Thursday, 2019-03-28

[00:27] <openstackgerrit> Ilya Sviridov proposed openstack/keystone master: IAM integration  https://review.openstack.org/648296
[00:45] *** lbragstad has joined #openstack-keystone
[00:45] *** ChanServ sets mode: +o lbragstad
[00:57] *** lbragstad has quit IRC
[00:58] *** jamesmcarthur has joined #openstack-keystone
[01:03] *** ileixe has joined #openstack-keystone
[01:07] *** jamesmcarthur has quit IRC
[01:13] *** awalende has joined #openstack-keystone
[01:16] *** gyee has quit IRC
[01:18] *** awalende has quit IRC
[01:35] *** sapd1 has joined #openstack-keystone
[02:12] *** jhesketh has joined #openstack-keystone
[02:58] *** whoami-rajat has joined #openstack-keystone
[03:28] *** erus has quit IRC
[03:29] *** erus has joined #openstack-keystone
[04:29] *** ileixe has quit IRC
[04:44] *** shyamb has joined #openstack-keystone
[04:47] *** rcernin has quit IRC
[04:47] *** erus has quit IRC
[04:47] *** erus has joined #openstack-keystone
[04:53] *** shyamb has quit IRC
[04:53] *** erus has quit IRC
[04:54] *** erus has joined #openstack-keystone
[04:57] *** ileixe has joined #openstack-keystone
[05:01] *** rcernin has joined #openstack-keystone
[05:03] *** shyamb has joined #openstack-keystone
[05:04] *** markvoelker has joined #openstack-keystone
[05:07] *** whoami-rajat has quit IRC
[05:48] *** erus has quit IRC
[05:48] *** erus has joined #openstack-keystone
[06:03] *** rcernin has quit IRC
[06:27] *** shyamb has quit IRC
[06:31] *** whoami-rajat has joined #openstack-keystone
[06:38] *** shyamb has joined #openstack-keystone
[06:47] *** rcernin has joined #openstack-keystone
[06:47] *** rcernin has quit IRC
[06:48] *** rcernin has joined #openstack-keystone
[07:02] *** ileixe has quit IRC
[07:02] *** phasespace has quit IRC
[07:03] *** ileixe has joined #openstack-keystone
[07:20] *** pcaruana has joined #openstack-keystone
[07:36] *** shyamb has quit IRC
[07:36] *** erus has quit IRC
[07:36] *** erus has joined #openstack-keystone
[07:46] *** shyamb has joined #openstack-keystone
[07:46] *** phasespace has joined #openstack-keystone
[07:48] *** rcernin has quit IRC
[07:48] *** erus has quit IRC
[07:49] *** erus has joined #openstack-keystone
[07:56] *** shyamb has quit IRC
[08:04] *** rcernin has joined #openstack-keystone
[08:09] *** tkajinam has quit IRC
[08:16] *** awalende has joined #openstack-keystone
[08:24] *** zlangi has joined #openstack-keystone
[08:26] *** erus has quit IRC
[08:26] *** erus has joined #openstack-keystone
[08:35] *** zlangi has quit IRC
[08:47] *** shyamb has joined #openstack-keystone
[09:18] *** ileixe has quit IRC
[09:29] *** ileixe has joined #openstack-keystone
[09:37] *** shyamb has quit IRC
[09:44] *** shyamb has joined #openstack-keystone
[10:00] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Raise METHOD NOT ALLOWED instead of 500 error on protocol create  https://review.openstack.org/648241
[10:00] <cmurphy> kmalloc: ^ fixed the unit test for that
[10:01] <cmurphy> can only get the expected flask response by using test_client()
[10:03] *** shyamb has quit IRC
[10:12] *** shyamb has joined #openstack-keystone
[10:26] *** melwitt has quit IRC
[10:32] *** melwitt has joined #openstack-keystone
[10:39] *** hoonetorg has quit IRC
[10:52] *** hoonetorg has joined #openstack-keystone
[11:09] *** mvkr has joined #openstack-keystone
[12:10] *** whoami-rajat has quit IRC
[12:20] *** markvoelker has quit IRC
[12:20] *** whoami-rajat has joined #openstack-keystone
[12:30] *** lbragstad has joined #openstack-keystone
[12:30] *** ChanServ sets mode: +o lbragstad
[12:38] *** shyamb has quit IRC
[12:45] *** jamesmcarthur has joined #openstack-keystone
[12:47] *** mchlumsky has joined #openstack-keystone
[12:49] *** lbragstad has quit IRC
[12:50] <jdennis> cmurphy: are the keystone meeting minutes archived somewhere (hopefully where you can search across all the minutes)
[12:50] *** shyamb has joined #openstack-keystone
[12:52] *** raildo has joined #openstack-keystone
[12:52] <cmurphy> jdennis: they're archived here http://eavesdrop.openstack.org/meetings/keystone/2019/ so not very searchable unless you want to download all of them
[12:56] <jdennis> cmurphy: thanks, I'm trying to research a customer RFE and there is a chance it was once a blueprint, last time I looked at keystone's bp list there were quite a few but now there are just 3, were the abandoned bp removed and if so are they archived somewhere?
