Tuesday, 2017-07-18

*** ducttap__ has quit IRC00:07
*** ducttape_ has joined #openstack-keystone00:17
openstackgerritGage Hugo proposed openstack/keystone-specs master: Update project-tags spec  https://review.openstack.org/48452900:19
*** ducttape_ has quit IRC00:21
*** ducttape_ has joined #openstack-keystone00:22
*** boris-42__ has quit IRC00:27
*** ducttape_ has quit IRC00:27
*** dave-mccowan has quit IRC00:42
*** phalmos has joined #openstack-keystone00:43
*** lucasxu has joined #openstack-keystone00:45
*** lucasxu has quit IRC00:45
*** thorst has joined #openstack-keystone00:46
*** dave-mccowan has joined #openstack-keystone00:46
*** thorst has quit IRC00:51
*** ducttape_ has joined #openstack-keystone01:01
*** daidv__ has quit IRC01:05
*** ducttape_ has quit IRC01:12
*** ducttape_ has joined #openstack-keystone01:17
*** daidv__ has joined #openstack-keystone01:21
*** ducttape_ has quit IRC01:21
*** harlowja has quit IRC01:34
*** namnh has joined #openstack-keystone01:34
namnhbreton: hi boris01:39
namnhare you here?01:39
openstackgerritOpenStack Proposal Bot proposed openstack/pycadf master: Updated from global requirements  https://review.openstack.org/47013701:55
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient master: Updated from global requirements  https://review.openstack.org/48457701:56
*** dave-mccowan has quit IRC02:02
*** zhurong has joined #openstack-keystone02:05
*** otleimat has quit IRC02:05
*** samueldmq_ has joined #openstack-keystone02:06
*** vryzhenkin has joined #openstack-keystone02:12
*** mancdaz_ has joined #openstack-keystone02:12
*** _d34dh0r53_ has joined #openstack-keystone02:12
*** d34dh0r53 has quit IRC02:13
*** mancdaz has quit IRC02:13
*** diablo_rojo_phon has quit IRC02:13
*** samueldmq has quit IRC02:13
*** freerunner has quit IRC02:13
*** mancdaz_ is now known as mancdaz02:13
*** vryzhenkin is now known as freerunner02:13
*** samueldmq_ is now known as samueldmq02:14
*** diablo_rojo_phon has joined #openstack-keystone02:14
*** ducttape_ has joined #openstack-keystone02:15
*** ducttape_ has quit IRC02:19
openstackgerritEric Fried proposed openstack/keystoneauth master: Discourage 'version' and accept 'M.latest'  https://review.openstack.org/48360402:25
*** dave-mccowan has joined #openstack-keystone02:26
*** rodrigods has quit IRC02:43
*** dave-mccowan has quit IRC02:44
*** thorst has joined #openstack-keystone02:47
*** thorst has quit IRC02:52
*** rodrigods has joined #openstack-keystone02:55
*** chlong has quit IRC03:11
*** prashkre has joined #openstack-keystone03:23
*** ducttape_ has joined #openstack-keystone03:28
*** markvoelker has quit IRC03:29
*** ducttap__ has joined #openstack-keystone03:30
*** ducttape_ has quit IRC03:34
*** harlowja has joined #openstack-keystone03:40
*** ducttap__ has quit IRC03:43
*** ducttape_ has joined #openstack-keystone03:48
*** thorst has joined #openstack-keystone03:48
*** ducttape_ has quit IRC03:52
*** thorst has quit IRC03:53
*** links has joined #openstack-keystone03:55
*** aselius has quit IRC04:17
*** prashkre has quit IRC04:28
*** prashkre has joined #openstack-keystone04:36
*** gyee has quit IRC04:44
*** nicolasbock has joined #openstack-keystone04:44
*** harlowja has quit IRC04:54
*** zzzeek has quit IRC04:55
*** prashkre has quit IRC04:59
*** zhurong has quit IRC05:00
*** aojea has joined #openstack-keystone05:02
*** aojea has quit IRC05:06
*** aojea has joined #openstack-keystone05:11
*** josecastroleon1 has joined #openstack-keystone05:12
*** josecastroleon has quit IRC05:15
*** aojea has quit IRC05:16
*** nicolasbock has quit IRC05:19
*** aojea has joined #openstack-keystone05:20
*** nicolasbock has joined #openstack-keystone05:21
*** aojea has quit IRC05:25
*** rcernin has joined #openstack-keystone05:29
*** aojea has joined #openstack-keystone05:29
*** markvoelker has joined #openstack-keystone05:30
*** aojea has quit IRC05:34
*** zzzeek has joined #openstack-keystone05:36
*** zzzeek has quit IRC05:37
*** zzzeek has joined #openstack-keystone05:38
*** mvpnitesh has joined #openstack-keystone05:43
*** aojea has joined #openstack-keystone05:45
*** thorst has joined #openstack-keystone05:49
*** ducttape_ has joined #openstack-keystone05:49
*** aojea has quit IRC05:50
*** zhurong has joined #openstack-keystone05:50
*** thorst has quit IRC05:53
*** ducttape_ has quit IRC05:53
*** aojea has joined #openstack-keystone06:03
*** markvoelker has quit IRC06:04
*** aojea has quit IRC06:08
*** aojea has joined #openstack-keystone06:13
openstackgerritLiChunlin proposed openstack/keystone master: Add a hacking rule for string interpolation at logging  https://review.openstack.org/48425006:15
