Monday, 2019-08-26

« Sunday, 2019-08-25 Index Tuesday, 2019-08-27 »
*** jamesmcarthur has joined #openstack-keystone00:17
*** markvoelker has joined #openstack-keystone00:20
*** markvoelker has quit IRC00:25
*** itlinux_ has joined #openstack-keystone00:46
*** itlinux has quit IRC00:49
*** jamesmcarthur has quit IRC01:33
*** jamesmcarthur has joined #openstack-keystone02:14
*** jamesmcarthur has quit IRC02:37
*** masayukig has joined #openstack-keystone02:41
*** markvoelker has joined #openstack-keystone02:55
*** markvoelker has quit IRC03:00
*** jamesmcarthur has joined #openstack-keystone03:04
*** rcernin_ has joined #openstack-keystone03:15
*** rcernin has quit IRC03:15
*** jamesmcarthur has quit IRC03:33
*** markvoelker has joined #openstack-keystone04:20
*** markvoelker has quit IRC04:25
*** itlinux has joined #openstack-keystone04:31
*** itlinux_ has quit IRC04:34
*** beekneemech has quit IRC05:16
*** bnemec has joined #openstack-keystone05:20
*** jaosorior has joined #openstack-keystone05:51
*** dancn has joined #openstack-keystone05:53
*** shyamb has joined #openstack-keystone05:54
*** rcernin_ has quit IRC06:18
*** dancn has quit IRC06:33
*** takamatsu has joined #openstack-keystone06:34
openstackgerritVishakha Agarwal proposed openstack/keystone master: Add tests for domain users for policy association  https://review.opendev.org/67846706:37
*** dancn has joined #openstack-keystone06:40
*** takamatsu has quit IRC06:42
openstackgerritVishakha Agarwal proposed openstack/keystone master: Add tests for project users for policy association  https://review.opendev.org/67847106:48
*** trident has quit IRC07:01
*** itlinux has quit IRC07:03
*** itlinux has joined #openstack-keystone07:04
*** trident has joined #openstack-keystone07:10
*** jawad_axd has joined #openstack-keystone07:13
*** xek has joined #openstack-keystone07:25
*** shyamb has quit IRC07:27
*** shyam89 has joined #openstack-keystone07:27
*** shyam89 has quit IRC07:30
openstackgerritVishakha Agarwal proposed openstack/keystone master: Remove system policy and its association from policy.v3cloudsample.json  https://review.opendev.org/67847507:31
*** ivve has joined #openstack-keystone07:54
*** markvoelker has joined #openstack-keystone08:02
*** markvoelker has quit IRC08:07
*** tkajinam has quit IRC08:30
openstackgerritNikita Kalyanov proposed openstack/keystone master: Fix caching behavior  https://review.opendev.org/67723909:05
*** rcernin_ has joined #openstack-keystone09:13
*** rcernin_ has quit IRC09:42
*** markvoelker has joined #openstack-keystone10:05
*** markvoelker has quit IRC10:10
*** xek has quit IRC10:11
*** jaosorior has quit IRC10:26
*** xek has joined #openstack-keystone10:26
*** markvoelker has joined #openstack-keystone10:35
*** markvoelker has quit IRC10:40
*** shyamb has joined #openstack-keystone10:46
*** tesseract has joined #openstack-keystone11:12
*** shyamb has quit IRC11:14
*** shyamb has joined #openstack-keystone11:24
*** vishakha has joined #openstack-keystone11:25
*** cp has quit IRC11:41
*** cp has joined #openstack-keystone11:42
*** jaosorior has joined #openstack-keystone11:44
*** jroll has quit IRC11:44
*** jroll has joined #openstack-keystone11:45
*** rcernin_ has joined #openstack-keystone11:53
*** markvoelker has joined #openstack-keystone12:00
*** shyamb has quit IRC12:24
*** rcernin_ has quit IRC12:32
*** xek_ has joined #openstack-keystone12:42
*** xek_ has quit IRC12:47
*** jamesmcarthur has joined #openstack-keystone12:47
*** jmlowe has quit IRC12:56
*** jmlowe has joined #openstack-keystone13:15
*** dave-mccowan has joined #openstack-keystone13:20
*** elbragstad is now known as lbragstad13:31
lbragstado/13:36
*** jamesmcarthur has quit IRC13:44
*** jamesmcarthur has joined #openstack-keystone13:47
*** psousa1 has joined #openstack-keystone13:49
psousa1Hi there, I'm trying to configure keystone with 2 regions, but have some doubts about the endpoints connectivity. When I try to connect to the remote site it always tries to connect to the internal api network GET call to identity for http://192.168.24.11:35357/v3/services, instead of the external routed network. Is there a way to change this behavior? Thanks13:52
