Tuesday, 2019-03-12

*** dave-mccowan has joined #openstack-sdks00:54
*** whoami-rajat has joined #openstack-sdks01:12
*** openstackstatus has quit IRC02:22
*** openstack has joined #openstack-sdks02:25
*** ChanServ sets mode: +o openstack02:25
*** Dinesh_Bhor has quit IRC02:49
adriantmordred: is there a way to initialise the SDK while specifying the identity url (or telling it to reuse the auth_url) so you can use it to query your own project list without having to scope? Because it fails if I don't give it a project ID when it tries to get identity url from the catalog.03:08
adriantcan I just do:03:09
adriantconnection.Connection(auth=dict(...with no project id), identity_url='https://auth.example.com') ?03:09
adriantNot sure if that's ultimately a keystoneauth thing03:17
*** dave-mccowan has quit IRC03:40
*** mordred has quit IRC04:14
*** Shrews has quit IRC04:14
*** mordred has joined #openstack-sdks04:21
*** Shrews has joined #openstack-sdks04:21
*** markvoelker has joined #openstack-sdks04:35
*** mordred has quit IRC04:37
*** Shrews has quit IRC04:37
*** markvoelker has quit IRC04:40
*** Shrews has joined #openstack-sdks04:44
*** mordred has joined #openstack-sdks04:45
*** markvoelker has joined #openstack-sdks05:06
openstackgerritIan Wienand proposed openstack/openstacksdk master: Replace openstack.org git:// URLs with https://  https://review.openstack.org/64265205:44
*** slaweq_ has joined #openstack-sdks06:00
*** lastmikoi has quit IRC06:03
*** slaweq has quit IRC06:07
*** lastmikoi has joined #openstack-sdks06:09
*** e0ne has joined #openstack-sdks06:18
*** masayukig[m] is now known as masayukig[m]106:35
*** masayukig[m]1 is now known as masayukig[m]206:35
*** Luzi has joined #openstack-sdks06:53
*** gtema has joined #openstack-sdks08:02
*** tssurya has joined #openstack-sdks08:08
*** holser_ has joined #openstack-sdks08:10
*** e0ne has quit IRC08:17
*** e0ne has joined #openstack-sdks08:23
*** ralonsoh has joined #openstack-sdks08:36
*** e0ne has quit IRC08:39
*** jpena|off is now known as jpena08:44
*** ttsiouts has joined #openstack-sdks08:49
*** dtantsur|afk is now known as dtantsur08:52
*** jpich has joined #openstack-sdks09:01
*** ttsiouts has quit IRC09:04
*** ttsiouts has joined #openstack-sdks09:05
*** tosky has joined #openstack-sdks09:44
openstackgerritKailun Qin proposed openstack/python-openstackclient master: Fix: set invalid None project_id on range creation  https://review.openstack.org/64270709:47
openstackgerritKailun Qin proposed openstack/python-openstackclient master: Fix: incorrect check when no shared/private input  https://review.openstack.org/64270809:49
openstackgerritKailun Qin proposed openstack/python-openstackclient master: Fix: incorrect check when no shared/private input  https://review.openstack.org/64270810:10
*** e0ne has joined #openstack-sdks10:16
*** cdent has joined #openstack-sdks10:22
openstackgerritGlenn Van de Water proposed openstack/python-openstackclient master: Fix service discovery in functional tests  https://review.openstack.org/64207410:36
*** dave-mccowan has joined #openstack-sdks11:23
*** ttsiouts has quit IRC11:45
*** ttsiouts has joined #openstack-sdks11:45
openstackgerritMerged openstack/openstacksdk master: Replace openstack.org git:// URLs with https://  https://review.openstack.org/64265211:48
openstackgerritMerged openstack/openstacksdk master: Deprecate VolumeDetail and BackupDetail classes  https://review.openstack.org/64210711:48
*** ttsiouts has quit IRC11:50
*** jpena is now known as jpena|lunch11:56
*** gtema has quit IRC12:08
*** ttsiouts has joined #openstack-sdks12:09
*** jpich has quit IRC12:14
*** gtema has joined #openstack-sdks12:16
*** jpich has joined #openstack-sdks12:16
*** markvoelker has quit IRC12:18
*** markvoelker has joined #openstack-sdks12:18
openstackgerritGlenn Van de Water proposed openstack/python-openstackclient master: Fix service discovery in functional tests  https://review.openstack.org/64207412:20
*** e0ne has quit IRC12:36
*** jpena|lunch is now known as jpena13:00
mordredadriant: hrm. that's a good question. I would assume we're just passing through to ksa - but we might be doing something wrong there13:04
*** gtema has quit IRC13:05
mordredadriant: that said - the unscoped keystone actions may need some thought - because we do try to run discovery when conn.identity gets created. let's see if we can't come up with a solution :)13:06
