Thursday, 2018-12-13

*** erus has quit IRC [00:01]
*** erus has joined #openstack-keystone [00:04]
*** itlinux has joined #openstack-keystone [00:11]
*** itlinux has quit IRC [00:11]
*** dklyle has joined #openstack-keystone [00:53]
*** gyee has quit IRC [01:08]
*** dave-mccowan has joined #openstack-keystone [01:17]
*** erus has quit IRC [01:44]
*** Dinesh_Bhor has joined #openstack-keystone [01:59]
*** Dinesh_Bhor has quit IRC [02:09]
*** Dinesh_Bhor has joined #openstack-keystone [02:10]
*** dave-mccowan has quit IRC [02:14]
*** itlinux has joined #openstack-keystone [02:18]
*** mhen has quit IRC [02:27]
*** mhen has joined #openstack-keystone [02:28]
*** gagehugo has quit IRC [02:55]
openstackgerrit: Merged openstack/keystone master: Bump oslo.policy and oslo.context versions https://review.openstack.org/623248 [03:04]
openstackgerrit: Merged openstack/keystone master: Remove example usage from admin guide https://review.openstack.org/624637 [03:19]
openstackgerrit: Merged openstack/keystone master: Delete outdated keystonemiddleware doc https://review.openstack.org/624645 [03:19]
openstackgerrit: Merged openstack/keystone master: Move identity sources doc to admin guide https://review.openstack.org/624351 [03:19]
*** dklyle has quit IRC [03:22]
*** imus has quit IRC [03:28]
*** erus has joined #openstack-keystone [03:43]
*** gagehugo has joined #openstack-keystone [04:04]
*** itlinux has quit IRC [04:11]
*** itlinux has joined #openstack-keystone [04:43]
*** itlinux has quit IRC [05:11]
*** gagehugo has quit IRC [05:12]
*** rcernin has quit IRC [07:09]
*** pcaruana has joined #openstack-keystone [07:12]
*** dklyle has joined #openstack-keystone [08:07]
*** imacdonn has quit IRC [08:23]
*** imacdonn has joined #openstack-keystone [08:24]
*** dklyle has quit IRC [08:27]
*** Dinesh_Bhor has quit IRC [08:31]
*** Dinesh_Bhor has joined #openstack-keystone [08:32]
*** xek has joined #openstack-keystone [08:32]
*** rledisez has joined #openstack-keystone [08:41]
*** amoralej|off is now known as amoralej [09:02]
openstackgerrit: Neha Alhat proposed openstack/python-keystoneclient master: Add return-request-id-to-caller function(v3/contrib) https://review.openstack.org/624898 [09:09]
*** trident has quit IRC [09:16]
*** trident has joined #openstack-keystone [09:19]
*** sayalilunkad has quit IRC [09:31]
*** erus has quit IRC [09:39]
*** erus has joined #openstack-keystone [09:42]
*** markvoelker has joined #openstack-keystone [09:46]
*** erus has quit IRC [09:49]
*** erus has joined #openstack-keystone [09:51]
*** erus has quit IRC [09:57]
*** mpasserini1 has joined #openstack-keystone [10:11]
*** erus has joined #openstack-keystone [10:14]
*** trident has quit IRC [10:15]
*** trident has joined #openstack-keystone [10:15]
*** erus has quit IRC [10:19]
*** erus has joined #openstack-keystone [10:22]
*** mvkr has quit IRC [10:24]
*** erus has quit IRC [10:29]
*** sayalilunkad has joined #openstack-keystone [10:35]
*** erus has joined #openstack-keystone [10:36]
*** mvkr has joined #openstack-keystone [10:56]
*** mvkr has quit IRC [11:16]
*** mvkr has joined #openstack-keystone [11:16]
*** tobias-urdin is now known as tobias-urdin_afk [11:41]
*** tobias-urdin_afk is now known as tobias-urdin [11:42]
*** tobias-urdin is now known as tobias-urdin_afk [11:43]
*** amoralej is now known as amoralej|lunch [12:03]
*** raildo has joined #openstack-keystone [12:08]
*** Dinesh_Bhor has quit IRC [12:14]
*** shrasool has joined #openstack-keystone [12:14]
*** markvoelker has quit IRC [12:24]
openstackgerrit: Colleen Murphy proposed openstack/keystone master: Consolidate service catalog docs https://review.openstack.org/624673 [12:33]
