Tuesday, 2018-07-03

*** threestrands_ has joined #openstack-keystone		00:07
*** threestrands_ has quit IRC		00:07
*** threestrands_ has joined #openstack-keystone		00:07
*** threestrands_ has quit IRC		00:08
*** threestrands_ has joined #openstack-keystone		00:09
*** threestrands_ has quit IRC		00:09
*** threestrands_ has joined #openstack-keystone		00:09
*** threestrands has quit IRC		00:10
*** threestrands_ has quit IRC		00:10
*** threestrands_ has joined #openstack-keystone		00:10
*** threestrands_ has quit IRC		00:11
*** threestrands_ has joined #openstack-keystone		00:12
*** threestrands_ has quit IRC		00:13
*** threestrands_ has joined #openstack-keystone		00:13
*** threestrands_ has quit IRC		00:13
*** threestrands_ has joined #openstack-keystone		00:13
*** threestrands_ has quit IRC		00:14
*** threestrands_ has joined #openstack-keystone		00:15
*** threestrands_ has quit IRC		00:15
*** threestrands_ has joined #openstack-keystone		00:15
*** threestrands_ has quit IRC		00:16
*** threestrands_ has joined #openstack-keystone		00:16
*** edmondsw has joined #openstack-keystone		00:23
*** edmondsw has quit IRC		00:28
openstackgerrit	Merged openstack/oslo.policy master: Fix requirements and convert to stestr https://review.openstack.org/579169	00:33
*** blake has quit IRC		00:48
*** blake has joined #openstack-keystone		00:49
*** blake has quit IRC		00:53
*** dklyle has quit IRC		00:55
*** blake has joined #openstack-keystone		01:13
*** masber has joined #openstack-keystone		01:13
*** blake has quit IRC		01:14
*** blake has joined #openstack-keystone		01:16
*** blake has quit IRC		01:17
openstackgerrit	wangxiyuan proposed openstack/keystone master: Add auto increase primary key for unified limit https://review.openstack.org/576025	01:30
*** tonytan4ever has joined #openstack-keystone		01:35
*** tonytan4ever_brb has quit IRC		01:38
*** annp has joined #openstack-keystone		01:52
*** blake has joined #openstack-keystone		01:55
*** blake has quit IRC		01:55
*** mylu has quit IRC		01:57
*** tonytan4ever has quit IRC		01:57
*** tonytan4ever has joined #openstack-keystone		01:57
*** mylu has joined #openstack-keystone		02:21
*** tonytan4ever_brb has joined #openstack-keystone		02:39
*** tonytan4ever has quit IRC		02:41
*** tonytan4ever_brb has quit IRC		02:41
*** tonytan4ever has joined #openstack-keystone		02:42
*** mylu has quit IRC		02:43
*** felipemonteiro has joined #openstack-keystone		02:50
*** felipemonteiro has quit IRC		02:58
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Add support for enforce_call to set value on flask.g https://review.openstack.org/578189	03:10
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Address minor comments from initial impl RBACEnforcer https://review.openstack.org/579342	03:10
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Flesh out and add testing for flask_RESTful scaffolding https://review.openstack.org/578190	03:10
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Move keystone.server.common to keystone.server https://review.openstack.org/579746	03:10
kmalloc	lbragstad: ^ sorry for another huge change (mostly tests)	03:11
*** felipemonteiro has joined #openstack-keystone		03:30
*** felipemonteiro has quit IRC		03:38
*** tonytan4ever_brb has joined #openstack-keystone		04:14
*** tonytan4_ has joined #openstack-keystone		04:15
*** tonytan4ever_brb has quit IRC		04:15
*** tonytan4ever has quit IRC		04:16
*** vigneshwar has joined #openstack-keystone		04:24
vigneshwar	hello..	04:24
vigneshwar	how a system can automatically revoke the keys when it is compromised ?	04:24
