*** aginwala has quit IRC | 00:01 | |
*** jbell8 has quit IRC | 00:03 | |
*** markvoelker has quit IRC | 00:05 | |
*** aginwala has joined #openstack-keystone | 00:06 | |
*** EinstCrazy has quit IRC | 00:07 | |
*** chlong has quit IRC | 00:09 | |
*** EinstCrazy has joined #openstack-keystone | 00:10 | |
notmorgan | . | 00:10 |
notmorgan | ooh looks like gerribot is out to lunch | 00:10 |
notmorgan | stevemar, bknudson, dstanek, ayoung: https://review.openstack.org/#/c/255599/ | 00:11 |
openstackgerrit | Morgan Fainberg proposed openstack/keystone: Add `keystone-manage bootstrap` command https://review.openstack.org/255599 | 00:11 |
notmorgan | or it's just sllooooowwww | 00:11 |
*** gokrokve has joined #openstack-keystone | 00:13 | |
*** EinstCrazy has quit IRC | 00:15 | |
openstackgerrit | Henrique Truta proposed openstack/keystone: Add backend support for deleting a projects list https://review.openstack.org/245916 | 00:16 |
RichardRaseley | Can someone help me better understand the difference between the token persistence backend driver and the cache backend module? | 00:21 |
*** tonytan4ever has quit IRC | 00:21 | |
*** RichardRaseley has quit IRC | 00:25 | |
*** jbell8 has joined #openstack-keystone | 00:28 | |
*** atiwari2 has joined #openstack-keystone | 00:29 | |
*** atiwari1 has quit IRC | 00:31 | |
*** gokrokve_ has joined #openstack-keystone | 00:39 | |
*** arunkant_ has quit IRC | 00:39 | |
*** gildub has quit IRC | 00:40 | |
openstackgerrit | Merged openstack/keystone: Remove invalid TODO related to bug 1265071 https://review.openstack.org/253636 | 00:40 |
openstack | bug 1265071 in OpenStack Identity (keystone) "extra column is required for new models, otherwise unit tests fail" [Low,Fix released] https://launchpad.net/bugs/1265071 - Assigned to David Stanek (dstanek) | 00:40 |
openstackgerrit | Merged openstack/keystone: Remove exposure of routers at package level https://review.openstack.org/253119 | 00:40 |
openstackgerrit | Merged openstack/keystone: Refactor: Use Federation constants where possible https://review.openstack.org/252949 | 00:40 |
openstackgerrit | Merged openstack/keystone: Create new version of assignment driver interface https://review.openstack.org/242853 | 00:41 |
*** gokrokve has quit IRC | 00:41 | |
notmorgan | jamielennox|away: i think this is correct https://review.openstack.org/#/c/254399/ it seems to be | 00:41 |
notmorgan | jamielennox|away: but want a 2x check from you | 00:42 |
*** sigmavirus24_awa is now known as sigmavirus24 | 00:48 | |
openstackgerrit | Merged openstack/keystone: Create V9 Role Driver https://review.openstack.org/247805 | 00:50 |
*** notmyname has left #openstack-keystone | 00:51 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/254633 | 00:51 |
openstackgerrit | Merged openstack/keystone: Use new_policy_ref consistently https://review.openstack.org/247257 | 00:52 |
openstackgerrit | Merged openstack/keystone: Remove unfixable FIXME https://review.openstack.org/255419 | 00:52 |
*** EinstCrazy has joined #openstack-keystone | 00:52 | |
openstackgerrit | Merged openstack/keystone: Ensure endpoints returned is filtered correctly https://review.openstack.org/250032 | 00:52 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/254633 | 00:53 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/254633 | 00:54 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/254633 | 00:56 |
*** aginwala has quit IRC | 00:56 | |
*** jbell8 has quit IRC | 00:57 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/254633 | 00:57 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/254633 | 01:00 |
*** EinstCra_ has joined #openstack-keystone | 01:01 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/254633 | 01:01 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/254633 | 01:03 |
*** EinstCrazy has quit IRC | 01:04 | |
notmorgan | wow... lots of config updates | 01:05 |
notmorgan | wonder if something is weird w/ the bot | 01:05 |
*** chlong has joined #openstack-keystone | 01:05 | |
*** markvoelker has joined #openstack-keystone | 01:05 | |
*** aginwala has joined #openstack-keystone | 01:06 | |
openstackgerrit | Morgan Fainberg proposed openstack/keystone: Add `keystone-manage bootstrap` command https://review.openstack.org/255599 | 01:09 |
*** john5223 is now known as zz_john5223 | 01:10 | |
*** markvoelker has quit IRC | 01:11 | |
*** terryyao has joined #openstack-keystone | 01:12 | |
*** sigmavirus24 is now known as sigmavirus24_awa | 01:16 | |
*** chlong has quit IRC | 01:23 | |
*** browne has quit IRC | 01:23 | |
*** atiwari1 has joined #openstack-keystone | 01:27 | |
*** atiwari2 has quit IRC | 01:29 | |
*** tonytan4ever has joined #openstack-keystone | 01:33 | |
*** atiwari2 has joined #openstack-keystone | 01:38 | |
*** chenke__ has quit IRC | 01:40 | |
*** atiwari1 has quit IRC | 01:40 | |
*** chenke__ has joined #openstack-keystone | 01:41 | |
*** steveng has quit IRC | 01:42 | |
*** terryyao has quit IRC | 01:43 | |
openstackgerrit | Merged openstack/keystone: Use assertDictEqual instead of assertEqualPolicies https://review.openstack.org/251482 | 01:43 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/254633 | 01:44 |
*** lhcheng has joined #openstack-keystone | 01:44 | |
*** ChanServ sets mode: +v lhcheng | 01:44 | |
*** wangqun has joined #openstack-keystone | 01:45 | |
*** _cjones_ has quit IRC | 01:47 | |
*** terryyao has joined #openstack-keystone | 01:47 | |
*** richm has joined #openstack-keystone | 01:48 | |
*** jamielennox|away is now known as jamielennox | 01:48 | |
*** aginwala has quit IRC | 01:48 | |
*** lhcheng has quit IRC | 01:49 | |
ayoung | notmorgan, guessing that they were all rebases done singly | 01:51 |
notmorgan | no idea | 01:51 |
jamielennox | notmorgan: i'm not sure i understand what that patch is trying to do | 01:52 |
jamielennox | you're skipping auth validation when there's no plugin | 01:52 |
jamielennox | fine | 01:52 |
notmorgan | jamielennox: basically yes | 01:53 |
notmorgan | it's the "hey we aren't actually doing anything magic with session cause we don't have a plugin for this" | 01:53 |
jamielennox | but it's not really backwards compatible and it'll be a bit of an unusual result for people who have misconfigured things | 01:53 |
notmorgan | it's the OCC way of saying "be a requests thing, not a keystoneauth thing" | 01:53 |
jamielennox | do endpoints work there, or ADMIN_TOKEN, i know that was mordred's initial use case | 01:54 |
jamielennox | something something swift | 01:54 |
notmorgan | jamielennox: yep | 01:54 |
*** boris-42_ has quit IRC | 01:54 | |
*** dolphm has quit IRC | 01:54 | |
notmorgan | swift | 01:54 |
notmorgan | that is the reasoning | 01:54 |
* notmorgan also has 1st pass to kill admin_token | 01:54 | |
notmorgan | :) | 01:54 |
notmorgan | just need to tell bandit "no the try/except/pass is FINE" | 01:54 |
*** wangqun has quit IRC | 01:54 | |
*** johnthetubaguy has quit IRC | 01:54 | |
*** wangqun has joined #openstack-keystone | 01:54 | |
*** dolphm has joined #openstack-keystone | 01:54 | |
notmorgan | ayoung: is #nosec "ok" to use or should i really be "not" doing try/except/pass? | 01:55 |
*** wangqun has quit IRC | 01:55 | |
*** wangqun has joined #openstack-keystone | 01:56 | |
jamielennox | i like try/except/pass if there is a decent exception mentioned | 01:56 |
*** boris-42_ has joined #openstack-keystone | 01:56 | |
*** wangqun has quit IRC | 01:56 | |
*** wangqun has joined #openstack-keystone | 01:57 | |
*** johnthetubaguy has joined #openstack-keystone | 01:57 | |
*** ayoung has quit IRC | 01:58 | |
*** rcernin has quit IRC | 02:01 | |
*** aginwala has joined #openstack-keystone | 02:03 | |
*** tqtran has quit IRC | 02:04 | |
notmorgan | jamielennox: i think i've covered it here | 02:05 |
notmorgan | it's an ensurance the default domain is there | 02:05 |
notmorgan | because we *require* it for this action | 02:05 |
notmorgan | so, make sure it is in place | 02:05 |
notmorgan | unfortunately we don't bubble up the real exception to the manager | 02:06 |
notmorgan | so i have to guess w/ the UnexpectedError | 02:06 |
notmorgan | i guess i could reach in and match the message | 02:06 |
*** ayoung has joined #openstack-keystone | 02:08 | |
*** ChanServ sets mode: +v ayoung | 02:08 | |
openstackgerrit | Jamie Lennox proposed openstack/keystoneauth: Use SAML2 requests plugin https://review.openstack.org/255056 | 02:09 |
jamielennox | prefer not to, but sometimes there's no other choice - where's the default domain problem coming from? | 02:10 |
*** wangqun has quit IRC | 02:12 | |
*** wangqun has joined #openstack-keystone | 02:12 | |
notmorgan | well https://review.openstack.org/#/c/255599/ | 02:12 |
notmorgan | here i'm trying to re-work how we bootstrap keystone | 02:12 |
notmorgan | i'd like to drop the "create the default domain" in the sql migrations while we're at it | 02:12 |
*** terryyao has quit IRC | 02:13 | |
*** wangqun has quit IRC | 02:14 | |
*** wangqun has joined #openstack-keystone | 02:14 | |
*** wangqun has quit IRC | 02:16 | |
*** wangqun has joined #openstack-keystone | 02:16 | |
*** terryyao has joined #openstack-keystone | 02:18 | |
*** pumaranikar has joined #openstack-keystone | 02:26 | |
*** wangqun has quit IRC | 02:29 | |
*** pumaranikar has quit IRC | 02:31 | |
*** browne has joined #openstack-keystone | 02:32 | |
*** links has joined #openstack-keystone | 02:33 | |
jamielennox | notmorgan: i'm pretty sure i know the answer to this but there's not much value in running the v3cloudsample policy file just in keystone right? | 02:35 |
*** aginwala has quit IRC | 02:38 | |
stevemar | jamielennox: not really | 02:40 |
jamielennox | stevemar: so i got the request at summit to do a devstack install so that tempest could test the domain admin based model | 02:41 |
jamielennox | i know we don't recommend it but enough people use the domain admin concept now because of this that tempest wants to test it | 02:41 |
*** richm has quit IRC | 02:41 | |
jamielennox | but in playing with devstack i'm not sure there's a whole lot of point because you would need to have a similar file for nova or neutron to understand domain admins | 02:42 |
jamielennox | and i don't want to write all those | 02:42 |
stevemar | jamielennox: thanks for abandoning a bunch of old OSC patches | 02:42 |
jamielennox | stevemar: trying to clean up a little | 02:43 |
notmorgan | jamielennox: not not really... but easy to enhance it to be more cloud-admin friendly | 02:43 |