*** aojea has quit IRC06:17
openstackgerritM V P Nitesh proposed openstack/keystone master: Added support for a ``description`` attribute for V3 Identity Roles  https://review.openstack.org/48434806:19
*** phalmos has quit IRC06:37
*** markvoelker has joined #openstack-keystone07:02
openstackgerritMerged openstack/oslo.policy master: Updated from global requirements  https://review.openstack.org/48456907:07
*** tesseract has joined #openstack-keystone07:18
*** aojea has joined #openstack-keystone07:20
*** markvoelker has quit IRC07:34
*** thorst has joined #openstack-keystone07:50
*** thorst has quit IRC07:54
*** mvpnitesh has quit IRC07:57
*** mvk has quit IRC08:27
*** tobberydberg has joined #openstack-keystone08:30
*** markvoelker has joined #openstack-keystone08:32
*** zhurong has quit IRC08:44
*** mvk has joined #openstack-keystone08:55
*** mvpnitesh has joined #openstack-keystone08:57
*** markvoelker has quit IRC09:05
*** ma9_1 has joined #openstack-keystone09:12
*** tobberydberg has quit IRC09:14
*** clenimar has joined #openstack-keystone09:30
*** clenimar has left #openstack-keystone09:30
*** clenimar has joined #openstack-keystone09:30
*** mvk has quit IRC09:33
*** mvk has joined #openstack-keystone09:47
*** Dinesh_Bhor has quit IRC09:50
*** thorst has joined #openstack-keystone09:51
*** bhagyashris has quit IRC09:53
*** thorst has quit IRC09:55
*** markvoelker has joined #openstack-keystone10:01
*** thorst has joined #openstack-keystone10:12
*** thorst has quit IRC10:16
*** Dinesh_Bhor has joined #openstack-keystone10:21
*** markvoelker has quit IRC10:34
*** zhurong has joined #openstack-keystone10:52
*** ducttape_ has joined #openstack-keystone11:00
*** thorst has joined #openstack-keystone11:03
*** raildo has joined #openstack-keystone11:03
openstackgerritMerged openstack/keystoneauth master: Expose valid_interfaces as a ListOpt for config files  https://review.openstack.org/48274311:04
openstackgerritMerged openstack/keystoneauth master: Remove deprecated_since for interface and fix text  https://review.openstack.org/48452811:04
openstackgerritMerged openstack/keystoneauth master: Remove kwargs from adapter.get_endpoint_data  https://review.openstack.org/48274411:04
*** jistr is now known as jistr|tpb11:05
*** ducttape_ has quit IRC11:05
*** namnh has quit IRC11:05
*** dave-mccowan has joined #openstack-keystone11:17
*** dave-mccowan has quit IRC11:23
*** jistr|tpb is now known as jistr11:28
*** aojea has quit IRC11:29
*** markvoelker has joined #openstack-keystone11:32
openstackgerritMerged openstack/keystone master: Merged the caching subsections in admin docs  https://review.openstack.org/48300911:39
openstackgerritMerged openstack/keystone master: Expanded the best practices subsection in devdocs  https://review.openstack.org/47654111:43
openstackgerritMerged openstack/keystone master: Reorganised developer documentation  https://review.openstack.org/47660611:44
*** bhagyashris has joined #openstack-keystone11:57
bhagyashrismordred: Hi, morning.11:58
*** chlong has joined #openstack-keystone12:00
*** jmlowe_ has quit IRC12:04
*** markvoelker has quit IRC12:05
*** clayton has quit IRC12:08
*** clayton has joined #openstack-keystone12:09
*** aojea has joined #openstack-keystone12:24
*** edmondsw has joined #openstack-keystone12:29
*** aojea has quit IRC12:29
mordredmorning bhagyashris12:32
*** markvoelker has joined #openstack-keystone12:33
*** aojea has joined #openstack-keystone12:33
*** aojea has quit IRC12:38
*** jmlowe has joined #openstack-keystone12:38
bhagyashrismordred: I have added request_id_logger as per our discussion. The changes I have made in keystoneauth are:  http://paste.openstack.org/show/615711/ and now I am able to see the log in the service log, which I have pasted here: http://paste.openstack.org/show/615712/. So can you please guide me on what exactly I should do to log the request_id in the service log?12:40
*** aojea has joined #openstack-keystone12:42
*** aojea has quit IRC12:47
*** mvpnitesh has quit IRC12:49
*** catintheroof has joined #openstack-keystone12:51
bhagyashrismordred: Please ref the links: Changes made in keystoneauth: http://paste.openstack.org/show/615714/ and n-api service log link: http://paste.openstack.org/show/615715/12:55
*** catintheroof has quit IRC12:58
*** ducttape_ has joined #openstack-keystone13:02
*** ayoung has joined #openstack-keystone13:02
*** catintheroof has joined #openstack-keystone13:06
*** ducttape_ has quit IRC13:06
*** bknudson has joined #openstack-keystone13:06
*** aojea has joined #openstack-keystone13:09
*** catintheroof has quit IRC13:11
lbragstado/13:13