*** threestrands_ has quit IRC		04:25
*** tonytan4_ has quit IRC		04:56
*** tonytan4ever has joined #openstack-keystone		04:57
*** tonytan4ever has quit IRC		05:01
*** tonytan4ever has joined #openstack-keystone		05:31
*** vishakha has quit IRC		05:39
*** edmondsw has joined #openstack-keystone		05:48
*** vishakha has joined #openstack-keystone		05:51
*** edmondsw has quit IRC		05:53
*** vigneshwar has quit IRC		06:10
*** felipemonteiro has joined #openstack-keystone		06:19
*** nicolasbock has joined #openstack-keystone		06:42
*** gongysh has joined #openstack-keystone		06:43
*** openstackgerrit has quit IRC		06:49
*** felipemonteiro has quit IRC		06:49
*** rcernin has quit IRC		06:55
*** martinus__ has joined #openstack-keystone		06:59
*** tesseract has joined #openstack-keystone		07:06
*** sonuk has joined #openstack-keystone		07:07
*** sonuk_ has quit IRC		07:09
*** ispp has joined #openstack-keystone		07:15
*** josecastroleon has joined #openstack-keystone		07:18
*** amoralej\|off is now known as amoralej		07:19
*** vishakha has quit IRC		07:21
*** peereb has joined #openstack-keystone		07:21
*** ispp has quit IRC		07:27
*** openstackgerrit has joined #openstack-keystone		07:29
openstackgerrit	Nguyen Hung Phuong proposed openstack/keystone-specs master: fix tox python3 overrides https://review.openstack.org/579791	07:29
*** vishakha has joined #openstack-keystone		07:33
*** vigneshwar has joined #openstack-keystone		07:36
*** edmondsw has joined #openstack-keystone		07:36
*** edmondsw has quit IRC		07:41
*** ispp has joined #openstack-keystone		07:42
*** cz2 has quit IRC		08:14
*** cz2 has joined #openstack-keystone		08:16
*** mvk has quit IRC		08:28
*** vigneshwar has quit IRC		08:33
*** mvk has joined #openstack-keystone		08:55
*** gongysh has quit IRC		09:03
*** sonuk_ has joined #openstack-keystone		09:04
*** sonuk has quit IRC		09:08
*** edmondsw has joined #openstack-keystone		09:25
*** edmondsw has quit IRC		09:29
*** aloga has joined #openstack-keystone		09:32
*** aloga has quit IRC		09:46
*** nicolasbock has quit IRC		09:55
*** gongysh has joined #openstack-keystone		09:56
*** chrome0 has quit IRC		10:18
openstackgerrit	Merged openstack/oslo.policy master: Pass dictionary as creds in policy tests https://review.openstack.org/578994	10:25
*** mvk has quit IRC		10:35
*** gongysh has quit IRC		11:24
*** aojea_ has joined #openstack-keystone		11:37
*** alee has joined #openstack-keystone		11:43
*** mvk has joined #openstack-keystone		11:45
alee	hey - anyone around that can help me with a devstack install on centos 7 -- I get an error about Unable to find 'uuid' driver in 'keystone.token.provider' when trying to bootstrap keystone	11:46
*** amoralej is now known as amoralej\|lunch		11:46
alee	how do I just tell devstack to use fernet tokens?	11:46
alee	lbragstad, ^^ ?	11:46
alee	ah -- nm - bad setting in loacl,conf	11:49
*** mchlumsky has joined #openstack-keystone		11:57
*** voelzmo has joined #openstack-keystone		11:59
*** aojea_ has quit IRC		12:00
*** chrome0 has joined #openstack-keystone		12:00
*** mchlumsky has quit IRC		12:10
*** raildo has joined #openstack-keystone		12:10
*** mchlumsky has joined #openstack-keystone		12:11
*** aojea has joined #openstack-keystone		12:32
frickler	would it make sense to remove the v2 parts from paste.ini here by default? http://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone-paste.ini#n86	12:34
frickler	seems like that may be confusing for deployers	12:35
frickler	currently they are only dropped in devstack: http://git.openstack.org/cgit/openstack-dev/devstack/tree/lib/keystone#n217	12:35
frickler	I could also see some value in dropping the admin endpoint completely	12:36
