Friday, 2018-06-15

« Thursday, 2018-06-14 Index Saturday, 2018-06-16 »
*** jmlowe has quit IRC00:40
*** germs has joined #openstack-keystone00:45
*** germs has quit IRC00:45
*** germs has joined #openstack-keystone00:45
*** jmlowe has joined #openstack-keystone00:45
*** germs has quit IRC00:50
*** r-daneel has joined #openstack-keystone00:52
*** Dinesh_Bhor has joined #openstack-keystone00:54
openstackgerritwangxiyuan proposed openstack/keystone master: Unified limit update APIs Refactor  https://review.openstack.org/55955201:06
*** gyee has quit IRC01:09
*** lifeless_ has quit IRC01:13
*** lifeless has joined #openstack-keystone01:13
*** lifeless_ has joined #openstack-keystone01:24
*** lifeless has quit IRC01:25
*** lifeless has joined #openstack-keystone01:40
*** lifeless_ has quit IRC01:41
*** markvoelker has joined #openstack-keystone01:47
*** lifeless has quit IRC01:54
*** lifeless has joined #openstack-keystone02:00
*** zxy has quit IRC02:03
*** ayoung has joined #openstack-keystone02:20
*** zxy has joined #openstack-keystone02:21
*** markvoelker has quit IRC02:21
*** fiddletwix has quit IRC02:26
*** boris_42_ has quit IRC02:38
*** germs has joined #openstack-keystone02:46
*** germs has quit IRC02:46
*** germs has joined #openstack-keystone02:46
*** germs has quit IRC02:50
*** germs has joined #openstack-keystone02:50
*** germs has quit IRC02:50
*** germs has joined #openstack-keystone02:50
larsksAnybody around? I have a question about keystone + horizon + websso, and horizon's OPENSTACK_KEYSTONE_URL setting...02:55
larsksTripleo sets OPENSTACK_KEYSTONE_URL to the internal api endpoint, but this seems odd because when trying to use sso it appears to redirect the browser to that url, which would suggest it should be using the public endpoint (on the theory that "internal" means "unavaiable outside of the openstack cluster itself")02:56
*** germs has quit IRC03:00
*** annp has joined #openstack-keystone03:03
*** d0ugal_ has joined #openstack-keystone03:17
*** d0ugal has quit IRC03:17
*** markvoelker has joined #openstack-keystone03:18
*** david-lyle has joined #openstack-keystone03:30
*** dklyle has quit IRC03:32
*** markvoelker has quit IRC03:51
*** ykarel_ has joined #openstack-keystone04:08
openstackgerritAdrian Turjak proposed openstack/keystone master: [WIP] Implement auth receipts spec  https://review.openstack.org/57228604:17
*** dmellado has quit IRC04:23
*** stlbigdog has joined #openstack-keystone04:23
adriantlbragstad, cmurphy, kmalloc: Receipt implementation is ready for cursory review. I've still marked it as [WIP] because I don't yet have unit tests for the provider logic, but the unit tests for MFA workflow and receipt consumption are there and passing. So the provider probably works as intended, but I will of course make dedicated tests for it to04:25
adriantmatch the similar tests the token provider has.04:25
adriantI've yet to actually test consuming a receipt myself in a working keystone test deployment, but I'll do that next week. I'll get my code working in devstack and see how that goes, but I don't expect issues.04:26
*** stlbigdog has quit IRC04:31
*** germs has joined #openstack-keystone04:37
*** germs has quit IRC04:37
*** germs has joined #openstack-keystone04:37
*** germs has quit IRC04:41
*** markvoelker has joined #openstack-keystone04:48
*** links has joined #openstack-keystone04:55
openstackgerritMerged openstack/keystone master: Store JSON Home Resources off the composing router  https://review.openstack.org/57473505:09
*** nicolasbock has joined #openstack-keystone05:14
*** nicolasbock has quit IRC05:18
*** pcaruana has quit IRC05:18
*** markvoelker has quit IRC05:21
*** ykarel__ has joined #openstack-keystone05:50
*** ykarel_ has quit IRC05:53
cmurphyadriant: awesome! will try to have a look soon06:13
