Wednesday, 2017-08-09

morgan	You might be able to have exclusive groups within a non exclusive group.	00:00
openstackgerrit	Davanum Srinivas (dims) proposed openstack/oslo.policy master: [WIP] Support for SSL based remote checks https://review.openstack.org/491783	00:10
*** ducttape_ has quit IRC		00:12
*** dstepanenko has joined #openstack-keystone		00:15
*** dstepanenko has quit IRC		00:20
*** ducttape_ has joined #openstack-keystone		00:22
*** hoonetorg has quit IRC		00:23
*** sbezverk has quit IRC		00:24
*** ducttape_ has quit IRC		00:26
*** thorst has joined #openstack-keystone		00:39
*** ducttape_ has joined #openstack-keystone		00:42
*** ducttape_ has quit IRC		00:42
*** thorst has quit IRC		00:44
*** ducttape_ has joined #openstack-keystone		00:46
*** Shunli has joined #openstack-keystone		00:49
*** thorst has joined #openstack-keystone		00:58
*** adriant has quit IRC		00:59
*** ducttape_ has quit IRC		01:06
*** markvoelker has joined #openstack-keystone		01:07
*** zhurong has joined #openstack-keystone		01:26
*** gongysh has joined #openstack-keystone		01:44
*** ducttape_ has joined #openstack-keystone		01:45
*** aselius has quit IRC		01:47
*** mjax has quit IRC		01:49
*** ducttap__ has joined #openstack-keystone		01:51
*** ducttape_ has quit IRC		01:55
*** otleimat has quit IRC		01:56
*** dstepanenko has joined #openstack-keystone		02:03
*** dstepanenko has quit IRC		02:08
openstackgerrit	Davanum Srinivas (dims) proposed openstack/oslo.policy master: [WIP] Support for SSL based remote checks https://review.openstack.org/491783	02:10
*** otleimat has joined #openstack-keystone		02:11
otleimat	morgan thanks	02:11
*** thorst has quit IRC		02:16
*** ducttape_ has joined #openstack-keystone		02:25
*** ducttap__ has quit IRC		02:28
*** markvoelker has quit IRC		02:30
*** markvoelker has joined #openstack-keystone		02:33
*** zhurong has quit IRC		02:44
*** zhurong has joined #openstack-keystone		03:01
*** sbezverk has joined #openstack-keystone		03:06
*** markvoelker has quit IRC		03:07
*** links has joined #openstack-keystone		03:15
*** thorst has joined #openstack-keystone		03:17
*** sbezverk has quit IRC		03:18
*** ducttape_ has quit IRC		03:20
*** thorst has quit IRC		03:21
*** ducttape_ has joined #openstack-keystone		03:27
*** dave-mccowan has quit IRC		03:28
*** ducttape_ has quit IRC		03:28
*** ducttape_ has joined #openstack-keystone		03:34
*** ducttape_ has quit IRC		03:36
*** markvoelker_ has joined #openstack-keystone		03:49
*** dstepanenko has joined #openstack-keystone		03:52
*** markvoelker_ has quit IRC		03:54
*** dstepanenko has quit IRC		03:56
*** nicolasbock has joined #openstack-keystone		03:57
*** gongysh has quit IRC		04:03
*** zhurong has quit IRC		04:19
*** zhurong has joined #openstack-keystone		04:20
*** prashkre has joined #openstack-keystone		04:21
*** sbezverk has joined #openstack-keystone		04:26
*** mjax has joined #openstack-keystone		04:33
*** mjax has quit IRC		04:34
*** otleimat has quit IRC		04:36
*** ducttape_ has joined #openstack-keystone		04:38
*** gongysh has joined #openstack-keystone		04:39
*** ducttape_ has quit IRC		04:41
*** sbezverk has quit IRC		04:46
*** dstepanenko has joined #openstack-keystone		04:46
*** dstepanenko has quit IRC		04:51
*** rajalokan has joined #openstack-keystone		04:59
*** rajalokan has quit IRC		04:59
*** rajalokan has joined #openstack-keystone		04:59
*** rajalokan has quit IRC		05:01
*** prashkre has quit IRC		05:02
*** rajalokan has joined #openstack-keystone		05:02
*** mvpnitesh has joined #openstack-keystone		05:03
*** markvoelker has joined #openstack-keystone		05:06
*** gyee has quit IRC		05:08
*** thorst has joined #openstack-keystone		05:17
*** thorst has quit IRC		05:22
*** rajalokan has quit IRC		05:23
*** markvoelker has quit IRC		05:32
*** markvoelker has joined #openstack-keystone		05:32
*** prashkre has joined #openstack-keystone		05:34
*** rajalokan has joined #openstack-keystone		05:34
*** rajalokan has quit IRC		05:37
*** rajalokan has joined #openstack-keystone		05:38
*** rajalokan has quit IRC		05:41
*** rajalokan has joined #openstack-keystone		05:42
*** rajalokan has left #openstack-keystone		05:49
*** rcernin has joined #openstack-keystone		05:52
*** ducttape_ has joined #openstack-keystone		05:53
*** ayoung has quit IRC		05:53
*** dstepanenko has joined #openstack-keystone		05:54
*** ducttap__ has joined #openstack-keystone		05:57
*** tobberydberg has joined #openstack-keystone		05:57
*** ducttape_ has quit IRC		05:57
*** dstepanenko has quit IRC		05:58
*** ducttap__ has quit IRC		05:59
*** ducttape_ has joined #openstack-keystone		05:59
*** ducttape_ has quit IRC		06:03
*** ducttape_ has joined #openstack-keystone		06:03
*** ayoung has joined #openstack-keystone		06:04
*** hoonetorg has joined #openstack-keystone		06:07
*** ducttape_ has quit IRC		06:08
*** tesseract has joined #openstack-keystone		06:35
*** edmondsw has joined #openstack-keystone		06:35
*** edmondsw has quit IRC		06:38
*** markvoelker has quit IRC		07:03
*** mjax has joined #openstack-keystone		07:06
*** markvoelker has joined #openstack-keystone		07:06
*** ducttape_ has joined #openstack-keystone		07:07
*** mjax has quit IRC		07:07
*** ducttap__ has joined #openstack-keystone		07:09
*** prashkre_ has joined #openstack-keystone		07:09
*** markvoelker has quit IRC		07:09
*** ducttape_ has quit IRC		07:10
*** ducttap__ has quit IRC		07:11
*** prashkre has quit IRC		07:11
*** pcaruana has joined #openstack-keystone		07:24
*** dstepanenko has joined #openstack-keystone		07:37
*** thorst has joined #openstack-keystone		07:42
*** thorst has quit IRC		07:44
*** dstepanenko has quit IRC		08:18
*** dstepanenko has joined #openstack-keystone		08:20
*** ioggstream has joined #openstack-keystone		08:22
*** aojea has joined #openstack-keystone		08:22
*** dstepanenko has quit IRC		08:33
*** aojea has quit IRC		08:35
*** aojea has joined #openstack-keystone		08:35
*** prashkre__ has joined #openstack-keystone		08:35
*** prashkre_ has quit IRC		08:41
*** zsli_ has joined #openstack-keystone		08:44
*** odyssey4me has quit IRC		08:47
*** Dinesh_Bhor has quit IRC		08:47
*** cburgess has quit IRC		08:47
*** tobberydberg has quit IRC		08:47
*** dutsmoc has quit IRC		08:47
*** asettle has quit IRC		08:47
*** cloudnull has quit IRC		08:47
*** dims has quit IRC		08:47
*** BlackDex has quit IRC		08:47
*** jamielennox has quit IRC		08:47
*** dgonzalez has quit IRC		08:47
