Wednesday, 2018-01-24

« Tuesday, 2018-01-23 Index Thursday, 2018-01-25 »
*** zhurong has joined #openstack-keystone00:03
*** panbalag has joined #openstack-keystone00:15
*** zhurong has quit IRC00:20
*** panbalag has left #openstack-keystone00:23
*** phalmos_ has quit IRC00:29
*** Dinesh_Bhor has joined #openstack-keystone00:38
*** Dinesh_Bhor has quit IRC00:49
*** Dinesh_Bhor has joined #openstack-keystone00:50
Dinesh_Bhorcmurphy: Hi, you there? Want to discuss about this: https://review.openstack.org/#/c/267456/1600:54
openstackgerritOpenStack Proposal Bot proposed openstack/keystoneauth master: Updated from global requirements  https://review.openstack.org/53705600:57
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware master: Updated from global requirements  https://review.openstack.org/53705700:57
*** zhurong has joined #openstack-keystone00:58
*** nicolasbock has quit IRC00:58
openstackgerritOpenStack Proposal Bot proposed openstack/ldappool master: Updated from global requirements  https://review.openstack.org/53494100:59
*** r-daneel has quit IRC01:01
lbragstaddid gerrit just slow down for anyone else?01:12
gagehugoit's been slow for me all day01:14
lbragstad:/01:15
*** Dinesh_Bhor has quit IRC01:15
lbragstadfyi - i pulled https://review.openstack.org/#/c/530490/ off the end of the queue since it's not dependent on any of the system token work01:15
lbragstadall the stuff needed for that API already merged01:15
gagehugook01:16
*** Dinesh_Bhor has joined #openstack-keystone01:19
*** aselius has quit IRC01:19
openstackgerritLance Bragstad proposed openstack/keystone master: Add release note for system-scope  https://review.openstack.org/52803901:21
openstackgerritLance Bragstad proposed openstack/keystone master: Update documentation to reflect system-scope  https://review.openstack.org/53013301:21
*** david-lyle has quit IRC01:22
openstackgerritOpenStack Proposal Bot proposed openstack/oslo.policy master: Updated from global requirements  https://review.openstack.org/53714601:25
openstackgerritOpenStack Proposal Bot proposed openstack/pycadf master: Updated from global requirements  https://review.openstack.org/52379101:27
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient master: Updated from global requirements  https://review.openstack.org/53716401:29
*** panbalag has joined #openstack-keystone01:31
openstackgerritOpenStack Proposal Bot proposed openstack/ldappool master: Updated from global requirements  https://review.openstack.org/53494101:58
*** dikonoor has joined #openstack-keystone02:03
*** panbalag has quit IRC02:08
*** Dinesh_Bhor has quit IRC02:15
*** Dinesh__Bhor has joined #openstack-keystone02:15
openstackgerritOpenStack Proposal Bot proposed openstack/pycadf master: Updated from global requirements  https://review.openstack.org/52379102:18
*** harlowja has quit IRC02:20
*** dikonoo has joined #openstack-keystone02:22
*** dikonoor has quit IRC02:22
*** gyee has quit IRC02:31
*** wxy has joined #openstack-keystone02:33
*** gongysh has joined #openstack-keystone02:35
openstackgerritwangxiyuan proposed openstack/keystone master: Improve limit sql backend  https://review.openstack.org/53558702:49
*** aojea has joined #openstack-keystone02:49
*** aojea_ has joined #openstack-keystone02:53
openstackgerritwangxiyuan proposed openstack/keystone master: Add limit provider  https://review.openstack.org/52410902:54
*** aojea has quit IRC02:56
*** zhurong has quit IRC02:57
openstackgerritwangxiyuan proposed openstack/keystone master: Implement policies for limits  https://review.openstack.org/53014302:58
openstackgerritwangxiyuan proposed openstack/keystone master: Expose unified limit APIs  https://review.openstack.org/52411002:58
openstackgerritwangxiyuan proposed openstack/keystone master: Add api-ref for unified limits  https://review.openstack.org/53568802:58
openstackgerritwangxiyuan proposed openstack/keystone master: Add limit provider  https://review.openstack.org/52410903:00
openstackgerritwangxiyuan proposed openstack/keystone master: Implement policies for limits  https://review.openstack.org/53014303:01
openstackgerritwangxiyuan proposed openstack/keystone master: Expose unified limit APIs  https://review.openstack.org/52411003:01
openstackgerritwangxiyuan proposed openstack/keystone master: Add api-ref for unified limits  https://review.openstack.org/53568803:01
*** aojea_ has quit IRC03:03
*** david-lyle has joined #openstack-keystone03:31
*** david-lyle has quit IRC03:32
*** david-lyle has joined #openstack-keystone03:33
*** charleswang has joined #openstack-keystone03:37
*** david-lyle has quit IRC03:39
openstackgerritwangxiyuan proposed openstack/keystone master: Add limit provider  https://review.openstack.org/52410903:43
openstackgerritwangxiyuan proposed openstack/keystone master: Implement policies for limits  https://review.openstack.org/53014303:43
openstackgerritwangxiyuan proposed openstack/keystone master: Expose unified limit APIs  https://review.openstack.org/52411003:43
openstackgerritwangxiyuan proposed openstack/keystone master: Add api-ref for unified limits  https://review.openstack.org/53568803:43
charleswang@here I see below zuul error for review https://review.openstack.org/#/c/506340/ . I can reproduce locally with devstack and tox. Can someone familiar with keystone database take a look. I have no idea how to fix it.03:44
charleswangoslo_db.exception.DBNonExistentConstraint: (pymysql.err.InternalError) (1091, u"Can't DROP 'user_domain_id_fkey'; check that column/key exists") [SQL: u'ALTER TABLE user DROP FOREIGN KEY user_domain_id_fkey']03:45
