| *** vishalmanchanda has joined #openstack-keystone | 00:00 | |
| *** NM has joined #openstack-keystone | 00:02 | |
| *** threestrands has joined #openstack-keystone | 00:12 | |
| *** NM has quit IRC | 00:32 | |
| *** lbragstad_ has joined #openstack-keystone | 00:38 | |
| *** jamesmcarthur has quit IRC | 00:39 | |
| *** lbragstad_ has quit IRC | 00:44 | |
| *** lbragstad_ has joined #openstack-keystone | 01:09 | |
| *** lbragstad_ has quit IRC | 01:57 | |
| *** NM has joined #openstack-keystone | 02:08 | |
| *** dave-mccowan has joined #openstack-keystone | 02:27 | |
| larsks | Ah, why doesn't keystone let me create arbitrary endpoints? I thought I was going to be clever and create a "healthcheck" endpoint for services, but it will only let me create public, internal, or admin. | 02:30 |
| *** dave-mccowan has quit IRC | 02:32 | |
| *** lbragstad_ has joined #openstack-keystone | 02:57 | |
| *** mvkr has quit IRC | 03:11 | |
| *** jamesmcarthur has joined #openstack-keystone | 03:11 | |
| *** mvkr has joined #openstack-keystone | 03:14 | |
| *** lbragstad_ has quit IRC | 03:20 | |
| *** NM has quit IRC | 03:26 | |
| *** jamesmcarthur has quit IRC | 03:31 | |
| *** jamesmcarthur has joined #openstack-keystone | 03:35 | |
| *** jamesmcarthur has quit IRC | 03:40 | |
| adriant | larsks: because that's meant to be the base endpoint for the service in question | 03:41 |
| adriant | while a health endpoint likely is: at "/health" or something | 03:41 |
| adriant | and the whole public vs admin thing is mostly a relic, and I think any services doing public vs internal are exposing them on different ports | 03:42 |
| larsks | I mean...I guess? But why not allow the operator to register different names? Maybe I expose different ip addresses to different parts of the organization and I want something besides "internal" and "public". It just seems like a weird thing to restrict. | 03:42 |
| larsks | I mean, what's going to break if I register an endpoint that doesn't use a well known name? | 03:42 |
| adriant | but that's just the 'type' of endpoing | 03:42 |
| adriant | endpoint* | 03:42 |
| adriant | I don't think there is any particular reason. Just that in the context of openstack there hasn't ever needed to be more than those 3 options, only 2 of which are even used these days. | 03:43 |
| adriant | most of the flexibility is in the service name | 03:44 |
| *** dave-mccowan has joined #openstack-keystone | 03:44 | |
| adriant | well, service name and service type | 03:44 |
| adriant | larsks, maybe what you want/need to do is create arbitrary services, and then to those attach endpoints? | 03:46 |
| adriant | is this in the context of openstack or something else? | 03:46 |
| larsks | This is in the context of openstack. I was just surprised that keystone bothered to reject interface names like that. It seems pointlessly proscriptive. It's not a big deal. | 03:47 |
| adriant | "The interface type, which describes the visibility of the endpoint." | 03:48 |
| adriant | it was made to serve a specific purpose, so 'healthcheck' probably wouldn't fit within the scope anyway :P | 03:48 |
| *** dave-mccowan has quit IRC | 04:30 | |
| *** manuvakery has joined #openstack-keystone | 05:02 | |
| *** evrardjp has quit IRC | 05:35 | |
| *** evrardjp has joined #openstack-keystone | 05:35 | |
| *** abdysn has joined #openstack-keystone | 06:19 | |
| *** threestrands has quit IRC | 06:42 | |
| *** dancn has joined #openstack-keystone | 07:00 | |
| *** rcernin has quit IRC | 07:06 | |
| *** bengates has joined #openstack-keystone | 08:07 | |
| *** tkajinam has quit IRC | 08:07 | |
| *** tesseract has joined #openstack-keystone | 08:12 | |
| *** bengates has quit IRC | 08:13 | |
| *** bengates has joined #openstack-keystone | 08:18 | |
| *** gshippey has joined #openstack-keystone | 10:01 | |
| *** Luzi has joined #openstack-keystone | 10:02 | |
| *** xek_ has joined #openstack-keystone | 10:05 | |
| *** vishalmanchanda has quit IRC | 10:09 | |
| *** kplant has joined #openstack-keystone | 11:07 | |
| *** kplant has quit IRC | 11:14 | |
