Friday, 2016-12-02

<ayoung> the Nova one still fails on a tempest test.  Not sure why, but it is trying to call an admin API that is not allowed without admin+project...they must set it some other way [00:00]
<ayoung> jamielennox, http://logs.openstack.org/48/384148/9/check/gate-grenade-dsvm-neutron-multinode-ubuntu-xenial/3ed7b7b/ [00:01]
<ayoung> Working on tempest once I can get a stable run with no changes. [00:02]
*** ayoung has quit IRC [00:07]
*** lamt has quit IRC [00:14]
*** jamielennox is now known as jamielennox|away [00:17]
*** adrian_otto has joined #openstack-keystone [00:20]
*** jamielennox|away is now known as jamielennox [00:23]
*** ayoung has joined #openstack-keystone [00:29]
*** ChanServ sets mode: +v ayoung [00:29]
*** duonghq_ is now known as duonghq [00:29]
*** gyee has joined #openstack-keystone [00:31]
*** ChanServ sets mode: +v gyee [00:31]
<openstackgerrit> Ken'ichi Ohmichi proposed openstack/keystone: Remove CONF.os_inherit.enabled  https://review.openstack.org/405679 [00:32]
<morgan> ayoung: commented on your RBAC spec [00:33]
*** diazjf has joined #openstack-keystone [00:33]
*** code-R has joined #openstack-keystone [00:34]
<ayoung> morgan, on https://review.openstack.org/#/c/391624/  ?  Where? [00:40]
*** hoangcx has joined #openstack-keystone [00:41]
<morgan> clicked post, looks like it didn't go through the 1st time [00:42]
<morgan> it is posted now [00:42]
<morgan> ayoung: i assume if someone wants to just continue with the current policy implementation, they can do so for now. [00:46]
<ayoung> morgan, absolutely [00:46]
<morgan> perfect [00:46]
*** jamielennox is now known as jamielennox|away [00:46]
<ayoung> morgan, so the rules are fetch and cache [00:47]
<ayoung> no reason to fetch them on each token validation.  The way I originally wrote it was that you would do the rbac check in Keystone during token validation, but jamielennox|away pointed out that would break token caching.  This is the compromise [00:48]
<morgan> ayoung: it just wasn't clear the way you had it phrased. [00:48]
<ayoung> I was trying to write out what happened the first time.  Caching is discussed later [00:49]
*** agrebennikov has quit IRC [00:51]
*** jamielennox|away is now known as jamielennox [00:53]
<morgan> right, note what i said, adding "if needed" into that sentence makes it have a ton of wiggle room [00:55]
<morgan> either get each time, cache, do something else wild [00:55]
<morgan> none of my comments (i think) warranted a -1 [00:56]
<ayoung> morgan, so you like?  Think we can get this for Ocata? [00:56]
<morgan> just answers in-line [00:56]
<morgan> i think it's doable [00:56]
<ayoung> answers posted [00:56]
<morgan> the biggest request i'd have is to implement a boot-strapping cli option [00:57]
<morgan> just for initial import vs needing to do OSC work [00:57]
<morgan> *every* time i stand up a cloud. you likely know the rules you want to apply initially. [00:57]
<morgan> and we can just directly inject them into the DB via the internal interfaces. [00:57]
<morgan> but again, not really a show-stopper if not doable [00:58]
<ayoung> I think bootstrap can set the default trivially.  I need to figure out how to implement that without creating another table, though [00:58]
<morgan> i wouldn't do it via bootstrap [00:58]
<morgan> itself that is [00:58]
<morgan> i probably would isolate it to a separate command (just like dbsync is separate) [00:58]
<ayoung> Say we had a verb "ALL" [00:58]
<ayoung> and something the same for the verb patterns. [00:58]
<morgan> "ANY" :) [00:58]
<morgan> but yeah, that works for me [00:59]
<adriant> morgan: sadly didn't get a chance look over the MFA spec. Will look at it tonight. Just had my head too deep into billing and business logic... [00:59]
<ayoung> "ANY" "ANY" "Member" would make sense [00:59]
