Tuesday, 2017-08-08

*** thorst has joined #openstack-keystone		00:00
*** thorst has quit IRC		00:02
*** ducttape_ has quit IRC		00:04
*** thorst has joined #openstack-keystone		00:05
*** jmlowe has joined #openstack-keystone		00:06
*** ayoung has quit IRC		00:11
*** ducttape_ has joined #openstack-keystone		00:16
*** ducttape_ has quit IRC		00:21
*** thorst has quit IRC		00:23
*** thorst has joined #openstack-keystone		00:23
*** harlowja has quit IRC		00:25
*** lucasxu has joined #openstack-keystone		00:27
*** thorst has quit IRC		00:27
*** ducttape_ has joined #openstack-keystone		00:34
*** thorst has joined #openstack-keystone		00:38
*** edmondsw has joined #openstack-keystone		00:42
*** edmondsw has quit IRC		00:47
*** ducttape_ has quit IRC		00:53
*** markvoelker has joined #openstack-keystone		00:55
*** lucasxu has quit IRC		00:57
*** markvoelker_ has joined #openstack-keystone		00:57
*** tobberydberg has joined #openstack-keystone		00:59
*** jmlowe has quit IRC		01:00
*** markvoelker has quit IRC		01:01
*** catintheroof has joined #openstack-keystone		01:02
*** Shunli has joined #openstack-keystone		01:02
*** ducttape_ has joined #openstack-keystone		01:03
*** tobberydberg has quit IRC		01:04
*** ducttape_ has quit IRC		01:04
*** ducttape_ has joined #openstack-keystone		01:05
*** lucasxu has joined #openstack-keystone		01:06
*** ducttape_ has quit IRC		01:07
*** ducttape_ has joined #openstack-keystone		01:07
*** tobberydberg has joined #openstack-keystone		01:08
*** ducttape_ has quit IRC		01:08
*** zhurong has joined #openstack-keystone		01:11
*** catintheroof has quit IRC		01:11
*** tobberydberg has quit IRC		01:14
*** jmlowe has joined #openstack-keystone		01:24
*** thorst has quit IRC		01:24
*** otleimat has quit IRC		01:41
*** ducttape_ has joined #openstack-keystone		02:13
*** tobberydberg has joined #openstack-keystone		02:14
*** mtreinish has quit IRC		02:17
*** ducttape_ has quit IRC		02:18
*** ducttape_ has joined #openstack-keystone		02:18
*** lifeless has quit IRC		02:18
*** tobberydberg has quit IRC		02:19
*** rodrigods has quit IRC		02:19
*** lifeless has joined #openstack-keystone		02:19
*** mtreinish has joined #openstack-keystone		02:22
*** ducttape_ has quit IRC		02:23
*** rodrigods has joined #openstack-keystone		02:23
*** dstepanenko has joined #openstack-keystone		02:24
*** mjax has quit IRC		02:28
*** dstepanenko has quit IRC		02:29
*** edmondsw has joined #openstack-keystone		02:30
*** edmondsw has quit IRC		02:35
*** ducttape_ has joined #openstack-keystone		02:39
openstackgerrit	Merged openstack/keystone master: Move url safe naming docs to admin guide https://review.openstack.org/488625	02:48
*** mjax has joined #openstack-keystone		02:51
*** mjax has quit IRC		02:52
*** mjax has joined #openstack-keystone		02:56
*** aselius has quit IRC		02:56
*** ducttap__ has joined #openstack-keystone		03:03
*** ducttape_ has quit IRC		03:06
*** spzala has quit IRC		03:16
*** david-lyle has quit IRC		03:16
*** dstepanenko has joined #openstack-keystone		03:19
*** david-lyle has joined #openstack-keystone		03:23
*** dstepanenko has quit IRC		03:24
*** ducttap__ has quit IRC		03:24
*** nicolasbock has joined #openstack-keystone		03:25
*** ducttape_ has joined #openstack-keystone		03:31
*** ducttape_ has quit IRC		03:31
*** nicolasbock has quit IRC		03:39
*** lucasxu has quit IRC		03:43
*** Dinesh_Bhor has joined #openstack-keystone		03:45
*** dave-mccowan has quit IRC		03:47
*** nicolasbock has joined #openstack-keystone		03:50
*** links has joined #openstack-keystone		03:53
*** spzala has joined #openstack-keystone		04:17
*** spzala has quit IRC		04:21
*** thorst has joined #openstack-keystone		04:25
*** thorst has quit IRC		04:30
*** harlowja has joined #openstack-keystone		04:35
*** dstepanenko has joined #openstack-keystone		04:43
*** spzala has joined #openstack-keystone		04:47
*** spzala has quit IRC		04:51
*** mvpnitesh has joined #openstack-keystone		05:05
*** nicolasbock has quit IRC		05:11
*** harlowja has quit IRC		05:14
*** rajalokan has joined #openstack-keystone		05:35
*** mjax has quit IRC		05:52
*** nicolasbock has joined #openstack-keystone		05:53
*** dstepanenko has quit IRC		05:54
*** thorst has joined #openstack-keystone		05:58
*** thorst has quit IRC		06:03
*** tobberydberg has joined #openstack-keystone		06:06
*** edmondsw has joined #openstack-keystone		06:06
*** edmondsw has quit IRC		06:11
*** rcernin has joined #openstack-keystone		06:21
*** dstepanenko has joined #openstack-keystone		06:38
*** dstepanenko has quit IRC		06:39
*** dstepanenko has joined #openstack-keystone		06:39
*** dstepanenko has quit IRC		06:58
*** zhurong has quit IRC		06:59
*** pcaruana has joined #openstack-keystone		07:00
*** markvoelker_ has quit IRC		07:01
*** rajalokan has quit IRC		07:02
*** spzala has joined #openstack-keystone		07:04
*** markvoelker has joined #openstack-keystone		07:07
*** markvoelker has quit IRC		07:08
*** markvoelker has joined #openstack-keystone		07:08
*** spzala has quit IRC		07:09
*** rajalokan has joined #openstack-keystone		07:13
*** rajalokan has quit IRC		07:20
*** tesseract has joined #openstack-keystone		07:21
openstackgerrit	Rajat Sharma proposed openstack/keystone master: Update URL in README.rst https://review.openstack.org/491701	07:28
*** dstepanenko has joined #openstack-keystone		07:34
*** dstepanenko has quit IRC		07:39
*** edmondsw has joined #openstack-keystone		07:54
*** edmondsw has quit IRC		07:59
*** thorst has joined #openstack-keystone		07:59
*** thorst has quit IRC		08:04
openstackgerrit	zhiguo.li proposed openstack/keystone master: Add two steps in part 'Configure the Apache HTTP server' for Ubuntu and change the related parts for RDO or SUSE https://review.openstack.org/489589	08:06
openstackgerrit	zhiguo.li proposed openstack/keystone master: Modify the steps in 'Configure the Apache HTTP server' for three OS https://review.openstack.org/489589	08:16
openstackgerrit	zhiguo.li proposed openstack/keystone master: Modify the steps in 'Configure the Apache HTTP server' for three OS https://review.openstack.org/489589	08:17
openstackgerrit	zhiguo.li proposed openstack/keystone master: Modify the steps of configuring the Apache server for three OS https://review.openstack.org/489589	08:25
*** aojea has joined #openstack-keystone		08:32
*** aojea has quit IRC		08:46
*** mvpnitesh has quit IRC		08:46
*** aojea has joined #openstack-keystone		08:47
*** mvpnitesh has joined #openstack-keystone		08:50
*** dstepanenko has joined #openstack-keystone		09:01
*** spzala has joined #openstack-keystone		09:05
*** spzala has quit IRC		09:10
*** nicolasbock has quit IRC		09:15
*** dstepanenko has quit IRC		09:26
*** Shunli has quit IRC		09:34
*** edmondsw has joined #openstack-keystone		09:43
*** nicolasbock has joined #openstack-keystone		09:43
*** edmondsw has quit IRC		09:47
*** kornicameister has quit IRC		09:47
*** dstepanenko has joined #openstack-keystone		09:58
*** thorst has joined #openstack-keystone		10:00
*** kornicameister has joined #openstack-keystone		10:00
*** dstepanenko has quit IRC		10:02
*** thorst has quit IRC		10:05
*** mdavidson has quit IRC		10:16
*** iurygregory has quit IRC		10:16
*** iurygregory has joined #openstack-keystone		10:17
*** mdavidson has joined #openstack-keystone		10:17
*** markvoelker has quit IRC		10:17
*** odyssey4me has quit IRC		10:18
*** odyssey4me has joined #openstack-keystone		10:19
*** zhurong has joined #openstack-keystone		10:24
*** dstepanenko has joined #openstack-keystone		10:31
*** ducttape_ has joined #openstack-keystone		10:32
*** ducttape_ has quit IRC		10:36
*** thorst has joined #openstack-keystone		10:42
*** thorst has quit IRC		10:54
*** thorst has joined #openstack-keystone		10:54
*** thorst has quit IRC		10:59
*** spzala has joined #openstack-keystone		11:07
*** spzala has quit IRC		11:12
*** lwanderley has joined #openstack-keystone		11:15
*** raildo has joined #openstack-keystone		11:29
*** dave-mccowan has joined #openstack-keystone		11:40
*** dstepanenko has quit IRC		11:41
*** thorst has joined #openstack-keystone		11:51
*** dstepanenko has joined #openstack-keystone		11:55
*** edmondsw has joined #openstack-keystone		11:57
*** jrist has joined #openstack-keystone		11:58
*** aojea has quit IRC		12:05
*** aojea has joined #openstack-keystone		12:06
*** aojea has quit IRC		12:11
*** lwanderley has quit IRC		12:18
*** lwanderley has joined #openstack-keystone		12:18
*** prashkre has joined #openstack-keystone		12:19
hrybacki	lbragstad: FYI -- back online but in internal meetings for the week. Back to regular work-work on Monday	12:29
