Tuesday, 2019-08-13

« Monday, 2019-08-12 Index Wednesday, 2019-08-14 »
*** markvoelker has quit IRC00:39
*** gyee has quit IRC00:40
*** markvoelker has joined #openstack-keystone00:44
*** dave-mccowan has quit IRC00:58
adriantcmurphy, kmalloc: before I go into datetime parsing madness, will keystone ever respond with anything other than a format like: "2015-11-07T02:58:43.578887Z" ?01:48
adriant^ can the timezone be different, can the subseconds be dropped, etc.01:48
kmallocUhm.01:49
kmallocThere are time normalizing functions we use01:49
adriantyes, but can those be configured?01:49
kmallocUse that and adhere to the same standard in the code01:49
kmallocNo01:49
adriantkmalloc: this is for me parsing datetime in keystoneauth01:49
adriantso if I hardcode a datetime parse function for datetime strings from keystone, it will be unlikely to need to be too smart a function?01:50
kmallocUh. KSA can’t use Oslo timeutils.01:50
adriantexactly01:50
kmallocUnlikely.01:50
adriantso it has to be a standalone function since pulling in libraries is a nope01:51
kmallocYeah. Let me eat dinner and think about that a bit more01:51
adriantI was just deciding how far down the rabbit hole I needed to go01:51
kmallocBut I think you’re on a safe path.01:51
adriantkk01:51
adriantas long as the date string format can't change (and is always in UTC) then that's easy for me.01:52
kmallocLook at how we handle the token expiry01:53
kmallocKSA has to parse that.01:53
kmallocWe should be consistent there with receipts and such01:54
kmallocSo, safe bet is use the same mechanism.01:54
adriantkmalloc: yes! Good point02:05
kmallocAmazing what a little food/calories does to spark the brain working.02:05
* adriant is still recovering from a cold02:06
adriantso I have a better excuse for zombie logic02:06
adriantthere is a iso_parse util function... I  am an idiot for missing it02:06
kmallocI am now entering food coma02:06
kmallocDry aged beef, with wild mushrooms, aged cheddar, and fire roasted broccolini02:07
kmalloc;)02:07
adriantooooo02:07
adriantfancy02:07
*** spsurya has joined #openstack-keystone02:12
openstackgerritAdrian Turjak proposed openstack/keystoneauth master: add support for auth_receipts and multi-method auth  https://review.opendev.org/67504902:37
openstackgerritAdrian Turjak proposed openstack/keystoneauth master: add support for auth_receipts and multi-method auth  https://review.opendev.org/67504902:46
*** whoami-rajat has joined #openstack-keystone04:18
*** dave-mccowan has joined #openstack-keystone04:56
*** dave-mccowan has quit IRC05:01
*** jaosorior has quit IRC05:24
openstackgerritVishakha Agarwal proposed openstack/keystone master: Implement system reader and member for endpoint_groups  https://review.opendev.org/67527205:33
openstackgerritVishakha Agarwal proposed openstack/keystone master: Implement system_admin for endpoint_groups  https://review.opendev.org/67553605:38
openstackgerritVishakha Agarwal proposed openstack/keystone master: Implement system_admin for endpoint_groups  https://review.opendev.org/67553605:40
*** pcaruana has joined #openstack-keystone05:40
*** pcaruana has quit IRC05:49
openstackgerritVishakha Agarwal proposed openstack/keystone master: Add tests for domain users interacting with endpoint_groups  https://review.opendev.org/67610806:22
openstackgerritVishakha Agarwal proposed openstack/keystone master: Implement system reader and member for endpoint_groups  https://review.opendev.org/67527206:28
openstackgerritVishakha Agarwal proposed openstack/keystone master: Implement system_admin for endpoint_groups  https://review.opendev.org/67553606:28
openstackgerritVishakha Agarwal proposed openstack/keystone master: Implement system_admin for endpoint_groups  https://review.opendev.org/67553606:29
openstackgerritVishakha Agarwal proposed openstack/keystone master: Add tests for domain users interacting with endpoint_groups  https://review.opendev.org/67610806:30