[12:56] <cmurphy> jdennis: they were converted into RFE bugs, so you can probably find it in https://bugs.launchpad.net/keystone/+bugs?field.tag=rfe
[12:57] <jdennis> cmurphy: many thanks
[12:57] <cmurphy> you're welcome
[12:58] <jdennis> cmurphy: btw, that federation bug with mellon we worked on a while back required a fix to the Lasso library, that fix merged upstream recently
[13:00] *** ileixe has quit IRC
[13:00] <cmurphy> jdennis: good to hear, i suppose we should close the bug but i'm not sure when the fix will land in which distros/packages
[13:02] *** lbragstad has joined #openstack-keystone
[13:02] *** ChanServ sets mode: +o lbragstad
[13:04] <jdennis> cmurphy: the RFE I was researching was the ability to force a specific UUID when a user is created, I recall a discussion on this topic (at one of the OpenStack conferences?) and issues were raised but that's all I recall. Do you remember anything with respect to forcing a specific UUID to a user?
[13:05] <cmurphy> jdennis: it comes up fairly often
[13:05] <cmurphy> jdennis: this is what we have currently proposed http://specs.openstack.org/openstack/keystone-specs/specs/keystone/stein/explicit-domains-ids.html
[13:05] <cmurphy> ayoung has some patches up but they didn't make it into stein
[13:05] <jdennis> cmurphy: thanks
[13:07] *** lbragstad has quit IRC
[13:15] *** erus has quit IRC
[13:16] *** erus has joined #openstack-keystone
[13:17] *** lbragstad has joined #openstack-keystone
[13:17] *** ChanServ sets mode: +o lbragstad
[13:18] *** jhesketh has quit IRC
[13:26] *** itlinux has quit IRC
[13:26] *** shyamb has quit IRC
[13:27] <gagehugo> o/
[13:37] <lbragstad> good UGT
[13:37] <cmurphy> \o
[13:45] <zigo> Hi there.
[13:46] <zigo> What changed in Stein that makes it impossible for me to bootstrap the admin user correctly? What do I need to do?
[13:46] <zigo> A new role or something?
[13:46] <zigo> Looks like to me, there's some policy change or something...
[13:46] <zigo> Is it the new --bootstrap-service-name thing?
[13:49] <kmalloc> Thanks :)
[13:50] <zigo> Ah no, my bad.
[13:50] <zigo> Unrelated.
[13:50] <kmalloc> I was 2x checking if the 405 was really correct
[13:50] <zigo> So, what's wrong?
[13:50] <kmalloc> Otherwise it's good
[13:50] <cmurphy> zigo: what problem are you having?
[13:51] <cmurphy> kmalloc: i'm still slightly doubtful but will defer to you
[13:51] <kmalloc> Yeah let me confirm, I might respin to 404 this morning.
[13:51] <kmalloc> I just barely woke up 3 minutes ago. :P
[13:51] <zigo> cmurphy: You are not authorized to perform the requested action: identity:create_project. (HTTP 403) (Request-ID: req-b84c5980-c4f5-4cd1-8783-c6083d7382f4)
[13:51] <zigo> cmurphy: That's when my package does: openstack project create --or-show service --description "Default Debian service project"
[13:52] *** jamesmcarthur has quit IRC
[13:52] <zigo> This used to work in Rocky...
[13:52] <cmurphy> lbragstad: want to tackle that ^
[13:53] <lbragstad> zigo how are you bootstrapping the admin user?
[13:54] <knikolla> o/
[13:55] <zigo>         export OS_BOOTSTRAP_USERNAME=${ADMIN_USER_NAME}
[13:55] <zigo>         export OS_BOOTSTRAP_PROJECT_NAME=${ADMIN_TENANT_NAME}
[13:55] <zigo>         export OS_BOOTSTRAP_PASSWORD=${ADMIN_USER_PW}
[13:55] <zigo> su keystone -s /bin/sh -c 'keystone-manage bootstrap --bootstrap-role-name admin --bootstrap-service-name keystone --bootstrap-region-id regionOne --bootstrap-admin-url http://IP:5000 --bootstrap-public-url http://IP:5000 --bootstrap-internal-url http://IP:5000'
[13:55] *** erus has quit IRC
[13:55] <knikolla> adriant: whenever you are around i have a few questions about adjutant unit tests.