<morgan> adriant: np [00:59]
<morgan> adriant: i hope you find it covers the bases well [00:59]
<morgan> ayoung: yeah that is kind of my thought [00:59]
<morgan> ANY is better than ALL [00:59]
<morgan> ALL implies always [00:59]
<ayoung> morgan, ++ [01:00]
<ayoung> add that to the spec comments, would you? [01:00]
<morgan> sure. [01:00]
<ayoung> morgan, so long as admin implied Member, we can make the default be Member for any API [01:01]
<morgan> posted [01:02]
<morgan> added exactly what you said, "ANY" "ANY" "<role>" [01:02]
<morgan> i mean it might even be doable with bootstrap itself [01:02]
*** code-R has quit IRC [01:03]
*** code-R has joined #openstack-keystone [01:04]
*** gyee has quit IRC [01:06]
*** zhangjl has joined #openstack-keystone [01:08]
*** edmondsw has joined #openstack-keystone [01:13]
*** edmondsw has quit IRC [01:17]
*** jrist has joined #openstack-keystone [01:18]
*** guoshan has joined #openstack-keystone [01:18]
*** dave-mccowan has joined #openstack-keystone [01:24]
*** liujiong has joined #openstack-keystone [01:37]
*** code-R has quit IRC [01:39]
<openstackgerrit> ayoung proposed openstack/keystone: URL pattern based RBAC Management Interface  https://review.openstack.org/401808 [01:46]
*** edmondsw has joined #openstack-keystone [01:49]
*** browne has quit IRC [01:50]
*** edmondsw has quit IRC [01:54]
*** diazjf has quit IRC [02:02]
*** adrian_otto has quit IRC [02:16]
*** tqtran has quit IRC [02:18]
*** dave-mccowan has quit IRC [02:20]
*** edmondsw has joined #openstack-keystone [02:26]
*** dave-mccowan has joined #openstack-keystone [02:30]
*** edmondsw has quit IRC [02:30]
*** guoshan has quit IRC [02:40]
*** Ephur has quit IRC [02:52]
*** guoshan has joined #openstack-keystone [02:53]
*** namnh has joined #openstack-keystone [02:55]
<openstackgerrit> Ken'ichi Ohmichi proposed openstack/keystone: Remove CONF.os_inherit.enabled  https://review.openstack.org/405679 [03:01]
*** edmondsw has joined #openstack-keystone [03:02]
*** edmondsw has quit IRC [03:07]
*** jamielennox is now known as jamielennox|away [03:11]
*** diazjf has joined #openstack-keystone [03:12]
*** diazjf has quit IRC [03:16]
*** browne has joined #openstack-keystone [03:17]
*** browne has quit IRC [03:18]
<openstackgerrit> ayoung proposed openstack/keystone: Refactor Authorization:  https://review.openstack.org/387161 [03:19]
*** jamielennox|away is now known as jamielennox [03:20]
<stevemar> i find it funny that morgan and ayoung are both in full keystone mode at the same time [03:21]
*** browne has joined #openstack-keystone [03:22]
*** masber has joined #openstack-keystone [03:26]
*** masber has quit IRC [03:26]
*** cheran has quit IRC [03:27]
<openstackgerrit> Merged openstack/keystone-specs: Fix python version to 2.7 for docs  https://review.openstack.org/405074 [03:28]
*** dave-mccowan has quit IRC [03:28]
*** jamielennox is now known as jamielennox|away [03:30]
*** jamielennox|away is now known as jamielennox [03:37]
<openstackgerrit> ayoung proposed openstack/keystone: Refactor is_admin  https://review.openstack.org/387710 [03:38]
<openstackgerrit> ayoung proposed openstack/keystone: Add is_admin_project check to policy.json  https://review.openstack.org/257636 [03:38]
<openstackgerrit> ayoung proposed openstack/oslo.policy: Convert Exceptions to failures.  https://review.openstack.org/165908 [03:44]
*** code-R has joined #openstack-keystone [03:44]
*** browne has quit IRC [03:47]
*** links has joined #openstack-keystone [03:52]
<openstackgerrit> Ken'ichi Ohmichi proposed openstack/keystone: Remove CONF.os_inherit.enabled  https://review.openstack.org/405679 [03:54]
<openstackgerrit> ayoung proposed openstack/keystone: IAM Models  https://review.openstack.org/184651 [03:55]
