Friday, 2018-03-09

*** r-daneel has quit IRC		00:03
*** dtruong has quit IRC		00:05
*** dtruong has joined #openstack-keystone		00:06
*** sapd_ has quit IRC		00:12
*** dtruong has quit IRC		00:12
*** dtruong has joined #openstack-keystone		00:12
*** david-lyle has quit IRC		00:17
*** david-lyle has joined #openstack-keystone		00:17
*** david-lyle has quit IRC		00:18
*** guys has quit IRC		00:24
*** oikiki has quit IRC		00:35
*** itlinux has joined #openstack-keystone		00:39
*** guys has joined #openstack-keystone		01:07
*** anyone is now known as eschwartz		01:08
*** annp has joined #openstack-keystone		01:09
*** gyee has quit IRC		01:13
*** lifeless has quit IRC		01:27
*** jrist has joined #openstack-keystone		02:06
*** sapd has joined #openstack-keystone		02:14
*** harlowja has quit IRC		02:21
lbragstad	adriant: i thought knikolla his some issue like that	02:46
lbragstad	jamielennox: ok - back	02:46
*** zhurong has joined #openstack-keystone		02:47
adriant	lbragstad: and this is a weird one. when I assign a role to a domain I created, the scope in the assignment is 'project', when it's to the 'default' domain, the scope is 'domain'. :/	02:49
lbragstad	uh - i bet it's the is_admin_project stuff	02:49
adriant	no, wait, nvm	02:51
adriant	something was being weird earlier	02:51
adriant	ok, that's interesting...	02:52
adriant	'openstack role add test --user admin --project test_domain' throws and error, it can't find the project	02:53
adriant	'openstack role add test --user admin --project 8ea96eef932b46e4a9abe5f60285bac4' doesn't	02:53
adriant	and the latter sets the scope to 'project' scope, even though the project is a domain	02:53
lbragstad	?	02:53
lbragstad	8ea96eef932b46e4a9abe5f60285bac4 is a domain, then?	02:54
adriant	'openstack role add test --user admin --domain test_domain' technically does the same thing, but actually sets the scope to domain	02:54
adriant	yes	02:54
adriant	that is the id of a domain :P	02:54
lbragstad	right - osc should specify the domain in the path for the role assignment	02:54
lbragstad	the --domain bit should take care of that	02:55
adriant	I think it's just the API itself allows setting domain ID for project scope since well... projects are domains.	02:56
adriant	but the role assignment stuff doesn't know the difference, so it uses the scope it was given rather than checking, is this actually a domain	02:57
adriant	hence assignment.scope being: {u'project': {u'id': u'8ea96eef932b46e4a9abe5f60285bac4'}} or {u'domain': {u'id': u'8ea96eef932b46e4a9abe5f60285bac4'}}	02:57
lbragstad	right	02:58
adriant	potentially, when a project is a domain, what we should see is: {u'domain': {u'id': u'8ea96eef932b46e4a9abe5f60285bac4'}, u'project': {u'id': u'8ea96eef932b46e4a9abe5f60285bac4'}}	02:58
adriant	both the scope is technically both	02:58
lbragstad	well - a domain is a top-level projects	02:59
lbragstad	project*	02:59
lbragstad	not every project is actually a domain	02:59
lbragstad	iirc	02:59
adriant	oh yeah	02:59
adriant	correctly I said it the wrong way around	02:59
adriant	domains are projects*	03:00
adriant	so when a role is assigned to a domain the scope should be both domain and project	03:00
adriant	although now I'm curious how the effective role stuff interprets that	03:01
adriant	does it do anything different if the scope if domain vs project on the same domain project...	03:01
lbragstad	might be worth a test...	03:02
lbragstad	most of that stuff blows my mind	03:02
* adriant finds so many of the weird edge cases		03:02
*** namnh has joined #openstack-keystone		03:03
adriant	ok, it looks like or at least feels like being able to set project scope on a domain is a bug	03:05
adriant	when I set 'domain scope' properly, I can do include_names	03:05
*** lifeless has joined #openstack-keystone		03:06
lbragstad	jamielennox: ok - i think i figured out the oslo_context bit (maybe?) https://review.openstack.org/#/c/530509/	03:17
lbragstad	that seems to pass things to the oslo.policy library properly	03:17
lbragstad	ayoung: might be interested in the ^ too	03:20
openstackgerrit	melissaml proposed openstack/oslo.policy master: Update links in README https://review.openstack.org/551116	03:43
*** mburrows has joined #openstack-keystone		03:45
jamielennox	lbragstad: sorry, was gone longer than i said	03:49
jamielennox	lbragstad:that's the basics yea, does auth_token really set HTTP_X_SYSTEM?	03:50
hrybacki	cmurphy: sorry for the delay -- updated	03:53
aning	cmurphy: You are right, the keystone "user" table has all the users in it.	03:56
*** oikiki has joined #openstack-keystone		04:01
*** dave-mccowan has quit IRC		04:12
*** sapd has quit IRC		04:18
*** oikiki_ has joined #openstack-keystone		04:19
*** oikiki has quit IRC		04:21
adriant	lbragstad: I think there isn't a difference between scope assigned/domain assigned for a role on a domain project, at least not that I can see. It's just that internally the 'scope' if either to the project or the domain, which means I have to explicitly check 'is this a domain scope' rather than just treat them all as project scope assignments.	04:26