notmorgan | jamielennox: and we should do domain admin and start pushing that down to the other projects | 02:43 |
jamielennox | i think domain admin isn't actually a bad model we just never got it pushed out to other projects | 02:44 |
*** chlong has joined #openstack-keystone | 02:44 | |
*** timcline has joined #openstack-keystone | 02:44 | |
jamielennox | but i'm not sure there's an advantage to tempest testing domain admin if the only ones with a domain aware policy file is keystone | 02:44 |
*** aginwala has joined #openstack-keystone | 02:44 | |
jamielennox | i guess i could change the is_admin definition of all projects... | 02:45 |
jamielennox | is there a reason we never merged https://review.openstack.org/#/c/212345/7 | 02:47 |
*** Guest71412 has quit IRC | 02:47 | |
*** gildub has joined #openstack-keystone | 02:48 | |
*** timcline has quit IRC | 02:49 | |
stevemar | no idea | 02:52 |
openstackgerrit | Morgan Fainberg proposed openstack/keystone: Add `keystone-manage bootstrap` command https://review.openstack.org/255599 | 02:54 |
notmorgan | stevemar: ^ so bootstrap - another "well we talked about this so here we go" | 02:58 |
*** tonytan4ever has quit IRC | 02:58 | |
*** terryyao has quit IRC | 02:59 | |
*** terryyao has joined #openstack-keystone | 03:00 | |
stevemar | notmorgan: i'll see about it in a few, watching tv! | 03:02 |
notmorgan | stevemar: no excuse! :P | 03:02 |
*** aginwala has quit IRC | 03:02 | |
*** tsymanczyk has joined #openstack-keystone | 03:02 | |
*** tsymanczyk is now known as Guest94431 | 03:03 | |
*** boris-42_ has quit IRC | 03:03 | |
*** aginwala has joined #openstack-keystone | 03:06 | |
*** markvoelker has joined #openstack-keystone | 03:07 | |
*** aginwala has quit IRC | 03:10 | |
*** markvoelker has quit IRC | 03:12 | |
*** RichardRaseley has joined #openstack-keystone | 03:14 | |
*** steveng has joined #openstack-keystone | 03:15 | |
openstackgerrit | Jamie Lennox proposed openstack/keystoneauth: Remove confusing documentation https://review.openstack.org/255651 | 03:16 |
*** topol has joined #openstack-keystone | 03:17 | |
*** ChanServ sets mode: +v topol | 03:17 | |
ayoung | jamielennox, did you see my followon to implied_roles? | 03:18 |
jamielennox | ayoung: no | 03:19 |
jamielennox | ayoung: spec or code? | 03:19 |
ayoung | jamielennox, https://review.openstack.org/#/c/240720/ code | 03:19 |
ayoung | that would be a better start for dealing with the domain admin model. It means we could start applying changes to the other services policy files | 03:20 |
jamielennox | ayoung: hmm, that does break a little what i was planning on for tempest | 03:20 |
ayoung | jamielennox, why? | 03:21 |
jamielennox | so tempest wants to be able to run with the v3 cloud policy file | 03:21 |
jamielennox | i was looking at doing a devstack to support that | 03:21 |
jamielennox | but if you remove admin_domain_id then i can't sed to replace it | 03:21 |
*** topol has quit IRC | 03:22 | |
jamielennox | as much as we said v3cloudsample wasn't supported apparently there are enough people out there using it and requesting tempest test it that they want to | 03:22 |
*** spandhe has quit IRC | 03:27 | |
*** gyee has quit IRC | 03:41 | |
*** gokrokve_ has quit IRC | 03:42 | |
*** timcline has joined #openstack-keystone | 03:45 | |
*** terryyao has quit IRC | 03:48 | |
*** timcline has quit IRC | 03:50 | |
*** flwang1 has quit IRC | 03:55 | |
*** lhcheng has joined #openstack-keystone | 03:58 | |
*** ChanServ sets mode: +v lhcheng | 03:58 | |
openstackgerrit | Jamie Lennox proposed openstack/keystonemiddleware: Use load_from_options_getter for auth plugins https://review.openstack.org/255661 | 04:02 |
*** lhcheng has quit IRC | 04:03 | |
*** jasonsb has joined #openstack-keystone | 04:11 | |
*** terryyao has joined #openstack-keystone | 04:28 | |
ayoung | jamielennox, I guess I could leave it alone and do a different policy file.... | 04:28 |
ayoung | there is no real benefit to breaking that one. But don't put any more effort into it, I think. I'll have to figure out how to do the new one, but I kind of like that. | 04:29 |
jamielennox | ayoung: i'm not sure what to do about that | 04:31 |
jamielennox | ayoung: really it made me want to be able to set something from conf so i didn't have to find the id, insert into policy file and reboot :) | 04:31 |
ayoung | jamielennox, so...I'll leave cloudsample alone, but you shouldn't do any tempest work on it either | 04:31 |
jamielennox | ayoung: this is what i'm coming to too | 04:32 |
ayoung | lets focus on a new policy file that is maintainable | 04:32 |
jamielennox | i told andreaf_ i would get him something i can test, but if i replace just that keystone policy file it doesn't become a coherent system | 04:32 |
jamielennox | all the other projects are still using the policy file they had before | 04:33 |
jamielennox | so there still needs to be an admin project for them | 04:33 |
*** steveng has quit IRC | 04:34 | |
jamielennox | ayoung: i'll need to ask him again what he wants to do, because i don't want to maintain a full set of domain based policy scripts in tempest/devstack which is the only real way to do it | 04:34 |
ayoung | unified policy file | 04:35 |
jamielennox | yea | 04:35 |
jamielennox | because all i want to change is the definition of is_admin | 04:35 |
ayoung | jamielennox, none of the other services used domains | 04:37 |
jamielennox | ayoung: no, but they need to know what global admin is | 04:37 |
jamielennox | like not project based | 04:37 |
ayoung | I think I have a hack that will work with the cloud_admin file without breaking it | 04:37 |
jamielennox | ayoung: just leave it in there as an OR statement | 04:38 |
ayoung | if the old admin_domain_id is the last thing in the line, it might trigger an exception, but it will be when policy was supposed to fail anyway | 04:38 |
jamielennox | though i don't expect i'm going to get that to work | 04:38 |
ayoung | jamielennox, that is why I had this https://review.openstack.org/#/c/165908/ | 04:39 |
jamielennox | ayoung: what was being raised? | 04:45 |
jamielennox | oh, i'm guessing keyerror | 04:45 |
jamielennox | yea, we need to standardize what goes into that and not just dump the token | 04:45 |
jamielennox | ayoung: you would at least need a lot more logging in that patch | 04:45 |
jamielennox | ayoung: a failure to enforce policy - particularly like httpcheck is bad | 04:46 |
*** timcline has joined #openstack-keystone | 04:46 | |
jamielennox | ayoung: i don't know that code well enough but if it really is a keyerror we should fix that instead | 04:46 |
jamielennox | like just use .get() | 04:47 |
*** fawadkhaliq has joined #openstack-keystone | 04:48 | |
ayoung | jamielennox, if we do that it means that we can never run policy off an optional field | 04:49 |
ayoung | but the Or means that if one thing fails, the other should succeed. Erroring out means that it always fails | 04:50 |
ayoung | key error was due to changing token formats | 04:50 |
*** timcline has quit IRC | 04:50 | |
*** timcline has joined #openstack-keystone | 04:51 | |
jamielennox | ayoung: throwing an exception is not failing - it's misconfiguration | 04:52 |
jamielennox | ayoung: i was thinking it would mean we could always ignore optional fields | 04:52 |
jamielennox | so linking policy enforcement keys to token contents is bad | 04:53 |
ayoung | 500 errors are not the way to tell your users that there is something wrong with the site | 04:53 |
jamielennox | ayoung: maybe, but otherwise they'll get 401s and think they've done something wrong with their password | 04:53 |
ayoung | just deny access and move on | 04:53 |
ayoung | OK...I think I have it | 04:54 |
jamielennox | it's not about telling users, it's about telling admins they screwed up | 04:54 |
*** steveng has joined #openstack-keystone | 04:54 | |
*** timcline has quit IRC | 04:55 | |
jamielennox | httpretty is dead! https://review.openstack.org/#/c/183745/ | 04:59 |
stevemar | \o/ | 05:01 |
jamielennox | stevemar: did all the extensions to core things merge? | 05:07 |
*** markvoelker has joined #openstack-keystone | 05:07 | |
*** markvoelker has quit IRC | 05:12 | |
openstackgerrit | ayoung proposed openstack/keystone: Implied Roles https://review.openstack.org/242614 | 05:24 |
openstackgerrit | ayoung proposed openstack/keystone: Updated Cloudsample https://review.openstack.org/240720 | 05:24 |
*** RichardRaseley has quit IRC | 05:24 | |
*** david8hu has quit IRC | 05:25 | |
stevemar | jamielennox: i believe so | 05:32 |
stevemar | jamielennox: how much do you like me | 05:39 |
stevemar | i'll fix https://bugs.launchpad.net/keystoneauth/+bug/1517858 myself :P | 05:40 |
openstack | Launchpad bug 1517858 in keystoneauth "Correct the examples in keystoneauth documentation" [Low,Confirmed] | 05:40 |
*** Nirupama has joined #openstack-keystone | 05:41 | |
openstackgerrit | Steve Martinelli proposed openstack/keystoneauth: small fix to missing parameters in documentation https://review.openstack.org/255677 | 05:45 |
stevemar | jamielennox: you gotta return the favor for ^ | 05:45 |
*** RichardRaseley has joined #openstack-keystone | 05:48 | |
jamielennox | stevemar: ah, nice | 05:50 |
jamielennox | stevemar: i just +2ed but really you should use Default for name not default | 05:51 |
jamielennox | stevemar: cause you know that confuses people already | 05:51 |
*** timcline has joined #openstack-keystone | 05:52 | |
*** timcline has quit IRC | 05:56 | |
*** RichardRaseley has quit IRC | 05:56 | |
*** steveng has quit IRC | 05:58 | |
*** aginwala has joined #openstack-keystone | 06:00 | |
*** links has quit IRC | 06:01 | |
*** links has joined #openstack-keystone | 06:01 | |
*** steveng has joined #openstack-keystone | 06:02 | |
stevemar | jamielennox: everything confuses everyone all the time | 06:05 |
stevemar | notmorgan: ^ theres an easy one there for you to punt off into the gate | 06:05 |
*** steveng has quit IRC | 06:06 | |
stevemar | jamielennox: i've also learned that i'm perpetually behind on everything | 06:06 |
stevemar | i need time to stand still for like a week | 06:06 |
stevemar | so i can catch up | 06:06 |
*** steveng has joined #openstack-keystone | 06:07 | |
*** RichardRaseley has joined #openstack-keystone | 06:07 | |
jamielennox | stevemar: i heard rumours of this about being PTL | 06:09 |
openstackgerrit | Jamie Lennox proposed openstack/keystone: Perform middleware tests with webtest https://review.openstack.org/244440 | 06:09 |
