*** dave-mccowan has joined #openstack-sdks | 00:54 | |
*** whoami-rajat has joined #openstack-sdks | 01:12 | |
*** openstackstatus has quit IRC | 02:22 | |
*** openstack has joined #openstack-sdks | 02:25 | |
*** ChanServ sets mode: +o openstack | 02:25 | |
*** Dinesh_Bhor has quit IRC | 02:49 | |
adriant | mordred: is there a way to initialise the SDK while specifying the identity url (or telling it to reuse the auth_url) so you can use it to query your own project list without having to scope? Because it fails if I don't give it a project ID when it tries to get identity url from the catalog. | 03:08 |
adriant | can I just do: | 03:09 |
adriant | connection.Connection(auth=dict(...with no project id), identity_url='https://auth.example.com') ? | 03:09 |
adriant | Not sure if that's ultimately a keystoneauth thing | 03:17 |
*** dave-mccowan has quit IRC | 03:40 | |
*** mordred has quit IRC | 04:14 | |
*** Shrews has quit IRC | 04:14 | |
*** mordred has joined #openstack-sdks | 04:21 | |
*** Shrews has joined #openstack-sdks | 04:21 | |
*** markvoelker has joined #openstack-sdks | 04:35 | |
*** mordred has quit IRC | 04:37 | |
*** Shrews has quit IRC | 04:37 | |
*** markvoelker has quit IRC | 04:40 | |
*** Shrews has joined #openstack-sdks | 04:44 | |
*** mordred has joined #openstack-sdks | 04:45 | |
*** markvoelker has joined #openstack-sdks | 05:06 | |
openstackgerrit | Ian Wienand proposed openstack/openstacksdk master: Replace openstack.org git:// URLs with https:// https://review.openstack.org/642652 | 05:44 |
*** slaweq_ has joined #openstack-sdks | 06:00 | |
*** lastmikoi has quit IRC | 06:03 | |
*** slaweq has quit IRC | 06:07 | |
*** lastmikoi has joined #openstack-sdks | 06:09 | |
*** e0ne has joined #openstack-sdks | 06:18 | |
*** masayukig[m] is now known as masayukig[m]1 | 06:35 | |
*** masayukig[m]1 is now known as masayukig[m]2 | 06:35 | |
*** Luzi has joined #openstack-sdks | 06:53 | |
*** gtema has joined #openstack-sdks | 08:02 | |
*** tssurya has joined #openstack-sdks | 08:08 | |
*** holser_ has joined #openstack-sdks | 08:10 | |
*** e0ne has quit IRC | 08:17 | |
*** e0ne has joined #openstack-sdks | 08:23 | |
*** ralonsoh has joined #openstack-sdks | 08:36 | |
*** e0ne has quit IRC | 08:39 | |
*** jpena|off is now known as jpena | 08:44 | |
*** ttsiouts has joined #openstack-sdks | 08:49 | |
*** dtantsur|afk is now known as dtantsur | 08:52 | |
*** jpich has joined #openstack-sdks | 09:01 | |
*** ttsiouts has quit IRC | 09:04 | |
*** ttsiouts has joined #openstack-sdks | 09:05 | |
*** tosky has joined #openstack-sdks | 09:44 | |
openstackgerrit | Kailun Qin proposed openstack/python-openstackclient master: Fix: set invalid None project_id on range creation https://review.openstack.org/642707 | 09:47 |
openstackgerrit | Kailun Qin proposed openstack/python-openstackclient master: Fix: incorrect check when no shared/private input https://review.openstack.org/642708 | 09:49 |
openstackgerrit | Kailun Qin proposed openstack/python-openstackclient master: Fix: incorrect check when no shared/private input https://review.openstack.org/642708 | 10:10 |
*** e0ne has joined #openstack-sdks | 10:16 | |
*** cdent has joined #openstack-sdks | 10:22 | |
openstackgerrit | Glenn Van de Water proposed openstack/python-openstackclient master: Fix service discovery in functional tests https://review.openstack.org/642074 | 10:36 |
*** dave-mccowan has joined #openstack-sdks | 11:23 | |
*** ttsiouts has quit IRC | 11:45 | |
*** ttsiouts has joined #openstack-sdks | 11:45 | |
openstackgerrit | Merged openstack/openstacksdk master: Replace openstack.org git:// URLs with https:// https://review.openstack.org/642652 | 11:48 |
openstackgerrit | Merged openstack/openstacksdk master: Deprecate VolumeDetail and BackupDetail classes https://review.openstack.org/642107 | 11:48 |