*** zhurong has quit IRC		12:30
hrybacki	lbragstad: looks like I'll be able to attend PTG Wed-Fri. Is there any reason you'd need me there on Tuesday as well?	12:30
*** sbezverk has joined #openstack-keystone		12:35
openstackgerrit	Davanum Srinivas (dims) proposed openstack/oslo.policy master: [WIP] Support for SSL based remote checks https://review.openstack.org/491783	12:36
*** dstepanenko has quit IRC		12:38
lbragstad	hrybacki: welcome back!	12:43
lbragstad	hrybacki: it looks like the plan is to have cross-project meetings on monday and tuesday	12:43
lbragstad	and project specific topics will happen wednesday - friday	12:43
hrybacki	lbragstad: Ah, yes. So much of the policy and role discussion will happen early in the week	12:46
hrybacki	lbragstad: thanks :)	12:46
*** dstepanenko has joined #openstack-keystone		12:46
hrybacki	role as in the hopeful default role for OS discussion	12:46
lbragstad	hrybacki: right - that's how it boiled down at the last PTG, too	12:49
lbragstad	hrybacki: i was there from Wednesday - Friday and i missed most of the discussions on policy	12:49
lbragstad	i spent rest of the the week tracking people down to get summaries	12:49
hrybacki	lbragstad: interesting	12:50
hrybacki	Okay, I'll hit my manager back up and raise the points	12:50
lbragstad	hrybacki: ok - let me know	12:51
*** lwanderley has quit IRC		12:52
*** aojea has joined #openstack-keystone		12:53
hrybacki	lbragstad: ack!	12:55
lbragstad	fwiw - i put when i'll be getting into denver and when i'll be leaving on the etherpad https://etherpad.openstack.org/p/keystone-queens-ptg	12:55
*** catintheroof has joined #openstack-keystone		13:00
*** lucasxu has joined #openstack-keystone		13:02
*** jrist has quit IRC		13:02
*** ayoung has joined #openstack-keystone		13:03
prashkre	lbragstad: Hi. could you please take a look at latest comment on https://review.openstack.org/#/c/490138/ and give your feedback on it to proceed further.	13:03
*** clayton has quit IRC		13:03
*** clayton has joined #openstack-keystone		13:05
*** sbezverk has quit IRC		13:07
*** spzala has joined #openstack-keystone		13:08
*** links has quit IRC		13:11
*** markvoelker has joined #openstack-keystone		13:12
*** mvpnitesh has quit IRC		13:14
lbragstad	clarkb: i subscribed you to https://bugs.launchpad.net/keystone/+bug/1694525	13:14
openstack	Launchpad bug 1694525 in OpenStack Identity (keystone) "keystone reports 404 User Not Found during grenade tests" [Medium,Triaged]	13:14
lbragstad	clarkb: a couple of us have been looking at it - have you noticed that specific issue cropping up recently or do you know if there is a better logstash query for it?	13:15
cmurphy	o/ yeah "user not found" is too broad a search query and not necessarily an indicator of a problem	13:16
lbragstad	i agree	13:16
*** jmlowe has quit IRC		13:28
*** dstepanenko has quit IRC		13:29
*** ducttape_ has joined #openstack-keystone		13:42
ayoung	hrybacki, lbragstad One addendum to the RBAC in middleware proposal. Note how Kubernetes does things: https://kubernetes.io/docs/admin/authorization/#determine-the-request-verb	13:43
ayoung	they have more verbs than just the HTTP defined set. I also hear rumors about a "USE" verb but I don't know what that means or how it is defined	13:43
lbragstad	interesting	13:43
* lbragstad pins tab		13:43
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Except forbidden when clearing default project IDs https://review.openstack.org/491546	13:45
lbragstad	cmurphy: responded - https://review.openstack.org/#/c/491546/2	13:45
*** dstepanenko has joined #openstack-keystone		13:48
ayoung	lbragstad, here is one reference to the USE verb https://github.com/kubernetes/kubernetes/issues/17637	13:49
ayoung	lbragstad, and here is the list of verbs from the code https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_role.go#L55	13:52
cmurphy	lbragstad: responded back	14:01
lbragstad	cmurphy: so - just to clarify, you are ok with the try/except?	14:02
lbragstad	if someone is writing a driver out of tree - is the right thing to raise a 403 in the unset_deafult_project_id method or is the right thing to return None?	14:04
lbragstad	I think I prefer avoiding None because it makes you less prone to coding around a special value	14:05
lbragstad	better described by Item 14: Prefer Exceptions to returning None from Effective Python	14:07
cmurphy	lbragstad: i think i prefer the try/except now that i'm considering that other backends might be involved	14:10
lbragstad	cmurphy: ack - reverting some of the recent changes then	14:10
*** jmlowe has joined #openstack-keystone		14:11
cmurphy	lbragstad: but i don't have a very strong opinion :)	14:11
cmurphy	just seems like no matter what identity backend you're using it would be pretty confusing to see a 403 when trying to delete a project	14:12
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Except forbidden when clearing default project IDs https://review.openstack.org/491546	14:14
lbragstad	cmurphy: yeah	14:14
lbragstad	cmurphy: i think the decoupled nature of all the subsystems is to blame for that	14:15
lbragstad	the requirement that the resource API and the identity API have different backends makes situations like this messy	14:16
lbragstad	(it also leads to us using notifications as a way to enforce constraints that should otherwise be done in the backend)	14:16
cmurphy	yeah :/	14:16
lbragstad	and because of that we can't leverage database FK between systems	14:17
*** lwanderley has joined #openstack-keystone		14:20
*** lwanderley has quit IRC		14:21
*** Guest13936 is now known as med_		14:21
*** med_ has quit IRC		14:21
*** med_ has joined #openstack-keystone		14:21
*** med_ is now known as medberry		14:21
*** lwanderley has joined #openstack-keystone		14:23
*** lwanderley has quit IRC		14:24
*** admcleod_ is now known as admcleod		14:26
*** lwanderley has joined #openstack-keystone		14:28
knikolla	o/	14:32
lbragstad	o/	14:32
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Except forbidden when clearing default project IDs https://review.openstack.org/491546	14:32
lbragstad	cmurphy: failed pep8	14:32
knikolla	lbragstad: doesn't the mocked _disallow_write not raise Forbidden in your test?	14:35
knikolla	i'm a bit confused, but may be my lack of coffee yet	14:36
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Except forbidden when clearing default project IDs https://review.openstack.org/491546	14:37
lbragstad	knikolla: yeah - i missed that	14:37
lbragstad	that mock should be better	14:37
lbragstad	it should be asserting the exception is raised and handled by the manager	14:37
*** aojea has quit IRC		14:38
*** dstepanenko has quit IRC		14:40
*** medberry is now known as med_		14:43
knikolla	lbragstad: doesn't mock.patch.object replace the function with a mock?	14:46