*** sapd has joined #openstack-keystone		04:33
*** germs has quit IRC		04:33
*** germs has joined #openstack-keystone		04:34
*** germs has quit IRC		04:34
*** germs has joined #openstack-keystone		04:34
*** germs has quit IRC		04:34
*** germs has joined #openstack-keystone		04:35
*** germs has quit IRC		04:35
*** germs has joined #openstack-keystone		04:35
*** zhurong has quit IRC		04:36
*** felipemonteiro has joined #openstack-keystone		04:40
ayoung	lbragstad, sorry, I got pulled in to family mode right when you asked your question	04:47
ayoung	not sure if your question was inside of keystone or the other services, about populating the context object	04:49
*** zhurong has joined #openstack-keystone		04:49
ayoung	adriant, all domains ARE projects	04:51
ayoung	https://adam.younglogic.com/2018/02/openstack-hmt-cloudforms/	04:51
ayoung	For the default domain, I can add a role on it, as a project that is then inherited by all subordinat projects	04:52
ayoung	openstack role add --user CloudAdmin --user-domain Default --project Default --project-domain Default --inherited admin	04:52
ayoung	So for 'openstack role add test --user admin --project test_domain you need --project-domain test_domain	04:53
ayoung	adriant, so you can have both a domain scoped role and a project scoped role on test_domain	04:54
ayoung	they can even be the same named role, like admin or _member_	04:54
ayoung	but they mean different things, as the policy will look for which way it is scoped. I think that is what you were aiming for, you just missesd the need to specify the domain for the project when setting it as a project scoped role	04:55
ayoung	Gnight	04:55
adriant	ayoung: Oh, I see what you mean. That's... interesting. I wonder if anyone actually uses the distinction between a project/domain scope in their policies. It feels like extra complexity for no real gain in essence.	04:58
ayoung	adriant, read my blog post	04:59
*** germs has quit IRC		04:59
ayoung	it was really useful in that case	04:59
*** germs has joined #openstack-keystone		05:00
*** germs has quit IRC		05:00
*** germs has joined #openstack-keystone		05:00
ayoung	YOu can assign a user a role on the domain-as-a-project and they inherit it to all projects underneath it. Instead of having to use admin to cross project boundaries...looking at cmurphy 's blog, that was one of the things discussed at the PTG	05:00
adriant	ayoung: but that's just inheritance, not any specific difference between domain/project scope	05:01
ayoung	cloudsample makes the distinction	05:01
ayoung	a few people have used that	05:01
adriant	I honestly was kind of hoping 'domain scope' wasn't a distinction we cared about since then everything becomes simpler and is just project scope :(	05:01
ayoung	http://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json#n52 for list projects for example	05:01
ayoung	domains suck	05:02
ayoung	really, they should not exist.	05:02
ayoung	domains for users and groups should be IdPs	05:02
ayoung	domains for projects should just be projects	05:02
ayoung	ghost of battles lost	05:02
adriant	yeah, I was kind of hoping I could pretend domains didn't exist and just use 'projects' but the fact that the distinction still exists even in code is annoying	05:03
* adriant shrugs		05:03
adriant	oh well	05:03
adriant	ayoung: basically all I was hoping for as a thing we could do, is make it so when you assign a domain scope, it automatically ALSO assigns a project scope to the project.	05:05
adriant	but if people are actually using those two different cases in policy, then... shrug	05:06
*** felipemonteiro has quit IRC		05:12
*** mburrows has quit IRC		05:20
ayoung	adriant, they are different, and should be	05:25
*** harlowja has joined #openstack-keystone		05:25
ayoung	I mean...you could write your own policy and completely ignore the domain aspect of it, but...I thin that the problem comes when you want to do operations that can onluy be done on domains	05:26
ayoung	like add a user, if you supplied a project scoped token, it wouldn't know what to match	05:27
adriant	but it would know what the root of that project was	05:27
adriant	which is a 'domain'	05:27
ayoung	not in a deep hierarchy	05:27
ayoung	say tyou hav domain d, and p1, under that p2	05:27
ayoung	parent of p2 is p1, domaing for both is d	05:27
ayoung	it would have to be smart enough to say "I can accept a project scoped token where the domain is the same as the project id"	05:28
ayoung	not impossible	05:28
ayoung	domain is always on the token, regardless of how deeply nested things are	05:28
ayoung	so you could probably make it work, but you would have some strangeness if you made a role specific for adding users	05:29
ayoung	people could assigne that role to a user-on-a-project-that-is-not-a-domain	05:29
ayoung	and...well you have to make sure they don't add a user by accident	05:30
adriant	but that's how keystone is right now, or was	05:30
adriant	you can assign 'admin' anywhere	05:30
ayoung	So, yeah, you could probably get away without domain scoped roles at all	05:30
ayoung	you'd just have some funky policy rules to enforce for create_user create_group and the like	05:31
adriant	oh, so the use case is: only allow user create when role X and on scope Domain	05:31
ayoung	right	05:31
adriant	rather than: allow user create when role is X	05:32