*** rmascena has joined #openstack-keystone		12:51
*** raildo has quit IRC		12:51
*** edmondsw has joined #openstack-keystone		13:01
*** ispp has quit IRC		13:02
*** ispp has joined #openstack-keystone		13:06
*** aojea has quit IRC		13:06
*** edmondsw has quit IRC		13:06
knikolla	o/	13:10
*** rmascena__ has joined #openstack-keystone		13:17
*** rmascena has quit IRC		13:20
*** amoralej\|lunch is now known as amoralej		13:25
lbragstad	alee: yep - i think you can tell devstack to override keystone's default, but the default token provider is fernet	13:40
lbragstad	frickler: yeah - we considered doing that this release	13:41
lbragstad	i want to say kmalloc had a patch for it some where?	13:41
alee	lbragstad, yeah - I had overridden to uuid by mistake	13:41
lbragstad	aha	13:41
frickler	lbragstad: oh, there's https://review.openstack.org/#/c/571979/6/etc/keystone-paste.ini , I was looking at an older checkout. so I think you are fine, just might want to amend the devstack code accordingly	13:46
*** jmlowe has quit IRC		13:51
lbragstad	frickler: i'm looking now, but does that cleanup need to happen in lib/keystone?	13:52
kmalloc	lbragstad: hmm?	13:55
kmalloc	frickler: in this release paste-ini is gone	13:56
kmalloc	lbragstad: ^ that already merged.	13:56
kmalloc	well, paste-ini is there, but it is no longer used at all	13:57
lbragstad	yeah	13:57
kmalloc	frickler: https://github.com/openstack/keystone/blob/master/etc/keystone-paste.ini#L1-L5	13:57
kmalloc	we can fix devstack to not care about paste-ini for keystone too.	13:58
kmalloc	i have not spun up a patch for that.	13:58
kmalloc	lbragstad: sorry about the giant flask-restful testing patch.	13:59
kmalloc	lbragstad: but we have full testing of flask bits now.	14:00
kmalloc	lbragstad: but at this point i feel confident i can start converting APIs to flask.	14:02
kmalloc	(our testing will need a lot of cleanup too, but that can be done independantly)	14:02
*** s10 has joined #openstack-keystone		14:04
lbragstad	awesome	14:04
lbragstad	i'll trade you some flask reviews for unified limit reviews :)	14:04
kmalloc	yep	14:07
kmalloc	i think we can land the flask stuff now, the only functionality impacting change is the json_home move to flask	14:07
kmalloc	which was needed as the first step	14:07
kmalloc	anyway, i'm drinking coffee and heat pad on shoulder, can review in a moment	14:08
kmalloc	(unified limits)	14:08
s10	http://lists.openstack.org/pipermail/openstack-dev/2018-May/130415.html — Hello. Will this issue be fixed until rocky release? This is an annoying blocker for the process of upgrading our clouds and some components to queens. We fixed it with reverting commit, but I'm not sure, that this is correct way to solve this issue.	14:08
kmalloc	but i think limits is mostly ready	14:08
kmalloc	s10: i am reading that email. it's super long	14:10
kmalloc	s10: iirc the keystoneauth bit was already fixed.	14:10
frickler	kmalloc: yes, would be great if you could amend devstack to not deploy the paste file if it is not needed anymore. better testing and also folks use devstack as reference for other deployment methods	14:11
kmalloc	s10: trying to remember what the result of the server side discussion was	14:11
lbragstad	s10: i thought mordred had a patch for that	14:11
kmalloc	lbragstad: ksa for sure.	14:11
kmalloc	lbragstad: i think server was... maybe "doing an ok thing" when we talked about it.	14:11
kmalloc	i'll try and refresh my memory here.	14:11
kmalloc	frickler: sure. yeah, we only kept the paste-ini in keystone's sdist so we didn't break triple-o for example.	14:12
kmalloc	frickler: i'll see about getting a fix to devstack here	14:12
mordred	what did I do?	14:14
kmalloc	mordred: nothing, mostly me sucking at vacation ;)	14:14