*** Dinesh_Bhor has quit IRC06:32
*** Dinesh_Bhor has joined #openstack-keystone06:34
*** aojea_ has joined #openstack-keystone06:36
*** pcaruana has joined #openstack-keystone06:44
*** martinus__ has joined #openstack-keystone06:51
*** ykarel_ has joined #openstack-keystone06:52
*** ykarel__ has quit IRC06:55
*** ykarel_ is now known as ykarel07:07
*** rcernin has quit IRC07:08
*** germs has joined #openstack-keystone07:08
*** germs has quit IRC07:08
*** germs has joined #openstack-keystone07:08
*** AlexeyAbashkin has joined #openstack-keystone07:13
*** germs has quit IRC07:13
*** Dinesh_Bhor has quit IRC07:13
*** blake has joined #openstack-keystone07:16
*** tesseract has joined #openstack-keystone07:17
*** Dinesh_Bhor has joined #openstack-keystone07:17
*** markvoelker has joined #openstack-keystone07:18
*** AlexeyAbashkin has quit IRC07:29
*** AlexeyAbashkin has joined #openstack-keystone07:29
*** blake_ has joined #openstack-keystone07:29
*** blake has quit IRC07:32
*** blake_ has quit IRC07:34
*** blake has joined #openstack-keystone07:34
*** AlexeyAbashkin has quit IRC07:39
*** AlexeyAbashkin has joined #openstack-keystone07:39
*** markvoelker has quit IRC07:50
*** aojea_ has quit IRC07:53
*** AlexeyAbashkin has quit IRC08:00
*** AlexeyAbashkin has joined #openstack-keystone08:01
*** d0ugal_ has quit IRC08:04
*** d0ugal has joined #openstack-keystone08:04
*** d0ugal has quit IRC08:04
*** d0ugal has joined #openstack-keystone08:04
*** threestrands has quit IRC08:20
*** Dinesh_Bhor has quit IRC08:27
*** Dinesh_Bhor has joined #openstack-keystone08:29
*** s10 has joined #openstack-keystone08:29
openstackgerritwangxiyuan proposed openstack/keystoneauth master: Add minimum verion for requirements  https://review.openstack.org/57568508:32
*** AlexeyAbashkin has quit IRC08:45
*** AlexeyAbashkin has joined #openstack-keystone08:45
*** ykarel is now known as ykarel|lunch08:47
*** markvoelker has joined #openstack-keystone08:48
openstackgerritwangxiyuan proposed openstack/keystoneauth master: Add minimum version for requirements  https://review.openstack.org/57568508:51
*** lifeless has quit IRC08:57
*** blake has quit IRC08:59
openstackgerritwangxiyuan proposed openstack/keystone master: Remove a uesless function  https://review.openstack.org/57569409:02
*** AlexeyAbashkin has quit IRC09:03
*** AlexeyAbashkin has joined #openstack-keystone09:03
*** germs has joined #openstack-keystone09:09
*** germs has quit IRC09:09
*** germs has joined #openstack-keystone09:09
openstackgerritwangxiyuan proposed openstack/keystone master: Remove get_catalog usage from contrib  https://review.openstack.org/57569609:10
*** lifeless has joined #openstack-keystone09:10
*** AlexeyAbashkin has quit IRC09:12
*** AlexeyAbashkin has joined #openstack-keystone09:13
*** germs has quit IRC09:14
*** markvoelker has quit IRC09:22
*** AlexeyAbashkin has quit IRC09:22
*** AlexeyAbashkin has joined #openstack-keystone09:22
*** ykarel|lunch is now known as ykarel09:25
openstackgerritwangxiyuan proposed openstack/keystone master: Remove get_catalog from manage layer  https://review.openstack.org/57570409:30
*** liuzz_ has quit IRC09:33
*** Dinesh_Bhor has quit IRC09:34
*** sapd_ has joined #openstack-keystone09:35
*** Dinesh_Bhor has joined #openstack-keystone09:38
*** lifeless has quit IRC09:38
*** lifeless has joined #openstack-keystone09:45
*** Dinesh_Bhor has quit IRC09:47
*** rcernin has joined #openstack-keystone10:06
*** cristicalin has joined #openstack-keystone10:17
*** markvoelker has joined #openstack-keystone10:18
*** lifeless_ has joined #openstack-keystone10:22
*** lifeless has quit IRC10:23
*** AlexeyAbashkin has quit IRC10:24
*** cristicalin has quit IRC10:25
*** lifeless_ has quit IRC10:39
*** lifeless has joined #openstack-keystone10:41
*** markvoelker has quit IRC10:51
*** lifeless_ has joined #openstack-keystone10:55
*** lifeless has quit IRC10:56
*** AlexeyAbashkin has joined #openstack-keystone10:57
*** raildo has joined #openstack-keystone10:59
*** lifeless has joined #openstack-keystone11:00
*** lifeless_ has quit IRC11:01
*** lifeless has quit IRC11:05
*** germs has joined #openstack-keystone11:10
*** germs has quit IRC11:10
*** germs has joined #openstack-keystone11:10
*** lifeless has joined #openstack-keystone11:10
*** germs has quit IRC11:14
*** lifeless_ has joined #openstack-keystone11:15
*** lifeless has quit IRC11:15
*** annp has quit IRC11:16
*** AlexeyAbashkin has quit IRC11:27
*** AlexeyAbashkin has joined #openstack-keystone11:28
openstackgerritMerged openstack/keystone-specs master: Update links in README  https://review.openstack.org/57463711:36