openstackgerrit | Jamie Lennox proposed openstack/keystone: Make AuthContext depend on auth_token middleware https://review.openstack.org/255686 | 06:09 |
jamielennox | stevemar: woop ^ | 06:10 |
*** gildub has quit IRC | 06:10 | |
jamielennox | ah, damn, that class is still marked as private | 06:16 |
openstackgerrit | Jamie Lennox proposed openstack/keystonemiddleware: Make BaseAuthProtocol public https://review.openstack.org/255691 | 06:24 |
*** chlong has quit IRC | 06:28 | |
*** jaosorior has joined #openstack-keystone | 06:29 | |
*** topol has joined #openstack-keystone | 06:34 | |
*** ChanServ sets mode: +v topol | 06:34 | |
*** ajayaa has joined #openstack-keystone | 06:35 | |
*** topol has quit IRC | 06:38 | |
*** gildub has joined #openstack-keystone | 06:47 | |
*** links has quit IRC | 06:49 | |
*** spandhe has joined #openstack-keystone | 06:49 | |
*** chlong has joined #openstack-keystone | 06:49 | |
*** RichardRaseley has quit IRC | 06:50 | |
*** spandhe_ has joined #openstack-keystone | 06:50 | |
ajayaa | Hi guys. What is the use of path_vars variable in routers of each component such as assignment, identity etc.? | 06:52 |
ajayaa | stevemar, jamielennox, rodrigods ^^ | 06:52 |
*** timcline has joined #openstack-keystone | 06:53 | |
*** spandhe has quit IRC | 06:53 | |
*** spandhe_ is now known as spandhe | 06:53 | |
*** jdennis has quit IRC | 06:57 | |
*** timcline has quit IRC | 06:57 | |
*** jdennis has joined #openstack-keystone | 07:00 | |
stevemar | ajayaa: link? | 07:00 |
stevemar | aren't those the variables that are passed in as part of the API request | 07:00 |
stevemar | so DELETE /v3/users/aad7393d79a | 07:00 |
stevemar | the aad7...9a part would be in path_vars | 07:00 |
stevemar | thats if i recall correctly... | 07:01 |
ajayaa | stevemar https://github.com/openstack/keystone/blob/master/keystone/assignment/routers.py#L69 | 07:01 |
ajayaa | for e.g. | 07:01 |
ajayaa | Yes. | 07:01 |
stevemar | oh that stuff | 07:01 |
stevemar | that's used for JSON home support | 07:01 |
stevemar | each one corresponds to the /{var_name}/ in the API | 07:02 |
ajayaa | Why do we return something different when the mime type is json/home? | 07:02 |
ajayaa | Is it to help clients to determine what resources/apis does the service expose? | 07:02 |
ajayaa | Rephrasing my question, what is JSON home and how is it useful? | 07:03 |
ajayaa | stevemar ^^ | 07:03 |
*** chlong has quit IRC | 07:04 | |
ajayaa | This might sound naive. I am not an api expert. :) | 07:04 |
notmorgan | omg... | 07:04 |
notmorgan | moving sucks sometimes :P | 07:04 |
notmorgan | on the plus side... have most stuff unpacked now. | 07:05 |
*** links has joined #openstack-keystone | 07:05 | |
*** aginwala has quit IRC | 07:05 | |
*** markvoelker has joined #openstack-keystone | 07:08 | |
*** flwang1 has joined #openstack-keystone | 07:09 | |
*** rcernin has joined #openstack-keystone | 07:11 | |
*** steveng has quit IRC | 07:12 | |
*** steveng1 has joined #openstack-keystone | 07:12 | |
*** markvoelker has quit IRC | 07:13 | |
stevemar | notmorgan: got a stable ABI question for you | 07:14 |
notmorgan | stevemar: i have an answer that is probably not useful | 07:14 |
notmorgan | stevemar: lets see if the match | 07:14 |
notmorgan | they* | 07:14 |
stevemar | notmorgan: this patch: https://review.openstack.org/#/c/233069/ | 07:14 |
*** steveng1 is now known as steveng | 07:14 | |
stevemar | breton is moving around the truncated decorator, which is fine | 07:15 |
notmorgan | yah | 07:15 |
stevemar | but now we have https://github.com/openstack/keystone/blob/master/keystone/assignment/V8_role_backends/sql.py#L27 | 07:15 |
stevemar | is the decorator part of the stable interface? | 07:15 |
notmorgan | uhmmm. | 07:16 |
notmorgan | we should keep a reference to the decorator in the old spot | 07:16 |
notmorgan | for consistency | 07:16 |
notmorgan | so we don't break anyone who is still referencing it for the old driver version | 07:16 |
notmorgan | i mean... it isn't imperative, but to be nice to folks, it would be ideal to just [in the old location] truncated = <new location>.truncated | 07:17 |
notmorgan | with a note that it'll be moved when the driver interface X,Y,Z is removed | 07:17 |
notmorgan | or some such | 07:17 |
openstackgerrit | Steve Martinelli proposed openstack/keystone: Fix exposition of bug about limiting with ldap https://review.openstack.org/234226 | 07:17 |
notmorgan | but i mean... you could also let this one slide | 07:17 |
* notmorgan shrugs | 07:17 | |
openstackgerrit | Steve Martinelli proposed openstack/keystone: Make @truncated common for all backends https://review.openstack.org/233069 | 07:17 |
* ajayaa reading https://tools.ietf.org/html/draft-nottingham-json-home-02 stevemar, am I in the right path? | 07:19 | |
*** chlong has joined #openstack-keystone | 07:20 | |
notmorgan | ajayaa: it's pretty good eh? | 07:20 |
notmorgan | :) | 07:20 |
ajayaa | notmorgan, don't know! I want to learn what json/home is. If you have a better suggestion than the above one, I would take it. :) | 07:22 |
notmorgan | ajayaa: that is about as good as it gets. | 07:22 |
*** topol has joined #openstack-keystone | 07:22 | |
*** ChanServ sets mode: +v topol | 07:22 | |
notmorgan | but... in short: JSON response that gives you relevant info about what is on the server | 07:22 |
notmorgan | something machine parsable that would be the equivalent of an index | 07:23 |
notmorgan | the alternative is an XML doc | 07:23 |
stevemar | notmorgan: /me doesn't understand how pep8 and our new legacy tests are passing with a reference to that removed function | 07:23 |
notmorgan | that describes where resources/APIs are | 07:23 |
notmorgan | stevemar: uhmmmmmm. | 07:23 |
stevemar | oh there we go! | 07:23 |
stevemar | a failure yay | 07:23 |
notmorgan | stevemar: heh | 07:23 |
ajayaa | notmorgan, Thanks. That's the kind of explanation I was looking for. | 07:24 |
stevemar | notmorgan: on another note, i think oauth stuff is broken | 07:26 |
stevemar | womp womp | 07:26 |
*** dims_ has joined #openstack-keystone | 07:26 | |
stevemar | something is going all screwy with signature calculation | 07:27 |
stevemar | i think it may be the oslo request id being in the header | 07:27 |
openstackgerrit | Steve Martinelli proposed openstack/keystone: Make @truncated common for all backends https://review.openstack.org/233069 | 07:27 |
openstackgerrit | Steve Martinelli proposed openstack/keystone: Limiting for fake LDAP https://review.openstack.org/247749 | 07:28 |
notmorgan | stevemar: yay oauth | 07:28 |
notmorgan | stevemar: eventually i think oauth is going to be really useful... | 07:28 |
stevemar | notmorgan: another reason we need functional tests :@ | 07:28 |
notmorgan | stevemar: like when I get us all sub-url mounted in devstack >.> | 07:28 |
notmorgan | and people can use oauth for all apis, vs needing to oauth and then get a token :( | 07:29 |
notmorgan | buuuuttt.t...... | 07:29 |
notmorgan | until then... yes functional tests | 07:29 |
notmorgan | make them happen! | 07:29 |
notmorgan | :) | 07:29 |
notmorgan | ajayaa: it's a simple explanation but it gets the gist of what is being attempted | 07:30 |
openstackgerrit | Steve Martinelli proposed openstack/keystone: Use @truncated in ldap for users https://review.openstack.org/233070 | 07:35 |
*** aginwala has joined #openstack-keystone | 07:38 | |
*** browne has quit IRC | 07:40 | |
ajayaa | notmorgan, I like simple explanations. On the same note, Bill Gates recommends this book "Thing Explainer: Complicated Stuff in Simple Words" in which the author explains very complicated subjects in simple ideas. | 07:41 |
notmorgan | ajayaa: I have the book | 07:42 |
notmorgan | it's fantastic | 07:42 |
notmorgan | Randall Munroe is pretty darn good at the stuff | 07:42 |
ajayaa | :) | 07:42 |
notmorgan | i mean... XKCD is fun. | 07:42 |
notmorgan | Thing Explainer is entertaining | 07:42 |
ajayaa | I am yet to read this book. stacked up in my reading list though. Reading "Thinking fast and slow" now. :) | 07:43 |
ajayaa | yep, XKCD is fun. | 07:43 |
notmorgan | ajayaa: https://twitter.com/MdrnStm/status/674455084164448257 that is the next book i am reading | 07:44 |
notmorgan | (actually just starting) | 07:45 |
*** topol has quit IRC | 07:45 | |
notmorgan | and i have ~3 other similar books i'm going to start soon | 07:45 |
*** topol has joined #openstack-keystone | 07:46 | |
*** ChanServ sets mode: +v topol | 07:46 | |
ajayaa | looks fancy. I would ask about your opinions/thoughts after you finish it. | 07:47 |
openstackgerrit | Steve Martinelli proposed openstack/keystone: Enable limiting in ldap for groups https://review.openstack.org/234849 | 07:49 |
*** spandhe_ has joined #openstack-keystone | 07:53 | |
*** timcline has joined #openstack-keystone | 07:53 | |
*** spandhe has quit IRC | 07:54 | |
*** spandhe_ is now known as spandhe | 07:54 | |
notmorgan | ajayaa: the zingerman's books are really fantastic | 07:57 |
notmorgan | can't say enough good things about them | 07:57 |
notmorgan | if you are into reading about leadership and running teams, etc | 07:57 |
notmorgan | some people really aren't | 07:57 |
notmorgan | considering the role I tend to fall into in an org/group/open source | 07:58 |
*** fawadkhaliq has quit IRC | 07:58 | |
notmorgan | it's really good for me to read them, and i def. learn a lot/benefit from them | 07:58 |
*** timcline has quit IRC | 07:58 | |
*** fawadkhaliq has joined #openstack-keystone | 07:58 | |
*** terryyao has quit IRC | 08:01 | |
*** topol has quit IRC | 08:03 | |
openstackgerrit | Merged openstack/keystoneauth: small fix to missing parameters in documentation https://review.openstack.org/255677 | 08:04 |
*** terryyao_ has joined #openstack-keystone | 08:04 | |
*** dansmith has quit IRC | 08:05 | |
*** chlong has quit IRC | 08:05 | |
*** jgriffith has quit IRC | 08:05 | |
*** sirushti has quit IRC | 08:05 | |
breton | stevemar: thanks for reviews! | 08:06 |
stevemar | breton: np! | 08:07 |
stevemar | breton: it takes me a while, but i usually get around to reviewing | 08:07 |
stevemar | breton: nice job on that stuff btw | 08:07 |
*** dansmith has joined #openstack-keystone | 08:07 | |
*** dansmith is now known as Guest17779 | 08:07 | |
stevemar | it wasn't easy | 08:08 |
*** _cjones_ has joined #openstack-keystone | 08:10 | |
*** jgriffith has joined #openstack-keystone | 08:11 | |
*** sirushti has joined #openstack-keystone | 08:11 | |
*** _cjones_ has quit IRC | 08:11 | |
*** _cjones_ has joined #openstack-keystone | 08:12 | |
openstackgerrit | Boris Bobrov proposed openstack/python-keystoneclient: Support `truncated` flag returned by keystone https://review.openstack.org/250473 | 08:12 |