kmalloc	mordred: was the long email of doom regarding catalog and ksa and internal interfaces	14:14
kmalloc	mordred: we fixed ksa iirc	14:14
mordred	cool. I'll go with that	14:15
kmalloc	frickler: https://review.openstack.org/#/c/579882/	14:17
kmalloc	frickler: don't know if it will work, but that is an initial stab at it.	14:17
frickler	kmalloc: great, I'll be watching the results, thanks	14:18
*** tonytan4ever has quit IRC		14:18
s10	lbragstad, kmalloc: keystoneauth wasn't fixed, I don't see anything in https://review.openstack.org/#/q/project:openstack/keystoneauth relevant to this issue	14:18
*** jmlowe has joined #openstack-keystone		14:18
kmalloc	frickler: if it doesn't work let me know, or feel free to help fix the issues. i have zero issue with someone picking up and helping on a patch.	14:19
kmalloc	s10: i was almost certain we did something about that.	14:19
kmalloc	s10: aha, ok, so i've been rooting around in this code. when the value of public_endpoint is set in keystone.conf it overrides a lot of stuff	14:22
kmalloc	s10: server side, keystone makes a best effort to know what the requesting URL is but for reasons (x-forwarded-for, etc) it doesn't always work.	14:23
kmalloc	in most cases public_endpoint is not needed for keystone, but we also have eliminated the distinction between admin and public endpoints [they are the same wsgi app now, I get there is reason to have internal still though]	14:24
*** rmascena__ has quit IRC		14:24
cmurphy	I think this is the relevant bug (still open) https://bugs.launchpad.net/keystoneauth/+bug/1733052	14:24
openstack	Launchpad bug 1733052 in keystoneauth "Usage of internal URL in clouds.yaml causes a 404" [Undecided,Confirmed]	14:24
kmalloc	cmurphy: yep, i think that is the bug	14:25
kmalloc	the bulk of the issue is ksa	14:25
*** wxy\| has joined #openstack-keystone		14:25
kmalloc	but the "server bug" mordred was referencing is in-fact by design when using "public-endpoint"	14:25
kmalloc	i think the only solution is to run a separate keystone process (same database) with a different "public_endpoint" value if the value must be set (discovery doc)	14:26
kmalloc	the WSGI environment doesn't contain all the knowledge we need to build the "what host did this client request via" all the time.	14:26
mordred	or to use relative paths and not full urls in the discovery doc	14:27
kmalloc	mordred: unfortunately, that is an API Breaking Change(tm)	14:27
mordred	"/v3" is valid for the urls	14:27
mordred	kmalloc: it is? ksa completely supports it as a data value	14:27
kmalloc	mordred: since behavior. - i'm happy to make that change.	14:27
kmalloc	but, would need signoff that we are allowed to break the behavior and implied current contract.	14:27
kmalloc	in the discovery doc*	14:28
kmalloc	server side	14:28
kmalloc	if the discovery doc behaves a certain way right now, it's a breaking change to change the data coming out :P	14:28
kmalloc	like i said, 100% ok changing it with the correct "yes, please do it" [I assume TC?]	14:29
*** mvk has quit IRC		14:29
kmalloc	i think it would be a good change (FTR) to use relative paths.	14:30
kmalloc	i just don't want to run afoul of our API contracts (implied or explicit)	14:30
*** raildo has joined #openstack-keystone		14:30
lbragstad	in case anyone is interested - https://review.openstack.org/#/c/579690/3 should enable some testing jobs for the oslo.limit library	14:32
kmalloc	lbragstad: do you want to add keystone-core to oslo-limit?	14:35
kmalloc	lbragstad: or are we already?	14:35
kmalloc	not related to the infra bits there, obviously	14:35
*** aojea_ has joined #openstack-keystone		14:39
*** kashyap has joined #openstack-keystone		14:42
*** jmlowe has quit IRC		14:43
kashyap	Hi folks, wonder if anyone has clues as to what this error could mean:	14:43