ayoung	and so if you had a useradmin role you could, as you said, assign that to a user on a project-that-is-a-domain and then scope check would be...	05:32
adriant	but couldn't that also be solved without domain with: allow user create when role X on root	05:32
ayoung	user.domain_id == token.domain_id and token.domain_id == token.project_id	05:33
ayoung	which is kinda hackish	05:33
ayoung	there is no root. there is Default domain	05:33
ayoung	all projects live under a domain	05:33
adriant	by root I mean, root of the given project tree	05:33
ayoung	yes, that is pretty much what I said there	05:34
ayoung	user.domain_id == token.domain_id and token.domain_id == token.project_id	05:34
ayoung	so user should be target or something	05:34
ayoung	not the user in the token	05:34
ayoung	target.domain_id == token.domain_id and token.domain_id == token.project_id	05:34
ayoung	adriant, that enough for you? I need to crash. 1/2 past midnight here, and kids are up for school regardless of when I go to bed	05:35
adriant	go sleep, I think we're on the same page, but on slightly different topics anyway :P	05:36
*** jaosorior has joined #openstack-keystone		05:37
*** germs has quit IRC		05:45
*** itlinux has quit IRC		05:48
*** germs has joined #openstack-keystone		05:48
*** germs has quit IRC		05:48
*** germs has joined #openstack-keystone		05:48
*** germs has quit IRC		05:53
*** oikiki_ has quit IRC		05:56
*** oikiki has joined #openstack-keystone		05:56
*** harlowja has quit IRC		06:00
*** itlinux has joined #openstack-keystone		06:06
*** itlinux has quit IRC		06:09
*** harlowja has joined #openstack-keystone		06:19
*** itlinux has joined #openstack-keystone		06:20
*** mburrows has joined #openstack-keystone		06:23
*** germs has joined #openstack-keystone		06:24
*** germs has quit IRC		06:24
*** germs has joined #openstack-keystone		06:24
*** masber has quit IRC		06:26
*** germs has quit IRC		06:32
*** jrist has quit IRC		06:43
*** jrist has joined #openstack-keystone		07:01
*** pcichy has joined #openstack-keystone		07:08
*** oikiki has quit IRC		07:14
*** pcaruana has joined #openstack-keystone		07:27
*** d0ugal_ has quit IRC		07:37
*** martinus__ has joined #openstack-keystone		07:40
adriant	ayoung, lbragstad: I've sent an email to the mailing list. ayoung, I think we misunderstood each other, and I think I've found some issues that I can't entirely make sense of. :(	07:43
adriant	Please have a look and help me confirm if I'm crazy or not :P	07:43
adriant	And better still, if you can reproduce my issues.	07:43
*** namnh has quit IRC		07:46
*** d0ugal_ has joined #openstack-keystone		07:54
*** sileht has left #openstack-keystone		07:56
*** rcernin has quit IRC		08:00
*** harlowja has quit IRC		08:08
*** tesseract has joined #openstack-keystone		08:38
*** dangtrinhnt has joined #openstack-keystone		08:46
*** threestrands_ has quit IRC		08:48
*** d0ugal_ has quit IRC		09:16
*** d0ugal has joined #openstack-keystone		09:17
*** d0ugal has quit IRC		09:17
*** d0ugal has joined #openstack-keystone		09:17
*** zhurong has quit IRC		09:18
*** masber has joined #openstack-keystone		09:25
*** d0ugal has quit IRC		09:32
*** d0ugal has joined #openstack-keystone		09:34
*** d0ugal has quit IRC		09:42
*** mvk has joined #openstack-keystone		09:48
*** d0ugal has joined #openstack-keystone		09:56
*** annp has quit IRC		10:30
*** mburrows has quit IRC		11:04
*** jaosorior has quit IRC		11:16
*** jaosorior has joined #openstack-keystone		11:16
*** jaosorior has quit IRC		11:21
*** jaosorior_ has joined #openstack-keystone		11:21
*** jaosorior_ has quit IRC		11:23
*** jaosorior__ has joined #openstack-keystone		11:23
*** jaosorior__ has quit IRC		11:24
*** jaosorior has joined #openstack-keystone		11:25
*** jaosorior has quit IRC		11:25
*** jaosorior has joined #openstack-keystone		11:25
*** dangtrinhnt has quit IRC		12:08
*** raildo has joined #openstack-keystone		12:17
*** dave-mccowan has joined #openstack-keystone		12:21
*** jmlowe_ has quit IRC		12:25
*** dangtrinhnt has joined #openstack-keystone		12:29
*** dangtrinhnt has quit IRC		12:56
*** germs has joined #openstack-keystone		13:06
*** germs has quit IRC		13:06
*** germs has joined #openstack-keystone		13:06
*** germs has quit IRC		13:07
*** idlemind has quit IRC		13:19
*** pcichy has quit IRC		13:31
*** pcichy has joined #openstack-keystone		13:49
*** jrist has quit IRC		13:55
*** AlexeyAbashkin has joined #openstack-keystone		13:56
*** edmondsw has joined #openstack-keystone		13:59
*** AlexeyAbashkin has quit IRC		14:01
*** AlexeyAbashkin has joined #openstack-keystone		14:03
*** jrist has joined #openstack-keystone		14:07
*** AlexeyAbashkin has quit IRC		14:07
knikolla	o/	14:08
*** jaosorior has quit IRC		14:09
lbragstad	o/	14:12
* lbragstad is still reading scroll back		14:12
ayoung	lbragstad, it would take a while to untangle all that	14:25
ayoung	there appears to be at least two bugs	14:25
lbragstad	yeah - that's not good	14:25
ayoung	and quite a few mistakes in typing. For example, his last: openstack project create test5 --domain domain1	14:25
ayoung	openstack role add test --user alice --project 86a8b3dc1b8844fd8c2af8dd50cc21386	14:25
ayoung	he managed to add an additional 8 on to the id	14:26
ayoung	it should only be 86a8b3dc1b8844fd8c2af8dd50cc2138	14:26
