Monday, 2019-06-17

*** dave-mccowan has joined #openstack-keystone [00:20]
*** markvoelker has joined #openstack-keystone [00:24]
*** markvoelker has quit IRC [00:28]
adriant: cmurphy_afk, kmalloc, ayoung: I'd like to take over https://review.opendev.org/#/c/618144/ and rewrite it to be API based because it's a topic that keeps coming up and I really would love an API to just do it. [01:17]
adriant: I know there was strong opposition to it but I think even at one point during some discussions at Berlin kmalloc was slowly being convinced that an API approach was the only really sane solution. [01:19]
adriant: a system scope only API that has clearly documented warnings [01:19]
kmalloc: Again, I'm still a pretty firm -1 on that. So very many security issues (API driven). But I won't block it [01:20]
kmalloc: At least we can make it system scope... Which is a little better. [01:21]
*** markvoelker has joined #openstack-keystone [01:24]
*** markvoelker has quit IRC [01:29]
*** dave-mccowan has quit IRC [01:45]
adriant: kmalloc: I just increasingly have pressure to be able to reparent projects, because we have cases where some of our bigger customers manage the resources of others, and eventually the project ownership needs to move to another customer. We try and encourage them to always have that second customer signup on their own, so they always own the project [01:53]
adriant: , but often it isn't known that this change of ownership will actually happen [01:53]
adriant: so the worry is that once we start down the sub-tree path this will all be impossible. Currently changing ownership on a flat project is easy, but a project halfway down a tree will not be doable [01:54]
adriant: kmalloc: I understand your security worries, but they are kind of unwarranted if you are an admin. If you are using trees you know about roles and role inheritance, you know that moving a project will change that. if you as an admin fuck up, it's your fault for using what is documented as a powerful tool. [01:56]
adriant: there are so many other ways right now to pretty much kill a whole cluster as an admin, so this is really just a low level level of worry :P [01:57]
kmalloc: So like I said. I won't block it, but if asked, I'm -1. [02:22]
kmalloc: I am -2 if it's not system scope ;) [02:22]
kmalloc: There is a lot of "here are Kevlar shoes, please no foot gunning" in keystone. [02:23]
kmalloc: And we do need to cover that. [02:23]
kmalloc: And by not blocking I won't score it negative outside of other wildly problematic things. [02:25]
*** whoami-rajat has joined #openstack-keystone [03:12]
*** markvoelker has joined #openstack-keystone [03:26]
*** markvoelker has quit IRC [03:31]
*** awalende has joined #openstack-keystone [04:23]
*** awalende has quit IRC [04:27]
*** vishalmanchanda has joined #openstack-keystone [05:18]
*** markvoelker has joined #openstack-keystone [05:28]
*** markvoelker has quit IRC [05:32]
*** rcernin has quit IRC [06:02]
*** xek has joined #openstack-keystone [06:58]
*** rcernin has joined #openstack-keystone [07:00]
*** trident has quit IRC [07:06]
*** trident has joined #openstack-keystone [07:08]
*** tesseract has joined #openstack-keystone [07:24]
*** markvoelker has joined #openstack-keystone [07:29]
*** markvoelker has quit IRC [07:34]
*** Horrorcat has joined #openstack-keystone [08:27]
*** markvoelker has joined #openstack-keystone [08:30]
*** markvoelker has quit IRC [08:35]
*** imacdonn has quit IRC [08:40]
*** imacdonn has joined #openstack-keystone [08:40]
*** pcaruana has joined #openstack-keystone [08:52]
*** tkajinam has quit IRC [09:00]
openstackgerrit: James Page proposed openstack/keystone master: token: consistently decode binary types https://review.opendev.org/665617 [09:13]
*** josecastroleon has joined #openstack-keystone [09:20]
*** jamespage has joined #openstack-keystone [09:25]
*** rcernin has quit IRC [09:36]
*** markvoelker has joined #openstack-keystone [10:32]
*** markvoelker has quit IRC [10:36]
*** sri-cah has joined #openstack-keystone [11:43]
*** jaosorior has joined #openstack-keystone [11:47]
*** starborn has joined #openstack-keystone [11:56]
*** jaosorior has quit IRC [12:02]
*** jdennis has joined #openstack-keystone [12:24]
*** josecastroleon has quit IRC [12:26]
sri-cah: hi all, I ran into an issue with the zero-downtime upgrade path between queens and rocky when caching is enabled and was directed here from #openstack [12:28]