*** yikun has quit IRC11:43
*** markvoelker has joined #openstack-keystone11:48
openstackgerritMerged openstack/keystone master: Ensure default roles created during bootstrap  https://review.openstack.org/57224311:50
*** edmondsw has joined #openstack-keystone12:01
*** markvoelker has quit IRC12:03
*** markvoelker has joined #openstack-keystone12:03
hrybackiwoo openstackgerrit++12:28
*** cristicalin has joined #openstack-keystone12:31
*** cristicalin has quit IRC12:33
openstackgerritDavid Rabel proposed openstack/keystone master: Fix typo in docs  https://review.openstack.org/57426612:38
*** AlexeyAbashkin has quit IRC12:38
*** ykarel has quit IRC12:39
*** ykarel has joined #openstack-keystone12:39
*** AlexeyAbashkin has joined #openstack-keystone12:40
openstackgerritDavid Rabel proposed openstack/keystone master: Clarify complicated sentence in docs  https://review.openstack.org/57426612:43
*** lifeless_ has quit IRC12:46
*** AlexeyAbashkin has quit IRC12:50
*** AlexeyAbashkin has joined #openstack-keystone12:50
*** rcernin has quit IRC13:02
knikollao/13:03
knikollalarsks: hi there13:05
larsksknikolla: Howdy!13:05
larsksDo I have some questions for you.13:06
knikollayup, I was reading back the irc logs13:06
knikollalarsks: are you around the office today?13:06
larsksI could be.  Are you going to be there?13:07
knikollayep. i'm usually there everyday13:07
larsksAwesome. I will come on in.  Probably I'll arrive a little after 10-ish.13:07
knikollaCool. I have a meeting 11-1, but except that I should be free.13:08
*** germs has joined #openstack-keystone13:11
*** germs has quit IRC13:11
*** germs has joined #openstack-keystone13:11
*** germs has quit IRC13:15
*** dave-mcc_ has joined #openstack-keystone13:16
*** jmlowe has quit IRC13:18
*** r-daneel has quit IRC13:20
*** links has quit IRC13:27
*** ykarel is now known as ykarel|away13:31
knikollapo kaloj mire13:32
knikollaerrr.. wrong window13:32
* knikolla facepalm13:32
openstackgerritMerged openstack/python-keystoneclient master: fix a typo in docstring  https://review.openstack.org/57310813:36
*** dave-mcc_ has quit IRC13:39
*** ykarel|away has quit IRC13:40
lbragstadkmalloc: knikolla thaks for the ksc reviews!13:46
lbragstadthanks*13:46
lbragstadonce https://review.openstack.org/#/c/559552/17 and https://review.openstack.org/#/c/569741/3 merge - we can start getting those client patches in13:46
*** dansmith is now known as superdan13:47
*** lbragstad is now known as elbragstad13:48
*** r-daneel has joined #openstack-keystone13:50
*** jmlowe has joined #openstack-keystone13:57
*** AlexeyAbashkin has quit IRC14:06
*** r-daneel_ has joined #openstack-keystone14:07
*** r-daneel has quit IRC14:08
*** r-daneel_ is now known as r-daneel14:08
*** sapd_ has quit IRC14:10
*** sapd has quit IRC14:10
*** dave-mccowan has joined #openstack-keystone14:15
openstackgerritDavid Rabel proposed openstack/keystone master: Clarify complicated sentence in docs  https://review.openstack.org/57426614:22
*** mvenesio has joined #openstack-keystone14:22
*** germs has joined #openstack-keystone14:23
*** germs has quit IRC14:23
*** germs has joined #openstack-keystone14:23
*** AlexeyAbashkin has joined #openstack-keystone14:58
*** pcaruana has quit IRC15:01
*** r-daneel has quit IRC15:03
*** r-daneel has joined #openstack-keystone15:04
*** gyee has joined #openstack-keystone15:52
*** Guest54251 has quit IRC15:54
*** Guest54251 has joined #openstack-keystone15:54
*** Guest54251 is now known as awestin115:55
*** awestin1 has quit IRC15:55
*** awestin1 has joined #openstack-keystone15:55
*** awestin1 has quit IRC15:55
*** awestin1 has joined #openstack-keystone15:55
*** ykarel|away