*** jamesmcarthur has quit IRC13:52
*** jawad_axd has quit IRC13:53
openstackgerritAlex Schultz proposed openstack/keystoneauth master: Cleanup session on delete  https://review.opendev.org/67413914:12
*** jamesmcarthur has joined #openstack-keystone14:21
openstackgerritLance Bragstad proposed openstack/keystoneauth master: Expose irreversible override with Session connect_retries  https://review.opendev.org/67857614:24
*** jamesmcarthur has quit IRC14:28
*** zigo has joined #openstack-keystone14:30
lbragstadzaneb nice catch on the connect_retries default args14:35
zanebI'm not even sure that's a problem, but it seemed worth pointing out14:38
*** markvoelker has quit IRC14:41
lbragstadyeah14:41
lbragstadas a developer, i think it would be weird to set retries on the session and not be able to override them for a specific request14:42
lbragstadbut - maybe that's not a likely case14:42
lbragstadidk14:42
*** markvoelker has joined #openstack-keystone14:44
kmalloclbragstad: ah, can't reset back to 0?14:55
lbragstadi haven't been able to - that's what i tried to do in the test14:56
lbragstadhttps://review.opendev.org/#/c/678576/14:56
kmalloci know you can override to a different non-zero value14:56
lbragstadhttps://review.opendev.org/#/c/678576/1/keystoneauth1/tests/unit/test_session.py@47214:56
lbragstadyeah - you could do something like call_args = {'connect_retries': 4}14:57
kmalloci added that test14:57
lbragstadyou can override up - but you can't override down(?)14:57
openstackgerritKristi Nikolla proposed openstack/keystone master: Expiring User Group Membership Model  https://review.opendev.org/67746914:57
kmallocyou can override down14:57
kmallocjust not to 014:57
kmallochttps://review.opendev.org/#/c/676648/4/keystoneauth1/tests/unit/test_session.py14:57
kmallochttps://www.irccloud.com/pastebin/yA68a9e5/14:58
kmalloc^14:58
*** dancn has quit IRC14:58
lbragstadok - so you can't unset then14:59
kmallocyeah14:59
kmallocwhich we should support.14:59
lbragstadcool14:59
openstackgerritKristi Nikolla proposed openstack/keystone master: Expiring Group Membership Driver  https://review.opendev.org/67858614:59
gagehugoo/15:00
kmallocso we can't land the patch until we can unset it, i think i know where it is. give me a sec15:00
kmalloclbragstad: we need to check is not none15:01
kmallocand set defaults to none not 015:01
lbragstadcan we do that?15:01
kmalloc connect_retries = connect_retries or self._connect_retries15:01
kmallocchanging the default is fine.15:01
kmallocbecause behavior is the same15:01
lbragstadif someone left if unset - then they'd be assuming the new default of None15:02
knikollao/15:02
lbragstadit unset*15:02
kmallocwhich, behavior should be: none is == 0 retries (logic wise), so we do something like:15:02
lbragstadand if someone set it explicitly, then they should observe the same behavior, yeah, ok15:02
kmallocif connect_retries is None:15:03
kmalloc   connect_retries = self._session_retries <-- should default to 015:03
kmallocso connect_retries always overrides.15:04
lbragstadok15:06
lbragstadcool15:06
kmallocsimple fix and we need to test the zero case as well15:08
lbragstadi didn't write a case for overriding to something smaller that wasn't 015:09
kmalloclbragstad: but i did in the patch ;)15:09
lbragstadah15:09
kmallocso, we're good on that front15:09
kmallocand i could write the inverse but i'm not super worried, any non-zero and a zero case should be fine15:09
kmallocthough maybe it should be if is not None and not < 015:10
kmalloca negative retry is... weird?15:10
lbragstadyeah - i don't think that makes sense for retry logic15:14
lbragstadwe could validate input is None or >=015:15
lbragstaddo we even test negative interger cases?15:15
kmallocno we don't, afaik15:16
kmalloci would just validate like: if connect_retries is None or connect_retries < 015:17
