Friday, 2018-06-29

« Thursday, 2018-06-28 Index Saturday, 2018-06-30 »
*** gyee has quit IRC00:32
*** Dinesh_Bhor has joined #openstack-keystone00:37
*** masber has joined #openstack-keystone00:58
*** gagehugo has joined #openstack-keystone01:30
*** itlinux has joined #openstack-keystone01:43
*** liuzz has joined #openstack-keystone01:52
*** liuzz_ has quit IRC01:54
*** hoonetorg has quit IRC01:57
*** hoonetorg has joined #openstack-keystone01:57
*** tonytan4ever_brb has joined #openstack-keystone01:58
*** itlinux has quit IRC01:58
*** tonytan4ever has quit IRC02:01
gagehugokmalloc: ack02:22
openstackgerritNeha Alhat proposed openstack/keystonemiddleware master: Register session conf options from keystoneauth  https://review.openstack.org/57800803:13
*** liuzz_ has joined #openstack-keystone03:31
*** liuzz has quit IRC03:32
*** itlinux has joined #openstack-keystone03:32
*** itlinux has quit IRC03:37
*** sheel has joined #openstack-keystone03:39
*** alex_xu has quit IRC04:15
*** alex_xu has joined #openstack-keystone04:15
*** masber has quit IRC04:29
*** AlexeyAbashkin has joined #openstack-keystone04:48
*** vishakha has quit IRC05:02
openstackgerritAdrian Turjak proposed openstack/keystone master: [WIP] Implement auth receipts spec  https://review.openstack.org/57228605:04
openstackgerritAdrian Turjak proposed openstack/keystone master: [WIP] Implement auth receipts spec  https://review.openstack.org/57228605:13
*** vishakha has joined #openstack-keystone05:16
*** pcaruana has joined #openstack-keystone05:20
adriantcmurphy, lbragstad, kmalloc: auth receipt patch is up, still 'wip' because there are some small bits in the unit tests that I'm not entirely sure of, but it is mostly done with unit tests for the auth part as a whole in test_v3_auth and provider unit tests that are mostly a copy and paste from token provider tests05:23
adriantfeedback appreciated, and I still haven't had the chance to manually test the damn thing in a devstack... so that's my Monday plan.05:24
openstackgerritMerged openstack/keystone master: Add new "How Can I Help?" contributor guide  https://review.openstack.org/57881405:44
openstackgerritMerged openstack/keystone master: Migrate all password hashes to the new location if needed  https://review.openstack.org/57666005:44
*** sheel has quit IRC05:45
*** AlexeyAbashkin has quit IRC05:51
*** parthiban has joined #openstack-keystone05:54
parthibanhello all. Can someone explain me key revocation system of OpenStack as given in https://wiki.openstack.org/wiki/Security/Guidelines#key_revocation?05:54
*** AlexeyAbashkin has joined #openstack-keystone06:01
*** vishakha has quit IRC06:06
openstackgerritMorgan Fainberg proposed openstack/keystone master: Add support for enforce_call to set value on flask.g  https://review.openstack.org/57818906:07
openstackgerritMorgan Fainberg proposed openstack/keystone master: Update Scaffolding (flask) for json home documents  https://review.openstack.org/57819006:07
*** nicolasbock has joined #openstack-keystone06:10
*** Alexey_Abashkin has joined #openstack-keystone06:13
*** AlexeyAbashkin has quit IRC06:15
*** Alexey_Abashkin is now known as AlexeyAbashkin06:15
*** vishakha has joined #openstack-keystone06:19
*** sonuk has joined #openstack-keystone06:24
openstackgerritwangxiyuan proposed openstack/keystone-tempest-plugin master: Clean up the auto generated domain  https://review.openstack.org/57906306:25
*** sonuk_ has quit IRC06:27
*** AlexeyAbashkin has quit IRC06:33
*** martinus__ has joined #openstack-keystone06:35
cmurphyadriant: awesome06:40
*** sapd__ has joined #openstack-keystone06:42
*** sapd_ has quit IRC06:42
*** tonytan4ever_brb has quit IRC06:44
*** sapd__ has quit IRC06:44
*** sapd__ has joined #openstack-keystone06:45
cmurphyparthiban: ask in #openstack-security or attend their meeting http://eavesdrop.openstack.org/#Security_SIG_meeting06:45
parthibanthanks cmurphy06:45