openstackgerrit: Colleen Murphy proposed openstack/keystone master: Reorganize admin guide https://review.openstack.org/624972 [12:33]
*** tobias-urdin_afk is now known as tobias-urdin [12:53]
*** markvoelker has joined #openstack-keystone [13:10]
openstackgerrit: Ghanshyam Mann proposed openstack/keystone master: Add irrelevant-files for grenade-py3 jobs https://review.openstack.org/624988 [13:14]
*** amoralej|lunch is now known as amoralej [13:27]
*** irclogbot_1 has quit IRC [13:30]
*** irclogbot_1 has joined #openstack-keystone [13:46]
*** yan0s has joined #openstack-keystone [13:48]
yan0s: hi all, [13:48]
yan0s: can you tell me in which mysql table I can find the user-role relation> [13:48]
yan0s: ? [13:48]
yan0s: I guess local_user - role [13:49]
*** irclogbot_1 has quit IRC [13:52]
*** stuartgr has joined #openstack-keystone [13:56]
*** markvoelker has quit IRC [14:03]
lbragstad: yan0s that's going to be in the assignment and system_assignment tables [14:05]
*** irclogbot_1 has joined #openstack-keystone [14:09]
*** imus has joined #openstack-keystone [14:10]
*** mchlumsky has joined #openstack-keystone [14:22]
jrosser: could i get some advice about integration between ceph radosgw and keystone, specifically this https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/s3_token.py [14:25]
*** irclogbot_1 has quit IRC [14:27]
jrosser: we are load testing radosgw and each s3 request results in a POST to the s3token keystone endpoint, which is causing enormous load on the keystone api processes [14:28]
yan0s: so I have accidentally deleted the admin role [14:32]
yan0s: how can I use the cli client with the OS_TOKEN ? [14:32]
yan0s: openstack --os-token $OS_TOKEN --os-url http://10.0.0.28:5000/v3 role add --project admin --user admin admin [14:33]
yan0s: this seems not to be enough [14:33]
yan0s: I get The request you have made requires authentication. (HTTP 401) [14:34]
*** irclogbot_1 has joined #openstack-keystone [14:35]
*** markvoelker has joined #openstack-keystone [14:36]
ayoung: yan0s, needs to be enabled in the config file.  Or rerun bootstrap [14:37]
ayoung: bootstrap is your best bet, I think; [14:37]
ayoung: https://docs.openstack.org/keystone/pike/admin/identity-bootstrap.html [14:37]
cmurphy: yes bootstrap will recover the admin role [14:37]
yan0s: I'm using juju so I'm not sure that's the best way [14:42]
yan0s: for me [14:42]
openstackgerrit: Colleen Murphy proposed openstack/keystone-specs master: Add spec for immutable roles https://review.openstack.org/624692 [14:48]
cmurphy: yan0s: does juju use the bootstrap command? rerunning it manually should be safe and idempotent [14:50]
*** Shilpa has joined #openstack-keystone [14:59]
*** gagehugo has joined #openstack-keystone [14:59]
*** ShilpaSD has quit IRC [15:02]
gagehugo: o/ [15:02]
*** itlinux has joined #openstack-keystone [15:07]
*** mpasserini1 has quit IRC [15:25]
*** markvoelker has quit IRC [15:38]
openstackgerrit: Moisés Guimarães de Medeiros proposed openstack/oslo.policy master: WIP: Use oslo.config instead of argparse. https://review.openstack.org/625038 [16:00]
*** yan0s has quit IRC [16:04]
*** alexchadin has joined #openstack-keystone [16:07]
*** morgan is now known as kmalloc [16:09]
*** alexchadin has quit IRC [16:10]
kmalloc: jrosser: that isn't surprising. radosgw (and most s3 requests in openstack) do not cache relevant responses. [16:11]
kmalloc: cmurphy: ++ on the immutable resource option [16:11]
kmalloc: cmurphy: spec. it's also why I added the resource-options-for-all spec :) [16:11]
jrosser: kmalloc: are those responses cacheable in theory? [16:39]
kmalloc: jrosser: the data / validation is cachable [16:40]