*** annp has joined #openstack-keystone03:48
lbragstadwxy: posted a possible solution to the try/except question - https://review.openstack.org/#/c/535587/403:49
wxylbragstad: looking. :)03:49
vish_18lbragstad: https://bugs.launchpad.net/keystone/+bug/171493703:49
openstackLaunchpad bug 1714937 in OpenStack Identity (keystone) "keystone returns 500 on password change" [Low,Confirmed] - Assigned to Vishakha Agarwal (vishakha.agarwal)03:49
vish_18Had some query regarding this bug03:50
lbragstadvish_18: sure thing03:57
lbragstadreading the report again quick03:57
vish_18lbragstad: As per my understanding "Fernet " is a non-persistent token which is not stored in any DB. When a user tries to change the password, keystone deletes and revokes all the tokens specific to that user. In case of Fernet it should look for any persistent DB.03:58
lbragstadyeah - that would be one option03:59
vish_18lbragstad: I made some changes regarding this. Should I share the patch with you?04:00
lbragstadvish_18: absolutely, are you able to propose it for review using gerrit?04:01
vish_18lbragstad: Not yet.04:02
vish_18lbragstad: I will do it04:02
lbragstadthat'd be great if possible04:02
vish_18lbragstad: ok. Thanks04:03
lbragstadvish_18: do you have a gerrit account setup already?04:03
vish_18lbragstad: yes i have04:04
lbragstadcharleswang: it looks like the patch it expecting to remove a fk but it's not actually in the database04:05
lbragstador the test database04:05
lbragstadcharleswang: if you run that migration against a real database and not SQLite, does it execute properly?04:06
*** gongysh has quit IRC04:07
wxylbragstad: have to go for lunch now. I will update the patch later.04:08
lbragstadwxy: sounds good - just an option04:08
lbragstadcmurphy: hrybacki - keystone queens bug list is up for review https://etherpad.openstack.org/p/keystone-queens-bug-list04:10
*** dave-mccowan has quit IRC04:27
*** gongysh has joined #openstack-keystone04:29
*** blake has joined #openstack-keystone04:29
*** vish_18 has quit IRC04:29
*** annp has quit IRC04:33
*** annp has joined #openstack-keystone04:34
*** pramodrj07 has quit IRC04:39
*** Dinesh__Bhor has quit IRC04:40
*** Dinesh__Bhor has joined #openstack-keystone04:40
openstackgerritMerged openstack/ldappool master: Updated from global requirements  https://review.openstack.org/53494104:41
*** masber has joined #openstack-keystone04:42
openstackgerritMerged openstack/keystoneauth master: Updated from global requirements  https://review.openstack.org/53705604:47
*** blake has quit IRC04:48
gagehugolbragstad approved some of the scope changes, lets see if the gate takes :)05:06
* gagehugo heads to bed05:07
gagehugowxy o/05:07
*** dikonoo has quit IRC05:12
charleswanglbragstad: I cannot find where "user_domain_id_fkey" is defined in the keystone repo.05:17
*** harlowja has joined #openstack-keystone05:19
*** dikonoor has joined #openstack-keystone05:29
*** links has joined #openstack-keystone05:32
openstackgerritGao Fei proposed openstack/keystone-specs master: Replace curly quotes with straight quotes  https://review.openstack.org/53725905:40
*** Sandy619 has joined #openstack-keystone05:41
*** Sandy619 has quit IRC05:46
*** dikonoor has quit IRC05:51
*** dikonoor has joined #openstack-keystone05:52
*** clayton has quit IRC05:58
*** Dinesh__Bhor has quit IRC05:59
*** rcernin_ has joined #openstack-keystone06:03
*** rcernin has quit IRC06:03
*** clayton has joined #openstack-keystone06:04
*** dikonoor has quit IRC06:06
*** dikonoor has joined #openstack-keystone06:06
*** Dinesh__Bhor has joined #openstack-keystone06:08
*** dikonoor has quit IRC06:15
*** blake has joined #openstack-keystone06:28
*** dikonoor has joined #openstack-keystone06:30
*** threestrands has joined #openstack-keystone06:39
*** blake has quit IRC06:46
*** blake has joined #openstack-keystone06:46
*** Dinesh__Bhor has quit IRC06:46
*** blake has quit IRC06:47
*** threestrands has quit IRC06:49
*** Dinesh__Bhor has joined #openstack-keystone06:50
*** Dinesh__Bhor has quit IRC06:52
*** Dinesh__Bhor has joined #openstack-keystone06:52
*** blake has joined #openstack-keystone07:02
*** annp has quit IRC07:10
*** pcaruana has joined #openstack-keystone07:10
*** rcernin has joined #openstack-keystone07:12
*** rcernin_ has quit IRC07:12
*** Dinesh__Bhor has quit IRC07:17
*** pcaruana has quit IRC07:21
*** pcaruana has joined #openstack-keystone07:22
*** markvoelker has quit IRC07:25
*** markvoelker has joined #openstack-keystone07:27
*** markvoelker has quit IRC07:32
*** charleswang has quit IRC07:41
*** adriant has quit IRC07:53
*** adriant has joined #openstack-keystone07:53
*** itlinux has joined #openstack-keystone07:56
*** pcaruana has quit IRC08:01
evrardjpgood morning08:07
evrardjpcmurphy: thanks a lot on the quick response there.08:09
evrardjpalso, how long is your upgrade test broken?08:10
evrardjpomg zuul queue...08:19
evrardjppatches waiting there for 16h50.08:19
*** blake has quit IRC08:20
*** AlexeyAbashkin has joined #openstack-keystone08:23
*** itlinux has quit IRC08:24
*** tesseract has joined #openstack-keystone08:27
*** pcaruana has joined #openstack-keystone08:39
*** dikonoo has joined #openstack-keystone08:41
*** dikonoor has quit IRC08:42
cmurphyevrardjp: the bug was merged on monday, our test isn't broken it just doesn't test on mariadb 10.2 :)08:42
*** rcernin has quit IRC08:44
evrardjpcmurphy: no I mean the current one08:46
cmurphyevrardjp: oh the osa upgrade test?08:47
evrardjpopenstack-ansible-keystone-rolling-upgrade08:47
evrardjpyes08:47