knikolla	in that case the mocked _disallow_write wouldn't raise the exception at all.	14:46
lbragstad	knikolla: it does - i might need to add a side_effect to that mock	14:47
knikolla	lbragstad: yes.	14:47
knikolla	lbragstad: besides that, patch looks good.	14:48
*** gyee has joined #openstack-keystone		14:48
*** links has joined #openstack-keystone		14:48
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Except forbidden when clearing default project IDs https://review.openstack.org/491546	14:49
lbragstad	knikolla: thanks ^	14:49
*** links has quit IRC		14:49
breton	https://specs.openstack.org/openstack/keystone-specs/specs/keystone/ocata/password-totp-plugin.html has this been implemented?	14:54
lbragstad	breton: yes	14:57
knikolla	breton: https://review.openstack.org/#/c/345113/	14:57
*** tobberyd_ has joined #openstack-keystone		14:57
lbragstad	https://review.openstack.org/#/c/491478/2 can use another review	14:57
lbragstad	^ closes an rc bug	14:57
breton	are there any docs about it?	14:58
breton	how to use user options?	14:58
lbragstad	https://docs.openstack.org/keystone/latest/advanced-topics/auth-totp.html	14:58
knikolla	breton: oops, sent the wrong link. sorry	14:59
*** tobberydberg has quit IRC		15:00
breton	lbragstad: cool, thanks. But that thing says about totp only. How do i enable password+totp	15:01
breton	lbragstad: ?	15:01
*** gyee_ has joined #openstack-keystone		15:01
breton	i am now seeing in the code that it is about resource options	15:01
breton	and does something with multi_factor_auth_enabled	15:02
breton	but how do i use it :(	15:02
*** otleimat has joined #openstack-keystone		15:02
*** gyee_ has quit IRC		15:04
*** tobberyd_ has quit IRC		15:04
*** gyee has quit IRC		15:04
*** gyee has joined #openstack-keystone		15:05
morgan	lbragstad:	15:05
morgan	uh... erm	15:05
lbragstad	it was added here - v	15:05
lbragstad	https://github.com/openstack/keystone/commit/ab9237f2c378eb2cf51b492ca9528327fa48b0b6	15:05
*** jrist has joined #openstack-keystone		15:05
morgan	someone needs to add docs about the auth-rules thing	15:05
morgan	so you can require totp	15:06
lbragstad	yeah - looks like the code that added multi-factor to resource options landed without docs	15:06
cmurphy	-_- lol	15:06
morgan	well i did a ton of the resource stuff, but no one followed up w/ the docs.	15:06
lbragstad	morgan: the basic flow is that an "admin" sets the RO for the users	15:06
morgan	yeah.	15:07
morgan	thats the basic idea	15:07
lbragstad	and the information is pulled when the user authenticates	15:07
lbragstad	and the mfa flow is initiated at that point, right?	15:07
lbragstad	^ boom - docs	15:07
* lbragstad calls it a day		15:07
morgan	the RO is a set of "[[x,y], [z], [y,z]]" auth modules	15:07
morgan	and if you match any of those combinations (aka, password && totp, token, token && totp [don't do this last one])	15:08
morgan	it works	15:08
morgan	and iirc you can add the RO on user create	15:09
lbragstad	morgan: is that fact that ^ isn't documented a rc blocker?	15:09
morgan	sooooo	15:09
morgan	no. not an rc blocker	15:09
lbragstad	but a bug	15:09
breton	but	15:09
morgan	i would never block an rc for a bug for a feature that is new.	15:09
morgan	it can land doc wise anytime	15:09
breton	the commit was in ocata cycle	15:09
morgan	yep	15:09
breton	ok.	15:09
lbragstad	ah - yes	15:09
lbragstad	https://review.openstack.org/#/c/418166/	15:09
morgan	so, not gonna block any rc especially for that	15:09
lbragstad	nevermind - i'm getting my release dates mixed up	15:10
morgan	the 410 fix is an rc blocker	15:10
morgan	https://review.openstack.org/#/c/490685/	15:10
*** lwanderley has quit IRC		15:11
morgan	cmurphy: thanks for the +2s on the "remove positional"	15:11
breton	why is it rc blocker? It has been like this for ages.	15:11
morgan	i've updated the library in pypi to inactive and pushed a few doc changes to indicate it is dead.	15:11
cmurphy	morgan: np	15:11
morgan	oh wait, hold on	15:11
morgan	crossing bugs in my mind.	15:11
morgan	nvm	15:11
morgan	was thinking it fixed something else as a side effect	15:12
lbragstad	morgan: the 204 -> 403 is a release blocker	15:12
lbragstad	https://bugs.launchpad.net/keystone/+bug/1705081	15:12
openstack	Launchpad bug 1705081 in OpenStack Identity (keystone) "DELETE project API is failing in forbidden(403) error message" [High,In progress] - Assigned to Lance Bragstad (lbragstad)	15:12
morgan	yeah that one	15:13
*** prashkre has quit IRC		15:13
* lbragstad sets https://review.openstack.org/#/c/491546/ on the desk next to morgan		15:13
morgan	approved	15:13
morgan	lbragstad: sorry, i don't have a desk	15:13
morgan	my coffee is taking up the small amount of space on the arm of the chair i am in	15:14
* lbragstad gently sets https://review.openstack.org/#/c/491546/ over morgan's coffee		15:14
morgan	lbragstad: -2, it is in the way of my coffee.	15:14
morgan	:P	15:14
*** dstepanenko has joined #openstack-keystone		15:14
cmurphy	you don't get in between morgan and his coffee	15:15
lbragstad	that is the correct answer, sir	15:15
morgan	cmurphy: ++	15:15
morgan	cmurphy: this is also awesome home-made cold brew	15:15
morgan	24-48hrs of brewing = amazing	15:15
lbragstad	morgan: what coffee to water ration do you use for code brew?	15:15
lbragstad	ratio*(	15:16
morgan	lbragstad: 1:10 or so, 100g coffee, 1000g water	15:16
morgan	somtimes i go 1:15	15:16
morgan	depends on the coffee	15:16
morgan	lbragstad: using https://www.kickstarter.com/projects/735135736/you-deserve-better-coffee-make-it-now-with-the-arc	15:16
breton	so how do i use the MFA? Do i need to set ro.MFA_RULES_OPT to [['password', 'totp']]?	15:16
morgan	breton: yes.	15:17
morgan	user['options'][ro.MFA_RULES_OPT] = [['password', 'totp'], ['token']] (ideally)	15:17
morgan	i think i explicitly exemted token	15:18
morgan	but it never hurts to be explicit	15:18
lbragstad	morgan: breton https://bugs.launchpad.net/keystone/+bug/1709344	15:18
openstack	Launchpad bug 1709344 in OpenStack Identity (keystone) "Identity resource options for multi-factor are undocumented" [Low,Triaged]	15:18
*** dstepanenko has quit IRC		15:19
breton	i wonder	15:20
breton	is there a way to use something derived from the secret in TOTP	15:21
morgan	breton: explain?	15:21
*** sbezverk has joined #openstack-keystone		15:23
breton	there is an existing system with totp. When i create a TOTP credential in keystone, i need to provide a secret for the user in the 'blob' field. I guess administrators will not be happy to give out secrets already used for existing totp tokens.	15:23
breton	i wonder what can be done in this situation other than giving out second, openstack-specific tokens	15:24
breton	(physical tokens)	15:24
*** sbezverk_ has joined #openstack-keystone		15:24
morgan	so, in the case of say yubikey you can import a specific secret	15:27
*** sbezverk has quit IRC		15:28
morgan	in the case of the other types of hard tokens, you often have to use their hardware appliance	15:28
*** lwanderley has joined #openstack-keystone		15:28
morgan	(RSA)	15:28
morgan	so, if we want to support that, we need a connector to the hardware appliance.	15:28
morgan	and a way to indicate "ask this thing for the current value"	15:28
morgan	we went with the google-authenticator totp model because it is pretty ubiquitous at this point and works with things such as yubikey	15:29
*** lwanderley has quit IRC		15:29
breton	who are "we"?	15:29
morgan	"we" being the openstack keystone team. in the latter bit (choosing google-auth totp model)	15:30
morgan	and prior "we" would be whomever is connecting to that appliance	15:30
morgan	or the upstream team, if we want to implement support for it	15:30