*** aojea has quit IRC13:14
*** aojea has joined #openstack-keystone13:19
samueldmqmorning keystone13:19
samueldmqlbragstad: o/13:19
*** aojea has quit IRC13:24
*** nicolasbock has quit IRC13:27
*** zhurong has quit IRC13:28
*** nicolasbock has joined #openstack-keystone13:28
*** lucasxu has joined #openstack-keystone13:31
*** nicolasbock has quit IRC13:32
knikollao/13:33
*** nicolasbock has joined #openstack-keystone13:35
*** ma9_ has joined #openstack-keystone13:35
*** links has quit IRC13:38
*** ma9_1 has quit IRC13:38
*** ma9_ has quit IRC13:40
*** ma9_ has joined #openstack-keystone13:41
*** ma9_ has quit IRC13:44
knikollagagehugo: regarding https://bugs.launchpad.net/keystone/+bug/1702211 . did you reproduce it by running that test only individually?13:45
openstackLaunchpad bug 1702211 in OpenStack Identity (keystone) "test_password_history_not_enforced_in_admin_reset failed in tempest test" [Undecided,Confirmed]13:45
*** aojea has joined #openstack-keystone13:47
*** aojea has quit IRC13:47
*** aojea has joined #openstack-keystone13:47
*** ma9_ has joined #openstack-keystone13:48
*** ma9_1 has joined #openstack-keystone13:51
*** catintheroof has joined #openstack-keystone13:51
*** ma9_ has quit IRC13:55
*** ducttape_ has joined #openstack-keystone13:57
*** ma9_1 has quit IRC14:00
gagehugoknikolla yeah, I didn't make any progress though after that14:07
knikollagagehugo: hmm… that excludes race conditions with other tests14:12
*** ducttape_ has quit IRC14:15
openstackgerritRodrigo Duarte proposed openstack/keystone master: DO NOT MERGE: Test commit for new CI job  https://review.openstack.org/48482314:32
*** ducttap__ has joined #openstack-keystone14:32
*** aselius has joined #openstack-keystone14:33
openstackgerritEric Fried proposed openstack/keystoneauth master: Discourage 'version' and accept 'M.latest'  https://review.openstack.org/48360414:45
*** otleimat has joined #openstack-keystone15:00
morganmmm hi15:03
* mordred sees a morgan15:03
morganlbragstad: eyes on https://review.openstack.org/#/c/483514/ to see if this is a reasonable direction before I build the test suite15:03
morganshould be straight-forward (basically take a catalog from the SQL backend and construct the YAML for it, then check to make sure everything is the same, except IDs (since those are programmatically generated))15:04
mordredmorgan: ++15:06
morganmordred: and... frankly... if this works... i would love for it to be the default choice of backend [long term]15:08
mordredmorgan: ++ it's a better choice for backend for the general case15:08
morganif we do a v4 keystone, i expect the catalog backend to be much simpler15:08
morganno more endpoint filtering...15:08
morganetc15:08
morganmordred: ideally (if we had a consistent choice for DLM that will be in every cloud </rant>) I would use something like ZK or consul to populate the catalog via active connections in middleware.15:09
morganbut i like yaml-filesystem catalog data as a close second.15:10
lbragstadmorgan: ++15:10
mordredmorgan: we do have a consistent choice for DLM that will be in every cloud15:11
mordredmorgan: it got decided that openstack clouds can count on etcd existing / being a hard requirement15:11
mordredI don't know all the details - dims has been driving that more15:12
lbragstadnice15:12
bretonwhat's wrong with endpoint filtering? What was the reason we implemented it in the first place?15:12
lbragstadbreton: it was a way to filter the catalog based on your role assignments15:12
lbragstadhas anyone here taken the plunge to f26, yet?15:13
dimsmordred : morgan : when queens opens up, we should encourage projects to depend directly on etcd3, all the infra and background work is done and ready15:13
mordreddims: ossum15:13
lbragstadcc dstanek?15:14
morganmordred: bleh, the worst of the choices for what i wanted imo15:15
morganmordred: but *shrug*15:15
morganbreton: we implemented it because a certain organisation wanted it, and it never really grew much support because it wasn't used/is-now-irrelevant-in-almost-any-scenario15:16
*** bknudson has left #openstack-keystone15:17
*** bknudson has joined #openstack-keystone15:21
bretoni wonder how much of our stuff is there, but not used.15:22
bretonendpoint policies?15:25
bretonx.509? (/me sighs)15:25
bretonec2/s3?15:25
bretoncredentials?15:25
bretonoauth1?15:25
bretonlet's have v4 and throw it all away15:27
morganpretty much, but we can't delete v315:27
