Thursday, 2018-06-14

« Wednesday, 2018-06-13 Index Friday, 2018-06-15 »
*** felipemonteiro has joined #openstack-keystone00:00
*** r-daneel has quit IRC00:08
*** felipemonteiro has quit IRC00:09
*** felipemonteiro has joined #openstack-keystone00:14
*** felipemonteiro_ has joined #openstack-keystone00:16
*** felipemonteiro has quit IRC00:20
*** blake has quit IRC00:22
*** r-daneel has joined #openstack-keystone00:25
*** felipemonteiro_ has quit IRC00:25
*** r-daneel_ has joined #openstack-keystone00:29
*** r-daneel has quit IRC00:29
*** r-daneel_ is now known as r-daneel00:29
*** dineshbhor__ has joined #openstack-keystone00:31
*** annp has joined #openstack-keystone00:48
*** blake has joined #openstack-keystone00:49
*** r-daneel has quit IRC00:50
*** blake has quit IRC00:52
*** liuzz has joined #openstack-keystone01:11
openstackgerritwangxiyuan proposed openstack/keystone master: Unified limit update APIs Refactor  https://review.openstack.org/55955201:29
*** r-daneel has joined #openstack-keystone01:32
*** r-daneel has quit IRC01:37
*** r-daneel has joined #openstack-keystone01:40
*** gyee has quit IRC01:41
*** boris_42_ has quit IRC01:50
*** felipemo_ has joined #openstack-keystone02:12
*** itlinux has joined #openstack-keystone02:36
*** ayoung has quit IRC02:50
*** liuzz_ has joined #openstack-keystone02:51
*** liuzz has quit IRC02:53
*** ayoung has joined #openstack-keystone03:00
*** liuzz has joined #openstack-keystone03:26
*** liuzz_ has quit IRC03:27
*** bhagyashris has quit IRC03:35
*** ayoung has quit IRC03:40
*** dave-mccowan has quit IRC03:45
*** bhagyashris has joined #openstack-keystone03:46
*** liuzz_ has joined #openstack-keystone03:52
*** liuzz has quit IRC03:53
*** annp has quit IRC04:00
*** annp has joined #openstack-keystone04:00
*** germs has quit IRC04:12
*** ykarel|away has joined #openstack-keystone04:16
*** ykarel|away is now known as ykarel04:16
*** lifeless_ has quit IRC04:22
*** threestrands has quit IRC04:47
*** dineshbhor__ has quit IRC04:59
*** links has joined #openstack-keystone05:00
*** dineshbhor__ has joined #openstack-keystone05:02
*** liuzz has joined #openstack-keystone05:05
*** liuzz_ has quit IRC05:05
*** felipemo_ has quit IRC05:07
*** pcaruana has quit IRC05:09
*** lifeless has joined #openstack-keystone05:17
*** pcichy has quit IRC05:40
*** jaosorior has quit IRC05:41
*** pcichy has joined #openstack-keystone05:55
*** itlinux has quit IRC06:17
*** pcaruana has joined #openstack-keystone06:17
*** mtreinish has quit IRC06:19
*** AlexeyAbashkin has joined #openstack-keystone06:20
*** liuzz_ has joined #openstack-keystone06:22
*** liuzz has quit IRC06:24
*** threestrands has joined #openstack-keystone06:27
*** AlexeyAbashkin has quit IRC06:33
*** martinus__ has joined #openstack-keystone06:47
*** mtreinish has joined #openstack-keystone06:58
*** AlexeyAbashkin has joined #openstack-keystone06:59
*** evrardjp_ is now known as evrardjp07:12
*** tesseract has joined #openstack-keystone07:16
*** rcernin has quit IRC07:27
*** sapd has quit IRC07:27
*** sapd has joined #openstack-keystone07:27
*** lifeless has quit IRC07:28
*** lifeless has joined #openstack-keystone07:35
*** s10 has joined #openstack-keystone08:09
*** ykarel is now known as ykarel|lunch08:19
*** AlexeyAbashkin has quit IRC08:53
*** AlexeyAbashkin has joined #openstack-keystone09:04
*** ykarel|lunch is now known as ykarel09:09
*** jaosorior has joined #openstack-keystone09:15
*** s10 has quit IRC09:20
*** links has quit IRC09:33
*** links has joined #openstack-keystone09:33
*** sonuk has joined #openstack-keystone09:33
*** sonuk_ has quit IRC09:35
*** dineshbhor__ has quit IRC09:53
*** threestrands has quit IRC09:54
*** AlexeyAbashkin has quit IRC10:03
*** nicolasbock has joined #openstack-keystone10:37
*** annp has quit IRC11:02
*** AlexeyAbashkin has joined #openstack-keystone11:03
*** ykarel_ has joined #openstack-keystone11:31
*** ykarel has quit IRC11:34
*** ykarel_ is now known as ykarel11:34
*** nicolasbock has quit IRC11:42
*** raildo has joined #openstack-keystone12:05
*** nicolasbock has joined #openstack-keystone12:11
*** felipemonteiro has joined #openstack-keystone12:26
*** felipemonteiro has quit IRC12:47
*** lifeless has quit IRC12:48
*** lifeless has joined #openstack-keystone12:49
*** edmondsw has joined #openstack-keystone12:54
*** AlexeyAbashkin has quit IRC12:56
*** dave-mccowan has joined #openstack-keystone13:00
*** AlexeyAbashkin has joined #openstack-keystone13:04
*** dave-mccowan has quit IRC13:05
*** SpamapS has joined #openstack-keystone13:06
SpamapSgreetings keystoners13:06