*** annp has quit IRC06:51
*** sapd_ has joined #openstack-keystone06:52
*** annp has joined #openstack-keystone06:52
*** vrv_ has joined #openstack-keystone06:54
*** Dinesh_Bhor has quit IRC06:54
*** sapd__ has quit IRC06:54
*** annp has quit IRC06:57
*** amoralej|off is now known as amoralej07:07
*** tesseract has joined #openstack-keystone07:10
*** annp has joined #openstack-keystone07:11
openstackgerritwangxiyuan proposed openstack/keystone-tempest-plugin master: Clean up the auto generated domain  https://review.openstack.org/57906307:14
openstackgerritwangxiyuan proposed openstack/keystone master: Add auto increase primary key for unified limit  https://review.openstack.org/57602507:23
openstackgerritwangxiyuan proposed openstack/keystone master: Add registered_limit_id column for limit  https://review.openstack.org/57775107:23
*** tosky has joined #openstack-keystone07:32
*** ispp has joined #openstack-keystone07:37
*** ispp has quit IRC07:55
openstackgerritMerged openstack/keystone master: Fix keystone-manage mapping_purge with --type option  https://review.openstack.org/55439707:59
openstackgerritMerged openstack/keystone master: Add Flask-RESTful and update flask minimum(s)  https://review.openstack.org/57441407:59
openstackgerritMerged openstack/keystone master: Implement scaffolding for Flask-RESTful use  https://review.openstack.org/57441507:59
*** d0ugal has joined #openstack-keystone08:02
*** ispp has joined #openstack-keystone08:14
openstackgerritwangxiyuan proposed openstack/keystone-tempest-plugin master: Clean up the auto generated domain  https://review.openstack.org/57906308:18
*** mvk has quit IRC09:20
*** neha_alhat has joined #openstack-keystone09:45
neha_alhatcmurphy: The zuul check is not working on this patch https://review.openstack.org/#/c/578008/, is it because of circular dependency set?09:47
cmurphyneha_alhat: correct, zuul won't allow circular dependencies09:47
neha_alhatcmurphy: can you guide be what can be done in this case09:49
cmurphyneha_alhat: in the general case, there's usually a way to do a three or four-step patch series such that there are backwards compatible intermediate steps and finally cleanup steps10:01
cmurphybut in this case, I think the fact that glance is breaking is an indication that this is a breaking change, we can't just remove those options10:02
cmurphyother projects are likely to be in a similar position, not just glance10:02
cmurphyplus there is this: http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/auth_token/__init__.py#n91910:02
*** mvk has joined #openstack-keystone10:05
*** ispp has quit IRC10:07
neha_alhatcmurphy: In such circular dependency case, what exact steps do I need to take to avoid failure?10:11
neha_alhatcmurphy: I am not clear about this: way to do a three or four-step patch series such that there are backwards compatible intermediate steps and finally cleanup steps10:12
cmurphyneha_alhat: it doesn't matter because I think this needs a different solution, I don't think working around the circular dependency is the answer10:18
cmurphybut I don't have a precise solution to give you right now, I'll need to dig into it10:18
*** ispp has joined #openstack-keystone10:19
neha_alhatcmurphy: there is an alternative solution to this that is mentioned in commit message of https://review.openstack.org/#/c/578008/10:20
neha_alhatcmurphy: I can directly register spli_logger conf option like other options(insecuare, cafile)10:20
cmurphyneha_alhat: that might work better10:21
neha_alhatcmurphy: ok, thanks10:21
*** ispp has quit IRC10:34
*** linkmark has joined #openstack-keystone10:50
*** mvk has quit IRC10:52
*** ispp has joined #openstack-keystone10:58
*** d0ugal_ has joined #openstack-keystone11:03
*** d0ugal has quit IRC11:05
*** edmondsw has joined #openstack-keystone11:32
*** tonytan4ever has joined #openstack-keystone11:36
*** annp has quit IRC11:39
*** ispp has quit IRC11:43
*** ispp has joined #openstack-keystone11:45
openstackgerritMerged openstack/keystone master: Keystone adheres to public_endpoint opt only  https://review.openstack.org/57450212:09
