Tuesday, 2019-11-05

« Monday, 2019-11-04 Index Wednesday, 2019-11-06 »
openstackgerritEric Fried proposed openstack/python-openstackclient master: Add redirect testing  https://review.opendev.org/69292900:01
openstackgerritEric Fried proposed openstack/python-openstackclient master: Deflate .htaccess  https://review.opendev.org/69293000:01
openstackgerritEric Fried proposed openstack/python-openstackclient master: WIP: identity: autogenerate docs  https://review.opendev.org/69293100:01
*** jawad_axd has joined #openstack-sdks00:04
*** Qiming has quit IRC00:05
*** Qiming has joined #openstack-sdks00:05
*** jawad_axd has quit IRC00:08
openstackgerritMerged openstack/python-openstackclient master: neutron: autogenerate docs  https://review.opendev.org/69176700:41
*** jawad_axd has joined #openstack-sdks00:46
*** dave-mccowan has joined #openstack-sdks00:48
*** jawad_axd has quit IRC00:50
*** mriedem has joined #openstack-sdks00:51
*** jawad_axd has joined #openstack-sdks01:07
*** jawad_axd has quit IRC01:11
*** slaweq_ has joined #openstack-sdks01:35
*** slaweq__ has joined #openstack-sdks01:38
*** slaweq_ has quit IRC01:41
*** dave-mccowan has quit IRC01:43
*** jawad_axd has joined #openstack-sdks01:48
*** jawad_axd has quit IRC01:53
*** dave-mccowan has joined #openstack-sdks01:59
*** enriquetaso has joined #openstack-sdks02:05
*** dave-mccowan has quit IRC02:08
*** enriquetaso has quit IRC02:10
*** slaweq__ has quit IRC02:23
*** slaweq__ has joined #openstack-sdks02:42
*** slaweq has joined #openstack-sdks02:44
*** slaweq__ has quit IRC02:46
*** mriedem has quit IRC02:47
*** jawad_axd has joined #openstack-sdks02:50
*** ricolin has joined #openstack-sdks02:53
*** jawad_axd has quit IRC02:55
*** ricolin has quit IRC03:35
*** slaweq has quit IRC03:40
*** ricolin has joined #openstack-sdks03:41
*** ricolin has quit IRC03:57
*** ricolin has joined #openstack-sdks03:57
*** ricolin has quit IRC04:13
*** jdwidari has quit IRC05:10
*** ricolin has joined #openstack-sdks05:23
*** slaweq has joined #openstack-sdks05:24
*** slaweq_ has joined #openstack-sdks05:27
*** slaweq has quit IRC05:29
*** slaweq_ has quit IRC05:45
*** ricolin has quit IRC05:50
*** jawad_axd has joined #openstack-sdks07:15
*** slaweq_ has joined #openstack-sdks07:15
*** ricolin has joined #openstack-sdks07:17
*** slaweq__ has joined #openstack-sdks07:20
*** slaweq_ has quit IRC07:22
*** gtema has joined #openstack-sdks07:44
*** ricolin_ has joined #openstack-sdks07:45
*** ricolin has quit IRC07:47
openstackgerritBence Romsics proposed openstack/openstacksdk master: Add router add/remove route operations  https://review.opendev.org/67432407:53
openstackgerritBence Romsics proposed openstack/openstacksdk master: Handle HTTP errors in add/remove router interface calls  https://review.opendev.org/68730407:53
*** ricolin_ has quit IRC08:04
*** ricolin_ has joined #openstack-sdks08:04
*** slaweq has joined #openstack-sdks08:19
*** slaweq__ has quit IRC08:19
*** tosky has joined #openstack-sdks08:30
*** ricolin_ has quit IRC08:37
*** gtema has quit IRC08:40
*** gtema has joined #openstack-sdks08:40
*** jpena|off is now known as jpena08:42
*** gtema has quit IRC08:45
*** gtema has joined #openstack-sdks08:45
*** ralonsoh has joined #openstack-sdks08:52
openstackgerritThomas Bechtold proposed openstack/openstacksdk master: update OVH vendor entry  https://review.opendev.org/69296108:53