[13:55] <zigo> cmurphy: Like this...
[13:55] *** erus has joined #openstack-keystone
[13:57] <lbragstad> oh.. you're not getting that error when you do bootstrap per se
[13:57] <lbragstad> you're getting a 403 immediately after you run bootstrap and try creating a service project, right?
[14:02] <zigo> lbragstad: Exactly, yes.
[14:04] <zigo> When I'm supposed to be admin, and it's supposed to be ok ...
[14:04] <lbragstad> are you supplying policy overrides in your policy file?
[14:04] <zigo> lbragstad: What's that?
[14:04] <zigo> I'm just shipping the normal /etc/keystone/policy.json ...
[14:04] <lbragstad> does it contain anything?
[14:05] <zigo> lbragstad: Sure, all the rules generated by oslo-policy-sample-generator ...
[14:05] <zigo> When I edit it, and remove the restrictions, of course, it starts to work.
[14:05] <zigo> Though what I wonder is why can't the admin user do stuff by default ...
[14:05] <zigo> My Debian package hasn't changed much since Rocky.
[14:05] <lbragstad> what do the keystone logs say when you do this?
[14:06] <zigo> Looking ...
[14:07] <zigo> lbragstad: http://paste.openstack.org/show/748536/
[14:07] *** erus has quit IRC
[14:07] <zigo> the policy requires ['system'] scope <--- What's that?
[14:07] *** erus has joined #openstack-keystone
[14:08] <lbragstad> zigo it's a new concept that was introduced in Queens and we're starting to roll it out across projects, but heavily in keystone this release
[14:09] <lbragstad> zigo how familiar are you with RBAC authorization in OpenStack?
[14:09] <cmurphy> it should have no effect if [oslo_policy]/enforce_scope=false which should be the default
[14:09] <zigo> lbragstad: Well, I've been packaging OpenStack in Debian since 2011, wrote my own installer, etc...
[14:09] <lbragstad> unless there is an override
[14:09] <zigo> So I know what the roles are for.
[14:10] <lbragstad> zigo awesome
[14:10] <lbragstad> zigo system scope is a way for services to protect their deployment level APIs
[14:10] <lbragstad> ultimately, it's a way to solve the problem where anyone with the `admin` role on a project can do anything in the deployment by default
[14:11] <zigo> cmurphy: You are right, it looks like enforce_scope is set to false by default.
[14:11] <lbragstad> zigo can you paste the actual policy check string for identity:update_project ?
[14:11] <cmurphy> zigo: but what lbragstad said is right, if you are overriding the policy files - which you are, if you're generating those files and installing them in /etc/keystone - then enforce_scope doesn't matter
[14:12] <lbragstad> enforce_scope = False will just give you a warning that someone is using the wrong scope to access a resource
[14:12] <lbragstad> (e.g., someone using a project-scoped token to update a project)
[14:12] *** mvkr has quit IRC
[14:13] <zigo> "identity:update_project": "role:admin and system_scope:all"
[14:13] <zigo> So, how do I get my script to gain the system_scope token type? :)
[14:13] * lbragstad grabs a link
[14:14] <lbragstad> so - it looks like oslo policy isn't OR'ing the policies when they are generated
[14:14] *** erus has quit IRC
[14:14] <lbragstad> also - if you're not overriding a policy, you probably don't need to have it in your policy file (which should help mitigate issues like this)
[14:15] <lbragstad> we keep all the defaults in code now
[14:15] *** erus has joined #openstack-keystone
[14:15] <zigo> lbragstad: Do you mean I should replace the "and" by an "or" ?
[14:15] <lbragstad> this is an example of how you would get a system-scoped token directly from the API https://developer.openstack.org/api-ref/identity/v3/index.html?expanded=token-authentication-with-scoped-authorization-detail#id30
[14:16] <lbragstad> oh - no
[14:16] <lbragstad> the default policy for identity:update_project is https://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/project.py#n129
[14:17] <zigo> lbragstad: Ok for the json bits, but in my Debian package maintainer script, I'm just with the shell ...