morganwe can make a clean(er) v4.15:28
morganbut the v3 stuff will need to be maintained forever(tm)15:28
bretonwe can after some years15:28
*** bknudson has left #openstack-keystone15:28
bretonlike v215:28
morgannope.15:28
morganas per the TC, we cannot delete an API. V2 is a special case.15:29
morganat least AFAIU15:29
morgani know v2 was a special case because it is deemed insecure and has other holes in it15:29
morganthat cannot easily be fixed.15:29
morganthat are addressed in v315:30
bretonwhat holes for example?15:30
raildoglobal admin for example, we didn't have a proper token scope on v215:31
*** bknudson has joined #openstack-keystone15:31
lbragstadwe still don't15:31
*** rcernin has quit IRC15:32
raildoyeap, but it's much better than on v215:33
lbragstadi think we can at least fix it in v3 without a major version rev15:33
lbragstadit's just going to take a lot of work15:33
raildo++15:34
*** mvk has quit IRC15:34
morganv2 has 2 roles: admin/member15:35
morganv2 exposes data (tokens) in the URL.15:35
morganyou can technically auth for a non-default domain by id in v215:35
morganwhich has a lot of weird implications (not massive security hole...but...not a good behavior)15:35
morganthe CRUD management of v2 was all over the place15:35
morganOS-KSADM/<thing>15:36
morganand something not under OS-KS... prefixes15:36
bretonwell, 2 roles thing is not a hole. A lot of small deployments use only member and admin. Domains became a hole only because v3 was added :) API inconsistency was bad, right.15:37
bknudsonhas web application authentication changed enough over the years that a more industry-standard technique is the way to go?15:37
bknudsonit's time to re-think openstack auth.15:38
bretonwhat is industry-standard technique?15:38
* breton feels out of industry15:38
bknudsonlots of systems are going to openid connect15:38
morganbknudson: the 2 roles are an issue... because it is hard-coded basically15:39
morgans/bknudson/breton15:39
morgansorry brant :P15:40
morganOIDC and OAUTH2 (and SAML for more enterpris-y things) are the standards i see everywhere15:40
morganbut for that to work, you would need to either grant auth to each API you'd want to use and/or have the API under a single pane of glass (which is not guaranteed in openstack land)15:41
morganbut mostly, it's pre-auth+sessions15:41
bknudsonwe should also re-think auth. I haven't looked into oauth2 enough to know how the auth works (apparently there's an auth part to the token)15:43
bknudsonat this point I think an auth service is the way to go… more soa / microservices if that's what we're calling ourselves15:44
bknudsonwe'd also need a service for projects.15:45
lbragstadyeah15:45
bknudson(since that's part of openstack and not general auth)15:45
lbragstadright15:45
lbragstadthat seems fine - but i think it would be valuable to offer oauth215:46
lbragstadat least as a way to minimize openstack-isms15:46
bknudsonyes, I think that should be our goal.15:47
lbragstadsince project, and especially HMT, is an openstack-ism we should keep that, but offloading common things in favor of existing wheels would be nice15:48
lbragstad(if possible)15:48
lbragstadi really need to just take a weekend and try and map out what it would take to apply oauth2 to openstack in a way that makes sense15:49
openstackgerritLance Bragstad proposed openstack/keystone master: Move auth plugin development doc to contrib guide  https://review.openstack.org/48416815:50
gagehugoI will be missing the keystone meeting today15:50
lbragstadgagehugo: thanks for the heads up15:51
openstackgerritMerged openstack/keystone master: Reorganised api-ref index page  https://review.openstack.org/48340915:53
*** brad[] has quit IRC16:00
*** rcernin has joined #openstack-keystone16:02
*** aojea has quit IRC16:02
openstackgerritSean Dague proposed openstack/keystoneauth master: Add ability to specify a microversion in a request  https://review.openstack.org/48274616:11
openstackgerritMerged openstack/keystoneauth master: Minor cleanup  https://review.openstack.org/47862116:16
openstackgerritLance Bragstad proposed openstack/keystone master: Move development environment setup to contributor docs  https://review.openstack.org/48140516:23
*** lwanderley has joined #openstack-keystone16:23
*** ducttape_ has joined #openstack-keystone16:24
*** ducttap__ has quit IRC16:28
*** Adri2000 has quit IRC16:30
openstackgerritLance Bragstad proposed openstack/keystone master: Move development environment setup to contributor docs  https://review.openstack.org/48140516:31
