Thursday, 2019-03-14

*** jamesmcarthur has joined #openstack-keystone		00:13
*** jamesmcarthur has quit IRC		00:16
*** erus has quit IRC		00:16
*** jamesmcarthur has joined #openstack-keystone		00:16
*** erus has joined #openstack-keystone		00:16
*** xek has joined #openstack-keystone		00:23
*** dklyle has quit IRC		00:31
*** dklyle has joined #openstack-keystone		00:31
*** jamesmcarthur has quit IRC		00:31
*** gyee has quit IRC		00:39
*** dklyle has quit IRC		00:46
*** jamesmcarthur has joined #openstack-keystone		00:57
*** jamesmcarthur has quit IRC		00:57
*** jamesmcarthur has joined #openstack-keystone		00:57
*** jamesmcarthur has quit IRC		01:23
*** jamesmcarthur has joined #openstack-keystone		01:24
*** jamesmcarthur has quit IRC		01:26
*** jamesmcarthur has joined #openstack-keystone		01:27
*** adriant has joined #openstack-keystone		01:33
*** whoami-rajat has joined #openstack-keystone		02:02
*** jamesmcarthur has quit IRC		02:47
*** dave-mccowan has joined #openstack-keystone		02:49
*** dave-mccowan has quit IRC		02:54
*** hoonetorg has quit IRC		02:59
*** erus has quit IRC		02:59
*** erus has joined #openstack-keystone		03:00
*** hoonetorg has joined #openstack-keystone		03:12
*** jamesmcarthur has joined #openstack-keystone		03:13
*** jamesmcarthur has quit IRC		03:17
*** vishakha has joined #openstack-keystone		03:56
*** lbragstad has quit IRC		05:00
vishakha	lbragstad: Could you elaborate about https://review.openstack.org/#/c/642102/	06:24
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Add role assignment test coverage for domain members https://review.openstack.org/638593	06:58
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Add role assignment test coverage for domain admins https://review.openstack.org/638597	06:59
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Add role assignment testing for project users https://review.openstack.org/639718	06:59
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Add role assignment testing for project users https://review.openstack.org/639718	07:03
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Remove assignment policies from policy.v3cloudsample.json https://review.openstack.org/640943	07:06
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Remove assignment policies from policy.v3cloudsample.json https://review.openstack.org/640943	07:12
*** markvoelker has quit IRC		07:19
*** pcaruana has joined #openstack-keystone		08:07
*** awalende has joined #openstack-keystone		08:08
*** pcaruana has quit IRC		08:11
*** tkajinam__ has quit IRC		08:13
openstackgerrit	Chason Chan proposed openstack/keystone master: Fix the incorrect release name of project guide https://review.openstack.org/642972	08:18
*** erus has quit IRC		08:18
*** erus has joined #openstack-keystone		08:19
cmurphy	rm_work: thanks for looking, responded and will fix if necessary	08:23
rm_work	kk :)	08:23
*** pcaruana has joined #openstack-keystone		08:23
*** hoonetorg has quit IRC		08:32
*** hoonetorg has joined #openstack-keystone		08:45
rm_work	cmurphy: the commit you quoted is the wrong one	09:20
cmurphy	rm_work: oh, I see I was confusing Rocky with ROCKY	09:24
rm_work	yeah	09:24
rm_work	https://github.com/openstack/oslo.log/commit/d68a895ee8e61b5c9d4ef368e7f04252e84649e9	09:25
cmurphy	fixed	09:27
rm_work	thx :)	09:27
*** pcaruana has quit IRC		09:48
openstackgerrit	Pavlo Shchelokovskyy proposed openstack/keystone master: DNM test bootstrap under more sec-comp https://review.openstack.org/643266	10:09
pas-ha	strange, https://review.openstack.org/#/c/638398/ hangs in 'Ready to Submit' with +2+W o_0 should I probably rebase it? it is based on not latest patchset of the parent change in a series	10:11
pas-ha	cmurphy: can you take a look?	10:11
cmurphy	pas-ha: i think you'll have to rebase it, it's based on ps1 of https://review.openstack.org/638397	10:13
pas-ha	yep, will do now	10:13
openstackgerrit	Pavlo Shchelokovskyy proposed openstack/keystone master: Mention allow_expired_window in fernet FAQ https://review.openstack.org/638398	10:14
*** erus has quit IRC		10:14
cmurphy	reapproved	10:14
pas-ha	thanks :-)	10:14