SpamapSI have a weird problem going on, trying to figure out what's happening.13:06
SpamapSwhy would `openstack role list` return differenting things if I pass --domain or not, when I have only one domain, and it's the 'default/Default' domain?13:07
*** felipemonteiro has joined #openstack-keystone13:09
*** dave-mccowan has joined #openstack-keystone13:10
cmurphySpamapS: because there are global roles and their are domain-specific roles, so if you pass --domain default you're asking for roles that are namespaced within the default domain13:10
SpamapScmurphy: ah, that makes sense, ok. Are there global role assignments too?13:11
cmurphySpamapS: no, role assignments are always made with a scope, which can be a project, domain, or the "system" (which sounds like global but it's not exactly)13:12
SpamapSoh ok I see, so that's why I have role assignments with project, but no domain13:13
cmurphyyes13:13
SpamapSWe've had a couple of mind bending days because of https://review.openstack.org/57523413:13
SpamapSugh and now I see that comment and I'm back to o_O13:14
cmurphyhmm well there is `openstack role list` and `openstack role assignment list` and the --domain would have different meanings for each13:16
kmallocDomain specific roles are... Weird in their implmentation13:16
kmallocBecause you also have to create inferences or they do nothing.13:16
*** felipemonteiro has quit IRC13:16
kmallocOur docs suck on this front.13:16
SpamapSIt's hard to document inference.13:17
SpamapSAnyway, I think I understand why I'm seeing what I'm seeing now.13:18
SpamapSThere may be more later. :-P13:18
SpamapSThanks. :-D13:21
cmurphy:)13:21
*** r-daneel has quit IRC13:26
*** AlexeyAbashkin has quit IRC13:43
kmallocSpamapS: sure thing, come visit us anytime!13:45
kmalloc :)13:45
*** AlexeyAbashkin has joined #openstack-keystone13:46
*** dave-mccowan has quit IRC13:52
*** Tahvok has quit IRC13:54
*** r-daneel has joined #openstack-keystone13:56
*** linkmark has quit IRC13:57
*** r-daneel_ has joined #openstack-keystone13:59
*** r-daneel has quit IRC14:00
*** r-daneel_ is now known as r-daneel14:00
*** Tahvok has joined #openstack-keystone14:02
openstackgerritLance Bragstad proposed openstack/python-keystoneclient master: Add support for registered limits  https://review.openstack.org/53766814:02
*** ykarel is now known as ykarel|away14:04
openstackgerritLance Bragstad proposed openstack/python-keystoneclient master: Add support for project-specific limits  https://review.openstack.org/57439114:05
*** r-daneel_ has joined #openstack-keystone14:06
*** r-daneel has quit IRC14:07
*** r-daneel_ is now known as r-daneel14:07
kmalloclbragstad: hm14:12
kmalloclbragstad: question for you regarding shadow users14:12
lbragstadnot sure how useful i'll be but i can try :)14:13
kmalloclbragstad: it appears .get_user is only ever returning the local user, how does that work for referencing the shadow user info14:13
kmallocand more specifically, what, if anything, are we doing with LDAP users being shadowed.14:13
lbragstadi think that's a separate method... called get_federated_user?14:13
kmallocah, right.14:13
kmallocbut that seems to only affect LIST14:14
kmallocafaict, we don't actually use shadow_user for ... anything outside of mirroring in auth and for authenticate14:14
kmallocit feels like we never got to the point of actually using shadow users effectively..14:15
*** links has quit IRC14:15
kmallocedmondsw: i need your brain re: shadow_users since you helped build it14:15
lbragstadthat's what rderose and ravelar were working on14:15
kmallocright.14:15
edmondswkmalloc presenting14:16
kmallocso.. TL;DR clearing stale shadow entries should be 100% safe?14:16
kmallocedmondsw: we don't use shadow users really for anything, since rderose and ravelar didn't finish the full integration14:16
kmallocedmondsw: right?14:16
kmallocedmondsw: i have a question about someone getting a conflict due to maybe a stale entry14:17
kmallocLDAP backend.14:17