kmalloc: but the responses afaik are not [16:40]
kmalloc: because it's signed [16:40]
kmalloc: it's one of those tough things to deal with [16:40]
kmalloc: so you have to cache the key data directly rather than the response from keystone [16:41]
kmalloc: it's ... weird. [16:41]
kmalloc: jrosser: also ... i thought we punted that middleware over to the swift3 team. [16:42]
timburke: yes, and now it's back in upstream swift [16:43]
kmalloc: timburke: let me open a bug to officially deprecate that in ksm package then [16:44]
timburke: jrosser: as of https://review.openstack.org/#/c/603529/ it's even got caching [16:44]
kmalloc: timburke: thanks, i thought so. [16:44]
kmalloc: timburke: yay caching! [16:44]
jrosser: so if i was wanting to improve this, where should i start? [16:44]
jrosser: because i'm doing 700 req/sec S3 and that's crippling keystone [16:45]
kmalloc: timburke: i'll tag you on my review to officially deprecate in ksm shortly [16:45]
kmalloc: timburke: then in a cycle or two we can just drop the KSM code :) [16:45]
kmalloc: timburke: will reduce confusion i think [16:45]
*** shrasool has quit IRC [16:45]
timburke: jrosser: i *think* https://github.com/openstack/swift/blob/master/swift/common/middleware/s3api/s3token.py should be a drop-in replacement for whichever version you're currently using -- you could try it out, see how it goes [16:46]
timburke: kmalloc: sounds good [16:46]
kmalloc: cmurphy: i'd like to see immutable expanded to users, projects, roles, etc as well [16:47]
kmalloc: cmurphy: ftr. [16:47]
cmurphy: kmalloc: okay [16:48]
cmurphy: kmalloc: what, if anything, besides roles should default to immutable in bootstrap? [16:48]
cmurphy: admin user? [16:48]
kmalloc: cmurphy: hmmmmm nothing from bootstrap but the roles imop [16:48]
kmalloc: imo* [16:48]
cmurphy: mmk [16:48]
kmalloc: but the option should be there for the other resources. [16:48]
kmalloc: i can totally see folks wanting to secure those things. [16:49]
jrosser: timburke: thanks! we'll certainly have a go with that [16:49]
kmalloc: and i expect immutable to disable update of anything *except* the immutable flag, so it works like chattr +i does (rough analogue) [16:49]
kmalloc: i see resource_options as being like extended attributes in the linux filesystem (in broad strokes) [16:50]
*** erus has quit IRC [16:57]
*** erus has joined #openstack-keystone [16:59]
ayoung: kmalloc, what do you think of the following:  we have 2 read only roles. one called auditor, which is essentially a read-only admin role.  The other is called reader, and is a read only role for member level operations. [18:03]
ayoung: would it make sense to align behind that approach?  I think the reader vs. auditor split is valuable [18:05]
*** gyee has joined #openstack-keystone [18:09]
kmalloc: uhm. [18:26]
kmalloc: hmmm. [18:26]
kmalloc: so, i think it doesn't matter what we call it [18:27]
kmalloc: i think it's going to come down to what we define the roles as, system and non-system scope [18:27]
kmalloc: one reader role, one two. one called auditor, one that is called omg-im-not-really-an-admin [18:28]
kmalloc: define what you want the roles to be able to do. [18:28]
kmalloc: naming is fairly irrelevant [18:28]
lbragstad: i'd rather have one instead of two [18:30]
lbragstad: scoping answers part of the question for us [18:30]
lbragstad: http://lists.openstack.org/pipermail/openstack-discuss/2018-December/000907.html [18:30]
*** mvkr has quit IRC [18:40]
*** jmlowe has quit IRC [18:47]
* lbragstad steps away for lunch [18:52]
