Thursday, 2019-07-18

*** jamesmcarthur has quit IRC [00:06]
*** jamesmcarthur has joined #openstack-keystone [00:08]
*** jamesmcarthur has quit IRC [00:09]
*** jamesmcarthur has joined #openstack-keystone [00:09]
<openstackgerrit> Colleen Murphy proposed openstack/keystone master: Update API version for access rules https://review.opendev.org/671374 [00:13]
*** jamesmcarthur has quit IRC [00:33]
*** jamesmcarthur has joined #openstack-keystone [00:33]
*** jamesmcarthur has quit IRC [00:39]
*** gyee has quit IRC [00:46]
<ileixe> cmurphy: yes I saw your comments in my report. I understand what's the difference [01:07]
<ileixe> Thanks cmurphy and vishakha :) [01:07]
*** jamesmcarthur has joined #openstack-keystone [01:09]
<ileixe> And.. one more thing to ask: what does the keystone community say is the best practice for multi-region deployment? [01:10]
<ileixe> I considered federation, though I felt it looks like it is for hybrid or many, many clouds [01:10]
<ileixe> I just want to maintain a multi-region (geographically separated) deployment with one source (LDAP). Federation looks heavy for the use case. [01:11]
<ileixe> Could you guys shed light on this? T_T [01:12]
*** jamesmcarthur has quit IRC [01:15]
*** jamielennox has joined #openstack-keystone [01:16]
*** imacdonn has quit IRC [01:16]
*** imacdonn has joined #openstack-keystone [01:17]
*** joshualyle has quit IRC [01:23]
*** whoami-rajat has joined #openstack-keystone [01:31]
*** ileixe has quit IRC [01:37]
*** jamesmcarthur has joined #openstack-keystone [01:40]
*** ileixe has joined #openstack-keystone [01:45]
*** jamielennox has quit IRC [02:52]
*** jamesmcarthur has quit IRC [02:54]
*** jamesmcarthur has joined #openstack-keystone [02:55]
*** jamesmcarthur has quit IRC [02:59]
*** redrobot has quit IRC [03:32]
*** jamesmcarthur has joined #openstack-keystone [03:35]
*** Guest99405 has joined #openstack-keystone [03:39]
*** jamesmcarthur has quit IRC [05:10]
*** shyamb has joined #openstack-keystone [05:15]
*** shyamb has quit IRC [05:39]
*** pcaruana has joined #openstack-keystone [05:44]
*** shyamb has joined #openstack-keystone [05:56]
*** joshualyle has joined #openstack-keystone [06:21]
*** sapd1 has quit IRC [06:37]
*** rcernin has quit IRC [06:44]
<openstackgerrit> Jose Castro Leon proposed openstack/keystone master: Allow to filter endpoint groups by name https://review.opendev.org/658359 [06:58]
*** xek has joined #openstack-keystone [07:06]
*** vishakha has joined #openstack-keystone [07:07]
*** shyamb has quit IRC [07:27]
*** dancn has joined #openstack-keystone [08:12]
*** shyamb has joined #openstack-keystone [08:19]
*** new_student1411 has joined #openstack-keystone [08:37]
*** tkajinam has quit IRC [08:40]
*** xek has quit IRC [08:42]
*** xek has joined #openstack-keystone [08:43]
*** xek has quit IRC [08:47]
*** xek has joined #openstack-keystone [08:51]
*** xek has quit IRC [08:52]
*** xek has joined #openstack-keystone [09:26]
<openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Remove [signing] config https://review.opendev.org/659434 [09:26]
*** jamesmcarthur has joined #openstack-keystone [10:15]
*** jamesmcarthur has quit IRC [10:19]
*** new_student1411 has quit IRC [10:23]
*** shyamb has quit IRC [10:23]
*** shyam89 has joined #openstack-keystone [10:23]
*** new_student1411 has joined #openstack-keystone [10:23]
*** shyam89 has quit IRC [10:29]
*** whoami-rajat has quit IRC [10:30]
*** takamatsu has joined #openstack-keystone [10:37]
*** shyamb has joined #openstack-keystone [10:46]
*** joshualyle has quit IRC [11:24]
*** shyamb has quit IRC [11:29]
*** tesseract has joined #openstack-keystone [11:38]
*** new_student1411 has quit IRC [11:49]
*** kplant has joined #openstack-keystone [11:58]
<mnaser> fyi something i just saw in #openstack-infra (and i ran into a while back) .. the application credential api is actually functional *even* if an environment does not have application_credential listed as an authentication method [12:22]