*** lamt has quit IRC		08:47
*** andymccr has quit IRC		08:47
*** NikitaKonovalov has quit IRC		08:47
*** peterstac has quit IRC		08:47
*** dougshelley66 has quit IRC		08:47
*** ppiela has quit IRC		08:47
*** masber has quit IRC		08:47
*** kaisers2 has quit IRC		08:47
*** brad[] has quit IRC		08:47
*** timothyb89 has quit IRC		08:47
*** EmilienM has quit IRC		08:47
*** zigo has quit IRC		08:47
*** tesseract has quit IRC		08:47
*** rha has quit IRC		08:47
*** Dave has quit IRC		08:47
*** dulek has quit IRC		08:47
*** gongysh has quit IRC		08:47
*** mfisch` has quit IRC		08:47
*** htruta` has quit IRC		08:47
*** rvba has quit IRC		08:47
*** tristanC has quit IRC		08:47
*** timburke has quit IRC		08:47
*** Trident has quit IRC		08:47
*** breton has quit IRC		08:47
*** frickler has quit IRC		08:47
*** freerunner has quit IRC		08:47
*** johnthetubaguy has quit IRC		08:47
*** bradjones has quit IRC		08:47
*** eglute has quit IRC		08:47
*** d34dh0r53 has quit IRC		08:47
*** jmccrory has quit IRC		08:47
*** obre has quit IRC		08:47
*** SamYaple has quit IRC		08:47
*** kairat has quit IRC		08:47
*** akrzos has quit IRC		08:47
*** kencjohnston_ has quit IRC		08:47
*** aojea has quit IRC		08:47
*** ioggstream has quit IRC		08:47
*** rcernin has quit IRC		08:47
*** links has quit IRC		08:47
*** nkinder has quit IRC		08:47
*** jaosorior has quit IRC		08:47
*** bigjools has quit IRC		08:47
*** jdennis has quit IRC		08:47
*** baffle has quit IRC		08:47
*** med_ has quit IRC		08:47
*** alex_xu has quit IRC		08:47
*** Tahvok has quit IRC		08:47
*** matteus has quit IRC		08:47
*** vaishali has quit IRC		08:47
*** basilAB has quit IRC		08:47
*** pcaruana has quit IRC		08:47
*** junbo has quit IRC		08:47
*** d0ugal has quit IRC		08:47
*** oomichi has quit IRC		08:47
*** robcresswell has quit IRC		08:47
*** samueldmq has quit IRC		08:47
*** hrybacki has quit IRC		08:47
*** mgagne has quit IRC		08:47
*** rarora has quit IRC		08:47
*** gus has quit IRC		08:47
*** fungi has quit IRC		08:47
*** dstanek has quit IRC		08:47
*** wolsen has quit IRC		08:47
*** portdirect has quit IRC		08:47
*** chris_hultin\|AWA has quit IRC		08:47
*** ayoung has quit IRC		08:47
*** rodrigods has quit IRC		08:47
*** Nakato has quit IRC		08:47
*** efried has quit IRC		08:47
*** zeus has quit IRC		08:47
*** clarkb has quit IRC		08:47
*** andreaf has quit IRC		08:47
*** knikolla has quit IRC		08:47
*** rm_work has quit IRC		08:47
*** evrardjp has quit IRC		08:47
*** mrhillsman has quit IRC		08:47
*** jhesketh has quit IRC		08:47
*** prashkre__ has quit IRC		08:47
*** spotz has quit IRC		08:47
*** gagehugo has quit IRC		08:47
*** amrith has quit IRC		08:47
*** jlvillal has quit IRC		08:47
*** kevinbenton has quit IRC		08:47
*** admcleod has quit IRC		08:47
*** chrome0 has quit IRC		08:47
*** Daviey has quit IRC		08:47
*** dansmith has quit IRC		08:47
*** jamiec has quit IRC		08:47
*** Krenair has quit IRC		08:47
*** hugokuo has quit IRC		08:47
*** mvpnitesh has quit IRC		08:47
*** jmlowe has quit IRC		08:47
*** kornicameister has quit IRC		08:47
*** stevemar has quit IRC		08:47
*** wasmum has quit IRC		08:47
*** dtroyer has quit IRC		08:47
*** hyakuhei has quit IRC		08:47
*** mordred has quit IRC		08:47
*** afazekas has quit IRC		08:47
*** flwang has quit IRC		08:47
*** ebbex has quit IRC		08:47
*** hemna has quit IRC		08:47
*** morgan has quit IRC		08:47
*** john5223 has quit IRC		08:47
*** zsli_ has quit IRC		08:47
*** zhurong has quit IRC		08:47
*** nicolasbock has quit IRC		08:47
*** Shunli has quit IRC		08:47
*** clayton has quit IRC		08:47
*** david-lyle has quit IRC		08:47
*** lifeless has quit IRC		08:47
*** jistr has quit IRC		08:47
*** openstackgerrit has quit IRC		08:47
*** aloga has quit IRC		08:47
*** mtreinish has quit IRC		08:47
*** lbragstad has quit IRC		08:47
*** flaper87 has quit IRC		08:47
*** jidar has quit IRC		08:47
*** charz has quit IRC		08:47
*** szaher has quit IRC		08:47
*** slunkad has quit IRC		08:47
*** timss has quit IRC		08:47
*** andreykurilin has quit IRC		08:47
*** ChanServ has quit IRC		08:47
*** Adri2000 has quit IRC		08:47
*** Adobeman has quit IRC		08:47
*** diablo_rojo_phon has quit IRC		08:47
*** mancdaz has quit IRC		08:47
*** cmurphy has quit IRC		08:47
*** toddnni has quit IRC		08:47
*** melwitt has quit IRC		08:47
*** openstack has joined #openstack-keystone		13:52
*** openstack has joined #openstack-keystone		13:53
*** tobberydberg has joined #openstack-keystone		13:54
*** tobberydberg has quit IRC		13:59
lbragstad	knikolla: o/	14:00
lbragstad	cmurphy: so - apparently hints does does independently of the driver or backend implementation	14:00
lbragstad	s/does//	14:01
lbragstad	ugh.. does stuff*	14:01
cmurphy	lbragstad: stuff that conflicts with caching?	14:02
lbragstad	cmurphy: i don't think so?	14:02
lbragstad	still unwinding it	14:02
cmurphy	that sounds fun	14:02
lbragstad	so the controller builds the hints object from filters and the request	14:02
lbragstad	then is attempts to pass it to the manager so that it can pass it through to the backend - in case it supports using a hints object	14:03
lbragstad	which makes sense	14:03
lbragstad	but then you have this - https://github.com/openstack/keystone/blob/2fa4169b60e57e00a0d7b9ca3ac5c3ffe8c0dd6c/keystone/common/controller.py#L405-L407	14:04
lbragstad	which is called on the way out of the controller method	14:04
*** Adri2000 has joined #openstack-keystone		14:05
*** tobberydberg has joined #openstack-keystone		14:06
*** ducttape_ has joined #openstack-keystone		14:09
cmurphy	lbragstad: in this specific case though the manager didn't need it and so it was unaltered by the time it got back to the controller	14:10
*** tobberydberg has quit IRC		14:11
lbragstad	cmurphy: yep - which means we should be able to remove the hints object from being passed to the manager	14:11
lbragstad	cache the response from the manager	14:11
lbragstad	but let the hints logic still run in the controller parts	14:11
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove unused hints from assignment APIs https://review.openstack.org/491921	14:11
lbragstad	^	14:11
openstackgerrit	Merged openstack/keystone master: Consolidate certificate docs to admin-guide https://review.openstack.org/477685	14:12
knikolla	cmurphy: have any experience setting up shibboleth-sp with multiple identity providers?	14:15