has joined #openstack-keystone16:05
*** dave-mccowan has quit IRC16:06
*** ayoung has quit IRC16:18
*** jmlowe has quit IRC16:23
*** s10 has quit IRC16:24
*** ayoung has joined #openstack-keystone16:25
*** sonuk_ has joined #openstack-keystone16:27
*** sonuk has quit IRC16:30
*** jmlowe has joined #openstack-keystone16:32
*** r-daneel has quit IRC16:33
*** r-daneel has joined #openstack-keystone16:33
*** ykarel|away has quit IRC16:43
*** spilla has joined #openstack-keystone16:49
*** sonuk has joined #openstack-keystone16:49
*** sonuk_ has quit IRC16:52
hrybackilbragstad[m]: when you were porting keystone RuleDefaults->DocumentedRuleDefaults, did you come up with any debugging tricks? I'm porting Barbican atm and the tracebacks provide no insight: https://paste.fedoraproject.org/paste/fwp8~9AqxkV9mextJx97qw16:58
elbragstadlooks like a package error16:58
hrybackielbragstad: ? lemme show you the diff16:59
hrybackihttps://paste.fedoraproject.org/paste/dofFQtmjKYriMb358LPeSA17:00
hrybackilbragstad[m]: note that I've seen this before -- I thought it was related to syntax of the DocumentedRuleDefault but this should be fine17:01
hrybackiseen it before* while updating other rules in barbican17:01
*** tesseract has quit IRC17:01
elbragstadhrybacki: do you have anything posted to gerrit yet?17:02
*** sonuk_ has joined #openstack-keystone17:03
hrybackilbragstad[m]: https://review.openstack.org/575218 -- note that I'm presently working in orders.py17:04
elbragstadand you're getting that error running the tests?17:05
hrybackiaye, after I update the next rule `order:get`17:05
hrybackithat latest patchset is passing17:06
*** sonuk has quit IRC17:07
elbragstadhrybacki: http://paste.openstack.org/show/723561/17:13
elbragstad^ fixes it for me17:13
elbragstadi think it's because you're passing description as an empty string17:13
elbragstadand when you use the DocumentedRuleDefault class, that specific attribute is required17:14
kmallocelbragstad: hrm, i was going to move limits to flask next, but if we're actively iterating i'll pass on it to a different subsystem17:14
hrybackiAhhhh! Thanks lbragstad[m]17:14
elbragstadhrybacki: https://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L107317:14
elbragstadhrybacki: it's odd that error isn't more apparent in the trace though17:14
hrybackiI'll look into making that exception more apparent17:14
elbragstadi'm not sure why17:14
elbragstadkmalloc: yeah - that makes sense, we can hold off on flakifying limits17:15
elbragstadthose reviews for unified limits are pretty squared away in my opinion though17:15
kmallocright17:15
elbragstadif you did want to start with that api, you probably could after those merge17:16
elbragstad(they contain most of the changes we wanted to make to that API)17:16
kmallocfair enough i can work some magic :)17:16
kmalloci need to score those, i was almost done reviewing when i had a phone call17:16
elbragstadthe unified limit patches?17:16
kmallocyeah17:16
elbragstadoh - awesome17:16
kmalloc:)17:17
elbragstadthanks for taking a look17:17
kmalloc:P17:17
elbragstadif we merge those we can hopefully do a release of ksc next week and rev the requirement in osc for CLI support17:17
kmallocyah that would be good.17:17
kmalloci am so looking forward to osc moving to sdk17:17
kmallocftr.17:17
elbragstadthat'd actually make testing all of wxy's stuff alot easier17:17
openstackgerritMerged openstack/keystone master: Clarify complicated sentence in docs  https://review.openstack.org/57426617:19
kmallocelbragstad: we need to fix the limits db table17:19
kmallocelbragstad: it's using the UUID as PK17:20
kmallocthat is a _must_ fix this cycle.17:20
* kmalloc grumps.17:20
kmallocI need to write a linting check that fails if someone does that.17:20
kmalloci'm getting tired of arguing the same point. it's bad for the DB to use UUIDs as the PK.17:20
kmallocthe PK needs to be autoinc int, uuid is the user-facing resource.17:21
kmallocid./17:21
kmallocelbragstad: how do we fix this with "no downtime" upgrades... new pivot table, right?17:22