*** erus has joined #openstack-keystone		10:14
openstackgerrit	Merged openstack/keystone master: Mention allow_expired_window in fernet FAQ https://review.openstack.org/638398	11:06
*** pcaruana has joined #openstack-keystone		11:32
*** dave-mccowan has joined #openstack-keystone		11:46
*** erus has quit IRC		11:46
*** erus has joined #openstack-keystone		11:46
*** raildo has joined #openstack-keystone		12:39
*** jamesmcarthur has joined #openstack-keystone		12:47
erus	o/	12:59
*** breton has quit IRC		12:59
*** dklyle has joined #openstack-keystone		13:01
knikolla	o/	13:08
*** vishakha has quit IRC		13:24
*** lbragstad has joined #openstack-keystone		13:26
*** ChanServ sets mode: +o lbragstad		13:26
*** jamesmcarthur has quit IRC		13:27
efried	Hello people, especially those like mordred and cmurphy who know things about service catalogs!	13:36
ayoung	Uh oh	13:38
efried	I see this:	13:38
efried	{"endpoints": [{"url": "https://198.72.124.146/baremetal", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "291bd0b6757442e5a85194c0cd4ea1af"}], "type": "baremetal", "id": "d199b74eb26e4309be92c89d08188fdb", "name": "ironic"}], "user": {"password_expires_at": null, "domain": {"id": "default", "name": "Default"}, "id": "a5235b0353dc4ceb8866e40224c3ad89", "name": "tempest-BaremetalBasicOpsAndRescue	13:38
efried	["MU18vYw5SAycqg1UwAJDsQ"], "issued_at": "2019-03-13T00:10:34.000000Z"}	13:38
efried	...which looks to me like the ironic API isn't producing proper versioned endpoint data	13:38
cmurphy	efried: you mean in the service catalog?	13:39
efried	cmurphy: I... think so?	13:39
cmurphy	that endpoint is set by the operator	13:39
cmurphy	it should be okay for it to be unversioned	13:39
efried	It's hard for me to tell. I don't have a way to set this up locally, so I'm trying to piggback on a CI job.	13:40
cmurphy	efried: where do you see it?	13:40
efried	http://logs.openstack.org/99/642899/2/check/ironic-tempest-ipa-wholedisk-bios-agent_ipmitool-tinyipa/3832d5c/job-output.txt.gz#_2019-03-13_00_10_47_729947	13:41
efried	here's a bit of the backstory:	13:42
efried	I'm trying to get rid of ironicclient	13:42
efried	So I wrote something that, for one particular API call, bypasses ironicclient and goes directly through the ksa adapter: https://review.openstack.org/#/c/642899/	13:42
efried	I'm getting EndpointNotFound()	13:42
efried	http://logs.openstack.org/99/642899/2/check/ironic-tempest-ipa-wholedisk-bios-agent_ipmitool-tinyipa/3832d5c/controller/logs/screen-n-cpu.txt.gz?#_Mar_13_00_10_37_081097	13:42
lbragstad	did you pull that snippet from the token body?	13:43
cmurphy	efried: that endpoint "url": "https://198.72.124.146/baremetal" is set by devstack so it should be correct	13:43
efried	so I went and looked at the configs, which... seem fine? (The only weirdness I noticed was that nova.conf's ironic section is using admin creds instead of service creds - not sure if that's significant)	13:43
lbragstad	https://docs.openstack.org/keystone/latest/contributor/service-catalog.html introductory doc for devs consuming service catalogs	13:43
efried	lbragstad: the snippet comes from me searching the devstack log for 'catalog' and finding a json dump of what looks like a service catalog? At least, the other services listed in there seem to have versioned endpoints listed.	13:44
efried	looking at where that EndpointNotFound is coming from, it looks like get_endpoint, which would be odd, because the nova path that works - the one that's feeding an already-determined endpoint to ironicclient - is using get_endpoint to do it.	13:46
*** jamesmcarthur has joined #openstack-keystone		13:46
cmurphy	with the discovery mechanism in ksa it should be okay for it to be unversioned, ksa will figure out the right thing	13:46
cmurphy	so you must be circumventing that somehow	13:46
*** vishakha has joined #openstack-keystone		13:47
efried	heh, my whole purpose in life right now is to stop circumventing it, which is what the ironicclient business does in various convoluted ways.	13:48
efried	that's the thing - the way the ironicclient is working, we may have been doing stuff wrong service catalog-wise for years and covering it up.	13:48