cmurphyevrardjp: i'm not sure, i don't think i've ever seen it working08:47
evrardjpI am worried :D08:47
evrardjpmmm08:47
cmurphywas going to ask you guys about it after feature freeze08:47
evrardjpI will put that into my todolist.08:47
evrardjpyeah ofc!08:47
cmurphyawesome08:47
evrardjpwe want our tests to be reliable!08:48
evrardjpelse it's not worth it, nobody would watch them :p08:48
cmurphyexactly08:48
*** tesseract has quit IRC08:54
*** tesseract has joined #openstack-keystone09:03
openstackgerritwangxiyuan proposed openstack/keystone master: Improve limit sql backend  https://review.openstack.org/53558709:06
openstackgerritwangxiyuan proposed openstack/keystone master: Add limit provider  https://review.openstack.org/52410909:06
openstackgerritwangxiyuan proposed openstack/keystone master: Implement policies for limits  https://review.openstack.org/53014309:06
openstackgerritwangxiyuan proposed openstack/keystone master: Expose unified limit APIs  https://review.openstack.org/52411009:06
openstackgerritwangxiyuan proposed openstack/keystone master: Add api-ref for unified limits  https://review.openstack.org/53568809:06
*** harlowja has quit IRC09:07
*** freerunner has quit IRC09:08
*** itlinux has joined #openstack-keystone09:12
*** freerunner has joined #openstack-keystone09:14
*** markvoelker has joined #openstack-keystone09:28
openstackgerritVishakha Agarwal proposed openstack/keystone master: Closes-Bug: #1714937  https://review.openstack.org/53732209:34
openstackbug 1714937 in OpenStack Identity (keystone) "keystone returns 500 on password change" [Low,Confirmed] https://launchpad.net/bugs/1714937 - Assigned to Vishakha Agarwal (vishakha.agarwal)09:34
*** markvoelker has quit IRC10:02
*** jaosorior has quit IRC10:16
*** jaosorior has joined #openstack-keystone10:17
*** sambetts|afk is now known as sambetts10:20
*** dikonoo has quit IRC10:21
*** dikonoo has joined #openstack-keystone10:33
*** rcernin has joined #openstack-keystone10:34
*** dikonoo has quit IRC10:48
*** AlexeyAbashkin has quit IRC10:53
*** AlexeyAbashkin has joined #openstack-keystone10:54
*** markvoelker has joined #openstack-keystone10:58
*** gongysh has quit IRC11:16
*** sapd_ has quit IRC11:19
*** sapd_ has joined #openstack-keystone11:19
*** itlinux has quit IRC11:23
*** markvoelker has quit IRC11:32
*** itlinux has joined #openstack-keystone11:38
*** mvenesio has joined #openstack-keystone11:45
*** dave-mccowan has joined #openstack-keystone12:09
*** zhurong has joined #openstack-keystone12:10
*** mvk has quit IRC12:19
*** raildo has joined #openstack-keystone12:27
*** markvoelker has joined #openstack-keystone12:29
*** mvk has joined #openstack-keystone12:31
*** yangzhenyu_ has joined #openstack-keystone12:39
yangzhenyu_cmurphy, hi, I have some question about application-credentials. Do I need a token when create the application-credentials? If I need a token, is not it still required username and password?12:43
cmurphyyangzhenyu_: to create one, yes you need a token which you would get with a usernamd and password. After you've created it, you can use it to get a new token without a username and password.12:50
*** mvk has quit IRC12:56
*** efried_back_wed is now known as efried12:58
yangzhenyu_cmurphy, Thanks,13:03
yangzhenyu_However, application credentials encourage not to save the user name and password to the configuration file. Where do the usernames and passwords of application credentials come from?13:03
*** markvoelker has quit IRC13:03
yangzhenyu_Also, for service components like Nova, where does it save the key after obtaining an application credential?13:04
yangzhenyu_After I read the spec file, it's not clear to me, I need your help, thanks.13:05
cmurphyyangzhenyu_: you create an application credential the same way you create any other resource the way you do today, you need a username and password from your openrc or clouds.yaml. after you've created it, you can use the application credential "id" and "secret" to authenticate13:06
cmurphya service component like nova would put `application_credential_id` and `application_credential_secret` in their [keystone_authtoken] section to authenticate with it13:07
cmurphyyangzhenyu_: i'll be writing up docs in the next week or so so hopefully it'll be more clear13:08
yangzhenyu_Thank you13:08
yangzhenyu_That is to say, the user name and password still need to write to the configuration file. Just replace the username and password in the component configuration file with the application credentials. I mainly want to understand the difference between the use and the previous.13:11
yangzhenyu_cmurphy, However, one of the more crucial issues to be solved in the spec file is to avoid saving the username and password to the configuration file.13:15
cmurphyyangzhenyu_: you're right, there is still a kind of username and password we're just calling id and secret. The difference is 1) if the application credential is compromised, that doesn't mean the user is compromised (especially important for ldap and federated users) 2) the application credential can be rotated without downtime13:17
cmurphyavoiding writing down any kind of secrets in config files is a different problem that the oslo people are working on solving13:17
yangzhenyu_cmurphy, However, for components like nova, we still have to write the application credentials to the configuration file. How to do rotate without downtime?13:21
*** edmondsw has joined #openstack-keystone13:21
*** edmondsw_ has joined #openstack-keystone13:22
cmurphyyangzhenyu_: you create a new application credential with the same permissions as the old one, and then can just update the [keystone_authtoken] config with the new id and secret13:24
