Wednesday, 2018-10-17

*** gyee has quit IRC		00:17
openstackgerrit	ayoung proposed openstack/keystone-specs master: Explicit Domain Ids https://review.openstack.org/611201	00:24
*** felipemonteiro has joined #openstack-keystone		00:29
*** lbragstad-503 is now known as lbragstad		00:58
*** imacdonn has quit IRC		01:09
*** felipemonteiro has quit IRC		01:10
adriant	kmalloc: I'm trying to redo the auth receipts stuff and I'm getting a little lost with the flask refactor.	01:11
adriant	previously I used to get the receipt_id directly from the request object in authenticate_for_token	01:12
adriant	(with a change to the webob request object to expose the correct header as a property)	01:12
adriant	how do I now get the receipt_id into that function? or can i just grab it directly from the global flask request object?	01:14
adriant	for now i'm just going to try:	01:17
adriant	receipt_id = flask.request.headers.get(authorization.AUTH_RECEIPT_HEADER, None)	01:17
*** dave-mccowan has joined #openstack-keystone		01:19
adriant	oh but it gets worse... that function now returns a token rather than a response	01:20
adriant	which means I probably do need to raise an InsufficientAuthMethods exception and handle the creation of a receipt in the next layer up :/	01:21
*** imacdonn has joined #openstack-keystone		01:22
adriant	which looks just as ugly in a way :(	01:23
openstackgerrit	wangxiyuan proposed openstack/keystone master: Allow registered limit's region_id to be None https://review.openstack.org/610887	01:35
*** felipemonteiro has joined #openstack-keystone		01:42
*** Dinesh_Bhor has joined #openstack-keystone		01:48
wxy-xiyuan	lbragstad: this is the limit CRUD patch for sdk: https://review.openstack.org/#/q/topic:unified_limit+(status:open+OR+status:merged), I'll update my oslo.limit patch once sdk release a new version.	01:57
lbragstad	wxy-xiyuan awesome - i was going to review that yesterday and ran out of time	01:57
lbragstad	i'll be sure to review it tomorrow though	01:57
wxy-xiyuan	cc kmalloc, mordred, vishakha if you are interested.	01:58
wxy-xiyuan	lbragstad: cool.	01:58
wxy-xiyuan	lbragstad: BTW, the guidelines for naming policies is approved, what's the next step, start coding in each project?	01:59
lbragstad	wxy-xiyuan yep - i think so	01:59
lbragstad	now that we have something concrete to reference	01:59
wxy-xiyuan	lbragstad: using policy deprecation mechanism, right?	02:00
lbragstad	correct	02:00
wxy-xiyuan	lbragstad: nice.	02:00
lbragstad	some examples here https://docs.openstack.org/oslo.policy/latest/reference/api/oslo_policy.policy.html#oslo_policy.policy.DeprecatedRule	02:01
wxy-xiyuan	lbragstad: clear guidelines. Thanks.	02:02
lbragstad	wxy-xiyuan no problem - let me know if you have questions, chances are we can probably continue improving the guidelines	02:03
adriant	lbragstad: Adjutant doesn't yet have a dedicated meeting time. Mostly not enough devs yet, or from external companies. But should organise one so that people have a chance to pop in and ask questions if needed.	02:11
adriant	also, lbragstad, since kmalloc is probably asleep, are you able to help with a couple of question regarding the flask auth rework?	02:12
lbragstad	you might be able to do it with the global request object	02:13
lbragstad	the auth stuff was a mess in the first place	02:13
lbragstad	the auth receipt comes from the header, right?	02:14
adriant	yeah	02:14
adriant	that part I'm fine with, but now I'm stuck on how to handle returning the receipt	02:15
lbragstad	ok - so it will have to come from the global request object or flask	02:15
lbragstad	oh?	02:15
adriant	in my old code i replaced this with a return response that made the receipt: https://github.com/openstack/keystone/blob/master/keystone/api/_shared/authentication.py#L209	02:15
adriant	but since this function no longer returns a request	02:15
adriant	the only option I can see that isn't awful is to catch this error, and then make/return the receipt elsewhere	02:16