*** aginwala has quit IRC | 08:13 | |
*** heha37 has joined #openstack-keystone | 08:14 | |
*** links has quit IRC | 08:14 | |
*** mhickey has joined #openstack-keystone | 08:18 | |
*** fawadkhaliq has quit IRC | 08:21 | |
stevemar | jamielennox: | 08:23 |
stevemar | poke | 08:23 |
stevemar | i have a question in https://review.openstack.org/#/c/212345/7/keystonemiddleware/auth_token/_cache.py | 08:23 |
stevemar | won't return memcache.Client(*args, **kwargs) be run even if memcache = None | 08:23 |
stevemar | ? | 08:23 |
*** belmoreira has joined #openstack-keystone | 08:25 | |
*** spandhe has quit IRC | 08:29 | |
stevemar | jamielennox: poke, review https://review.openstack.org/#/c/250473/ when you get a chance | 08:32 |
*** e0ne has joined #openstack-keystone | 08:32 | |
*** pnavarro has joined #openstack-keystone | 08:35 | |
*** lhcheng has joined #openstack-keystone | 08:38 | |
*** ChanServ sets mode: +v lhcheng | 08:38 | |
jamielennox | stevemar: might be bed time | 08:41 |
jamielennox | i think the memcache thing is fine | 08:41 |
jamielennox | if it hasn't been imported it will be | 08:41 |
jamielennox | then it will always be available | 08:41 |
*** steveng has quit IRC | 08:46 | |
*** terryyao_ has quit IRC | 08:51 | |
*** e0ne has quit IRC | 08:52 | |
*** links has joined #openstack-keystone | 08:52 | |
*** flwang1 has quit IRC | 08:53 | |
*** terryyao_ has joined #openstack-keystone | 08:54 | |
*** timcline has joined #openstack-keystone | 08:54 | |
*** timcline has quit IRC | 08:59 | |
*** fhubik has joined #openstack-keystone | 09:01 | |
*** terryyao_ has quit IRC | 09:02 | |
*** terryyao_ has joined #openstack-keystone | 09:07 | |
openstackgerrit | Merged openstack/keystone: refactor: move the common code to manager layer https://review.openstack.org/255070 | 09:08 |
*** markvoelker has joined #openstack-keystone | 09:09 | |
*** jamielennox is now known as jamielennox|away | 09:09 | |
*** markvoelker has quit IRC | 09:14 | |
openstackgerrit | Merged openstack/keystone: Remove keystoneclient tests https://review.openstack.org/240474 | 09:15 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/254633 | 09:26 |
*** hogepodge has quit IRC | 09:26 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/254633 | 09:27 |
*** hogepodge has joined #openstack-keystone | 09:28 | |
*** flwang1 has joined #openstack-keystone | 09:30 | |
*** openstackgerrit has quit IRC | 09:32 | |
*** openstackgerrit has joined #openstack-keystone | 09:32 | |
*** andreykurilin__ has joined #openstack-keystone | 09:35 | |
*** flwang1 has quit IRC | 09:36 | |
andreykurilin__ | hi everyone! How can I configure devstack to install both v2(identity by default) and v3? | 09:37 |
*** _cjones_ has quit IRC | 09:40 | |
*** links has quit IRC | 09:42 | |
*** _cjones_ has joined #openstack-keystone | 09:42 | |
*** _cjones_ has quit IRC | 09:43 | |
*** _cjones_ has joined #openstack-keystone | 09:43 | |
*** fawadkhaliq has joined #openstack-keystone | 09:44 | |
*** _cjones_ has quit IRC | 09:45 | |
*** steveng has joined #openstack-keystone | 09:45 | |
*** terryyao_ has quit IRC | 09:45 | |
*** EinstCra_ has quit IRC | 09:50 | |
*** e0ne has joined #openstack-keystone | 09:51 | |
*** timcline has joined #openstack-keystone | 09:55 | |
*** links has joined #openstack-keystone | 09:55 | |
*** pgbridge has joined #openstack-keystone | 09:58 | |
*** jistr has joined #openstack-keystone | 09:59 | |
*** timcline has quit IRC | 10:00 | |
*** briancurtin has quit IRC | 10:01 | |
*** briancurtin has joined #openstack-keystone | 10:03 | |
*** EinstCrazy has joined #openstack-keystone | 10:04 | |
*** links has quit IRC | 10:04 | |
*** links has joined #openstack-keystone | 10:17 | |
*** fhubik is now known as fhubik_brb | 10:23 | |
*** markvoelker has joined #openstack-keystone | 10:25 | |
*** markvoelker has quit IRC | 10:29 | |
*** lhcheng has quit IRC | 10:33 | |
*** fhubik_brb is now known as fhubik | 10:34 | |
*** EinstCrazy has quit IRC | 10:38 | |
*** _cjones_ has joined #openstack-keystone | 10:47 | |
*** lhinds has quit IRC | 10:50 | |
*** chenke_ has joined #openstack-keystone | 10:52 | |
*** _cjones_ has quit IRC | 10:52 | |
*** aix has joined #openstack-keystone | 10:54 | |
*** chenke__ has quit IRC | 10:55 | |
*** timcline has joined #openstack-keystone | 10:56 | |
*** timcline has quit IRC | 11:00 | |
*** heha37 has quit IRC | 11:03 | |
*** dims_ has quit IRC | 11:04 | |
*** pgbridge has quit IRC | 11:05 | |
*** alexpro has joined #openstack-keystone | 11:30 | |
*** EinstCrazy has joined #openstack-keystone | 11:30 | |
samueldmq | morning keystoners | 11:42 |
samueldmq | andreykurilin__: hi, it already does | 11:42 |
andreykurilin__ | samueldmq: hi! but service catalog doesn't include identity v3 service :( | 11:44 |
samueldmq | andreykurilin__: hm, I think we have changed it to include versionless URL in the catalog | 11:46 |
samueldmq | andreykurilin__: it means https://keystone:5000/ (without v2.0 or v3), this way the clients make the discovery themselves | 11:47 |
samueldmq | andreykurilin__: what do you want to do ? have a v3 only cloud ? test v3? | 11:47 |
andreykurilin__ | samueldmq: testing both v2 and v3. breton already pointed me to http://developer.openstack.org/api-ref-identity-v3.html#listIdentityVersions | 11:48 |
breton | samueldmq: > I think we have changed it to include versionless URL in the catalog | 11:49 |
breton | samueldmq: no, we haven't | 11:49 |
*** _cjones_ has joined #openstack-keystone | 11:49 | |
*** _cjones_ has quit IRC | 11:53 | |
*** pnavarro is now known as pnavarro|lunch | 11:55 | |
samueldmq | breton: hmm, thanks for checking, iirc jamielennox|away has a patch up for this | 11:55 |
*** timcline has joined #openstack-keystone | 11:57 | |
samueldmq | breton: andreykurilin__: that's true, the patch from versionless url hasn't merged yet https://review.openstack.org/#/c/182923/ | 11:58 |
*** fhubik is now known as fhubik_brb | 11:59 | |
*** fhubik_brb is now known as fhubik | 12:00 | |
*** fawadkhaliq has quit IRC | 12:01 | |
*** timcline has quit IRC | 12:01 | |
*** jsheeren has joined #openstack-keystone | 12:02 | |
*** gildub has quit IRC | 12:08 | |
*** fhubik is now known as fhubik_brb | 12:13 | |
*** fhubik_brb is now known as fhubik | 12:14 | |
*** aix has quit IRC | 12:14 | |
*** jsheeren has quit IRC | 12:17 | |
openstackgerrit | Merged openstack/keystone: Fix exposition of bug about limiting with ldap https://review.openstack.org/234226 | 12:18 |
*** fhubik is now known as fhubik_brb | 12:19 | |
openstackgerrit | Merged openstack/keystone: Make @truncated common for all backends https://review.openstack.org/233069 | 12:21 |
*** raildo-afk is now known as raildo | 12:22 | |
*** fhubik_brb is now known as fhubik | 12:25 | |
*** markvoelker has joined #openstack-keystone | 12:26 | |
*** markvoelker has quit IRC | 12:30 | |
*** doug-fish has joined #openstack-keystone | 12:32 | |
*** fhubik is now known as fhubik_brb | 12:35 | |
*** jsheeren has joined #openstack-keystone | 12:36 | |
*** topol has joined #openstack-keystone | 12:42 | |
*** ChanServ sets mode: +v topol | 12:42 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/254444 | 12:42 |
*** atiwari1 has joined #openstack-keystone | 12:46 | |
*** jaosorior has quit IRC | 12:47 | |
*** openstackgerrit has quit IRC | 12:47 | |
*** jaosorior has joined #openstack-keystone | 12:47 | |
*** openstackgerrit has joined #openstack-keystone | 12:47 | |
*** atiwari2 has quit IRC | 12:48 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/254633 | 12:49 |
*** atiwari1 has quit IRC | 12:50 | |
*** _cjones_ has joined #openstack-keystone | 12:50 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/254633 | 12:51 |
*** topol has quit IRC | 12:51 | |
*** atiwari1 has joined #openstack-keystone | 12:52 | |
*** aix has joined #openstack-keystone | 12:55 | |
*** fhubik_brb is now known as fhubik | 12:55 | |
*** _cjones_ has quit IRC | 12:57 | |
*** flwang has quit IRC | 12:57 | |
*** swebb has quit IRC | 12:57 | |
*** crinkle has quit IRC | 12:57 | |
*** flwang has joined #openstack-keystone | 12:57 | |
*** timcline has joined #openstack-keystone | 12:57 | |
*** crinkle has joined #openstack-keystone | 12:57 | |
*** timcline has quit IRC | 13:02 | |
*** swebb has joined #openstack-keystone | 13:03 | |
openstackgerrit | Dina Belova proposed openstack/keystone: === WIP === Integrate OSprofiler in Keystone https://review.openstack.org/103368 | 13:06 |
*** markvoelker has joined #openstack-keystone | 13:08 | |
openstackgerrit | Henrique Truta proposed openstack/keystone: Add backend support for deleting a projects list https://review.openstack.org/245916 | 13:11 |
*** gordc has joined #openstack-keystone | 13:17 | |
*** Anticimex has quit IRC | 13:18 | |
*** ajayaa has quit IRC | 13:20 | |
*** fhubik is now known as fhubik_brb | 13:20 | |
*** fhubik_brb is now known as fhubik | 13:26 | |
*** Anticimex has joined #openstack-keystone | 13:29 | |
*** fhubik has quit IRC | 13:35 | |
*** jsheeren has quit IRC | 13:35 | |
*** ninag has joined #openstack-keystone | 13:40 | |
*** pauloewerton has joined #openstack-keystone | 13:42 | |
*** dims has joined #openstack-keystone | 13:43 | |
*** Nirupama has quit IRC | 13:45 | |
*** dims has quit IRC | 13:48 | |
*** zhiyan has quit IRC | 13:51 | |
*** zhiyan has joined #openstack-keystone | 13:53 | |
*** _cjones_ has joined #openstack-keystone | 13:53 | |
*** dims_ has joined #openstack-keystone | 13:57 | |
*** _cjones_ has quit IRC | 13:57 | |
*** openstackstatus has quit IRC | 13:57 | |
*** links has quit IRC | 13:57 | |
*** timcline has joined #openstack-keystone | 13:58 | |
*** sigmavirus24_awa is now known as sigmavirus24 | 13:59 | |
*** topol has joined #openstack-keystone | 14:01 | |
*** ChanServ sets mode: +v topol | 14:01 | |
*** timcline has quit IRC | 14:03 | |
*** topol has quit IRC | 14:05 | |
*** fawadkhaliq has joined #openstack-keystone | 14:16 | |
*** fawadkhaliq has quit IRC | 14:17 | |
*** pnavarro|lunch is now known as pnavarro | 14:17 | |
*** fawadkhaliq has joined #openstack-keystone | 14:17 | |
*** breitz has quit IRC | 14:19 | |
*** breitz has joined #openstack-keystone | 14:19 | |
*** alejandrito has joined #openstack-keystone | 14:22 | |
*** RichardRaseley has joined #openstack-keystone | 14:23 | |
*** petertr7_away is now known as petertr7 | 14:25 | |
*** Ephur has joined #openstack-keystone | 14:32 | |
*** andrewbogott has quit IRC | 14:36 | |
*** andrewbogott has joined #openstack-keystone | 14:36 | |
*** Guest17779 is now known as dansmith | 14:36 | |
*** dansmith is now known as Guest18124 | 14:37 | |
*** Guest18124 is now known as dansmith | 14:37 | |
*** _cjones_ has joined #openstack-keystone | 14:54 | |
*** _cjones_ has quit IRC | 14:59 | |
*** petertr7 is now known as petertr7_away | 14:59 | |
*** boris-42_ has joined #openstack-keystone | 14:59 | |
openstackgerrit | Tom Cocozzello proposed openstack/python-keystoneclient: WIP set up incude names for list role assignments https://review.openstack.org/255392 | 15:00 |