cmurphywhere in the case of changing say the nova service user password you would have to first change the password with keystone, which would break nova temporarily until you have a chance to update the config file13:25
yangzhenyu_cmurphy,  I think update the nova.conf for section [keystone_authtoken], it need to restart the nova service.13:26
*** edmondsw has quit IRC13:26
cmurphyyangzhenyu_: yes, so not 0 downtime but much less than the downtime between making the update in keystone and making the update in nova13:27
cmurphyyangzhenyu_: it's also possible we could make that config option not need a service restart in the future https://review.openstack.org/#/c/534605/13:28
yangzhenyu_cmurphy,13:29
yangzhenyu_Ok, Thank you, I probably understand. Looking forward to your more detailed documentation.13:29
cmurphyyangzhenyu_: great :) happy to answer any other questions if you think of any13:30
yangzhenyu_That's great!13:30
openstackgerritMerged openstack/keystone master: Fix column rename migration for mariadb 10.2  https://review.openstack.org/53686913:47
*** AlexeyAbashkin has quit IRC13:47
*** rcernin has quit IRC13:47
*** daidv has quit IRC13:50
*** mvk has joined #openstack-keystone13:56
*** panbalag has joined #openstack-keystone13:58
*** markvoelker has joined #openstack-keystone14:00
*** AlexeyAbashkin has joined #openstack-keystone14:00
*** jaosorior has quit IRC14:05
*** panbalag has left #openstack-keystone14:12
*** links has quit IRC14:15
*** zhurong has quit IRC14:18
*** markvoelker has quit IRC14:27
*** markvoelker has joined #openstack-keystone14:27
*** AlexeyAbashkin has quit IRC14:33
cmurphyanyone awake yet? would be really good to get https://review.openstack.org/#/c/524415/ and https://review.openstack.org/#/c/534965/ gating asap14:43
lbragstado/14:44
cmurphy\o14:44
lbragstaddamn...14:44
cmurphyya sorry lbragstad14:44
lbragstadwe have a couple things creeping closer to the gate14:47
knikollao/14:47
*** aselius has joined #openstack-keystone14:49
gagehugoo/14:54
*** markvoelker has quit IRC14:55
knikollacmurphy: kicked both reviews through :)14:58
* knikolla goes to get breakfast now14:58
*** markvoelker has joined #openstack-keystone14:59
*** AlexeyAbashkin has joined #openstack-keystone15:00
cmurphyknikolla: yay ty :D15:00
lbragstadi can hear zuul grinding from my house15:03
knikollalbragstad: pardon, i think that's my stomach.haha15:04
lbragstadlol15:04
lbragstadwe can start queuing up this series too since the mariadb 10.2 patch merged https://review.openstack.org/#/c/524423/4115:13
hrybackiwoo!15:15
hrybackilbragstad: I have to provide some int. training during the policy meeting time today fyi =/15:15
lbragstadhrybacki: no worries - i don't think much is going to be happening today during the meeting anyway15:16
lbragstadthere isn't anything on the agenda15:16
*** itlinux has quit IRC15:16
hrybackiack15:17
*** itlinux has joined #openstack-keystone15:18
*** dave-mccowan has quit IRC15:22
-openstackstatus- NOTICE: gerrit has been suffering from a full disk, some mails may have been lost in the last couple of hours. we will now restart gerrit to address ongoing slowness, too15:24
cmurphyhuh i was wondering about that ^15:24
*** mvenesio has quit IRC15:29
*** panbalag has joined #openstack-keystone15:29
*** Guest28399 is now known as mgagne15:33
*** mgagne has joined #openstack-keystone15:33
*** edmondsw_ is now known as edmondsw15:34
*** charleswnag has joined #openstack-keystone15:36
*** itlinux has quit IRC15:40
*** dave-mccowan has joined #openstack-keystone15:46
*** david-lyle has joined #openstack-keystone15:50
*** jose-phi_ has joined #openstack-keystone15:52
*** jose-phillips has quit IRC15:54
*** AlexeyAbashkin has quit IRC16:05
lbragstadfwiw - the unified limit series is back up16:07
openstackgerritMerged openstack/python-keystoneclient master: Add system role functionality  https://review.openstack.org/52441516:13
openstackgerritMerged openstack/python-keystoneclient master: Add CRUD support for application credentials  https://review.openstack.org/53496516:15
lbragstadalso - https://review.openstack.org/#/c/524416/ seems to be failing because we don't have a new ksa release yet, but we're working on it16:23
*** spilla has joined #openstack-keystone16:23
lbragstadit is ready for reviews even though Zuul -1'd it16:23
cmurphylbragstad: ksa or ksc?16:24
cmurphyi don't think that is going to work without a ksc release16:24
lbragstadksa i think16:25
cmurphyit has a depends-on on the ksc change16:25
lbragstadhttp://logs.openstack.org/16/524416/2/check/openstack-tox-py27/ffe040f/job-output.txt.gz#_2018-01-22_21_25_51_30603416:25
lbragstadi think it's tripping on a missing attribute that was added in ksa16:25
lbragstadwell - now that we have the pending ksc patches merged, i can do a ksc release16:26
cmurphy\o/16:26
cmurphybut that will also need a requirements bump before osc can consume it16:27
lbragstadack - i'll get that rolling asap then16:27
lbragstadhuh - the github mirror hasn't updated yet16:29
lbragstadhttps://review.openstack.org/53744516:30
cmurphyhttp://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=1e8c9302fc055f78964f3eaef32e09dae89eb2fa who needs github :P16:30
lbragstadinorite?16:31
*** pcaruana has quit IRC16:35
*** AJaeger has joined #openstack-keystone16:45
*** AJaeger has left #openstack-keystone16:45
openstackgerritCHARLES WANG proposed openstack/keystone master: Delete users before deleting domains  https://review.openstack.org/50634016:46