[14:17] <lbragstad> but - notice we deprecated the *old* policy, which was project specific
[14:17] <lbragstad> https://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies/project.py#n65 is the old policy
[14:17] <lbragstad> in the event the operator isn't overriding the policy
[14:17] <lbragstad> oslo.policy will apply a logical OR to those two policies
[14:18] <lbragstad> which allows for smoother upgrades
[14:18] <lbragstad> and less security holes when people switch to the new release
[14:18] <lbragstad> that's all that i meant by the oslo.policy OR comment
[14:20] <lbragstad> you can do something like `openstack project create --or-show service --description "some description" --os-system-scope all`
[14:20] <lbragstad> or you can specify it in an RC file
[14:20] <zigo> lbragstad: Can't I just use --os-system-scope all when I'm doing the bootstrapping?
[14:20] <lbragstad> or you can define system-scope in clouds.yaml https://pasted.tech/pastes/b7fe96e3a12fcaa4eecf8e87aa3d882776c1a20f.raw
[14:20] <zigo> My code is here: https://salsa.debian.org/openstack-team/services/keystone/blob/debian/stein/debian/keystone.postinst.in#L36
[14:21] <lbragstad> so line 93 is what fails?
[14:21] <zigo> Yeah...
[14:21] <zigo> And the lines after that...
[14:22] <lbragstad> so - you can add export OS_SYSTEM_SCOPE=all at line 42
[14:22] <zigo> Ah, thanks ! :)
[14:22] <lbragstad> `export OS_SYSTEM_SCOPE=all`
[14:23] <lbragstad> but...
[14:24] <zigo> Not working...
[14:24] *** erus has quit IRC
[14:24] <lbragstad> sorry - it might need to go up a level
[14:24] *** erus has joined #openstack-keystone
[14:24] <lbragstad> working on a diff for you
[14:24] <lbragstad> on sec
[14:24] <lbragstad> one sec*
[14:25] * zigo .oO( Hopefully, puppet-openstack is fixed for these bits already...)
[14:27] *** awalende has quit IRC
[14:27] *** jamesmcarthur has joined #openstack-keystone
[14:27] *** awalende has joined #openstack-keystone
[14:27] <zigo> FYI, I looked into https://docs.openstack.org/keystone/latest/admin/bootstrap.html and these things aren't documented at all. I would strongly suggest the team to edit the doc before the final release, otherwise, you won't get a happy debian developer kindly asking for help, but very frustrated users ! :)
[14:27] <kmalloc> The core of the issue seems to be the sample generator
[14:28] <kmalloc> You're overriding the in-code policy
[14:28] <lbragstad> https://pasted.tech/pastes/0267672e544438935dbcef2fa3115caada794d59.raw
[14:28] <kmalloc> By providing a policy file at all
[14:28] * lbragstad isn't sure if the sample generator should generate OR'd policies
[14:28] <kmalloc> It should not
[14:29] <zigo> Right, that's what I was saying: --os-system-scope all a bit everywhere ! :)
[14:29] <zigo> Thanks.
[14:29] <zigo> Will try that.
[14:29] <kmalloc> If no policy is overridden, there should be no policy on disk
[14:29] <kmalloc> On-disk policy is to change behavior, and prevent the "OR"
[14:30] <zigo> kmalloc: For Debian users, it's much nicer to have a plain text file that tells what's going on, rather than nothing.
[14:30] <zigo> Oh...
[14:30] <zigo> kmalloc: So, basically, if I remove the file, then everything will work again?
[14:30] <zigo> Got ya ...
[14:30] <kmalloc> It should!
[14:30] *** whoami-rajat has quit IRC
[14:30] <kmalloc> :)
[14:30] <zigo> Let me try then.
[14:30] <kmalloc> We might want to add a sample with deprecated option
[14:31] <kmalloc> For the cases like zigo, explicitly opted in to generate it and provide the "or"
[14:32] *** awalende has quit IRC
[14:32] <lbragstad> zigo but.. even if you remove the file, at some point in the future you might be in the same predicament
[14:32] <kmalloc> Yeah.
[14:32] <kmalloc> But that would be clearly in upgrade docs.
[14:32] <lbragstad> ultimately, you'll need to update clients to ask for the right scope when working with specific resourecs
[14:32] <lbragstad> resources*
[14:32] <lbragstad> for example, this would fix the issue for you https://pasted.tech/pastes/cb5b02a4edfdefea9739eac707f93a80f79003c7.raw
[14:33] <lbragstad> er... future-proof your script by always using a system-scoped token when dealing with project resources
[14:33] <kmalloc> I'll be back post coffee.
[14:33] <zigo> If I remove the policy.json, then keystone just crashes ...
[14:33] <zigo> FileNotFoundError: [Errno 2] No such file or directory: '/etc/keystone/policy.json'
[14:33] <zigo> So, not an option.