*** nicolasbock has quit IRC [03:56]
*** guoshan has quit IRC [03:59]
<ayoung> stevemar, what are we doing about APIs now with specs, since we moved the old API doc into the attic in keystone-specs? [04:00]
<stevemar> ayoung: they are all stored here: https://github.com/openstack/keystone/tree/master/api-ref/source [04:01]
<ayoung> stevemar, so they don't go in the specs anymore, right? [04:01]
<stevemar> you can propose a brief outline of the APIs within the spec, if you like, but nothing crazy detailed [04:02]
<ayoung> to what degree are we fleshing out the apis... [04:02]
<ayoung> ah ok [04:02]
<stevemar> enough to convey the idea [04:02]
*** zhangjl has quit IRC [04:02]
*** Marcellin__ has quit IRC [04:08]
*** code-R has quit IRC [04:11]
*** kanikasingh has joined #openstack-keystone [04:12]
*** code-R has joined #openstack-keystone [04:14]
*** kanikasingh has quit IRC [04:15]
*** udesale has joined #openstack-keystone [04:19]
*** adrian_otto has joined #openstack-keystone [04:20]
*** zhangjl has joined #openstack-keystone [04:24]
*** code-R has quit IRC [04:28]
<openstackgerrit> ayoung proposed openstack/keystone-specs: Tokens with subsets of roles  https://review.openstack.org/186979 [04:37]
<stevemar> ayoung: thank you for cleaning up your older specs [04:39]
<stevemar> crinkle: not sure if you're around yet, but folks are interested to hear your opinions on https://review.openstack.org/#/c/390948/ [04:55]
<stevemar> davechen: easy one: https://review.openstack.org/#/c/404806/ :) [04:57]
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/405816 [05:06]
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/405817 [05:06]
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/405818 [05:06]
<ayoung> stevemar, wanted to get to that for a while [05:06]
<ayoung> stevemar, most of them are still good, but I've canned a couple.  The endpoint subset one is going to come up again in the future, but I think we can conquer that one with RBAC....maybe. [05:07]
<openstackgerrit> OpenStack Proposal Bot proposed openstack/oslo.policy: Updated from global requirements  https://review.openstack.org/405877 [05:12]
<openstackgerrit> OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/405889 [05:13]
*** diazjf has joined #openstack-keystone [05:14]
*** voelzmo has joined #openstack-keystone [05:16]
*** voelzmo has quit IRC [05:16]
*** voelzmo has joined #openstack-keystone [05:16]
*** voelzmo has quit IRC [05:23]
*** guoshan has joined #openstack-keystone [05:35]
*** adriant has quit IRC [05:43]
*** jaosorior has joined #openstack-keystone [06:06]
*** code-R has joined #openstack-keystone [06:11]
<openstackgerrit> Merged openstack/keystone: More info in schema validation error  https://review.openstack.org/405006 [06:12]
*** edmondsw has joined #openstack-keystone [06:19]
*** adrian_otto has quit IRC [06:19]
*** diazjf has quit IRC [06:20]
*** edmondsw has quit IRC [06:23]
<davechen> stevemar: +2ed, not that easy ;) [06:27]
<crinkle> stevemar: commented [06:32]
*** openstackgerrit has quit IRC [06:33]
*** openstackgerrit has joined #openstack-keystone [06:41]
<openstackgerrit> Merged openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/405817 [06:41]
*** richm has quit IRC [06:42]
*** josecastroleon has joined #openstack-keystone [06:49]
*** guoshan has quit IRC [07:03]
<openstackgerrit> Merged openstack/oslo.policy: Updated from global requirements  https://review.openstack.org/405877 [07:08]
*** code-R_ has joined #openstack-keystone [07:09]
*** code-R has quit IRC [07:10]
*** jaosorior has quit IRC [07:10]
*** jaosorior has joined #openstack-keystone [07:11]
*** jrist has quit IRC [07:14]
*** jrist has joined #openstack-keystone [07:15]
*** edmondsw has joined #openstack-keystone [07:16]
*** voelzmo has joined #openstack-keystone [07:17]
*** jamielennox is now known as jamielennox|away [07:18]
*** edmondsw has quit IRC [07:20]
<openstackgerrit> Merged openstack/keystone: Validate token issue input  https://review.openstack.org/404806 [07:21]