kmallocelbragstad: can we change the "ID" value to "limit_id" on the api17:22
kmallocwhile we're making changes?17:22
*** sonuk has joined #openstack-keystone17:22
kmallocand registered_limit_id17:22
*** germs has quit IRC17:24
*** germs has joined #openstack-keystone17:24
*** germs has quit IRC17:24
*** germs has joined #openstack-keystone17:24
*** germs has quit IRC17:24
*** sonuk_ has quit IRC17:24
*** sonuk_ has joined #openstack-keystone17:25
openstackgerritMerged openstack/oslo.limit master: fix tox python3 overrides  https://review.openstack.org/57395417:27
kmallocelbragstad: -1 on the unified limit, i just want to translate the current "ID" emitted on the wire to "limit_id" and "registered_limit_id"17:28
kmallocrespectively17:28
kmallocnot "id" in the ref.17:28
*** sonuk has quit IRC17:28
kmallocso i can go through and fix the db table(s) to use autoinc int as the "id"17:29
kmallocbehind the scenes for PK purposes and FK purposes.17:29
kmallocbefore we have too much data in the table(s).17:29
kmallocelbragstad: also is it safe to assume we will do a drop/recreate of the table or do i need to jump through hoops for migrating data ?17:30
kmallocelbragstad: also +2 as soon as we adjust what is emitted on the wire for the ID.17:30
*** dave-mccowan has joined #openstack-keystone17:33
elbragstadahh17:35
elbragstadso - id will be autoinc17:35
elbragstadand limit_id/registered_limit_id will be uuid17:35
elbragstadmakes sense17:36
elbragstadis that something we want to track with a bug?17:36
mnaseri've been wrestling this for close to an hour17:41
mnaserkeystonemiddleware keeps making v2.0 requests that obviously 40417:42
mnaserhttps://docs.openstack.org/keystone/queens/admin/identity-auth-token-middleware.html doesn't exactly give me what i need (and im guessing the fact no domain info is here = why it uses v2.0)17:42
elbragstadmnaser: hmm - that's strange, i would have expected the auth_uri ending in /v3 to be enough17:45
*** pcichy has quit IRC17:46
cmurphymight be the missing domain problem?17:46
mnaserwell17:46
mnaseras i speak17:46
mnaseri find this https://docs.openstack.org/keystonemiddleware/queens/api/keystonemiddleware.auth_token.html#configuration17:46
mnaserthats the more appropriate config structure that worked17:46
kmallocelbragstad: yeah i'll spin up the patch for it shortly17:48
cmurphyah you already said you suspected the domain thing17:48
elbragstadwe should probably update https://docs.openstack.org/keystone/queens/admin/identity-auth-token-middleware.html17:48
kmallocelbragstad: just getting some more coffee and then i'll upgrade to a +2.17:48
mnaseryeah that should match, i can push up a patch when i have a second fixing this17:49
kmallocmnaser: sounds good.17:49
elbragstadthanks mnaser17:49
openstackgerritGage Hugo proposed openstack/keystone master: Remove a useless function  https://review.openstack.org/57569417:49
cmurphywe also have stuff like this all over ksm http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/auth_token/_auth.py#n14 i'm kind of surprised stuff works at all17:49
kmalloccmurphy: well, ksa isn't dropping v2 support, but i guess new ksm can drop it now.17:50
*** spilla has quit IRC17:50
* kmalloc adds a bug+task in trello for that17:50
*** spilla has joined #openstack-keystone17:51
*** boris_42_ has joined #openstack-keystone17:53
kmallochttps://bugs.launchpad.net/keystonemiddleware/+bug/177717717:53
openstackLaunchpad bug 1777177 in keystonemiddleware "eliminate v2 keystone support" [Medium,Triaged]17:53
mnaserjackpot on that bug # kmalloc17:54
kmallocmnaser: right?!17:54
kmallocmnaser: only thing better would be 177777117:55
kmallocbut bug #1777771 likely wont be us... because you know.. LP bug numbers :P17:55
cmurphykmalloc: it's not so much that ksm "supports" v2, it's that from a cursory glance it looks like it only uses v2, e.g. here http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/auth_token/_auth.py#n7517:55
kmalloccmurphy: right, and removal of v2.0 support will solve that.17:56
