Monday, 2018-12-17

<openstackgerrit> Zhongcheng Lao proposed openstack/keystone master: Fixes missing name on filtered queries https://review.openstack.org/623928 [01:13]
*** Dinesh_Bhor has joined #openstack-keystone [01:52]
*** dave-mccowan has joined #openstack-keystone [02:07]
*** Dinesh_Bhor has quit IRC [02:10]
*** Dinesh_Bhor has joined #openstack-keystone [02:21]
*** mhen has quit IRC [02:24]
*** mhen has joined #openstack-keystone [02:25]
*** dave-mccowan has quit IRC [02:47]
*** dklyle has joined #openstack-keystone [03:20]
*** lbragstad has joined #openstack-keystone [03:26]
*** ChanServ sets mode: +o lbragstad [03:26]
*** Dinesh_Bhor has quit IRC [03:51]
*** Dinesh_Bhor has joined #openstack-keystone [03:52]
*** itlinux has quit IRC [03:59]
*** itlinux has joined #openstack-keystone [04:29]
*** itlinux has quit IRC [04:30]
*** dklyle has quit IRC [05:16]
*** itlinux has joined #openstack-keystone [05:32]
*** rcernin has joined #openstack-keystone [05:46]
*** markvoelker has joined #openstack-keystone [05:47]
*** rcernin has quit IRC [05:47]
*** markvoelker has quit IRC [05:51]
*** Dinesh_Bhor has quit IRC [06:06]
*** rcernin has joined #openstack-keystone [06:09]
*** rcernin has quit IRC [06:09]
*** rcernin has joined #openstack-keystone [06:09]
*** rcernin has quit IRC [06:09]
*** Dinesh_Bhor has joined #openstack-keystone [06:41]
*** itlinux has quit IRC [07:09]
*** itlinux has joined #openstack-keystone [07:23]
*** Dinesh_Bhor has quit IRC [07:29]
*** Emine has joined #openstack-keystone [07:33]
*** Dinesh_Bhor has joined #openstack-keystone [07:35]
*** markvoelker has joined #openstack-keystone [07:48]
*** Dinesh_Bhor has quit IRC [07:57]
*** pcaruana has joined #openstack-keystone [08:18]
*** amoralej|off is now known as amoralej [08:31]
<openstackgerrit> wangxiyuan proposed openstack/keystone master: Ensure change is addressed for unified limit table https://review.openstack.org/621497 [08:37]
<openstackgerrit> wangxiyuan proposed openstack/keystone master: Add domain_id column for limit https://review.openstack.org/620202 [08:37]
<openstackgerrit> wangxiyuan proposed openstack/keystone master: Add domain level limit support - Manager https://review.openstack.org/621468 [08:37]
<openstackgerrit> wangxiyuan proposed openstack/keystone master: Add domain level limit support - API https://review.openstack.org/622773 [08:37]
<openstackgerrit> wangxiyuan proposed openstack/keystone master: Add domain level support for strict-two-level-model https://review.openstack.org/623153 [08:37]
<openstackgerrit> wangxiyuan proposed openstack/keystone master: Update project depth check https://review.openstack.org/623984 [08:37]
<openstackgerrit> wangxiyuan proposed openstack/keystone master: Release note for domain level limit https://review.openstack.org/624019 [08:37]
<openstackgerrit> wangxiyuan proposed openstack/keystone master: [api-ref] add domain level limit support https://review.openstack.org/624562 [08:37]
*** yan0s has joined #openstack-keystone [08:45]
*** alexchadin has joined #openstack-keystone [08:47]
*** Dinesh_Bhor has joined #openstack-keystone [09:17]
*** Dinesh_Bhor has quit IRC [09:56]
*** lbragstad has quit IRC [10:10]
*** xek has joined #openstack-keystone [10:16]
*** yan0s has quit IRC [10:30]
*** yan0s has joined #openstack-keystone [10:50]
*** raildo has joined #openstack-keystone [12:47]
*** markvoelker has quit IRC [13:05]
*** amoralej is now known as amoralej|lunch [13:12]
<openstackgerrit> Moisés Guimarães de Medeiros proposed openstack/oslo.policy master: Add ability for policy-checker to read configuration https://review.openstack.org/616659 [13:13]
*** sapd1__ has joined #openstack-keystone [13:18]
*** alexchadin has quit IRC [13:24]
*** dave-mccowan has joined #openstack-keystone [13:26]
*** erus has joined #openstack-keystone [13:39]
*** dave-mccowan has quit IRC [13:42]
*** gagehugo has joined #openstack-keystone [13:42]
*** mvkr has quit IRC [13:46]
*** pcaruana has quit IRC [13:50]
*** lbragstad has joined #openstack-keystone [13:58]
*** ChanServ sets mode: +o lbragstad [13:58]
*** lbragstad has quit IRC [13:59]
<openstackgerrit> Colleen Murphy proposed openstack/keystone master: DNM: test lower constraints change https://review.openstack.org/625601 [13:59]
*** lbragstad has joined #openstack-keystone [14:04]
*** ChanServ sets mode: +o lbragstad [14:04]
*** pcaruana has joined #openstack-keystone [14:05]
*** amoralej|lunch is now known as amoralej [14:06]
*** dave-mccowan has joined #openstack-keystone [14:07]
*** dave-mccowan has quit IRC [14:11]
*** mchlumsky has joined #openstack-keystone [14:11]
*** aojea_ has joined #openstack-keystone [14:16]
*** mvkr has joined #openstack-keystone [14:22]
*** beekneemech is now known as bnemec [15:00]
*** pcaruana has quit IRC [15:29]
<lbragstad> o/ [15:38]
