Tuesday, 2018-10-23

« Monday, 2018-10-22 Index Wednesday, 2018-10-24 »
*** rcernin has joined #openstack-keystone00:11
*** rcernin_ has quit IRC00:12
*** rcernin has quit IRC00:13
*** rcernin has joined #openstack-keystone00:14
*** aojea has joined #openstack-keystone00:39
*** aojea has quit IRC00:44
*** dmellado has joined #openstack-keystone00:51
openstackgerritMerged openstack/keystone master: Add caching on trust role validation to improve performance  https://review.openstack.org/60896301:06
*** imacdonn has quit IRC01:23
*** imacdonn has joined #openstack-keystone01:23
*** markvoelker has joined #openstack-keystone01:25
*** Dinesh_Bhor has joined #openstack-keystone01:42
*** idlemind has joined #openstack-keystone01:53
*** Dinesh_Bhor has quit IRC01:59
openstackgerritAdrian Turjak proposed openstack/keystone master: Implement auth receipts spec  https://review.openstack.org/61123002:02
openstackgerritAdrian Turjak proposed openstack/keystone master: Implement auth receipts spec  https://review.openstack.org/61123002:04
vishakhakmalloc: for https://review.openstack.org/#/c/610479/ , I have updated a document patch for it. Pl review02:31
*** Dinesh_Bhor has joined #openstack-keystone02:35
*** dave-mccowan has quit IRC02:57
*** munimeha1 has quit IRC03:01
*** Dinesh_Bhor has quit IRC03:37
*** aojea has joined #openstack-keystone04:16
*** aojea has quit IRC04:20
*** Dinesh_Bhor has joined #openstack-keystone04:42
kmallocvishakha: thnx!05:27
vishakhakmalloc: Aslo have some doubt for https://review.openstack.org/#/c/607897/, I posted the comment in it05:35
*** spsurya has joined #openstack-keystone05:49
kmallocvishakha: commented06:13
vishakhakmalloc: working on it. Thanks for the quick review :)06:14
*** ebukha has joined #openstack-keystone06:19
*** ayoung has quit IRC06:39
*** Dinesh_Bhor has quit IRC06:52
*** pcaruana has joined #openstack-keystone06:56
*** jaosorior has quit IRC07:02
*** felipemonteiro has joined #openstack-keystone07:04
*** jaosorior has joined #openstack-keystone07:05
*** rcernin has quit IRC07:06
*** rdopiera has joined #openstack-keystone07:09
*** Dinesh_Bhor has joined #openstack-keystone07:16
*** felipemonteiro has quit IRC07:22
openstackgerritVishakha Agarwal proposed openstack/keystone master: [WIP] Implement scope_type checking for grant api  https://review.openstack.org/61261507:33
openstackgerritVishakha Agarwal proposed openstack/keystone master: [WIP] Implement scope_type checking for grant api  https://review.openstack.org/61261507:35
openstackgerritMerged openstack/keystone master: Flask comment/docstring cleanup  https://review.openstack.org/60983707:39
openstackgerritMerged openstack/keystone master: Cleanup test_wsgi  https://review.openstack.org/60983807:39
*** ebukha has quit IRC07:52
*** xek has joined #openstack-keystone07:55
*** xek_ has joined #openstack-keystone08:01
*** xek has quit IRC08:03
openstackgerritMerged openstack/keystone master: Make collection_key and member_key raise if unset  https://review.openstack.org/61012908:05
openstackgerritwangxiyuan proposed openstack/keystone master: nit: remove useless code  https://review.openstack.org/61262508:08
openstackgerritwangxiyuan proposed openstack/keystone master: nit: remove useless code  https://review.openstack.org/61262508:09
*** pvradu has joined #openstack-keystone08:16
*** mvkr has quit IRC08:26
*** ebukha has joined #openstack-keystone08:27
*** dmellado has quit IRC08:34
*** mvkr has joined #openstack-keystone08:51
*** Dinesh_Bhor has quit IRC08:54
*** ebukha has quit IRC08:56
*** adriant has quit IRC09:09
*** adriant has joined #openstack-keystone09:10
*** adriant has quit IRC09:13
*** adriant has joined #openstack-keystone09:14
*** adriant has quit IRC09:16
*** dmellado has joined #openstack-keystone09:18
*** bzhao__ has quit IRC09:20
openstackgerritLance Bragstad proposed openstack/keystone-specs master: Fix spelling in explicit domain id specification  https://review.openstack.org/61264409:20