morgan	if the token is a hard-token (fob) that is part of a specific ecosystem, someone either has to import the secret and make sure the algorithm is the same or have a way to connect to the appliance thing that supplies the "good/bad" result.	15:31
breton	is there support for totp in openstackclient?	15:32
*** jmlowe has quit IRC		15:32
*** jmlowe has joined #openstack-keystone		15:32
breton	*for MFA	15:32
morgan	depends on if we have the stuff implemented in ksa	15:33
morgan	since osc leans on ksa's auth plugins	15:33
breton	and in ksa?	15:33
morgan	i just don't know off the top of my head	15:33
lbragstad	yeah - it looks like there is support for totp in ksa	15:34
morgan	lbragstad: i don't think ksa supports multiple auth-plugins atm though	15:34
lbragstad	https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/identity/v3/totp.py	15:34
morgan	which was a todo by... uh... who was working on mfa before i re-wrote for the RO code?	15:34
morgan	lbragstad: yes. but can you send both TOTP and password via ksa?	15:35
lbragstad	nonameentername proposed the original implementation	15:35
morgan	i don't think so	15:35
morgan	nah, was someone else	15:35
morgan	i don't remember who it was though.	15:35
breton	looks like we can't indeed.	15:35
morgan	breton: so that is something we need to fix.	15:36
lbragstad	sounds like we need a bug opened against ksa?	15:36
*** tobberydberg has joined #openstack-keystone		15:38
*** tobberyd_ has joined #openstack-keystone		15:41
lbragstad	morgan: breton by multiple auth plugins you mean ksa needs to be able to understand ['password', 'totp'] like flows?	15:41
*** tobberydberg has quit IRC		15:42
breton	lbragstad: yep	15:43
*** tobberyd_ has quit IRC		15:45
*** aselius has joined #openstack-keystone		15:52
lbragstad	breton: morgan feel free to fill in the context as you see fit - https://bugs.launchpad.net/keystoneauth/+bug/1709362	15:53
openstack	Launchpad bug 1709362 in keystoneauth "Add support for multiple authentication plugins" [Wishlist,Triaged]	15:53
*** rmascena has joined #openstack-keystone		15:54
*** raildo has quit IRC		15:56
*** rmascena is now known as raildo		16:01
*** tobberydberg has joined #openstack-keystone		16:07
*** dstepanenko has joined #openstack-keystone		16:09
*** tobberydberg has quit IRC		16:11
*** dstepanenko has quit IRC		16:13
breton	so in case of MFA	16:14
breton	if i have 2FA -- password and totp	16:15
breton	password succeeds, totp fails	16:15
breton	how many notifications will be emitted?	16:15
breton	and what notifications? success+fail? just fail?	16:15
*** lwanderley has joined #openstack-keystone		16:18
*** pcaruana has quit IRC		16:27
openstackgerrit	Samriddhi proposed openstack/keystone master: Fill in content in CLI Documentation https://review.openstack.org/490669	16:29
*** rcernin has quit IRC		16:31
*** tesseract has quit IRC		16:31
*** markvoelker has quit IRC		16:36
*** lwanderley has quit IRC		16:37
lbragstad	otleimat: o/	16:45
lbragstad	otleimat: looking to pick up https://bugs.launchpad.net/keystone/+bug/1645568 ?	16:45
openstack	Launchpad bug 1645568 in OpenStack Identity (keystone) " keystone-manage mapping_purge fails silently" [Low,Triaged] - Assigned to Omar Tleimat (otleimat)	16:45
*** lwanderley has joined #openstack-keystone		16:45
otleimat	lbragstad after reviewing the comments, is the issue that still remains the ability to have " a combination of --domain-name --public-id --local-id and --type, and now that's not possible anymore since they are all mutually exclusive"? Also, I was going to extend the coverage of the unit tests	16:59
samueldmq	morning keystone	17:00
gagehugo	samueldmq o/	17:00
samueldmq	gagehugo: o/	17:01
openstackgerrit	Davanum Srinivas (dims) proposed openstack/oslo.policy master: [WIP] Support for SSL based remote checks https://review.openstack.org/491783	17:17
*** prashkre has joined #openstack-keystone		17:21
*** spzala has quit IRC		17:29
*** tobberydberg has joined #openstack-keystone		17:33
*** sbezverk_ has quit IRC		17:37
*** markvoelker has joined #openstack-keystone		17:37
*** tobberydberg has quit IRC		17:37
*** ducttape_ has quit IRC		17:39
*** sbezverk has joined #openstack-keystone		17:42
*** markvoelker has quit IRC		17:44
openstackgerrit	Davanum Srinivas (dims) proposed openstack/oslo.policy master: [WIP] Support for SSL based remote checks https://review.openstack.org/491783	17:44
*** sjain has joined #openstack-keystone		17:45
*** ducttape_ has joined #openstack-keystone		17:49
lbragstad	otleimat: the problem with that specific bug is that the code is attempting to figure out the required argument - when it probably should have been designed to use a library to enforce mutual exclusiveness	17:56
lbragstad	the result of hand-rolling the code to do that in keystone is that its buggy	17:57
*** dstepanenko has joined #openstack-keystone		17:57
*** jrist has quit IRC		17:57
*** lwanderley has quit IRC		17:58
lbragstad	otleimat: based on the latest comments in https://review.openstack.org/#/c/408304/ it sounds like we need to figure out what all the possibilities are and re-center on that	17:58
lbragstad	it appears the approach ^ is missing a couple cases	17:58
lbragstad	(which is also a good sign that it's not properly tested	17:59
lbragstad	)	17:59
*** spzala has joined #openstack-keystone		17:59
*** tobberydberg has joined #openstack-keystone		18:00
*** tellesnobrega has joined #openstack-keystone		18:00
*** spzala has quit IRC		18:01
*** dstepanenko has quit IRC		18:01
*** spzala has joined #openstack-keystone		18:01
otleimat	lbragstad: thanks for the overview, I'll take a closer look at it this week	18:02
lbragstad	otleimat: awesome - let me know if you need any help	18:03
*** tobberydberg has quit IRC		18:04
*** ducttape_ has quit IRC		18:09
*** ducttape_ has joined #openstack-keystone		18:09
*** prashkre has quit IRC		18:17
*** spilla has joined #openstack-keystone		18:17
*** ducttape_ has quit IRC		18:20
*** prashkre has joined #openstack-keystone		18:21
*** jeremyfreudberg has joined #openstack-keystone		18:21
tellesnobrega	ayoung, ping	18:22
ayoung	ping tellesnobrega	18:22
ayoung	ping: tellesnobrega: Name or service not known	18:22
ayoung	traceroute tellesnobrega	18:22
ayoung	tellesnobrega: Name or service not known	18:22
ayoung	Cannot handle "host" cmdline arg `tellesnobrega' on position 1 (argc 1)	18:22
*** ducttape_ has joined #openstack-keystone		18:22
ayoung	nslookup tellesnobrega	18:22
tellesnobrega	ayoung, I remember that you told me in Boston that if I needed help with trusts I should ping you	18:22
ayoung	Server:127.0.0.1	18:22
ayoung	Address:127.0.0.1#53	18:22
ayoung	** server can't find tellesnobrega: NXDOMAIN	18:22
ayoung	I would never have said that.	18:23
ayoung	I would have said you should ask me....	18:23
ayoung	ping carries no payload	18:23
ayoung	and its at the layer 2 level...message would never get tom	18:23
ayoung	to me	18:23
tellesnobrega	ayoung, true, I might have heard you wrong	18:23
ayoung	at a minimum use UDP somehow	18:23
ayoung	Heh	18:23
ayoung	anyway...yes, I can help with trusts	18:23
ayoung	what do you need	18:23
tellesnobrega	we are hitting an issue on sahara with trusts, related with keystone_authtoken that prevents sahara to create trusts for the cluster	18:25
tellesnobrega	this is the bug that was reported	18:25
tellesnobrega	us	18:25
tellesnobrega	https://bugs.launchpad.net/sahara/+bug/1709091	18:25
openstack	Launchpad bug 1709091 in Sahara ""Failed to create trust" on pike" [Critical,Confirmed]	18:25
tellesnobrega	do you happen to have seen this before?	18:29
*** spilla has quit IRC		18:31
*** nicolasbock has quit IRC		18:32
*** tobberydberg has joined #openstack-keystone		18:32
ayoung	tellesnobrega, assume I know nothing about Sahara. What user is making the call to create the Trust, who is the trustor, and who is the trustee?	18:33