sri-cah: the problem occurs during the phase when the two versions run alongside and both cache token validity information [12:28]
sri-cah: queens simply uses a dict, while rocky uses a dedicated class for this, and since things that are put into the cache are simply pickled there is trouble [12:29]
sri-cah: (if now one keystone instance loads the token validity from the cache, that was written by a node running the other version a token will spuriously fail to validate) [12:31]
sri-cah: our current workaround is to disable the cache during the upgrade, but that may not be feasible in all production environments due to the additional load [12:32]
*** markvoelker has joined #openstack-keystone [12:33]
*** markvoelker has quit IRC [12:38]
*** dave-mccowan has joined #openstack-keystone [12:42]
*** vishalmanchanda has quit IRC [12:57]
*** lbragstad has joined #openstack-keystone [13:12]
*** raildo has joined #openstack-keystone [13:15]
*** beekneemech is now known as bnemec [13:18]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Update unified limit documentation https://review.opendev.org/664933 [13:24]
*** pcaruana|afk| has joined #openstack-keystone [13:26]
*** pcaruana has quit IRC [13:26]
*** markvoelker has joined #openstack-keystone [13:34]
*** markvoelker has quit IRC [13:39]
*** pcaruana has joined #openstack-keystone [13:48]
*** mchlumsky has joined #openstack-keystone [13:48]
*** pcaruana|afk| has quit IRC [13:51]
kmalloc: sri-cah: interesting, I think we can make a minor change to force a cache-key difference. Can you open a bug on this please [13:58]
sri-cah: yes [14:01]
sri-cah: is a cache key difference safe though? [14:01]
sri-cah: if I am right, then calling DELETE on a token will update the revocation_events in the database and invalidate the cache [14:02]
sri-cah: so if two instances already have the validity cached, and the token is then revoked, will both caches be invalidated correctly [14:02]
sri-cah: (if so, another possible workaround would be to separate the caches during the upgrade run, which may have less of a performance impact than disabling caching altogether) [14:03]
*** jaosorior has joined #openstack-keystone [14:23]
kmalloc: sri-cah: I am not sure a delete on an invalid token (already deleted) would work. A separate cache would be the easiest upgrade path [14:25]
kmalloc: But with a separate cache, you do run the risk of old cache being valid while new cache is not. I don't have a good solution off the top of my head short of encapsulation of the cache data. Really, this is a case where, again, rolling upgrades are poorly thought out [14:28]
kmalloc: I would probably just isolate the cache to a new cache instance and take the hit for short term validity leaking on the old system during upgrade. [14:29]
*** ayoung has quit IRC [14:35]
*** markvoelker has joined #openstack-keystone [14:35]
sri-cah: yes, this workaround sounds like a good solution, the bug report will be there soon – I have sadly lost the logs showing the problem to log rotation, but I can point to the offending code (or recreate the failing state and generate new logs) [14:37]
*** markvoelker has quit IRC [14:40]
kmalloc: ah, if you have another round or can find the logs/duplicate that would be great. but i think i can see what you're seeing. [14:40]
kmalloc: we just need to update the docs to say "spin up new cache" and solve the issue [14:40]
*** jamesmcarthur has joined #openstack-keystone [14:44]
sri-cah: I finished the bug report: <https://bugs.launchpad.net/keystone/+bug/1833085> let me know, if you need any more details [14:45]
openstack: Launchpad bug 1833085 in OpenStack Identity (keystone) "Zero-downtime upgrades lead to spurious token validation failures when caching is enabled" [Undecided,New] [14:45]
gagehugo: o/ [14:46]
*** pcaruana has quit IRC [14:47]
*** jaosorior has quit IRC [14:49]
kmalloc: sri-cah: thanks! [14:52]
sri-cah: kmalloc: thanks for helping me [14:54]
