Wednesday, 2018-02-21

*** openstackstatus has quit IRC		00:12
*** openstackstatus has joined #openstack-keystone		00:14
*** ChanServ sets mode: +v openstackstatus		00:14
*** AlexeyAbashkin has joined #openstack-keystone		00:23
*** AlexeyAbashkin has quit IRC		00:27
*** lbragstad has quit IRC		00:32
*** d0ugal_ has joined #openstack-keystone		00:48
*** daidv has joined #openstack-keystone		00:51
*** dave-mccowan has joined #openstack-keystone		01:06
*** rcernin has quit IRC		01:36
*** rcernin has joined #openstack-keystone		01:36
*** rcernin has quit IRC		01:42
*** rcernin has joined #openstack-keystone		01:43
*** sapd has joined #openstack-keystone		01:51
*** rcernin has quit IRC		01:53
*** rcernin has joined #openstack-keystone		01:53
*** annp has joined #openstack-keystone		02:28
*** harlowja_ has quit IRC		02:28
*** links has joined #openstack-keystone		02:49
*** oikiki_ has quit IRC		03:04
*** AlexeyAbashkin has joined #openstack-keystone		03:23
*** AlexeyAbashkin has quit IRC		03:27
*** lbragstad has joined #openstack-keystone		03:43
*** ChanServ sets mode: +o lbragstad		03:43
*** gongysh has joined #openstack-keystone		04:05
*** d0ugal__ has joined #openstack-keystone		04:12
*** d0ugal_ has quit IRC		04:15
*** AlexeyAbashkin has joined #openstack-keystone		04:22
*** annp has quit IRC		04:23
*** annp has joined #openstack-keystone		04:23
*** AlexeyAbashkin has quit IRC		04:26
*** dave-mccowan has quit IRC		04:34
*** gyee has quit IRC		05:27
*** lbragstad has quit IRC		05:28
*** gongysh has quit IRC		05:54
*** d0ugal__ has quit IRC		06:27
*** d0ugal__ has joined #openstack-keystone		06:32
*** nixi_girl has joined #openstack-keystone		06:49
*** d0ugal__ has quit IRC		06:52
*** nixi_girl has quit IRC		07:00
*** narcis has joined #openstack-keystone		07:02
*** nixi_girl has joined #openstack-keystone		07:08
*** narcis has quit IRC		07:21
*** rcernin has quit IRC		07:21
*** hoonetorg has quit IRC		07:46
*** pcaruana has joined #openstack-keystone		07:47
*** usr2033 has joined #openstack-keystone		07:53
usr2033	hi	07:53
usr2033	i have a problem about policy.v3cloudsample.json file. Can anyone help?	07:54
*** d0ugal has joined #openstack-keystone		07:55
*** d0ugal has quit IRC		07:55
*** d0ugal has joined #openstack-keystone		07:55
*** mancdaz has quit IRC		07:57
*** mancdaz_ has joined #openstack-keystone		07:58
*** mancdaz_ is now known as mancdaz		07:58
*** hoonetorg has joined #openstack-keystone		08:00
*** d0ugal has quit IRC		08:00
*** d0ugal has joined #openstack-keystone		08:01
*** d0ugal has quit IRC		08:06
*** d0ugal has joined #openstack-keystone		08:15
*** sapd_ has joined #openstack-keystone		08:17
*** sapd_ has quit IRC		08:17
*** AlexeyAbashkin has joined #openstack-keystone		08:22
*** d0ugal has quit IRC		08:29
*** tesseract has joined #openstack-keystone		08:34
*** d0ugal has joined #openstack-keystone		08:34
*** d0ugal has quit IRC		08:39
*** d0ugal has joined #openstack-keystone		08:48
*** d0ugal has quit IRC		08:48
*** d0ugal has joined #openstack-keystone		08:48
*** nixi_girl has quit IRC		08:56
*** d0ugal has quit IRC		08:58
*** d0ugal has joined #openstack-keystone		09:07
*** openstackgerrit has joined #openstack-keystone		09:43
openstackgerrit	Merged openstack/keystone master: Remove v2.0 policies https://review.openstack.org/546420	09:43