tellesnobrega	ayoung, I would say that the user is sahara and	18:35
tellesnobrega	trustor = keystone.auth()	18:35
tellesnobrega	trustee = keystone.auth_for_admin(project_name=CONF.keystone_authtoken.admin_tenant_name)	18:35
jeremyfreudberg	(tellesnobrega, i'm back)	18:35
ayoung	nope try again	18:36
ayoung	your answer does not map to the world	18:36
ayoung	tellesnobrega, let me try asking a different way	18:36
tellesnobrega	ayoung, jeremyfreudberg was the one running the test	18:36
tellesnobrega	he may know that in more details	18:36
ayoung	say I am a human user with the ayoung username in the system	18:36
ayoung	I go to sahara and something kicks off a trust create, right?	18:37
tellesnobrega	ayoung, correct	18:37
*** tobberydberg has quit IRC		18:37
ayoung	tellesnobrega, so the trustor would be ayoung. Who is the trustee?	18:37
jeremyfreudberg	ayoung, trustee should be sahara service user	18:38
jeremyfreudberg	or whatever creds are in [keystone_authtoken] section	18:39
ayoung	jeremyfreudberg, one service user created on a per-human-user bassis?	18:39
ayoung	oooh	18:39
ayoung	yuck...but OK	18:39
ayoung	so, lets say that username is sahara	18:39
jeremyfreudberg	ayoung, sure	18:39
jeremyfreudberg	(i'm assuming i have trustor trustee in the right order, i always get the the who's who of that backwards)	18:40
jeremyfreudberg	but the issue is not with creating the trusts themselves	18:40
ayoung	If I trust you, I am the trustor, you are the trustee	18:40
jeremyfreudberg	the issue is with accessing the private keystone_authtoken configs	18:40
ayoung	I really worked hard to try and come up with language that was human consumable here	18:40
*** markvoelker has joined #openstack-keystone		18:40
jeremyfreudberg	ayoung, that makes sense	18:40
ayoung	jeremyfreudberg, so, I trust Sahara to do something on my behalf	18:41
jeremyfreudberg	yes	18:41
ayoung	trustor=ayoung, trustee=sahara	18:41
jeremyfreudberg	yes	18:41
ayoung	now, since I sent my token to sahara, that is what sahara is going to use to make the trust.	18:41
ayoung	Not its own token	18:41
jeremyfreudberg	sure	18:42
tellesnobrega	This delegates a trust from the current user to the Sahara admin user	18:42
ayoung	The bug report does not say why the trust create failed. But my first guess would be that you used the wrong token	18:42
jeremyfreudberg	my question (and our issue) is not really about that though, our trust system does work. the issue revovles around simply reading the config	18:42
*** tellesnobrega has left #openstack-keystone		18:43
jeremyfreudberg	some keystonemiddleware magic and [keystone_authtoken] being private	18:43
*** tellesnobrega has joined #openstack-keystone		18:43
ayoung	um....ok...so this is not a trust question?	18:43
jeremyfreudberg	ayoung, no, not really	18:44
ayoung	jeremyfreudberg, what values do you need from auth_token?	18:45
*** tobberydberg has joined #openstack-keystone		18:45
ayoung	the murano code posted there looks semi-sane	18:45
jeremyfreudberg	ayoung, i believe at least username and project_name	18:45
jeremyfreudberg	ayoung, we tried the murano code, as well as https://github.com/openstack/heat/blame/master/heat/common/endpoint_utils.py#L34	18:46
jeremyfreudberg	but we still get the error with trying to find those configs	18:46
ayoung	if you are creating a trust, then you probably only need the service userid	18:46
ayoung	to createa a trust, you need a trustor, a trustee, and a set of roles	18:46
ayoung	from the config, you only get, I think, the username	18:46
ayoung	with v3, there is a domain name or id in there. That is probably what you need	18:47
*** markvoelker has quit IRC		18:48
jeremyfreudberg	ayoung, hmm...	18:48
*** tobberydberg has quit IRC		18:49
ayoung	I'm kindof confused about what you are tryuing to do, but if it is create a trust, and you want to get the trustee information out of the auth_token section, you need keystone_authtoken.username and eystone_authtoken.user_domain_id	18:49
jeremyfreudberg	ayoung, sorry i'm being confusing (knikolla can attest, i sit across from him)... you're right that our entire problem is that we are having issues grabbing the right configs for the trustee	18:50
ayoung	jeremyfreudberg, then I blame knikolla for the whole thing	18:51
jeremyfreudberg	https://github.com/openstack/sahara/blob/master/sahara/service/trusts.py#L89 and https://github.com/openstack/sahara/blob/master/sahara/utils/openstack/keystone.py#L86 is how we do it now, you're saying we don't need all that?	18:51
jeremyfreudberg	replace second link with our attempt https://review.openstack.org/#/c/485521/2/sahara/utils/openstack/keystone.py@77	18:52
knikolla	Gimme a sec.	18:52
ayoung	I'm not familiar with keystone.auth_for_admin(project_name=CONF.keystone_authtoken.admin_tenant_name)	18:54
ayoung	but it looks like it should be	18:54
jeremyfreudberg	ayoung, it's our own wrapper that eventually trickles down to v3.Password	18:54
ayoung	jeremyfreudberg, is that pulling out the service users ID?	18:55
jeremyfreudberg	ayoung, username=CONF.keystone_authtoken.username,	18:56
jeremyfreudberg	password=CONF.keystone_authtoken.password, project_name = CONF.keystone_authtoken.project_name (formerly admin_tenant_name) user_domain_name=CONF.keystone_authtoken.user_domain_name,	18:56
jeremyfreudberg	project_domain_name=CONF.keystone_authtoken.project_domain_name	18:56
jeremyfreudberg	sorry, very bad paste	18:56
ayoung	https://developer.openstack.org/api-ref/identity/v3-ext/#os-trust-api	18:57
ayoung	the actual API param is trustor_user_id and trustee_user_id	18:57
ayoung	not sure about what python-keystoneclient exposes them as	18:58
jeremyfreudberg	ayoung, we aren't even at that point yet, though	18:58
jeremyfreudberg	we're still stuck trying to grab any config value from [keystone_authtoken]...	18:58
lbragstad	#startmeeting keystone-office-hours	19:00
openstack	Meeting started Tue Aug 8 19:00:44 2017 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.	19:00
openstack	Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.	19:00
openstack	The meeting name has been set to 'keystone_office_hours'	19:00
cmurphy	o/	19:00
mordred	cmurphy, morgan, lbragstad: I agree with what I see in the summary - adding a microversion header without actually supporting microversions seems like a very bad idea	19:01
knikolla	o/	19:01
lbragstad	mordred: ack	19:01
lbragstad	mordred: we've punted that until we can discuss our approach to microversions at the PTG	19:01
mordred	++	19:02
mordred	lbragstad: I think that's a great plan	19:02
lbragstad	cmurphy: i think https://bugs.launchpad.net/keystone/+bug/1692090 needs more info	19:04
openstack	Launchpad bug 1692090 in OpenStack Identity (keystone) "_dn_to_id ignores user_id_attribute" [Low,In progress] - Assigned to Boris Kudryavtsev (bkudryavtsev)	19:04
lbragstad	cmurphy: based on your comment - i'm inclined to think you agree	19:04
cmurphy	lbragstad: yes i think that might be solveable in config	19:05
lbragstad	cmurphy: ack - removed from rc1 and marked as Incomplete	19:05
cmurphy	lbragstad: also it seemed like the solution was making another round trip to ldap which is :(	19:06
*** tellesnobrega has left #openstack-keystone		19:06
lbragstad	yeah..	19:07
lbragstad	morgan: your 410 gone patch addressed https://bugs.launchpad.net/keystone/+bug/1696308 ?	19:07
openstack	Launchpad bug 1696308 in OpenStack Identity (keystone) "list revoked tokens API returns 500 when pki_setup is not run" [Wishlist,Triaged] - Assigned to Nisha Yadav (ynisha11)	19:07
morgan	yeah it does	19:08
*** sjain has quit IRC		19:09
ayoung	jeremyfreudberg, HTTP_X_USER_ID, HTTP_X_SERVICE_USER_ID	19:20