*** d0ugal_ has quit IRC12:15
*** d0ugal_ has joined #openstack-keystone12:16
openstackgerritMerged openstack/keystone master: pycrypto is not used by keystone  https://review.openstack.org/57883312:17
*** liuzz_ has quit IRC12:19
*** raildo has joined #openstack-keystone12:22
*** rcernin has quit IRC12:29
*** tonytan4ever has quit IRC12:36
*** mvenesio has joined #openstack-keystone12:45
*** peereb has joined #openstack-keystone12:46
*** openstackgerrit has quit IRC12:49
*** mvenesio has quit IRC12:51
*** jmlowe has quit IRC12:58
cwrightHi, I noticed in the comment above the `notification_opt_out` setting there is a message that says:13:04
cwright -- "By default, all notifications related to authentication are automatically suppressed."13:04
cwrightHow do I unsuppress these notifications related to authentication?13:04
*** openstackgerrit has joined #openstack-keystone13:05
openstackgerritMerged openstack/keystone master: Refactor trust roles check  https://review.openstack.org/57850913:05
*** d0ugal_ has quit IRC13:12
*** amoralej is now known as amoralej|lunch13:13
*** d0ugal has joined #openstack-keystone13:13
*** d0ugal has quit IRC13:13
*** d0ugal has joined #openstack-keystone13:13
openstackgerritMerged openstack/keystone master: Simple usage docs for implied roles  https://review.openstack.org/57591113:17
cmurphycwright: the default value for notifications to out out of is the list [identity.authenticate.success, identity.authenticate.pending, identity.authenticate.failed], so if you do want to opt in to those notifications you'd set notification_opt_out explicitly to empty13:20
*** bhagyashris_ is now known as bhagyashris13:21
cwrightcmurphy: thank you.  I have a followup question:13:21
cwrighthttps://docs.openstack.org/ceilometer/queens/admin/telemetry-measurements.html#openstack-identity13:21
cwrightam i correct in understanding that these are the only 3 meters emitted via notifications?13:22
cmurphycwright: hrm no i don't think so, I think we emit notifications for every API action13:25
cmurphyhttps://docs.openstack.org/keystone/latest/advanced-topics/event_notifications.html13:25
cmurphyhttps://docs.openstack.org/keystone/latest/advanced-topics/event_notifications.html#supported-events13:25
cwrightcmurphy: thanks. this has been quite confusing because it seems that by default keystone suppresses the only 3 metrics that ceilometer tracks for identity.13:27
cmurphythat is confusing13:28
cmurphyI'm not sure why that is13:28
cmurphylbragstad: knikolla I wasn't at any of the edge meetings this week, did anything happen in them worth mentioning in https://etherpad.openstack.org/p/keystone-team-newsletter ?13:34
lbragstadcmurphy: we just stepped through how federation works13:36
lbragstadspecifically the authentication path because people wanted to know how it would be affected by site connectivity issues (e.g. a deployment losing contact with the identity provider)13:37
*** mvk has joined #openstack-keystone13:37
lbragstadpretty much what was recapped in http://lists.openstack.org/pipermail/edge-computing/2018-June/000304.html13:38
cmurphyokay cool13:39
cmurphyyour end_date is in my past13:54
lbragstadoh - good call13:54
cmurphyi was using start_date = 'June 23, 2018 12:00 AM CST' end_date = 'June 29, 2018 11:59 PM CST' but i've never been sure if i was off by one on either end13:54
*** jistr is now known as jistr|mtg13:54
cmurphyalso i didn't have the oslo libs13:54
lbragstadhttp://paste.openstack.org/show/724598/13:56
cmurphylgtm13:57
*** ispp has quit IRC13:57
* cmurphy runs away for a bit14:00
openstackgerritLance Bragstad proposed openstack/oslo.policy master: Bump sphinx to match lower requirements  https://review.openstack.org/57916914:08