*** ttsiouts has quit IRC | 11:50 | |
*** jpena is now known as jpena|lunch | 11:56 | |
*** gtema has quit IRC | 12:08 | |
*** ttsiouts has joined #openstack-sdks | 12:09 | |
*** jpich has quit IRC | 12:14 | |
*** gtema has joined #openstack-sdks | 12:16 | |
*** jpich has joined #openstack-sdks | 12:16 | |
*** markvoelker has quit IRC | 12:18 | |
*** markvoelker has joined #openstack-sdks | 12:18 | |
openstackgerrit | Glenn Van de Water proposed openstack/python-openstackclient master: Fix service discovery in functional tests https://review.openstack.org/642074 | 12:20 |
*** e0ne has quit IRC | 12:36 | |
*** jpena|lunch is now known as jpena | 13:00 | |
mordred | adriant: hrm. that's a good question. I would assume we're just passing through to ksa - but we might be doing something wrong there | 13:04 |
*** gtema has quit IRC | 13:05 | |
mordred | adriant: that said - the unscoped keystone actions may need some thought - because we do try to run discovery when conn.identity gets created. let's see if we can't come up with a solution :) | 13:06 |
*** slaweq_ is now known as slaweq | 13:08 | |
*** dave-mccowan has quit IRC | 13:22 | |
*** irclogbot_2 has quit IRC | 13:26 | |
*** e0ne has joined #openstack-sdks | 13:28 | |
*** irclogbot_2 has joined #openstack-sdks | 13:29 | |
*** dave-mccowan has joined #openstack-sdks | 13:35 | |
*** gtema has joined #openstack-sdks | 13:43 | |
*** openstack has joined #openstack-sdks | 15:41 | |
*** ChanServ sets mode: +o openstack | 15:41 | |
*** e0ne has quit IRC | 15:45 | |
*** ttsiouts has joined #openstack-sdks | 15:48 | |
*** dulek has joined #openstack-sdks | 15:51 | |
openstackgerrit | Artem Goncharov proposed openstack/openstacksdk master: WIP Split OpenStackCloud into reasonable pieces https://review.openstack.org/642218 | 15:54 |
*** e0ne has joined #openstack-sdks | 15:58 | |
*** ttsiouts has quit IRC | 16:14 | |
*** ttsiouts has joined #openstack-sdks | 16:14 | |
openstackgerrit | Glenn Van de Water proposed openstack/python-openstackclient master: Fix service discovery in functional tests https://review.openstack.org/642074 | 16:30 |
*** holser_ has quit IRC | 16:31 | |
*** tssurya has quit IRC | 16:40 | |
*** e0ne has quit IRC | 16:55 | |
*** ttsiouts has quit IRC | 17:01 | |
*** ttsiouts has joined #openstack-sdks | 17:01 | |
*** ttsiouts has quit IRC | 17:06 | |
*** jpich has quit IRC | 17:26 | |
mordred | gtema: no - there will be no git:// protocol support from opendev - so if you wanna try it out, cloning over https:// is the way to go (it'll also be the only way to go in the future) | 17:30 |
*** gtema has quit IRC | 17:33 | |
*** dtantsur is now known as dtantsur|afk | 17:39 | |
*** e0ne has joined #openstack-sdks | 18:02 | |
*** e0ne has quit IRC | 18:06 | |
*** e0ne_ has joined #openstack-sdks | 18:21 | |
*** gmann is now known as gmann_afk | 18:26 | |
*** e0ne_ has quit IRC | 18:41 | |
*** jpena is now known as jpena|off | 18:44 | |
*** ttsiouts has joined #openstack-sdks | 19:29 | |
*** ralonsoh has quit IRC | 19:48 | |
*** cdent has quit IRC | 20:13 | |
*** e0ne has joined #openstack-sdks | 20:20 | |
*** dave-mccowan has quit IRC | 20:24 | |
*** gmann_afk is now known as gmann | 20:54 | |
adriant | mordred: for context, in cases where you are doing multi-project actions, or writing tools for them, you don't really need to know ahead of time what projects you have. So you can auth, get a list, and then create an SDK per project (per region), and do your actions. | 20:54 |
adriant | the solution I've helped someone go with is to use keystone auth to get a session, get the token from that, then use raw requests against the auth url (and correct user_projects path) to then get their project list, and then use that to further make their SDKs per project. | 20:56 |
adriant | It's not a terrible solution, but the need to actually go directly to the endpoint and handle the json yourself is lacking a bit of elegance | 20:56 |
adriant | although... I wonder | 20:57 |