efried	though it's surely more likely to be my eff up.	13:48
efried	ks_loading.load_adapter_from_conf_options(	13:49
efried	CONF, confgrp, session=ksa_session, auth=ksa_auth,	13:49
efried	min_version=min_version, max_version=max_version, raise_exc=False)	13:49
efried	...where the session and the auth are the same ones ironicclient is using.	13:49
*** erus has quit IRC		13:49
efried	old path: we take that adapter and do get_endpoint() on it, and then pass that endpoint into ironicclient construction	13:50
vishakha	lbragstad: Could you elaborate about https://review.openstack.org/#/c/642102/. As I need also need to see for domain reader failing for assignments	13:50
*** erus has joined #openstack-keystone		13:50
lbragstad	vishakha sure - i can take a look	13:51
vishakha	lbragstad: Thanks.	13:52
vishakha	lbragstad: https://review.openstack.org/641925 needs one more +2.	13:53
* cmurphy reads nova code		13:53
mordred	efried: looking	13:53
cmurphy	oh good mordred is here	13:54
efried	cmurphy: couple years ago I (with help from mordred) reworked the way nova talks to ironic so we could import all the ksa conf options and sort of use them.	13:56
mordred	yeah. that was some fun	13:56
efried	so before that, the conf just had a direct API endpoint in it; and now we're trying to use the service catalog in some way	13:56
mordred	I keep wanting to followup on that and get you some code that just makes you an sdk connection object	13:56
efried	but the ironicclient was still in the way, so basically we're now constructing a whole ksa adapter, getting the endpoint from it, and then throwing the rest of it away. The endpoint gets passed down into ironicclient which constructs a whole nother ksa adapter with it.	13:57
efried	I'm trying to unwind that mess and go direct through the ksa adapter, starting with https://review.openstack.org/#/c/642899/	13:58
mordred	oh weird ... you're getting endpoint not found in catalog.	13:59
* mordred is still coffeeing - may take a few minutes to come all the way up to speed here		13:59
efried	mordred: But I'm getting EndpointNotFound at request time	14:00
efried	apparently the get_endpoint we did before constructing the ironicclient worked	14:01
efried	(I just added a debug log to verify that; but there's no other way the ironicclient construction would be working.)	14:01
mordred	efried: yeah. I mean ... ??what??	14:01
efried	heh. which part what?	14:02
mordred	all of it :)	14:02
efried	mordred: In this PoC I'm just trying to swap out one of the API calls to go direct vs through the ironicclient.	14:02
mordred	actually - ironicclient could be running discovery	14:02
efried	So I'm still building the ironicclient with the same session and auth as are going into the ksa adapter	14:03
efried	that ironicclient is built with an endpoint_override - which we get by doing get_endpoint() from the ksa adapter we (previously) threw away	14:03
mordred	that session is going to have that auth plugin attached to it, which means it'll have catalog/auth_url in it - so it's possible the get_endpoint is failing, triggering that exception, but falling through you get ironic_url = None and then ironicclient does something different	14:04
mordred	maybe	14:04
efried	if ironic_url = None, it should blow up. But that's why I'm logging it to make sure.	14:04
efried	we'll know in a bit, once that job runs.	14:04
mordred	it still doesn't explain why the adapter wouldn't work when you use it :)	14:04
efried	ikr	14:05
mordred	efried: I put in an autohold so we can poke on the node when it fails	14:07
mordred	efried: because that's ... very strange	14:07
efried	mordred: ooo, what's an autohold? That sounds... magical.	14:09
efried	is it a special power that only you have?	14:09
mordred	efried: well, I'm not the only one - but we can tell zuul that if a job fails, don't delete the node it ran on	14:09
efried	and then like log into it somehow	14:10
efried	that ^ is a power I don't have afaik	14:10
mordred	efried: useful sometimes for debugging extra strange things where otherwise one might be just submitting new print statements over and over again in a loop and waiting 3 hours	14:10