ayoung	er...he added a 6	14:26
lbragstad	here you mean? http://paste.openstack.org/show/696006/	14:26
ayoung	yeah	14:26
lbragstad	those are the same ids	14:26
*** dansmith is now known as superdan		14:26
lbragstad	oh - wait	14:27
lbragstad	nevermind	14:27
lbragstad	yeah - 86a8b3dc1b8844fd8c2af8dd50cc2138 is the correct one	14:27
ayoung	and things like ule:admin_and_matching_domain_id",	14:27
ayoung	- "cloud_admin": "role:admin and (is_admin_project:True or	14:27
ayoung	domain_id:admin_domain_id)",	14:27
ayoung	domain_id: is how it is reported in the token if it is a domain scoped role	14:27
ayoung	versus project_domain_id for a project scoped token	14:27
ayoung	domains suck	14:27
ayoung	they really need to be taken out to the back 40 and left there	14:28
lbragstad	i agree	14:28
lbragstad	munging them with projects was where things really got complicated	14:28
openstackgerrit	Johannes Grassler proposed openstack/keystone-specs master: Add whitelist-extension-for-app-creds https://review.openstack.org/396331	14:29
ayoung	Keystone API V4 has no domains.	14:30
ayoung	I think we could actually make a set of policy rules that would mean you never need domain scoped roles	14:31
lbragstad	yep - a root project doesn't have parent, and that's how you tell	14:31
ayoung	everything is a project scoped role...juyst the policy has to check that the project IS A domain for certain operations	14:31
lbragstad	i just noticed this the other day, but projects have 'is_domain', 'parent_id', and 'parent_project_id' attributes	14:31
ayoung	lbragstad, yeah. parent_project_id is null if the parent is a domain	14:32
ayoung	I think that is the differentiator	14:32
lbragstad	right - and it's one thing, versus a combination of three attributes that change depending on if it's a domain or a project	14:33
lbragstad	i guess if we ever supported microversions, that'd be an area to fix	14:34
lbragstad	er "fix" because you can't actually remove it, but you could hide some of the ugly	14:34
lbragstad	for users that opt into using microversions	14:34
lbragstad	ayoung: ok - so what were the two bugs specifically in your opinion (re: adriant's note)?	14:35
ayoung	the ones that casue stack traces....	14:36
lbragstad	http://paste.openstack.org/show/695994/	14:36
lbragstad	http://paste.openstack.org/show/696013/	14:36
lbragstad	so - not being able to remove a role assignment that's made on a project and a domain with the same ID	14:36
lbragstad	i question if you should even be able to do that...	14:36
ayoung	or 500s	14:37
ayoung	http://paste.openstack.org/show/696013/	14:37
lbragstad	why would you need to make a project assignment on a domain?	14:37
ayoung	HMT	14:37
ayoung	you need both domain admin and project admin. domain admin on the domain, project admin inherited on all the sub projects	14:38
lbragstad	so - i would expect that when we merged domain and project resources (http://specs.openstack.org/openstack/keystone-specs/specs/keystone/mitaka/reseller.html) we forgot to clean that up	14:39
lbragstad	or make it so that you could remove those assignments	14:40
lbragstad	ayoung: historical context check - domains were certainly a thing before we munged them together with projects, right?	14:40
ayoung	the one() call I think assumes there is only one role in the results, but there are multiple, so it is ambiguous which you want to remove	14:40
ayoung	yep	14:40
ayoung	domains were added by gyee, first year I was on the project IIRC	14:41
lbragstad	ok - that sounds right, just making sure	14:41
lbragstad	and we munged them with projects when we started trying to solve reseller usecases?	14:41
ayoung	they were one of the distinguishing factors of the V3 API, so as long as that has been about	14:41
ayoung	Yeah, the HTM code required a root for the tree	14:42
lbragstad	and we decided to call that root a domain	14:42
ayoung	HMT	14:42
*** AlexeyAbashkin has joined #openstack-keystone		14:43
lbragstad	and we punted on the ability to have a domain anywhere but the root of the tree	14:43
lbragstad	because we didn't have anyone with a clear enough use case	14:43
lbragstad	iirc	14:43
*** r-daneel has joined #openstack-keystone		14:44
lbragstad	so - just to recap... we need to open a bug for the two 500s here http://paste.openstack.org/show/696013/	14:45
lbragstad	which could be solved with the same patch	14:45
lbragstad	are there any other things we need bugs open for?	14:45
lbragstad	or things that I'm missing?	14:45
*** AlexeyAbashkin has quit IRC		14:47
*** AlexeyAbashkin has joined #openstack-keystone		14:51
*** jmlowe has joined #openstack-keystone		14:52
cmurphy	any other PTG recaps I should link to in the weekly update? knikolla gagehugo raildo hrybacki wxy	15:00
raildo	cmurphy, you and lbragstad already made a great job on that recaps post blogs :)	15:01
*** david-lyle has joined #openstack-keystone		15:01
cmurphy	:)	15:01
knikolla	cmurphy: my procrastination skills exceeded my writing skills.	15:05
knikolla	i hope to finish it over the weekend.	15:06
knikolla	you and lbragstad did a great job recapping. so that's more than plenty for the weekly update :)	15:07
*** germs has joined #openstack-keystone		15:08
*** germs has quit IRC		15:08
*** germs has joined #openstack-keystone		15:08
ayoung	lbragstad, we could probably merge domains into projects	15:11