*** shyamb has joined #openstack-keystone [12:23]
*** mflynn has joined #openstack-keystone [12:32]
*** raildo has joined #openstack-keystone [12:34]
*** stingrayza_ has joined #openstack-keystone [12:43]
*** stingrayza has quit IRC [12:46]
*** new_student1411 has joined #openstack-keystone [12:47]
*** stingrayza has joined #openstack-keystone [12:51]
*** stingrayza_ has quit IRC [12:55]
*** mvkr_ has quit IRC [12:56]
*** shyamb has quit IRC [13:05]
*** Guest99405 is now known as redrobot [13:13]
*** ag-47 has joined #openstack-keystone [13:17]
*** hoonetorg has quit IRC [13:28]
*** ag-47 has quit IRC [13:32]
*** beekneemech has joined #openstack-keystone [13:36]
*** bnemec has quit IRC [13:37]
*** vishakha has quit IRC [13:42]
*** raildo has quit IRC [13:50]
*** whoami-rajat has joined #openstack-keystone [13:55]
*** jamesmcarthur has joined #openstack-keystone [14:19]
*** jamesmcarthur has quit IRC [14:23]
*** jamesmcarthur has joined #openstack-keystone [14:24]
<kmalloc> mnaser: right. authenticating with application credentials requires the auth method, app-cred API is part of the API, and APIs are not optional or configurable. Maybe we should explicitly 403 that API if the auth method is not present. Right now the way to handle it would be to update policy.json to disallow the api [14:26]
<kmalloc> s/configurable/removable [14:26]
<mnaser> kmalloc: yeah it has caused confusion in the past when the api responds successfully but you can't authenticate with it [14:27]
<mnaser> but yeah i think a 403 if application_credentials is not configured makes sense... [14:27]
<kmalloc> mnaser: can you open a bug for us as an RFE for that change? [14:35]
<kmalloc> mnaser: actually, i'll go ahead and open the bug [14:35]
*** lbragstad has joined #openstack-keystone [14:36]
<kmalloc> mnaser: https://bugs.launchpad.net/keystone/+bug/1837061 [14:39]
<openstack> Launchpad bug 1837061 in OpenStack Identity (keystone) "RFE: Application Credential API (CRUD) to 403 if app-cred auth method not enabled" [Wishlist,New] [14:39]
<kmalloc> mnaser: please feel free to add any other info to the bug. [14:39]
*** jamesmcarthur has quit IRC [14:43]
<mnaser> kmalloc: added a bit, thanks! :) [14:47]
<kmalloc> this should be a pretty easy change, just need to confirm everyone is ok with it before we make it. [14:48]
<cmurphy> ileixe: we don't have much of a best practices guide for multi-region/multi-site, federation is one way but multiple keystones backed by a single distributed ldap is another simpler way, and another way is just using one keystone and just using regular keystone regions for the other openstack services [14:58]
<cmurphy> kmalloc: mnaser whoa no i don't think we should change the CRUD api to 403 if the auth method is disabled, that would be an api break [15:00]
<cmurphy> the crud api and the auth api are unrelated apis [15:00]
<kmalloc> cmurphy: i am simply translating to an RFE so we can document/clearly communicate the change. [15:00]
<kmalloc> i wasn't advocating for it, just commenting it is an easy change if we decide on the direction. [15:00]
<kmalloc> having a "paper trail" for confirming/denying the change and discussing it is important [15:01]
<cmurphy> fair enough [15:01]
<cmurphy> i'm expressing that i'm against it :) [15:01]
<kmalloc> cmurphy: please add that to the bug report :) [15:02]
<cmurphy> o7 [15:02]
<kmalloc> ^_^ [15:08]
<kmalloc> also good mornin. [15:08]
<kmalloc> how's your area of the PNW this morning? [15:08]
<cmurphy> it's lovely, blue skies right now and will have a high of 75F today [15:09]
<cmurphy> it's been a very mild summer [15:09]
<cmurphy> lbragstad: want to take a look at https://review.opendev.org/669790 when you get a minute? [15:21]
<kmalloc> cmurphy: it's grey and cold here in seattle [15:21]
<cmurphy> kmalloc: that is unfortunate [15:22]
*** hoonetorg has joined #openstack-keystone [15:26]
<lbragstad> cmurphy done [15:36]
<kplant> cmurphy: wouldn't the single keystone be a bad idea due to latency and lack of redundancy? [15:36]
<cmurphy> lbragstad: tyty [15:37]