*** jistr|mtg is now known as jistr14:09
*** d0ugal has quit IRC14:15
*** d0ugal has joined #openstack-keystone14:16
*** amoralej|lunch is now known as amoralej14:22
openstackgerritMorgan Fainberg proposed openstack/keystone master: Address minor comments to 404 error detection  https://review.openstack.org/57821614:24
*** ispp has joined #openstack-keystone14:29
*** spilla has joined #openstack-keystone14:33
gagehugoo/14:36
* kmalloc dozes more.14:37
*** ispp has quit IRC14:40
*** ninag has joined #openstack-keystone14:43
*** ninag has quit IRC14:43
knikollao/14:46
*** d0ugal has quit IRC14:55
*** josecastroleon has quit IRC14:56
*** josecastroleon has joined #openstack-keystone14:56
hrybackio/15:00
*** d0ugal has joined #openstack-keystone15:01
*** josecastroleon has quit IRC15:01
*** alex_xu has quit IRC15:06
*** alex_xu has joined #openstack-keystone15:09
*** openstack has quit IRC15:22
*** openstack has joined #openstack-keystone15:23
*** ChanServ sets mode: +o openstack15:23
*** d0ugal has quit IRC15:23
*** gyee has joined #openstack-keystone15:24
*** afazekas is now known as afazekas|pto15:29
*** felipemonteiro has joined #openstack-keystone15:29
*** kashyap has joined #openstack-keystone15:30
kashyapHi folks, what is the default expiry time of a Keystone token?15:30
* kashyap goes in search of docs meanwhile15:30
gagehugokashyap one hour I think15:31
kashyapgagehugo: I see, thanks.  Wonder where in the source I can look at it?15:31
gagehugohttps://github.com/openstack/keystone/blob/master/keystone/conf/token.py#L4715:31
*** d0ugal__ has joined #openstack-keystone15:32
* kashyap clicks15:32
kashyapgagehugo: Most excellent; thanks15:32
*** d0ugal_ has quit IRC15:32
*** fiddletwix has quit IRC15:42
*** tesseract has quit IRC15:42
*** d0ugal__ has quit IRC15:42
*** parthiban has quit IRC15:46
*** edmondsw has quit IRC15:48
*** fried_rice has joined #openstack-keystone15:51
kmallocgagehugo: o/15:51
fried_riceHowdy folks.  This bug https://bugs.launchpad.net/nova/+bug/1778498 is currently assigned to nova, but I think y'all would be better qualified to have a first look at it.  Would you mind?15:51
openstackLaunchpad bug 1778498 in OpenStack Compute (nova) "cannot launch instance" [Undecided,New]15:51
*** edmondsw has joined #openstack-keystone15:52
knikollafried_rice: no adapters for htpp://15:54
knikollathere's a typo in the url15:54
fried_riceoh, dang, nice spot knikolla, thanks.15:54
fried_riceknikolla: Forgive my ignorance - does that URL come from a service catalog entry?15:55
fried_ricei.e. a user error, not a code bug?15:55
knikollafried_rice: catalog entry or nova.conf15:55
fried_ricebeaut, thank you.15:55
*** kashyap has left #openstack-keystone15:59
*** jenglisch_ has joined #openstack-keystone16:02
*** rledisez has quit IRC16:09
*** szaher has quit IRC16:09
*** mugsie has quit IRC16:09
*** adriant has quit IRC16:09
*** yuxin_ has quit IRC16:09
*** zigo has quit IRC16:09
*** baffle has quit IRC16:09
*** jenglisch has quit IRC16:09
*** lbragstad is now known as elbragstad16:11
*** toddnni has quit IRC16:12
*** fiddletwix has joined #openstack-keystone16:13
*** rledisez has joined #openstack-keystone16:14
*** szaher has joined #openstack-keystone16:14
*** mugsie has joined #openstack-keystone16:14
*** adriant has joined #openstack-keystone16:14
*** yuxin_ has joined #openstack-keystone16:14
*** zigo has joined #openstack-keystone16:14
*** baffle has joined #openstack-keystone16:14
*** toddnni has joined #openstack-keystone16:14
*** knikolla[m] has quit IRC16:18
*** lbragstad[m] has quit IRC16:18
*** ayoung has quit IRC16:22
*** spilla has quit IRC16:38
*** pcaruana has quit IRC16:40
*** fried_rice is now known as fried_rolls16:51
openstackgerritLance Bragstad proposed openstack/keystone master: Remove token bind capabilities  https://review.openstack.org/57752416:54
openstackgerritLance Bragstad proposed openstack/keystone master: Introduce new TokenModel object  https://review.openstack.org/55912916:54
openstackgerritLance Bragstad proposed openstack/keystone master: Add serialization for TokenModel object  https://review.openstack.org/57843416:54