ayoung	the only thing that distinguises a domain from a project is the fact that it can own users and groups	15:12
ayoung	cmurphy, that recap was fantabulous.	15:12
cmurphy	:D	15:12
*** guys has quit IRC		15:12
*** germs has quit IRC		15:13
lbragstad	cmurphy: i need to read yours, i haven't yet	15:16
* lbragstad digs for a link		15:16
cmurphy	lbragstad: http://www.gazlene.net/dublin-ptg.html	15:17
cmurphy	it's probably mostly the same as yours	15:17
knikolla	cmurphy: do you do hand-code html or use a static site generator?	15:17
cmurphy	except i forgot to mention the JWT discussion, will need to update it	15:17
cmurphy	knikolla: i use pelican	15:17
cmurphy	but i created the theme myself	15:17
ayoung	lbragstad, so...scope. For admins	15:18
ayoung	WHat I am seeing in CloudForms is that we want to say HMT works, and that should be used to scope how a client app interacts with various services	15:18
ayoung	and this is more than just Keystone	15:19
knikolla	cmurphy: looks pretty cool! i played around a bit with pelican, but github pages compiling jekyll automatically makes it too convenient.	15:19
ayoung	we could say "to list all projects in a tree, you need to use a service scoped token" but that feels like giving away too much	15:19
ayoung	like, Amazon would not let us get service scoped tokens to talk to their service, right?	15:19
ayoung	And I kindof like what I read in the summary about "lets punt on real reseller, and just go 2 level "	15:20
ayoung	"On Behalf Of" Header...I think might not really fly	15:20
ayoung	I'd rather it be something based on the mechanisms we already have...like if you have the right role on a parent projects, you can see everything underneath it when doing "list projects"	15:21
ayoung	and that might be the reason to use domains:	15:21
ayoung	if I have...domain_manager, I know that the token I have is going to match all of the tokens issued for that domain	15:22
ayoung	that was poorly stated	15:22
ayoung	If I have domain_admin, I know that the domain on my token is going to match the domain for the project that manages any resource	15:22
ayoung	just, the remote services don't know about that relationship	15:22
ayoung	i.e. a network object in neutron has a project id, but does not know the domain id.	15:23
ayoung	However...with unified limits, it looks like you are tackling that sync?	15:23
ayoung	So maybe we can say "now you have the ability to link the project back to its domain, use the domain as a way to group projects for resource_list"	15:24
ayoung	it was a big part of the discussion back when we did hmt, just ask raildo and henrynash	15:24
lbragstad	i'm not sure i understand the amazon bit	15:29
lbragstad	amazon doesn't expose system-level apis in the way we do	15:29
lbragstad	also - the On Behalf Of thing seems much more applicable to a private cloud deployment	15:30
lbragstad	if i have an account on AWS and i hose something up - that's my fault, and getting someone to come fix it is going to be hard	15:30
lbragstad	in theory, if i have a "reader" role on a domain, i should be able to get a domain-scoped token and use it to view all instances belonging to all projects in that domain	15:33
raildo	lbragstad, ayoung ok, so the idea behind that ability to add a "project role" to a domain it was a way to make other projects handle with the domain stuff, like for example to set the quota for that domain in the other services	15:33
raildo	(which probably is not necessary any more with the unified limits api)	15:34
raildo	so, it was basically like, if I want to do domain actions in keystone with this domain, I got a domain scoped token but I'm looking for to do project stuff with that domain outside keystone, I'll request a project scoped token and deal with it as a project	15:35
raildo	and as ayoung said before, the difference is that that domain is a root project always, with no parent_id	15:35
raildo	lbragstad, I'm gonna to take a look on that bug request and I hope to send a patch set for it soon	15:36
lbragstad	raildo: that'd be awesome	15:36
lbragstad	raildo: it's here if you haven't seen it yet - https://bugs.launchpad.net/keystone/+bug/1754677	15:36
openstack	Launchpad bug 1754677 in OpenStack Identity (keystone) "Unable to remove an assignment from domain and project" [High,Triaged] - Assigned to Raildo Mascena de Sousa Filho (raildo)	15:36
lbragstad	oh - nice	15:36
lbragstad	nevermind, it looks like you found it already	15:37
raildo	lbragstad, I was faster that you :)	15:37
lbragstad	:)	15:37
raildo	lbragstad, also I like the idea to make a microversion and push all that stuff for that	15:37
raildo	lbragstad, that would make easier to deal with all that stuff	15:38
lbragstad	yeah - it just popped up in my head as i was thinking about it... if we did do microversions, that'd be something we might be able to smooth out with it	15:38
lbragstad	there was an action item last release to come up with a list of things like that	15:38
raildo	lbragstad, ++ maybe we can discuss about it in the next ptg, or something like that	15:38
lbragstad	to help people weigh the pros and cons of microversions	15:39