Tahvok	I was under impression that having a global admin, would grant me access to all domains and projects. Is it not the case? Because not only I cannot see any projects, I also can't change between the domains in horizon	14:21
lbragstad	Tahvok: global admin should allow you to do anything within the deployment, unless the policies protecting the services have changed in your deployment	14:23
*** kukacz has quit IRC		14:26
cmurphy	knikolla: not particularly no	14:27
*** ioggstream has quit IRC		14:27
cmurphy	knikolla: are weird things happening?	14:27
*** ioggstream has joined #openstack-keystone		14:27
*** sjain has joined #openstack-keystone		14:27
knikolla	cmurphy: nah, i'm just having issues making the devstack plugin work with both testshib and k2k at the same time as i have no prior experience with that specific setup.	14:27
knikolla	guess i delayed enough reading through the shibboleth documentation.	14:31
cmurphy	knikolla: ha :)	14:32
*** zhurong has quit IRC		14:32
lbragstad	gagehugo: https://review.openstack.org/#/c/491934/1 looks pretty good - just a couple suggestions inline	14:33
gagehugo	lbragstad cool	14:43
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Cache list projects and domains for user https://review.openstack.org/487143	14:44
lbragstad	cmurphy: samueldmq that passes for me locally ^	14:44
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Cache list projects and domains for user https://review.openstack.org/487143	14:46
*** sjain has quit IRC		14:48
openstackgerrit	Sami Makki proposed openstack/oslo.policy master: Add JSON output option to sample generator https://review.openstack.org/491629	14:48
openstackgerrit	Sami Makki proposed openstack/oslo.policy master: Add JSON output option to sample generator https://review.openstack.org/491629	14:54
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Reduce revoke events for disabled domains and projects https://review.openstack.org/253273	15:01
*** otleimat has joined #openstack-keystone		15:05
*** dstepanenko has quit IRC		15:07
*** dstepanenko has joined #openstack-keystone		15:07
*** dstepanenko has quit IRC		15:10
*** dstepanenko has joined #openstack-keystone		15:10
*** tesseract has quit IRC		15:14
*** lucasxu has quit IRC		15:14
*** links has quit IRC		15:16
*** prashkre__ has joined #openstack-keystone		15:25
*** prashkre_ has quit IRC		15:25
*** markvoelker has quit IRC		15:28
*** dstepanenko has quit IRC		15:29
*** dstepanenko has joined #openstack-keystone		15:29
*** aselius has joined #openstack-keystone		15:29
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Ensure domains and projects are validated online https://review.openstack.org/253273	15:33
*** dstepanenko has quit IRC		15:33
Tahvok	lbragstad: I didn't touch the policies, but checked them anyway to make sure...	15:37
Tahvok	The user in the second domain is an ldap user - maybe that's the problem?	15:37
lbragstad	Tahvok: possibly	15:37
Tahvok	Also, I'm assigning the group, not a specific user	15:38
*** markvoelker has joined #openstack-keystone		15:39
*** dstepanenko has joined #openstack-keystone		15:40
*** markvoelker has quit IRC		15:56
*** lucasxu has joined #openstack-keystone		15:57
*** dstepanenko has quit IRC		15:58
*** lucasxu has quit IRC		16:03
*** markvoelker has joined #openstack-keystone		16:03
openstackgerrit	Gage Hugo proposed openstack/keystone master: Add description for relationship links in api-ref https://review.openstack.org/491934	16:14
gagehugo	lbragstad ^ if those links on all of the relationships are too much, then we can just remove them and have the main section if that works	16:20
*** markvoelker has quit IRC		16:23
otleimat	For purging mappings, what are the allowed permutations from 'public-id, domain-name, local-id, and type'?	16:25
lbragstad	henrynash would be the person to ask for that	16:29
otleimat	Thanks, ill reach out to him	16:30
lbragstad	otleimat: he pops into the channel from time to time	16:31
*** jmlowe has quit IRC		16:31
otleimat	lbragstad: any other way I can contact him?	16:32
*** markvoelker has joined #openstack-keystone		16:32
*** kornicameister has quit IRC		16:40
*** rcernin has quit IRC		16:41
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Ensure domains and projects are validated online https://review.openstack.org/253273	16:42
*** kornicameister has joined #openstack-keystone		16:45
*** dstepanenko has joined #openstack-keystone		16:45
*** tobberydberg has joined #openstack-keystone		16:46
lbragstad	otleimat: you could start a thread on the ML tagged with [keystone]?	16:46
*** markvoelker has quit IRC		16:46
lbragstad	otleimat: that might help generated a discussion and he usually watches the mailing list	16:46
lbragstad	gagehugo: yeah - i'd be fine with a single blanket statement for now	16:49
*** dstepanenko has quit IRC		16:50
*** sbezverk has joined #openstack-keystone		16:52
lbragstad	stepping away for lunch quick	16:53
*** dstepanenko has joined #openstack-keystone		16:54
*** markvoelker has joined #openstack-keystone		16:55
*** tobberydberg has quit IRC		16:55
*** mjax has joined #openstack-keystone		17:03
*** dstepanenko has quit IRC		17:05
*** david-lyle has quit IRC		17:08
*** david-lyle has joined #openstack-keystone		17:08
*** sjain has joined #openstack-keystone		17:12
*** sjain_ has joined #openstack-keystone		17:14
*** sjain has quit IRC		17:16
breton	just had in interesting conversation with security folks who were unhappy with fernet tokens being symmetrically encrypted (and not rotated)	17:25
*** mjax has quit IRC		17:25
*** sjain_ has quit IRC		17:25
breton	one of their arguments was that yahoo had similar symmetric crypto and russian hackers could craft cookies externally, after obtaining the keys: https://www.justice.gov/opa/press-release/file/948201/download (page 9)	17:26
gagehugo	lbragstad ack	17:31
*** markvoelker has quit IRC		17:31
openstackgerrit	Gage Hugo proposed openstack/keystone master: Add description for relationship links in api-ref https://review.openstack.org/491934	17:34
*** ducttap__ has joined #openstack-keystone		17:34
*** jmlowe has joined #openstack-keystone		17:35
*** jmlowe has quit IRC		17:35
*** jmlowe has joined #openstack-keystone		17:35
*** jmlowe has quit IRC		17:36
*** ducttape_ has quit IRC		17:37
*** jmlowe has joined #openstack-keystone		17:38
*** dstepanenko has joined #openstack-keystone		17:41
*** rcernin has joined #openstack-keystone		17:42
*** kornicameister has quit IRC		17:43
ayoung	https://review.openstack.org/#/c/455330/ breton lbragstad cmurphy can we kick this one into the approved queue?	17:44