adriant	but I'm not sure a try except here is that nice: https://github.com/openstack/keystone/blob/master/keystone/api/auth.py#L315	02:16
adriant	but that's what I'm doing right now	02:16
lbragstad	hmm	02:16
lbragstad	well - let's start with that and see if we can flush out better alternatives in the process?	02:16
lbragstad	this has happened a couple times with the flask refactor	02:17
adriant	I was curious where the actual error handling for unauthorised is handled right now, but I can't find a flask "handle_exception" function defined anywhere in so	02:17
adriant	so I'm a little confused	02:17
lbragstad	where we need to massage flask to handle specific things we did a long time ago	02:17
adriant	because in that same exception handling layer is another possible option for making/returning the receipt	02:17
lbragstad	handle_exception is in flaks	02:18
lbragstad	flask	02:18
lbragstad	like flask/app.py	02:19
lbragstad	so we don't really have access to that	02:19
adriant	oh wait, sorry thought you could define an exception handler to replace the default one	02:19
* adriant hasn't used flask in ages		02:19
lbragstad	http://flask.pocoo.org/snippets/127/	02:21
lbragstad	just an example of subclassing handle_exception	02:21
adriant	just reading through http://flask.pocoo.org/docs/1.0/patterns/apierrors/?highlight=exception#implementing-api-exceptions now	02:21
lbragstad	ok - i'm going to have to run, but feel free to leave messages if you find something	02:22
lbragstad	and i'll follow up	02:22
adriant	I think I'm just lost and confused and asking really pointless questions	02:22
adriant	so don't mind me too much about that :P	02:23
adriant	will throw up some code and we can start from there	02:23
lbragstad	+1 kmalloc and i can take a poke at it tomorrow	02:23
lbragstad	thanks for continuing to work on this, adriant	02:23
adriant	lbragstad: np! I'm just sorry it's taken me this long to get back to it	02:24
*** Dinesh_Bhor has quit IRC		02:44
*** Dinesh_Bhor has joined #openstack-keystone		02:49
*** felipemonteiro has quit IRC		03:00
vishakha	wxy-xiyuan: Looking in it	03:23
*** dklyle has quit IRC		03:25
*** dave-mccowan has quit IRC		03:33
openstackgerrit	Merged openstack/keystone master: Convert S3 and EC2 auth to flask native dispatching https://review.openstack.org/609500	03:56
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Fixing update unified limit api-ref https://review.openstack.org/610000	03:59
openstackgerrit	Adrian Turjak proposed openstack/keystone master: Implement auth receipts spec https://review.openstack.org/611230	04:00
*** Dinesh_Bhor has quit IRC		04:07
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Fixing update unified limit api-ref https://review.openstack.org/610000	04:07
*** Dinesh_Bhor has joined #openstack-keystone		04:39
*** pcaruana has quit IRC		04:46
*** shyamb has joined #openstack-keystone		04:58
*** annp has quit IRC		05:23
*** obre has quit IRC		05:40
*** obre has joined #openstack-keystone		05:41
*** Dinesh_Bhor has quit IRC		05:49
*** Dinesh_Bhor has joined #openstack-keystone		06:01
*** Dinesh_Bhor has quit IRC		06:15
*** obre has quit IRC		06:16
*** obre has joined #openstack-keystone		06:17
*** Dinesh_Bhor has joined #openstack-keystone		06:23
*** pcaruana has joined #openstack-keystone		06:34
*** shyamb has quit IRC		06:52
*** rdopiera has joined #openstack-keystone		07:00
openstackgerrit	Merged openstack/keystone master: Update API version to 3.11 https://review.openstack.org/608216	07:05
openstackgerrit	Merged openstack/keystone master: Added test case update registered limit with region https://review.openstack.org/610005	07:05
*** rcernin has quit IRC		07:09
*** shyamb has joined #openstack-keystone		07:46
*** Dinesh_Bhor has quit IRC		08:25
*** adriant has quit IRC		08:29
*** adriant has joined #openstack-keystone		08:29
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Set Default and resource limit as defined schema https://review.openstack.org/610479	08:36
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Fixing update unified limit api-ref https://review.openstack.org/610000	08:44