*** ducttap__ has joined #openstack-keystone		19:26
*** ducttape_ has quit IRC		19:29
*** aojea has joined #openstack-keystone		19:30
*** ducttape_ has joined #openstack-keystone		19:31
*** ducttap__ has quit IRC		19:34
*** tobberydberg has joined #openstack-keystone		19:38
*** markvoelker has joined #openstack-keystone		19:44
*** dstepanenko has joined #openstack-keystone		19:45
*** prashkre has quit IRC		19:46
*** dstepanenko has quit IRC		19:50
*** markvoelker has quit IRC		19:51
*** aojea has quit IRC		19:51
*** jmlowe has quit IRC		19:54
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Attempt caching list_projects_for_user https://review.openstack.org/487143	19:56
*** aojea has joined #openstack-keystone		20:09
*** lucasxu has quit IRC		20:17
lbragstad	cmurphy: ^ that passes tests now	20:23
lbragstad	(at least locally)	20:23
cmurphy	sweet	20:24
lbragstad	i have a patch for my other todo from today's meeting	20:24
*** aojea has quit IRC		20:24
lbragstad	running tests locally at the moment	20:24
openstackgerrit	Eric Fried proposed openstack/keystoneauth master: WIP: Adapter.get_conf_options(deprecated_opts) https://review.openstack.org/490895	20:24
*** jeremyfreudberg has left #openstack-keystone		20:24
cmurphy	lbragstad: why did the hints arg get dropped?	20:25
cmurphy	that seems not backwards compatible	20:25
lbragstad	cmurphy: still working through that bit	20:26
lbragstad	actually	20:26
lbragstad	our caching decorator doesn't let us cache methods that accept kwargs	20:27
lbragstad	:-/	20:27
*** aojea has joined #openstack-keystone		20:28
cmurphy	hrm :(	20:28
*** jmlowe has joined #openstack-keystone		20:28
lbragstad	cmurphy: oh!	20:29
lbragstad	cmurphy: i remember now	20:29
lbragstad	cmurphy: no only does it cause weird things with caching	20:29
lbragstad	cmurphy: it's not even used	20:30
*** tobberydberg has quit IRC		20:30
lbragstad	https://review.openstack.org/#/c/487143/2/keystone/assignment/core.py	20:30
cmurphy	oh you're right	20:30
*** tobberydberg has joined #openstack-keystone		20:30
lbragstad	i should pull that out into it's own change	20:30
cmurphy	yes please	20:31
openstackgerrit	Lance Bragstad proposed openstack/keystone master: WIP: Unset project ids for all identity backends https://review.openstack.org/491916	20:35
*** tobberydberg has quit IRC		20:35
*** ducttape_ has quit IRC		20:39
*** ducttape_ has joined #openstack-keystone		20:42
*** ducttape_ has quit IRC		20:46
*** aojea has quit IRC		20:51
*** sbezverk has quit IRC		20:53
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Cache GET /v3/users/{user_id}/projects https://review.openstack.org/487143	20:57
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove hints from list_user_projects API https://review.openstack.org/491921	20:57
openstackgerrit	Eric Fried proposed openstack/keystoneauth master: Adapter.get_conf_options(deprecated_opts) https://review.openstack.org/490895	20:57
efried	^ ready; closes bug https://bugs.launchpad.net/keystoneauth/+bug/1708673	20:59
openstack	Launchpad bug 1708673 in keystoneauth "Register deprecated opts with Adapter.get_conf_options" [Undecided,In progress] - Assigned to Eric Fried (efried)	20:59
openstackgerrit	Merged openstack/keystone master: Document required `type` mapping attribute https://review.openstack.org/491478	21:01
*** spzala has quit IRC		21:02
*** ducttape_ has joined #openstack-keystone		21:05
*** gyee has quit IRC		21:05
cmurphy	lbragstad: so with 491921 - do we need to worry about it breaking out-of-tree drivers?	21:07
cmurphy	this isn't breaking an api contract at all?	21:07
lbragstad	i don't believe it is? but i'll walk through how i understand it to be sure	21:09
lbragstad	so before that change - that api will have attempted to extract things from the request and builds a hints object	21:09
lbragstad	based on query strings and whatnot	21:10
*** aojea has joined #openstack-keystone		21:10
lbragstad	regardless of what the user passed in - keystone would always return the same list of assignments (which is arguably broken behavior)	21:10
lbragstad	so - as far as what keystone returns, it should be the same before and after the patch	21:11
lbragstad	from a driver perspective - the hints object was never passed to a driver so I don't think it should affect folks maintaining their own assignment backend	21:11
cmurphy	okay	21:12
*** mjax has joined #openstack-keystone		21:12
lbragstad	cmurphy: call me out on it if that doesn't seem right though	21:13
cmurphy	lbragstad: no that makes sense	21:14
cmurphy	lbragstad: minor comment on the patch	21:14
lbragstad	cmurphy: reading	21:14
lbragstad	this might be worth investigating though? https://github.com/openstack/keystone/blob/de5efb234809c1af43f8d98c29759588c0333f29/keystone/assignment/controllers.py#L273	21:15
lbragstad	just to see if wrap_collection does anything with hints in the response	21:15
lbragstad	(which would mean it would be inconsistent with the actual response body since it was never passed to the backend)	21:16
openstackgerrit	Lance Bragstad proposed openstack/keystone master: WIP: Unset project ids for all identity backends https://review.openstack.org/491916	21:17
cmurphy	hmm iirc it does do things, like imposing list limits	21:17
lbragstad	cmurphy: right	21:17
lbragstad	^	21:17
openstackgerrit	Lance Bragstad proposed openstack/keystone master: WIP: Unset project ids for all identity backends https://review.openstack.org/491916	21:19
clarkb	lbragstad: I think I have time now to look at that grenade thing again. Looks like the logs for the case I found have already been expired and deleted :/	21:21
lbragstad	clarkb: yeah - cmurphy and i noticed that earlier	21:22
clarkb	my memory of the original case was that tests were failing due to the bug so it wasn't just a warning. IIRC nova couldn't boot instances because some system user apparently did not exist	21:22
*** sbezverk has joined #openstack-keystone		21:22
*** StefanPaetowJisc has joined #openstack-keystone		21:22
clarkb	that said all of the hits for your logstash query are failed jobs	21:22
clarkb	so I don't think its "normal" at least not during tempest runs	21:23
clarkb	oh except those are all for the midonet job which likely is just broken	21:24
clarkb	oh and that was only last 15 minutes derp	21:24
*** StefanPaetowJisc has quit IRC		21:24
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove hints when listing domains and project for users https://review.openstack.org/491921	21:25
*** StefanPaetowJisc has joined #openstack-keystone		21:25
openstackgerrit	Gage Hugo proposed openstack/keystone master: WIP - Add description for relationship links in api-ref https://review.openstack.org/491934	21:28
gagehugo	lbragstad: ^ WIP but let me know if that would be a good approach to take for describing the relationship links	21:28
*** StefanPaetowJi-1 has joined #openstack-keystone		21:28
clarkb	lbragstad: I noticed http://logs.openstack.org/17/479517/20/check/gate-grenade-dsvm-neutron-ubuntu-xenial/94d3489/logs/apache/keystone.txt?level=WARNING#_2017-08-08_21_10_44_518 while digging into logs for the earlier issue, not sure if this is expected (maybe just a bad patch?)	21:29
lbragstad	gagehugo: thanks	21:30
lbragstad	clarkb: interesting - that seems consistent with our direction	21:30
*** StefanPaetowJisc has quit IRC		21:30
*** StefanPaetowJi-1 is now known as StefanPaetowJisc		21:31
lbragstad	clarkb: https://github.com/openstack/keystone/blob/de5efb234809c1af43f8d98c29759588c0333f29/keystone/middleware/core.py#L51-L71	21:31
lbragstad	might need to update the paste file for that service?	21:31
openstackgerrit	Eric Fried proposed openstack/keystoneauth master: Protect against missing interface attribute https://review.openstack.org/488568	21:32
efried	^ ready; closes bug https://bugs.launchpad.net/keystoneauth/+bug/1707273	21:32