efried	yeah, that was the bit I wanted to avoid	14:10
mordred	efried: yah - once we've got the node, I'll put your ssh key on it	14:10
efried	nice	14:10
*** ksavich has joined #openstack-keystone		14:12
*** rcernin has quit IRC		14:17
* kmalloc is very interested in the result from the ironic-ksa node		14:41
brtknr	whats the fastest way to get valid keystone token? I've implemented this which does it in 50ms: https://github.com/brtknr/client-keystone-auth-python but I'd like to beat the go client which does it in 14ms...	14:46
cmurphy	brtknr: using keystoneauth would be faster than going through openstacksdk https://docs.openstack.org/keystoneauth/latest/	14:48
*** erus has quit IRC		14:48
cmurphy	not sure anything in python is going to beat go though	14:48
*** erus has joined #openstack-keystone		14:49
brtknr	cmurphy: thanks :) i'll give that a shot	14:49
ayoung	brtknr, Rust and direct HTTP calls	14:50
ayoung	https://github.com/dtantsur/rust-openstack	14:50
brtknr	Oooh nice, been meaning to dive into rust	14:51
*** mordred has quit IRC		14:51
ayoung	brtknr, but the real thing you want to do is reduce any additional calls. Python/Java whateve is going to kill you at start up, but after that it is a wash, and the real thing to look for is places where clients do negotiation of versioning. If you know you are going with the v3 api, password based auth, you can do the direct call via curl	14:52
ayoung	nothing is going to be faster than that. Then the trick is to optimize on the server side	14:52
ayoung	https://docs.openstack.org/keystone/pike/api_curl_examples.html	14:53
ayoung	that is CLI, and thus has to parse data, which you should be able to inline	14:53
ayoung	also, drop the service catalog, and make sure that the user only has direct assigned tokens, is not a member of any groups, anything that can optimize the data fetched on the server side	14:54
ayoung	hell, to really cheat, ask for an unscoped token	14:54
ayoung	brtknr, make sense?	14:54
brtknr	ayoung: yeah im trying to digest what youve said	14:56
*** mordred has joined #openstack-keystone		14:57
*** awalende has quit IRC		14:59
*** awalende has joined #openstack-keystone		14:59
*** awalende has quit IRC		15:04
*** awalende has joined #openstack-keystone		15:04
*** awalende has quit IRC		15:09
*** mordred has quit IRC		15:23
*** mordred has joined #openstack-keystone		15:29
openstackgerrit	Pavlo Shchelokovskyy proposed openstack/keystone master: DNM test bootstrap under more sec-comp https://review.openstack.org/643266	15:34
efried	mordred, kmalloc, cmurphy, lbragstad: (let me know if you want to be untagged from this topic) following the ksa->ironic thingy	15:47
efried	First thing, my debug log shows that ksa_adp.get_endpoint() worked:	15:47
efried	Mar 14 14:26:48 ubuntu-bionic-ovh-gra1-0003816856 nova-compute[14692]: ERROR nova.virt.ironic.client_wrapper [None req-09e1aeeb-4daf-4433-bf9b-ce3485658e78 None None] EFRIED: endpoint: https://217.182.142.75/baremetal	15:47
mordred	AWESOME	15:47
efried	well, it worked for the thing that happened before we got into doing the real request.	15:48
efried	haven't gotten any further yet.	15:48
efried	(I didn't instrument ksa itself)	15:48
kmalloc	Hm. It looks sane so far.	15:49
efried	still got the same EndpointNotFound later on	15:49
kmalloc	Like... It should be working...but it is doing something odd.	15:49
efried	which isn't surprising.	15:49
openstackgerrit	Pavlo Shchelokovskyy proposed openstack/keystone master: DNM test bootstrap under more sec-comp https://review.openstack.org/643266	15:50
mordred	efried: yeah. my AWESOME was sarcasm	15:51
mordred	efried: you're getting a different error in that patch	15:55
efried	I am?	15:55
mordred	Mar 14 14:27:47.473168 ubuntu-bionic-ovh-gra1-0003816856 nova-compute[14692]: ERROR nova.virt.ironic.driver [None req-23cfa410-9926-4c9f-90e9-bcbd0a56461f None None] An unknown error has occurred when trying to get the list of nodes from the Ironic inventory. Error: StrictVersion instance has no attribute 'version'	15:55