*** Ebukha has joined #openstack-keystone09:22
openstackgerritLance Bragstad proposed openstack/keystone-specs master: Update policy security roadmap  https://review.openstack.org/60244309:31
openstackgerritVishakha Agarwal proposed openstack/keystone master: [WIP] Implement scope_type checking for grant api  https://review.openstack.org/61261509:31
*** mvkr has quit IRC09:36
openstackgerritLance Bragstad proposed openstack/keystone master: Use request_body_json function  https://review.openstack.org/61249209:39
openstackgerritLance Bragstad proposed openstack/keystone master: Pass context objects to policy enforcement  https://review.openstack.org/60553909:41
openstackgerritVishakha Agarwal proposed openstack/keystone master: Adding 'date' for trust_flush  https://review.openstack.org/60789709:43
*** mvkr has joined #openstack-keystone09:50
*** Ebukha has quit IRC09:50
openstackgerritLance Bragstad proposed openstack/keystone master: Implement scope_types for user API  https://review.openstack.org/61117909:51
*** Ebukha has joined #openstack-keystone10:00
*** pvradu has quit IRC10:00
*** pvradu has joined #openstack-keystone10:00
*** xek_ has quit IRC10:03
*** pvradu_ has joined #openstack-keystone10:05
*** Dinesh_Bhor has joined #openstack-keystone10:07
*** xek has joined #openstack-keystone10:07
*** pvradu has quit IRC10:09
*** Dinesh_Bhor has quit IRC10:15
openstackgerritMerged openstack/keystone-specs master: Fix spelling in explicit domain id specification  https://review.openstack.org/61264410:31
*** Ebukha_ has joined #openstack-keystone11:01
*** Ebukha has quit IRC11:01
*** markvoelker has quit IRC11:45
*** Ebukha_ is now known as Ebukha11:55
*** dave-mccowan has joined #openstack-keystone12:07
odyssey4melbragstad: you around? I'd like to ask a question about https://bugs.launchpad.net/openstack-ansible/+bug/1793389 - I'm wondering whether keystone doesn't already have something built-in to flush the cache?12:10
openstackLaunchpad bug 1793389 in openstack-ansible "Upgrade to Ocata: Keystone Intermittent Missing 'options' Key" [Medium,Fix released] - Assigned to Alex Redinger (rexredinger)12:10
lbragstadodyssey4me checking12:11
odyssey4melbragstad: https://review.openstack.org/608066 has been added, rather than our previous strategy which was https://github.com/openstack/openstack-ansible/blob/master/scripts/upgrade-utilities/playbooks/memcached-flush.yml run just before the general upgrade - but that wasn't sufficient in this case... it seemed to fail the first time and needed to be redone12:12
lbragstadinteresting12:13
lbragstadi suppose users are being cached and that breaks things12:13
lbragstadsince it looks like that cached user doesn't have the options attribute12:14
lbragstadso are you asking if keystone has a better way to flush the cache?12:15
lbragstador has a way to flush the cache natively?12:15
odyssey4melbragstad: I'm wondering whether keystone either understands these changes and will flush/invalidate cache automatically... or yes, whether it has a native capability.12:16
odyssey4meThis might be a good thing for keystone-doctor, or something similar.12:16
odyssey4meInvliadating the entire cache obviously has some performance implications.12:17
lbragstadright12:17
cmurphyi don't think our sqlalchemy migrations understand about invalidating relevant caches12:17
lbragstadwell - it is going to be hard to write something in process that understand when deployers are going to upgrade12:17
lbragstadnot sure if this is a good option but...12:17
cmurphyyeah12:17
odyssey4meRight, but in-process may be able to understand that the object it's looking at is an old version?12:18
lbragstadwe could handle that exception and manually invalidate the region12:18
odyssey4meor that12:18
lbragstadsince we've seen this specific exception crop up a couple times for the same exact reason12:18
lbragstadand after a certain amount of time, we can remove that try/except12:18