*** slaweq has quit IRC09:04
*** jpich has joined #openstack-sdks09:06
*** cdent has joined #openstack-sdks09:12
*** tosky has quit IRC09:13
*** cdent has quit IRC09:18
*** tosky has joined #openstack-sdks09:36
*** cdent has joined #openstack-sdks09:36
*** dtantsur|afk is now known as dtantsur10:26
*** cdent has quit IRC10:46
*** cdent has joined #openstack-sdks11:12
*** gtema has quit IRC11:49
*** gtema has joined #openstack-sdks11:51
*** jdwidari has joined #openstack-sdks12:09
*** jdwidari has quit IRC12:12
*** gtema has quit IRC12:26
*** gtema has joined #openstack-sdks12:28
*** mnasiadka has joined #openstack-sdks12:29
*** jpena is now known as jpena|lunch12:32
*** tosky_ has joined #openstack-sdks12:42
*** gtema has quit IRC12:44
*** tosky has quit IRC12:45
*** tosky_ is now known as tosky12:59
*** cdent has quit IRC13:07
openstackgerritEric Fried proposed openstack/python-openstackclient master: Update a stale doc reference to use :neutron-doc:  https://review.opendev.org/69260513:09
openstackgerritEric Fried proposed openstack/python-openstackclient master: common: autogenerate docs  https://review.opendev.org/69198913:09
openstackgerritEric Fried proposed openstack/python-openstackclient master: openstack.cli: autogenerate docs  https://review.opendev.org/69291413:09
openstackgerritEric Fried proposed openstack/python-openstackclient master: compute: autogenerate docs  https://review.opendev.org/69291613:09
openstackgerritEric Fried proposed openstack/python-openstackclient master: Add redirect testing  https://review.opendev.org/69292913:09
openstackgerritEric Fried proposed openstack/python-openstackclient master: Deflate .htaccess  https://review.opendev.org/69293013:09
openstackgerritEric Fried proposed openstack/python-openstackclient master: WIP: identity: autogenerate docs  https://review.opendev.org/69293113:09
efrieddtroyer: trivial rebase to resolve merge conflict ^13:09
efriedcouple of those already had your +A13:09
*** jangutter has joined #openstack-sdks13:10
*** gtema has joined #openstack-sdks13:10
*** jdwidari has joined #openstack-sdks13:17
*** gtema has quit IRC13:34
*** gtema has joined #openstack-sdks13:39
dtroyerefried: thanks, will have a look after the next call (or during depending on how it goes :)13:48
efriedno hurry13:49
*** gtema has quit IRC13:53
*** mriedem has joined #openstack-sdks13:58
*** gtema has joined #openstack-sdks14:00
*** cdent has joined #openstack-sdks14:10
*** goldyfruit_ has joined #openstack-sdks14:19
mnasiadkaHi there14:23
mnasiadkaAny idea how to request a system scoped token in Ansible os_* modules that are using openstacksdk?14:24
*** slaweq has joined #openstack-sdks14:26
efriedmnasiadka: There are many words in there that I don't know. The people most likely to be able to answer your question are probably all at the summit/PTG in Shanghai at the moment, so you may want to ask your question on the mailing list, or wait until next week.14:30
openstackgerritEric Fried proposed openstack/python-openstackclient master: identity: autogenerate docs  https://review.opendev.org/69293114:31
*** slaweq_ has joined #openstack-sdks14:31
*** slaweq has quit IRC14:32
mnasiadkaefried: It was my plan to wait until next week, but I decided it won't hurt to ask now, and in a week ;-)14:32
efriedgood plan :)14:32
*** jangutter has quit IRC14:33
gtemathe only opportunity to influence the token scope is not to specify project_name, but both domain_name and user_domain_name14:33
gtemathis will give you domain scoped token14:34
*** goldyfruit___ has joined #openstack-sdks14:34
gtemaif you do not specify domain_name, but project_name - you get project scoped token14:34
*** goldyfruit_ has quit IRC14:36
mnasiadkagtema: we have a bug opened in Kolla (https://bugs.launchpad.net/kolla-ansible/+bug/1850656), we're trying to find the proper approach.14:37
openstackLaunchpad bug 1850656 in kolla-ansible train "Deploy will fail if keystone.conf has '[oslo_policy]/enforce_scope=true'" [Medium,In progress] - Assigned to Radosław Piliszek (yoctozepto)14:37
mnasiadkagtema: seems for identity:create_endpoint we need system scoped token...14:38
gtemaand this with Ansible (facepalm). efried, do you know how to get system scoped token from Keystone?14:39