kmallocand in the session one, just force it to be 0 or above.15:17
kmallocbehavior should be 100% the same15:17
kmallocunrelated, i know this isn't passing (pending a tempest change): https://review.opendev.org/#/c/678322/ adds support for resource options to roles and projects15:18
*** jamesmcarthur has joined #openstack-keystone15:18
kmallocthe followup is almost ready, adds immutable15:18
kmallocit need a couple more tests and a fix to ldap tests (remove them?)15:19
kmallocit would have been done already but had an issue that took a chunk of my time last night/today15:19
*** jamesmcarthur has quit IRC15:22
*** jamesmcarthur has joined #openstack-keystone15:22
bnemecHey, can someone provide a sanity check on https://review.opendev.org/#/c/662830 ?15:31
bnemecIt looks reasonable to me, but I would like if someone from keystone could say "that's not totally wrong". :-)15:32
*** gyee has joined #openstack-keystone15:45
*** xek has quit IRC15:51
*** ivve has quit IRC16:00
openstackgerritVishakha Agarwal proposed openstack/keystone master: Add tests for domain users for policy association  https://review.opendev.org/67846716:12
openstackgerritVishakha Agarwal proposed openstack/keystone master: Add tests for project users for policy association  https://review.opendev.org/67847116:15
openstackgerritVishakha Agarwal proposed openstack/keystone master: Remove system policy and its association from policy.v3cloudsample.json  https://review.opendev.org/67847516:16
openstackgerritVishakha Agarwal proposed openstack/keystone master: [WIP] Generate PDF documentation  https://review.opendev.org/66998216:32
*** jamesmcarthur has quit IRC16:40
*** tesseract has quit IRC16:57
lbragstadkmalloc gyee pretty easy stable backport https://review.opendev.org/#/c/678610/16:58
openstackgerritVishakha Agarwal proposed openstack/keystone master: [WIP] Generate PDF documentation  https://review.opendev.org/66998217:02
*** jamesmcarthur has joined #openstack-keystone17:04
openstackgerritVishakha Agarwal proposed openstack/keystone master: [WIP] Generate PDF documentation  https://review.opendev.org/66998217:08
openstackgerritVishakha Agarwal proposed openstack/keystone master: [WIP] Generate PDF documentation  https://review.opendev.org/66998217:11
openstackgerritVishakha Agarwal proposed openstack/keystone master: [WIP] Generate PDF documentation  https://review.opendev.org/66998217:12
gyeelbragstad, looks like kmalloc A+ it already :-)17:24
kmallocyup17:27
*** jamesmcarthur has quit IRC17:29
lbragstadoh - sweet17:31
*** psousa1 has quit IRC17:45
*** jamesmcarthur has joined #openstack-keystone17:49
*** jamesmcarthur has quit IRC17:58
*** jamesmcarthur has joined #openstack-keystone18:12
kmalloclbragstad: bandit issue(s) hitting that backport18:25
lbragstadbah18:26
lbragstadbroken gate?18:26
kmallocyep, bandit is detecting a header as a password18:26
*** trident has quit IRC18:40
*** trident has joined #openstack-keystone18:40
lbragstadkmalloc looks like bandit completely fails for me locally18:50
lbragstadit's getting 302 when it tries to pull the upper constrains file defined in tox.ini on stable/queens18:50
kmallocoh fun18:53
kmallocthat is a bug we need to fix, needs to point to opendev18:53
kmallocrather than openstack.org18:54
*** markvoelker has quit IRC18:57
*** xek_ has joined #openstack-keystone18:58
*** ivve has joined #openstack-keystone18:59
lbragstadkmalloc lets see if https://review.opendev.org/#/c/678636/ helps19:00
*** markvoelker has joined #openstack-keystone19:11
lbragstadkmalloc what's the story behind https://opendev.org/openstack/keystone/src/branch/master/keystone/conf/__init__.py#L189-L197 ?19:20
lbragstaddoesn't ``keystone.conf [cache] enabled`` default to true?19:21
lbragstadah - nevermind... https://opendev.org/openstack/oslo.cache/src/branch/master/oslo_cache/_opts.py#L67-L6819:21
lbragstadit defaults to false, but we override it to make sure its always on19:22