*** amoralej is now known as amoralej|off [19:00]
*** imus has quit IRC [19:04]
*** jmlowe has joined #openstack-keystone [19:12]
*** mvkr has joined #openstack-keystone [19:21]
*** pcaruana has quit IRC [19:47]
*** ayoung has quit IRC [19:49]
*** shrasool has joined #openstack-keystone [19:54]
kmalloc: lbragstad: right. As long as we define it and document it [20:13]
kmalloc: it'll work [20:14]
lbragstad: yeah - i just don't want to have operators needing to deal with one reader role meaning something and another meaning something else [20:15]
lbragstad: or having different intended usages [20:16]
lbragstad: (e.g., reader is end user specific, but auditor isn't) [20:16]
openstackgerrit: Merged openstack/keystone master: Remove message about circular role inferences https://review.openstack.org/624553 [20:24]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Implement system reader role for projects https://review.openstack.org/624215 [20:25]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Implement system member role project test coverage https://review.openstack.org/624216 [20:25]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Implement system admin role in project API https://review.openstack.org/624217 [20:25]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Implement domain reader functionality for projects https://review.openstack.org/624218 [20:25]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Implement domain member functionality for projects https://review.openstack.org/624219 [20:25]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Implement domain admin functionality for projects https://review.openstack.org/624220 [20:25]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Add explicit testing for project users and the project API https://review.openstack.org/624221 [20:25]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Remove project policies from policy.v3cloudsample.json https://review.openstack.org/624222 [20:25]
kmalloc: lbragstad: i just don't care if it's multiple roles or one as long as it's documented and defined. [20:35]
*** jmlowe has quit IRC [21:01]
*** markvoelker has joined #openstack-keystone [21:11]
*** raildo has quit IRC [21:21]
*** jmlowe has joined #openstack-keystone [21:22]
*** xek has quit IRC [21:26]
*** jmlowe has quit IRC [21:26]
*** tobias-urdin has quit IRC [21:32]
*** erus has quit IRC [21:36]
*** erus has joined #openstack-keystone [21:39]
*** erus has quit IRC [21:44]
*** jmlowe has joined #openstack-keystone [21:50]
*** erus has joined #openstack-keystone [21:57]
*** dklyle has joined #openstack-keystone [22:05]
*** markvoelker has quit IRC [22:06]
*** david-lyle has joined #openstack-keystone [22:09]
*** dklyle has quit IRC [22:12]
*** shrasool has quit IRC [22:18]
*** rcernin has joined #openstack-keystone [22:21]
*** david-lyle has quit IRC [22:23]
lbragstad: cmurphy good find on ^ [22:35]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Implement system reader role for projects https://review.openstack.org/624215 [22:35]
lbragstad: er... [22:35]
lbragstad: ^ [22:35]
lbragstad: i ended up finding several holes in the tests [22:35]
lbragstad: i'm sure there are more... but i added some inline comments on the usefulness of some of the functionality [22:36]
lbragstad: specifically for project users [22:36]
cmurphy: cool [22:36]
lbragstad: i'll wait until it gets another look or two before respinning the whole series [22:36]
*** itlinux has quit IRC [22:36]
cmurphy: i'll take another look tomorrow [22:36]
lbragstad: ack - thanks again [22:37]
*** lbragstad has quit IRC [22:37]
*** mchlumsky has quit IRC [22:45]
*** erus has quit IRC [23:11]
*** erus has joined #openstack-keystone [23:12]
*** aloga has quit IRC [23:32]
*** aloga has joined #openstack-keystone [23:32]