<openstackgerrit> Merged openstack/keystone: Updated from global requirements  https://review.openstack.org/405816 [07:21]
<openstackgerrit> Merged openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/405818 [07:23]
*** voelzmo has quit IRC [07:23]
<openstackgerrit> Merged openstack/keystone: Minor fix in role_assignments api-ref  https://review.openstack.org/381777 [07:26]
*** voelzmo has joined #openstack-keystone [07:36]
*** GB21 has joined #openstack-keystone [07:36]
*** rcernin has joined #openstack-keystone [07:40]
*** jamielennox|away is now known as jamielennox [07:44]
*** edmondsw has joined #openstack-keystone [07:52]
*** josecastroleon has quit IRC [07:52]
*** GB21 has quit IRC [07:54]
*** josecastroleon has joined #openstack-keystone [07:55]
*** edmondsw has quit IRC [07:57]
*** openstackgerrit has quit IRC [08:03]
*** GB21 has joined #openstack-keystone [08:07]
*** amoralej|off is now known as amoralej [08:15]
*** edmondsw has joined #openstack-keystone [08:29]
*** edmondsw has quit IRC [08:33]
*** guoshan has joined #openstack-keystone [08:47]
*** GB21 has quit IRC [08:56]
*** zzzeek has quit IRC [09:00]
*** code-R has joined #openstack-keystone [09:01]
*** zzzeek has joined #openstack-keystone [09:01]
*** code-R_ has quit IRC [09:04]
*** guoshan has quit IRC [09:12]
*** guoshan has joined #openstack-keystone [09:14]
*** zhangjl has left #openstack-keystone [09:15]
*** zhugaoxiao has joined #openstack-keystone [09:16]
*** GB21 has joined #openstack-keystone [09:19]
*** guoshan has quit IRC [09:29]
*** voelzmo has quit IRC [09:29]
*** aloga has quit IRC [09:29]
*** aloga has joined #openstack-keystone [09:30]
*** voelzmo has joined #openstack-keystone [09:32]
*** DinaBelova has quit IRC [09:37]
*** DinaBelova has joined #openstack-keystone [09:39]
*** edmondsw has joined #openstack-keystone [09:41]
*** asettle has joined #openstack-keystone [09:42]
*** GB21 has quit IRC [09:45]
*** edmondsw has quit IRC [09:46]
*** voelzmo has quit IRC [09:47]
*** rcernin has quit IRC [09:49]
*** rcernin has joined #openstack-keystone [09:50]
*** davechen is now known as davechen_afk [09:52]
*** zhugaoxiao has quit IRC [09:54]
*** code-R has quit IRC [09:54]
*** code-R has joined #openstack-keystone [09:54]
*** GB21 has joined #openstack-keystone [09:58]
*** liujiong has quit IRC [10:09]
*** voelzmo has joined #openstack-keystone [10:19]
*** code-R has quit IRC [10:21]
*** code-R has joined #openstack-keystone [10:22]
*** pnavarro has joined #openstack-keystone [10:22]
*** code-R_ has joined #openstack-keystone [10:25]
*** xiaoyang has quit IRC [10:25]
*** tesseract has joined #openstack-keystone [10:27]
*** code-R has quit IRC [10:27]
*** tesseract is now known as Guest79986 [10:27]
*** code-R_ has quit IRC [10:32]
*** code-R has joined #openstack-keystone [10:32]
*** asettle__ has joined #openstack-keystone [10:39]
*** asettle has quit IRC [10:42]
*** asettle__ is now known as asettle [10:42]
*** code-R_ has joined #openstack-keystone [10:48]
*** code-R has quit IRC [10:51]
*** hoangcx has quit IRC [10:52]
*** udesale has quit IRC [10:54]
*** duonghq has quit IRC [10:57]
*** richm has joined #openstack-keystone [11:12]
*** namnh has quit IRC [11:15]
*** nicolasbock has joined #openstack-keystone [11:36]
*** pnavarro has quit IRC [11:37]
*** GB21 has quit IRC [11:50]
<samueldmq> good morning keystone [11:55]
<samueldmq> ayoung: hi, want to continue on https://review.openstack.org/279263 ? [11:59]
*** GB21 has joined #openstack-keystone [12:05]
*** rcernin has quit IRC [12:12]
*** rcernin has joined #openstack-keystone [12:15]
*** thiagolib has quit IRC [12:28]
*** GB21 has quit IRC [12:29]
<stevemar> crinkle: danke [12:49]