*** Dinesh_Bhor has joined #openstack-keystone		09:06
wxy-xiyuan	lbragstad: look forward to get your thought: https://review.openstack.org/#/c/611216 I'm not quite sure the way is correct.	09:06
openstackgerrit	Merged openstack/oslo.policy master: Add minor nits in testing documentation https://review.openstack.org/611111	09:09
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Remove deprecated token_flush https://review.openstack.org/609277	09:10
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Remove deprecated token_flush https://review.openstack.org/609277	09:12
*** shyamb has quit IRC		09:14
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Remove deprecated token_flush https://review.openstack.org/609277	09:15
vishakha	cmurphy: waiting four comment on https://review.openstack.org/#/c/606912/	09:25
vishakha	s/four/for	09:25
*** shyamb has joined #openstack-keystone		09:38
*** Emine has joined #openstack-keystone		09:40
*** Dinesh_Bhor has quit IRC		09:42
*** shyamb has quit IRC		09:48
*** shyamb has joined #openstack-keystone		09:48
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Adding 'date' for trust_flush https://review.openstack.org/607897	10:05
*** shyam89 has joined #openstack-keystone		10:09
*** Emine has quit IRC		10:10
*** shyamb has quit IRC		10:13
*** Emine has joined #openstack-keystone		10:13
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Fixing update unified limit api-ref https://review.openstack.org/610000	10:18
*** Emine has quit IRC		10:30
*** Dinesh_Bhor has joined #openstack-keystone		10:30
*** pooja_jadhav has quit IRC		10:41
*** xek has joined #openstack-keystone		10:41
*** Dinesh_Bhor has quit IRC		10:50
*** Emine has joined #openstack-keystone		10:50
cmurphy	vishakha: sorry i'm sort of afk this week, will try to check asap	11:13
*** shyam89 has quit IRC		11:16
*** pcaruana has quit IRC		11:28
*** shyam89 has joined #openstack-keystone		11:28
*** pooja_jadhav has joined #openstack-keystone		11:35
*** mvkr has quit IRC		11:46
*** raildo has joined #openstack-keystone		11:56
*** shyam89 has quit IRC		12:11
*** shyam89 has joined #openstack-keystone		12:11
*** shyam89 has quit IRC		12:13
*** shyam89 has joined #openstack-keystone		12:13
*** dave-mccowan has joined #openstack-keystone		12:14
*** shyamb has joined #openstack-keystone		12:15
*** shyam89 has quit IRC		12:18
*** pcaruana has joined #openstack-keystone		12:24
*** mvkr has joined #openstack-keystone		12:53
*** mchlumsky has joined #openstack-keystone		13:15
*** dklyle has joined #openstack-keystone		13:16
*** shyamb has quit IRC		13:22
*** dklyle has quit IRC		13:31
*** e0ne has joined #openstack-keystone		13:39
e0ne	cmurphy: thanks a lot for you reviews and commend for Horizon bugs	13:39
*** dims has quit IRC		13:40
*** jmlowe has quit IRC		13:49
lbragstad	wxy-xiyuan nice work on the zaqar patch, just a few comments inline but that's on the right track for sure	13:56
*** jmlowe has joined #openstack-keystone		13:58
*** munimeha1 has joined #openstack-keystone		13:59
*** dims has joined #openstack-keystone		14:03
ayoung	https://review.openstack.org/#/c/611201/ lbragstad cmurphy please defile it with all your comments!	14:05
ayoung	deface?	14:05
* lbragstad puts a post-it on his monitor		14:05
ayoung	vishakha, add keystone-core to a review that is important. We'll all see it	14:05
ayoung	vishakha, reviewed	14:12
*** sapd1_ has quit IRC		14:13
cmurphy	e0ne: you're welcome, if you want to thank me you could bump https://bugs.launchpad.net/horizon/+bug/1794710 to someone's priority, it's really broken and i don't know how to fix it ;)	14:16
openstack	Launchpad bug 1794710 in OpenStack Dashboard (Horizon) "WebSSO initial redirect 404s" [High,Confirmed]	14:16
*** sapd1_ has joined #openstack-keystone		14:16
cmurphy	ayoung: will look tonight	14:16
*** dims has quit IRC		14:16
e0ne	cmurphy: TBH, I tested this feature last time in Pike. I'll try to find few hours next week to dig into it early next week	14:17