edmondswlbragstad I'm looking at a bug where during processing of a project deleted event I need to know what domain that project was in... is there some cache I can pull that from or would we have to modify the event notification to include that information?16:38
lbragstadedmondsw: that's a tricky one16:39
edmondswyeah...16:39
lbragstadedmondsw: because by the time you get the notification the project is already gone16:39
lbragstadso making a request to get any information about it isn't going to work16:39
edmondswyeah, that's what I was afraid of16:40
*** brad[] has joined #openstack-keystone16:40
lbragstadedmondsw: there is a work around16:40
lbragstadedmondsw: i had a couple really good discussions with folks that presented a couple different options16:40
lbragstadi ended up writing about them hoping to get some feedback16:40
lbragstadhttps://www.lbragstad.com/blog/improving-auditing-in-keystone16:41
edmondsw:) I'll read up16:42
edmondswthe bug (not yet opened) is that https://github.com/openstack/keystone/commit/51d5597df729158d15b71e2ba80ab103df5d55f8 uses the default driver, whereas it needs to lookup the driver for that project's domain to actually work properly16:42
lbragstadedmondsw: option #2 would give you a solution today without any modifications to keystone16:43
edmondswlbragstad I don't think that works here. We can't require an operator to set all that up for keystone to work properly16:45
edmondswi.e. to fix this bug16:45
edmondswif we were talking about adding a feature, maybe16:45
lbragstadwhat needs the domain of the project?16:47
lbragstadthe consuming application?16:47
edmondswkeystone itself16:47
edmondswsee my comment above @ 12:4216:47
lbragstadlooking at the patch16:48
openstackgerritMerged openstack/keystoneauth master: Add support for next_min_version and not_before  https://review.openstack.org/48274516:48
lbragstadedmondsw: what do you have configured for resource backends?16:50
lbragstadi'm assuing identity is using sql/16:50
lbragstadassuming* sql?16:51
edmondswnope16:51
edmondswI saw this problem with a custom driver, but it doesn't really matter16:51
edmondswthe current impl will always try to use the default driver instead of using the driver for the domain of the project16:52
edmondswe.g. if you setup LDAP as the default driver, you'd use the ldap driver instead of sql, even if the project was actually from a different domain that uses the sql driver16:52
lbragstadok - so soft deletes don't really help us much in this case16:53
lbragstadwell - i suppose they kind of do16:53
edmondswyeah, they would16:54
lbragstadbecause the request for the deleted project would come in through the whole API16:55
lbragstadand I assume there is logic to find the domain of the project16:56
lbragstadbuilt into that path already16:56
lbragstadi'm tempted to say that this is one edge case where it might be acceptable to put the domain id of the project that was removed into the notification16:58
edmondswlbragstad actually, maybe we don't need the domain_id here... maybe we just call this for all configured domains16:58
edmondswI was confusing project domain with user domain... we care about the user domain here, not the project domain16:59
lbragstadohhhh16:59
edmondswyeah, that helps :)16:59
lbragstadok - hold on16:59
lbragstad... yeah - the project is already going to be gone, right?16:59
lbragstadthe callback is to set the default_project_id for a user if that project no longer exists to none17:00
edmondswright17:01
edmondswand we need to do that for users in all domains17:01
edmondswnot just one17:01
lbragstadso - what's the right thing to do in that case?17:01
edmondswloop through every domain config and do it for all of them?17:01
*** agrebennikov has joined #openstack-keystone17:01
*** agrebennikov has quit IRC17:02
lbragstadthis is using multiple identity backends17:02
lbragstadper domain17:02
lbragstadso LDAP per domain17:02
*** agrebennikov has joined #openstack-keystone17:02
lbragstadfor example17:02
edmondswright17:02
edmondswso we need to go do the cleanup in each of those domains17:02
edmondsws/domains/backends/17:02
lbragstadthat's weird17:03
edmondswwhy?17:03
lbragstadsorry - what you said isn't weird17:03
lbragstadi was thinking about the relationship and it feels circular (?)17:03
lbragstadbecause domains own projects17:03
lbragstadand domains own users17:03
lbragstadand a user can have a default project17:04
lbragstadis there anything stopping a user from having a default project outside their domain?17:04
lbragstadi.e. say Bob is in the Acme backend which puts him in the Acme domain17:05