*** dklyle has joined #openstack-keystone [14:55]
*** sri-cah has quit IRC [15:05]
openstackgerrit: Lance Bragstad proposed openstack/oslo.limit master: Remove ProjectClaim object from oslo.limit https://review.opendev.org/665708 [15:18]
openstackgerrit: Lance Bragstad proposed openstack/oslo.limit master: Remove verification functionality https://review.opendev.org/665709 [15:18]
openstackgerrit: Lance Bragstad proposed openstack/oslo.limit master: Remove __enter__ and __exit__ methods from Enforcer https://review.opendev.org/665710 [15:18]
openstackgerrit: Lance Bragstad proposed openstack/oslo.limit master: Add skeleton enforce() method to Enforcer https://review.opendev.org/665711 [15:18]
lbragstad: cc johnthetubaguy ^ [15:18]
lbragstad: i started ripping things apart based on our discussion last week [15:18]
lbragstad: figure we can build up from the last patch [15:19]
*** jamesmcarthur_ has joined #openstack-keystone [15:21]
*** jamesmcarthur has quit IRC [15:25]
*** joshualyle has joined #openstack-keystone [15:25]
*** jdennis has quit IRC [15:28]
*** tesseract has quit IRC [15:38]
*** pcaruana has joined #openstack-keystone [15:40]
*** jdennis has joined #openstack-keystone [15:47]
*** gyee has joined #openstack-keystone [15:49]
*** gyee has quit IRC [15:49]
*** awalende has joined #openstack-keystone [15:50]
*** awalende has quit IRC [15:52]
*** awalende has joined #openstack-keystone [15:53]
*** trident has quit IRC [15:56]
*** awalende has quit IRC [15:57]
*** trident has joined #openstack-keystone [15:58]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Implement system scope and default roles for token API https://review.opendev.org/665231 [15:58]
*** awalende has joined #openstack-keystone [16:04]
lbragstad: johnthetubaguy i also gave the unified limit documentation in keystone a facelift - you should be able to use that instead of referencing the spec (i tried to pull all the important information over) [16:05]
lbragstad: https://review.opendev.org/#/c/664933/ [16:05]
*** awalende has quit IRC [16:05]
*** awalende has joined #openstack-keystone [16:05]
*** awalende has quit IRC [16:08]
*** awalende has joined #openstack-keystone [16:08]
*** gyee has joined #openstack-keystone [16:11]
*** lbragstad has quit IRC [16:26]
*** cmurphy_afk is now known as cmurphy [16:28]
*** lbragstad has joined #openstack-keystone [16:28]
*** whoami-rajat has quit IRC [16:29]
lbragstad: cmurphy is https://trello.com/c/KGGkNijR/55-oslolimit-interface supposed to have links to cards in the Tasks To Do column? [16:31]
* lbragstad knows he's asked this before [16:31]
*** markvoelker has joined #openstack-keystone [16:37]
cmurphy: lbragstad: yes it should, i think i meant to do that last week... [16:38]
lbragstad: cmurphy ok, cool [16:40]
lbragstad: just checking [16:40]
lbragstad: i wasn't sure if i should move that card out of the list [16:40]
*** markvoelker has quit IRC [16:42]
cmurphy: lbragstad: fixed it [16:42]
lbragstad: thanks cmurphy [16:44]
lbragstad: moved one of those into "in progress" [16:45]
*** whoami-rajat has joined #openstack-keystone [16:48]
*** awalende has quit IRC [16:52]
*** awalende has joined #openstack-keystone [16:53]
*** awalende has quit IRC [16:57]
*** keerthigd__ has joined #openstack-keystone [17:17]
*** trident has quit IRC [17:27]
*** trident has joined #openstack-keystone [17:29]
*** markvoelker has joined #openstack-keystone [17:37]
*** markvoelker has quit IRC [17:43]
*** jamesmcarthur_ has quit IRC [17:57]
*** freerunner has quit IRC [17:57]
*** freerunner has joined #openstack-keystone [18:00]
*** awalende has joined #openstack-keystone [18:01]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Update the meaning of low-hanging-fruit https://review.opendev.org/659141 [18:13]
*** awalende has quit IRC [18:23]
*** awalende has joined #openstack-keystone [18:23]
*** keerthigd__ has quit IRC [18:25]
*** niceplace has quit IRC [18:30]
*** niceplace has joined #openstack-keystone [18:31]
*** awalende_ has joined #openstack-keystone [18:35]
*** markvoelker has joined #openstack-keystone [18:38]
*** awalende has quit IRC [18:39]
*** pcaruana has quit IRC [18:44]
*** markvoelker has quit IRC [18:45]
*** jamesmcarthur has joined #openstack-keystone [18:51]
*** dave-mccowan has quit IRC [18:54]