*** gagehugo__ has joined #openstack-keystone16:49
*** gyee has joined #openstack-keystone16:59
*** nkinder has quit IRC16:59
*** hrybacki is now known as hrybacki_mtg17:04
openstackgerritMerged openstack/keystone master: Add scope_types to domain policies  https://review.openstack.org/52570517:12
*** gagehugo__ has quit IRC17:14
*** gyee has quit IRC17:15
*** charleswnag has quit IRC17:27
*** mvk has quit IRC17:35
*** pramodrj07 has joined #openstack-keystone17:37
knikollaif anyone's interested, i'm working on a self-service ui/api for our cloud to allow users to request new projects, invite users to their owned projects, and manage the members.17:38
knikollawill open source it next week.17:38
lbragstadknikolla: nice - i'd like to have a look17:40
lbragstadknikolla: is that going to benefit from the system scope stuff eventually?17:40
lbragstads/is/i hope/17:41
knikollalbragstad: yes and no. no, because ownership of a project is defined by a special role on the project, so it's project scoped assignment. yes, because i called this special role project_admin, which is super confusing cause today that means something else, but with system scope that concept will go away.17:42
*** nkinder has joined #openstack-keystone17:44
lbragstadgotcha17:44
knikollalbragstad: but on the other hand. the microservice only really needs identity access. so scope { system: 'identity' } will be nice.17:44
lbragstadright.. instead of access as a cloud administrator17:45
lbragstadthat's cool17:45
knikollait works well with SSO, because user's have no permissions when they first sign up. so they're redirected to the project request form.17:46
*** aojea has joined #openstack-keystone17:46
knikollaoh, and by the way we have SSO now in our cloud :)17:46
lbragstadsweet! i bet that's nice to have now, i remember you talking about that17:49
*** mvenesio has joined #openstack-keystone17:49
knikollalbragstad: it will be, it's currently unusable because we have tooling in place that creates users and projects in keystone based on users filling a  google form and a it being approved in a google spreadsheet.17:51
knikollano one really understand the code written to do that since the engineer who did it left a while ago.17:51
*** Tahvok has quit IRC17:51
lbragstadahhh17:52
knikollaso even if people can log in, they don't have permissions.17:52
*** Tahvok has joined #openstack-keystone17:52
openstackgerritOpenStack Release Bot proposed openstack/keystoneauth master: Update reno for stable/queens  https://review.openstack.org/53749418:00
openstackgerritOpenStack Release Bot proposed openstack/keystonemiddleware master: Update reno for stable/queens  https://review.openstack.org/53749718:01
*** david-lyle has quit IRC18:04
openstackgerritOpenStack Release Bot proposed openstack/oslo.policy master: Update reno for stable/queens  https://review.openstack.org/53755018:06
*** sambetts is now known as sambetts|afk18:08
*** tesseract has quit IRC18:08
*** hrybacki_mtg is now known as hrybacki18:14
*** panbalag1 has joined #openstack-keystone18:22
*** panbalag has quit IRC18:24
*** panbalag1 has left #openstack-keystone18:29
*** pramodrj07 has quit IRC18:31
*** Pramod has joined #openstack-keystone18:31
*** phalmos has joined #openstack-keystone18:32
cmurphykmalloc: around? could you look at https://review.openstack.org/#/c/501148/ so we can close https://bugs.launchpad.net/keystone/+bug/1566416 ?18:43
openstackLaunchpad bug 1566416 in OpenStack Security Advisory "Keystone does not validate that s3tokens requests came from s3_token middleware" [Undecided,Incomplete]18:43
*** Pramod has quit IRC18:56
*** yangzhenyu__ has joined #openstack-keystone19:04
*** yangzhenyu_ has quit IRC19:08
*** david-lyle has joined #openstack-keystone19:17
*** pcaruana has joined #openstack-keystone19:27
*** pcaruana has quit IRC19:27
cmurphyif someone would like to take a look at https://review.openstack.org/#/c/524423/41 and https://review.openstack.org/#/c/525346/32 that will get that stack rolling :)19:30
*** muttley has joined #openstack-keystone19:32
*** AlexeyAbashkin has joined #openstack-keystone19:34
*** harlowja has joined #openstack-keystone19:38
*** AlexeyAbashkin has quit IRC19:38
gagehugocmurphy I'll redeploy but those should be fine, they worked for me when I tested it last week19:39
lbragstadyes - please19:40
lbragstadfwiw - i'm working on a client for the registered limit stuff in case that helps anyone with reviews19:40
openstackgerritOpenStack Release Bot proposed openstack/python-keystoneclient master: Update reno for stable/queens  https://review.openstack.org/53763019:46
*** muttley has quit IRC19:48
*** dave-mccowan has quit IRC19:58
*** dtruong has joined #openstack-keystone20:20
kmalloccmurphy: done20:25
cmurphykmalloc: ty20:26
cmurphylbragstad: wxy I've been wondering today if maybe we could have some kind of trial period or feature branch for unified limits for a cycle instead of merging it/making it "supported" this release20:29
cmurphyi feel like we need to write a library around it and develop the flat model and give the other projects a chance to play with it so we can shake out issues in the API20:29
lbragstadso we can have api breaking changes20:30
lbragstadif we do a feature branch, how do people deploy it if they are feeling dangerous?20:30
cmurphynot sure20:31
cmurphyI just feel like the REST API on its own is not that useful and doesn't really *need* to be here this cycle, but once we get a better feeling of how this is going to work end-to-end we might want to change it but it'll be too late20:32
cmurphyjust wanted to float a what-if20:35