[14:33] <lbragstad> (because using a project-scoped token to access projects violates tenancy)
[14:33] <lbragstad> zigo remove the path to that file in your /etc/keystone/keystone.conf
[14:36] *** phasespace has quit IRC
[14:36] <lbragstad> you could be setting that file in keystone.conf https://docs.openstack.org/keystone/latest/configuration/config-options.html#oslo_policy.policy_file
[14:37] *** yan0s has joined #openstack-keystone
[14:37] *** mvkr has joined #openstack-keystone
[14:38] <zigo> lbragstad: If I set policy_file to empty, then keystone tries to load /etc/keystone which is a directory, then fails and crashes ...
[14:38] <zigo> The only way I see that will fix my issue is to edit the policy.json and get rid of the system scope stuff there.
[14:38] <zigo> Which is quite annoying, and counter-productive considering what the team's done.
[14:39] <lbragstad> what do you have set in your configuration file that's policy related?
[14:40] <zigo> lbragstad: Absolutely nothing, just the default, as per the generated config file.
[14:41] <zigo> http://paste.openstack.org/show/748537/
[14:41] <zigo> That's my keystone.conf
[14:41] <zigo> Quite pristine ...
[14:41] <lbragstad> https://pasted.tech/pastes/e4a87a0ece29f49a4cde8de8990220892a1d4077.raw is what i have
[14:42] <zigo> This config I pasted is the one set by the package, which only sets the db and nothing more. I have a more rich thing in production, fixed by puppet-keystone.
[14:43] <lbragstad> that makes sense
[14:44] <lbragstad> does https://pasted.tech/pastes/cb5b02a4edfdefea9739eac707f93a80f79003c7.raw work for you?
[14:44] <zigo> Should I just sed -i 's/ and system_scope:all//g' ?
[14:44] <zigo> lbragstad: Nope, it fails too...
[14:44] <lbragstad> i wouldn't, because some day in the future we're going to remove the deprecated policies
[14:44] <lbragstad> on the same line?
[14:44] <zigo> Oh...
[14:44] <lbragstad> or on another line?
[14:46] <zigo> Nope, it fails too.
[14:47] <lbragstad> do you have a log?
[14:47] <zigo> Oh, hang on.
[14:47] <zigo> policy.json missing
[14:47] *** itlinux has joined #openstack-keystone
[14:49] <lbragstad> also - i removed the project specific bits since they're not need if you're only call system-specific APIs https://pasted.tech/pastes/a08473fc3de72bd9a5aa54ad166bd5d579e09833.raw
[14:50] <lbragstad> not needed*
[14:50] <zigo> I still get: You are not authorized to perform the requested action: identity:update_project.: keystone.exception.ForbiddenAction: You are not authorized to perform the requested action: identity:update_project.
[14:51] <zigo> Is it a security risk if I just get rid of the " and system_scope:all" in policy.json ?
[14:53] <lbragstad> yeah - it would be
[14:53] <zigo> :/
[14:53] <lbragstad> because then a user with `admin` on a project can modify projects
[14:53] <lbragstad> or the service catalog
[14:53] <lbragstad> you could just use a completely empty policy file, too
[14:53] <zigo> Well, why would I give the admin flag?
[14:53] <zigo> I mean role...
[14:56] <lbragstad> to allow APIs to be more self-serviceable might be an example of why someone would need admin on a project, or domain
[14:56] <lbragstad> but if you remove the override all together, the default and the deprecated default should be pulled from keystone
[14:57] <zigo> Well, told ya, when I set an empty value for policy_file, then keystone just crashes at start ... :/
[14:57] <zigo> So I can't just "remove the file".
[14:59] <lbragstad> that blows my mind, because i haven't used a policy file or defined one in configuration in a long time
[14:59] <lbragstad> what if you just remove the contents?
[15:01] *** erus has quit IRC
[15:01] *** erus has joined #openstack-keystone
[15:04] <zigo> trying...
[15:05] <lbragstad> bnemec any idea on that?
[15:07] <bnemec> I'm not sure you want to set an empty value for policy_file. That's not necessarily the same thing as leaving it unset.
[15:08] <lbragstad> well - i think the crux of it was that keystone was crashing when it *wasn't* set
[15:08] <lbragstad> which is strange because I haven't set a value for policy_file in keystone for a long time
[15:09] <bnemec> Yeah, but there's a default value of 'policy.json' in oslo.policy, so if your deployment is creating an empty one in the right location you might not notice.
[15:09] <bnemec> I have no idea if that's the case, but it's one possibility.