*** itlinux has quit IRC [15:40]
<gagehugo> o/ [15:41]
*** pcaruana has joined #openstack-keystone [15:51]
*** dklyle has joined #openstack-keystone [15:59]
*** gyee has joined #openstack-keystone [16:10]
*** yan0s has quit IRC [16:17]
*** Emine has quit IRC [16:24]
*** pcaruana has quit IRC [16:28]
*** itlinux has joined #openstack-keystone [16:40]
*** Emine has joined #openstack-keystone [16:48]
<kmalloc> lbragstad: reminder, as of tomorrow i'm on vacation until ~jan 14 [17:11]
<kmalloc> i'll be turning my bouncer off [17:11]
<lbragstad> cool [17:11]
<lbragstad> see you next year then ;) [17:11]
<kmalloc> if there is an emergency, just drop me a line/text/ghangout [17:11]
<kmalloc> not that i expect it [17:11]
<kmalloc> but, hey i'm available if something really does come up [17:11]
* lbragstad has a feeling it is going to be pretty quiet [17:11]
*** erus has quit IRC [17:18]
*** erus has joined #openstack-keystone [17:18]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Remove protocol policies from v3cloudsample.json https://review.openstack.org/625357 [17:18]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Remove protocol policies from v3cloudsample.json https://review.openstack.org/625357 [17:19]
<kmalloc> that's the hope [17:25]
<kmalloc> but you know, sometimes... sometimes it isn't quiet [17:26]
*** sapd1__ has quit IRC [17:29]
*** Emine has quit IRC [17:54]
*** Emine has joined #openstack-keystone [17:54]
*** Emine has quit IRC [17:58]
<lbragstad> stepping away to grab lunch [18:07]
*** ayoung has joined #openstack-keystone [18:11]
*** imacdonn has quit IRC [18:24]
*** imacdonn has joined #openstack-keystone [18:24]
*** amoralej is now known as amoralej|off [18:33]
*** mvkr has quit IRC [18:44]
*** mchlumsky has quit IRC [19:09]
*** Emine has joined #openstack-keystone [19:10]
*** erus has quit IRC [19:15]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement system reader role for users https://review.openstack.org/605485 [19:17]
*** erus has joined #openstack-keystone [19:17]
*** mvkr has joined #openstack-keystone [19:20]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement system member role user test coverage https://review.openstack.org/623317 [19:25]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement system admin role in users API https://review.openstack.org/623318 [19:25]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement domain reader functionality for user API https://review.openstack.org/623319 [19:25]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement domain member functionality for user API https://review.openstack.org/623320 [19:25]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement domain admin functionality for user API https://review.openstack.org/623321 [19:25]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add explicit testing for project users and the user API https://review.openstack.org/623322 [19:25]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Remove user policies from policy.v3cloudsample.json https://review.openstack.org/623323 [19:25]
<openstackgerrit> Gage Hugo proposed openstack/keystone master: Ignore user/domain not found on initial validate https://review.openstack.org/625699 [19:53]
<openstackgerrit> Gage Hugo proposed openstack/keystone master: Add random pause when user/domain not found https://review.openstack.org/625700 [19:54]
<kmalloc> gagehugo: FYI that domain not found bit... that will severely impact test runtime [20:03]
<gagehugo> kmalloc: yup [20:03]
<gagehugo> unfortunately [20:04]
<kmalloc> gagehugo: potentially at least... i am generally against that. [20:04]
<gagehugo> I posted both of those to see what hurts worse [20:04]
<kmalloc> this is in fact a case where i'd like to see an option to enable or disable it. [20:04]
<gagehugo> sure [20:04]
<kmalloc> right. [20:04]
<kmalloc> we can hold on options for the moment [20:04]
<kmalloc> This one is one of those things i would like to see disabled for test cases / tempest outside of explicit testing [20:05]
<kmalloc> and it can be enabled by default... but i don't want to have a case where we blow out our test runtimes [20:05]
*** aojea has joined #openstack-keystone [20:05]
<kmalloc> if that makes sense. [20:05]
<gagehugo> yeah, I agree [20:06]
*** aojea_ has quit IRC [20:06]
<kmalloc> i'm mostly telling you cause i am on vacation soon(tm) for a while [20:06]
<kmalloc> :) [20:06]
<kmalloc> i also don't feel like my request for options should block work. [20:06]
<kmalloc> we can always add an option down the road if it's too slow. [20:06]