kmallocif i advise just "clear the stale entry", there is no way a rogue assignment is going to linger around14:17
kmallocbecause we havent gotten that integration in place yet, right?14:17
*** mchlumsky has joined #openstack-keystone14:21
kmalloclbragstad: i advised it is probably safe to drop the LDAP shadow since we're not leaning on it.14:24
lbragstadi want to say that was kept around because we wanted to unify all identities14:24
kmallocright14:24
kmallocand we should still do that14:24
kmallocbuuuuuut...14:24
kmallocit's not there yet14:24
*** dave-mccowan has joined #openstack-keystone14:26
*** AlexeyAbashkin has quit IRC14:32
lbragstadi really need to sit down sometime and reassess that work14:44
kmalloclbragstad: you and I both14:46
lbragstadpreferrably before the ptg14:47
kmalloclets set a time and just carve out an hour to bluejeans and discuss where we are at14:47
kmallocor so*14:48
*** r-daneel_ has joined #openstack-keystone14:48
lbragstadsure14:48
*** r-daneel has quit IRC14:49
*** r-daneel_ is now known as r-daneel14:49
openstackgerritHarry Rybacki proposed openstack/keystone master: Ensure default roles created during bootstrap  https://review.openstack.org/57224314:55
hrybackilbragstad: did Ozz's comment address your testing concern?14:55
hrybackiWRT default roles14:55
lbragstadi can check14:55
lbragstadi haven't looked yet14:55
hrybackiack tl;dr test coverage touches it but there is not an explicit test for that helper method14:56
knikollao/14:58
kmalloclbragstad: do you want me to try and isolate https://review.openstack.org/#/c/574735/ from the chain so we can land it sooner?14:59
kmalloclbragstad: i can try and do that today, or i can wrangle some folks to review the preceeding patches15:00
lbragstadi can get back to reviewing that today15:00
kmalloc(might be quicker since gate -> merge vs check->gate->merge)15:00
lbragstadi've been buried in ksc and osc patches15:00
kmallocthe other patches are simple15:00
kmallocin comparison15:00
kmallocno functionality changes, just "requirement addition" and scaffolding15:01
kmallocoh, there is one change15:01
kmallocthe compression down to just public_endpoint not admin and public endpoint15:01
kmallocadmin endpoint is only used in our local testing now (fwiw)15:01
kmalloci'll try to get eyes on osc and ksc patches today as well15:01
lbragstadhttps://review.openstack.org/#/q/topic:bp/unified-limits+status:open+(project:openstack/python-keystoneclient+OR+project:openstack/python-openstackclient)15:02
lbragstadthe ksc patches should be good to go15:04
lbragstadthe only one that needs work is the osc patch for project-specific limits15:04
lbragstadthe osc patch for registered limits needs unit tests yet, but it should have complete coverage from a functional testing perspective15:05
*** pcaruana has quit IRC15:24
*** ykarel_ has joined #openstack-keystone15:31
*** ykarel|away has quit IRC15:34
*** spilla has joined #openstack-keystone15:37
*** germs has joined #openstack-keystone15:52
*** germs has quit IRC15:52
*** germs has joined #openstack-keystone15:52
lbragstadthe osc unit tests kinda blow my mind15:53
*** linkmark has joined #openstack-keystone15:53
*** lifeless has quit IRC16:07
*** lifeless has joined #openstack-keystone16:08
*** gyee has joined #openstack-keystone16:19
*** jmlowe has quit IRC16:31
* lbragstad steps away for lunch16:32
*** germs has quit IRC16:32
*** zzzeek has quit IRC16:38
*** germs has joined #openstack-keystone16:41
*** germs has quit IRC16:41
*** germs has joined #openstack-keystone16:41
*** mchlumsky_ has joined #openstack-keystone16:42
*** mchlumsky has quit IRC16:42
*** zzzeek has joined #openstack-keystone16:44
*** germs has quit IRC16:47
kmalloclbragstad: heh17:01
*** felipemonteiro has joined #openstack-keystone17:25
*** tesseract has quit IRC17:30
*** dave-mccowan has quit IRC17:30
*** jmlowe has joined #openstack-keystone17:42
*** pcaruana has joined #openstack-keystone17:43
*** ykarel_ has quit IRC17:58
*** pcaruana has quit IRC18:01
*** pcaruana has joined #openstack-keystone18:06
*** spilla has quit IRC18:10
*** spilla has joined #openstack-keystone18:11
*** felipemonteiro has quit IRC18:19
*** mvenesio has joined #openstack-keystone18:27
*** r-daneel has quit IRC18:28
*** r-daneel has joined #openstack-keystone18:28
openstackgerritLance Bragstad proposed openstack/python-keystoneclient master: Add support for registered limits  https://review.openstack.org/53766818:39