cmurphythere's obviously some other logic that makes it do the right thing based on context17:56
kmallocso it's not confusing17:56
cmurphyright17:56
kmallocand it will eliminate the issue mnaser is having :)17:56
kmallocbecause it doesn't work except the v3 way ^_^.17:56
* kmalloc is happy v2.0 is dead.17:56
kmallocDEAD I SAY!17:56
cmurphykmalloc: is there anything i should include about the flaskification progress in the update email?17:59
kmallochm17:59
kmallocthat is well underway?18:00
kmallocand we'll be starting to move APIs to flask dispatching [handled by the flask framework] this next week18:00
cmurphyokie18:01
*** fiddletwix has joined #openstack-keystone18:06
kmallocelbragstad: i am not looing forward to re-writing @protected =/18:23
kmallocelbragstad: because that is next on the list to do for flaskification18:23
elbragstadit's probably going to be a pain, but i am looking forward to the result18:23
elbragstadi can't wait to see that go away18:24
kmallocso... i *think* the way I'm going to handle it is do an @decorator for *all* methods on a resource [automatic flask thing] that will throw a huge error if enforce isn't called18:24
kmallocand allow for explicit excemptions18:24
kmallocfor unprotected APIs18:24
kmallocalso, this is somewhat hard to write tests for18:25
kmallocthankfully with flask we get MOST coverage for free atm18:25
kmallocok, so ... today: 1) I'll fix limits so we can push that through.18:25
kmalloc2) flaskification ick.18:25
*** rmascena has joined #openstack-keystone18:27
elbragstadthat sounds good18:27
*** raildo has quit IRC18:30
*** r-daneel_ has joined #openstack-keystone18:31
*** r-daneel has quit IRC18:32
*** r-daneel_ is now known as r-daneel18:32
gagehugoelbragstad Is there a reason to keep the templated get_catalog? https://github.com/openstack/keystone/blob/master/keystone/catalog/backends/templated.py#L19618:39
gagehugolooking at https://review.openstack.org/#/c/575704/ now18:40
elbragstadnot that i know of?18:40
elbragstadif v2 was the only thing using it18:40
elbragstadthen it's probably safe to remove, unless it was exposed via the API?18:40
kmallocthe templated catalog was used for some CMS systems18:41
kmallochence the move to yaml18:41
kmallocwith a deprecation cycle on the templated backend18:41
kmallocelbragstad, gagehugo: https://review.openstack.org/#/c/483514/18:41
kmallocand the follow up18:41
gagehugokmalloc that's it18:42
kmalloci'd be inclined to just do the deprecation/new catalog18:42
gagehugoI vaguely remembered seeing something and couldn't remember18:42
kmallocand not remove things from the old templated backend18:42
kmalloci +2 all the work (tests included) on the filesystem catalog, but I don't feel safe +2ing the code as I wrote a huge chunk of it18:42
kmallocwe should also add a .watch/.inotify so changes to the filesystem catalog are loaded18:43
kmalloc(same mechanism as we have for policy.json loading) if it's not already there (I haven't looked inf a few days and don't remember)18:43
*** brad[] has joined #openstack-keystone19:13
*** s10 has joined #openstack-keystone19:14
hrybackido we have anything near as verbose as https://wiki.openstack.org/wiki/Barbican/Policy for keystone?19:16
hrybackiexpanding ^^ as I audit their API. Will be pretty good doc when complete19:16
*** felipemonteiro has joined #openstack-keystone19:17
*** s10 has quit IRC19:21
*** s10 has joined #openstack-keystone19:21
*** s10 has quit IRC19:25
*** felipemonteiro has quit IRC19:30
kmallocelbragstad: i... i think our limit tests are not comprehensive19:32
kmallocelbragstad: because i made changes to the api and nothing broke.19:32
kmallocthis worries me.19:32
elbragstad?19:32
kmalloci made the API translate to "registered_limit_id" and "limit_id" from id19:33
kmallocand nothing broke.19:33
kmallocthat worries me.19:33
elbragstadcan you post what you have/19:33
* kmalloc is digging in more to try and get this change to the proposed patch(es)19:33
elbragstadi'm trying to wrap up the last osc patch19:33
elbragstadfor project limits19:33