*** kornicameister has joined #openstack-keystone		17:46
*** dstepanenko has quit IRC		17:46
*** tobberydberg has joined #openstack-keystone		17:47
*** tobberydberg has quit IRC		17:51
lbragstad	breton: the whole point of fernet is to rotate your keys	17:54
*** gyee has joined #openstack-keystone		17:54
*** kbaegis has joined #openstack-keystone		17:57
lbragstad	breton: wouldn't the same situation be possible if asymmetric encryption was used?	18:00
*** lucasxu has joined #openstack-keystone		18:00
*** kbaegis has quit IRC		18:06
*** tobberydberg has joined #openstack-keystone		18:06
*** kbaegis has joined #openstack-keystone		18:07
*** ducttape_ has joined #openstack-keystone		18:07
*** tobberydberg has quit IRC		18:10
*** ducttap__ has quit IRC		18:10
*** jrist has quit IRC		18:11
morgan	breton: fernet keys are supposed to be rotated	18:14
morgan	it just is an operational concern on when to do it	18:14
morgan	not automated in keystone	18:15
morgan	lbragstad: yes, if the keys are derived, but they are harder to derive without having control on significant input data sets (not impossible)	18:15
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Make fetching all foreign keys in a join https://review.openstack.org/347972	18:16
lbragstad	morgan: so it asymmetric encryption would lead to the same concern?	18:18
morgan	somewhat.	18:18
morgan	it depends on the ciphers used	18:18
morgan	and the bits.	18:19
lbragstad	sure	18:19
morgan	also asym is way way more CPU intensive and produces way more data	18:19
lbragstad	gagehugo: any update on this? https://review.openstack.org/#/c/479747/	18:19
morgan	basically the complaint with symmetric encryption in this case is it is symmentric AND not rotated	18:19
morgan	it means someone wasn't reading any deployment docs	18:19
morgan	or it wasn't communicated that rotation of keys was an expectation	18:20
openstackgerrit	Samriddhi proposed openstack/keystone master: Updated URLs in docs https://review.openstack.org/490649	18:20
morgan	i could see that be an Info level message	18:20
morgan	lbragstad, gagehugo ^	18:20
gagehugo	lbragstad I have no idea, but I won't block it if we are wanting to make the change	18:21
* morgan shrugs		18:21
gagehugo	I couldn't find any guidelines	18:21
*** kbaegis1 has joined #openstack-keystone		18:21
morgan	there are guidelines somewhere.	18:21
ayoung	morgan, please kick this one one	18:23
ayoung	https://review.openstack.org/#/c/455330/	18:23
ayoung	its Jose...pretty much the major Kerberos user out there	18:23
morgan	ayoung: sec, reading it	18:24
ayoung	thanks	18:24
morgan	just have ot make sure we aren't breaking current behavior	18:24
morgan	otherwise i have zero issue with the change.	18:24
morgan	s/breaking/changing	18:24
morgan	(aka default)	18:24
ayoung	optional mutual authentication. No change unless opt in	18:24
*** kbaegis has quit IRC		18:24
morgan	yeah	18:27
morgan	that was what i was checking	18:27
morgan	it looks good.	18:28
morgan	the thing is ksa has such a strict interface contract we have to be super careful.	18:28
morgan	we can't break it ever (short of a ksa2 package)	18:28
morgan	we don't want to break all of openstack :P	18:28
ayoung	you don't want to break all of openstack. "Some people just want to see the world burn."	18:29
openstackgerrit	Kristi Nikolla proposed openstack/keystone master: WIP - Added keystone identity provider installation to Devstack plugin https://review.openstack.org/484121	18:32
*** markvoelker has joined #openstack-keystone		18:32
morgan	ayoung: no... we don't	18:33
*** nicolasbock has quit IRC		18:33
morgan	because if this breaks openstack,your name is on it too for +2 :P	18:33
morgan	^_^	18:33
*** ducttape_ has quit IRC		18:34
*** nicolasbock has joined #openstack-keystone		18:34
ayoung	dims, you still looking to talk Keystone/Kubernetes?	18:44
*** morgan is now known as kmalloc		18:46
dims	ayoung : wrote a proof-of-concept webhook implementation for both authentication and authorization if you wanna take a peek - https://github.com/dims/k8s-keystone-auth	18:46
ayoung	dims, saw that. what are you trying to do?	18:46
kmalloc	dims: yeah i was planning on taking a peak at that	18:47
kmalloc	dims: shortly	18:47
dims	first thing is to allow someone to specify a keystone token when using kubectl to access api server etc	18:47
ayoung	dims, please no	18:47
ayoung	no no no no no no no no no no no	18:48
ayoung	unh uh	18:48
ayoung	dear god make it stop	18:48
kmalloc	in theory it should be able to OAuth instead of doing a keystone token	18:48
kmalloc	fwiw	18:48
ayoung	just send the userid and password to Kubernetes and make it work like god intended. Sportsman like	18:48
dims	kmalloc : y that's already there	18:48
kmalloc	right	18:48
ayoung	dims why?	18:49
kmalloc	so, keystone should support that -- and be a IDP then.	18:49
*** ioggstream has quit IRC		18:49
kmalloc	keystone tokens are bad news to proliferate... unless it REALLY has a good reason to	18:49
*** ayoung is now known as kfree		18:49
*** ioggstream has joined #openstack-keystone		18:49
kmalloc	which, i am not sure what is the goal here.	18:49
kfree	So, 1 Keystone should not be an IdP	18:49
kmalloc	kfree: i want to name my next pet "malloc" so we can "free" him :P	18:49
*** nicolasbock has quit IRC		18:50
kfree	:)	18:50
*** tobberydberg has joined #openstack-keystone		18:50
kmalloc	if you are using keystone as a source of identity... then it should be done via standard protocols (ideally)	18:50
dims	kfree : kmalloc : see https://github.com/kubernetes/kubernetes/pull/39587, there's a client side auth provider that can key off any of the OS_ env variables, send that to keystone to get a token and then send that as bearer token to api server	18:50
kmalloc	my statement is predicated on the need to do so.	18:50
kfree	dims, just send that data direct to Kubernetes	18:50
kfree	and hack kubernetes to understand the Keystone database format at the SQL level if you really must	18:51
kmalloc	so, the goal is to have a single source of identity for IaaS for a deployment?	18:51
kfree	anything but propegating the mistake that is Bearer tokens	18:51
* kmalloc is looking for the reasoning for this before we dive too deep		18:51
dims	kfree : you should talk to jordan liggitt and eric chang in sig-auth	18:51
*** kfree is now known as ayoung		18:51
kmalloc	knowing the use-cases vs a "hey I want something lets do something"	18:51