breton | it seems that trusts don't work with fernet tokens | 15:00 |
* breton verifying | 15:00 | |
*** Ephur has quit IRC | 15:00 | |
*** pumaranikar has joined #openstack-keystone | 15:00 | |
lbragstad | breton yeah I was just looking at that | 15:00 |
lbragstad | breton I have a pile of meetings today, but let me know if you can verify it | 15:01 |
breton | ack | 15:01 |
*** vgridnev has joined #openstack-keystone | 15:02 | |
*** rderose has joined #openstack-keystone | 15:02 | |
*** petertr7_away is now known as petertr7 | 15:02 | |
bknudson | service catalog meeting in #openstack-meeting-cp | 15:03 |
*** atiwari2 has joined #openstack-keystone | 15:03 | |
*** davechen has joined #openstack-keystone | 15:05 | |
*** atiwari1 has quit IRC | 15:05 | |
*** tonytan4ever has joined #openstack-keystone | 15:11 | |
*** richm has joined #openstack-keystone | 15:12 | |
openstackgerrit | Ghe Rivero proposed openstack/keystone: Create neutron service in sample_data.sh https://review.openstack.org/208215 | 15:13 |
*** kairat has joined #openstack-keystone | 15:14 | |
*** petertr7 is now known as petertr7_away | 15:16 | |
*** RichardRaseley has quit IRC | 15:16 | |
ayoung | bknudson, is there an agenda link here somewhere? | 15:18 |
bknudson | ayoung: https://wiki.openstack.org/wiki/ServiceCatalogTNG#Mitaka_Goals | 15:18 |
bknudson | ayoung: oops, agenda is https://wiki.openstack.org/wiki/Meetings/ServiceCatalogTNG#Service_Catalog_TNG_Meeting | 15:18 |
*** petertr7_away is now known as petertr7 | 15:18 | |
ayoung | bknudson, how did TENANT_ID get in there for all those services? That is not vanilla? | 15:19 |
bknudson | ayoung: they copied what nova did | 15:19 |
*** lxsli has left #openstack-keystone | 15:21 | |
ayoung | but the other services don't support it | 15:21 |
ayoung | do they? | 15:21 |
*** slberger has joined #openstack-keystone | 15:22 | |
bknudson | ayoung: that's what the question is, anne is going to check if the other services have the project ID in the catalog entry | 15:27 |
bknudson | maybe there aren't any other than nova | 15:27 |
bknudson | there's a mailing list topic | 15:27 |
bknudson | ayoung: you already commented on the mailing list topic | 15:29 |
ayoung | bknudson, looking at the wiki list it looks like nova, cinder, trove, and heat. HEAT? Really, woulda thought those guys knew better... | 15:32 |
*** tonytan4ever has quit IRC | 15:32 | |
*** timcline has joined #openstack-keystone | 15:33 | |
*** fawadkhaliq has quit IRC | 15:37 | |
openstackgerrit | Merged openstack/keystoneauth: Remove confusing documentation https://review.openstack.org/255651 | 15:39 |
*** roxanaghe has joined #openstack-keystone | 15:49 | |
*** tonytan4ever has joined #openstack-keystone | 15:52 | |
*** tonytan4ever has quit IRC | 15:53 | |
*** _cjones_ has joined #openstack-keystone | 15:56 | |
*** tonytan4ever has joined #openstack-keystone | 15:58 | |
*** _cjones_ has quit IRC | 16:01 | |
*** wanghua has quit IRC | 16:03 | |
*** topol has joined #openstack-keystone | 16:05 | |
*** ChanServ sets mode: +v topol | 16:05 | |
*** pgbridge has joined #openstack-keystone | 16:09 | |
*** joseppc has joined #openstack-keystone | 16:09 | |
zigo | Any idea why I get this? https://mitaka-jessie.pkgs.mirantis.com/job/python-keystonemiddleware/6/console | 16:15 |
*** csoukup has joined #openstack-keystone | 16:15 | |
*** ajayaa has joined #openstack-keystone | 16:15 | |
*** haneef has quit IRC | 16:18 | |
ayoung | zigo, bug | 16:19 |
*** fawadkhaliq has joined #openstack-keystone | 16:19 | |
ayoung | zigo, so, Bind was an artifact of when we were headed toward PKI tokens | 16:19 |
ayoung | it meant that you needed a second form of auth along with the token | 16:20 |
*** e0ne has quit IRC | 16:20 | |
bknudson | zigo: these tests are working on my local system... | 16:20 |
*** diazjf has joined #openstack-keystone | 16:21 | |
ayoung | bknudson, I think we can drop bind from the API | 16:21 |
bknudson | ayoung: we can drop token binding? | 16:21 |
bknudson | did it ever work? | 16:21 |
bknudson | I thought it was used with kerberos | 16:22 |
*** aix has quit IRC | 16:22 | |
zigo | bknudson: It works on devstack (tm) | 16:22 |
zigo | :) | 16:22 |
ayoung | bknudson, you can't do kerberos to eventlet, so no | 16:22 |
zigo | What I don't get is that it builds fine on my laptop, and the env should be the same as in my jenkins ... :( | 16:23 |
notmorgan | zigo: oh hi | 16:23 |
notmorgan | zigo: you're here | 16:23 |
zigo | notmorgan: Like every day! :) | 16:23 |
notmorgan | zigo: so. debconf stuff. | 16:23 |
ayoung | it was a good idea, and maybe someone picked it up and ran with it, but if it's not mathrock's group (and they don't), I don't know who would be so bold. KC does not support negotiate on connections other than to Keystone, and keystone didn't support x509, so it would have to be a very customized install. | 16:23 |
notmorgan | zigo: when you're done talking w/ ayoung | 16:23 |
bknudson | zigo: looks like "Expose bind data via AccessInfo" is in keystoneauth 1.2.0, but you're running with "1.1.0-2" | 16:24 |
*** rderose has quit IRC | 16:24 | |
notmorgan | zigo: specifically i think we need to revisit the whole "you as a package maintainer controlling when the service starts and stops" | 16:24 |
zigo | bknudson: Oh, got it, so I just need to upgrade keystoneauth1 in my jenkins, easy enough, thanks! :) | 16:25 |
bknudson | zigo: are you building ksm master? that's got keystoneauth1>=2.1.0 | 16:25 |
bknudson | ok, great | 16:25 |
bknudson | can't promise that's going to fix all the issues, but the missing bind property is pretty obvious | 16:25 |
ayoung | notmorgan, I'm going to write a spec for bootstrap | 16:26 |
notmorgan | ayoung: sounds good | 16:26 |
notmorgan | ayoung: and feel free to run with/change/update that patchset | 16:26 |
bknudson | ayoung: notmorgan: would it be better to expose create_user, etc., in keystone-manage ? | 16:26 |
ayoung | ++ | 16:26 |
notmorgan | ayoung: it's probably 90% done | 16:26 |
zigo | notmorgan: I do need to have keystone service started so I can use its API. | 16:26 |
ayoung | bknudson, so, that is the catch | 16:26 |
ayoung | I don't think so | 16:27 |
notmorgan | recommendation i had was to source the password from OS_* variables | 16:27 |
bknudson | if I've got a ldap backend create user isn't going to work | 16:27 |
ayoung | bknudson, we can't remove anything that Horizon uses | 16:27 |
ayoung | and we probably should not duplicate | 16:27 |
notmorgan | zigo: auto configuring a service in the catalog or anywhere seems *very* broken for a complex system like openstack | 16:27 |
notmorgan | zigo: i'll contest that debconf should not try and setup openstack at all | 16:27 |
bknudson | ayoung: I don't understand the comment. I didn't suggest removing anything. | 16:27 |
ayoung | but...yeah, I guess we need it | 16:27 |
notmorgan | via the apis | 16:27 |
notmorgan | just base install and let people do the real work with other tools. | 16:27 |
notmorgan | packaging shouldn't be trying to standup a complex system like openstack | 16:28 |
notmorgan | imo | 16:28 |
zigo | notmorgan: It's entirely optional, but very useful for me for my CI. | 16:28 |
ayoung | bknudson, yeah, I retract the objection. Was thinking "don't duplicate API ability" but of course we need to | 16:28 |
ayoung | as they say around here "DER" | 16:28 |
zigo | notmorgan: I do run a CI without anything but preseed and packages. | 16:28 |
zigo | I don't want to drop this. | 16:28 |
zigo | Plus preseeding is very helpful too. | 16:28 |
notmorgan | and i think encoding this into the packages is the wrong choice in every case. | 16:29 |
notmorgan | i told you you'd disagree with me when i pinged you earlier ;) | 16:29 |
zigo | notmorgan: I know many people don't agree... :) | 16:29 |
bknudson | ayoung: well, I'd prefer not to duplicate anything either, but prefer duplication to admin token. | 16:29 |
zigo | notmorgan: Though again, it's optional, and by the Debian policy, it isn't on the way to do anything with a configuration manager. | 16:29 |
notmorgan | zigo: but it is the default behavior, is it not? | 16:30 |
* zigo found that the issue was that python-keystoneauth1 wasn't registered to use the correct debian/mitaka branch, so it was building an older version in my jenkins... :P | 16:30 | |
notmorgan | zigo: can i at least encourage it to be the non-default behavior | 16:30 |
zigo | notmorgan: No, the default behavior is to do nothing. | 16:30 |
notmorgan | ok | 16:30 |
*** ajayaa has quit IRC | 16:30 | |
notmorgan | i was misinformed/ran into something trying to autoconfigure in the past | 16:30 |
zigo | No automated dbconfig, no API registration, etc. | 16:31 |
notmorgan | zigo: i have too many things that try and auto-restart apache | 16:31 |
notmorgan | or drop configs and restart things. | 16:31 |
notmorgan | out of the box | 16:31 |
zigo | notmorgan: I'd like to avoid restarting apache too. | 16:31 |
zigo | notmorgan: Though that's a more general issue here. | 16:32 |
zigo | notmorgan: If we get loads of API using a single Apache instance, restarting Apache because of any upgrade is crazy. | 16:32 |
notmorgan | yep | 16:32 |
zigo | uwsgi is much nicer in this regard. | 16:32 |
notmorgan | eh. | 16:33 |
bknudson | zigo: why wouldn't you use uwsgi? | 16:33 |
notmorgan | apache -> uwsgi is just fine | 16:33 |
notmorgan | vhosts are easy to config and reload is safe | 16:33 |
notmorgan | or graceful | 16:33 |
bknudson | if you're transitioning from eventlet I'd think uwsgi would be the easiest | 16:34 |
notmorgan | bknudson: i agree | 16:34 |
zigo | bknudson: Because upstream is telling me that Apache is *the* solution ! :) | 16:34 |
zigo | And I'm trying to just listen ... | 16:34 |