lbragstadso - i think the last time we talked about something like this it was with the swift team20:35
lbragstadif we do a feature branch, we'd have to rebase it somewhat regularly so that people deploying the feature can stay relatively close to master20:36
cmurphysure20:36
lbragstadand they'd be required to deploy from source20:36
lbragstadafaik20:36
cmurphyI don't really feel like that's a problem, the feature is not that useful to end-users until the other openstack services start consuming it20:37
cmurphyso i don't think there will be operators in the wild using the feature branch20:37
lbragstadsure..20:38
lbragstador customer specific services...20:38
cmurphyyeah i guess20:38
lbragstadbut... i'm not sure how likely that is20:38
* lbragstad shrug20:38
lbragstadone other concern that might not be a concern... idk... is having a plan once we make a feature branch20:39
lbragstadi wouldn't want to get into the habit of just rebasing it and not actively working on a plan to make it proper20:39
lbragstadagain - i could be paranoid20:40
cmurphynot paranoid, would be good to have a solid plan20:40
lbragstadi just worry that rocky comes up and we are on the verge of releasing it and it's like"20:41
lbragstad"oh, crap, we didn't do anything with limits..."20:41
*** dave-mccowan has joined #openstack-keystone20:41
cmurphythe plan thing is sort of what's concerning me now, it feels like we're about to release a thing and we don't have a plan for after it's released20:42
lbragstadthat's the *best* way to releas20:42
lbragstadit's like letting wild animals out at the zoo!20:42
cmurphylol20:42
lbragstadbut yeah - i see what you mean20:43
lbragstadi think fungi was also involved in the feature branch discussion we had..20:43
cmurphymaybe it doesn't have to be a feature branch, maybe just don't merge the controller and api-ref this particular week20:43
cmurphygive us some time in the rocky cycle to develop some utilities around it20:44
*** itlinux has joined #openstack-keystone20:44
cmurphyidk20:44
lbragstadyeah...20:45
lbragstadwithout knowing all the details about feature branches.. that feels a little more complete to me20:45
lbragstadnot sure how much of a difference that makes20:45
*** belmoreira has joined #openstack-keystone20:51
cmurphy(I don't want to discourage people from reviewing the limits stack https://review.openstack.org/#/c/535587 :) )20:52
lbragstadi can hop on tonight with wxy and see what we come up with20:53
lbragstadi'd like his input20:53
cmurphyyes definitely20:53
cmurphythe reason i was thinking about it was i was playing with limits and found this API awkward http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/limits-api.html#update-project-limits20:56
cmurphyi think it seemed reasonable when we merged the spec20:57
cmurphybut it makes me wonder if it will be awkward when we build utilities around it20:57
cmurphyand on the one hand we should merge it because that's what we agreed to in the spec but on the other hand then we're stuck with it if it turns out to be weird20:57
lbragstadyeah... and this isn't the first time warts like this have happened21:04
lbragstadbetween the spec process and the implementation21:04
lbragstadwhat do you find odd about the update limit api?21:05
*** chason has quit IRC21:10
cmurphyit's using a PUT to update a whole batch yet it requires IDs for each individual item21:12
lbragstadoh - yea...21:13
cmurphyI remember we were wondering whether these things should have IDs and we came out on the side of having IDs but it's still slightly awkward21:13
lbragstadi guess that is a bit strange...21:13
gagehugocmurphy worked fine for me :)21:14
cmurphygagehugo: \o/21:15
*** chason has joined #openstack-keystone21:15
cmurphyon the other hand it's definitely never going to be perfect so maybe best to get keystone able to serve *something* and put the fine-tuning in the clients/libraries21:17
*** raildo has quit IRC21:17
lbragstadyeah - that's kinda where i was going with the plan bit...21:18
lbragstadit we put it off, we need a plan in place for how we are going to improve it and what we're going to improve by a specific date21:19
lbragstadotherwise i just think it'll keep slipping21:19
lbragstador it will be easier for it to21:19
*** yangzhenyu__ has quit IRC21:20
*** yangzhenyu__ has joined #openstack-keystone21:20
*** aojea_ has joined #openstack-keystone21:21
*** aojea_ has quit IRC21:21
cmurphyyeah21:21
*** aojea has quit IRC21:23
cmurphyif it's merged it's definitely easier for anyone to pick it up and build on it21:23
*** ayoung has joined #openstack-keystone21:24
*** dave-mccowan has quit IRC21:25
lbragstadagreed21:28
*** threestrands has joined #openstack-keystone21:41
*** threestrands_ has joined #openstack-keystone21:44
*** threestrands_ has quit IRC21:44
*** threestrands_ has joined #openstack-keystone21:44
openstackgerritLance Bragstad proposed openstack/python-keystoneclient master: WIP: functionality for registered limits  https://review.openstack.org/53766821:47
lbragstadwxy: ^21:47
*** threestrands has quit IRC21:47
lbragstadi noticed a few things that are out of line with the specification while working on that21:47
lbragstadwe'll either have to update the specification or update the implementation21:47
lbragstadhttps://review.openstack.org/#/c/530490/ could use another set of eyes21:50
gagehugolbragstad I will take a look once I get home later today at the system scope stuff21:51
lbragstadgagehugo: thanks!21:51
gagehugotoo many meetings today :(21:51
gagehugosystem scope seems pretty close21:51
