*** threestrands has joined #openstack-keystone | 02:51 | |
*** evrardjp has quit IRC | 04:35 | |
*** evrardjp has joined #openstack-keystone | 04:35 | |
*** vishalmanchanda has joined #openstack-keystone | 05:18 | |
*** dancn has joined #openstack-keystone | 06:50 | |
*** xek_ has quit IRC | 07:03 | |
*** bengates has joined #openstack-keystone | 07:28 | |
*** bengates has quit IRC | 07:29 | |
*** bengates has joined #openstack-keystone | 07:29 | |
*** xek has joined #openstack-keystone | 08:10 | |
*** rcernin has quit IRC | 08:13 | |
*** threestrands has quit IRC | 08:20 | |
*** tkajinam has quit IRC | 08:23 | |
*** kmalloc has joined #openstack-keystone | 08:45 | |
*** gshippey has joined #openstack-keystone | 09:58 | |
openstackgerrit | Merged openstack/oslo.policy master: Bump default tox env from py37 to py38 https://review.opendev.org/722860 | 10:18 |
openstackgerrit | Merged openstack/oslo.policy master: Add py38 package metadata https://review.opendev.org/722725 | 10:18 |
*** bengates has quit IRC | 10:43 | |
*** bengates_ has joined #openstack-keystone | 10:43 | |
*** kmalloc has quit IRC | 10:54 | |
openstackgerrit | Vishakha Agarwal proposed openstack/keystone master: Update keystone Making an API Change doc https://review.opendev.org/720581 | 11:06 |
kklimonda | cmurphy: (regarding "more friendly error message in the browser") thanks for your comment, would that change (to make keystone return a custom html page instead of json) be something you'll accept upstream? if so, any suggestions on what to take into account (other than Accept header) when implementing that? | 11:23 |
*** raildo has joined #openstack-keystone | 12:09 | |
openstackgerrit | Vishakha Agarwal proposed openstack/keystone master: Update doc id-manage.rst https://review.opendev.org/723403 | 12:36 |
*** lbragstad has joined #openstack-keystone | 12:59 | |
*** spsurya_ has joined #openstack-keystone | 13:27 | |
*** tkajinam has joined #openstack-keystone | 13:42 | |
*** irclogbot_0 has joined #openstack-keystone | 14:08 | |
*** irclogbot_0 has quit IRC | 14:12 | |
*** irclogbot_3 has joined #openstack-keystone | 14:22 | |
*** irclogbot_3 has quit IRC | 14:25 | |
*** irclogbot_1 has joined #openstack-keystone | 14:26 | |
*** irclogbot_1 has quit IRC | 14:29 | |
*** irclogbot_1 has joined #openstack-keystone | 14:30 | |
*** manuvakery has joined #openstack-keystone | 14:32 | |
*** irclogbot_1 has quit IRC | 14:35 | |
*** irclogbot_0 has joined #openstack-keystone | 14:36 | |
*** irclogbot_0 has quit IRC | 14:39 | |
*** irclogbot_2 has joined #openstack-keystone | 14:40 | |
*** irclogbot_2 has quit IRC | 14:45 | |
*** irclogbot_3 has joined #openstack-keystone | 14:46 | |
*** beekneemech is now known as bnemec | 14:50 | |
*** irclogbot_3 has quit IRC | 14:51 | |
*** irclogbot_0 has joined #openstack-keystone | 14:52 | |
*** tkajinam has quit IRC | 14:54 | |
*** irclogbot_0 has quit IRC | 14:55 | |
*** irclogbot_3 has joined #openstack-keystone | 14:56 | |
*** irclogbot_3 has quit IRC | 14:59 | |
*** irclogbot_3 has joined #openstack-keystone | 15:00 | |
*** irclogbot_3 has quit IRC | 15:03 | |
*** irclogbot_0 has joined #openstack-keystone | 15:04 | |
*** irclogbot_0 has quit IRC | 15:07 | |
*** irclogbot_2 has joined #openstack-keystone | 15:08 | |
*** irclogbot_2 has quit IRC | 15:11 | |
*** irclogbot_0 has joined #openstack-keystone | 15:12 | |
*** irclogbot_0 has quit IRC | 15:15 | |
*** irclogbot_3 has joined #openstack-keystone | 15:16 | |
*** irclogbot_3 has quit IRC | 15:19 | |
*** irclogbot_0 has joined #openstack-keystone | 15:20 | |
*** irclogbot_0 has quit IRC | 15:23 | |
*** irclogbot_1 has joined #openstack-keystone | 15:24 | |
*** irclogbot_1 has quit IRC | 15:27 | |
*** irclogbot_1 has joined #openstack-keystone | 15:28 | |
*** irclogbot_1 has quit IRC | 15:31 | |
*** irclogbot_3 has joined #openstack-keystone | 15:37 | |
cmurphy | kklimonda: personally i think it would be accepted. i would look at what we do with the SSO callback HTML page https://opendev.org/openstack/keystone/src/branch/master/keystone/api/auth.py#L105 and also this old review which probably should have been accepted a while ago https://review.opendev.org/632213 for inspiration | 15:40 |
bnemec | So, this is bad, right? https://github.com/openstack/nova/blob/347d656c35fdf0c309039a7c1f352f82c6950868/nova/policies/base.py#L36 | 15:41 |
bnemec | Adding a scope check right into the rule basically does an end-run around enforce_scope and doesn't allow deployer to turn it off easily. | 15:41 |
cmurphy | we ended up doing that in keystone because of the reason in the comment, the ideal end state is to have scope_type=system and rule=role:reader but if enforce_scope is false then it just becomes rule=role:reader which would be too permissive | 15:48 |