ayoung	I want Keystone to die and us to do things the Kubernetes way on auth	18:52
dims	kmalloc : i know the use case i want	18:52
ayoung	they front everything with a single API server	18:52
ayoung	and thus auth is centralized	18:52
ayoung	the bearer token thing is a blight on the land	18:52
dims	kmalloc : which is to setup my OS_* variables and just use kubectl	18:52
kmalloc	dims: ooh	18:53
kmalloc	ayoung: so... k8s is doing it right? ;)	18:53
ayoung	kmalloc, more right than Keystone is, and OpenStack, yes	18:53
kmalloc	ayoung: you know... i proposed much of this at one point with a nice migration for openstack	18:53
kmalloc	but.....	18:53
kmalloc	sigh	18:53
ayoung	kmalloc, if you are going to do distributed auth, you need cryptographic security, and that way leads to SAML, or PKI, or something that is "too hard"	18:54
kmalloc	though i think i could still make it all work w/ some massaging code for haproxy (have mostly working lua still)	18:54
*** tobberydberg has quit IRC		18:54
kmalloc	ayoung: i agree.	18:54
kmalloc	and have for a loooooong time	18:54
ayoung	so dims...tell them that the very thought about what you were proposing makes the Keystone team cry	18:54
dims	ayoung, it's a proof of concept in my own github, so it's not official by any means	18:55
kmalloc	ayoung: i'm collecting info before things go too far	18:55
kmalloc	ayoung: i 100% agree that if we can avoid replicating keystone's ick, it is a good thing	18:56
*** ducttape_ has joined #openstack-keystone		18:56
ayoung	dims just think if you want your name associated with it	18:56
dims	ayoung : let's see what you come up with :)	18:56
dims	ayoung : it already is :)	18:57
ayoung	dims, why do you think that this would be a good idea?	19:01
kmalloc	ayoung: it feels like the same reason someone wants a PaaS with the same auth as IaaS	19:01
kmalloc	so they can use the same settings for running where they want	19:02
ayoung	kmalloc, but they can. They just don;'t need to get a token first	19:02
ayoung	Kubernetes does not work that way	19:02
kmalloc	(it is... more "amazon"-ish where iaas and non-iaas and iaas-like-but-different all uses the same auth things)	19:02
kmalloc	right	19:02
kmalloc	i'm not arguing for/against it, just what i'm seeing the convos/what is being asked for	19:02
*** markvoelker has quit IRC		19:06
*** markvoelker has joined #openstack-keystone		19:08
dims	ayoung : happy to be proven wrong and happier if you can show a better way	19:08
dims	ayoung : i am leaving notes on the sig-auth slack channel on what i know about how things work	19:09
*** kbaegis1 has quit IRC		19:16
*** kbaegis has joined #openstack-keystone		19:16
*** ioggstream has quit IRC		19:19
*** ioggstream has joined #openstack-keystone		19:19
dims	ayoung : invited you to the sig-auth channel there	19:21
*** ducttap__ has joined #openstack-keystone		19:26
*** ducttape_ has quit IRC		19:28
*** sbezverk has quit IRC		19:29
*** dstepanenko has joined #openstack-keystone		19:30
breton	morgan: lbragstad: the whole point of yahoo's system was to rorate keys. They didn't do it.	19:30
breton	morgan: lbragstad: it is hard to securely rotate keys across multiple nodes and this problem is not solved	19:31
*** ioggstream has quit IRC		19:33
*** ducttape_ has joined #openstack-keystone		19:34
*** dstepanenko has quit IRC		19:34
*** tobberydberg has joined #openstack-keystone		19:36
*** ducttap__ has quit IRC		19:37
breton	morgan: lbragstad: tripleo added rotation yesterday-ish only	19:37
lbragstad	openstack-ansible has has support for that since we implemented fernet	19:38
lbragstad	library or kilo they had auto rotation	19:38
*** tobberydberg has quit IRC		19:40
breton	what i think we should do is force operators to rotate their keys. With `max_fernet_key_days=90` option, for example.	19:41
kmalloc	what happens if they dont?	19:41
kmalloc	keystone stops working?>	19:41
breton	yep	19:41
kmalloc	that is counter to most everything that works like that	19:42
kmalloc	by default, apache doesn't stop working if your cert is out-dated or self-signed	19:42
kmalloc	clients may balk	19:43
*** rmcall has joined #openstack-keystone		19:43
breton	most sensible clients will stop working	19:43
kmalloc	but it isn't the server that stops working	19:43
breton	my browser will, `requests` will, curl will	19:43
kmalloc	keystone is the server	19:43
breton	yes. But we cannot control things from the client side. But maybe we should be able to.	19:43
breton	max_fernet_key_days might be too harsh, i agree.	19:44
kmalloc	so, no the server shouldn't stop working	19:44
*** rajalokan has joined #openstack-keystone		19:44
kmalloc	i'd be open to some other mechanism to encourage rotation	19:44
kmalloc	but we can't just "stop" working.	19:44
*** tobberydberg has joined #openstack-keystone		19:44
breton	ok. What mechanism, for example?	19:44
kmalloc	we could offer data in the token so the clients could handle it.	19:45
kmalloc	it's about all we can do.	19:46
kmalloc	we could also work to dump bearer tokens in totality (again) and use client certs for service->keystone communication. but the "edge-only" authentication (similar to the single api, such as kube-api) is a tough sell in openstack	19:47
breton	client certs for service->keystone communication was implemeted by gyee	19:48
kmalloc	right	19:48
breton	(hi gyee)	19:48
kmalloc	move towards that as the recommended/reference/default deployment model	19:49
samueldmq	gagehugo: you on bug 1674676 ?	19:49
openstack	bug 1674676 in OpenStack Identity (keystone) "The URL listed against the details of identity resources returns 404 Not Found error" [Medium,In progress] https://launchpad.net/bugs/1674676 - Assigned to Gage Hugo (gagehugo)	19:49
*** kfox1111 has joined #openstack-keystone		19:49
kmalloc	kfox1111: hey there	19:49
kmalloc	kfox1111: so, how does tenancy from openstack impact your k8s deployment	19:50
kmalloc	is it just for access control for X tenant into the k8s deploy?	19:50
*** rajalokan has quit IRC		19:50
* kmalloc is having lag in the slack window, so typing here is a little easier as well.		19:50
kfox1111	hi.	19:50
breton	how does a user authenticate for this new system? What does they get in return to username/password?	19:50
kfox1111	kidn of undefined at the moment.	19:51
*** tobberydberg has quit IRC		19:51
kfox1111	we have an openstack cloud we are providing to our organization.	19:51
kfox1111	kind of a public cloud, just for the org.	19:51