efried	mordred: oh, that was happening before too, seems to do that while everything is still coming up.	15:55
mordred	ok. cool	15:56
mordred	yeah - there's your traceback	15:56
efried	mordred: sooo ... is get_endpoint() only supposed to work once?	15:59
mordred	no - it should always work	16:00
mordred	however ...	16:00
mordred	hang on - checking something	16:00
*** ksavich has quit IRC		16:06
*** jmlowe has quit IRC		16:07
efried	mordred: I may be doing stuff wrong, but (in an ipython session) when I follow the exact steps to construct auth, session, and adapter from conf, that guy's get_endpoint() returns None.	16:07
mordred	but it prints one in the test	16:08
efried	yeah	16:08
efried	so why does it, like, work the first time, but not the second time?	16:08
mordred	efried: can you put the thing you did in ipython into a file so I can look at it?	16:08
efried	...	16:08
efried	mordred: /tmp/f	16:09
mordred	thanks	16:12
efried	mordred: you can see I tried a couple of different tacks	16:13
mordred	yeah	16:14
efried	mordred: here's an interesting thing: when I take the min/max microversion out of the ask, I get an endpointable adapter.	16:17
efried	In [36]: adap3 = utils.get_ksa_adapter('baremetal')	16:17
efried	In [37]: adap3.get_endpoint()	16:17
efried	Out[37]: u'https://217.182.142.75/baremetal'	16:17
efried	so...	16:17
mordred	oh - yeah	16:17
mordred	I mean	16:18
mordred	wait - you mean the min/max version	16:18
efried	In [38]: utils.get_ksa_adapter('baremetal').get_endpoint()	16:19
efried	Out[38]: u'https://217.182.142.75/baremetal'	16:19
efried	In [39]: utils.get_ksa_adapter('baremetal', min_version=(1,46), max_version=(1, float('inf'))).get_endpoint()	16:19
efried	(that second thing returns None)	16:19
efried	which still totally doesn't explain why tf my debug log worked.	16:19
efried	because the adapter that's being constructed there does include those version kwargs	16:19
mordred	yeah. I feel like we're missing something fundamental here	16:21
* efried tries something new...		16:22
mordred	efried: so - I think passing (1,46) to min_version of the adapater constructor is an error	16:24
mordred	efried: since that's min_version for the major api version - not for microversion	16:24
mordred	but ... that doesn't explain why the print worked	16:24
efried	mordred: then how tf is it working for the ir... yeah	16:24
mordred	that should just be min_version=1, max_version=1, float(inf)	16:24
mordred	since we're looking for version 1	16:24
mordred	or - we could just elide those altogether	16:25
efried	which I've demonstrated works in my session.	16:25
mordred	but min_version 1.46 really won't match id=v1	16:25
efried	whoah	16:26
efried	In [8]: utils.get_ksa_adapter('baremetal', min_version=(1,0), max_version=(1, float('inf'))).get_endpoint()	16:26
efried	Out[8]: u'https://217.182.142.75/baremetal/v1/'	16:26
efried	which took quite a long time to run, compared to the other bits	16:26
efried	assume because it was going to the service and doing some real discovery, where the other things weren't.	16:26
efried	but notably, there's now a v1 in there	16:26
efried	unless you've been twiddling the catalog?	16:26
mordred	nope. I mean - that's what the endpoint of the v1 service is	16:27
mordred	which is correct for that adapter to return	16:27
efried	okay, but there's no v1 when I ask for get_endpoint with an adap where I didn't specify versions.	16:27
efried	i.e. I get the unversioned endpoint.	16:28
efried	which makes sense intuitively I suppose	16:28
mordred	yeah. because you didn't ask for versions, so it doesn't do discovery	16:28
mordred	yeah	16:28
mordred	oh - you know what	16:28
efried	please tell me what	16:29
mordred	nova.utils.get_ksa_adapter passes raise_exc=False	16:29
efried	yes	16:29
mordred	does that cause it to not throw on issues and instead just fallback to the catalog url?	16:30
mordred	oh - you're using utils.get_ksa_adapter already in your tests here	16:30
efried	it causes actual requests to return Response when status >= 400 instead of raising HttpError	16:30
mordred	blast. yeah	16:30