gtemaI was previously always referring to https://docs.openstack.org/keystone/pike/api_curl_examples.html for samples14:39
efriedgtema: I don't even know what a system scoped token is.14:39
gtemait's kinda neither of both, but is even more powerful14:40
gtemahttps://docs.openstack.org/keystone/stein/admin/tokens-overview.html#system-scoped-tokens14:40
gtemaI hoped you know a bit more than I about Keystone ;-)14:41
efriedhttps://docs.openstack.org/keystone/stein/admin/tokens-overview.html#operation_create_system_token ?14:41
efriedgtema: I know things about ksa, but very little about keystone itself :(14:41
gtemaok, with this link it might be possible to trace down which request is being sent14:42
efriedIt looks like ``--os-system-scope all`` might be the secret sauce you're looking for?14:42
gtemayeah14:42
mnasiadkatried using system-scope: all in the auth dict that os_* Ansible modules consume, but didn't really help :)14:43
gtemamnasiadka, no, forget it. For the moment I doubt it will work14:44
mnasiadkaWell, I found that bit in the python-openstackclient, but not really in openstacksdk - so I thought it will not work :)14:44
gtemaoh, can you try following: in your clouds.yaml or kind of do not specify project_name, domain_name, but 'system: all'14:45
efriedaccording to a release note...14:45
gtemanot system-scope, but really system: all14:45
efriedefried@efried-ThinkPad-W520:~/openstack/python-openstackclient$ cat releasenotes/notes/implement-system-scope-4c3c47996f98deac.yaml14:45
efried---14:45
efriedfeatures:14:45
efried  - |14:45
efried    Add support for system-scope to ``role`` commands. This includes the ability to14:45
efried    generate system-scoped tokens using ``system_scope: all`` in ``cloud.yaml``14:45
efried    or ``OS_SYSTEM_SCOPE=all`` in an environment variable. Support is also14:45
efried    included for managing role assignments on the system using ``--system``14:45
efried    when adding and removing roles.14:45
efried    [`bp system-scope <https://blueprints.launchpad.net/keystone/+spec/system-scope>`_]14:45
efriedso, try that clouds.yaml or env var thing?14:46
mnasiadkaok, so system: all - let's try :)14:46
efriedthe env var ought to map to that --os-system-scope CLI opt as well.14:46
efriedlooks like ``system_scope: all``14:46
gtemahttps://github.com/openstack/python-openstackclient/blob/master/openstackclient/identity/v3/token.py#L20014:47
gtemaaccording to that it is system: all14:47
gtemabut a nice hint - might be changed in future14:47
mnasiadkawithout deprecation? :)14:48
gtemaThis could change in the future when, or if,14:49
gtema            # keystone supports the ability to scope to a subset of the entire14:49
gtema            # deployment system.14:49
mnasiadkaok, makes sense14:49
efriedgtema: it looks like the `system` key is for the API, not the CLI.14:50
gtemayeah, I was searching what KSA will look for14:51
gtemahttps://review.opendev.org/#/c/525687/21/keystone/tests/common/auth.py14:52
gtemamight be still API14:52
efriedhttps://docs.openstack.org/api-ref/identity/v3/index.html?expanded=token-authentication-with-scoped-authorization-detail#authentication-and-token-management14:52
gtemaalso looking to same place - and yes: system is a key for API14:53
efriedmnasiadka: you said SDK, are you trying to write the SDK side of this, or are you working with a CLI?14:53
gtemanow need to reverse it to what should be in clouds.yaml14:53
gtemasdk is used by ansible modules14:53
mnasiadkaefried: I'm just using ansible in Kolla-Ansible (OpenStack deployer), and ansible is using openstacksdk for all openstack modules14:54
gtemaso whatever ansible does go to SDK and it uses KSA14:54
efriedI'm having trouble finding where sdk supports /tokens APIs at all...14:56
gtemait is done by KSA14:57
efriedI suppose you could always just grab a raw identity proxy and POST /tokens manually.14:57