lbragstadand Alice is in the Foo backend, which puts her in the Foo domain17:05
edmondswthe fact that we use domains for both projects and users constantly confuses everyone17:05
edmondsw:)17:05
edmondswsame entity, totally different and unrelated usage17:06
edmondswit's awful17:06
edmondswa user in domain A can have roles on projects in any domain17:06
lbragstadif there is a Bar domain that has a Baz project, and Bob has a role on the Bar domain and the Baz project, that could be set as his default project id17:06
*** jistr is now known as jistr|off17:06
lbragstad^ that's essentially how you'd recreate the bug, right?17:07
lbragstadbecause when you delete the Baz project, it should set Bob's default project ID to None17:08
edmondswthink of it like this... I create 3 domains, with the default using sql driver, 2nd using LDAP for ldap_server_1 and 3rd using LDAP for ldap_server_217:10
edmondswI have users in each of those, and some of the users in each of those are setup with default project_id as project foo17:10
edmondswwhen foo gets deleted, I need to update the users in all of those backends to no longer use foo as their default project17:11
edmondswlbragstad ^ make sense?17:11
lbragstadyeah - that makes sense17:11
lbragstaddoes the current callback not loop through all domains?17:12
lbragstador all backends?17:12
edmondswopened https://bugs.launchpad.net/keystone/+bug/1705072 and included that example17:13
openstackLaunchpad bug 1705072 in OpenStack Identity (keystone) "clearing default project_id from users using wrong driver implementation" [Undecided,New]17:13
edmondswlbragstad no it just uses the default domain backend17:13
edmondswthat's the bug17:13
*** ducttap__ has joined #openstack-keystone17:19
*** ducttape_ has quit IRC17:22
*** harlowja has joined #openstack-keystone17:24
openstackgerritSamriddhi proposed openstack/keystone master: Added index.rst in each sub-directory  https://review.openstack.org/48415717:25
openstackgerritMonty Taylor proposed openstack/keystoneauth master: Add ability to specify a microversion in a request  https://review.openstack.org/48274617:26
*** reedip_ has joined #openstack-keystone17:30
reedip_hi guys17:30
reedip_I am getting the following error in keystone.log17:30
reedip_User 6051be91029c4673b7eb0e6778177790 has no access to project f22f9b5338ba49239b7bf64cfcfa86c3 _populate_roles /usr/lib/python2.7/dist-packages/keystone/token/providers/common.py:45417:31
reedip_Any pointers how to resolve this?17:31
*** nicolasbock has quit IRC17:35
*** nicolasbock has joined #openstack-keystone17:36
*** bknudson has quit IRC17:38
lbragstadreedip_: that's telling you that the user in question doesn't have any role assignments on the project they are attempting to scope to17:41
reedip_lbragstad : I assigned admin role to that user using openstack role add --user UID --project PID17:42
lbragstadwhen you list role assignment - do you see that assignment?17:43
reedip_lbragstad : how do I list role assignment ?17:44
lbragstadreedip_: https://docs.openstack.org/python-openstackclient/latest/cli/command-objects/role-assignment.html17:45
reedip_lbragstad : checking , can you give me 2 min of your time for the same?17:45
lbragstadreedip_: yeah - just post your update here17:46
reedip_lbragstad : ohk , so the project field is empty17:48
reedip_Its a long value but I can see the project and group is empty17:49
lbragstadreedip_: if you do `openstack role assignment list` it should give you all role assignments17:49
reedip_It does, but for this user, it shows the domain but nothing in the project17:50
lbragstad`openstack role assignment list --user 6051be91029c4673b7eb0e6778177790` should give you the ones specific to the user in question17:50
lbragstadah17:50
lbragstadso - that user doesn't actually have a role assignment on project f22f9b5338ba49239b7bf64cfcfa86c317:51
reedip_yep17:51
reedip_so should I execute role add again ?17:51
lbragstadreedip_: yeah - or investigate why it didn't work the first time you did it?17:51
reedip_ok , thanks :)17:51
lbragstadis f22f9b5338ba49239b7bf64cfcfa86c3 a project or a domain?17:51
openstackgerritMonty Taylor proposed openstack/keystoneauth master: Add ability to specify a microversion in a request  https://review.openstack.org/48274617:52
*** spilla_ has joined #openstack-keystone17:52
reedip_its a project17:52
*** bknudson has joined #openstack-keystone17:53
lbragstadreedip_: ok - just double checking17:53
reedip_:)17:53