*** daidv has quit IRC		09:58
*** pcaruana has quit IRC		10:05
*** d0ugal_ has joined #openstack-keystone		10:06
*** d0ugal has quit IRC		10:06
*** d0ugal_ has quit IRC		10:11
*** d0ugal_ has joined #openstack-keystone		10:13
*** d0ugal__ has joined #openstack-keystone		10:17
*** d0ugal_ has quit IRC		10:18
*** pcaruana has joined #openstack-keystone		10:20
*** annp has quit IRC		10:25
*** d0ugal__ has quit IRC		10:54
*** d0ugal has joined #openstack-keystone		10:54
*** d0ugal has quit IRC		10:54
*** d0ugal has joined #openstack-keystone		10:54
*** pcaruana has quit IRC		11:19
*** d0ugal has quit IRC		11:23
*** d0ugal has joined #openstack-keystone		11:30
*** pcaruana has joined #openstack-keystone		11:33
*** d0ugal has quit IRC		12:06
*** d0ugal has joined #openstack-keystone		12:10
*** gongysh has joined #openstack-keystone		12:12
*** gongysh has quit IRC		12:13
*** raildo has joined #openstack-keystone		12:13
*** jmlowe has quit IRC		12:18
*** jmlowe has joined #openstack-keystone		12:18
*** mgagne has quit IRC		12:19
*** d0ugal has quit IRC		12:20
*** d34dh0r53 has quit IRC		12:20
*** chris_hultin has quit IRC		12:20
*** evrardjp has quit IRC		12:22
*** d0ugal has joined #openstack-keystone		12:22
*** evrardjp has joined #openstack-keystone		12:26
*** d34dh0r53 has joined #openstack-keystone		12:26
*** d0ugal has quit IRC		12:34
*** mgagne has joined #openstack-keystone		12:36
*** mgagne is now known as Guest20946		12:36
*** chris_hultin\|AWA has joined #openstack-keystone		12:38
*** chris_hultin\|AWA is now known as chris_hultin		12:39
*** melwitt has quit IRC		12:47
*** melwitt has joined #openstack-keystone		12:52
*** Supun has joined #openstack-keystone		13:06
*** dave-mccowan has joined #openstack-keystone		13:08
*** d0ugal has joined #openstack-keystone		13:13
*** d0ugal_ has joined #openstack-keystone		13:19
*** d0ugal has quit IRC		13:20
*** d0ugal_ has quit IRC		13:25
*** d0ugal_ has joined #openstack-keystone		13:38
*** d0ugal_ has quit IRC		13:48
*** d0ugal has joined #openstack-keystone		13:48
*** d0ugal has quit IRC		13:48
*** d0ugal has joined #openstack-keystone		13:48
*** d0ugal has quit IRC		13:58
*** d0ugal has joined #openstack-keystone		13:59
*** jdennis has quit IRC		14:00
*** d0ugal has quit IRC		14:04
*** lbragstad has joined #openstack-keystone		14:15
*** ChanServ sets mode: +o lbragstad		14:15
lbragstad	usr2033 are you still having some issues with policy.v3cloudsample?	14:17
*** d0ugal has joined #openstack-keystone		14:22
*** links has quit IRC		14:29
*** panbalag has joined #openstack-keystone		14:34
openstackgerrit	Merged openstack/ldappool master: Updated from global requirements https://review.openstack.org/538465	14:34
*** dmellado has quit IRC		14:37
*** dmellado has joined #openstack-keystone		14:42
*** d0ugal has quit IRC		14:49
openstackgerrit	Merged openstack/keystone-tempest-plugin master: Updated from global requirements https://review.openstack.org/536312	14:53
*** d0ugal has joined #openstack-keystone		14:57
*** spilla has joined #openstack-keystone		15:03
*** usr2033 has quit IRC		15:08
*** dklyle has joined #openstack-keystone		15:15
*** david-lyle has quit IRC		15:16
*** itlinux has joined #openstack-keystone		15:26
openstackgerrit	Gage Hugo proposed openstack/keystone master: Add functional testing gate https://review.openstack.org/531014	15:31
gagehugo	o/	15:33
openstackgerrit	Merged openstack/python-keystoneclient master: Updated from global requirements https://review.openstack.org/537164	15:43
*** r-daneel has joined #openstack-keystone		15:54
knikolla	o/	15:57