kmallocyeah in a few, i'm adding some more asserts first19:33
elbragstadand i should be able to take a look19:34
*** lifeless has joined #openstack-keystone19:34
kmalloci expect i just need to make it explode if 'id' ever leaks out past the driver.19:34
*** mvenesio has quit IRC19:36
kmallocoh i see ugh, no it's always 'id' but we change that in the driver to be something sane, don't wel19:37
kmalloc?19:37
kmallocthats why it didn't break.19:37
*** david-lyle is now known as dklyle19:37
kmallocyeah, "internal_id"19:37
kmallocso.19:37
kmallocelbragstad: no API change needed.19:38
kmallocjust a sql migration19:38
elbragstadnice19:38
kmallocelbragstad: am i allowed to drop the table and recreate it?19:38
kmallocunder the no-downtime constraints19:38
kmallocbasically the FKs are wrong.19:38
kmallocand it might be easier to just re-create the correct structure19:38
elbragstadyou can write data into a second table i think19:39
kmallocugh19:39
kmallocyou know this "no downtime upgrade" is a nightmare to write code around19:39
elbragstadyeah - i know19:39
kmalloci kindof want to just drop the tag and say "we don't do that"19:39
kmalloci'm going to just drop any registered limits on the floor and just use the new table, it's EXPIRIMENTAL we said we might break you19:40
kmallocthis is a case of "we are breaking you"19:40
kmalloc"re-add the limits"19:40
kmallocsince ksc / osc never had code for this yet, i don't feel like that is wrong... please tell me if i need to be nicer to the data19:41
elbragstadcan you just create a new table with the correct schema and port the data to it?19:42
*** pcichy has joined #openstack-keystone19:43
kmallochm. what are we doing with this data structure...19:44
kmallocwe FK on the resource_name?19:44
kmallocthis is so poorly normalized =/19:45
elbragstadprobably has something to do with registered limits and limits being in two different tables19:45
kmallocright, but we're FKing to a non-indexed name column19:45
kmallochttps://www.irccloud.com/pastebin/74y8dUZZ/19:46
kmallocso, we have an unindexed string search for creation of limit19:46
kmallocss19:46
kmallocif we have a bunch of registered_limits this is going to get ugly19:46
kmallocor we need to index the resource_name columns [fine]19:47
kmallocthat feels like it should be tied to the registered limit, not the registered limit name19:48
kmallocok. so...19:48
kmallocelbragstad: do you want me to just index the name field?19:49
kmallocand.. whoa.19:49
kmallocthere is no unique constraint on registered_limit.resource_name19:49
kmallocso your FK is potentially very wonky.19:50
kmallocelbragstad: and we have issues with non-uniqeness in the sql structure19:51
kmallocbecause the unique constraint of REGION_ID, SERVICE_ID, and RESOURCE_NAME will not be unique in this case:19:52
kmalloc(NULL, SERVICE_ONE, 'cool name')19:52
*** r-daneel has quit IRC19:52
kmalloci can add an indefinite number of those records, because mysql does not consider NULL for uniqueness.19:52
kmallocelbragstad: this is a lot of fixing that is needed.19:53
kmallocand we do a ton of queries on unindexed columns.19:54
elbragstadhnmmm19:56
elbragstadalright - lemme finish this thing up quick and you'll have more of my attention19:56
kmallocyeah19:57
elbragstadsorry - these osc unit tests broke my brain yesterday19:58
elbragstadit's like inception but with mocks19:58
kmallocwell, fwiw, i wouldn't land OSC/KSC changes until we fix the limits stuff19:59
kmallocas it stands, i don't think we should expose this to a wider audience right now.19:59
*** s10 has joined #openstack-keystone19:59
kmallocand yeah OSC is mock-hell in tests.19:59
elbragstadit could be just that i'm not accustomed to using them20:00
elbragstadwe don't rely on mocks a whole lot in keystone, so going to a project that does is a change of pace20:01
elbragstadkmalloc: for the unified limit stuff20:01
elbragstadwe should set aside some time with wxy to walk through stuff so we're all on the same page20:02
elbragstadas far as the improvements we want to make20:02