cmurphy | if enforce_scope=true then rule:system_scope:all... is a noop | 15:49 |
cmurphy | it's ugly but it's all we could come up with :( | 15:50 |
bnemec | Apparently it's breaking new Ussuri deployments of Nova. :-/ | 15:50 |
cmurphy | it should be OR'd with the old rule so that should not be happening | 15:51 |
bnemec | Yeah, the deployment in question is also doing the naughty thing of replacing the policy file with defaults in its entirety. | 15:51 |
cmurphy | yeah that's just not gonna work | 15:51 |
bnemec | Do you already have a policy PTG session scheduled? Seems like we might need a cross-project sync on this. | 15:58 |
bnemec | I'm hearing crazy stuff like "YAML policies don't work" and "we need to support people who are generating entire policy files at deploy time." | 15:58 |
cmurphy | not yet, i'm leaving it to raildo and gmann to set that up | 15:59 |
bnemec | Ah, good. I was just talking to raildo in the oslo meeting. :-) | 15:59 |
raildo | yeah, trying my best to catch up on everything :) | 16:00 |
gmann | bnemec: +1, adding PTG discussion can be good. you are adding it on oslo etherpad? or should i do on nova ? | 16:02 |
cmurphy | "yaml policies don't work" yes they do "we want to generate the policy at deploy time" okay fine you can do that you just need to assign your admin user a role on the system scope | 16:03 |
*** raildo has quit IRC | 16:26 | |
*** vesper11 has quit IRC | 16:26 | |
*** hoonetorg has quit IRC | 16:26 | |
*** Blinkiz has quit IRC | 16:26 | |
*** stingrayza has quit IRC | 16:26 | |
*** bjoernt has quit IRC | 16:26 | |
*** irclogbot_3 has quit IRC | 16:28 | |
*** vesper11 has joined #openstack-keystone | 16:29 | |
*** irclogbot_0 has joined #openstack-keystone | 16:29 | |
bnemec | gmann: I scheduled Oslo for this time slot, so it will be right away on Monday. I think they wanted cross-project discussions early in the week so that might be good. | 16:30 |
bnemec | Although I imagine Nova is going to have a lot of time scheduled so either probably works. | 16:30 |
bnemec | cmurphy: Oh good, I'm not crazy then. | 16:30 |
bnemec | Well, at least not about this. ;-0 | 16:30 |
bnemec | Err, ;-) | 16:30 |
*** hoonetorg has joined #openstack-keystone | 16:31 | |
*** raildo has joined #openstack-keystone | 16:31 | |
gmann | bnemec: thanks. let me add the link on nova side and i can check with gibi for cross project. | 16:31 |
*** Blinkiz has joined #openstack-keystone | 16:32 | |
*** stingrayza has joined #openstack-keystone | 16:32 | |
*** bjoernt has joined #openstack-keystone | 16:32 | |
bnemec | I'll add it to the Oslo etherpad too and we can decide when/where to have the discussion closer to the time. | 16:33 |
*** evrardjp has quit IRC | 16:35 | |
*** ChanServ has quit IRC | 16:42 | |
*** ChanServ has joined #openstack-keystone | 16:45 | |
*** tepper.freenode.net sets mode: +o ChanServ | 16:45 | |
*** evrardjp has joined #openstack-keystone | 16:46 | |
*** bengates_ has quit IRC | 16:47 | |
*** spsurya_ has quit IRC | 16:55 | |
openstackgerrit | Vishakha Agarwal proposed openstack/keystone master: Update caching-layer.rst https://review.opendev.org/723624 | 17:16 |
*** Blinkiz has quit IRC | 17:26 | |
*** stingrayza has quit IRC | 17:26 | |
*** bjoernt has quit IRC | 17:26 | |
*** raildo has quit IRC | 17:26 | |
*** Blinkiz has joined #openstack-keystone | 17:29 | |
*** stingrayza has joined #openstack-keystone | 17:29 | |
*** bjoernt has joined #openstack-keystone | 17:29 | |
*** raildo has joined #openstack-keystone | 17:29 | |
*** vishalmanchanda has quit IRC | 17:34 | |
*** ChanServ has quit IRC | 17:39 | |
*** ChanServ has joined #openstack-keystone | 17:42 | |
*** tepper.freenode.net sets mode: +o ChanServ | 17:42 | |
*** manuvakery has quit IRC | 17:42 | |
openstackgerrit | Vishakha Agarwal proposed openstack/keystone master: Removes info about deleted function should_cache_fn https://review.opendev.org/723630 | 17:44 |
*** hoonetorg has quit IRC | 18:02 | |
*** dmellado has quit IRC | 18:17 | |
*** dmellado has joined #openstack-keystone | 18:24 | |
*** dmellado has quit IRC | 18:25 | |
*** gshippey has quit IRC | 18:32 | |
*** dmellado has joined #openstack-keystone | 18:33 | |
*** xek_ has joined #openstack-keystone | 18:46 | |
*** xek has quit IRC | 18:49 | |
*** vishakha has quit IRC | 19:49 | |
*** xek_ has quit IRC | 20:21 | |
*** rcernin has joined #openstack-keystone | 21:14 | |
*** raildo has quit IRC | 21:56 | |
*** dancn has quit IRC | 22:06 | |
*** dancn has joined #openstack-keystone | 22:10 | |
*** dancn has quit IRC | 22:15 | |
*** tkajinam has joined #openstack-keystone | 22:49 | |
*** tkajinam has quit IRC | 22:49 | |
*** tkajinam has joined #openstack-keystone | 22:50 | |
*** lbragstad has quit IRC | 22:56 |