openstackgerritLance Bragstad proposed openstack/keystone master: Simplify the token provider API  https://review.openstack.org/54545016:54
openstackgerritLance Bragstad proposed openstack/keystone master: Remove remnants of token bind  https://review.openstack.org/57843516:54
openstackgerritLance Bragstad proposed openstack/keystone master: Cleanup keystone.token.providers.common  https://review.openstack.org/57750716:54
openstackgerritLance Bragstad proposed openstack/keystone master: Remove KeystoneToken object  https://review.openstack.org/57756716:54
*** spilla has joined #openstack-keystone16:57
*** lbragstad[m] has joined #openstack-keystone17:01
*** openstack has quit IRC17:11
*** openstack has joined #openstack-keystone17:12
*** ChanServ sets mode: +o openstack17:12
*** knikolla[m] has joined #openstack-keystone17:13
*** felipemonteiro has quit IRC17:19
*** david-lyle has joined #openstack-keystone17:53
*** dklyle has quit IRC17:56
*** dklyle has joined #openstack-keystone17:57
*** david-lyle has quit IRC17:58
kmalloclbragstad[m], knikolla, this ugly stack to get flask support in place is starting to wind down :)17:59
kmallocyay.17:59
elbragstadkmalloc: ++18:01
elbragstadi might need some input on testing the TokenHandler cache bit18:01
elbragstadi'm also going to review the unified limit migrations today18:01
kmallocsure thing.18:02
kmallocthe cache testing is hard(tm) to do right18:02
elbragstadyeah18:02
kmallocbut basically, always test cache, cached value, backend, invalidated, and pre-invalidated18:02
elbragstadbut all patches in that series should be ready for review up to that point and even after that18:02
*** jmlowe has joined #openstack-keystone18:02
kmalloci'll get some eyes on them in a short bit.18:02
kmallocmy hope is we can get the RBAC Enforcer landed before the token bits [sorry]18:03
elbragstadmeh - that's fine..18:03
kmalloci think adding a couple lines to your code is going to be a bit more straightforward.18:03
elbragstadit gets the policy stuff that hrybacki wants to do going, too18:03
kmallocyep18:04
elbragstadbrb18:04
hrybackieyyy irccloud let me know I was mentioned :')18:05
*** kmalloc is now known as vmalloc18:06
hrybackikmalloc: elbragstad I'm in the Canadian mountains Sunday->Thursday next week. Anything y'all need my eyes on today/tomorrow?18:06
*** vmalloc is now known as kmalloc18:06
*** raildo has quit IRC18:06
*** raildo has joined #openstack-keystone18:07
kmallochm18:08
kmallocwell technically i am on vacation tomorrow->week from Sunday.18:08
kmallocsoooo18:08
kmallochrybacki: eyes on the "json_home" to Flask review would be nice.18:10
kmallochrybacki: https://review.openstack.org/#/c/574736/1318:10
kmallocelbragstad: do you mind if i rename keystone.tests.unit.token to keystone.tests.unit.token_subsystem or keystone_tokens18:12
kmallocelbragstad: it means i can run debug within pycharm (somehow "import token" is catching keystone.tests.unit.token =/)18:12
kmallocso the debugger fails.18:12
kmalloci would love to debug things directly in the IDE.18:12
kmallocand "token" is a python module for tokinzation18:13
kmalloctokenization*18:13
*** josecastroleon has joined #openstack-keystone18:15
hrybackiadded to my list kmalloc ! And enjoy your holiday :)18:16
elbragstadkmalloc: i hit something like that recently, but you can get around it with a flag in stestr i think18:35
*** idlemind has joined #openstack-keystone18:37
*** felipemonteiro has joined #openstack-keystone18:38
*** josecastroleon has quit IRC18:40
*** felipemonteiro_ has joined #openstack-keystone18:40
*** felipemonteiro has quit IRC18:44
kmallocelbragstad: except i can't do "debug" test because i am not using stestr when debugging18:45
elbragstadi thought you could pass arguments directly to stestr (e.g. tox -e py27 -- $ARGUMENTS)18:47
kmallocelbragstad: this isn't stestr18:52
kmallocit runs the test outside of "tox" and "stestr"18:52
kmalloci am using interactive debugging.18:53