notmorgan | zigo: apache is the recommended solution because of the heavy reliance on mod_shib and that mod_wsgi was a lower barrier to entry | 16:34 |
notmorgan | also ssl offload | 16:34 |
notmorgan | however, nginx is also a good offload | 16:34 |
bknudson | really it's just allowing us to remove the crappy eventlet code in keystone, and letting uwsgi handle the connections. uwsgi is better at it than we are. | 16:34 |
notmorgan | running keystone in uwsgi is just better than we are at handling connections | 16:35 |
zigo | I get that we all want to get rid of eventlet, no problem. | 16:35 |
notmorgan | but i would *still* not run uwsgi in http mode | 16:35 |
zigo | I just wonder if we are just misled here, and that we could use something else, still in Python, to do the same job. | 16:35 |
notmorgan | i would still front it with a webserver in any real configuration | 16:35 |
notmorgan | no | 16:35 |
notmorgan | python really does not do what we need. | 16:35 |
zigo | That's what I don't understand! :) | 16:35 |
notmorgan | we are bad at writing wsgi containers | 16:36 |
notmorgan | python doesn't do this well | 16:36 |
zigo | notmorgan: Is it long to explain? :) | 16:36 |
notmorgan | the options are eventlet? asyncio with custom code? | 16:36 |
notmorgan | or uwsgi/mod_wsgi + a very basic entry point | 16:36 |
bknudson | you can't just expose everything to the internet. You need something that's been hardened | 16:36 |
bknudson | maybe uwsgi has been hardened, I don't know. | 16:36 |
notmorgan | i trust mod_wsgi/uwsgi more than my code for that | 16:36 |
bknudson | but I do know that apache has been. | 16:36 |
notmorgan | they are heavily used and have lots of eyes on it. | 16:37 |
zigo | python-keystonemiddleware builds fine now... and so does Zaqar with it! :) \o/ | 16:37 |
notmorgan | zigo: that is good news | 16:37 |
zigo | I got only 6 server projects and I'm done with Mitaka b1. :) | 16:38 |
bknudson | zaqar doesn't use the ksm fixture? | 16:38 |
notmorgan | anyway. so use uwsgi + mod_uwsgi or uwsgi + mod_proxy, or uwsgi + nginx | 16:38 |
*** rderose has joined #openstack-keystone | 16:39 | |
notmorgan | we mostly test just apache + mod_wsgi, but we could expand that with functional testing in the gate | 16:39 |
bknudson | I don't think we need to test everything. There's too many options. Let's just get rid of specialized code. | 16:40 |
bknudson | we're not going to test every possible http client, either. | 16:41 |
bknudson | although I agree it would be better to test 2 rather than only 1. | 16:42 |
bknudson | so a uwsgi gate job would be handy (we could change devstack's eventlet setup to do uwsgi instead) | 16:42 |
*** rcernin has quit IRC | 16:42 | |
notmorgan | bknudson: yep | 16:43 |
*** vgridnev has quit IRC | 16:47 | |
*** diazjf has quit IRC | 16:47 | |
*** lhcheng has joined #openstack-keystone | 16:52 | |
*** ChanServ sets mode: +v lhcheng | 16:52 | |
*** david-lyle has quit IRC | 16:53 | |
*** petertr7 is now known as petertr7_away | 16:53 | |
*** ninag has quit IRC | 16:59 | |
*** ninag has joined #openstack-keystone | 16:59 | |
*** belmoreira has quit IRC | 17:02 | |
*** ninag_ has joined #openstack-keystone | 17:03 | |
*** ninag has quit IRC | 17:04 | |
*** dims_ has quit IRC | 17:06 | |
*** ninag_ has quit IRC | 17:07 | |
*** ig0r_ has joined #openstack-keystone | 17:11 | |
*** dims has joined #openstack-keystone | 17:12 | |
*** steveng has quit IRC | 17:13 | |
*** ChanServ sets mode: +o dolphm | 17:13 | |
*** diazjf has joined #openstack-keystone | 17:14 | |
*** topol has quit IRC | 17:15 | |
*** dims has quit IRC | 17:16 | |
*** dims has joined #openstack-keystone | 17:17 | |
*** browne has joined #openstack-keystone | 17:19 | |
*** _cjones_ has joined #openstack-keystone | 17:20 | |
*** RichardRaseley has joined #openstack-keystone | 17:24 | |
*** dims has quit IRC | 17:24 | |
*** BAKfr has joined #openstack-keystone | 17:25 | |
*** topol has joined #openstack-keystone | 17:25 | |
*** ChanServ sets mode: +v topol | 17:25 | |
openstackgerrit | Tom Cocozzello proposed openstack/keystone: WIP List assignments with names https://review.openstack.org/249958 | 17:26 |
*** lhcheng_ has joined #openstack-keystone | 17:26 | |
*** gyee has joined #openstack-keystone | 17:27 | |
*** ChanServ sets mode: +v gyee | 17:27 | |
openstackgerrit | Brian Curtin proposed openstack/keystoneauth: Provide a RFC 7231 compliant user agent string https://review.openstack.org/256002 | 17:28 |
*** sigmavirus24 is now known as sigmavirus24_awa | 17:29 | |
*** lhcheng has quit IRC | 17:29 | |
*** singhj has joined #openstack-keystone | 17:29 | |
singhj | Hey guys, does anyone know the difference between --os-url and --os-auth-url? | 17:32 |
*** openstackstatus has joined #openstack-keystone | 17:37 | |
*** tonytan4ever has quit IRC | 17:37 | |
*** ChanServ sets mode: +v openstackstatus | 17:37 | |
*** mhickey has quit IRC | 17:41 | |
*** davechen has left #openstack-keystone | 17:44 | |
*** dims has joined #openstack-keystone | 17:47 | |
lhcheng_ | singhj: --os-url if you are going to use a token for authentication, it is used together with --os-token | 17:47 |
lhcheng_ | singhj: --os-auth-url if you're going to authenticate by password | 17:48 |
*** topol has quit IRC | 17:48 | |
lhcheng_ | singhj: https://github.com/openstack/python-openstackclient/blob/master/doc/source/authentication.rst#authentication-plugins | 17:48 |
singhj | lhcheng_: thank you | 17:49 |
openstackgerrit | Merged openstack/keystone: Updating sample configuration file https://review.openstack.org/254633 | 17:49 |
*** dims has quit IRC | 17:53 | |
*** browne has quit IRC | 17:54 | |
*** roxanaghe has quit IRC | 17:55 | |
*** roxanaghe has joined #openstack-keystone | 17:56 | |
*** dims has joined #openstack-keystone | 17:57 | |
notmorgan | so... | 17:58 |
*** ninag has joined #openstack-keystone | 18:00 | |
*** spandhe has joined #openstack-keystone | 18:01 | |
*** pnavarro has quit IRC | 18:09 | |
stevemar | so | 18:10 |
*** dims has quit IRC | 18:12 | |
*** amit213 has quit IRC | 18:14 | |
*** amit213 has joined #openstack-keystone | 18:15 | |
notmorgan | sooooooooo | 18:17 |
gyee | ayoung, https://review.openstack.org/#/c/177661/, oslo policy is still required | 18:18 |
gyee | ayoung, you want to remove oslo policy dependency? | 18:18 |
ayoung | gyee, you still need it? | 18:19 |
gyee | ayoung, yes, because even though we don't use policy.json, we're still using a rule to have more flexibility | 18:19 |
*** aginwala has joined #openstack-keystone | 18:20 | |
ayoung | gyee, and hence the temp dir as well...do we really need that, then? | 18:22 |
gyee | ayoung, sorry, tempdir we don't need | 18:22 |
*** diazjf has quit IRC | 18:22 | |
ayoung | gyee, how is the policy file going to be distributed, then? CMS? | 18:22 |
ayoung | I thought you had decided to put it entirely in the config file | 18:23 |
gyee | ayoung, no need for policy.json, I just need to enforce a rule | 18:24 |
gyee | that can be done dynamically | 18:24 |
gyee | ayoung, a rule is configured in auth_token middleware section | 18:24 |
gyee | I'll create an enforcer to enforce that, no policy.json | 18:25 |
ayoung | gyee, So, I think we need at a minimum to do two things: | 18:25 |
gyee | ayoung, if we agree on using oslo policy to do the enforcement, I can cleanup the rest | 18:25 |
ayoung | 1. Make it work for a list of endpoint ids. The same middleware will be executed for admin versus public versus private (in the keystone case) | 18:26 |
ayoung | 2) make it work for the service catalog URLS instead of the ids | 18:26 |
gyee | ayoung, both will work with a rule | 18:26 |
ayoung | because the CMS will not know the ID before having to modify auth_token section of the config file | 18:26 |
gyee | since we flatten the catalog and use that for enforcement | 18:26 |
gyee | using a rule is very flexible | 18:27 |
*** topol has joined #openstack-keystone | 18:27 | |
*** ChanServ sets mode: +v topol | 18:27 | |
gyee | ayoung, if we agree on using policy for enforcement, then I can clean the rest. Otherwise, I'll need to duplicate some oslo code in there. | 18:32 |
ayoung | gyee, Go for it | 18:32 |
ayoung | policy is fine | 18:32 |
gyee | ayoung, k, I'll cleanup the rest, thanks! | 18:33 |
ayoung | gyee, just you need to match "any" endpoint defined, not just one | 18:33 |
ayoung | so where you do | 18:33 |
gyee | ayoung, right | 18:33 |
gyee | we can match anything in the flattened catalog | 18:33 |
ayoung | gyee, but this is from the config file, and so it should be a multistropt I think | 18:34 |
openstackgerrit | Merged openstack/keystone: Updated from global requirements https://review.openstack.org/254444 | 18:34 |
ayoung | for endpoint in service.get('endpoints', []): | 18:34 |
ayoung | gyee ugh...the rules are going to be ugly. Do you have a text example in your tests? | 18:35 |
*** dims has joined #openstack-keystone | 18:36 | |
gyee | ayoung, https://review.openstack.org/#/c/177661/30/keystonemiddleware/tests/unit/auth_token/test_endpoint_constraint.py | 18:37 |
gyee | line 67 | 18:37 |
gyee | you can match multiple endpoints by IDs | 18:37 |
ayoung | gyee, ok so it would be | 18:37 |
*** jistr has quit IRC | 18:38 | |
ayoung | endpoint_id:%s' % (self.endpoint[0].id) or endpoint_id:%s' % (self.endpoint[1].id) | 18:38 |
gyee | ayoung, not sure if I understand, what would user need to configure then? | 18:39 |
*** aginwala has quit IRC | 18:39 | |
ayoung | gyee, let's assume that nova has two endpoints on the same phys machine, reading the same conf file | 18:40 |
ayoung | public and admin or whatever | 18:40 |
*** diazjf has joined #openstack-keystone | 18:40 | |
ayoung | gyee, https://wiki.openstack.org/wiki/API_Working_Group/Current_Design/Service_Catalog | 18:43 |
*** aginwala has joined #openstack-keystone | 18:43 | |
*** shaleh has joined #openstack-keystone | 18:44 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/256053 | 18:44 |
*** browne has joined #openstack-keystone | 18:44 | |
gyee | ayoung, so if we flatten the catalog, we can match whatever's in there | 18:45 |
ayoung | gyee, All I am saying is test an Or rule from the config | 18:45 |
gyee | endpoint_id, region, service type, etc | 18:45 |
gyee | ayoung, sure, I can add a few more tests | 18:46 |
ayoung | make sure we can say multiple endpoint ids are valid for a single authtoken deploy. Capiche? | 18:46 |
gyee | ayoung, roger that | 18:46 |
*** aginwala has quit IRC | 18:47 | |
ayoung | gyee, we're good. ping me when you want me to look again | 18:47 |