kfox1111	I see two use cases for k8s.	19:51
kmalloc	breton: use an OAuth, Basic-Auth, etc type thing. so not bearer tokens. I had an implementation for it at one point.	19:51
kmalloc	kfox1111: cool, this info helps me understand what the goals are	19:51
kfox1111	one is letting the users launch their own inside the cloud.	19:52
kfox1111	having it be easy to bind to the cloud and restrict access to their own project means they don't have to deal with auth themselves.	19:52
kfox1111	so, single tenant k8s in that case.	19:52
kmalloc	or re-impl an auth thing.	19:52
kfox1111	the second is, there are some use cases where they dont even need to stand up their own k8s. we could provide a k8s for everyone.	19:52
kfox1111	thats the more interestign one to me.	19:53
kmalloc	like hypercontainer things?	19:53
kmalloc	[as an example]	19:53
kfox1111	yeah, perhaps.	19:53
breton	kmalloc: oauth for authentication? Eh. Basic auth is bad.	19:53
kfox1111	or we set rbac rules that are restrictivve enough that we call it good enough.	19:53
kmalloc	breton: you support many forms of auth, basic-auth may be one to support, not recommended.	19:53
kmalloc	kfox1111: hm. tenancy is weird in that last case.	19:53
kmalloc	but sure.	19:53
kfox1111	we already have keystone as our source of truth for tenancy.	19:54
kmalloc	right.	19:54
kfox1111	we wouldn't want to have a second system to keep in sync with it.	19:54
dims	kmalloc : kfox1111 : any new implementation server-side cannot live in k8s main repo	19:54
kmalloc	i just meant a "single large k8s"	19:54
dims	so we are limited to what we can do with webhooks	19:54
kmalloc	dims: wasn't thinking of that	19:54
dims	ack	19:54
kfox1111	dims: yeah. thats the problem i was facing.	19:54
kfox1111	sounds like they are a little more capable now though then it was before.	19:54
kmalloc	hypercontainer is a wrapper for pods/multi-tenancy to k8s deploy	19:54
kmalloc	so i was looking to it as a kind of "working thought"	19:55
kfox1111	there is 'hyper' too, which is just a different pod driver.	19:55
kmalloc	not a "k8s main repo auth thing"	19:55
kmalloc	kfox1111: yeah.	19:55
kfox1111	the pod gets run in a vm, and all the containers in the pod are in it.	19:55
kmalloc	and it already uses keystone.	19:55
kfox1111	so security is not so much a problem there.	19:55
kmalloc	but. that aside	19:55
dims	stackube does that	19:55
kfox1111	its really just getting tenancy info from keystone and mapping it to namespaces somehow.	19:55
kmalloc	i don't see how a large k8s deploy can leverage tenancy at all from keystone	19:55
kmalloc	short of pods in vm	19:56
kfox1111	I think k8s really needs the notion of tenancy.	19:56
kfox1111	there are two ways of solving it.	19:56
kfox1111	1 would make a namespace a tenant.	19:56
kmalloc	well that is a totally different arguemnt ;) and i am not in a position to accept/reject it	19:56
kmalloc	:P	19:56
kfox1111	the k8s guys favor that. I really dislike it the more I think about it.	19:56
kmalloc	i don't think that is really a good security model	19:57
kfox1111	the other is having tenant be a first class citizen and multiple namespaces get assigned to a tenant.	19:57
kfox1111	I think that one is a much better model.	19:57
kmalloc	it's a light security model (namespaces) for logical separation	19:57
kmalloc	it can't be leaned on to be actual tenancy isolation	19:57
kfox1111	one problem with namespace is it is exposed out via kubedns.	19:57
kfox1111	so it can't map very well to openstack's tenants.	19:58
kmalloc	so, for the latter case it sounds like a wrapper is needed for k8s, and we're back to "deploy k8s for someone" or "let them deploy in a VM themselves"	19:58
kfox1111	unless you want your namespace to contain -2b246be8-98a6-41fa-afe1-c5e1de2950e1.cluster.local. :/	19:58
kmalloc	lets set aside native tenancy/namespace in k8s mapped from openstack	19:58
samueldmq	lbragstad: you around? re: https://review.openstack.org/#/c/487143	19:58
kmalloc	that seems like a weird case to consider in this model	19:58
kmalloc	lets look at "single tenant" and "tenancy provided by openstack, k8s living in vms"	19:59
dims	kfox1111 : have you seen what's in stackube?	19:59
kmalloc	which sounds like stackube's thing	19:59
kfox1111	dims: a while ago. not recently.	19:59
kmalloc	and hyper	19:59
kfox1111	hyper provides isolation around containers.	19:59
dims	kfox1111 : they have re-written a whole lot	19:59
dims	https://github.com/openstack/stackube/blob/master/pkg/auth-controller/tenant/tenant_controller.go	19:59
kfox1111	not mgmt of the rbac like thingies.	19:59
openstackgerrit	Merged openstack/keystoneauth master: Parameter to tune mutual authentication in kerberos https://review.openstack.org/455330	19:59
dims	kfox1111 : they do management of rbac like thingies too https://github.com/openstack/stackube/blob/master/pkg/auth-controller/rbacmanager/rbac/rbac.go	20:00
kfox1111	dims: this code looks weird. is it using k8s as the source of truth rather hten keystone?	20:00
kfox1111	"err = c.openstackClient.DeleteTenant(tenantName)"	20:01
dims	y,	20:01
kfox1111	or its using something else entirely and driving both k8s and openstack maybe.	20:01
dims	they have a CRD and they key off of that	20:01
*** rajalokan has joined #openstack-keystone		20:02
kfox1111	I think they are doing something themselves and not using either as the source of truth.	20:02
*** raildo has quit IRC		20:03
kfox1111	I guess you could do something like that though... make a Tenant first class citicen as a 3rd party resource,	20:04
*** sbezverk has joined #openstack-keystone		20:04
kfox1111	and the web hook could populate it when first login to k8s happens with a token.	20:04
kfox1111	and keep the tenant-> namespace mapping inside.	20:05
dims	for example when the namespace is added they generate a bunch of rbac stuff for that namespace - https://github.com/openstack/stackube/search?utf8=%E2%9C%93&q=syncRbac&type=	20:06
kfox1111	k. I'm going to do a bit of reading on this. it does look very interesting. thanks for the link. :)	20:07
lbragstad	samueldmq: sure - what's up?	20:07
dims	kfox1111 : yw	20:07
samueldmq	lbragstad: I don't think list_projects_for_user returns only enabled projects	20:07
lbragstad	samueldmq: it doesnt'	20:08
samueldmq	lbragstad: the controller even has a filter that allows you to filter on enabled https://github.com/openstack/keystone/blob/master/keystone/assignment/controllers.py#L266	20:08