kmallocright.20:02
elbragstadbetween the three of us, i'm sure we could get a lot of it squared away20:02
kmallocif you have a few moments this might justify high-bandwidth20:02
*** lifeless has quit IRC20:02
kmallocso i can maek sure things are/aren't intended before consuming wxy's time20:03
*** lifeless has joined #openstack-keystone20:03
kmallocif it's intended and we can fix it easily, i'll just propose fixes.20:03
elbragstadyeah20:04
kmalloclet me know when you have a few/done with OSC20:04
elbragstadok - just about to wrap things up20:04
kmalloci'll hangout and show you what i'm running into and we can make a plan from there (and how deep of enhancements we need) - and we can type results into irc20:05
kmalloc s/hangout/start a hangout/20:05
kmallocis it really only 1pm. it feels like it should be 6pm already (maybe being up at 4am does that)20:07
elbragstadi hear ya..20:08
kmallocswitching computers so i can share screen more easily20:11
elbragstadjust about done20:26
kmallockk20:26
elbragstadtrying to hurry20:26
kmallocLOL20:26
*** r-daneel has joined #openstack-keystone20:27
*** zxy has quit IRC20:34
*** lifeless has quit IRC20:49
elbragstadok - omw20:49
kmallock20:50
*** lifeless has joined #openstack-keystone20:50
elbragstadlinkL20:51
elbragstad?20:51
*** r-daneel has quit IRC20:54
*** r-daneel has joined #openstack-keystone20:54
*** rmascena has quit IRC20:54
openstackgerritMerged openstack/python-keystoneclient master: Remove PyPI downloads  https://review.openstack.org/57327921:08
*** AlexeyAbashkin has quit IRC21:13
elbragstadhttps://etherpad.openstack.org/p/keystone-weekly-meeting21:26
*** edmondsw has quit IRC21:29
*** r-daneel has quit IRC21:39
*** spilla has quit IRC21:44
*** lifeless has quit IRC22:01
elbragstadthere must be a check somewhere that protects the case we thought we'd be able to hit http://paste.openstack.org/show/723566/22:05
elbragstadkmalloc: ^22:06
kmallocmight be that extra FK table_arge22:06
*** felipemonteiro has joined #openstack-keystone22:07
kmallocbut it's still super odd22:08
elbragstadsure - but it might just be internal cleanup?22:08
kmallocright. might not have the broken issues22:09
kmallocand we do need to index anything we search on anyway22:10
kmallocregardless22:10
elbragstadtrue22:12
*** martinus__ has quit IRC22:13
kmallocadded tags to the etherpad22:13
kmallocso it's clear what comes out of this.22:13
elbragstadsweet22:16
*** dave-mccowan has quit IRC22:48
*** lifeless has joined #openstack-keystone22:49
*** edmondsw has joined #openstack-keystone22:50
*** edmondsw has quit IRC22:55
knikolladouble checking before i spend too much time debugging this23:02
knikolladoes listing implied roles work from osc?23:02
knikollaI get AttributeError: 'RoleManager' object has no attribute 'list_inference_roles'23:03
elbragstad?23:04
elbragstadthat seems like a programming error?23:04
knikollaelbragstad: that, or something weird on my install. have a devstack handy to test?23:05
knikollanevermind, it's a programmer error23:07
knikollahttps://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v3/roles.py#L41823:07
knikollait's using RoleManager, which has the method called list_role_inferences23:07
knikollabut it's calling list_inference_roles (which is in InferenceRuleManager)23:08
knikollahttps://github.com/openstack/python-openstackclient/blob/aa4cdf1dc8050cc91bdd3a871de3edf4ff67033d/openstackclient/identity/v3/implied_role.py#L12823:08
elbragstadahhh23:09
knikollaI'll have a patch for osc tonight23:09
knikollaI'm writing the docs for implied roles also23:10
knikollaso kinda have to have a functional osc to get output23:10
elbragstadthat works23:10
*** gyee has quit IRC23:24
elbragstadand i'm done with osc for the day https://review.openstack.org/#/q/topic:bp/unified-limits+status:open+project:openstack/python-openstackclient23:40
*** s10 has quit IRC23:59
*** s10 has joined #openstack-keystone23:59
« Thursday, 2018-06-14 Index Saturday, 2018-06-16 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!