*** slaweq_ is now known as slaweq13:08
*** dave-mccowan has quit IRC13:22
*** irclogbot_2 has quit IRC13:26
*** e0ne has joined #openstack-sdks13:28
*** irclogbot_2 has joined #openstack-sdks13:29
*** dave-mccowan has joined #openstack-sdks13:35
*** gtema has joined #openstack-sdks13:43
*** openstack has joined #openstack-sdks15:41
*** ChanServ sets mode: +o openstack15:41
*** e0ne has quit IRC15:45
*** ttsiouts has joined #openstack-sdks15:48
*** dulek has joined #openstack-sdks15:51
openstackgerritArtem Goncharov proposed openstack/openstacksdk master: WIP Split OpenStackCloud into reasonable pieces  https://review.openstack.org/64221815:54
*** e0ne has joined #openstack-sdks15:58
*** ttsiouts has quit IRC16:14
*** ttsiouts has joined #openstack-sdks16:14
openstackgerritGlenn Van de Water proposed openstack/python-openstackclient master: Fix service discovery in functional tests  https://review.openstack.org/64207416:30
*** holser_ has quit IRC16:31
*** tssurya has quit IRC16:40
*** e0ne has quit IRC16:55
*** ttsiouts has quit IRC17:01
*** ttsiouts has joined #openstack-sdks17:01
*** ttsiouts has quit IRC17:06
*** jpich has quit IRC17:26
mordredgtema: no - there will be no git:// protocol support from opendev - so if you wanna try it out, cloning over https:// is the way to go (it'll also be the only way to go in the future)17:30
*** gtema has quit IRC17:33
*** dtantsur is now known as dtantsur|afk17:39
*** e0ne has joined #openstack-sdks18:02
*** e0ne has quit IRC18:06
*** e0ne_ has joined #openstack-sdks18:21
*** gmann is now known as gmann_afk18:26
*** e0ne_ has quit IRC18:41
*** jpena is now known as jpena|off18:44
*** ttsiouts has joined #openstack-sdks19:29
*** ralonsoh has quit IRC19:48
*** cdent has quit IRC20:13
*** e0ne has joined #openstack-sdks20:20
*** dave-mccowan has quit IRC20:24
*** gmann_afk is now known as gmann20:54
adriantmordred: for context, in cases where you are doing multi-project actions, or writing tools for them, you don't really need to know ahead of time what projects you have. So you can auth, get a list, and then create an SDK per project (per region), and do your actions.20:54
adriantthe solution I've helped someone go with is to use keystone auth to get a session, get the token from that, then use raw requests against the auth url (and correct user_projects path) to then get their project list, and then use that to further make their SDKs per project.20:56
adriantIt's not a terrible solution, but the need to actually go directly to the endpoint and handle the json yourself is lacking a bit of elegance20:56
adriantalthough... I wonder20:57
adriantkmalloc: can you list your projects via KeystoneAuth?20:57
* adriant goes to read the code20:57
mordredadriant: cause if I don't have a project id when I get the token, I don't get a catalog, right? thus the "re-use the auth_url as the identity_url" piece, yeah?20:58
adriantyep20:58
adriantyou have an empty catalog20:59
adriantso it need to do discovery20:59
adrianti want a way to bypass that step20:59
adriant"use this custom catalog instead" potentially20:59
mordredadriant: so - if you set identity_endpoint_override to the auth_url - it'll skip discovery20:59
adriantah!20:59
adriantperfect20:59
adriantso "<service_type>_endpoint_override" works?21:00
adriantfor all services?21:00
mordredlet me know if that works - if it does, I think it might be nice to figure out how to make conn.identity.list_projects - or at least conn.list_projects be able to do this without the user needing to know that specific piece of magic21:00
mordredadriant: yes!21:00
adriantcool21:00
adriantand yeah, ideally having the unscoped actions able to natively reuse the auth_url for identity could be cool21:00
adriantbut that could also be a pain21:01
mordredyeah. the biggest hurdle would be getting conn.identity to not fall over when it gets created21:01
mordredwhich is why this one might be better up at the Connection layer so we can bypass that stuff21:01
adriantidentity_endpoint_override seems to work21:04
mordred\o/21:06
mordredcool. then I think we should definitely update Connection.list_projects to do the right thing21:06
mordredthat said - I wonder if we can make the proxy creation smarter if service_type is identity - and to look at the auth stuff, look for project info, and if it's not there go ahead and set the endpoint_override ...21:07
* mordred goes digging21:07
adriantmordred: specifically the endpoint I'm actually after for this use case is conn.identity.user_projects() which is the non-admin one21:09
* adriant isn't sure what the same on in the cloud layer is21:09
adriantone*21:09
mordredhrm. we might not have that one in the cloud layer ... but that's a really good point21:09
adriantif one exists in the connection layer for listing a user's own projects then that would work too21:10
mordredI think it's worth making conn.identity work without project info then21:10
mordredit shouldn't be too hard - just need to inspect the auth args a smidge :)21:10