odyssey4meI guess this is the sort of thing versioned objects was designed to handle, but I don't think keystone is using that?12:19
lbragstadyeah - we don't use versioned objects12:19
lbragstadok - so this affects upgrades to ocata12:20
lbragstadwhich is the oldest supported release12:20
lbragstadwe'd have to write the patch, apply it to stein, rocky, queens, pike, and finally ocata12:20
lbragstadand then remove it from master, since it wouldn't be applicable anymore?12:21
lbragstadand possibly remove it from other branches, too?12:21
cmurphyyou can submit it directly to ocata if it only affects ocata12:21
cmurphythe stable policy isn't so strict that you need to apply patches where it doesn't make sense12:21
lbragstadcool - so maybe it's easier than i thought12:22
cmurphybut a related question is about ffu12:22
odyssey4mewell, that's an option of course - but would this not perhaps happen again some time in the future?12:22
cmurphyodyssey4me: right this would only be a bandaid on the one problem12:22
lbragstadwell - are ffu an online thing?12:23
lbragstadbetter question - do ffu operate under the assumption there will be service downtime?12:23
odyssey4meThe ideal would be that any patch that changes things will not have an exception if the object is missing the new stuff, but that's pretty hard to enferce because it requires reviewers to think about it. Although I suppose that's a testable thing.12:24
lbragstadthe last time we had to deal with something like that was with password hashing12:25
cmurphyyeah so it's bound to come up again12:25
lbragstadiirc - we had to think pretty hard about the upgrade path12:25
lbragstads/path/paths/12:25
odyssey4meI suppose handling the exception with flushing the cache is the ultimate back-stop. If somehow the triggering of that in gates could see it happening and raise a warning/error, prompting the patch author to handle things more gracefully for the new patch, that'd be better. The backstop is still there though.12:26
lbragstadtechnically - we would have caught this with online migration testing12:28
lbragstaddepending on the test, i think12:28
lbragstadbut since this is technically in the authentication path, it would be pretty common12:29
openstackgerritDmitry Tantsur proposed openstack/keystoneauth master: Make new-style single endpoint version discovery actually work for ironic  https://review.openstack.org/61268012:29
*** tobberydberg has quit IRC12:30
*** markvoelker has joined #openstack-keystone12:36
odyssey4melbragstad cmurphy is that bug sufficient - should I add keystone to it?12:36
*** markvoelker has quit IRC12:37
lbragstadsure - we can at least document the approach12:37
cmurphymaybe we could have a special RFE bug for keystone? would be good to have a proper consistent approach in keystone eventually12:40
*** aojea_ has joined #openstack-keystone12:42
*** aojea_ has quit IRC12:55
*** aojea_ has joined #openstack-keystone12:56
lbragstadyeah - agreed12:57
lbragstadwould the RFE before finding ways to deal with this then?12:58
lbragstadand we can track 1793389 for this specific fix?12:58
cmurphysure12:58
lbragstadcmurphy odyssey4me https://review.openstack.org/#/c/612686/112:58
odyssey4melbragstad: thanks - I'll watch it, and notify our folks to see if they have any feedback and can test it when it's ready for that13:00
lbragstadsounds good13:01
lbragstadcc kmalloc ^13:01
*** bnemec has joined #openstack-keystone13:08
*** aojea_ has quit IRC13:17
*** aojea_ has joined #openstack-keystone13:18
*** aojea_ has quit IRC13:22
*** ayoung has joined #openstack-keystone13:28
*** aojea_ has joined #openstack-keystone13:45
*** aojea_ has quit IRC13:48
*** aojea_ has joined #openstack-keystone13:52
*** aojea_ has quit IRC13:55
*** aojea_ has joined #openstack-keystone13:56
*** Ebukha has quit IRC13:57
*** edmondsw has joined #openstack-keystone14:00
*** aojea_ has quit IRC14:00
knikollao/14:16