*** slaweq_ is now known as slaweq14:59
*** jawad_axd has quit IRC15:00
openstackgerritEric Fried proposed openstack/python-openstackclient master: identity: autogenerate docs  https://review.opendev.org/69293115:01
openstackgerritEric Fried proposed openstack/python-openstackclient master: image: autogenerate docs  https://review.opendev.org/69302515:01
mnasiadkaefried: that's the last option on the table15:03
*** jawad_axd has joined #openstack-sdks15:04
*** slaweq_ has joined #openstack-sdks15:07
*** slaweq has quit IRC15:08
*** jawad_axd has quit IRC15:09
*** slaweq__ has joined #openstack-sdks15:11
*** slaweq_ has quit IRC15:12
gtemaso, it seems to me now, that in clouds.yaml it should really be system_scope under auth section15:15
gtemacan be even a boolean, important that neither of project_xxx nor domain_xxx are present15:16
*** jawad_axd has joined #openstack-sdks15:18
gtemaso when I have 'system_scope: true' in my clouds.yaml the KSA get's really system_scope.15:18
gtemaProblem is that in my case I get empty catalog from keystone back and KSA/SDK doesn't know what to do with it15:19
*** slaweq__ has quit IRC15:19
gtemamnasiadka: you should try it first without ansible at all, whether you can really login with system scope. This requires also a heavy admin user privileges, from what I understand15:24
*** slaweq__ has joined #openstack-sdks15:47
*** slaweq__ has quit IRC15:52
*** jawad_axd has quit IRC16:02
yoctozeptogtema: this is admin user, with role admin on system all16:04
openstackgerritArtem Goncharov proposed openstack/python-openstackclient master: Switch image to use SDK  https://review.opendev.org/65037416:04
yoctozeptowe just could not get the ansible module to work in the new environ16:05
gtemaI know, I mean I can't verify whether this works at all, since I do not have access currently to admin user16:05
gtemaif you could prepare clouds.yaml config with your admin user and system_scope: true, and then try execute http://paste.openstack.org/show/785811/16:07
*** jpena|lunch is now known as jpena16:11
*** jawad_axd has joined #openstack-sdks16:14
*** jawad_axd has quit IRC16:19
yoctozeptogtema: I see, I'll try to set it up later, thanks16:23
*** gtema has quit IRC16:35
*** jawad_axd has joined #openstack-sdks16:35
*** jawad_axd has quit IRC16:39
*** jpena is now known as jpena|brb16:45
*** jpena|brb is now known as jpena17:27
*** jpich has quit IRC17:49
*** also_stingrayza has joined #openstack-sdks17:52
*** stingrayza has quit IRC17:53
*** goldyfruit___ has quit IRC17:53
*** cdent has quit IRC17:57
*** goldyfruit___ has joined #openstack-sdks17:58
*** also_stingrayza has quit IRC18:35
*** stingrayza has joined #openstack-sdks18:36
*** jpena is now known as jpena|off18:45
*** goldyfruit_ has joined #openstack-sdks18:46
*** goldyfruit___ has quit IRC18:49
*** ralonsoh has quit IRC18:54
*** goldyfruit_ has quit IRC19:14
openstackgerritEric Fried proposed openstack/python-openstackclient master: Refactor AggregateTests  https://review.opendev.org/69307319:37
*** mriedem is now known as mriedem_afk19:38
*** jawad_axd has joined #openstack-sdks20:13
*** tosky has quit IRC20:16
*** mriedem_afk is now known as mriedem20:18
*** goldyfruit_ has joined #openstack-sdks20:33
openstackgerritEric Fried proposed openstack/python-openstackclient master: Refactor AggregateTests  https://review.opendev.org/69307321:32
*** jawad_axd has quit IRC22:12
*** mriedem has quit IRC22:58
*** yoctozepto has quit IRC23:04
*** yoctozepto has joined #openstack-sdks23:04
openstackgerritMerged openstack/python-openstackclient master: Update a stale doc reference to use :neutron-doc:  https://review.opendev.org/69260523:07
*** tobiash has quit IRC23:11
*** tobiash has joined #openstack-sdks23:12
« Monday, 2019-11-04 Index Wednesday, 2019-11-06 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!