raildo	lbragstad, yeah, I'm fine with do everything to make the operators' life easier when we are talking about deploy and configure OpenStack	15:40
ayoung	lbragstad, so, I think the short of it is, get unified limits working, and use that as a way to deal with access to the subtrees	15:40
raildo	ayoung, yeah, that would be the best option at this moment	15:42
*** AlexeyAbashkin has quit IRC		15:45
lbragstad	nice summary cmurphy	15:49
ayoung	BTW, cmurphy I didn't realize you were on the TC. That is awesome, both for you, and for Keystone. Shows how out of it I have been. So let me formally congratulate you now.	15:49
cmurphy	thanks ayoung :)	15:50
lbragstad	bug queue has bloated by about 15 new bugs in the last week	15:57
cmurphy	ptg broke keystone	15:58
* lbragstad laces up a fresh pair of bug stompers		15:58
raildo	so, on Keystone we got the bugs from the East	15:59
cmurphy	lol	15:59
*** marst has left #openstack-keystone		16:01
*** pcaruana has quit IRC		16:02
*** felipemonteiro has joined #openstack-keystone		16:14
*** ioni has joined #openstack-keystone		16:40
ioni	hello guys	16:40
ioni	i operate a 5 region openstack newton with a single keystone. I want to upgrade from newton to ocata and I was wondering if newton components can still use keystone that is on ocata	16:41
ioni	or keystone must be upgraded last	16:41
ioni	ocata compoents and keystone newton	16:42
*** spilla has joined #openstack-keystone		16:48
*** masber has quit IRC		16:54
*** Faster-Fanboi has quit IRC		17:00
*** harlowja has joined #openstack-keystone		17:00
mnaser	has anyone seen a case where keystone auth takes 150+ seconds..	17:00
mnaser	[Fri Mar 9 16:57:35 2018] POST /v3//auth/tokens => generated 11881 bytes in 144442 msecs (HTTP/1.1 201) 6 headers in 386 bytes (1 switches on core 0)	17:01
*** germs has joined #openstack-keystone		17:09
*** germs has quit IRC		17:09
*** germs has joined #openstack-keystone		17:09
*** germs has quit IRC		17:14
ayoung	ioni, can you upgrade Keystone first? You would probably be much happier	17:23
ayoung	ioni, I assume you are doing something like an ansible/scripted deployment, not using Tripleo or the like.	17:23
ayoung	Keystone works hard to be backwards compatible, so you should be able to run an Ocata Keystone for a Newton cluster. But, yes, I think the reverse would work.	17:24
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Update context middleware and token models for system https://review.openstack.org/551336	17:27
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add system scope project protection tests https://review.openstack.org/551337	17:27
lbragstad	hrybacki: cmurphy ^	17:27
lbragstad	a feeble attempt at getting system scope coverage with the three default roles we talked about in dublin	17:28
lbragstad	i feel like a lot of stuff is repeated	17:28
lbragstad	which kinda sucks, but i guess i was aiming for readability	17:28
*** gyee has joined #openstack-keystone		17:43
*** harlowja has quit IRC		17:54
*** harlowja has joined #openstack-keystone		17:56
*** harlowja has quit IRC		18:00
*** germs has joined #openstack-keystone		18:06
*** germs has quit IRC		18:06
*** germs has joined #openstack-keystone		18:06
*** germs has quit IRC		18:07
*** germs has joined #openstack-keystone		18:08
*** germs has quit IRC		18:08
*** germs has joined #openstack-keystone		18:08
*** dmellado has quit IRC		18:16
*** oikiki has joined #openstack-keystone		18:33
*** dmellado has joined #openstack-keystone		18:42
*** itlinux has quit IRC		18:50
*** harlowja has joined #openstack-keystone		19:00
*** tesseract has quit IRC		19:05
aning	We are doing upgrade from Newton to Pike, what's the consequce if we skip keystone-manage db_sync --contract, all or partially?	19:16
aning	the reason is we ocasionally get deadloack at 014	19:19
*** pcichy has quit IRC		19:19
*** blake has joined #openstack-keystone		19:27
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add system scope project protection tests https://review.openstack.org/551337	19:34
lbragstad	aning: are you running on postgres	19:35
lbragstad	?	19:35
aning	yes	19:39
aning	we have postgres as the backend db	19:40
*** oikiki has quit IRC		19:48
*** oikiki has joined #openstack-keystone		19:48
lbragstad	cmurphy: was helping someone with that previously	19:53
aning	lbragstad: you mean he ever helped with the deadlock issue?	19:54
aning	cmurphy: is there a solution already for postgres deadlock issue during upgrade?	20:01
lbragstad	aning: she helped debug it a bit, iirc	20:01
aning	lbradstad, cmurphy: I have more info if you want to look at it again...	20:02
aning	we've been struggling with this for a while ... so we are thinking to skip 014 where the deadlock happens.	20:03
aning	as a workaround.	20:03
cmurphy	lbragstad: i don't think that was me, you might be thinking about the mariadb bug we had	20:07
cmurphy	was there a bug report?	20:07
cmurphy	aning: do you have the error message it gives when it locks up?	20:10
aning	Yes ... one second.	20:11
aning	2018-02-22T21:26:47.000 controller-1 postgres[76959]: warning [2-1] db=keystone,user=admin-keystone ERROR: deadlock detected	20:12
aning	2018-02-22T21:26:47.000 controller-1 postgres[76959]: warning [2-2] db=keystone,user=admin-keystone DETAIL: Process 76959 waits for AccessExclusiveLock on relation 17886 of database 16401; blocked by process 76955.	20:12