kashyap	2018-06-28 12:25:06.394 [./foobar.neutron-all/var/log/neutron/server.log-20180629] 1167 WARNING keystonemiddleware.auth_token [req-eac3ef0c-e50c-4f60-b895-fbea11ba6a39 afda1fc4262a4dc09190ce0c17e314bc b9d43f27231e4f3a9456f225f8b2c2e7 - - -] Identity response: {"error": {"message": "Could not find token: c779675e926a41f1b62184b15d63e0f5", "code": 404, "title": "Not Found"}}	14:43
* kashyap should probably ask in a different forum, as this is a devel channel		14:44
lbragstad	kmalloc: that's already been done https://review.openstack.org/#/admin/groups/1885,members	14:44
* kashyap wonders if "Could not find token" implies it is a time out error		14:44
lbragstad	i set that up with bnemec when we created the library, is it showing up properly for you?	14:44
*** aojea_ has quit IRC		14:45
openstackgerrit	Merged openstack/oslo.limit master: Convert tox.ini to using stestr https://review.openstack.org/579685	14:45
lbragstad	kashyap: that means the token is either invalid or expired	14:45
*** jmlowe has joined #openstack-keystone		14:45
lbragstad	you should try reauthenticating for a new token	14:46
kashyap	lbragstad: Hmm, it is the one hour keystone token timeout, is it?	14:46
lbragstad	kashyap: that's configurable so it depends on your deployment	14:46
lbragstad	the default is 1 hour though	14:46
kashyap	lbragstad: Yeah, saw it in the code - the 1 hr	14:46
kashyap	lbragstad: In what kinds of deployments people extend the time timeout?	14:47
lbragstad	i'm not quite sure, i would think most people don't extend it	14:47
lbragstad	we don't recommend extending the token expiration time	14:47
kashyap	lbragstad: Nod; thanks for the explanation.	14:47
kashyap	Was debugging a random Nova bug report that trickled down to the above error	14:48
lbragstad	i believe you can configure services to validate tokens that are expired - if you're having issues with long running operations	14:48
lbragstad	(e.g. backups in cinder or uploading images in glance)	14:49
kmalloc	s10: so, yes, we should fix KSA in Rocky, and if possible backport to Queens [it's a bug]. Keystone server is a bit harder to fix.	14:49
kashyap	lbragstad: Yeah, good guess -- it is a long-running operation, a live migration.	14:49
kmalloc	kashyap: yeah, we have a way [i don't know how well uspoorted it is	14:50
kmalloc	to validate a token and ignore the expiration for just such a case	14:50
cmurphy	it is supported	14:50
cmurphy	this is what service tokens are for	14:50
kashyap	Oh, interesting	14:50
lbragstad	kashyap: https://github.com/openstack/keystone/blob/e3d5da0f77e81542bb581936457929253e676508/keystone/conf/token.py#L119	14:50
kmalloc	right, but is there something the service needs to do / be configred to do?	14:50
* kashyap clicks		14:50
*** edmondsw has joined #openstack-keystone		14:51
kmalloc	cmurphy: ^ e.g. does Cinder need to know how to do that.	14:51
kashyap	cmurphy: Where can I read a bit more about service tokens?	14:51
cmurphy	https://specs.openstack.org/openstack/keystone-specs/specs/keystonemiddleware/implemented/service-tokens.html	14:51
kmalloc	aha	14:51
kmalloc	perfect	14:51
cmurphy	we don't see to have actual docs lol	14:51
cmurphy	seem*	14:51
lbragstad	allow_expired_window is the keystone configuration option, but it has a reasonable default already (2 days)	14:51
kmalloc	lbragstad: right.	14:52
kmalloc	cmurphy: phsaw, who needs docs! :P	14:52
lbragstad	jamielennox: did some work to incorporate that into keystonemiddleware	14:52
kmalloc	lbragstad: +2 on the migrations for limits	14:52
cmurphy	the best docs are in the release notes https://docs.openstack.org/releasenotes/keystonemiddleware/ocata.html	14:52