*** r-daneel_ has joined #openstack-keystone		16:01
*** r-daneel has quit IRC		16:02
*** r-daneel_ is now known as r-daneel		16:02
m3m0	following the instructions here: https://docs.openstack.org/keystone/queens/install/keystone-install-ubuntu.html, when I run apt install keystone, is there a way to make it non-interactive? it ask me for a database configuration	16:07
gagehugo	m3m0 Is that the mysql password prompts?	16:12
knikolla	was thinking the same, but it doesn't look like installing keystone installs mysql.	16:14
knikolla	just tried it now. Didn't ask me for anything while apt installing. Are you referring to the database config section of /etc/keystone/keystone.conf?	16:16
*** pcaruana has quit IRC		16:16
*** openstackgerrit has quit IRC		16:19
lbragstad	cmurphy i know i asked you this already, but you have an idea of what you want to go over for the cross-project application credentials session, yeah?	16:19
cmurphy	lbragstad: um not really actually	16:20
cmurphy	i guess i imagined a bit of q&a and a bit of "what would you like to see"	16:21
cmurphy	fine-grained access control is the obvious thing	16:21
cmurphy	it's not that critical of a session now that the base feature is there	16:22
lbragstad	cmurphy ok - so we can just stage it for a short q&a type thing and if it evolves into something else that's fine	16:23
lbragstad	attempting to flesh it out here - https://etherpad.openstack.org/p/application-credentials-rocky-ptg	16:25
*** kukacz_ has joined #openstack-keystone		16:26
knikolla	yeah, i think we should spend some time talking about fine grained access. maybe could be tied to the discussion about rbac and default roles.	16:26
lbragstad	they are closely related	16:28
lbragstad	for some reason, our discussions always seem to come full circle lol	16:29
*** kukacz_ is now known as kukacz		16:29
knikolla	more like spiral, cause after every revolution we get a little closer.	16:29
knikolla	hypnotizing.	16:29
lbragstad	psh - no wonder i'm so dizzy all the time	16:30
mnaser	i'm trying to troubleshoot an issue that comes up from time to time in puppet-openstack ci .. "This is not a recognized Fernet token"	16:30
mnaser	tempest tests all run with no problems... but from time to time, a request will be accepted by nova for a new server, then it will try to contact neutron to get list of security groups, but neutron responds with a 401	16:31
mnaser	and in the neutron logs, keystone says the token ain't good, and keystone logs show the 401	16:31
mnaser	"TokenNotFound: This is not a recognized Fernet token gAAAAABajZJB2pixOrz1RPc_RATriy4CLp1abIDZMI8i9tYNCHmibVCOQIWjGv9r71lFNI2auP1qhb5pDn9ZrUP8f9BpoayI1l6hVO3avfNTQEWnS4xrpDgRjUQFZRmJtTMppawUzkEdYfapFJHlrtKlTgLHSSsHRwS-ca9Ofg8M5WEPdqBx8m0=" .. any idea what could be causing this?	16:31
lbragstad	mnaser we raise that exception in one place	16:31
lbragstad	which is handling an InvalidToken exception from the library that actually does the encryption/decryption bits for us	16:32
mnaser	lbragstad: ok i see it here indeed https://github.com/openstack/keystone/blob/68df7bf1f3b3d6ab3f691f59f1ce6de6b0b1deab/keystone/token/token_formatters.py#L81-L94	16:32
lbragstad	which mean, if that exception is getting thrown, then it's could be a key is missing or the token was tampered with in such a way the cryptography library can't make sense of it	16:33
mnaser	its interesting you say this	16:33
mnaser	i saw something in the syslogs	16:33
lbragstad	yep - that's the stop	16:33
lbragstad	spot*	16:33
mnaser	(in around the same time frame-ish)	16:33
mnaser	ah it might be unrelated	16:33
mnaser	"UnicodeDecodeError: 'ascii' codec can't decode byte 0x80 in position 33: ordinal not in range(128)"	16:33