lbragstad	samueldmq: yep	20:08
samueldmq	lbragstad: so why do you need to invalidate the cache when a project is disabled?	20:08
lbragstad	ah - good point, didn't put that together when i read your comment	20:09
lbragstad	let me pull down the change and try to recreate it	20:09
samueldmq	lbragstad: I saw your reply to my comment but I don't understand why it's really needed	20:10
lbragstad	samueldmq: i did see a failure becuase of it in a previous patch set	20:10
lbragstad	let me see if i can recreate	20:10
samueldmq	lbragstad: sure. I'm running the tests locally right now too (without that bit)	20:10
kmalloc	kfox1111: cool. yeah i don't wnat to implement things from scratch if we don't have to	20:11
kmalloc	but happy to consider things that make life better	20:11
kmalloc	dims: ^ cc	20:11
kmalloc	samueldmq: you need to invalidate the cache because we use project enabled as a way of authz	20:12
dims	kmalloc : for sure. our options are limited as mentioned earlier	20:12
kmalloc	samueldmq: if you don't invalidate the cache, the project may still be "enabled" for some requests and things leak through, even with new auth	20:12
kmalloc	authentications*	20:12
kmalloc	so, change of project state (or values) explicitly needs a cache invalidation	20:12
kmalloc	any update of data actually should invalidate the cache	20:13
*** raildo has joined #openstack-keystone		20:13
samueldmq	kmalloc: well, but that is for the role assignment cache	20:13
kfox1111	kmalloc: definitely.	20:13
samueldmq	and the role assignments don't change when a project is disabled, they still exist and can be queried	20:13
kmalloc	does the default include disabled projects?	20:14
kmalloc	or do you need to explicitly do a filter?	20:14
kfox1111	not seeing if tehy are using keystone as a source of truth here, or if tehy are using it as a sync to ensure neutron/cinder/etc have a place to read data from.	20:14
samueldmq	kmalloc: you need a filter. there is one at the controller level https://github.com/openstack/keystone/blob/master/keystone/assignment/controllers.py#L266	20:14
kmalloc	i mean... if i disable the project, does it's roles appear still in that API call?	20:14
kmalloc	or when you add the filter it returns it all/filtered	20:14
kfox1111	but I can see how this can be addapted to fit in a, add stackube to your existing openstack rather then here's a whole standalone k8s using openstack bits.	20:15
lbragstad	samueldmq: cmurphy breton we need to get https://review.openstack.org/#/c/491934/ gating today, too	20:15
samueldmq	kmalloc: yes, it still returns the role assingment in the disabled project. I don't see anywhere it filtering only the enabled projects by default	20:15
kmalloc	samueldmq: then we can avoid a cache pop. It seems odd that that api does that for disabled projects but... i'm not going to argue current behavior, we do weired thing	20:17
kmalloc	s	20:17
*** ducttape_ has quit IRC		20:17
openstackgerrit	Octave Orgeron proposed openstack/keystone master: Enables MySQL Cluster support for Keystone https://review.openstack.org/431229	20:18
samueldmq	kmalloc: lbragstad: aha ... the point is that list_projects_for_user returns "self.resource_api.list_projects_from_ids(project_ids)"	20:19
samueldmq	even if project_ids didn't change (the response from list_role_assignments will still be the same)	20:19
samueldmq	but the project dict will change with {'enabled': False}....	20:19
kmalloc	yeah	20:19
kmalloc	that was what i was thinking	20:19
kmalloc	which means we need to invalidate the cache	20:20
samueldmq	kmalloc: that's right, and maybe unfortunate since MEMOIZE_COMPUTED_ASSIGNMENTS is for role assignments	20:20
samueldmq	and those didnt change in reality	20:20
kmalloc	yep	20:21
samueldmq	but I guess we don't want to end up creating thousands of cache regions	20:21
kmalloc	we could dynamically create cache regions but it would get ugly fast.	20:21
kmalloc	it is likely way better to take a cache invalidation on project disable (hopefully that doesn't happen a ton)	20:21
samueldmq	I agree	20:22
kmalloc	but even if it does, we still get some acceleration via caches.	20:22
kmalloc	jamielennox: you alive?	20:22
samueldmq	lbragstad: approved. one bug less	20:24
samueldmq	kmalloc: thanks for helping on understanding that	20:24
samueldmq	kmalloc: nice new nick btw	20:24
kmalloc	^_^	20:24
*** links has joined #openstack-keystone		20:25
samueldmq	kmalloc: fortunately you populate the real name field	20:25
lbragstad	kmalloc: i was wondering who you were	20:25
samueldmq	kmalloc: I mean, I also know it's you with those cache discussions ....	20:25
kmalloc	samueldmq: yes I make an effort to keep real name populated	20:25
gagehugo	samueldmq yes	20:25
*** tobberydberg has joined #openstack-keystone		20:26
kmalloc	samueldmq: heh, it's not hard to guess based upoon context i guess.	20:26
samueldmq	:-)	20:26
samueldmq	gagehugo: cool, how are you planning to address that?	20:26
gagehugo	https://review.openstack.org/#/c/491934/	20:26
samueldmq	oh	20:26
gagehugo	with a description of what the relationship links are	20:26
lbragstad	doc fix	20:26
openstackgerrit	Gage Hugo proposed openstack/keystone master: Add description for relationship links in api-ref https://review.openstack.org/491934	20:29
*** sbezverk has quit IRC		20:29
*** tobberydberg has quit IRC		20:30
samueldmq	gagehugo: see my comments in PS3, I was writing them when you submitted as new one	20:33
samueldmq	:-)	20:33
gagehugo	yeah I forgot to remove the part about the links in the commit message	20:33
*** markvoelker has quit IRC		20:35
openstackgerrit	Gage Hugo proposed openstack/keystone master: Add description for relationship links in api-ref https://review.openstack.org/491934	20:41
gagehugo	samueldmq let me know if that looks better	20:41
*** markvoelker has joined #openstack-keystone		20:41
openstackgerrit	Gage Hugo proposed openstack/keystone master: Add description for relationship links in api-ref https://review.openstack.org/491934	20:45
*** jmlowe has quit IRC		20:46
*** tobberydberg has joined #openstack-keystone		20:48
samueldmq	gagehugo: is that valid for any keystone api return?	20:49
samueldmq	``user['relationships']['http://does-not-exist#user-groups']``	20:49
samueldmq	I haven't seen relationships links in the returns we make	20:49
samueldmq	if not, we can just omit it. cc lbragstad	20:50
lbragstad	i think it's just an example of how it would work in an ideal scenario	20:51