kmalloc	lbragstad: looking at the rest of the stack now	14:53
s10	kmalloc: should we write this resolution about bug fix and backport somewhere, so it will not be forgotten?	14:53
kashyap	cmurphy: Ah, thanks; /me clicks	14:53
kmalloc	s10: we have the bug that cmurphy linked: https://bugs.launchpad.net/keystoneauth/+bug/1733052 can you confirm that is accurate?	14:53
openstack	Launchpad bug 1733052 in keystoneauth "Usage of internal URL in clouds.yaml causes a 404" [Undecided,Confirmed]	14:54
*** BlackDex has quit IRC		14:54
kmalloc	s10: if so, we can prioritize it and get some eyes on it from the keystone team.	14:54
kmalloc	s10: if that is the same bug, it looks like it.	14:54
*** mvk has joined #openstack-keystone		14:55
s10	kmalloc: yes, this is a same bug	14:55
kmalloc	s10: ah i see your comments there.	14:55
*** edmondsw has quit IRC		14:55
kmalloc	cool	14:55
kmalloc	lbragstad: ^ that bug i've moved to "high" prio, we should get it fixed for rocky.	14:56
kmalloc	lbragstad: and probably backport the fix to queens.	14:56
kashyap	lbragstad: Yeah, two days default is plenty	14:57
kashyap	lbragstad: But that config attribute is not _enabled_ by default, is it?	14:58
kashyap	(No, it isn't.)	14:59
lbragstad	kashyap: the two day time is the default	15:00
kmalloc	lbragstad: the service needs to pass ?allow_expired=True when validating	15:00
kmalloc	https://github.com/openstack/keystone/blob/ccda249e4cb628a0fb8fd7832679a07732a3af3b/keystone/common/authorization.py#L84	15:01
kmalloc	so...	15:01
lbragstad	aha - correct	15:01
kmalloc	so, does cinder, nova, etc do that?	15:01
lbragstad	it's opt in, but it is enabled by default	15:01
kmalloc	exactly. this may be a case of "we have the support" and the services just don't do it	15:01
kashyap	How can "opt in" but "enabled by default" be true at the same time?	15:01
* kashyap re-reads to ensure he isn't misreading		15:01
kmalloc	keystone supports it by default	15:02
kmalloc	turned on	15:02
lbragstad	kashyap: keystone server supports validating expired tokens from service users if and only if the call is made with allow_expired=True	15:02
kmalloc	services must opt into validating with expiration allowed	15:02
lbragstad	but just because we turn it on doesn't mean other services are using it yet	15:02
kashyap	lbragstad: Ah, that sentence is much clearer	15:03
*** peereb has quit IRC		15:05
*** gyee has joined #openstack-keystone		15:05
lbragstad	kashyap: trying to not get into the weeds too much	15:06
kashyap	Nod; thanks.	15:06
lbragstad	but it looks like ksm determines whether or not it should set that by https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/__init__.py#L398	15:07
*** voelzmo has quit IRC		15:07
lbragstad	https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/__init__.py#L368-L377	15:07
* kashyap clicks		15:07
lbragstad	which you should be able to tinker with through keystonemiddleware configuration https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_opts.py#L202-L215	15:08
lbragstad	so - i guess to enable that feature, you need to specify which roles are "service user roles"	15:08
lbragstad	which will be in your service configuration file in the [keystone_authtoken] section	15:09
*** felipemonteiro_ has joined #openstack-keystone		15:09
*** felipemonteiro__ has joined #openstack-keystone		15:10
*** felipemonteiro_ has quit IRC		15:14
*** felipemonteiro has joined #openstack-keystone		15:16
*** s10 has quit IRC		15:17
lbragstad	then you'll need to make sure the nova service user has that role assignment	15:17
* lbragstad should probably write this stuff down		15:18
lbragstad	kashyap: https://bugs.launchpad.net/keystone/+bug/1779889	15:24