lbragstad	mmm	16:34
mnaser	thrown by nova processes inside oslo_log	16:34
lbragstad	ah - ok	16:34
lbragstad	is disk utilization fine on the host?	16:34
mnaser	http://logs.openstack.org/40/546440/1/gate/puppet-openstack-integration-4-scenario001-tempest-centos-7/8f765c2/logs/df.txt.gz	16:34
mnaser	11% USED	16:34
lbragstad	you're not running out of disk space in the middle of a rotation, then	16:34
mnaser	OH HOLD ON	16:35
mnaser	oops caps	16:35
mnaser	http://logs.openstack.org/40/546440/1/gate/puppet-openstack-integration-4-scenario001-tempest-centos-7/8f765c2/logs/etc/keystone/fernet-keys/	16:35
mnaser	5 6 7	16:35
mnaser	i wonder if maybe something is rotating keys...	16:35
*** AlexeyAbashkin has quit IRC		16:35
mnaser	the job takes less than an hour to run	16:35
lbragstad	mnaser how long is this host up?	16:35
mnaser	and we have a 40 minute token expiration in the gate	16:35
lbragstad	\ok	16:35
lbragstad	so...	16:35
lbragstad	how often is the key rotation happening?	16:35
mnaser	2018-02-21 15:30:02 +0000 /Stage[main]/Keystone::Cron::Fernet_rotate/Cron[keystone-manage fernet_rotate]/ensure (notice): created	16:36
mnaser	let me see	16:36
mnaser	every 5 minutes.	16:36
mnaser	https://github.com/openstack/puppet-openstack-integration/blob/master/manifests/keystone.pp#L51-L54	16:36
mnaser	heh	16:36
lbragstad	how many keystone hosts are there?	16:36
mnaser	lbragstad: only 1	16:36
lbragstad	lol	16:36
mnaser	but we have memcache in there	16:36
mnaser	so im gonna guess nova keeps the token cached for 40 minutes	16:37
lbragstad	so - tokens are valid for 40 minutes?	16:37
mnaser	but rotating every 5 minutes means all tokens are invalid at 15 minutes	16:37
lbragstad	but encryption keys are being rotated every 5 minutes	16:37
mnaser	our tempest runs last 15 minutes (barely)	16:37
lbragstad	yep - exactly	16:37
mnaser	which explains why we hit it sometimes and sometimes we didn't lol	16:37
lbragstad	right	16:37
lbragstad	you should bump you max_active_key setting	16:37
lbragstad	your*	16:38
lbragstad	https://github.com/openstack/keystone/blob/master/keystone/conf/fernet_tokens.py#L44-L54	16:38
mnaser	lbragstad: max_active_key = 5 + every 10 minutes should be good for a 40 minute token right?	16:38
mnaser	so if our rotations mess up, it'll be caught in the tempest runs i guess	16:39
lbragstad	yeah - if rotation happens every 10 minutes, 5 keys should cover you	16:39
lbragstad	but ideally, you'll want to factor in your token expiration time	16:39
mnaser	lbragstad: thank you so much! this was quite a hassle in the gate with the intermittent timeouts	16:40
lbragstad	i think it would be the token expiration (in minutes) / the intervals of key rotation (in minutes)	16:40
mnaser	#thanks lbragstad for helping troubleshoot an intermittent fernet token validation failure in puppet gates	16:40
openstackstatus	mnaser: Added your thanks to Thanks page (https://wiki.openstack.org/wiki/Thanks)	16:40
lbragstad	woot	16:41
lbragstad	anytime mnaser :)	16:41
mnaser	lbragstad: agreed but i would +1 on interval too	16:41
lbragstad	yeah - the extra buffer can't hurt	16:41
mnaser	because cronjobs dont really run at the start of token allocation	16:41
mnaser	so if you're running at :10 and :20 you might have your token expire if you got it exactly a minute before cronjob or so	16:41
lbragstad	and keystone-manage fernet_rotate will obviously keep the disk clean once you reach the max_active_key limit	16:41
* mnaser wonders why clients dont retry once at least when they get a 401		16:42