*** awalende_ has quit IRC [19:03]
*** awalende has joined #openstack-keystone [19:04]
*** dave-mccowan has joined #openstack-keystone [19:06]
*** awalende has quit IRC [19:07]
*** dave-mccowan has quit IRC [19:14]
*** pcaruana has joined #openstack-keystone [19:17]
*** starborn has quit IRC [19:24]
*** pcaruana has quit IRC [19:27]
*** ayoung has joined #openstack-keystone [19:30]
*** trident has quit IRC [19:37]
*** trident has joined #openstack-keystone [19:39]
*** markvoelker has joined #openstack-keystone [19:40]
*** jamesmcarthur has quit IRC [19:42]
*** markvoelker has quit IRC [19:45]
*** awalende has joined #openstack-keystone [19:55]
ayoung: kmalloc, what do I need to do to add the explicit_project0id param to JSON home? [20:02]
ayoung: It changed with the flask stuff and I'm not sure where it goes now [20:02]
kmalloc: in the schema bits same as before [20:08]
kmalloc: https://github.com/openstack/keystone/blob/master/keystone/resource/schema.py [20:09]
kmalloc: in https://github.com/openstack/keystone/blob/master/keystone/resource/schema.py#L59 [20:09]
*** jamesmcarthur has joined #openstack-keystone [20:15]
*** xek has quit IRC [20:17]
*** whoami-rajat has quit IRC [20:19]
ayoung: kmalloc, what about an optional param [20:28]
*** jamesmcarthur has quit IRC [20:28]
kmalloc: should be able to use the validation.nullable [20:30]
kmalloc: to make it optional [20:30]
ayoung: kmalloc, so this https://paste.fedoraproject.org/paste/CfsAFIZppxHPt9Sf4SQ31Q [20:34]
kmalloc: yeah that should be good. we'll need to filter it on update, but that is fine [20:35]
kmalloc: if possible i would make it a create-time-only element [20:35]
kmalloc: but since project has "Extras" it will always need to be filtered out [20:36]
*** jamesmcarthur has joined #openstack-keystone [20:37]
ayoung: How do I do that? [20:39]
kmalloc: add it to the schema [20:40]
kmalloc: and in .update_project, pop it off the dict, check if it exists and raise an exception saying it can't be set on update [20:40]
kmalloc: so, if project.pop('explicit_id', none): raise exception.blah(somethingsomething) [20:41]
*** jamesmcarthur has quit IRC [20:41]
*** markvoelker has joined #openstack-keystone [20:41]
kmalloc: that exception should be raised in the keystone.api flask method(s) [patch] for the project handler. [20:42]
*** jamesmcarthur has joined #openstack-keystone [20:42]
kmalloc: https://github.com/openstack/keystone/blob/master/keystone/api/projects.py#L184 [20:42]
ayoung: kmalloc, what about this https://paste.fedoraproject.org/paste/NgE~fxVvp2oKv4YuedFXAQ [20:42]
kmalloc: you can do that too [20:43]
kmalloc: but because extras are allowed you still need to filter [20:43]
kmalloc: because extras allow *any* key to be stored. [20:43]
*** markvoelker has quit IRC [20:46]
*** jamesmcarthur has quit IRC [21:01]
*** jamesmcarthur has joined #openstack-keystone [21:15]
*** awalende has quit IRC [21:28]
*** awalende has joined #openstack-keystone [21:29]
*** awalende has quit IRC [21:34]
*** markvoelker has joined #openstack-keystone [21:42]
*** rcernin has joined #openstack-keystone [21:43]
*** mchlumsky has quit IRC [21:43]
*** markvoelker has quit IRC [21:47]
*** raildo has quit IRC [21:50]
*** awalende has joined #openstack-keystone [21:58]
*** awalende has quit IRC [22:01]
*** ChanServ has quit IRC [22:09]
*** ChanServ has joined #openstack-keystone [22:14]
*** niven.freenode.net sets mode: +o ChanServ [22:14]
*** jamesmcarthur has quit IRC [22:22]
*** jamesmcarthur has joined #openstack-keystone [22:22]
*** blake has joined #openstack-keystone [22:22]
*** awalende has joined #openstack-keystone [22:34]
*** awalende has quit IRC [22:38]
*** blake has quit IRC [22:40]
*** markvoelker has joined #openstack-keystone [22:43]
*** vishwanathj has joined #openstack-keystone [22:44]
*** markvoelker has quit IRC [22:48]
*** tkajinam has joined #openstack-keystone [22:55]
*** awalende has joined #openstack-keystone [23:13]
*** vishwanathj has quit IRC [23:23]
*** vishwanathj has joined #openstack-keystone [23:24]
*** gyee has quit IRC [23:28]
*** vishwanathj has quit IRC [23:28]
*** markvoelker has joined #openstack-keystone [23:44]
*** awalende has quit IRC [23:46]
*** markvoelker has quit IRC [23:48]