*** dims has joined #openstack-keystone		14:19
*** openstackgerrit has quit IRC		14:36
*** munimeha1 has quit IRC		14:49
*** knikolla has quit IRC		14:49
*** openstackgerrit has joined #openstack-keystone		14:58
openstackgerrit	ayoung proposed openstack/keystone-specs master: Explicit Domain Ids https://review.openstack.org/611201	14:58
ayoung	cmurphy, e0ne I'll take a look. I think I wrote the original impl	14:59
e0ne	ayoung: thanks. feel free to ping me if you need any help	15:00
ayoung	e0ne, https://review.openstack.org/611349	15:05
ayoung	it will probably start a small storm	15:05
e0ne	:)	15:06
ayoung	e0ne, what is your launchpad id? Or add yourself as a reviewer, please	15:06
e0ne	ayoung: done. my launchpad id is the same as IRC nickname	15:07
ayoung	GOt it	15:07
ayoung	e0ne, and, since you approved the change that broken things, you are on the hook to fix it anyway!	15:08
e0ne	ayoung: sure, let's wait for CI	15:08
ayoung	e0ne, I leave it to you.	15:08
e0ne	I'm pretty sure that CI will pass on your patch	15:09
ayoung	e0ne, what do you think should be done WRT to the bug that lead to the breaking patch?	15:09
e0ne	ayoung: I'll re-open it	15:10
*** xek has quit IRC		15:13
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Implement scope_type checking for credentials https://review.openstack.org/594547	15:16
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove obsolete credential policies https://review.openstack.org/597187	15:16
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Pass context objects to policy enforcement https://review.openstack.org/605539	15:25
*** xek has joined #openstack-keystone		15:43
*** itlinux has joined #openstack-keystone		15:50
*** xek has quit IRC		15:51
*** xek has joined #openstack-keystone		15:57
*** munimeha1 has joined #openstack-keystone		16:24
*** knikolla has joined #openstack-keystone		16:24
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Implement system reader role in users API https://review.openstack.org/611179	16:42
lbragstad	kmalloc ^	16:42
lbragstad	for whenever you get back	16:42
*** e0ne has quit IRC		16:46
*** mvkr has quit IRC		17:01
kmalloc	lbragstad: why are we worried about 404 vs 403?	17:17
lbragstad	so - the 404 could be returned without a user being authenticated to perform that action	17:19
lbragstad	when they should get a 403	17:19
lbragstad	right?	17:19
kmalloc	if someone is not authenticated, it would be a 403	17:20
lbragstad	if some is authenticated, it should be a 404, yeah?	17:20
kmalloc	yeah	17:20
lbragstad	ok	17:20
kmalloc	the test looks correct now.	17:20
kmalloc	fwiw	17:20
lbragstad	i noticed this isn't tested in the credentials patch either	17:20
lbragstad	i'll update that one, too	17:20
kmalloc	ah	17:20
kmalloc	ok so we're missing the "if not authenticated, 403"	17:20
kmalloc	fwiw, the RBACEnforcer has that logic built in	17:21
kmalloc	in all cases, not-authenticated bounces with a 403	17:21
kmalloc	and we do test that	17:21
kmalloc	if .enforce_call is used	17:21
lbragstad	yeah - that's the default behavior	17:21
kmalloc	so this case probably doesn't need explicit 403 check	17:21
lbragstad	if ! authenticated; raise 403	17:21
lbragstad	but what about with 404?	17:21
kmalloc	and that behavior isn't configurable in policy.json	17:22
kmalloc	it is hard-coded	17:22
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Support KWARGS in the cache key generating function(s). https://review.openstack.org/611120	17:24
kmalloc	ayoung: commented on explicit domain_id spec	17:36
kmalloc	mostly just a couple questions for discussion purposes	17:36
kmalloc	nothing that would block it from landing as is	17:36
kmalloc	ayoung: +1 for now, +2 as we capture discussion	17:36
kmalloc	lbragstad: https://review.openstack.org/#/c/611121/ security (minor) issue with caching	17:37
kmalloc	lbragstad: needs quick eyes.,	17:37
kmalloc	lbragstad: might need backporting.	17:37
openstackgerrit	Corey Bryant proposed openstack/ldappool master: py3 ldap does not allow bytes for DN/RDN/field names https://review.openstack.org/611401	17:44