lbragstad	++	16:42
mnaser	if token_not_valid: grab_new_token -> retry else -> fail .. should fix all of those weird caching issues etc	16:42
mnaser	but oh well	16:42
*** r-daneel_ has joined #openstack-keystone		16:43
lbragstad	https://twitter.com/_mnaser/status/870796882058104832	16:44
lbragstad	that just reminded me of ^	16:44
*** jdennis has joined #openstack-keystone		16:44
*** r-daneel has quit IRC		16:44
*** r-daneel_ is now known as r-daneel		16:44
mnaser	lbragstad: its always funny when you see old things you've said still make sense now	16:46
mnaser	lbragstad: i find this happen a lot when i go over old code .. thinking about how to do it in some better way and finding out that's how i did it in the first place after going over it lol	16:46
*** panbalag has quit IRC		16:47
*** panbalag has joined #openstack-keystone		16:48
lbragstad	:)	16:48
*** gyee has joined #openstack-keystone		17:04
*** dklyle has quit IRC		17:08
kmalloc	.... man my hands hurt. stupid sudden cold with high humidity.	17:14
kmalloc	mnaser: clients SHOULD retry ;)	17:16
kmalloc	but many people do the naive implementation.	17:16
kmalloc	and explode on failure.	17:16
kmalloc	even reasonable/valid failure modes that justify a retry	17:17
*** eEbx has joined #openstack-keystone		17:19
*** oikiki has joined #openstack-keystone		17:21
*** dikonoor has joined #openstack-keystone		17:27
dikonoor	cmurphy: Hi . Would you be able to take a look at https://bugs.launchpad.net/openstack-requirements/+bug/1750843 when you get a chance ?	17:27
openstack	Launchpad bug 1750843 in OpenStack Global Requirements "pysaml2 version in global requirements must be updated to 4.5.0" [Undecided,New]	17:27
eEbx	Hey guys, I would like to ask you if anyone of you has relevant keystone benchmark tests. I would like to know if 200ms to get/validate token is ok.	17:28
dikonoor	cmurphy: Defects need inputs from someone who knows Keystone Federation	17:28
dikonoor	and how it uses the pysaml2 apis	17:28
dikonoor	lbragstad: If you or cmurphy could take a look, that would be great..https://bugs.launchpad.net/openstack-requirements/+bug/1750843	17:29
openstack	Launchpad bug 1750843 in OpenStack Global Requirements "pysaml2 version in global requirements must be updated to 4.5.0" [Undecided,New]	17:29
*** Supun has quit IRC		17:38
lbragstad	dikonoor checking	17:40
*** dikonoor has quit IRC		17:41
*** david-lyle has joined #openstack-keystone		17:41
*** itlinux has quit IRC		17:46
*** AlexeyAbashkin has joined #openstack-keystone		17:57
*** AlexeyAbashkin has quit IRC		18:01
*** openstackgerrit has joined #openstack-keystone		18:01
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Update 3.10 versioning to reflect system scope changes https://review.openstack.org/546716	18:01
lbragstad	^ another thing we'll probably have to backport	18:01
lbragstad	i swear that was noted in the implementation but apparently not	18:02
*** narcis has joined #openstack-keystone		18:03
*** narcis has quit IRC		18:03
lbragstad	knikolla you all do k2k right?	18:11
lbragstad	eEbx the answer depends on how you have keystone configured	18:12
lbragstad	it can vary depending on how things are setup	18:12
knikolla	lbragstad: yes, but not on production yet.	18:13
lbragstad	knikolla ok - so do you have keystone setup as an idp somewhere?	18:13
lbragstad	and you authenticate to it for saml assertions that you give to the service provider keystone?	18:14
knikolla	Yes	18:14
knikolla	There’s an api call for keystone that gives back signed saml	18:14