lbragstadi still seem to be having an issue with https://review.openstack.org/#/c/530410/ but i have absolutely no idea what is happening there21:52
lbragstadseems like a tempest thing?21:52
gagehugooh it is 401'ing21:53
lbragstadyeah... but tempest doesn't know how to do anything with system scope yet and we're not enforce_scope on policies.. which would result in a different 403 anyway21:55
gagehugo:?21:55
*** spilla has quit IRC21:57
*** belmoreira has quit IRC22:00
*** mvenesio has quit IRC22:05
*** rcernin has joined #openstack-keystone22:14
lbragstadcmurphy: do we have the ability to label things as experimental still?22:27
*** rcernin has quit IRC22:29
*** jrist has quit IRC22:29
*** jrist has joined #openstack-keystone22:30
cmurphylbragstad: i don't think so22:31
*** rcernin has joined #openstack-keystone22:31
lbragstadhttp://paste.openstack.org/show/652844/22:32
lbragstadlooks like we do :)22:32
lbragstadwe mark three other APIs as experimental22:32
cmurphywhich ones?22:32
lbragstadimplied_roles22:33
lbragstadrole_inference22:33
lbragstadwell - two implied_roles APIs and one role_inference API22:33
cmurphywow22:34
cmurphythose should maybe be promoted22:34
lbragstadlol22:34
cmurphyafaik we're treating all our APIs as stable22:34
lbragstadyeah - that's what i've been told22:34
knikollathat's like gmail's beta tag22:34
cmurphylol22:35
lbragstadi'd love to use the experimental tag more22:35
cmurphywe totally could https://specs.openstack.org/openstack/api-wg/guidelines/api_interoperability.html#new-or-experimental-services-and-versioning22:36
lbragstadso - if i'm reading the right...22:37
lbragstadthat just requires that we mark the limit and registered limit apis as experimental22:37
lbragstador do we really have to pull it out into a separate service?22:38
cmurphyhmm it looks like they were going to define it better and it didn't quite make it https://review.openstack.org/#/c/273158/22:39
lbragstadhuh22:40
lbragstadso i wonder if that means we can still use what we have to mark things as experimental or not?22:40
cmurphypart of what mordred's been working on seems to define it somewhat https://review.openstack.org/#/c/459710/17/guidelines/discoverability.rst22:42
cmurphyit would need its own endpoint22:42
lbragstadnice22:44
lbragstadhttps://review.openstack.org/#/c/459710/17/guidelines/discoverability.rst@27822:44
lbragstadit's own endpoint or an entirely new service?22:44
lbragstadi've heard /v3/auth/tokens as being an "endpoint"22:45
lbragstadunless i skimmed the definition22:45
mordredoh - the word 'endpoint' is highly over subscribed22:46
lbragstadthere he is22:46
lbragstadmordred: right, it totally is22:46
mordredendpoint in the context that matters here is 'thing that can be found from the catalog'22:46
lbragstadmordred: what's your interpretation of it at https://review.openstack.org/#/c/459710/17/guidelines/discoverability.rst@278 ?22:46
lbragstadhmm22:46
lbragstadok22:47
cmurphythat would mean the version endpoint like /v322:47
mordredyah22:47
*** edmondsw has quit IRC22:47
mordredI haven't read all the scrollback though ...22:47
lbragstadtechnically, i can discover subsystems of an endpoint though...22:47
cmurphymordred: we're just wondering if we can add an experimental API22:47
mordredyes. I mean - honestly, from my POV, as long as you have a *something* that I can query somewhere to find out if that experimental thing exists22:48
lbragstadlike this - https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_versions.py#L358-L36222:48
mordredto *me* that's fine ... like swift has a /info endpint that returns sets of flags you can use to check to see if swift can do a particular thing22:49
mordredlbragstad: how is 'hints': {'status': 'experimental'} exposed?22:50
lbragstadfor example - https://github.com/openstack/keystone/blob/master/keystone/assignment/routers.py#L60-L9222:50
lbragstadits in the json home document22:50
* lbragstad double checks22:50
mordredlbragstad: I may not have ever seen the json home document22:51
cmurphyis that discoverable via GET /v3 though?22:51
*** itlinux has quit IRC22:51
lbragstadcurl -X GET -H 'Accept: application/json-home' http://192.168.122.160:35357/v3/22:52
lbragstadit returns a big ole hot mess of a response...22:53
lbragstadcurl -X GET -H 'Accept: application/json-home' http://192.168.122.160:35357/v3/ | python -m json.tool22:53
lbragstadmakes it readable22:53
cmurphyoh interesting22:53
mordredfascinating22:53
* mordred goes to play22:53
lbragstadsnippet22:55
lbragstadhttp://paste.openstack.org/raw/652878/22:55
lbragstad^ experimental22:55
mordredwow. FASCINATING22:56
lbragstad:)22:56
cmurphylol well if mordred didn't know about this then it's probably safe to say not many other people do either22:56
lbragstadi remember bknudson working on that a *long* time ago22:56
lbragstadso...22:57
lbragstaddoes that mean it's discoverable?! :D22:57
mordredwell...22:58
mordreda few things, just as an fyi22:58
mordredhttps://docs.openstack.org/api/openstack-identity/3/rel/implied_role <-- that URL is wrong if it's supposed to be a URL to the API docs22:58
lbragstadyeah - we've had bugs opened about that...22:59
lbragstadgagehugo:  worked on it22:59
mordredBUT22:59
mordredyah - I think that seems like good discoverability22:59
lbragstad\o/23:00
mordredlbragstad: it would be nice if there was a way for me to get from GET /roles/{prior_role_id}/implies/{implied_role_id} to  https://docs.openstack.org/api/openstack-identity/3/rel/implied_role in the document23:01
mordredbut I guess that could be done by reading, parsing and making an inverted mapping on href-template23:01