<cmurphy> kplant: on latency, depends on where your regions are and what your latency tolerance is, on redundancy you could have a "single" keystone that is still galera-backed active/active so you could still have some amount of redundancy [15:38]
<kplant> true, i guess i meant georedundancy [15:39]
<kplant> if cloud b uses cloud a's keystone and cloud a is unavailable [15:39]
<kplant> cloud b would also be unavailable [15:39]
<cmurphy> yeah you would not have that redundancy [15:40]
<kplant> it would be nice to be able to stretch that asynchronously across regions [15:41]
<kplant> cough [15:41]
<kplant> :> [15:41]
<kmalloc> kplant: that's the whole edge compute design concern in a nutshell. [15:48]
*** ag-47 has joined #openstack-keystone [15:48]
<kmalloc> kplant: for the most part synchronous replication across a small number (2-20) of sites tends to be just fine. The other alternative is isolated per-region keystone but replicate identity (LDAP) store to each site. That would require logging in to each region explicitly, but the information would remain the same per keystone endpoint [15:49]
<kmalloc> kplant: more than 20 sites it becomes much harder. more than 100 sites, databases are wonky, more than 1000 sites you need something totally different (eventually consistent data store, etc) [15:50]
*** dancn has quit IRC [15:51]
*** beekneemech has quit IRC [15:57]
*** bnemec has joined #openstack-keystone [15:58]
*** joshualyle has joined #openstack-keystone [16:21]
*** gyee has joined #openstack-keystone [16:27]
<openstackgerrit> Merged openstack/keystone master: update documentation for X.509 tokenless auth https://review.opendev.org/669790 [16:54]
<cmurphy> need more reviews on https://review.opendev.org/604201 before spec freeze next week [16:59]
<cmurphy> also looking for more reviews on https://review.opendev.org/633369 so we can do a ksm release [17:00]
*** ag-47 has quit IRC [17:05]
*** xek has quit IRC [17:06]
*** raildo has joined #openstack-keystone [17:30]
*** aprice has quit IRC [17:45]
*** hogepodge has quit IRC [17:45]
*** aprice has joined #openstack-keystone [17:47]
*** hogepodge has joined #openstack-keystone [17:47]
<gagehugo> cmurphy: ksm done [18:04]
<cmurphy> thanks gagehugo [18:05]
*** irclogbot_3 has quit IRC [18:07]
*** altlogbot_0 has quit IRC [18:07]
*** irclogbot_2 has joined #openstack-keystone [18:08]
*** altlogbot_0 has joined #openstack-keystone [18:08]
<openstackgerrit> Raildo Mascena proposed openstack/keystone master: Fixing dn_to_id function for cases were id is not in the DN https://review.opendev.org/649177 [19:01]
*** lbragstad has quit IRC [19:02]
*** new_student1411 has quit IRC [19:05]
*** mflynn has quit IRC [19:13]
*** jdennis has quit IRC [19:37]
*** jdennis has joined #openstack-keystone [19:37]
*** jdennis has quit IRC [19:42]
*** jdennis has joined #openstack-keystone [19:43]
*** whoami-rajat has quit IRC [19:44]
<openstackgerrit> Merged openstack/keystonemiddleware master: Add validation of app cred access rules https://review.opendev.org/633369 [19:47]
*** jdennis has quit IRC [19:56]
*** jdennis has joined #openstack-keystone [19:56]
*** kplant has quit IRC [19:57]
*** pcaruana has quit IRC [20:01]
*** tesseract has quit IRC [20:05]
*** mvkr_ has joined #openstack-keystone [20:05]
*** blake has joined #openstack-keystone [20:38]
*** ayoung has quit IRC [20:44]
*** ayoung has joined #openstack-keystone [20:50]
*** blake has quit IRC [20:58]
*** blake has joined #openstack-keystone [20:59]
*** blake has quit IRC [20:59]
*** raildo has quit IRC [21:04]
*** raildo has joined #openstack-keystone [21:04]
*** raildo has quit IRC [21:21]
*** joshualyle has quit IRC [21:24]
*** beekneemech has joined #openstack-keystone [21:38]
*** beekneemech has quit IRC [21:38]
*** ayoung has quit IRC [21:52]
*** bnemec has quit IRC [22:03]
*** bnemec has joined #openstack-keystone [22:13]
*** bnemec has quit IRC [22:42]
*** bnemec has joined #openstack-keystone [22:43]
*** ivve has quit IRC [22:54]
*** tkajinam has joined #openstack-keystone [22:58]
*** rcernin has joined #openstack-keystone [23:15]