eEbx	lbragstad: two keystone servers with nginx load balancer, db is 5 node gallera cluster	18:14
knikolla	You send that to sp keystone’s shibboleth	18:14
lbragstad	knikolla the saml assertion is only generated from information in keystone, right? there isn't a way for someone to authenticate for a saml assert and provide some extra XML to inject into the assertion is there?	18:15
lbragstad	eEbx do you have caching configured?	18:15
lbragstad	or memcache servers that are configured to work with keystone?	18:15
knikolla	No, it’s a get call with no params	18:15
lbragstad	knikolla ack - thank you	18:15
lbragstad	knikolla i'm going to paraphrase you in https://bugs.launchpad.net/openstack-requirements/+bug/1750843	18:16
openstack	Launchpad bug 1750843 in OpenStack Global Requirements "pysaml2 version in global requirements must be updated to 4.5.0" [Undecided,New]	18:16
lbragstad	:)	18:16
eEbx	yes I have memcache servers configured	18:16
knikolla	What info are you looking to put in there?	18:16
lbragstad	i'm not, but there appears to be a security issue with pysaml2	18:16
lbragstad	specifically when a user has the ability to pass data to the thing that generates the assertions	18:16
lbragstad	which doesn't sound like it affects us	18:16
kmalloc	oh, fun	18:16
kmalloc	let me take a look at that	18:16
knikolla	We don’t parse xml, shibboleth/mellon does that for us	18:17
knikolla	We merely generate and sign it	18:18
kmalloc	that shouldn't ever effect us	18:18
kmalloc	but.	18:18
kmalloc	for sake of forward looking safe	18:18
kmalloc	we should update	18:18
kmalloc	i can't believe people use assert for anything outside of testing/non-critical errors	18:19
kmalloc	expect assert wont fire before using it.	18:19
kmalloc	we probably should evaluate assert usages in keystone (we might have some lingering ones that are similar)	18:19
lbragstad	ok - updated with a comment	18:21
lbragstad	eEbx do you know if you're caching tokens?	18:22
kmalloc	lbragstad: haha i just commented too on it :P	18:22
lbragstad	nice!	18:22
kmalloc	200ms seems a little slow (eEbx) but i haven't done recent testing.	18:22
lbragstad	eEbx 200 ms is on par if you're generating the token (without caching) on every request	18:23
kmalloc	++	18:23
lbragstad	without knowing what hardware you're running on, i would expect utilization of memcache to drastically improve that	18:23
*** tesseract has quit IRC		18:25
kmalloc	yeah	18:25
kmalloc	it also depends on the load of the DB (is it used for other applciations? if so, what is the general io latency on it for lookups)	18:25
kmalloc	also, what is the concurrency of token issuance / validation	18:26
*** r-daneel_ has joined #openstack-keystone		18:31
lbragstad	lol thanks kmalloc and cmurphy for commenting on that bug :)	18:31
*** r-daneel has quit IRC		18:32
*** r-daneel_ is now known as r-daneel		18:32
cmurphy	glad to know i wasn't wildly off base :)	18:36
lbragstad	fantastic response time	18:40
* lbragstad steps away for lunch		18:40
*** panbalag has quit IRC		19:08
*** itlinux has joined #openstack-keystone		19:19
*** AlexeyAbashkin has joined #openstack-keystone		19:21
*** AlexeyAbashkin has quit IRC		19:25
*** lbragstad has quit IRC		19:40
*** lbragstad has joined #openstack-keystone		20:01
*** ChanServ sets mode: +o lbragstad		20:01
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Update 3.10 versioning to limits and system scope https://review.openstack.org/546716	20:12
lbragstad	cc gagehugo ^ '	20:12