openstack	Launchpad bug 1779889 in OpenStack Identity (keystone) "Lack of documentation for validating expired tokens with service users" [Medium,Triaged]	15:24
openstackgerrit	Kristi Nikolla proposed openstack/keystone master: Added keystone identity provider installation to Devstack plugin https://review.openstack.org/484121	15:34
*** dklyle has joined #openstack-keystone		15:41
*** nicolasbock has joined #openstack-keystone		15:52
kmalloc	lbragstad: meeting today or cancelled?	15:58
lbragstad	it's still on	15:59
kmalloc	ok	15:59
ayoung	kmalloc, what room again?	16:04
kmalloc	-alt	16:04
kmalloc	#openstack-meeting-alt	16:04
*** felipemonteiro__ has quit IRC		16:11
*** felipemonteiro has quit IRC		16:18
*** tesseract has quit IRC		16:20
openstackgerrit	Merged openstack/keystone master: Add auto increase primary key for unified limit https://review.openstack.org/576025	16:22
*** ispp has quit IRC		16:26
*** aojea has joined #openstack-keystone		16:27
openstackgerrit	wangxiyuan proposed openstack/keystone master: Add registered_limit_id column for limit https://review.openstack.org/577751	16:28
*** aojea has quit IRC		16:32
*** wxy\| has quit IRC		16:38
*** wxy\| has joined #openstack-keystone		16:39
*** amoralej is now known as amoralej\|off		16:45
openstackgerrit	wangxiyuan proposed openstack/keystone master: Delete project limits when deleting project https://review.openstack.org/538371	17:01
lbragstad	#startmeeting keystone-office-hours	17:01
openstack	Meeting started Tue Jul 3 17:01:56 2018 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.	17:01
openstack	Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.	17:01
*** openstack changes topic to " (Meeting topic: keystone-office-hours)"		17:02
*** ChanServ changes topic to "Rocky release schedule: https://releases.openstack.org/rocky/schedule.html \| Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting \| Bugs that need triaging: http://bit.ly/2iJuN1h \| Trello: https://trello.com/b/wmyzbFq5/keystone-rocky-roadmap !!NOTE!! This Channel is Logged ( https://tinyurl.com/OpenStackKeystone )"		17:02
openstack	The meeting name has been set to 'keystone_office_hours'	17:02
*** wxy\| has quit IRC		17:06
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Make keystone.server.flask more interesting for importing https://review.openstack.org/579928	17:11
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Fix keystone.common.rbac_enforcer.__init__.py expoorting https://review.openstack.org/579930	17:14
*** felipemonteiro has joined #openstack-keystone		17:17
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Fix keystone.common.rbac_enforcer.__init__.py exporting https://review.openstack.org/579930	17:19
*** felipemonteiro_ has joined #openstack-keystone		17:21
*** felipemonteiro__ has joined #openstack-keystone		17:23
*** felipemonteiro_ has quit IRC		17:27
*** BlackDex has joined #openstack-keystone		17:29
*** dklyle has quit IRC		17:53
*** edmondsw has joined #openstack-keystone		18:27
*** edmondsw has quit IRC		18:32
*** pcichy has quit IRC		18:46
*** pcichy has joined #openstack-keystone		18:49
*** itlinux has joined #openstack-keystone		18:50
*** felipemonteiro has quit IRC		18:51
*** felipemonteiro__ has quit IRC		19:06
*** felipemonteiro__ has joined #openstack-keystone		19:06
*** dgonzalez has quit IRC		19:14
*** dgonzalez has joined #openstack-keystone		19:16
*** dgonzalez has quit IRC		19:21
*** dgonzalez has joined #openstack-keystone		19:26
*** felipemonteiro_ has joined #openstack-keystone		19:31
*** felipemonteiro__ has quit IRC		19:34
*** felipemonteiro_ has quit IRC		19:37
*** felipemonteiro_ has joined #openstack-keystone		19:37
*** felipemonteiro_ has quit IRC		20:08
*** pcichy has quit IRC		20:10
lbragstad	kmalloc: i worked my way through all flask patches i think	20:15