openstackgerritMorgan Fainberg proposed openstack/keystone master: Rename keystone.tests.unit.token  https://review.openstack.org/57925018:53
kmallocand it imports "token" behind the scenens and fails.18:53
elbragstadahhh18:53
elbragstadnevermind18:53
kmallocyeah.18:53
kmallocit also shouldn't requiring "know this one crazy invocation, just click here" to debug easily ;)18:54
kmalloceven with stestr18:54
kmallocdebugging should be made as easy as possible :18:55
kmalloc:)18:55
*** spilla has quit IRC18:57
*** spilla has joined #openstack-keystone18:58
*** josecastroleon has joined #openstack-keystone18:59
*** felipemonteiro_ has quit IRC19:00
*** vrv_ has quit IRC19:03
*** peereb has quit IRC19:07
kmallocelbragstad: hrm, bah, this isn't really working.19:08
kmallocstill more work to do to enable proper debugging19:08
* knikolla needs more coffee before i wrap up reviewing rbac enforcer19:09
*** d0ugal__ has joined #openstack-keystone19:18
kmallocknikolla: yeah. i know...19:27
kmallocelbragstad: started reviews for tokenmodel19:27
kmallocelbragstad: most is the same as before, so was easy, some suggestions19:28
kmallocelbragstad: i'm at the "simplify" one and taking a break then will hit it again19:28
*** d0ugal__ has quit IRC19:28
elbragstadsweet19:29
*** ayoung has joined #openstack-keystone19:30
kmallocelbragstad: i think you're missing a test case.19:38
kmallocor two or three19:38
kmallocbut adding comments.19:38
kmallocelbragstad: uh.19:41
kmallocelbragstad: DeprecationWarning: Policy enforcement is depending on the value of trustor_id. This key is deprecated. Please update your policy file to use the standard policy values.19:41
kmalloc  DeprecationWarning) is this something wonky with our tests?19:41
kmallocor something inherent to keystone?19:41
elbragstadthat's oslo.context stuff...19:41
elbragstadi think19:41
kmallocright19:42
elbragstadhttps://github.com/openstack/oslo.context/blob/master/oslo_context/context.py#L81 looks familiar19:42
* kmalloc is rooting out deprecation warnings in our tests so we don't have them19:42
kmallocwell at least i have my IDE running unit tests now, sadly it's through tox because it doesn't understand stestr or subunit.19:49
*** spilla has quit IRC19:49
kmallocand running "unittests" is going to take an hour because singlethreaded.19:50
*** josecastroleon has quit IRC19:50
*** edmondsw has quit IRC20:02
*** edmondsw has joined #openstack-keystone20:09
*** fried_rolls is now known as fried_rice20:09
*** edmondsw has quit IRC20:14
kmallocelbragstad: interesting. some of our tests are not as reliable as we'd home.20:17
kmallochope*20:17
kmallocnotably the callback thing(notification registration stuff)20:17
kmallocelbragstad: moving to blinker in flask will be much better20:17
elbragstadgood deal20:17
kmallocknikolla: responded to https://review.openstack.org/#/c/577627/720:21
kmallocknikolla: basically your understanding is correct *and* in a future patch we can update. http_client doesn't implement a 418 or I'd use that (http_client.HTTP_TEAPOT no such attribute) :P20:21
knikollakmalloc: updated to +2.20:25
*** raildo has quit IRC20:26
*** edmondsw has joined #openstack-keystone20:31
*** ayoung has quit IRC21:14
*** martinus__ has quit IRC21:15
*** nicolasbock has quit IRC21:18
elbragstadhttps://review.openstack.org/#/c/576025/12 is pretty solid21:24
elbragstadi tested it a bit locally21:25
*** ayoung has joined #openstack-keystone21:39
elbragstadkmalloc: https://review.openstack.org/#/c/577751/4 looks pretty good to me, too21:41
kmalloc+2 on the pk change21:54
kmalloclooking at the registered_limit code21:55
elbragstadlooks like we'll have to deal with the registered_limit_id being nullable for a release, but that should be ok?21:55
elbragstadwe'll need to make sure we carry logic to handle both cases21:55
kmallocas long as the business logic in code doesn't allow it to be null21:56
kmallocit *can* be null until migrate is rnu21:56
kmallocrun*21:56