efried	so I think I have a path forward - which is to twiddle that request to use (1, 0) instead of (1, 46) - though that'll remove some of the functionality we're trying to rely on (more on that in a sec) - but that still doesn't explain why my debug log is hitting.	16:31
mordred	no. it doesn't. and I'd like to figure that out	16:32
mordred	I believe what you want to do is pass 1.46 to default_microversion to the adapter	16:32
mordred	to get the thing you're aiming to do	16:32
efried	re version negotiation: by specifying min=1.46 we're trying to say the ironic service must be at least capable of a certain level. IIUC that's a nonstarter unless the service catalog exposes versioned endpoints, which it's not doing right now (right??)	16:32
mordred	it's a non-starter regardless. discovery doesn't work that way	16:33
efried	Yeah, I don't think I want to say default_microversion. I want to say "blow up if server not capable of at least 1.46"	16:33
efried	I thought that was the whole point of discovery	16:33
efried	or more gently, "give me the endpoint that's capable of at least 1.46"	16:33
mordred	no - the whole point of discovery is to find the appropriate major api version. microversion negotiation is a per-call thingm - or you could do get_endpoint_data and then check to see what the min_microversion is	16:34
mordred	at least - I think that's right. I might also just be stupid	16:34
mordred	but for endpoint discovery, the versions being matched are major api versions	16:35
mordred	yeah. just re-read the docs we wrote way back when	16:36
efried	mordred: pushed a new rev where I build the "direct" adapter without the min/max version flaggage.	16:36
mordred	none of this explains why your log works though	16:36
mordred	efried: yeah -then I think for the nova case here we want to add a call to get_endpoint_data() and then do a version match on endpoint_data.min_microversion	16:37
efried	right. The args getting passed into ironicclient are getting used by ironicclient to do some manual (i.e. outside of ksa) version negotiation. But they should still be breaking that get_endpoint() call.	16:37
mordred	and throw an exception if the min_microversion is too low	16:37
mordred	yeah	16:37
mordred	completely agree	16:37
mordred	maybe add in some logs/prints to print out the arguments that are being passed - and maybe the adapter itself - is it possible something is getting mutated somewhere?	16:38
efried	mordred: um, real nova is monkey patching eventlet, and stuff.	16:38
mordred	yeah. but it's not like setting things into the adapter after it's been created is it?	16:39
mordred	efried: I wonder ... maybe ironicclient is mutating the session/auth objects somehow	16:39
efried	mordred: It is, almost without question, but we haven't created the ironicclient yet at that point.	16:40
mordred	yeah. so yeah - still doesn't explain why the first get_endpoint works	16:40
*** jamesmcarthur has quit IRC		16:42
*** emine__ has quit IRC		16:46
*** jamesmcarthur has joined #openstack-keystone		16:47
efried	mordred: so where from here? Do you want me to start throwing up interdependent patches that instrument ksa as well as nova? Or is there some way we could put in a breakpoint and attach to the n-cpu process at this point to poke around?	16:50
mordred	efried: not sure. it's really weird that we can't reproduce the same thing just by hand :(	16:52
efried	last time this kind of weirdness happened, it turned out to be because monkey_patch(eventlet)	16:52
efried	and when I say "this kind" I mean "happens in ipython but doesn't happen in nova"	16:52
efried	specifically, it was: deepcopy of an object raised an exception when it encountered an attribute that was a lock. But worked fine with eventlet thread patched.	16:53
*** jaosorior has quit IRC		16:57
*** jaosorior has joined #openstack-keystone		16:58
cmurphy	lbragstad: is https://bugs.launchpad.net/keystone/+bug/1805400 done? i don't see any more open changes for it	17:05
openstack	Launchpad bug 1805400 in OpenStack Identity (keystone) "The v3 role API should account for different scopes" [High,In progress] - Assigned to Lance Bragstad (lbragstad)	17:05
lbragstad	um - kind of?	17:06