mordred(trying to think forward to ways in which I could expose an "experimental=True" flag somewhere and have SDK not expose calls to APIs that are listed as experimental or something23:02
*** itlinux has joined #openstack-keystone23:02
lbragstadhmmm23:03
mordredbut that's just dict manipulation - the informatoin is there and is queryable23:03
mordredI wonder how many other services have jsonhome and I didn't know23:03
lbragstadi have no idea...23:03
lbragstadcmurphy: thoughts?23:04
mordredbarbican, freezer and zaqar seem to have code doing somethign with application/json-home at least23:06
cmurphyi don't think we've done a great job of communicating that we have experimental APIs23:06
cmurphyso i'd be worried about someone getting bit by that23:07
cmurphybut23:07
cmurphythis isn't likely to be used by end users yet23:07
lbragstadhttps://bugs.launchpad.net/keystone/+bug/167467623:07
openstackLaunchpad bug 1674676 in OpenStack Identity (keystone) "The URL listed against the details of identity resources returns 404 Not Found error" [Medium,Fix released] - Assigned to Gage Hugo (gagehugo)23:07
lbragstaddstanek: described the usaeg of those links23:08
lbragstadhttps://bugs.launchpad.net/keystone/+bug/1674676/comments/323:08
cmurphyit still doesn't make a lot of sense for us to choose docs.openstack.org a part of an unresolveable URN23:09
cmurphyas part*23:09
mordredoh god. is this another thing like the extra-broken xmlns spec where the thing that looks like a url isn't actually a url?23:10
cmurphylol don't you love those23:10
lbragstadcmurphy: i feel like we need to have a session on this at the PTG23:10
mordred(I had tim bray jump up and down yelling about how it was not an actual url and we should all get over it once. I still contend he's completely and utterly wrong and the design of that system is an example of epic amounts of hubris and design failure)23:10
cmurphylbragstad: on experimental APIs or on limits in particular?23:11
cmurphyeither way yes23:11
lbragstadcool23:11
mordredlike - if you want a thing that's just a unique identifier - cool - just don't prefix it with the letters 'http://'23:11
lbragstadwell - we'll have a session on limits regardless23:11
lbragstadbut i think we either need to fix the json-home stuff or something...23:11
lbragstadbecause mordred is proving our case for us23:12
mordredbecause THOSE tell me it's describing a location that can be fetched over HTTP23:12
lbragstadjson-home works for discoverability, which is good, it's just a little confusing when people go to use it23:12
lbragstadi feel like we should either fix it or redo it23:12
cmurphyyeah23:13
lbragstadthe obvious benefit being we just build on the existing discovery mechanism we've had forever23:13
mordred++ - and that honestly other people should have too23:13
lbragstadwho knows, maybe we'll come up with improved processes for using it23:14
* lbragstad is an optimist23:14
mordredlbragstad: btw: https://en.wikipedia.org/wiki/Uniform_Resource_Name23:16
mordredmy reading of that communicates to me that a more appropriate key might be 'urn:openstack:api:identity:3:rel:implied_role' and then I won't tell stories about xml23:18
lbragstad'The term "URN" continues now as one of more than a hundred URI "schemes", urn:, paralleling http:, ftp:, and so forth. URIs of the urn: scheme are not locators, are not required to be associated with a particular protocol or access method, and need not be resolvable.'23:18
mordredlbragstad: yup23:18
lbragstadyeah..23:18
lbragstadi agree the that http bits make it imply something it doesn't23:19
lbragstador shouldn't according to the definition23:19
lbragstadi feel better about moving forward with the unified limit stuff if we can mark it as experimental23:20
cmurphy++23:20
lbragstadmordred: sounds like you're going to probably have some feedback on json-home at the PTG?23:21
lbragstador ways that we can try and improve what we have implemented?23:21
mordredugh. and now I'm off reading RFCs :)23:21
mordredlbragstad: honestly I think what;s there right now is totally workable and better than if it's not there23:22
mordredlbragstad: most of this is me being an ass and quibbling with semantic mistakes people have made while defining RFCs with their heads shoved in a dark hole23:22
*** itlinux has quit IRC23:23
lbragstadlol23:24
lbragstadfair enought - either way, we'll probably talk about it in dublin23:24
lbragstadcmurphy: updated https://review.openstack.org/#/c/524110/5023:24
lbragstadthat was good - i feel good about that...23:25
* lbragstad has the warm fuzzys23:25
cmurphy:D23:26
lbragstaddo we wanna mark anything else as experimental this release?23:29
mordredlbragstad, cmurphy: well - y'all win the prize for having the coolest and most comprehensive api discoverability in all of openstack23:30
cmurphymordred: yay \o/23:30
mordredlbragstad, cmurphy: and I'm now going to turn my shame cannon on everyone else for being yutzes and NOT having json-home documents23:31
cmurphymordred: excellent23:31
lbragstadlol23:31
cmurphylbragstad: i feel pretty solid about application credentials, i think that's worth committing to non-experimentally23:31
lbragstadcmurphy: ++23:31
cmurphysystem scope also feels solid to me and it's super urgent23:32
lbragstadawesome - those should be some easy patches to respin and we should be ablet o get them gating tomorrow23:37
lbragstadfocus on flushing bugs out of the APIs during Rocky and work on the whole enforcement model thing...23:37
*** phalmos has quit IRC23:55
« Tuesday, 2018-01-23 Index Thursday, 2018-01-25 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!