openstackgerritVishakha Agarwal proposed openstack/keystone master: Add tests for project users interacting with endpoint_groups  https://review.opendev.org/67611506:38
*** ivve has joined #openstack-keystone06:43
*** tesseract has joined #openstack-keystone07:17
*** rcernin has quit IRC07:21
*** dancn has joined #openstack-keystone07:36
*** pcaruana has joined #openstack-keystone07:45
*** xek has joined #openstack-keystone07:53
openstackgerritVishakha Agarwal proposed openstack/keystone master: Add tests for project users interacting with endpoint_groups  https://review.opendev.org/67611508:26
*** jaosorior has joined #openstack-keystone08:26
*** dancn has quit IRC08:32
*** dancn has joined #openstack-keystone08:37
*** trident has quit IRC08:54
*** trident has joined #openstack-keystone09:08
*** takamatsu has joined #openstack-keystone09:23
*** trident has quit IRC09:25
*** trident has joined #openstack-keystone09:32
fricklerI have an issue with application credentials and users that have role assigned only via a group and not directly. those users can create ac's, but when trying to use them, keystone responds with a 404. is that a known issue? this bug looks related but only talks about external groups iiuc https://bugs.launchpad.net/keystone/+bug/180911609:41
openstackLaunchpad bug 1809116 in OpenStack Identity (keystone) "[rfe] Renewable Application Credentials" [High,In progress] - Assigned to Kristi Nikolla (knikolla)09:41
*** xek has quit IRC09:41
*** xek has joined #openstack-keystone09:42
*** dancn has quit IRC10:04
*** rcernin has joined #openstack-keystone10:08
*** jaosorior has quit IRC11:04
openstackgerritVishakha Agarwal proposed openstack/keystone master: Implement system reader and member for policies  https://review.opendev.org/67616211:16
*** rcernin has quit IRC11:31
*** trident has quit IRC11:34
*** trident has joined #openstack-keystone11:40
*** dancn has joined #openstack-keystone11:56
*** ivve has quit IRC12:09
*** raildo has joined #openstack-keystone12:47
*** jaosorior has joined #openstack-keystone12:47
*** cwright has joined #openstack-keystone13:01
*** cwright has quit IRC13:01
*** cwright has joined #openstack-keystone13:03
*** pcaruana has quit IRC13:23
*** lbragstad has joined #openstack-keystone13:32
cmurphyfrickler: known issue and just fixed on master https://bugs.launchpad.net/keystone/+bug/177396713:39
openstackLaunchpad bug 1773967 in keystone (Ubuntu) "Application credentials can't be used with group-only role assignments" [Undecided,New]13:39
fricklercmurphy: hmm, interesing timing. however, I have tested on a fresh devstack installation that has that patch included and am still seeing the issue13:44
fricklersteps to reproduce: create a new user without any roles&project. add it to the "nonadmins" group from devstack. create app creds with that user. see a 404 when trying to use them13:46
fricklerI'm also failing to understand how that patch fixes anything about groups13:47
fricklerhmm, the test looks like it's doing exactly what I'm doing, though. maybe it is more explicit about ids, let me do some more testing13:50
cmurphyi just tried it and it worked13:54
gagehugoo/13:55
*** whoami-rajat has quit IRC13:59
*** pcaruana has joined #openstack-keystone14:00
*** lbragstad has quit IRC14:02
fricklercmurphy: silly me, I was lacking the /v3 part in the os-auth-url for my test. everything works as it should now, sorry for the confusion and thanks for the pointer. is there a chance to get this fix backported to stable branches?14:07
cmurphyfrickler: sure https://review.opendev.org/67620014:10
fricklercmurphy: thanks, the really interesting branch for me currently is still queens, but if we go step by step, that's o.k. ;)14:11
*** jaosorior has quit IRC14:15
*** whoami-rajat has joined #openstack-keystone14:25
*** dancn has quit IRC14:56
*** dave-mccowan has joined #openstack-keystone14:58
*** dave-mccowan has quit IRC15:04
vishakhacmurphy, gagehugo Could you help me with the get policy [1] https://review.opendev.org/#/c/676162/. its showing the wrong rest API call [2]15:34