[15:10] <bnemec> Oh, and projects can override the default for that: https://github.com/openstack/oslo.policy/blob/master/oslo_policy/opts.py#L107
[15:11] <lbragstad> hmmm
[15:11] <lbragstad> http://paste.openstack.org/show/748537/ is the configuration file zigo is using
[15:12] <lbragstad> and for some reason keystone barfs on that but not on https://pasted.tech/pastes/e4a87a0ece29f49a4cde8de8990220892a1d4077.raw
[15:13] <bnemec> I assume keystone is failing on 'policy.json not found' or something like that?
[15:13] <zigo> lbragstad: An empty policy.json seems to do the trick.
[15:14] <zigo> But then how can I be sure that policy is enforced correctly?
[15:14] <lbragstad> with the system-scope changes to your installation script?
[15:14] <zigo> lbragstad: For the moment, yeah, it's there...
[15:14] <zigo> --os-system-scope all
[15:14] <lbragstad> ok
[15:15] <zigo> I can try without it.
[15:15] <lbragstad> https://pasted.tech/pastes/5a932d51c7c31945c242d2ca0915d894752fd123
[15:15] <lbragstad> ^ no policy file defined, no policy file on disk
[15:16] <lbragstad> and that allows me to do - https://pasted.tech/pastes/29a3a2c508c0e3825ff6afb9d5192c39ce731029
[15:16] <zigo> Looks like it all works without the --os-system-scope all thingy ...
[15:17] <zigo> So, I'll go for the empty policy.json file by default then.
[15:17] <zigo> Thanks a lot.
[15:17] <lbragstad> yeah - that's because keystone is applying a logical OR to the deprecated policy and the new default (which is system-specific)
[15:17] <zigo> Though the system-specific one seems kind of failing over, apparently ... :P
[15:17] <lbragstad> falling over?
[15:18] <zigo> Well, if there's only that one, then nothing works anymore, as you saw, with the policy.json file on disk.
[15:18] * lbragstad tries locally
[15:23] *** erus has quit IRC
[15:24] *** erus has joined #openstack-keystone
[15:25] <lbragstad> zigo bnemec https://pasted.tech/pastes/7ca657728bf0d3f5247ac2a16cb013718e59e81e.raw
[15:25] <lbragstad> so that's overriding the update_project policy in policy.yaml with the same policy that zigo was using
[15:25] <lbragstad> and using system-scope to access it from the APIO
[15:25] <lbragstad> API*
[15:26] <lbragstad> fwiw --os-cloud devstack-admin is a project-scoped context
[15:26] <lbragstad> --os-cloud devstack-system-admin is a system-scoped context
[15:28] *** smcginnis has joined #openstack-keystone
[15:28] *** jhesketh has joined #openstack-keystone
[15:33] <zigo> Ok, I'm uploading keystone to Debian with the empty policy.json trick then... :P
[15:33] *** erus has quit IRC
[15:33] <zigo> The package just checks if there's no policy.json in /etc/keystone, and creates an empty one if there's none, that's it.
[15:33] <zigo> So an admin can still override ...
[15:33] *** erus has joined #openstack-keystone
[15:33] <zigo> If the team says it's fine this way, then we're done! :)
[15:34] *** jhesketh has quit IRC
[15:35] <lbragstad> it should be fine since it'll just be using the policies that are registered in code, which should allow for smoother upgrades...
[15:35] <zigo> :)
[15:35] <lbragstad> but i find it weird that i can't recreate this issue where keystone crashes because the policy file doesn't exist
[15:35] <zigo> lbragstad: Are you using devstack?
[15:36] <lbragstad> yes
[15:36] <zigo> lbragstad: Wait for a bit when my package is uploaded to Debian Experimental, then you can try in Buster / Sid directly ...
[15:36] <lbragstad> ok
[15:36] <zigo> (Stein goes to Experimental, since Buster is in freeze and got Rocky in it)
[15:37] <zigo> FYI, for Stein, I switched Keystone to use uwsgi, like I'm doing for most OpenStack services these days.
[15:37] <lbragstad> nice
[15:51] *** erus has quit IRC
[15:51] *** erus has joined #openstack-keystone
[15:56] <cmurphy> there are a few more patches for master that we need asap so we can backport to stein https://review.openstack.org/#/c/647737/ https://review.openstack.org/647498 https://review.openstack.org/643937 https://review.openstack.org/647586 https://review.openstack.org/648241
[15:56] <cmurphy> lbragstad don't look
[15:57] <cmurphy> except for https://review.openstack.org/648241
[15:58] *** smcginnis has left #openstack-keystone
[16:00] <lbragstad> https://review.openstack.org/#/c/648241/3/keystone/tests/unit/test_v3_federation.py,unified@1547 is only testing the absence of the trailing / ?