openstackgerritLance Bragstad proposed openstack/python-keystoneclient master: Add support for project-specific limits  https://review.openstack.org/57439118:39
lbragstadkmalloc: knikolla fixed ^18:39
*** germs has joined #openstack-keystone18:43
*** germs has quit IRC18:43
*** germs has joined #openstack-keystone18:43
*** germs has quit IRC18:47
edmondswkmalloc sorry, you caught me while I was presenting to upper mgmt and then it slipped my mind when I got out.18:51
edmondswkmalloc shadow users... I honestly don't know how much they are or are not used with LDAP. I haven't thought about that stuff in a long time and I wasn't all that involved to begin with18:52
edmondswkmalloc you're not talking about code changes, just clearing someones db to get past an issue, right?18:52
*** dave-mccowan has joined #openstack-keystone18:52
edmondswI don't think that would be an issue. I'd want to talk more if we're proposing code changes18:53
*** spilla has quit IRC18:57
kmallocNope, just clearing data in a db19:13
*** felipemonteiro has joined #openstack-keystone19:15
*** lifeless has quit IRC19:37
*** aojea_ has joined #openstack-keystone19:41
*** jmlowe has quit IRC19:43
*** lifeless has joined #openstack-keystone19:53
*** jmlowe has joined #openstack-keystone20:05
*** spilla has joined #openstack-keystone20:05
*** raildo has quit IRC20:12
*** felipemonteiro has quit IRC20:16
*** spilla has quit IRC20:16
*** spilla has joined #openstack-keystone20:27
lamto/ I have a question re: oidc federation: is it possible for the openstack client to use oidc (keycloak atm).  I can get horizon to authenticate and it seems oidc returns an access token back correctly, but when it redirects back to /v3/OS-FEDERATION/identity_providers/myidp/protocols/mapped/auth - I run into 'Connection broken: IncompleteRead(0 bytes read)' - not sure if it is the mod_auth_openidc setting.20:29
*** martinus__ has quit IRC20:36
*** spilla has quit IRC21:13
*** mvenesio has quit IRC21:35
*** mvenesio has joined #openstack-keystone21:36
*** mvenesio has quit IRC21:40
*** dave-mccowan has quit IRC21:45
*** lifeless has quit IRC21:49
*** lifeless has joined #openstack-keystone21:51
*** jmlowe has quit IRC21:52
*** edmondsw has quit IRC21:54
*** jmlowe has joined #openstack-keystone21:59
*** aojea_ has quit IRC22:11
*** mchlumsky_ has quit IRC22:16
*** rcernin has joined #openstack-keystone22:20
*** nicolasbock has quit IRC22:34
knikollalamt: yes22:48
knikollahttps://osticket.massopen.cloud/kb/faq.php?id=1622:48
*** boris_42_ has joined #openstack-keystone22:48
knikollaand https://github.com/CCI-MOC/MOCOSPpuppet/blob/master/keystone/templates/wsgi-keystone.erb#L76-L8922:50
knikollayou need to enable oauth20 on that url so that it works with the access token given.22:51
knikollahope that helps. ping me if you need help.22:52
kmalloclbragstad: +2 on the ksc ones22:53
openstackgerritMorgan Fainberg proposed openstack/keystone master: Store JSON Home Resources off the composing router  https://review.openstack.org/57473522:54
kmalloclbragstad: ^ that had 2x+2+A but rebased out of the chain22:55
kmallocnow22:55
kmalloclbragstad: want to just push it through?22:56
*** threestrands has joined #openstack-keystone22:56
*** threestrands has quit IRC22:56
*** threestrands has joined #openstack-keystone22:56
*** dklyle has quit IRC22:56
*** dklyle has joined #openstack-keystone22:57
*** threestrands has quit IRC22:57
*** threestrands has joined #openstack-keystone22:57
*** threestrands has quit IRC22:57
*** threestrands has joined #openstack-keystone22:57
lamtknikolla: thanks - I will try it out tomorrow23:08
knikollakmalloc: i'll push it23:09
kmallocknikolla: cool thnx23:12
knikolla60% of this week has been meetings so far23:13
knikollai'm happy to look at code23:13
kmallochehe23:13
*** itlinux has joined #openstack-keystone23:29
*** r-daneel has quit IRC23:37
*** lifeless_ has joined #openstack-keystone23:42
*** lifeless has quit IRC23:43
*** markvoelker has quit IRC23:46
« Wednesday, 2018-06-13 Index Friday, 2018-06-15 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!