cmurphyvishakha: did you mean to link to a paste? what's the issue?15:37
vishakhahttps://zuul.opendev.org/t/openstack/build/92d90262a86a4aa2bb0b8f70014210ab , the get_policy Rest call is failing15:38
gagehugohmm15:38
gagehugoheh 41815:39
gagehugovishakha s/policy/policies15:40
cmurphy^15:40
cmurphythe policy doc is wrong15:40
gagehugoyup15:41
vishakhaIn code too , its https://github.com/openstack/keystone/blob/master/keystone/common/policies/policy.py#L2515:41
cmurphythat's what i meant15:41
cmurphythat's wrong15:41
cmurphythe api-ref is right https://docs.openstack.org/api-ref/identity/v3/#policies15:41
vishakhaohk. Thanks. I will push a patch to correct it.15:42
vishakhacmurphy gagehugo Thanks15:43
cmurphynp15:43
cmurphymeeting in 17 minutes in #openstack-meeting-alt15:43
cmurphybnemec: good suggestion re https://review.opendev.org/67580715:44
cmurphyi keep forgetting the upgrade check exists15:44
cmurphymaybe it would be okay to use that instead of doing the hacky workaround in the controller15:44
*** gyee has joined #openstack-keystone15:44
openstackgerritVishakha Agarwal proposed openstack/keystone master: Implement system reader and member for policies  https://review.opendev.org/67616215:46
bnemecHappy to help. :-)15:47
bnemecI also tend to forget about upgrade checks, but then we don't really have them in Oslo.15:48
bnemecI'm not sure whether they're a replacement for the runtime check though. Are they considered a mandatory part of the upgrade?15:49
cmurphyi don't think so15:49
knikollacmurphy: will miss weekly meeting as I'm not feeling well today.15:56
*** shyamb has joined #openstack-keystone15:57
kmallocknikolla: feel better15:57
cmurphyknikolla: okay, get well soon15:58
*** vesper11 has quit IRC15:58
*** vesper11 has joined #openstack-keystone16:00
cmurphymeeting now in #openstack-meeting-alt16:01
*** markvoelker has quit IRC16:02
*** spsurya has quit IRC16:04
openstackgerritVishakha Agarwal proposed openstack/keystone master: Implement system reader and member for policies  https://review.opendev.org/67616216:11
*** markvoelker has joined #openstack-keystone16:12
*** shyamb has quit IRC16:15
openstackgerritVishakha Agarwal proposed openstack/keystone master: Implement system reader and member for endpoint_groups  https://review.opendev.org/67527216:15
openstackgerritVishakha Agarwal proposed openstack/keystone master: Implement system_admin for endpoint_groups  https://review.opendev.org/67553616:16
openstackgerritVishakha Agarwal proposed openstack/keystone master: Add tests for domain users interacting with endpoint_groups  https://review.opendev.org/67610816:16
openstackgerritVishakha Agarwal proposed openstack/keystone master: Add tests for project users interacting with endpoint_groups  https://review.opendev.org/67611516:17
*** tesseract has quit IRC16:43
*** mvkr has quit IRC17:45
*** markvoelker has quit IRC18:12
*** markvoelker has joined #openstack-keystone18:15
*** manuvakery has quit IRC18:28
*** mrhillsman has joined #openstack-keystone18:51
openstackgerritColleen Murphy proposed openstack/keystone master: Move list_trusts enforcement to default policies  https://review.opendev.org/67580719:00
*** ivve has joined #openstack-keystone19:14
*** mvkr has joined #openstack-keystone19:24
*** mvkr has quit IRC19:30
gyeecmurphy, kmalloc, we still support writable LDAP?19:32
cmurphygyee: no19:33
*** whoami-rajat has quit IRC19:33
gyeecmurphy, https://review.opendev.org/#/c/674782/2/keystone/identity/backends/ldap/common.py line 185719:33
gyeewonder if we should just deprecate that whole thing19:34
kmallocgyee: no.19:36
gyeeI think emulation mixin was for writable LDAP19:37
*** markvoelker has quit IRC20:10
*** markvoelker has joined #openstack-keystone20:28
openstackgerritColleen Murphy proposed openstack/keystone master: Move list_trusts enforcement to default policies  https://review.opendev.org/67580720:45