gagehugo	lbragstad I like the experimental note	20:13
lbragstad	figured we should add the limit stuff in there, too	20:13
lbragstad	i'll propose a backport	20:13
lbragstad	done - https://review.openstack.org/546762	20:14
*** lbragstad has quit IRC		20:29
*** lbragstad has joined #openstack-keystone		20:30
*** ChanServ sets mode: +o lbragstad		20:30
*** lbragstad has quit IRC		20:32
*** lbragstad has joined #openstack-keystone		20:33
*** ChanServ sets mode: +o lbragstad		20:33
lbragstad	in case folks haven't seen it yet - http://lists.openstack.org/pipermail/openstack-dev/2018-February/127611.html	20:40
lbragstad	it looks like the PTG feedback session is going to be at the same time we were planning on having our retrospective	20:41
lbragstad	game night is also on thursday	20:41
lbragstad	fyi - i was thinking about bringing some games - would anyone be interested?	20:41
*** belmoreira has joined #openstack-keystone		20:43
*** rmascena has joined #openstack-keystone		20:57
*** dave-mccowan has quit IRC		21:00
*** raildo has quit IRC		21:00
*** rmascena__ has joined #openstack-keystone		21:01
*** openstackgerrit has quit IRC		21:03
*** rmascena has quit IRC		21:05
cmurphy	i would game with y'all	21:06
lbragstad	there's gonna be so much to do on thursday	21:11
lbragstad	but i can bring the resistance, dutch blitz, and exploding kittens	21:13
* lbragstad double checks the game cabinet		21:20
*** oikiki has quit IRC		21:21
lbragstad	yeah - those are the travel friendly games i have	21:21
cmurphy	:D	21:24
gagehugo	sure	21:24
gagehugo	I think I have the oregon trail card game as well	21:25
*** oikiki has joined #openstack-keystone		21:25
lbragstad	oh - that one is fun	21:26
lbragstad	nostalgia in a deck of cards	21:26
*** belmoreira has quit IRC		21:37
mnaser	lbragstad: anyone say nostalgia? https://review.openstack.org/#/c/7464/ :P	21:40
mnaser	but also i've been digging in my emails/launchpad to find the bug regarding admin-ness with v3 domains.. anyone know where that one is tracked or has a link around?	21:41
*** bhagyashris has quit IRC		21:44
lbragstad	mnaser hah - like the v3.samplepolicy bug?	21:45
mnaser	lbragstad: yes, i think it ended up being marked as a dup of another one	21:45
lbragstad	i think i know which one you're talking about	21:46
lbragstad	checking	21:49
*** rmascena__ has quit IRC		21:53
*** dmellado has quit IRC		22:00
*** openstackgerrit has joined #openstack-keystone		22:02
openstackgerrit	Gage Hugo proposed openstack/keystone master: Handle empty token key files https://review.openstack.org/546785	22:02
lbragstad	kmalloc do you want to kick this through https://review.openstack.org/#/c/546762/ ?	22:05
openstackgerrit	Merged openstack/keystone master: Update 3.10 versioning to limits and system scope https://review.openstack.org/546716	22:06
lbragstad	mnaser isn't not this one is it?	22:06
mnaser	lbragstad: are you talking about the changes above ^ ?	22:08
lbragstad	mnaser sorry - forgot to paste	22:08
lbragstad	https://bugs.launchpad.net/keystone/+bug/1630434	22:08
openstack	Launchpad bug 1630434 in OpenStack Identity (keystone) "policy.v3cloudsample.json doesn't allow domain admin list role assignments on project" [Medium,Triaged]	22:08
mnaser	lbragstad: oh yeah something similar, the one i had reported had a whole bunch of discussion if i remember	22:09
mnaser	i cant find it.. i have no idea why	22:09
mnaser	https://bugs.launchpad.net/keystone/+bug/1684320	22:10
openstack	Launchpad bug 968696 in OpenStack Identity (keystone) "duplicate for #1684320 "admin"-ness not properly scoped" [High,In progress] - Assigned to Adam Young (ayoung)	22:10