adriant | kmalloc: can you list your projects via KeystoneAuth? | 20:57 |
* adriant goes to read the code | 20:57 | |
mordred | adriant: cause if I don't have a project id when I get the token, I don't get a catalog, right? thus the "re-use the auth_url as the identity_url" piece, yeah? | 20:58 |
adriant | yep | 20:58 |
adriant | you have an empty catalog | 20:59 |
adriant | so it needs to do discovery | 20:59 |
adriant | i want a way to bypass that step | 20:59 |
adriant | "use this custom catalog instead" potentially | 20:59 |
mordred | adriant: so - if you set identity_endpoint_override to the auth_url - it'll skip discovery | 20:59 |
adriant | ah! | 20:59 |
adriant | perfect | 20:59 |
adriant | so "<service_type>_endpoint_override" works? | 21:00 |
adriant | for all services? | 21:00 |
mordred | let me know if that works - if it does, I think it might be nice to figure out how to make conn.identity.list_projects - or at least conn.list_projects be able to do this without the user needing to know that specific piece of magic | 21:00 |
mordred | adriant: yes! | 21:00 |
adriant | cool | 21:00 |
adriant | and yeah, ideally having the unscoped actions able to natively reuse the auth_url for identity could be cool | 21:00 |
adriant | but that could also be a pain | 21:01 |
mordred | yeah. the biggest hurdle would be getting conn.identity to not fall over when it gets created | 21:01 |
mordred | which is why this one might be better up at the Connection layer so we can bypass that stuff | 21:01 |
adriant | identity_endpoint_override seems to work | 21:04 |
mordred | \o/ | 21:06 |
mordred | cool. then I think we should definitely update Connection.list_projects to do the right thing | 21:06 |
mordred | that said - I wonder if we can make the proxy creation smarter if service_type is identity - and to look at the auth stuff, look for project info, and if it's not there go ahead and set the endpoint_override ... | 21:07 |
* mordred goes digging | 21:07 | |
adriant | mordred: specifically the endpoint I'm actually after for this use case is conn.identity.user_projects() which is the non-admin one | 21:09 |
* adriant isn't sure what the same on in the cloud layer is | 21:09 | |
adriant | one* | 21:09 |
mordred | hrm. we might not have that one in the cloud layer ... but that's a really good point | 21:09 |
adriant | if one exists in the connection layer for listing a user's own projects then that would work too | 21:10 |
mordred | I think it's worth making conn.identity work without project info then | 21:10 |
mordred | it shouldn't be too hard - just need to inspect the auth args a smidge :) | 21:10 |
adriant | although it could end up a lot of work, might be worth investigating if other projects have any unscoped APIs :/ | 21:10 |
mordred | it's a good question | 21:11 |
mordred | kmalloc, cmurphy: ^^ ? do we know if non-keystone use unscoped apis? | 21:11 |
adriant | I have a feeling probably not many | 21:11 |
mordred | yeah - seems more like a thing that's needed for keystone and doesn't make a TON of sense elsewhere | 21:11 |
mordred | maybe the nova calls that deal with hosts and hypervisors? | 21:12 |
adriant | those would be system scope | 21:12 |
adriant | Yeah, i think there probably aren't many. | 21:13 |
cmurphy | mordred: adriant no, only keystone uses unscoped tokens, it's only useful for getting a scoped token | 21:13 |
adriant | although some of the Keystone APIs don't need scope: list (user) projects, change password, etc? | 21:14 |
cmurphy | you can list your own projects with an unscoped token, change password i'm not 100% sure though it would make sense | 21:15 |
cmurphy | oh change password doesn't require a token at all | 21:16 |
adriant | yeah, that's right, you just need your old password | 21:20 |
*** e0ne has quit IRC | 21:26 | |
kmalloc | mordred: what cmurphy said | 21:41 |
kmalloc | unscoped tokens should die IMO | 21:41 |