[16:00] <lbragstad> otherwise those two are identical?
[16:00] <cmurphy> correct
[16:01] <cmurphy> i think kmalloc is still coffeeing and considering whether that needs to be a 404 or 405
[16:03] <lbragstad> ok - looks good to me
[16:04] <kmalloc> Yeah.
[16:04] <kmalloc> I need to check one thing.
[16:05] <kmalloc> I think the trailing / is all that I changed, and the non trailing / case was already working like the test expected
[16:05] *** erus has quit IRC
[16:05] <kmalloc> I want to be sure and in that case a 404 might be better.
[16:05] <kmalloc> Because / is routed, but is invalid data.
[16:05] * bnemec hates significant trailing /'s
[16:06] <kmalloc> bnemec: it is significant in routing, in rest a /xxxxx is a resource, and without / is a list
[16:06] *** erus has joined #openstack-keystone
[16:06] <kmalloc> And / without xxxx is saying resource=None (oddly)
[16:07] <bnemec> Yeah, I'm sure there are good reasons, but I've lost so much time over the years debugging problems that turned out to be because I had/didn't have a trailing / on an address.
[16:07] <bnemec> My face can only take so many palms. :-P
[16:12] *** gyee has joined #openstack-keystone
[16:15] *** yan0s has quit IRC
[16:18] *** erus has quit IRC
[16:18] *** erus has joined #openstack-keystone
[16:32] *** whoami-rajat has joined #openstack-keystone
[17:17] *** jamesmcarthur_ has joined #openstack-keystone
[17:21] *** jamesmcarthur has quit IRC
[17:25] *** erus has quit IRC
[17:26] *** erus has joined #openstack-keystone
[17:31] *** mvkr has quit IRC
[17:46] *** itlinux has quit IRC
[17:47] *** itlinux has joined #openstack-keystone
[18:02] *** erus has quit IRC
[18:03] *** erus has joined #openstack-keystone
[18:25] <kmalloc> cmurphy: ok, so let me try something. i think the trailing slash should be 404 now that i've dug into it
[18:26] <kmalloc> and a non-trailing slash should be 405.
[18:47] *** jamesmcarthur_ has quit IRC
[18:49] <cmurphy> interesting
[19:36] *** rcernin has quit IRC
[19:51] *** jamesmcarthur has joined #openstack-keystone
[19:51] *** erus has quit IRC
[19:51] *** erus has joined #openstack-keystone
[19:57] *** erus has quit IRC
[19:58] *** erus has joined #openstack-keystone
[19:58] *** mchlumsky has quit IRC
[20:08] *** pcaruana has quit IRC
[20:22] *** efried has quit IRC
[20:26] *** efried has joined #openstack-keystone
[20:44] *** efried has quit IRC
[20:52] <kmalloc> cmurphy: oh so this bug affects delete *and* patch as well
[20:53] <kmalloc> cmurphy: =/
[20:53] <kmalloc> fixing it now
[20:53] <kmalloc> i'm creating a new resource for it.
[20:53] <kmalloc> just no other good way to do it.
[20:59] *** itlinux has quit IRC
[20:59] <cmurphy> o7
[21:03] *** raildo has quit IRC
[21:07] *** openstackgerrit has quit IRC
[21:14] <redrobot> ohai again Keystone friends
[21:16] <kmalloc> going to need some serious reworking to handle these cases.
[21:17] <redrobot> I was wondering why keystone-manage is installed to different locations in Ubuntu vs Fedora ?
[21:18] <redrobot> in Ubuntu it's /usr/local/bin/keystone-manage
[21:18] <redrobot> but in Fedora it's /usr/bin/keystone-manage
[21:19] <redrobot> Seems to be a recent change
[21:20] <redrobot> I just noticed because it broke the Fedora gate in Barbican
[21:20] <redrobot> because it's looking for keystone-manage in /usr/local/bin
[21:20] <redrobot> Also noticed there is no Fedora gate for Keystone?
[21:21] <cmurphy> redrobot: that's up to the packagers, keystone doesn't control where the distro packages install the binaries
[21:23] <cmurphy> or do you mean in devstack?