kmallocbut it should not be allowed to be null on saves/updates21:56
elbragstadright21:56
elbragstadtechnically the user can't specify a registered limit id on those API21:57
elbragstadAPIs(21:57
elbragstadthey have to specify openstack limit create demo nova cores 4021:57
elbragstadand the `nova cores 40` bit gets resolved to a registered limit21:57
kmallocright21:58
kmalloci think i see a bug in the registered limits code21:58
kmallochelp me step through.21:58
kmalloc1) db_sync expand21:58
kmallocno migration done21:58
kmallocoh wait self.__ blah got it21:59
* elbragstad loves being a rubber duck21:59
kmallocok this is fine.21:59
kmallocwe probably should write to the old locations as well for now22:00
kmallocand the data migrate should find the right registered limit22:00
elbragstadyeah22:00
kmallocoh wait no, migrate is done before everything is on <new>22:00
kmallocsigh22:00
ayoungwhat are we using for a MySQL library?  I don't see it in requirements22:00
kmallocpymysql22:00
elbragstadyeah22:00
kmallocelbragstad: ok so migrate is in Stien.22:00
elbragstadcorrect22:00
elbragstadthis migration is just creating the new column22:00
kmallocbut stien can also skip the 4-phase thing we have now22:01
kmalloci think...22:01
kmalloccan't it?22:01
kmalloccan we Rocky-> New column and everything is run in both places22:01
elbragstadi'm not sure what the 4-phase thing is22:01
ayoungdoes /opt/stack/keystone/lower-constraints.txt  work like requirements?  It has to be in one or the other?22:01
kmallocStien -> Migrate Data and only reference new location22:01
kmallocayoung: lower-constraints is communicating the minimum, in the g-r repo, upper-constraints communicates the "current/max"22:02
ayoungkmalloc, and requirements is going away?22:02
kmallocso keystone's minimum might be different than <project> but everything has the same maximum22:02
kmallocno.22:02
kmallocrequirements is still needed.22:02
kmallocelbragstad: so, back to what i was typing22:03
kmallocelbragstad: Rocky -> write to both locations.22:03
kmallocelbragstad: Stien -> write to new only, migrate any data that hasn't been, constract the table22:03
elbragstadmmmk22:03
kmallocelbragstad: vs Rocky -> write to both, stien migrante, T -> contract22:03
kmalloci think we can just do the wrap up 100% in stien22:04
kmallocayoung: requirements.txt is just less complex, and we do test with the lower-constraints in a job (explicitly).22:04
elbragstadthe only reason we can't do the migrate in Rocky is because we could miss a limit being created by a Queens node during the migration, right?22:04
kmallocright.22:04
elbragstadso we want until we're all the way on Rocky..22:05
elbragstadbefore doing the migrate22:05
kmallocand that is because our steps don't involve "make sure everything is on rocky before running db_sync migrate"22:05
elbragstadok22:05
elbragstadthat seems fine22:05
ayoungkmalloc, elbragstad   Hey, I'm writing a policy editing tool as a Flask service.  Do you think Keystone will host it once I get it functional?  Probably going to get to POC level then turn over to hrybacki and Ozz22:05
kmallocwhere rocky could read from both but only write to <new>, contract would still be in stien22:06
kmallocayoung: depends on usefulness (generallly speaking) and where it fits in to things22:06
ayoungIdea is that it will not be expected to be running after deployment is up22:06
elbragstadthen when Stein opens for development we'll migrate any remaining entries, then drop the old columsn22:06
kmallocelbragstad: right.22:06
elbragstadok - yeah, that makes sense22:06
elbragstadayoung: i'd be interested in playing with it a bit22:06
kmallocelbragstad: stien will only ever look at the new place, and the "migrate" will catch anything missed.22:06
ayoungkmalloc, I'm writing it as an aid to deployers. So, I plan on tying it in with Tripleo undercloud maybe22:07
kmallocayoung: i can't say for sure one way or another until it's more than "i have an idea"22:07