*** tesseract has quit IRC17:58
*** sjain_ has joined #openstack-keystone17:59
*** deep-book-gk_ has joined #openstack-keystone18:09
*** deep-book-gk_ has left #openstack-keystone18:09
*** lwanderley has quit IRC18:13
lbragstadannouncement: office hours will be starting in 40 minutes18:21
knikollacool18:21
openstackgerritEric Fried proposed openstack/keystoneauth master: Discourage 'version' and accept 'M.latest'  https://review.openstack.org/48360418:27
lbragstad#startmeeting keystone-office-hours19:00
openstackMeeting started Tue Jul 18 19:00:02 2017 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.19:00
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.19:00
openstackThe meeting name has been set to 'keystone_office_hours'19:00
lbragstadalright - who's around for office hours?19:00
knikollao/19:00
gagehugoo/19:02
*** chlong_ has joined #openstack-keystone19:03
lbragstado/19:03
lbragstadalright i'm working on trying to recreate https://bugs.launchpad.net/keystone/+bug/169458919:04
openstackLaunchpad bug 1694589 in OpenStack Identity (keystone) "Federation protocol creation gives error" [Undecided,New]19:04
lbragstad#link https://bugs.launchpad.net/keystone/+bug/169458919:05
*** chlong has quit IRC19:05
*** sjain_ has quit IRC19:06
*** reedip_ has quit IRC19:12
*** gyee has joined #openstack-keystone19:17
gagehugoI will be helping with project tags mostly but feel free to ping me19:17
lbragstadgagehugo: sounds good - no worries19:18
lbragstadknikolla: you're an ldap guy19:23
lbragstadright?19:23
knikollalbragstad: i wear that hat in keystone since, but don't have much experience outside19:23
* lbragstad slaps an "LDAP Expert" sticker on knikolla19:24
lbragstadknikolla: thoughts - https://bugs.launchpad.net/keystone/+bug/1704205 ?19:24
openstackLaunchpad bug 1704205 in OpenStack Identity (keystone) "GET /v3/role_assignments?effective&include_names API fails with unexpected 500 error" [Undecided,New]19:24
*** bknudson has quit IRC19:25
knikollalooking19:28
knikollalbragstad: seems like an easy fix19:28
lbragstadknikolla: which part?19:29
*** zzzeek has quit IRC19:29
knikollalbragstad: what i had in mind before reading the comments. reading the comments now.19:29
*** zzzeek has joined #openstack-keystone19:30
knikollalbragstad: i prefer the ' ' approach.19:34
lbragstadknikolla: versus using '<missing>'19:34
knikollalbragstad: similar to https://review.openstack.org/#/c/458954/19:35
openstackgerritOpenStack Proposal Bot proposed openstack/keystone master: Updated from global requirements  https://review.openstack.org/48455319:35
knikolla<missing> is a special string. an empty string is an empty string.19:36
lbragstadknikolla: yeah - i don't like the '<missing>' approach19:36
knikollathe issue is where else will the app break with a missing name19:37
lbragstadknikolla: the trick is going to be finding all those places and accounting for it19:37
lbragstadand by it, I mean accounting for a misconfigured LDAP installation19:37
knikollalbragstad: yeah. where would we draw the line.19:40
knikollai think also having this as wont fix is acceptable.19:41
lbragstadif we did filter within keystone - i would think logging each user that doesn't have a name attribute from LDAP is acceptable19:41
knikollalbragstad: or treat the user as disabled if required attributes are missing.19:43
lbragstadknikolla: yeah - logging in addition to ignoring the user completely in keystone19:44
*** nicolasbock has quit IRC19:53
lbragstadknikolla: edmondsw adjusted the priority https://bugs.launchpad.net/keystone/+bug/170420519:57
openstackLaunchpad bug 1704205 in OpenStack Identity (keystone) "GET /v3/role_assignments?effective&include_names API fails with unexpected 500 error" [Low,Triaged]19:57
*** dave-mccowan has joined #openstack-keystone19:58
edmondswlbragstad I'm going to try to find time to work on that, or get someone else around here to do so. And don't be surprised if we ask about backporting once it's fixed19:59
edmondswmay be low for you, but it's actually a pretty significant problem for us19:59
lbragstadedmondsw: backporting to ocata should be fine if we get the fix in before pike releases19:59
lbragstadedmondsw: i'm going to target it to pike-3 then19:59
edmondswtx20:00
knikollahmm… it will change behaviour. but of something which is broken. so should be fine.20:00
lbragstadknikolla: the behavior is a 500 right now20:00
knikollaexactly20:00
edmondswyeah... no interop concern there, at least ;)20:00
lbragstadit would effectively fall under the first group here - http://specs.openstack.org/openstack/api-wg/guidelines/api_interoperability.html#evaluating-api-changes20:02
lbragstad#link http://specs.openstack.org/openstack/api-wg/guidelines/api_interoperability.html#evaluating-api-changes20:02