lbragstadin case folks didn't see this yesterday - https://github.com/yahoo/openstack-collab/tree/master/keystone-federation-ocata14:31
*** felipemonteiro has joined #openstack-keystone14:38
ayounglbragstad, OK...I think I have a plan to roll in the system-roles changes for an existing site:14:39
ayoungwe make use of is_admin_project as a way to turn off admin later on14:39
ayoungbasically, the same plan as I had for using is_admin_project, but instead of migrating people from admin-on-anywhere to admin-on-admin, we migrate the from admin-on-anywhere to system scope14:40
ayoungthe enforcement of is_admin_project will let people with admin-anywhere continue to function14:40
ayoungbut we start training people to request admin scoped tokens, make sure horizon works with them, etc14:40
ayoungonce an org is ready to go full service scoped tokens, we enable an admin_project:  it can be a bogus one14:41
ayoungthat will disable is_admin_project rule in policy.  Then we can start removing them from the policy files.14:41
ayoungMake sense?14:41
lbragstadnot really - but i'm in the middle of parsing something else at the moment14:41
ayoungNot, perhaps, as intuitive as I would have liked.14:41
ayoungIts ok.  GO back and read this later whne you have the bandwith free14:42
lbragstadsounds good - thanks ayoung14:42
ayounglbragstad, I like uuid.uuid3(uuid.NAMESPACE_OID, str(string)).hex14:43
ayounggah...but it is python2 specific14:44
ayoungnope...I'm just in the dumbs this morning14:47
ayoungkmalloc, if we go with the oath approach, do we then want to specify the UUIDs for the namespaces in the config files?  So, instead of uuid.uuid5(uuid.NAMESPACE_OID, 'admin').hex   we'd have uuid.uuid5(CONF.roles.namespace, 'admin').hex14:52
ayoungWas there an edge call today?  I called in but no-one was there14:54
lbragstadwe ended early14:57
knikollawhere are people staying in berlin? looks like all the hotels recommended by the foundation are pretty far from the venue15:01
ayoungknikolla, we have an Air BnB15:04
ayoungIts actually closer than some of the hotels, I think15:06
knikollainteresting, i didn't look into airbnbs15:08
mordredlbragstad, cmurphy, kmalloc: https://review.openstack.org/#/c/612680/ <-- should fix issues in the bifrost gate ... ironic updated to have proper version discovery docs, but one of our workarounds was unhappy :)15:10
kmallocAhhh15:14
kmallocOk15:14
mordredkmalloc: I think we'll need a bugfix release with that patch in it once it lands15:23
*** wxy| has joined #openstack-keystone15:34
kmalloc++15:36
kmalloc+2/+a15:37
*** mvkr has quit IRC15:39
ayoungAre we meeting today?  Anyone have anything for the Agenda?15:46
ayounghttps://etherpad.openstack.org/p/keystone-weekly-meeting15:46
*** felipemonteiro has quit IRC16:09
*** rdopiera has quit IRC16:15
*** gyee has joined #openstack-keystone16:16
*** ayoung has quit IRC16:21
*** pvradu_ has quit IRC16:37
*** raildo has joined #openstack-keystone16:55
*** Ebukha has joined #openstack-keystone16:57
*** ayoung has joined #openstack-keystone17:03
* kmalloc goes back to lurk mode.17:03
*** pvradu has joined #openstack-keystone17:04
*** wxy| has quit IRC17:05
openstackgerritMerged openstack/keystoneauth master: Make new-style single endpoint version discovery actually work for ironic  https://review.openstack.org/61268017:06
*** dnguyen has joined #openstack-keystone17:07
*** pvradu has quit IRC17:09
kmallocmordred: ^17:12
*** lbragstad is now known as lbragstad_f00d17:17
openstackgerritMerged openstack/keystone master: Adding 'date' for trust_flush  https://review.openstack.org/60789717:23
*** dnguyen has quit IRC17:33
*** dnguyen has joined #openstack-keystone17:34
*** pvradu has joined #openstack-keystone17:42
*** lbragstad_f00d is now known as lbragstad17:45
*** felipemonteiro has joined #openstack-keystone17:45
*** aojea has joined #openstack-keystone17:46
*** pvradu has quit IRC17:53
lbragstadayoung OH!17:55