openstack	Launchpad bug 1707273 in keystoneauth "get_adapter_conf_options(include_deprecated=False) results in NoSuchOptError" [Undecided,In progress] - Assigned to Eric Fried (efried)	21:32
clarkb	interesting that you chose to log that as an error... should be warning imo. Errors should be for fatal actions	21:32
*** raildo has quit IRC		21:32
clarkb	lbragstad: its probably because in grenade we don't update the configs between versions so we write the old version then update install and start new version with old config	21:32
clarkb	(but thats totally not an error)	21:33
*** dstepanenko has joined #openstack-keystone		21:33
lbragstad	clarkb: here's the change https://review.openstack.org/#/c/427878/	21:33
lbragstad	digging into it to see if there is history behind the reasoning	21:34
clarkb	lbragstad: I've tried searching logstash tempest.txt on grenade jobs for timeouts based on the original bugs info, and I'm not finding anything so guessing this bug can be ignored/closed and we'll just have to debug it if it shows up again	21:34
lbragstad	morgan: do you remember the context of why that ^ was an error instead of a warning?	21:35
clarkb	lbragstad: cmurphy so ya I think I'd just mark that as incomplete or invalid until we have more infos	21:35
morgan	uhm....	21:36
cmurphy	clarkb: \o/ best kind of bug	21:36
morgan	yes	21:36
morgan	that is supposed to be an error	21:36
morgan	don't have that in your paste-ini	21:36
clarkb	but it isn't an error if the service is perfectly capable of functioning...	21:36
*** markvoelker has joined #openstack-keystone		21:37
morgan	it is going away as in it will break your cloud when it's deleted	21:37
clarkb	sure definitely log it	21:37
morgan	it's logged as an error because of that	21:37
clarkb	warning would be appropriate	21:37
morgan	i disagree.	21:37
*** dstepanenko has quit IRC		21:37
morgan	we did warning before and it wasn't high enough	21:37
morgan	things broke people horribly	21:37
clarkb	the problem with error is anytime I see an error in my logs I think fire	21:37
*** thorst has quit IRC		21:37
clarkb	and the problem is lots of software doesn't actually log errors for fires and it leads to people ignoring errors	21:38
clarkb	then you miss real fires	21:38
morgan	this is a fire, if we remove it it errors and breaks the cloud in non-easy to diagnose ways	21:38
* clarkb looks at gerrit's logs and has a sad		21:38
morgan	this must be removed this release.	21:38
clarkb	morgan: thats not what grenade says	21:38
*** edmondsw has quit IRC		21:38
lbragstad	morgan: you mean in Queens?	21:38
clarkb	grenade says keystone is working fine despite the error	21:38
morgan	before queens	21:38
clarkb	next release then	21:39
morgan	if it is not removed in queens you break. and break badly. paste-ini is many times CMS managed (sigh)	21:39
clarkb	not this release	21:39
morgan	it must be removed in this release, not there by next	21:39
clarkb	(so grenade is doing the right thing)	21:39
morgan	if it is still there next release, you are 100% broken and it is not a clear error	21:39
morgan	paste errors are really unclear/unfun	21:39
morgan	and confusing	21:40
morgan	this is an error case. it is an operator must make a change.	21:40
clarkb	anyways my point is it works fine in pike as evidenced by grenade	21:40
lbragstad	this says if was deprecated this release and staged for removal in Queens https://github.com/openstack/keystone/blob/de5efb234809c1af43f8d98c29759588c0333f29/keystone/middleware/core.py#L55-L58	21:40
clarkb	and there are better ways to address that (like the work to make paste data not config)	21:40
morgan	lbragstad: correct	21:40
morgan	clarkb: i tried, i lost that battle	21:40
clarkb	if it was actually an error grenade should fail imo	21:40
morgan	the way to do that is delete paste from our deps	21:40
morgan	you can't make it not config otherwise	21:41
morgan	lbragstad: when the code is deleted, paste fails if it's still there	21:41
clarkb	as is you have a honeypot for people debugging real errors that will only cause confusion	21:41
morgan	clarkb: i wanted to remove paste and make everything a simple wsgi app, i was told in no uncertain terms by other cores that that was a -2 because people use it as config and add elements to the pipeline	21:41
morgan	well, then i guess we'll just disagree. in my experience, when a change is needed within the cycle that will totally hork your cloud next upgrade, it is worthy of an error	21:42
*** markvoelker has quit IRC		21:44
* morgan stands by the decision that it is an error.		21:44
morgan	if the ptl wants to change it, he may. i'm not going to block a change like that.	21:45
morgan	or ptl supporitng a change for it.	21:45
clarkb	I'm just giving my opinion as a person that oeprates a ton of different software and reads a lot of openstack logs	21:45
clarkb	using error too much leads to people ignoring it and also creates confusion when looking for causes of real failures	21:45
morgan	the error log did exactly what it was supposed to do btw	21:45
morgan	then	21:45
morgan	it brought your attention to the paste-ini	21:45
clarkb	yup, but if I'm debugging why nova can't boot an instance that isn't useful	21:46
morgan	as an operator you'd see that and fix your config, no?	21:46
morgan	early on. but it doesn't break your cloud today	21:46
clarkb	yes, but not while I am firefighting	21:46
clarkb	its just noise and not helpful	21:46
morgan	anyway, i simply disagree here.	21:47
morgan	this is telegraphing a "will break your cloud" [it's not critical, it is an error in the config] change	21:48
openstackgerrit	Eric Fried proposed openstack/keystoneauth master: Protect against missing interface attribute https://review.openstack.org/488568	21:48
openstackgerrit	Eric Fried proposed openstack/keystoneauth master: Adapter.get_conf_options(deprecated_opts) https://review.openstack.org/490895	21:48
efried	okay NOW they're ready.	21:49
clarkb	morgan: you might want to link to docs/release notes in that case	21:49
morgan	clarkb: if it is a huge deal, propose a fix that downgrades it and have lbragstad approve it. i stand by this choice.	21:49
clarkb	morgan: so that it is clear where the delineation is and why things aren't on fire now	21:50
clarkb	as is the message says "you are broken cloud on fire"	21:50
lbragstad	it doesn't look like it's in the cinder paste.ini	21:53
morgan	this is only in the keystone paste-ini	21:53
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Make an error state message more explicit https://review.openstack.org/491938	21:56
lbragstad	weird - so where is that getting set?	21:56
lbragstad	oh...	21:56
morgan	grenade doesn't update the paste-ini	21:56
morgan	or use the new one	21:56
morgan	so the code says "oh hey this is a bad config. this will break your cloud in the next release'	21:56
morgan	'fix your config'	21:57
morgan	if the operator was using the default paste-ini from pike, no issue would occur	21:57
morgan	but if they manage paste-ini as config (which they shouldn't, but i lost that argument as said before)	21:57
morgan	they would need to fix it to prevent a future "omg totally broken"	21:58
lbragstad	#endmeeting	22:01
openstack	Meeting ended Tue Aug 8 22:01:50 2017 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)	22:01
openstack	Minutes: http://eavesdrop.openstack.org/meetings/keystone_office_hours/2017/keystone_office_hours.2017-08-08-19.00.html	22:01
openstack	Minutes (text): http://eavesdrop.openstack.org/meetings/keystone_office_hours/2017/keystone_office_hours.2017-08-08-19.00.txt	22:01
openstack	Log: http://eavesdrop.openstack.org/meetings/keystone_office_hours/2017/keystone_office_hours.2017-08-08-19.00.log.html	22:01