mnaser	ahh yes combined with https://bugs.launchpad.net/keystone/+bug/968696	22:10
openstack	Launchpad bug 968696 in OpenStack Identity (keystone) ""admin"-ness not properly scoped" [High,In progress] - Assigned to Adam Young (ayoung)	22:10
lbragstad	mnaser this is the one you reported - https://bugs.launchpad.net/keystone/+bug/1684320	22:12
openstack	Launchpad bug 968696 in OpenStack Identity (keystone) "duplicate for #1684320 "admin"-ness not properly scoped" [High,In progress] - Assigned to Adam Young (ayoung)	22:12
mnaser	ah yes	22:13
lbragstad	aha - yep - just missed that like	22:13
lbragstad	link*	22:13
mnaser	i guess when its marked as duplicate it disappers	22:13
lbragstad	search queries in lp have a toggle for it	22:13
lbragstad	apparently	22:14
mnaser	lbragstad: maybe it would be nice as a ptg topic to follow up on this (perhaps an openstack-wide goal..)	22:14
lbragstad	++	22:14
lbragstad	https://etherpad.openstack.org/p/keystone-rocky-ptg	22:14
lbragstad	https://etherpad.openstack.org/p/baremetal-vm-rocky-ptg	22:15
lbragstad	and finally - https://etherpad.openstack.org/p/rbac-and-policy-rocky-ptg	22:15
lbragstad	mnaser we have a session dedicated to it on tuesday morning	22:16
mnaser	lbragstad: oh cool i'll try to be there	22:18
*** spilla has quit IRC		22:24
*** itlinux has quit IRC		22:29
*** rcernin has joined #openstack-keystone		22:32
*** r-daneel has quit IRC		22:40
*** lbragstad has quit IRC		22:47
*** lbragstad has joined #openstack-keystone		22:47
*** ChanServ sets mode: +o lbragstad		22:47
*** oikiki has quit IRC		23:05
*** oikiki has joined #openstack-keystone		23:06
gagehugo	https://bugs.launchpad.net/keystone/+bug/1735250 confuses me a bit	23:08
openstack	Launchpad bug 1735250 in OpenStack Identity (keystone) queens "Password column limit (128 char) in the Password table exceeded when using passwords exceeding 2000 characters" [High,Confirmed]	23:08
lbragstad	gagehugo that's because we hash the passwords	23:14
lbragstad	so when you pass keystone a password over 2k, the hash will exceed the limit of the password hash table	23:14
gagehugo	lbragstad I don't understand why password.expression would ever have the non-hashed version	23:14
gagehugo	but that is likely sqla wizardry that I don't completely understand	23:14
lbragstad	ohh	23:16
lbragstad	yeah,,,	23:16
lbragstad	it does have something to do with how hybrid_property works	23:16
lbragstad	kmalloc and i were discussing that in irc one day	23:16
kmalloc	btw, that is a documented limitation (iirc) in the password system	23:17
kmalloc	because of issues with how the password column works	23:17
kmalloc	let me read the bug.	23:17
kmalloc	but... it's wonky	23:17
lbragstad	it's been a while since i've dug into that	23:17
lbragstad	gotta run to an appt quick, i'll be on later though	23:17
kmalloc	oh wait. i think there WAS a bug on this	23:18
kmalloc	and we fixed it.	23:18
kmalloc	ah the silly password.Password	23:19
kmalloc	thing	23:19
kmalloc	oh we didn't fix this.	23:19
kmalloc	i think the solution is just deleting the @password.expression	23:20
kmalloc	i can roll up some code for that... today or tomrorow	23:21
kmalloc	but like i said, i think the fix is just dropping @password.expression def.	23:22
gagehugo	hmm	23:30
openstackgerrit	Gage Hugo proposed openstack/keystone master: Handle empty token key files https://review.openstack.org/546785	23:34

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!