| *** kplant has joined #openstack-keystone | 11:17 | |
| *** lbragstad_ has joined #openstack-keystone | 11:43 | |
| *** lbragstad_ has quit IRC | 11:51 | |
| *** raildo has joined #openstack-keystone | 12:08 | |
| *** jamesmcarthur has joined #openstack-keystone | 12:10 | |
| *** jamesmcarthur has quit IRC | 12:14 | |
| *** jamesmcarthur has joined #openstack-keystone | 12:20 | |
| *** jamesmcarthur has quit IRC | 12:36 | |
| *** takamatsu has quit IRC | 12:37 | |
| cmurphy | adriant: you need a new enough version of ksm, keystone will reject a token from ksm if it hasn't set a header indicating it knows to enforce access rules | 12:39 |
| *** jamesmcarthur has joined #openstack-keystone | 12:47 | |
| *** stingrayza has quit IRC | 12:51 | |
| *** lbragstad has joined #openstack-keystone | 12:54 | |
| *** jamesmcarthur has quit IRC | 12:56 | |
| *** jamesmcarthur has joined #openstack-keystone | 12:57 | |
| *** joshualyle has joined #openstack-keystone | 13:01 | |
| *** jamesmcarthur has quit IRC | 13:02 | |
| *** lbragstad has quit IRC | 13:06 | |
| *** jamesmcarthur has joined #openstack-keystone | 13:13 | |
| *** NM has joined #openstack-keystone | 13:21 | |
| *** jamesmcarthur has quit IRC | 13:32 | |
| *** jamesmcarthur has joined #openstack-keystone | 13:32 | |
| *** NM has quit IRC | 13:35 | |
| *** jamesmcarthur has quit IRC | 13:38 | |
| *** NM has joined #openstack-keystone | 13:42 | |
| *** NM has quit IRC | 13:42 | |
| kklimonda | how would keystone behave in a deployment where all database writes are routed to remote mysql cluster, and reads are served locally from asynchronous replica? | 13:51 |
| *** stingrayza has joined #openstack-keystone | 13:52 | |
| kklimonda | I'm trying to figure out a reasonable architecture for multi-region keystone deployment, and right now I'm considering one "master" galera cluster (perhaps split between a few DCs) and additional asynchronous replicas for other regions | 13:52 |
| kplant | that sounds a little weird to me. you could run into a situation where a user is created but does not exist in the db the very same keystone reads from | 13:53 |
| kplant | unless you made all operations block, but that'd be painfully slow | 13:54 |
| kplant | and no longer async | 13:54 |
| kklimonda | indeed, although I'm not worried about creation of users/projects/domains - for users (as opposed to admins) this is done not via keystone, but a "tenant manager" of sorts | 13:55 |
| kplant | that's fair, user creation was just an example | 13:56 |
| *** dave-mccowan has joined #openstack-keystone | 13:56 | |
| kplant | that would apply for any operation you'd expect symmetry | 13:56 |
| kplant | neat idea though | 13:56 |
| kklimonda | yeah, I'm curious how much that would break keystone assumptions | 13:57 |
| kklimonda | synchronous replication scales poorly with additional regions.. | 13:57 |
| kplant | absolutely | 13:57 |
| kplant | any latency crushes sync | 13:57 |
| *** lbragstad has joined #openstack-keystone | 13:57 | |
| kklimonda | I guess I should do a test deployment and run some rally+tempest tests to see how it behaves while I introduce latency | 13:58 |
| kklimonda | but I thought I'd ask first and see if someone has already thought about it and can save me time in case it's just not feasible | 13:58 |
| kplant | have you tried k2k federation? | 13:59 |
| *** jamesmcarthur has joined #openstack-keystone | 14:03 | |
| *** Luzi has quit IRC | 14:05 | |
| kklimonda | no, but I already have external SSO that I will be integrating with | 14:07 |
| kplant | you can still do that with k2k | 14:08 |
| kplant | use your SSO as the IdP and keystone as SP | 14:08 |
| kplant | iirc | 14:08 |
| kklimonda | yes, but then I can't have shared IDs for projects, users etc. | 14:08 |
| kklimonda | I mean, perhaps it's possible if I use "ephemeral" users, but due to another one of the requirements, users must have their own domains | 14:09 |
| *** jamesmcarthur has quit IRC | 14:09 | |
| kplant | gotcha | 14:09 |
| *** dancn has quit IRC | 14:24 | |
| *** dancn has joined #openstack-keystone | 14:30 | |