openstackgerritMerged openstack/keystone master: Implement system reader and member for policies  https://review.opendev.org/67616219:28
kmalloclbragstad: yep19:29
*** andrein has joined #openstack-keystone19:30
andreinHello everyone, I'm setting up LDAP authentication via the multi-domain feature. I was able to configure my domain, and I've got as far as "You are not authorized for any projects or domains" when I login with my LDAP account. I think it's time to add my LDAP user to my project, but the project is in the default domain. Can I do that, or do I need to create a new project, role etc in the LDAP domain?19:34
*** jamesmcarthur has quit IRC19:53
*** xek_ has quit IRC20:00
*** andrein has quit IRC20:08
*** andrein has joined #openstack-keystone20:09
*** xek has joined #openstack-keystone20:13
*** vishakha has quit IRC20:16
*** david-lyle has quit IRC20:25
*** jmlowe has quit IRC20:38
*** dklyle has joined #openstack-keystone20:39
lbragstadkmalloc you can limit upper constraints in tox.ini?20:46
lbragstadandrein role assignments are not strictly bound to a single domain20:47
lbragstadandrein you can have a user in domain A and they can have role assignments on project in domain B or they can have role assignments on domain B itself20:47
*** xek has quit IRC21:07
kmallocfor bandit21:11
kmallocbecause it is a linter21:11
kmallocytou have to21:11
*** trident has quit IRC21:14
lbragstadhmm21:15
lbragstadkmalloc i see where we have lower bounds using test-requirements.txt but i don't see an example of us limiting an upper bound21:16
kmallocwe did previously21:16
lbragstadi tried digging for an eample21:18
lbragstadexample*21:18
lbragstadnothing jumped out at me21:18
lbragstadi know we've done that using setup.cfg21:18
kmallocah i think it was setup.cfg21:19
kmallocbut anyway21:19
*** trident has joined #openstack-keystone21:20
*** markvoelker has quit IRC21:21
lbragstadok - so start there?21:21
lbragstadhmm - we seem to do that with extras21:22
lbragstader - [extras]21:22
kmallochmm21:23
kmallocyeah i would try that21:23
lbragstadinteresting... bandit isn't even in https://opendev.org/openstack/requirements/raw/branch/stable/queens/upper-constraints.txt21:23
lbragstadi wonder if that's what we need to do21:23
*** trident has quit IRC21:25
*** trident has joined #openstack-keystone21:33
andreinlbragstad, thanks for clearing it up, I tried it and it worked :) I've assigned myself the admin role on the admin project and I can see everything. Except some minor bugs in Horizon, it looks like It works as expected.21:34
lbragstadandrein good deal21:36
kmalloci think linters are weird.21:41
kmallocbut thats just as far as i recall21:41
lbragstadjust commented on the patch - but 1.5.1 works for me locally21:45
lbragstadthe move to bandit 1.6.0 must have included that new token change21:45
lbragstadi asked in #openstack-requirements if there is a process around adding that particular library to stable/queens upper-constraints.txt21:46
kmallocyeah 1.6.0 was as far as i know, was one that had issues21:54
kmallocfor other reasons21:54
*** markvoelker has joined #openstack-keystone22:05
*** trident has quit IRC22:05
*** markvoelker has quit IRC22:10
*** trident has joined #openstack-keystone22:14
*** ivve has quit IRC22:32
*** dklyle has quit IRC22:40
*** jmlowe has joined #openstack-keystone22:41
lbragstadkmalloc updated the bandit review on stable/queens - https://review.opendev.org/#/c/678696/122:45
*** rcernin has joined #openstack-keystone22:45
*** tkajinam has joined #openstack-keystone23:02
*** dave-mccowan has quit IRC23:11
kmalloclbragstad: +2 waiting on zuul23:13
kmallocthen +A23:13
lbragstadkmalloc ty sir23:19
*** dklyle has joined #openstack-keystone23:26
openstackgerritJohn Dennis proposed openstack/keystone master: Federation mapping debug should show direct_maps values  https://review.opendev.org/67870023:37
*** markvoelker has joined #openstack-keystone23:41
*** markvoelker has quit IRC23:46
« Sunday, 2019-08-25 Index Tuesday, 2019-08-27 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!