kmalloc:)22:07
ayoungOK...I'll keep hacking22:07
kmallocbut i don't see why it couldn't be part of keystone if it is generally useful22:07
elbragstadkmalloc: and because migrate is run before standing up the next release, we should be good22:07
kmallocand you know, meets other critiera.22:07
ayoungkmalloc, well I do have this, too:  http://adam.younglogic.com/2018/06/requirements-for-an-openstack-access-control-policy-management-tool/22:07
kmallocelbragstad: exactly22:07
elbragstadok22:07
kmallocayoung: i know, i've seen that :)22:07
ayoung++22:07
kmallocayoung: i'm just being cautious. if i say "YES!" and it's bad, i don't want to have to reverse my decision22:08
kmalloci don't expect it to be bad ;)22:08
ayoungOK,  anyway, that is what I am asking for help on, in case it was not clear.  I'm also hacking in a RHEL system as my dev worksation, and it makes things a little different22:08
ayoungGoal is to have a demo by Berni22:08
kmalloci will add that i'll want to force a threat analysis on it (up front) before we move it into keystone22:08
ayoungBerlin22:08
kmallocso we can get VMT coverage up-front22:08
kmallocrather than way way way late22:09
ayoungI like that22:09
kmallocbut with it being new, it should be easy(ier) to do things like that22:09
*** ckonstanski has joined #openstack-keystone22:10
kmallocayoung: i expect to have a RHEL box to hack on [sortof] sometime... whenever my new laptop (hahah "end of june, riiiiiight") shows up22:10
kmalloci think they just updated to "end of july" *facepalm*22:10
kmallocthat would be corp-issued22:10
ayoungkmalloc, I just got mine, but I was pretty pro-active about it22:10
ayoungthis is your 3 year refresh>?22:10
kmalloci submitted everything, they keep pushing the dates out22:10
kmallocyes. but i was given a >1yr old laptop when i joined22:11
kmallocso, technically it is before 3yrs22:11
ayoungTHis thing is a brick...P50.22:11
kmalloci tried to get a P50.22:11
kmallocit was denied.22:11
ayoungWTAF22:11
kmallocautomatically even though my manager approved it22:11
kmallocyeah. so i went X1C6th22:11
kmallocand i'm going to use it as a RHEL target to check things on22:11
ayoungkmalloc, I'm gobsmacked22:12
kmallocnah, i was also informed it was going to be 2-3months lead to get a p5022:12
kmallocso, i might get a p52, but they haven't certified those.22:12
kmallocsooooooooo22:12
ayoungWow, I must have snuck in under the wire22:12
kmalloci think this is one of those "bad timing"22:12
ayoungI was just barely inside the refresh window, but old machine was acting up22:13
kmallocit's ok, i want to see how RH deals with C0s3 sleep state22:13
kmallocmy guess is the X1C6 is going to be a 4-10W sleep state22:13
kmalloc[absurd]22:13
kmalloci got a bunch of "REFRESH OR ELSE" emails :P22:14
ayoungwhat is the protocol for the SQL url?  I left my working keystone.conf on my old laptop22:14
ayoungsqlalchemy.url = mysql://posse:posse@172.17.0.2/posse22:14
kmallocpy+mysql i think.22:14
ayoungI feel like there was something else there22:14
kmallocmysql+pymysql22:14
kmallocthere we go22:15
kmallocthat22:15
kmallocit says "talk MySQL" and use "pymysql" as the lib22:15
kmallocvs mysqldb22:15
kmalloci knew it had a + in there :)22:15
ayoungkmalloc, TYVM that worked22:18
ayoungand I have an alembic migration now!22:18
openstackgerritLance Bragstad proposed openstack/oslo.policy master: Convert oslo.policy to using stestr  https://review.openstack.org/57929522:20
elbragstadthat should unblock the oslo.policy gates22:20
kmallocayoung: gratz!22:21
kmallocayoung: also alembic is awesome.22:21
*** ckonstanski has quit IRC22:24
openstackgerritMerged openstack/keystone master: Remove unclear wording in parameters  https://review.openstack.org/57723523:13
*** linkmark has quit IRC23:15
ayoungkmalloc, https://github.com/admiyo/posse23:28
ayoungIt is nothing but a placeholder thus far23:28
« Thursday, 2018-06-28 Index Saturday, 2018-06-30 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!