lbragstad	i created that bug to contain global roles work and domain-specific role work	17:06
lbragstad	so far, i haven't gotten around to making the domain-specific role code consume scope-types properly	17:07
*** gyee has joined #openstack-keystone		17:07
cmurphy	oh got it	17:07
lbragstad	or default roles =/	17:07
cmurphy	sounds like a no then	17:07
lbragstad	but - if you want to reduce scope, close that one, and open another for domain-specific roles, i'm all for it	17:07
lbragstad	just depends on how you want to slice it	17:07
cmurphy	nah if it all has to do with roles and roles isn't done then let's keep it the way it is	17:08
lbragstad	ack	17:08
lbragstad	i still need to do a bit of investigation in the domain-specific roles stuff... those policies should be completely redundant when we implement scope checking on that API	17:09
lbragstad	afaict - scope types makes the entire domain-specific role work irrelevant	17:09
cmurphy	a namespaced role still makes sense for that use case i think	17:10
lbragstad	yeah - i think the functionality is fine, but it's unfortunate we modified the API to account for it	17:12
cmurphy	ah yeah	17:12
lbragstad	and afaict - domain-specific roles only make sense if you can open up role implications to domain admins/users	17:13
lbragstad	otherwise, domain-specific roles are still going to be cut off at the knees because operators need to deploy new policies to incorporate those roles	17:14
cmurphy	right	17:14
lbragstad	if my time-machine didn't have a broken rotatory-gutter and wasn't out of headlight fluid, i'd fire that bad boy up and go back in time to fix it ;)	17:16
cmurphy	damn that's some bad luck	17:17
lbragstad	psh - you're tellin' me	17:17
*** vishakha has quit IRC		17:34
kmalloc	yeah, but we can make implied roles more featureful.	18:29
kmalloc	realistically.	18:29
*** jamesmcarthur has quit IRC		18:30
*** jamesmcarthur has joined #openstack-keystone		18:33
*** gmann is now known as gmann_afk		18:51
*** awalende has joined #openstack-keystone		19:00
*** awalende has quit IRC		19:04
*** mvkr has quit IRC		19:10
openstackgerrit	Merged openstack/oslo.policy master: Corrects tox.ini snippet to point to config file https://review.openstack.org/643186	19:25
openstackgerrit	Merged openstack/keystone master: Fix the incorrect release name of project guide https://review.openstack.org/642972	19:28
openstackgerrit	erus proposed openstack/keystone master: Add new attribute to the federation protocol API https://review.openstack.org/637305	20:01
efried	mordred, kmalloc, cmurphy, lbragstad: The ironic job in https://review.openstack.org/#/c/642899/ is passing!	20:04
efried	we still don't know why the first get_endpoint is working, but we have a path forward \o/	20:05
kmalloc	well then.	20:07
kmalloc	i'll take that as a win	20:07
kmalloc	.... but weird.	20:07
openstackgerrit	Merged openstack/keystone master: Migrate keystone-dsvm-grenade-multinode job to Ubuntu Bionic https://review.openstack.org/641925	20:17
*** jamesmcarthur has quit IRC		20:36
*** erus has quit IRC		20:36
*** erus has joined #openstack-keystone		20:37
efried	kmalloc: Yeah, there's still something funky going on, but if I can get this effort finished up, it ain't gonna matter.	20:38
*** raildo has quit IRC		20:58
*** raildo has joined #openstack-keystone		21:06
openstackgerrit	Gage Hugo proposed openstack/keystone master: Small refactor for create nonlocal user https://review.openstack.org/643457	21:06
*** erus has quit IRC		21:06
*** dustinc has joined #openstack-keystone		21:07
*** erus has joined #openstack-keystone		21:07
*** raildo has quit IRC		21:09
*** itlinux has joined #openstack-keystone		21:18
*** whoami-rajat has quit IRC		21:31
*** erus has quit IRC		21:31
*** erus has joined #openstack-keystone		21:31
*** erus has quit IRC		21:45
*** pcaruana has quit IRC		22:21
*** gmann_afk is now known as gmann		22:40
*** rcernin has joined #openstack-keystone		23:00
*** tkajinam has joined #openstack-keystone		23:02
*** mvkr has joined #openstack-keystone		23:18
*** gyee has quit IRC		23:34

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!