*** lhcheng_ is now known as lhcheng | 18:48 | |
*** ChanServ sets mode: +v lhcheng | 18:48 | |
*** fawadkhaliq has quit IRC | 18:50 | |
*** aginwala has joined #openstack-keystone | 18:56 | |
*** harlowja has quit IRC | 18:56 | |
*** harlowja has joined #openstack-keystone | 18:56 | |
*** ninag has quit IRC | 18:58 | |
*** ninag has joined #openstack-keystone | 18:58 | |
*** ninag_ has joined #openstack-keystone | 19:02 | |
*** ninag has quit IRC | 19:03 | |
*** zz_john5223 has quit IRC | 19:08 | |
*** tonytan4ever has joined #openstack-keystone | 19:11 | |
*** sigmavirus24_awa is now known as sigmavirus24 | 19:11 | |
*** e0ne has joined #openstack-keystone | 19:13 | |
*** davechen has joined #openstack-keystone | 19:16 | |
*** aginwala has quit IRC | 19:19 | |
*** john5223 has joined #openstack-keystone | 19:21 | |
*** aginwala has joined #openstack-keystone | 19:24 | |
*** jorge_munoz has quit IRC | 19:26 | |
*** diazjf has quit IRC | 19:27 | |
*** r-daneel has joined #openstack-keystone | 19:27 | |
*** ninag_ has quit IRC | 19:32 | |
*** ninag has joined #openstack-keystone | 19:32 | |
breton | has anybody run into a problem with WebSSO when after authentication keystone redirects to http://ip/auth/websso/ instead of http://ip/horizon/auth/websso/ ? | 19:33 |
*** steveng has joined #openstack-keystone | 19:35 | |
stevemar | breton: hmm, maybe that's cause of new horizon stuff putting it all under /horizon | 19:35 |
*** ninag has quit IRC | 19:36 | |
*** rderose has quit IRC | 19:37 | |
*** ninag has joined #openstack-keystone | 19:37 | |
*** kibm has joined #openstack-keystone | 19:38 | |
*** ninag has quit IRC | 19:40 | |
*** ninag has joined #openstack-keystone | 19:41 | |
*** phalmos has joined #openstack-keystone | 19:41 | |
*** ninag has quit IRC | 19:42 | |
gordc | any idea what is throwing this deprecation? http://logstash.openstack.org/#/dashboard/file/logstash.json?query=message:%5C%22deprecated%5C%22%20AND%20loglevel:%5C%22WARNING%5C%22%20AND%20build_branch:%5C%22master%5C%22 | 19:42 |
*** ninag has joined #openstack-keystone | 19:42 | |
bknudson | gordc: which one? | 19:43 |
gordc | bknudson: all of them? they all seem to be from apache/keystone.txt... or is it just ending up there? | 19:45 |
*** ninag has quit IRC | 19:45 | |
*** ninag has joined #openstack-keystone | 19:46 | |
stevemar | bknudson: gordc https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample#L688 | 19:46 |
bknudson | gordc: so one deprecation is `"admin_workers" from group "eventlet_server" is deprecated for removal.` | 19:46 |
*** diazjf has joined #openstack-keystone | 19:46 | |
bknudson | if you're running in apache you don't need to set admin_workers, admin_bind_host, etc. | 19:46 |
bknudson | it's probably devstack that's setting these options even when it doesn't have to | 19:47 |
bknudson | just because it's easier. | 19:47 |
gordc | bknudson: yep that's what i think. | 19:47 |
*** tqtran has joined #openstack-keystone | 19:47 | |
bknudson | so that might be an easy one to take care of, check if devstack is configured to run keystone in apache and if so skip the settings. | 19:48 |
bknudson | then it'll be logged less, but since there's a gate job that tests keystone in eventlet we can't get rid of it entirely | 19:49 |
*** phalmos has quit IRC | 19:49 | |
stevemar | bknudson: it seems like the old option is being set | 19:49 |
gordc | stevemar: what's the new option? | 19:50 |
breton | stevemar: that's in kilo. But yes, /auth/websso is hardcoded there in kilo | 19:54 |
stevemar | gordc: admin_workers should be in the [eventlet] group | 19:55 |
stevemar | double check that it's not in the [default] group | 19:55 |
gordc | stevemar: [eventlet_server]? | 19:56 |
gordc | or [eventlet] | 19:56 |
stevemar | gordc: you're gonna make me look it up | 19:56 |
gordc | i looked it up | 19:57 |
stevemar | eventlet_server | 19:57 |
gordc | it's already under eventlet_server | 19:58 |
gordc | Option "admin_workers" from group "eventlet_server" is deprecated for removal. Its value may be silently ignored in the future. | 19:58 |
gordc | bknudson: stevemar: meh, i did this https://review.openstack.org/#/c/256078/ | 19:59 |
*** shaleh has quit IRC | 20:00 | |
gordc | please +/- as you like :) | 20:00 |
*** ninag has quit IRC | 20:00 | |
stevemar | gordc: ah right, both the old and the new group are deprecated | 20:01 |
stevemar | everything is deprecated! | 20:01 |
*** ninag has joined #openstack-keystone | 20:01 | |
*** rcernin has joined #openstack-keystone | 20:01 | |
stevemar | gordc: looks good | 20:01 |
gordc | stevemar: no one will let you. deprecation is a dream in openstack | 20:01 |
stevemar | one day we'll remove eventlet | 20:02 |
stevemar | one day | 20:02 |
gordc | stevemar: come to ceilometer or aodh. the dream is real | 20:03 |
gordc | https://review.openstack.org/#/c/240888/ | 20:04 |
*** jasonsb has quit IRC | 20:04 | |
*** ninag has quit IRC | 20:05 | |
breton | deployed keystone and horizon kilo with websso using okta.com as an IdP | 20:09 |
breton | horizon is not ready for websso in kilo :( | 20:09 |
stevemar | hmm | 20:14 |
stevemar | breton: lhcheng has set it up a bunch of times | 20:14 |
*** shaleh has joined #openstack-keystone | 20:16 | |
lhcheng | breton: it should work with kilo, you probably need to get the later version of django_openstack_auth | 20:16 |
lhcheng | breton: what version of django_openstack_auth are you using? | 20:16 |
*** jorge_munoz has joined #openstack-keystone | 20:21 | |
breton | lhcheng: django-openstack-auth==1.2.0 | 20:23 |
lhcheng | breton: 1.2.0 is right, have you set the configuration in horizon to enable websso? | 20:25 |
breton | does d-o-a still fish the url out of the referer? | 20:26 |
breton | lhcheng: I've set it up | 20:26 |
breton | lhcheng: and it works | 20:26 |
lhcheng | breton: oh great | 20:27 |
breton | but for example to support http://ip/horizon/auth/websso instead of http://ip/auth/websso I had to hardcode the suburl in openstack_auth/views.py L63 | 20:27 |
breton | I also terribly disliked that horizon fished the url to validate the token against out of referer | 20:28 |
*** alex_xu has quit IRC | 20:30 | |
lhcheng | breton: ah ayoung fixed that issue in horizon | 20:30 |
breton | lhcheng: which one? With referer or suburl? | 20:30 |
lhcheng | webroot not getting picked up | 20:30 |
lhcheng | it was fixed here: https://github.com/openstack/django_openstack_auth/commit/85b2aaea489f2e89e36bc08b99216939d8076462#diff-a2b178442c61a16a7978d4ecdc3d0964 | 20:31 |
amakarov | lhcheng, nice to see that - the idea looked terrible | 20:32 |
*** alex_xu has joined #openstack-keystone | 20:33 | |
lhcheng | breton: why don't you like the idea of using the referer? | 20:34 |
amakarov | lhcheng, http/https issue | 20:34 |
*** dims has quit IRC | 20:35 | |
*** dims has joined #openstack-keystone | 20:35 | |
amakarov | lhcheng, sorry for intervening :) | 20:36 |
breton | lhcheng: because we already have the keystone url in horizon config | 20:36 |
amakarov | lhcheng, the problem is that referer is an external url, while auth.authenticate operates internally in the cloud | 20:37 |
amakarov | so external url may be inaccessible for this operation | 20:38 |
breton | (or unwanted) | 20:38 |
stevemar | gordc: nooooooo | 20:38 |
stevemar | http://logs.openstack.org/39/256039/1/check/gate-keystonemiddleware-python27/53e9755/testr_results.html.gz | 20:38 |
lhcheng | amakarov: that referer is where keystone will redirect to after federation is completed. | 20:38 |
amakarov | for example: if external urls use https and internal - http | 20:38 |
lhcheng | if keystone can't access horizon, you can't really do websso. | 20:39 |
gordc | stevemar: master? | 20:39 |
openstackgerrit | Sean Perry proposed openstack/keystone: Clean up new_credential_ref usage and surrounding code https://review.openstack.org/246713 | 20:39 |
amakarov | lhcheng, it can, but a bit differently | 20:39 |
stevemar | gordc: stable | 20:39 |
shaleh | another day, another rebase ^^ | 20:39 |
amakarov | lhcheng, as I say: external urls aren't accessible internally | 20:40 |
amakarov | due to https scheme | 20:40 |
amakarov | lhcheng, while the very same url can be served via http flawlessly | 20:40 |
gordc | ... it's because everything is uncapped | 20:40 |
*** e0ne has quit IRC | 20:41 | |
lhcheng | amakarov: hmm user will be switched from https to http site? | 20:41 |
lhcheng | amakarov: login page (https) -> federated login -> keystone (internal http) -> horizon (http?) ? | 20:42 |
amakarov | lhcheng, no. user sits outside the cloud protected by https | 20:42 |
amakarov | lhcheng, services communicate internally using http | 20:43 |
*** jasonsb has joined #openstack-keystone | 20:43 | |
*** jorge_munoz has quit IRC | 20:43 | |
amakarov | lhcheng, we ran into issue, when service extracts url to communicate to another service from referrer | 20:44 |
amakarov | which is for the external user, sitting outside | 20:44 |
amakarov | lhcheng, service tries to do https://public_host_name:5000/whatever | 20:45 |
amakarov | and fails | 20:45 |
amakarov | as all 5000 port requests are served via http only | 20:45 |
amakarov | I mean internal requests | 20:46 |
lhcheng | amakarov: hmm so keystone should redirect to the internal address of horizon? | 20:47 |
*** jaosorior has quit IRC | 20:47 | |
*** jorge_munoz has joined #openstack-keystone | 20:47 | |
*** jaosorior has joined #openstack-keystone | 20:47 | |
gordc | stevemar: i don't get it. it fails because of deprecation warning? | 20:48 |
amakarov | lhcheng, no. External urls should be external, internal - internal | 20:48 |
stevemar | gordc: haven't looked into it yet | 20:48 |
amakarov | lhcheng, and not get mixed | 20:48 |
amakarov | lhcheng, I haven't said a word about redirecting | 20:49 |
stevemar | gyee: push shaleh's last patch: https://review.openstack.org/#/c/246713/ make him a happy camper | 20:49 |
*** steveng has quit IRC | 20:49 | |
shaleh | stevemar: there is something meditative about fixing the same rebase issue every morning | 20:50 |
gyee | stevemar, ack, employee happiness is important :) | 20:50 |
lhcheng | amakarov: I got confused, I thought you were disagreeing about the use of referer in context of websso. | 20:50 |
gyee | shaleh, that or tea :) | 20:51 |
lhcheng | amakarov: I get what you mean about internal and external endpoints. | 20:51 |
shaleh | gyee: tea is preferable :-) | 20:51 |
amakarov | lhcheng, I'm against using external url in internal requests - that's all | 20:52 |