*** edmondsw has joined #openstack-keystone		20:16
*** felipemonteiro has joined #openstack-keystone		20:17
*** aojea has joined #openstack-keystone		20:21
*** edmondsw has quit IRC		20:21
*** jmlowe has quit IRC		20:26
kmalloc	lbragstad: responded to comments	20:42
kmalloc	lbragstad: specificall the one you -1'd. That is just a double down on policy-in-code	20:42
kmalloc	lbragstad: if a rule isn't defined, we are locked down, it's a safety concern within keystone.	20:42
kmalloc	for security projects (we are one), default closed, open where needed	20:43
lbragstad	i agree about the concern, more or less questioning the backwards compatibility bit?	20:43
kmalloc	i don't think it's backwards incompat	20:43
kmalloc	there is zero reason we have un-accounted for rules with policy-in-code	20:43
kmalloc	or if we do, we should know about it fast	20:43
kmalloc	if we want to reference an action, ensure it is registered	20:45
kmalloc	prior to policy-in-code, the "default open" or "Default closed" was a more reasonable thing to reference	20:45
*** felipemonteiro has quit IRC		20:45
kmalloc	since the definition of the policy itself was in the policy.json	20:46
kmalloc	so, there was a high likelihood of a non-existant action	20:46
kmalloc	with policy-in-code it is impossible (short of a programming error) for a non-existent action	20:46
kmalloc	(an operator can no longer remove an action from policy.json causing a fallback to the default rule)	20:47
*** felipemonteiro has joined #openstack-keystone		20:53
*** raildo has quit IRC		20:54
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Do not use flask.g imported as g https://review.openstack.org/579985	20:55
kmalloc	lbragstad, knikolla, wxy: ^	20:59
*** felipemonteiro has quit IRC		21:02
*** aojea has quit IRC		21:10
openstackgerrit	Lance Bragstad proposed openstack/oslo.policy master: Teach Enforcer.enforce to deal with context objects https://review.openstack.org/578995	21:11
*** martinus__ has quit IRC		21:27
cmurphy	wow this mfa stuff is just completely undocumented http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/backends/resource_options.py#n85	21:38
cmurphy	you have to hunt through the code to find out it's there	21:39
lbragstad	yeah - outside of the original patch, i'm not sure the docs were ever amended https://review.openstack.org/#/c/274901/	21:44
*** felipemonteiro has joined #openstack-keystone		21:55
*** nicolasbock has quit IRC		22:00
*** lbragstad is now known as lbragstad_503		22:02
*** edmondsw has joined #openstack-keystone		22:05
*** rcernin has joined #openstack-keystone		22:09
*** edmondsw has quit IRC		22:09
*** felipemonteiro has quit IRC		22:20
*** dtruong has quit IRC		22:30
*** jmlowe has joined #openstack-keystone		22:36
*** rcernin has quit IRC		22:49
*** rcernin has joined #openstack-keystone		23:02
*** felipemonteiro has joined #openstack-keystone		23:20
*** rcernin_ has joined #openstack-keystone		23:23
*** rcernin has quit IRC		23:24
*** felipemonteiro has quit IRC		23:31
adriant	cmurphy: nope, not at all. It doesn't exists outside of the circle of people who know it from the code :P	23:32
adriant	Which honestly is a good thing until we get the auth receipts done, because using it as is was messy anyway	23:33
*** felipemonteiro has joined #openstack-keystone		23:36
*** felipemonteiro has quit IRC		23:49
*** edmondsw has joined #openstack-keystone		23:53
*** felipemonteiro has joined #openstack-keystone		23:56
*** edmondsw has quit IRC		23:57

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!