kmalloc | but we can't make them go away | 21:41 |
kmalloc | I *think* someone was originally trying to use unscoped tokens like we use systemscope going forward, but that might require asking folks that no longer work on OpenStack | 21:41 |
mordred | kmalloc: so - you and adriant have both mentioned this "system" scoped token | 21:52 |
mordred | how does one get one of those? are we missing anything to use those with sdk? | 21:52 |
adriant | kmalloc: I don't think unscoped tokens can go away really if you need to query which project you want to scope to first | 21:59 |
adriant | for things like Horizon (or any GUI) you won't ever provide a project as part of auth. So some auth flow that includes: "here are your projects" and then allows you to scope into one will always be needed | 22:01 |
adriant | we even have some cli tools that only ask for password and username, and then provide you with a list of project options to scope to | 22:01 |
kmalloc | mordred: system scope is new, as in as of Stein. It's done just like scope: {project_id: xxx} | 22:03 |
cmurphy | mordred: it's supported in ksa so it should be transparent to openstacksdk, instead of setting project-id in clouds.yaml you set system-scope | 22:03 |
kmalloc | mordred: ^ what cmurphy said, she's faster at typing than I am clearly | 22:03 |
mordred | neat! | 22:03 |
mordred | it's almost like building these things on top of each other is worth-while! | 22:03 |
kmalloc | right?! | 22:03 |
kmalloc | :) | 22:03 |
kmalloc | some APIs will become system, this is to solve the "Admin" problem | 22:04 |
kmalloc | meaning you won't need an "admin project" for things that are clearly not project/domain scoped | 22:04 |
mordred | \o/ | 22:04 |
adriant | I'm far too happy about that | 22:04 |
adriant | the whole admin-ness problem was such pain | 22:05 |
cmurphy | there is some documentation on system scope https://docs.openstack.org/keystone/latest/contributor/services.html#system-scope and lbragstad wrote some more documentation https://review.openstack.org/#/c/638563/9/doc/source/contributor/services.rst | 22:05 |
*** cdent has joined #openstack-sdks | 22:10 | |
*** whoami-rajat has quit IRC | 22:12 | |
mordred | cmurphy, kmalloc: so - in the scrollback I was talking about making sdk know how to make an adapter without the catalog being present if the service-type is identity and there is no project (or I guess system-scope) info in the auth dict ... does that sound like something we should push down into ksa instead? | 22:26 |
mordred | (the current sdk workaround for working with unscoped tokens is to set identity_endpoint_override=$auth_url which will cause the adapter to be made without trying to look up identity in the catalog) | 22:27 |
mordred | that SEEMS generic enough - but maybe it's only generic enough in sdk and in ksa it would be a tragedy | 22:28 |
*** tosky has quit IRC | 22:43 | |
*** ttsiouts has quit IRC | 22:45 | |
*** ttsiouts has joined #openstack-sdks | 22:46 | |
*** ttsiouts has quit IRC | 22:50 | |
kmalloc | that is generic enough | 22:52 |
kmalloc | but that sounds like a SDK thing | 22:53 |
kmalloc | less KSA | 22:53 |
kmalloc | i think... | 22:53 |
kmalloc | let me ponder a few more minutes | 22:53 |
mordred | kmalloc: yeah - I'm 99% sure I agree :) | 22:53 |
kmalloc | though i *think* KSA should work in that mode without jumping through hoops | 22:54 |
kmalloc | so a little of ksa fixing and SDK is smart enough to know how to do things | 22:54 |
kmalloc | unscoped tokens suck =/ | 22:54 |
*** cdent has quit IRC | 23:13 | |
mordred | kmalloc: ++ | 23:15 |
mordred | kmalloc: and yeah - I think it's possible that the only issue here is how sdk is creating ksa objects | 23:15 |
mordred | rather than a ksa deficiency itself - but if there is a deficiency, hopefully it's an easy enough one to fix | 23:16 |
*** slaweq has quit IRC | 23:24 | |
*** Qiming has quit IRC | 23:59 |