adriantalthough it could end up a lot of work, might be worth investigating if other projects have any unscope APIs :/21:10
mordredit's a good question21:11
mordredkmalloc, cmurphy: ^^ ? do we know if non-keystone use unscoped apis?21:11
adriantI have a feeling probably not many21:11
mordredyeah - seems more like a thing that's needed for keystone and doesn't make a TON of sense elsewhere21:11
mordredmaybe the nova calls that deal with hosts and hypervisors?21:12
adriantthose would be system scope21:12
adriantYeah, i think there probably aren't many.21:13
cmurphymordred: adriant no, only keystone uses unscoped tokens, it's only useful for getting a scoped token21:13
adriantalthough some of the Keystone APIs don't need scope: list (user) projects, change password, etc?21:14
cmurphyyou can list your own projects with an unscoped token, change password i'm not 100% sure though it would make sense21:15
cmurphyoh change password doesn't require a token at all21:16
adriantyeah, that's right, you just need your old password21:20
*** e0ne has quit IRC21:26
kmallocmordred: what cmurphy said21:41
kmallocunscoped tokens should die IMO21:41
kmallocbut we can't make them go away21:41
kmallocI *think* someone was originally trying to use unscoped tokens like we use systemscope going forward, but that might require asking folks that no longer work on OpenStack21:41
mordredkmalloc: so - you and adriant have both mentioned this "system" scoped token21:52
mordredhow does one get one of those? are we missing anything to use those with sdk?21:52
adriantkmalloc: I don't think unscoped tokens can go away really if you need to query which project you want to scope to first21:59
adriantfor things like Horizon (or any GUI) you won't ever provide a project as part of auth. So some auth flow that includes: "here are your projects" and then allows you to scope into one will always be needed22:01
adriantwe even have some cli tools that only ask for password and username, and then provide you with a list of project options to scope to22:01
kmallocmordred: system scope is new, as in as of Stein. It's done just like scope: {project_id: xxx}22:03
cmurphymordred: it's supported in ksa so it should be transparent to openstacksdk, instead of setting project-id in clouds.yaml you set system-scope22:03
kmallocmordred: ^ what cmurphy said, she's faster at typing than I am clearly22:03
mordredneat!22:03
mordredit's almost like building these things on top of each other is worth-while!22:03
kmallocright?!22:03
kmalloc:)22:03
kmallocsome APIs will become system, this is to solve the "Admin" problem22:04
kmallocmeaning you wont need an "admin project" for things that are clearly not project/domain scoped22:04
mordred\o/22:04
adriantI'm far too happy about that22:04
adriantthe whole admin-ness problem was such pain22:05
cmurphythere is some documentation on system scope https://docs.openstack.org/keystone/latest/contributor/services.html#system-scope and lbragstad wrote some more documentation https://review.openstack.org/#/c/638563/9/doc/source/contributor/services.rst22:05
*** cdent has joined #openstack-sdks22:10
*** whoami-rajat has quit IRC22:12
mordredcmurphy, kmalloc: so - in the scrollback I was talking about making sdk know how to make an adapter without the catalog being present if the service-type is identity and there is no project (or I guess system-scope) info in the auth dict ... does that sound like a something we should push down into ksa instead?22:26
mordred(the current sdk workaround for working with unscoped tokens is to set identity_endpoint_override=$auth_url which will cause the adapter to be made without trying to look up identity in the catalog)22:27
mordredthat SEEMS generic enough - but maybe it's only generic enough in sdk and in ksa it would be a tragedy22:28
*** tosky has quit IRC22:43
*** ttsiouts has quit IRC22:45
*** ttsiouts has joined #openstack-sdks22:46
*** ttsiouts has quit IRC22:50
kmallocthat is generic enough22:52
kmallocbut that sounds like a SDK thing22:53
kmallocless KSA22:53
kmalloci think...22:53
kmalloclet me poinder a few more minutes22:53
mordredkmalloc: yeah - I'm 99% sure I agree :)22:53
kmallocthough i *think* KSA should work in that mode without jumping through hoops22:54
kmallocso a little of ksa fixing and SDK is smart enough to know how to do things22:54
kmallocunscoped tokens suck =/22:54
*** cdent has quit IRC23:13
mordredkmalloc: ++23:15
mordredkmalloc: and yeah - I think it's possible that the only issue here is how sdk is creating ksa objects23:15
mordredrather than a ksa deficiency itself - but if there is a deficiency, hopefully it's an easy enough one to fix23:16
*** slaweq has quit IRC23:24
*** Qiming has quit IRC23:59

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!