*** rdopiera has quit IRC		17:49
*** dklyle has joined #openstack-keystone		17:52
openstackgerrit	Corey Bryant proposed openstack/keystone master: py3 ldap does not allow bytes for DN/RDN/field names https://review.openstack.org/611190	17:52
openstackgerrit	Corey Bryant proposed openstack/keystone master: py3 ldap does not allow bytes for DN/RDN/field names https://review.openstack.org/611190	17:53
openstackgerrit	ayoung proposed openstack/keystone-specs master: Explicit Domain Ids https://review.openstack.org/611201	17:57
*** ayoung has quit IRC		18:08
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Implement scope_type checking for credentials https://review.openstack.org/594547	18:09
lbragstad	kmalloc ok ^ that should clearly test the 404 vs 403 differences across the various personas	18:10
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove obsolete credential policies https://review.openstack.org/597187	18:11
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Pass context objects to policy enforcement https://review.openstack.org/605539	18:11
*** david-lyle has joined #openstack-keystone		18:29
*** dklyle has quit IRC		18:29
kmalloc	lbragstad: my brain is a little fried post flask	18:34
lbragstad	yeah...	18:36
lbragstad	that one was a doozy	18:47
openstackgerrit	Merged openstack/keystone master: Remove incorrect copyright notice. https://review.openstack.org/610879	19:29
*** dklyle has joined #openstack-keystone		19:31
*** david-lyle has quit IRC		19:33
*** dklyle has quit IRC		19:37
*** dklyle has joined #openstack-keystone		19:38
kmalloc	and something is now failing with py36 in gate becasue it couldn't find keystone.sample.conjf	19:45
kmalloc	it was just workingt	19:45
kmalloc	....	19:45
kmalloc	oh transient	19:46
kmalloc	i don't know how THAT transient happened	19:46
kmalloc	but...	19:46
lbragstad	yeah - i've seen that one a couple times too	19:47
*** dklyle has quit IRC		19:52
*** dklyle has joined #openstack-keystone		19:55
*** dklyle has quit IRC		20:15
*** xek has quit IRC		20:22
*** mchlumsky has quit IRC		20:22
*** dklyle has joined #openstack-keystone		20:46
*** raildo has quit IRC		20:52
openstackgerrit	Matt Riedemann proposed openstack/keystone master: Implement scaffolding for upgrade checks https://review.openstack.org/608785	20:55
lbragstad	thanks mr	20:56
*** dklyle has quit IRC		20:59
*** dklyle has joined #openstack-keystone		20:59
*** dklyle has quit IRC		21:10
*** dklyle has joined #openstack-keystone		21:10
openstackgerrit	Lance Bragstad proposed openstack/oslo.policy master: WIP: Add domain scope support for scope types https://review.openstack.org/611443	21:12
*** felipemonteiro has joined #openstack-keystone		21:14
*** dklyle has quit IRC		21:17
*** rcernin has joined #openstack-keystone		21:18
*** dklyle has joined #openstack-keystone		21:18
*** felipemonteiro has quit IRC		21:24
*** dklyle has quit IRC		21:40
*** dklyle has joined #openstack-keystone		21:44
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Implement system reader role in users API https://review.openstack.org/611179	21:44
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Implement reader role in users API https://review.openstack.org/611179	21:44
*** dklyle has quit IRC		21:52
*** dklyle has joined #openstack-keystone		21:57
*** bnemec has quit IRC		22:01
*** mvkr has joined #openstack-keystone		22:04
*** munimeha1 has quit IRC		22:20
*** itlinux has quit IRC		22:22
*** felipemonteiro has joined #openstack-keystone		22:26
openstackgerrit	Adrian Turjak proposed openstack/keystone master: Implement auth receipts spec https://review.openstack.org/611230	22:31
*** dklyle has quit IRC		22:36
*** itlinux has joined #openstack-keystone		23:22
openstackgerrit	Lance Bragstad proposed openstack/keystone master: WIP: Implement domain and system default roles https://review.openstack.org/611465	23:25
*** lbragstad is now known as lbragstad_503		23:26

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!