samueldmq	maybe that's we wanna do in the future, so that discovery is nice. but if we dont do today, let's not advertise what we dont do	20:51
*** markvoelker has quit IRC		20:52
*** tobberydberg has quit IRC		20:53
gagehugo	samueldmq yeah it's just an example of how it would work in that scenario	20:55
gagehugo	idc, we can omit it if it's too confusing	20:55
samueldmq	I'm fine either way, but let's expect people complaining about it	20:55
samueldmq	as someone reading the docs, I'd try that. and expect keystone to return relationships links	20:55
samueldmq	but I am fine. why not work to put that in the responses if that's what we want?	20:56
*** ducttape_ has joined #openstack-keystone		20:56
samueldmq	maybe we can talk abotu this in the ptg too, lbragstad ?	20:56
*** ducttape_ has quit IRC		20:56
*** links has quit IRC		20:56
gagehugo	I wonder why we have them in the first place	20:56
samueldmq	gagehugo: the goal is to have APIs that are easy to be discovered iirc	20:57
samueldmq	but we added those in docs, and dont use in reality	20:57
samueldmq	I'm fine with that doc as it is, with the example. at least we clarify what they'r for	20:58
*** markvoelker has joined #openstack-keystone		20:59
*** ducttape_ has joined #openstack-keystone		20:59
openstackgerrit	Gage Hugo proposed openstack/keystone master: Add description for relationship links in api-ref https://review.openstack.org/491934	21:00
gagehugo	we can just remove the example for now	21:00
gagehugo	simpler that way	21:00
*** lucasxu has quit IRC		21:01
lbragstad	the idea is that the response from the service contains all the stuff for the client to make the next call	21:01
*** prashkre__ has quit IRC		21:04
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Unset project ids for all identity backends https://review.openstack.org/491916	21:06
*** ducttape_ has quit IRC		21:06
*** tobberydberg has joined #openstack-keystone		21:07
*** catintheroof has quit IRC		21:09
*** tobberydberg has quit IRC		21:12
*** tobberydberg has joined #openstack-keystone		21:17
*** dstepanenko has joined #openstack-keystone		21:18
*** jmlowe has joined #openstack-keystone		21:20
*** mjax has joined #openstack-keystone		21:21
*** dstepanenko has quit IRC		21:22
samueldmq	lbragstad: +++ agreed, but we can always make that doc better as we add support for that	21:23
samueldmq	gagehugo: thanks, approved	21:25
*** kbaegis1 has joined #openstack-keystone		21:26
samueldmq	lbragstad: for bug 1687616 looks like we're waiting on more info from the reporter?	21:26
openstack	bug 1687616 in OpenStack Identity (keystone) "KeyError 'options' while doing zero downtime upgrade from N to O" [Undecided,New] https://launchpad.net/bugs/1687616	21:26
*** kbaegis has quit IRC		21:27
lbragstad	yeah	21:27
*** edmondsw has quit IRC		21:28
*** edmondsw has joined #openstack-keystone		21:29
*** tobberydberg has quit IRC		21:29
*** thorst has quit IRC		21:31
*** edmondsw has quit IRC		21:34
kmalloc	lbragstad: that looks like something wasn't expanded in the schema	21:37
kmalloc	lbragstad: you should mark that bug incomplete	21:38
lbragstad	ack	21:38
kmalloc	lbragstad: did it	21:38
samueldmq	test_password_history_not_enforced_in_admin_reset is interesting	21:39
samueldmq	gagehugo: you were able to reproduce it, right? ^	21:39
*** nkinder has quit IRC		21:40
gagehugo	samueldmq yeah, ran the test repeatedly and would hit that every so often	21:40
kmalloc	lbragstad: this https://github.com/openstack/keystone/blob/6167850d12f93c030bc3b53b2ca74d9975ff303e/keystone/identity/backends/base.py#L162-L165 makes me sad. it should have been is_read_only or something ...	21:41
kmalloc	lbragstad: anyway... your code looks good for the try/except	21:41
samueldmq	gagehugo: in a for loop or manually	21:41
samueldmq	like, calling every second, couple of seconds, how was your test?	21:41
gagehugo	I wrote a script to run the test x times manually	21:42
*** raildo has quit IRC		21:43
*** rajalokan has quit IRC		21:47
*** thorst has joined #openstack-keystone		21:50
*** kbaegis1 has quit IRC		21:50
*** kbaegis has joined #openstack-keystone		21:52
samueldmq	gagehugo: but you were running that test isolated, correct?	21:52
kmalloc	lbragstad: +2, with a comment on how you could have made the try/except a single try/except instead of two	21:53
*** thorst has quit IRC		21:55
lbragstad	ack wrapping up an email and i can respin	21:56
*** aojea has joined #openstack-keystone		21:59
*** dklyle has joined #openstack-keystone		22:06
*** david-lyle has quit IRC		22:06
kmalloc	lbragstad: no need to respin.	22:07
kmalloc	just a comment on it	22:07
kmalloc	lbragstad: triaged a bunch of bugs.	22:07
*** aojea has quit IRC		22:07
*** adriant has joined #openstack-keystone		22:08
*** dstepanenko has joined #openstack-keystone		22:12
*** aojea has joined #openstack-keystone		22:13
*** dstepanenko has quit IRC		22:17
*** rcernin has quit IRC		22:20
*** sbezverk has joined #openstack-keystone		22:20
*** ioggstream has joined #openstack-keystone		22:23
gagehugo	samueldmq yes	22:27
otleimat	lbragstad: is general code cleanup accepted?	22:29
*** aojea has quit IRC		22:31
lbragstad	otleimat: during the rc period?	22:34
*** aojea has joined #openstack-keystone		22:34
*** tobberydberg has joined #openstack-keystone		22:37
*** ducttape_ has joined #openstack-keystone		22:39
*** aojea has quit IRC		22:39
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Unset project ids for all identity backends https://review.openstack.org/491916	22:41
lbragstad	kmalloc: nice - thanks for the review, addressed ^	22:41
*** tobberydberg has quit IRC		22:41
*** dave-mccowan has quit IRC		22:44
*** kornicameister has quit IRC		22:50
*** kornicameister has joined #openstack-keystone		22:55
*** tobberydberg has joined #openstack-keystone		23:07
*** tobberydberg has quit IRC		23:12
*** ducttap__ has joined #openstack-keystone		23:17
*** ducttape_ has quit IRC		23:20
*** mjax has quit IRC		23:23
openstackgerrit	Gage Hugo proposed openstack/keystone master: Have project get domain_id from parent https://review.openstack.org/489655	23:25
*** mjax has joined #openstack-keystone		23:25
jamielennox	kmalloc: yea, i was wondering who the nick was that would ping me like that	23:32
jamielennox	kmalloc: what's up?	23:32
*** ducttap__ has quit IRC		23:34
*** markvoelker has quit IRC		23:49
*** gyee has quit IRC		23:50
kmalloc	Hehe	23:56

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!