aning	2018-02-22T21:26:47.000 controller-1 postgres[76959]: warning [2-3] Process 76955 waits for AccessShareLock on relation 17776 of database 16401; blocked by process 76959.	20:12
aning	2018-02-22T21:26:47.000 controller-1 postgres[76959]: warning [2-4] Process 76959: ALTER TABLE local_user ADD CONSTRAINT local_user_user_id_fkey FOREIGN KEY(user_id, domain_id) REFERENCES "user" (id, domain_id) ON DELETE CASCADE ON UPDATE CASCADE	20:12
aning	2018-02-22T21:26:47.000 controller-1 postgres[76959]: warning [2-5] Process 76955: SELECT local_user.id AS local_user_id, local_user.user_id AS local_user_user_id, local_user.domain_id AS local_user_domain_id, local_user.name AS local_user_name, local_user.failed_auth_count AS local_user_failed_auth_count, local_user.failed_auth_at AS local_user_failed_auth_at, anon_1.user_id AS anon_1_user_id, anon_1.user_domain_id AS anon_1_user_domain_id	20:12
aning	2018-02-22T21:26:47.000 controller-1 postgres[76959]: warning [2-6] FROM (SELECT "user".id AS user_id, "user".domain_id AS user_domain_id	20:12
aning	2018-02-22T21:26:47.000 controller-1 postgres[76959]: warning [2-7] FROM "user"	20:12
aning	2018-02-22T21:26:47.000 controller-1 postgres[76959]: warning [2-8] WHERE "user".id = '20bd4216910340bc8e6019f6d826f9d7') AS anon_1 JOIN local_user ON anon_1.user_id = local_user.user_id AND anon_1.user_domain_id = local_user.domain_id ORDER BY anon_1.user_id, anon_1.user_domain_id	20:12
aning	2018-02-22T21:26:47.000 controller-1 postgres[76959]: warning [2-9] db=keystone,user=admin-keystone HINT: See server log for query details.	20:12
aning	2018-02-22T21:26:47.000 controller-1 postgres[76959]: warning [2-10] db=keystone,user=admin-keystone STATEMENT: ALTER TABLE local_user ADD CONSTRAINT local_user_user_id_fkey FOREIGN KEY(user_id, domain_id) REFERENCES "user" (id, domain_id) ON DELETE CASCADE ON UPDATE CASCADE	20:12
aning	Sorry, did I just flood the chat?	20:12
cmurphy	aning: yep, please use paste.openstack.org next time :)	20:12
aning	How to use that? I'm rather new to IRC	20:13
*** oikiki has quit IRC		20:13
cmurphy	aning: it's a website, go to http://paste.openstack.org/ to create the paste and then just drop the URL here :)	20:13
*** oikiki has joined #openstack-keystone		20:14
*** itlinux_ has joined #openstack-keystone		20:14
aning	Here it is: http://paste.openstack.org/show/696900/	20:15
lbragstad	i've seen that error before	20:21
*** threestrands has joined #openstack-keystone		20:22
*** threestrands has quit IRC		20:22
*** threestrands has joined #openstack-keystone		20:22
aning	We are not alone:)	20:22
lbragstad	ohhhhhhh	20:22
lbragstad	ugh - where did i see that?	20:22
lbragstad	cmurphy: sorry - i got mixed up	20:22
cmurphy	lbragstad: aning sorry i don't have any answers, maybe if lbragstad can figure out where we've seen that before we can get some hints	20:24
* lbragstad digs		20:24
knikolla	aning: do you have multiple keystone servers?	20:25
aning	Yes, we have two	20:26
lbragstad	it's a race bug iirc	20:26
aning	lbragstad: is it a reported bug already?	20:27
knikolla	aning: what is the exact procedure you're following?	20:30
lbragstad	http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2018-02-23.log.html#t2018-02-23T19:47:03	20:31
aning	Oh that's from us. kansim-wrs is our tech lead.	20:32
lbragstad	oh	20:32
lbragstad	nevermind then	20:32
*** itlinux_ has quit IRC		20:35
*** felipemonteiro has quit IRC		20:36
*** itlinux has joined #openstack-keystone		20:38
lbragstad	aning: were you able to make progress with the caching bit then?	20:39
lbragstad	or shutting of the policy for list_users?	20:39
lbragstad	to circumvent the read operation causing the deadlock	20:39
aning	No. we don't want to enalbe caching or changing policy for now.	20:40
aning	we are thinking of skipping 014 as workaround	20:40
aning	So what will be the consequence if we skip 014?	20:41
aning	knikolla: on controller0 (active) we upgrade controller1(standby) including db_sync --expand and --migrate, then we make controller1 as active, upgrade controller0 (now it's standby), then we call keystone-manage db_sync --contract on active controller1	20:41
*** raildo has quit IRC		20:42
*** itlinux has quit IRC		20:43
knikolla	aning: and the contract at this very last step is causing the error	20:44
aning	yes	20:44
aning	and it happens only ocasionally.	20:45
lbragstad	it's a race condition	20:45
knikolla	yes, only when there's a read going on. because the contract is requesting an ACCESS EXCLUSIVE lock, which also locks out reads.	20:45
lbragstad	well - these two fks won't be created in that case - https://github.com/openstack/keystone/blob/master/keystone/common/sql/contract_repo/versions/014_contract_add_domain_id_to_user_table.py#L46-L53	20:46
aning	without these two fks, my understanding is that, functional wise nothing will be broken, but there in very rare occations, the two keys may lose sync between user table and local_user table.	20:48
knikolla	i think we do cascade deletes based on domain?	20:49
cmurphy	i think that's a case where the foreign keys are pretty important	20:50