lhcheng | amakarov: this is not for internal requests | 20:52 |
lhcheng | amakarov: horizon should be hitting the public endpoint, that should be the configuration in the settings | 20:53 |
amakarov | lhcheng, agreed | 20:53 |
lhcheng | so it should be: external horizon login page -> external ks endpoint -> federated login -> external ks endpoint -> horizon external endpoint | 20:54 |
amakarov | lhcheng, that's from outside - yes | 20:55 |
amakarov | besides, horizon's openstack_auth issues a request to keystone in the process of websso | 20:56 |
amakarov | lhcheng, so it's not about redirecting the user | 20:56 |
amakarov | it's the internal process talking to another internal process | 20:57 |
shaleh | gyee: I expected git to be smarter with its merges | 20:58 |
amakarov | lhcheng, and the problem was (in our case - IS) that external url was used for this for some reason | 20:58 |
lhcheng | amakarov: ugh, yeah that's bad idea | 20:59 |
amakarov | lhcheng, so I'm happy to know it's fixed :) | 21:00 |
*** gordc has quit IRC | 21:01 | |
lhcheng | amakarov: awesome :) | 21:01 |
gyee | amakarov, what was the fix? burn a hole in your network to let your internal keystone access external horizon endpoint? | 21:03 |
*** petertr7_away is now known as petertr7 | 21:04 | |
*** tonytan4ever has quit IRC | 21:06 | |
*** raildo is now known as raildo-afk | 21:07 | |
stevemar | gyee: you don't have to worry about waiting for jenkins results to +A (referring to https://review.openstack.org/#/c/246713/) | 21:08 |
stevemar | if jenkins fails, then even with a +A, it won't gate | 21:09 |
gyee | stevemar, k, thanks, good to known | 21:09 |
gyee | know | 21:10 |
stevemar | gyee: i'm here to dish out knowledge | 21:10 |
*** sigmavirus24 is now known as sigmavirus24_awa | 21:10 | |
gyee | stevemar, I am enlighten | 21:10 |
*** sigmavirus24_awa is now known as sigmavirus24 | 21:10 | |
stevemar | gyee: you were already enlightened | 21:10 |
gyee | heh | 21:11 |
flwang | stevemar: ping | 21:11 |
*** pauloewerton has quit IRC | 21:11 | |
flwang | stevemar: i was asked an interesting question and i think you may know the answer | 21:11 |
flwang | stevemar: why keystone's tenant id and user id is using the uuid format without '-'? | 21:11 |
flwang | but most of the other projects' id has the '-' like 0368593a-60ef-48a3-885a-add8dfefe569 | 21:12 |
*** kibm has quit IRC | 21:14 | |
amakarov | gyee, no, just map external hostname to ::1 in /etc/hosts | 21:15 |
gyee | amakarov, that's assuming your network topology allows it | 21:15 |
amakarov | gyee, it was PoC for another task, after all - so it's up to our dev-ops now :) | 21:15 |
gyee | for some deployments, internal network and external network are isolated | 21:15 |
lhcheng | amakarov: you aren't doing dev-ops? lucky you | 21:16 |
amakarov | lhcheng, they'll come to us anyway | 21:16 |
* amakarov going home | 21:18 | |
*** amakarov is now known as amakarov_away | 21:18 | |
*** kairat has quit IRC | 21:20 | |
*** kairat has joined #openstack-keystone | 21:20 | |
openstackgerrit | Fernando Diaz proposed openstack/keystone: WIP: Opt-out certain Keystone Notifications https://review.openstack.org/253780 | 21:20 |
*** atiwari2 has quit IRC | 21:25 | |
*** topol has quit IRC | 21:26 | |
*** chris_19 has joined #openstack-keystone | 21:27 | |
*** atiwari2 has joined #openstack-keystone | 21:27 | |
*** pkarikh has quit IRC | 21:27 | |
*** pkarikh has joined #openstack-keystone | 21:28 | |
*** amakarov_away has quit IRC | 21:28 | |
*** timcline has quit IRC | 21:28 | |
*** amakarov_away has joined #openstack-keystone | 21:28 | |
*** tsufiev has quit IRC | 21:28 | |
*** agireud has quit IRC | 21:31 | |
*** diazjf has quit IRC | 21:31 | |
*** jorge_munoz has quit IRC | 21:32 | |
*** tsufiev has joined #openstack-keystone | 21:32 | |
*** pwp has joined #openstack-keystone | 21:33 | |
*** tonytan4ever has joined #openstack-keystone | 21:34 | |
*** jorge_munoz has joined #openstack-keystone | 21:34 | |
pwp | stevemar: I was wondering if you agreed with henry-nash on https://bugs.launchpad.net/keystone/+bug/1218682. | 21:35 |
openstack | Launchpad bug 1218682 in OpenStack Identity (keystone) "User's email format hasn't been checked" [Wishlist,Triaged] | 21:35 |
*** gordc has joined #openstack-keystone | 21:35 | |
pwp | He basically said that since it is an unsupported feature, the clients should handle it and if it is using ldap that it should be handled by the backend server. | 21:35 |
pwp | Do you still think it is something that is likely to be accepted if implemented? I didn't get a chance to work on it yesterday because I was sick, so no time would be lost if you just wanted to not support email validation. | 21:37 |
*** diazjf has joined #openstack-keystone | 21:38 | |
*** atiwari1 has joined #openstack-keystone | 21:40 | |
*** atiwari2 has quit IRC | 21:43 | |
*** agireud has joined #openstack-keystone | 21:43 | |
*** agireud has quit IRC | 21:48 | |
*** agireud has joined #openstack-keystone | 21:51 | |
breton | lbragstad: sorry, had no time to poke that fernet and trusts issue | 21:52 |
breton | lbragstad: will do first thing tomorrow morning | 21:52 |
*** ninag has joined #openstack-keystone | 21:58 | |
*** gildub has joined #openstack-keystone | 21:59 | |
*** ninag_ has joined #openstack-keystone | 21:59 | |
*** lhcheng_ has joined #openstack-keystone | 21:59 | |
*** ninag_ has quit IRC | 22:00 | |
*** ninag_ has joined #openstack-keystone | 22:00 | |
*** ninag_ has quit IRC | 22:00 | |
*** ninag has quit IRC | 22:02 | |
*** lhcheng has quit IRC | 22:03 | |
*** aginwala has quit IRC | 22:04 | |
*** petertr7 is now known as petertr7_away | 22:06 | |
*** alex_xu has quit IRC | 22:07 | |
*** alex_xu has joined #openstack-keystone | 22:09 | |
*** hogepodge has quit IRC | 22:10 | |
*** atiwari1 has quit IRC | 22:11 | |
*** roxanaghe has quit IRC | 22:11 | |
*** diazjf has quit IRC | 22:12 | |
*** gyee has quit IRC | 22:12 | |
*** arunkant has quit IRC | 22:12 | |
*** hogepodge has joined #openstack-keystone | 22:13 | |
*** gordc has quit IRC | 22:13 | |
*** roxanaghe has joined #openstack-keystone | 22:13 | |
pwp | stevemar: I'm getting off for a bit. | 22:14 |
*** aginwala has joined #openstack-keystone | 22:14 | |
pwp | I'll be back on later tonight. | 22:14 |
*** arunkant has joined #openstack-keystone | 22:14 | |
*** atiwari has joined #openstack-keystone | 22:15 | |
*** pwp has quit IRC | 22:18 | |
*** atiwari has quit IRC | 22:20 | |
*** gyee has joined #openstack-keystone | 22:20 | |
*** ChanServ sets mode: +v gyee | 22:20 | |
*** david-lyle has joined #openstack-keystone | 22:20 | |
*** atiwari has joined #openstack-keystone | 22:20 | |
*** jamielennox|away is now known as jamielennox | 22:22 | |
*** pumaranikar has quit IRC | 22:27 | |
*** kibm has joined #openstack-keystone | 22:29 | |
*** pumaranikar has joined #openstack-keystone | 22:29 | |
*** pushkaru has joined #openstack-keystone | 22:32 | |
*** pumaranikar has quit IRC | 22:32 | |
*** agireud has quit IRC | 22:32 | |
*** kibm_ has joined #openstack-keystone | 22:33 | |
*** agireud has joined #openstack-keystone | 22:34 | |
*** kibm has quit IRC | 22:36 | |
*** pushkaru has quit IRC | 22:39 | |
browne | bknudson: i replied to your comment in https://review.openstack.org/#/c/236092/ | 22:42 |
browne | a cherry-pick seems troublesome | 22:42 |
*** rcernin has quit IRC | 22:45 | |
*** alejandrito has quit IRC | 22:49 | |
*** KarthikB has joined #openstack-keystone | 22:50 | |
*** KarthikB has quit IRC | 22:50 | |
*** david-lyle has quit IRC | 22:55 | |
*** chris_19 has quit IRC | 22:55 | |
*** openstackstatus has quit IRC | 23:01 | |
*** slberger has left #openstack-keystone | 23:13 | |
*** tonytan4ever has quit IRC | 23:16 | |
*** aginwala has quit IRC | 23:21 | |
*** singhj1 has joined #openstack-keystone | 23:21 | |
*** gildub has quit IRC | 23:21 | |
*** singhj has quit IRC | 23:23 | |
*** singhj1 has quit IRC | 23:26 | |
*** aginwala has joined #openstack-keystone | 23:26 | |
mordred | jamielennox, notmorgan: working on python-novaclient OCC/KSA patches, and they have this pluggable auth thing to provide non-keystone auth | 23:37 |
* notmorgan rolls eyes | 23:37 | |
mordred | nobody wants that code, but it hasn't been 'deprecated' in a way that communicates to users that it's deprecated | 23:37 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file https://review.openstack.org/256053 | 23:37 |
mordred | so we can't remove it directly | 23:37 |
mordred | WHICH | 23:37 |
jamielennox | mordred: yep, it's horrible | 23:38 |
mordred | makes me want to write a plugin wrapper function factory thing that will take one of those auth plugins, wrap it in a ksa auth plugin and deal with it that way | 23:38 |
mordred | how terrible of an idea is that? | 23:38 |
jamielennox | mordred: i looked at doing exactly that and there was a problem - but i can't remember what it is and i think i actually made changes to session to accommodate it | 23:39 |
jamielennox | mordred: so it might work now | 23:39 |
mordred | jamielennox: cool. I'll take a stab at it then and if I run in to problems I'll come scream | 23:40 |
jamielennox | mordred: ++ | 23:40 |
mordred | jamielennox: I've got https://review.openstack.org/#/c/256056/ up as patch #1 | 23:42 |
mordred | need to track down the functional test problem | 23:42 |
openstackgerrit | Akira YOSHIYAMA proposed openstack/oslo.policy: Fixes combined "and" and "or" rule handling https://review.openstack.org/253763 | 23:42 |
jamielennox | mordred: if you can make it work i think the neutron and maybe heat clients have similar stuff because those auth plugins made it into oslo.incubator | 23:45 |
mordred | jamielennox: shudder | 23:45 |
jamielennox | mordred: i could never figure out how they were supposed to work because even the auth_url is coming from the plugin | 23:45 |
mordred | jamielennox: so - if those plugins exist in multiple projects, should we put the code in ksa and then throw deprecations if it's triggered? | 23:45 |
jamielennox | mordred: propose to novaclient for now, but yea i'd be ok with the shim going to KSA | 23:46 |
jamielennox | mordred: just need to figure out who uses it, it's been a while since i dealt with the CLIs | 23:46 |
mordred | kk | 23:47 |
*** atiwari1 has joined #openstack-keystone | 23:47 | |
*** singhj has joined #openstack-keystone | 23:48 | |
*** atiwari has quit IRC | 23:49 | |
*** gildub has joined #openstack-keystone | 23:52 | |
*** csoukup has quit IRC | 23:58 |