openstackgerritColleen Murphy proposed openstack/keystone master: Move delete_trust enforcement to default policies  https://review.opendev.org/67627720:45
openstackgerritColleen Murphy proposed openstack/keystone master: Add immutable roles status check  https://review.opendev.org/67550920:46
*** xek has quit IRC21:04
*** markvoelker has quit IRC21:07
*** raildo has quit IRC21:12
openstackgerritMerged openstack/keystone master: Run 'tempest-ipv6-only' job in gate  https://review.opendev.org/67190321:29
*** dancn has joined #openstack-keystone21:33
adriantcmurphy: can I do a follow up patch unrelated to MFA to KeystoneAuth to get rid of the '>>> ' in the examples... so that they can be easily copy and pasted?21:53
cmurphyadriant: sure21:54
adriantBecause I can't think of how many times I've done that, and then been annoyed at having to clean up those21:54
adriantcool21:54
openstackgerritColleen Murphy proposed openstack/keystone master: Move delete_trust enforcement to default policies  https://review.opendev.org/67627721:59
openstackgerritColleen Murphy proposed openstack/keystone master: Move get_trust enforcement to default policies  https://review.opendev.org/67628321:59
*** markvoelker has joined #openstack-keystone22:10
*** markvoelker has quit IRC22:14
openstackgerritColleen Murphy proposed openstack/keystone master: Move delete_trust enforcement to default policies  https://review.opendev.org/67627722:28
openstackgerritColleen Murphy proposed openstack/keystone master: Move get_trust enforcement to default policies  https://review.opendev.org/67628322:28
openstackgerritColleen Murphy proposed openstack/keystone master: Move list_roles_for_trust enforcement to policies  https://review.opendev.org/67628422:28
*** ivve has quit IRC22:36
*** tkajinam has joined #openstack-keystone22:59
openstackgerritColleen Murphy proposed openstack/keystone master: Add protection tests for trusts API  https://review.opendev.org/67572023:13
openstackgerritColleen Murphy proposed openstack/keystone master: Move list_trusts enforcement to default policies  https://review.opendev.org/67580723:13
openstackgerritColleen Murphy proposed openstack/keystone master: Move delete_trust enforcement to default policies  https://review.opendev.org/67627723:13
openstackgerritColleen Murphy proposed openstack/keystone master: Move get_trust enforcement to default policies  https://review.opendev.org/67628323:13
openstackgerritColleen Murphy proposed openstack/keystone master: Move list_roles_for_trust enforcement to policies  https://review.opendev.org/67628423:13
openstackgerritColleen Murphy proposed openstack/keystone master: Move get_role_for_trust enforcement to policies  https://review.opendev.org/67628723:13
*** markvoelker has joined #openstack-keystone23:25
*** markvoelker has quit IRC23:36
openstackgerritAdrian Turjak proposed openstack/keystoneauth master: add support for auth_receipts and multi-method auth  https://review.opendev.org/67504923:51
adriantcmurphy: cool, I think I've now addressed all your concerns :)23:53
adriantI'd very heavily suggest setting up an environment and testing it out. While I don't think the patch is very far from a mergable state, I'd think we need enough people to confirm we are happy with the new interfaces before we set them in stone and have to maintain them!23:56
adriantmordred: https://review.opendev.org/675049 is in a state where your feedback/testing would be really valuable.23:57
adriantespecially the new MultiFactor loader, since in theory that should now actually allow MFA via the cli23:57
mordredadriant: cool! I'll look at it first thing in the morning23:57
adriantawesome :)23:58
adriantand then later we can chat about token caching for the cli tools23:58
adriantbecause we'll want a "login" action with MFA that then stores a token, and switchin the cli to using that cached token23:58
« Monday, 2019-08-12 Index Wednesday, 2019-08-14 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!