knikolla	i'm confused. is it even possible to support online upgrades if upgrading the database requires access exclusive locks, which also blocks reads :/	20:54
aning	knikolla: the CASCADE on DELETE will gurantee if we delete a row from one table, the referenced raw in the other table will be deleted as well?	20:54
aning	row	20:55
knikolla	aning: yes. in that case between the table user and the table local_user, and nonlocal_user and user.	21:02
openstackgerrit	ayoung proposed openstack/keystone-specs master: Add whitelist-extension-for-app-creds https://review.openstack.org/396331	21:02
ayoung	jgr, ^^ is just getting tox to pass	21:02
aning	without fk association between two table, potentially I could update the column in one table, leaving the related column in the other table unchanged, am I right?	21:03
aning	then the sync needs to be guruanteed by the user application, again am I right?	21:05
*** felipemonteiro has joined #openstack-keystone		21:05
adriant	ayoung, lbragstad: thanks for helping untangle that mess!	21:06
adriant	ayoung: I read through the scoll back here and I see how the policy works. (domain_id vs project_domain_id)	21:07
lbragstad	aning: right - it would be possible to delete a domain and leave users orphaned in the system	21:07
ayoung	adriant, you are now the smartest person I know	21:07
adriant	ugh at that policy, that's painful subtle enough to shoot someone in the foot	21:07
lbragstad	as are most things with keystone :)	21:07
jgr	ayoung: ah, I had this feeling that I'd forgotten something when I hit `git review`...thanks :-)	21:07
adriant	ayoung: I don't UNDERSTAND it, I'm not that bright :P	21:08
knikolla	lbragstad: that's actually the foreign key that maps local_user, nonlocal_user to user.	21:08
ayoung	usually we give you a dull spoon with which to cut off your own foot.	21:08
knikolla	deleting domains shouldn't leave orphaned things.	21:08
ayoung	jgr, I am going through now, and going to suggest you define two entities instead of one	21:08
lbragstad	knikolla: but deleting a user will leave fragments of that user in other tables, right?	21:08
ayoung	the first is the common part: Service, URL pattern, VERB	21:09
knikolla	lbragstad: yes. and depending on how we handle the user delete, might result in 500 on user listing.	21:09
lbragstad	yeah...	21:09
adriant	that said, ayoung, regarding the alice example where I made a typo. The point wasn't the error, the fact that when I didn't make the typo just now that it worked is worse :P http://paste.openstack.org/show/696971/	21:09
ayoung	the second is the actual whitelist. But I think that means the whitelist can be added to the app credential in an optional field	21:09
adriant	ayoung: alice has roles in projects that are not her domain. is that intended?	21:09
knikolla	but if we delete the row in user first, the orphaned fragments should be innocuous.	21:10
ayoung	yes, that is fine	21:10
ayoung	domains "own" the user record	21:10
adriant	correction, is allowing that intended?	21:10
adriant	Oh, but not the scope	21:10
ayoung	role assignemtns can cross domain boundaries	21:10
adriant	oh	21:10
adriant	cool	21:10
ayoung	acha!	21:10
knikolla	user will be a subset of what's available. so it won't query about the orphaned rows.	21:10
adriant	alright	21:10
knikolla	unless something weird is happening with joins.	21:10
knikolla	still i would argue against continuing without that migration.	21:11
knikolla	there be dragons.	21:11
adriant	ayoung: thanks btw, apologises for potentially silly questions, it's just that trying to work out what is intended/unintended is a little weird sometimes.	21:12
adriant	but is role assignments can be cross domain, and you can scope to other domains... that opens up some very interesting uses cases for me...	21:13
adriant	but if*	21:13
aning	knikolla: so you don't think it's good idea of skipping the fk creation?	21:15
knikolla	aning: yes, bad idea.	21:16
knikolla	at best everything will work fine. at worst you're going to get server error when you list users.	21:17
knikolla	https://github.com/openstack/keystone/blob/master/keystone/identity/backends/sql.py#L166	21:22
*** threestrands has quit IRC		21:22
knikolla	when listing users, an outerjoin is done on tables user and local_user	21:23
knikolla	that'll probably break.	21:24
ayoung	adriant, no problem at all. I really appreciate you taking the time to work through this. Keystone is the better for your efforts.	21:27
*** dtruong has quit IRC		21:43
openstackgerrit	Nicolas Helgeson proposed openstack/keystone master: Extend comparator support for project list by tags https://review.openstack.org/523499	21:48
*** mburrows has joined #openstack-keystone		21:52
*** r-daneel has quit IRC		21:56
*** awestin1 has quit IRC		22:27
*** jamespage has quit IRC		22:27
*** edmondsw has quit IRC		22:27
*** jamespage has joined #openstack-keystone		22:28
*** awestin1 has joined #openstack-keystone		22:28
*** dave-mccowan has quit IRC		23:09
*** martinus__ has quit IRC		23:15
*** masber has joined #openstack-keystone		23:27
*** masber has quit IRC		23:30
*** masber has joined #openstack-keystone		23:30
*** edmondsw has joined #openstack-keystone		23:49
*** blake has quit IRC		23:52
*** edmondsw has quit IRC		23:54

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!