| *** jamesmcarthur has joined #openstack-keystone | 14:39 | |
| *** abdysn has quit IRC | 14:43 | |
| *** jamesmcarthur has quit IRC | 14:44 | |
| *** dancn has quit IRC | 14:58 | |
| *** dancn has joined #openstack-keystone | 14:58 | |
| *** bengates has quit IRC | 15:00 | |
| *** bengates has joined #openstack-keystone | 15:00 | |
| *** beekneemech is now known as bnemec | 15:04 | |
| *** bengates has quit IRC | 15:05 | |
| *** dancn has quit IRC | 15:07 | |
| *** jamesmcarthur has joined #openstack-keystone | 15:18 | |
| *** jamesmcarthur has quit IRC | 15:19 | |
| *** jamesmcarthur_ has joined #openstack-keystone | 15:19 | |
| *** jamesmcarthur_ has quit IRC | 15:47 | |
| *** jamesmcarthur has joined #openstack-keystone | 15:58 | |
| *** jamesmcarthur has quit IRC | 16:35 | |
| *** jamesmcarthur has joined #openstack-keystone | 16:37 | |
| *** jamesmcarthur has quit IRC | 17:00 | |
| *** jamesmcarthur has joined #openstack-keystone | 17:11 | |
| *** evrardjp has quit IRC | 17:35 | |
| *** evrardjp has joined #openstack-keystone | 17:35 | |
| *** joshualyle has quit IRC | 17:55 | |
| *** jamesmcarthur has quit IRC | 18:00 | |
| *** jamesmcarthur has joined #openstack-keystone | 18:08 | |
| *** dancn has joined #openstack-keystone | 18:13 | |
| *** jamesmcarthur has quit IRC | 18:16 | |
| *** jamesmcarthur has joined #openstack-keystone | 18:17 | |
| cmurphy | PSA: the meeting time tomorrow will be different for those of us who are affected by the DST change that just happened in the US | 18:39 |
| *** jamesmcarthur has quit IRC | 18:44 | |
| *** jamesmcarthur has joined #openstack-keystone | 18:56 | |
| *** gyee has joined #openstack-keystone | 19:24 | |
| *** tesseract has quit IRC | 19:33 | |
| *** kplant has quit IRC | 19:34 | |
| *** dave-mccowan has quit IRC | 19:38 | |
| *** lbragstad_ has joined #openstack-keystone | 19:54 | |
| *** lbragstad has quit IRC | 19:57 | |
| *** jamesmcarthur has quit IRC | 20:06 | |
| *** dave-mccowan has joined #openstack-keystone | 20:13 | |
| *** jamesmcarthur has joined #openstack-keystone | 20:14 | |
| *** jamesmcarthur has quit IRC | 20:17 | |
| *** jamesmcarthur has joined #openstack-keystone | 20:18 | |
| *** NM has joined #openstack-keystone | 20:33 | |
| *** xek_ has quit IRC | 20:36 | |
| *** joshualyle has joined #openstack-keystone | 20:40 | |
| *** joshualyle has quit IRC | 20:44 | |
| *** trident has quit IRC | 20:57 | |
| *** jamesmcarthur has quit IRC | 20:58 | |
| *** trident has joined #openstack-keystone | 20:58 | |
| *** jamesmcarthur has joined #openstack-keystone | 20:58 | |
| *** trident has quit IRC | 21:04 | |
| *** dancn has quit IRC | 21:04 | |
| *** trident has joined #openstack-keystone | 21:05 | |
| *** NM has quit IRC | 21:20 | |
| *** rcernin has joined #openstack-keystone | 21:36 | |
| *** jamesmcarthur has quit IRC | 21:47 | |
| adriant | cmurphy: so essentially to make use of access rules you need all your services at Ussuri, or older, but with a forced newer version of KSM? | 21:52 |
| cmurphy | adriant: train, I think, but yes | 21:55 |
| adriant | ok, cool | 21:55 |
| adriant | the docs for access rules in keystone itself only got added in ussuri so I wasn't sure if it's a master feature or last release :P | 21:56 |
| adriant | but train is still far into the future for us :( | 21:56 |
| *** zigo has quit IRC | 22:13 | |
| *** zigo has joined #openstack-keystone | 22:19 | |
| *** tkajinam has joined #openstack-keystone | 22:55 | |
| *** gshippey has quit IRC | 23:01 | |
| *** raildo has quit IRC | 23:17 | |
| *** lbragstad_ has quit IRC | 23:17 | |
| *** jamesmcarthur has joined #openstack-keystone | 23:22 | |
| *** jamesmcarthur has quit IRC | 23:23 | |
| *** gyee has quit IRC | 23:24 | |
| *** jamesmcarthur has joined #openstack-keystone | 23:24 | |
| *** jamesmcarthur has quit IRC | 23:25 | |
| *** jamesmcarthur has joined #openstack-keystone | 23:25 | |
| *** jamesmcarthur has quit IRC | 23:40 | |
| *** jamesmcarthur has joined #openstack-keystone | 23:40 | |
| *** jamesmcarthur has quit IRC | 23:46 | |