[21:24] <cmurphy> http://git.openstack.org/cgit/openstack-dev/devstack/tree/inc/python#n41
[21:30] <redrobot> cmurphy, pip install -e path/to/keystone/repo
[21:31] <redrobot> cmurphy, so, neither a package nor devstack.  Just straight pip
[21:44] *** rcernin has joined #openstack-keystone
[21:51] <kmalloc> cmurphy: ok so have a fix. this was a when this API was ported. all fixed
[21:52] *** openstackgerrit has joined #openstack-keystone
[21:52] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Raise METHOD NOT ALLOWED instead of 500 error on protocol create  https://review.openstack.org/648241
[21:52] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Raise METHOD NOT ALLOWED instead of 500 error on protocol CRUD  https://review.openstack.org/648241
[21:52] <kmalloc> ^ fixed and should resolve the issue(s)
[21:52] <kmalloc> cmurphy: probably should have someone not me/lbragstad backport to stein.
[21:52] <kmalloc> lbragstad: ^ needs re-+2
[21:55] <cmurphy> kmalloc: so still convinced 405 is right?
[21:55] *** rcernin has quit IRC
[21:55] <cmurphy> glancing at https://specs.openstack.org/openstack/api-sig/guidelines/http/response-codes.html#failure-code-clarifications
[21:55] <kmalloc> yes. it is consistent
[21:56] <cmurphy> If a request is made to a known resource URI, but the HTTP method used for the request is not supported for that resource, the return code should be 405 Method Not Allowed. The response should include the Allow header with the list of accepted request methods for the resource.
[21:56] <kmalloc> which is done by flask
[21:56] <kmalloc> the explicit raise is removed
[21:56] <kmalloc> the normalization middleware is now doing its job and mapping trailing '/' to no trailing '/'
[21:57] <kmalloc> so OS-FEDERATION/identity_providers/{idp_id}/protocols and OS-FEDERATION/identity_providers/{idp_id}/protocols/ is the same route
[21:57] <kmalloc> where OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} raises a 404 if it doesn't exist or if it fails validation 400
[21:57] <kmalloc> (doesn't exist for delete/patch, put for validation)
[21:58] <kmalloc> in the case of OS-FEDERATION/identity_providers/{idp_id}/protocols and OS-FEDERATION/identity_providers/{idp_id}/protocols/ put, delete, and patch are not routed and should raise 405, the method is not allowed
[21:58] <kmalloc> it is not acting on a resource
[21:59] <kmalloc> a similar case for this is in the OS-EP-FILTER api, we have /<project_id>/endpoints and /<project_id>/endpoints/<endpoint_id>
[21:59] <kmalloc> this fix makes the IDP protocols API consistent and fixes the 500 error
[21:59] <kmalloc> the added test is redundant but shows explicit fixing in the way keystone is meant to work
[22:00] <kmalloc> i think i derped this one up when porting os-federation
[22:00] <kmalloc> initially
[22:04] *** rcernin has joined #openstack-keystone
[22:05] <cmurphy> kmalloc: i think the service provider tests are going to fail, left a comment
[22:06] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Raise METHOD NOT ALLOWED instead of 500 error on protocol CRUD  https://review.openstack.org/648241
[22:06] <kmalloc> ^
[22:07] <openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Raise METHOD NOT ALLOWED instead of 500 error on protocol CRUD  https://review.openstack.org/648241
[22:07] <kmalloc> there
[22:09] <cmurphy> lgtm, if that goes through tonight i'll propose the backport when i wake up
[22:10] <kmalloc> ++
[22:11] <kmalloc> this was an annoying fix because i haven't looked at this part of keystone in a while (the flask API bit)
[22:11] <kmalloc> wasn't too bad to get back into. it would have been a LOT worse with the old wsgi framework (though this wouldn't have happened)
[22:28] *** awalende has joined #openstack-keystone
[22:33] *** awalende has quit IRC
[22:39] *** erus has quit IRC
[22:40] *** erus has joined #openstack-keystone
[22:47] <adriant> knikolla: I doubt you're awake, but feel free to jump into #openstack-adjutant
[22:52] *** erus has quit IRC
[22:52] *** whoami-rajat has quit IRC
[22:52] *** erus has joined #openstack-keystone
[22:57] *** jamesmcarthur has quit IRC
[22:59] *** tkajinam has joined #openstack-keystone
[23:14] *** jamesmcarthur has joined #openstack-keystone
[23:34] *** adriant has quit IRC
[23:42] *** jamesmcarthur has quit IRC
[23:42] *** erus has quit IRC
[23:43] *** erus has joined #openstack-keystone
[23:43] *** jamesmcarthur has joined #openstack-keystone
[23:48] *** jamesmcarthur has quit IRC
[23:49] *** adriant has joined #openstack-keystone
[23:57] *** gyee has quit IRC
[23:58] *** jhesketh has joined #openstack-keystone