lbragstadhttps://github.com/yahoo/openstack-collab/blob/master/keystone-federation-ocata/plugin/keystone/auth/plugins/athenz.py#L12317:55
lbragstadhttps://github.com/yahoo/openstack-collab/blob/master/keystone-federation-ocata/plugin/keystone/auth/plugins/athenz.py#L8017:55
lbragstadi'm apparently under-caffeinated17:55
lbragstadi glossed over that17:56
lbragstadwhen you were talking about that earlier17:56
kmallochehe18:14
*** Ebukha has quit IRC18:26
*** felipemonteiro has quit IRC18:34
*** dnguyen has quit IRC18:35
*** irclogbot_3 has joined #openstack-keystone18:35
hrybackiis memcached the norm cache backend for folks in production?18:35
*** dnguyen has joined #openstack-keystone18:37
ayounghrybacki, yep18:57
ayoungkmalloc, ^^ can you tell hrybacki whether or not I am a liar?18:58
hrybackiayoung++ -- im collating best practices18:58
hrybackiayoung: have you ever had issues w/ memcached logs?19:13
ayounghrybacki, not enough first hand experience to say.19:22
*** pcaruana has quit IRC19:23
hrybackiayoung: ack19:23
*** david-lyle has joined #openstack-keystone19:27
*** dklyle has quit IRC19:28
*** lbragstad has quit IRC19:50
*** lbragstad has joined #openstack-keystone19:53
*** ChanServ sets mode: +o lbragstad19:53
*** david-lyle is now known as dklyle19:53
kmalloclbragstad: i think you have a problem with https://review.openstack.org/#/c/605539/18/keystone/common/rbac_enforcer/enforcer.py20:03
kmalloccan we remove the token rendered version from the target dict?20:04
kmalloci.. i don't think we can20:04
kmallocwithout breaking people's custom polcies20:04
kmallocsince we have historically populated that20:04
kmallocmemcached logs?20:05
kmallochrybacki: ^20:05
kmallochrybacki: oh, memcache is afaik almost the only backend for cache people use20:05
kmallocredis is almost never used, hp uses mongo (hah)20:05
kmallocused*20:06
*** openstackgerrit has quit IRC20:06
kmallocfor the most part i don't think anyone has used non-memcache cache layer in openstack20:06
*** mvkr has joined #openstack-keystone20:12
hrybackikmalloc: at least we have one standard :)20:13
lbragstadwut...20:23
kmalloclbragstad: sorry in the credential dict20:24
kmallocnot in the target dict20:24
kmallocif we remove the rendered token from the cred dict (policy), and lookups for token.x.y will fail20:25
kmallocand it has historically been there20:25
kmalloccan we realistically reemove the render?20:25
kmallocif we can, cool.20:25
kmallocbut...20:25
* lbragstad is confused 20:31
*** xek has quit IRC20:41
lbragstadstepping away for a bit20:45
*** openstackgerrit has joined #openstack-keystone20:55
openstackgerritGage Hugo proposed openstack/keystone master: [WIP] Add functional testing gate  https://review.openstack.org/53101420:55
*** mchlumsky has quit IRC21:01
*** felipemonteiro has joined #openstack-keystone21:13
*** xek has joined #openstack-keystone21:14
*** xek has quit IRC21:17
*** dklyle has quit IRC21:19
*** dklyle has joined #openstack-keystone21:20
*** raildo has quit IRC21:23
*** spsurya has quit IRC21:38
*** Ebukha has joined #openstack-keystone21:40
*** Ebukha has quit IRC21:44
*** felipemonteiro has quit IRC21:52
*** felipemonteiro has joined #openstack-keystone21:54
*** dnguyen has quit IRC22:01
*** aojea has quit IRC22:02
*** dnguyen has joined #openstack-keystone22:02
*** felipemonteiro has quit IRC22:12
*** rcernin has joined #openstack-keystone22:24
*** bnemec has quit IRC22:25
*** dnguyen has quit IRC22:55
*** dnguyen has joined #openstack-keystone22:57
*** threestrands has joined #openstack-keystone23:02
*** adriant has joined #openstack-keystone23:08
kmalloclbragstad: sorry i needed a nap after this last weekend.23:20
kmalloclbragstad: i'm back now, we should chat more about that render_token bit now that i'm awake23:20
kmallocwhen you're back23:20
*** idlemind has quit IRC23:38
*** gyee has quit IRC23:46
« Monday, 2018-10-22 Index Wednesday, 2018-10-24 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!