lbragstadknikolla: ^20:02
knikollayup20:02
*** bknudson has joined #openstack-keystone20:05
*** Dinesh_Bhor has quit IRC20:17
*** dave-mccowan has quit IRC20:17
* cmurphy waves to office hours crowd20:17
*** dave-mccowan has joined #openstack-keystone20:24
knikollacmurphy: o/20:27
*** dave-mccowan has quit IRC20:27
*** spilla_ has quit IRC20:39
lbragstadcmurphy: o/20:45
lbragstadcmurphy: fwiw - i'm going through all new/untriaged bugs20:45
*** raildo has quit IRC20:48
cmurphylbragstad: i'm reviewing mordredcode20:53
*** rcernin has quit IRC20:57
lbragstadcmurphy: ksa?20:57
cmurphylbragstad: yup20:59
lbragstadnice20:59
lbragstadthat's good because we're going to have to get a release together next week21:00
lbragstadfor python-keystoneclient and keystoneauth21:00
*** lucasxu has quit IRC21:02
*** lucasxu has joined #openstack-keystone21:06
*** ducttape_ has joined #openstack-keystone21:07
*** ducttap__ has quit IRC21:10
*** lucasxu has quit IRC21:17
*** blake has joined #openstack-keystone21:26
*** thorst has quit IRC21:30
*** thorst has joined #openstack-keystone21:42
*** thorst has quit IRC21:44
*** jmlowe has quit IRC21:46
* samueldmq is back21:51
samueldmqlbragstad: office hours running now?21:51
lbragstadsamueldmq: yessir21:51
lbragstadfor another 9 minutes!21:51
samueldmqlbragstad: nice, anything that needs an extra couple of eyes on?21:52
samueldmqjust 9 minutes left ?21:52
morganhm.21:54
morgansamueldmq: can you look at https://review.openstack.org/#/c/483514/ and let me know if you see anything horribly wrong (looking for a couple spare eyes before writing the tests)21:55
samueldmqmorgan: sure, looking21:56
morgani am 100% positive some code will need to change.21:57
morganbecause zero testing.21:57
morgani'm looking for general direction good/bad/"WAIT WHAT WAS THAT?!?!" from folks before doing the next chunk of things which inc. testing21:57
morgans/testing/writing tests/21:57
samueldmqmorgan: am I understanding it wrong or ... is that an attempt to get something towards a static global catalog for the future?21:58
morganit is a method to do so21:58
morganit replaces templated backend21:58
morganwith something that natively does v2/v3 catalogs21:58
samueldmqmorgan: then I assume we are expecting people to adopt more that21:59
morganand can accurately express most anything in the SQL catalog *except* endpoint groups, filtering, policy21:59
morganwe have ~3% of the folks still using templated21:59
samueldmq(as I dont think lots of folks use templated catalog as of today)21:59
morganaccording to the last user poll21:59
samueldmqexactly21:59
morganand a general desire to be able to continue using a CMS managed catalog21:59
morganrather than an API driven one22:00
morganthe templated one has not been well tested and is extremely limited in what it can produce22:00
morganpart of why the templated one has limited use is because it has been semi-broken on and off.22:00
lbragstad#endmeeting22:01
* morgan would encourage a CMS-driven catalog over SQL-based one for most use-cases.22:01
openstackMeeting ended Tue Jul 18 22:01:23 2017 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)22:01
openstackMinutes:        http://eavesdrop.openstack.org/meetings/keystone_office_hours/2017/keystone_office_hours.2017-07-18-19.00.html22:01
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/keystone_office_hours/2017/keystone_office_hours.2017-07-18-19.00.txt22:01
openstackLog:            http://eavesdrop.openstack.org/meetings/keystone_office_hours/2017/keystone_office_hours.2017-07-18-19.00.log.html22:01
lbragstadmorgan: ++22:03
samueldmqmorgan: well, that sounds to be a sane idea to me :)22:11
lbragstadcc odyssey4me andymccr might be interested in some of that, too22:18
* lbragstad steps away for a bit22:18
*** gyee has quit IRC22:20
samueldmqmorgan: I left a quick comment in the representation22:31
samueldmqof that yaml22:32
*** gyee has joined #openstack-keystone22:38
*** edmondsw has quit IRC22:47
*** bknudson has quit IRC22:52
*** ducttape_ has quit IRC23:01
*** thorst has joined #openstack-keystone23:04
*** thorst has quit IRC23:06
*** ducttape_ has joined #openstack-keystone23:18
*** ducttap__ has joined #openstack-keystone23:20
*** ducttape_ has quit IRC23:20
*** ducttap__ has quit IRC23:24
*** catintheroof has quit IRC23:25
*** dave-mccowan has joined #openstack-keystone23:29
*** dave-mcc_ has joined #openstack-keystone23:37
*** dave-mccowan has quit IRC23:38
*** dave-mcc_ has quit IRC23:45
*** lucasxu has joined #openstack-keystone23:55