*** markvoelker has joined #openstack-keystone		22:04
*** StefanPaetowJisc has quit IRC		22:04
*** markvoelker_ has joined #openstack-keystone		22:05
*** markvoelker has quit IRC		22:09
efried	mordred If I specify an endpoint_override to my Adapter, and I say adap.get_endpoint_data(discover_versions=False, skip_discovery=True), do I expect that ksa will NOT try to GET at whatever I specified as my endpoint_override?	22:25
efried	(never mind that Adapter.get_endpoint_data doesn't take those kwargs today - in my sandbox it does, and passes them down to auth.get_endpoint_data)	22:26
mordred	efried: so - that's a really weird call to make - what's the intent?	22:27
efried	mordred Well, ultimately I'm trying to "fix" the thing where I specify an endpoint_override, but get_endpoint_data().url gives me back something that ain't that.	22:27
*** dstepanenko has joined #openstack-keystone		22:27
mordred	yah. that's a thing I totally agree with :)	22:28
efried	So I'm playing around in a sandbox and noticing that when I say adapter_with_endpoint_override.get_endpoint_data(), it takes a sec - longer if my endpoint_override is e.g. external and/or not a real service.	22:28
mordred	efried: so - yeah, I 'd expect get_endpoint_data(discover_versions=False, skip_discovery=True) to not do a fetch - although honestly I'm not 100% sure we should expose that on the adapter call	22:29
efried	mordred Wellll...	22:29
mordred	but - igoring that for a sec - I do think we should make sure it's possible to get the URL that's been given and avoid additional calls	22:29
*** spzala has joined #openstack-keystone		22:30
mordred	the reason I say I'm not sure we should expose it is that get_endpoint is there for if you just want a URL - and get_endpoint should pass skip_discovery=True already, right?	22:30
efried	Okay, so yeah, if I just have an adapter with an endpoint override and I say get_endpoint(), it skips everything and regurgitates my endpoint_override. That's fine.	22:30
mordred	get_endpoint_data ultimately needs to make the call because the point of it is mostly to get you the metainfo about the endpoint in question	22:31
mordred	and it can't fetch that data without doing a GET	22:31
efried	Shit, I guess the only reason I really care to go through get_endpoint_data at all in this case is because nova's _ContextAuthPlugin is busted.	22:31
mordred	HOWEVER - we need to make sure that if we give an endpoint_override and call get_endpoint_data that we don't wind up returning a different URL from the discovery dict	22:32
efried	yuh, that's the subject of https://bugs.launchpad.net/keystoneauth/+bug/1707993	22:32
openstack	Launchpad bug 1707993 in keystoneauth "EndpointData.url should regurgitate my endpoint_override" [Low,Triaged]	22:32
mordred	if you give endpoint_override you should ALWAYS get it back	22:32
*** dstepanenko has quit IRC		22:32
efried	...which I can fix with the suggested solution - though I'm still unsure how to test it.	22:32
efried	Which is what I was trying to figure out when I got into this rabbit hole.	22:33
mordred	nod	22:34
mordred	understand	22:34
efried	Cause of course I started off putting endpoint_override = http://foo.com:1234 into my conf.	22:34
efried	expecting to get that back.	22:34
efried	which... kinda happens after a long time if I let it go.	22:34
mordred	efried: well - you can put in some requests_mock things into the unittest and make sure nothing hits that url	22:34
efried	mordred I don't think that's what I want to test.	22:35
efried	I actually want to test the fix for https://bugs.launchpad.net/keystoneauth/+bug/1707993	22:35
openstack	Launchpad bug 1707993 in keystoneauth "EndpointData.url should regurgitate my endpoint_override" [Low,Triaged]	22:35
efried	and mebbe forget about that other thing :)	22:35
efried	right now if I do that - set the service_url to the endpoint_override - all the existing tests pass.	22:36
efried	What I actually need is a test that fails without that fix, of course.	22:36
mordred	yah- well, we do want to make sure we're not causing an additinal GET - but that should be covered by skip_discovery (which even mentions endpoint_override in its docs :) )	22:36
*** markvoelker has joined #openstack-keystone		22:36
mordred	efried: so - I think two things:	22:37
efried	mordred Not causing an additional GET - additional because we're setting both service_url and catalog_url? Or because we're using an endpoint_override?	22:37
mordred	efried: you need a test that sets up a version discovery doc that has a different url than when you're using for endpoint_override	22:37
*** markvoel_ has joined #openstack-keystone		22:37
mordred	so that you can see if fail beuase it'll return hte url it finds from that - and then that setting serice_url = endpoint_override makes it not fail in that way	22:38
*** thorst has joined #openstack-keystone		22:38
mordred	efried: the additional GET should be covered by skip_discovery ... if we call get_endpoint_data and skip_discovery is false, we should expect it to grab the version document for the endpoint in question	22:39
mordred	efried: which is my way of saying I think your issue has 2 hedas - the functional/important one is your suggestion of setting service_url=endpoint_override - which I think is the right fix and you should do it	22:40
*** gyee has joined #openstack-keystone		22:40
*** markvoelker_ has quit IRC		22:40
openstackgerrit	Davanum Srinivas (dims) proposed openstack/oslo.policy master: [WIP] Support for SSL based remote checks https://review.openstack.org/491783	22:40
*** markvoelker has quit IRC		22:41
efried	mordred Okay, so if I put that up, could I talk you into doing the UT (or at least getting me started)?	22:42
openstackgerrit	Eric Fried proposed openstack/keystoneauth master: WIP: Return the endpoint_override from EndpointData https://review.openstack.org/491947	22:43
*** thorst has quit IRC		22:43
efried	^	22:43
mordred	efried: yes - although it'll be tomorrow morning before I can	22:44
efried	mordred Sure, no problem. TIA.	22:44
efried	mordred In case a mutual-back-scratch helps my case, https://review.openstack.org/#/c/488568/6/keystoneauth1/tests/unit/loading/test_adapter.py :)	22:46
openstackgerrit	Merged openstack/keystone master: Except forbidden when clearing default project IDs https://review.openstack.org/491546	23:00
*** markvoelker has joined #openstack-keystone		23:01
*** markvoel_ has quit IRC		23:03
*** spzala has quit IRC		23:05
*** spzala has joined #openstack-keystone		23:05
*** spzala has quit IRC		23:05
*** spzala has joined #openstack-keystone		23:06
*** spzala has quit IRC		23:06
*** spzala has joined #openstack-keystone		23:07
*** spzala has quit IRC		23:07
*** spzala has joined #openstack-keystone		23:07
*** spzala has quit IRC		23:07
*** spzala has joined #openstack-keystone		23:08
*** spzala has quit IRC		23:08
openstackgerrit	Merged openstack/keystone master: Fill in content in CLI Documentation https://review.openstack.org/490669	23:08
*** aojea has quit IRC		23:12
*** markvoelker has quit IRC		23:18
*** markvoelker has joined #openstack-keystone		23:18
*** ducttape_ has quit IRC		23:19
*** markvoelker has quit IRC		23:23
*** ducttape_ has joined #openstack-keystone		23:25
*** catintheroof has quit IRC		23:29
otleimat	For parsing arguments in the command line in python, does anyone know a good way to require at least one option but not limit it to one? All solutions I've seen require you to add logic. I was wondering if there any builtin options for this. A mutually exclusive group solves the requiring at least one option but limits it to at most one. Would appreciate any feedback	23:46
morgan	Not that I am aware of	23:59
morgan	It would be custom logic.	23:59

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!