<kmalloc> so.. wait ignore user/domain not found... one [20:07]
<gagehugo> it shouldn't hurt normal operation, but all the integrated testing may suffer [20:07]
<kmalloc> what are we doing? [20:07]
<kmalloc> oh [20:07]
<kmalloc> just deferring the logic [20:07]
<kmalloc> don't do it that way. do not use uuid. [20:07]
<gagehugo> ok [20:08]
<kmalloc> while i would eat my hat if a uuid collided there is a chance [20:08]
<kmalloc> and if those collide you'd authorize someone [20:08]
<gagehugo> true [20:08]
<kmalloc> i'd use something that could never be an ID [20:08]
<kmalloc> but won't break the backend storage [20:08]
<kmalloc> i don't know what that is, but definitely not a uuid or a sha256/512 [20:09]
<gagehugo> hmm [20:12]
<kmalloc> yeah this one is hard. [20:15]
<kmalloc> it might need to be a fixed non-printable string [20:15]
<kmalloc> we control [20:15]
<kmalloc> or something like that [20:15]
<lbragstad> i just left a comment on both patches [20:17]
<lbragstad> so - what if we leveraged the pre/post hooks like we do with the RBAC enforcer? [20:18]
<lbragstad> we could set a flask specific variable for the request and handle that case for authentication, then write a post hook to raise exception.Unauthorized() if it's true [20:19]
<gagehugo> hmm [20:21]
<gagehugo> so we'd still go through the motions regardless, and then throw back unauthorized at the end [20:23]
<lbragstad> yeah [20:23]
<lbragstad> and if we have access to the flask context, we have access to the global variable [20:24]
<lbragstad> so if there are things that happen in the authentication flow that we need to special-case, we might be able to detect it easier [20:24]
<lbragstad> kinda keeping in line with cmurphy's suggestion of just processing as much as we can normally and then just throwing the error at the end [20:25]
<kmalloc> oh totally doable [20:26]
<kmalloc> the pre/post hooks are awesome for that [20:26]
<kmalloc> keep in mind that "g" is mutable by any code [20:26]
<lbragstad> right [20:26]
<kmalloc> so something loading in externally could change it. [20:26]
<kmalloc> we could create a dynamic key for each request on G for this [20:26]
<kmalloc> (probably should have done that for RBACEnforcer) [20:27]
<kmalloc> but it's still ultimately something we need to be aware of when leaning on it [20:27]
<kmalloc> but someone could break flask massively [20:27]
<kmalloc> if they sideload things that change "g" on us [20:27]
* kmalloc thinks [20:27]
<kmalloc> yeah just simple pre/post hooks might be the best bet [20:27]
<kmalloc> in known key/locations [20:27]
<lbragstad> the only thing that should be setting that flask variable should be authentication code [20:28]
<lbragstad> then it's really just a read-only thing [20:29]
<lbragstad> does that make sense gagehugo ? [20:33]
<gagehugo> yeah, I'll play around with it [20:33]
<kmalloc> just register it like the RBAC enforcer bits. [20:33]
<kmalloc> the pre/post hooks [20:34]
<gagehugo> ok [20:34]
* gagehugo is a flask padawan [20:34]
<kmalloc> also, if you do this, do it where setting a value prevents an exception [20:35]
<kmalloc> instead of the inverse. [20:35]
<kmalloc> e.g. don't set a "we need to throw an exception" set a "don't throw an exception" marker [20:35]
<gagehugo> ok [20:35]
<gagehugo> yeah [20:35]
<kmalloc> and you'll see a couple places where RBACEnforcer has explicit overrides (e.g. in middleware/normalizing/etc) [20:35]
<kmalloc> you'll need to add similar exceptions in the same places [20:35]
<kmalloc> and probably also hook into @unauthenticated_api [20:36]
<lbragstad> yeah - sounds like we do something really similar with the rbac enforcer anyway, so it might make for a good template [20:40]
*** aojea has quit IRC [20:42]
<gagehugo> ok [20:45]
* gagehugo goes to get a late lunch [20:47]
*** dmellado has quit IRC [21:05]
*** erus has quit IRC [21:17]
*** erus has joined #openstack-keystone [21:18]
*** Emine has quit IRC [21:23]
*** raildo has quit IRC [21:25]
*** rcernin has joined #openstack-keystone [21:28]
*** xek has quit IRC [21:44]
*** itlinux has quit IRC [22:42]
*** Emine has joined #openstack-keystone [23:04]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement system reader role for groups https://review.openstack.org/625732 [23:08]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement system member test coverage for groups https://review.openstack.org/625733 [23:08]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement system admin role in groups API https://review.openstack.org/625734 [23:08]
*** Emine has quit IRC [23:08]
*** itlinux has joined #openstack-keystone [23:33]
*** Emine has joined #openstack-keystone [23:59]