<stevemar> rodrigods: hmm, things are failing in ksc regardless of the test :( https://review.openstack.org/#/c/405889/1 [12:50]
<samueldmq> stevemar: o/ [12:51]
<stevemar> samueldmq: o\ [12:56]
*** jrist has quit IRC [12:59]
*** rcernin has quit IRC [13:06]
*** rcernin has joined #openstack-keystone [13:08]
*** links has quit IRC [13:17]
*** lamt has joined #openstack-keystone [13:17]
<ayoung> samueldmq, ah I might take another look after the current batch of patches around that [13:19]
<ayoung> samueldmq, did you take a look at the 3 I have doing similar stuff? I need for Bug 968696 work [13:20]
<openstack> bug 968696 in OpenStack Identity (keystone) ""admin"-ness not properly scoped" [High,In progress] https://launchpad.net/bugs/968696 - Assigned to Adam Young (ayoung) [13:20]
*** dave-mccowan has joined #openstack-keystone [13:21]
<ayoung> samueldmq, it starts here https://review.openstack.org/#/c/387161/6 [13:21]
<samueldmq> ayoung: so perhaps that patch is invalid ? or you think it just needs rework? [13:22]
<ayoung> samueldmq, I probably duplicated a lot of what you put in there.  Sorry.  We were on the same track [13:22]
<samueldmq> ayoung: no problem at all, you're probably more familiar with that code and can push it quickly, better. [13:23]
<samueldmq> ayoung: I'll abandon mine and focus on reviewing yours [13:23]
<ayoung> Didn't realize you had that in the works.  But my guess is it would be hard to rebase your patch right now, as much as the code base has changed [13:23]
*** jaosorior is now known as jaosorior_brb [13:24]
<ayoung> samueldmq, TYVM.  The fact that you worked through this means you will understand my code changes.  Very valuable [13:24]
<samueldmq> ayoung: ++ no worries at all. I am happy to have you looking at that [13:24]
<samueldmq> ayoung: :) [13:24]
<ayoung> samueldmq, close to getting the is_admin_project check in to here and Nova... [13:24]
<ayoung> funny that Keystone is the worst project for it. [13:24]
<samueldmq> ayoung: hehe [13:24]
*** dave-mcc_ has joined #openstack-keystone [13:32]
*** nishaYadav has joined #openstack-keystone [13:34]
*** nishaYadav is now known as Guest78891 [13:35]
*** dave-mccowan has quit IRC [13:35]
*** Guest78891 has quit IRC [13:35]
*** nishaYadav_ has joined #openstack-keystone [13:35]
*** openstackgerrit has joined #openstack-keystone [13:37]
<openstackgerrit> Julia Varlamova proposed openstack/keystone: Change DevStack plugin to setup multi-Keystone  https://review.openstack.org/399472 [13:37]
*** code-R_ has quit IRC [13:37]
<nishaYadav_> hey all o/ [13:37]
<stevemar> o\ [13:38]
<openstackgerrit> Julia Varlamova proposed openstack/keystone: Change DevStack plugin to setup multi-Keystone  https://review.openstack.org/399472 [13:39]
<ayoung> rodrigods, is Julia Varlamov your outreachy person? [13:40]
<stevemar> ayoung: nope, she's mirantis i think [13:44]
<openstackgerrit> Julia Varlamova proposed openstack/keystone: Change DevStack plugin to setup multi-Keystone  https://review.openstack.org/399472 [13:48]
*** jvarlamova has joined #openstack-keystone [13:48]
<ayoung> stevemar, so the LDAP code in Devstack has bit rotted. In an Ubuntu system, at least, the way you have to initialize open ldap seems to have changed [13:49]
<ayoung> I'm tempted to leave it in place for a while, but try to get an LDAP server set up as part of the Keystone devstack plugin instead [13:50]
<ayoung> rodrigods, ^^ probably something you should know, too [13:51]
<openstackgerrit> Samuel Pilla proposed openstack/keystone: Add password expiration queries for PCI-DSS  https://review.openstack.org/403898 [13:56]
<openstackgerrit> ayoung proposed openstack/keystone: Refactor Authorization:  https://review.openstack.org/387161 [14:04]
*** spzala has joined #openstack-keystone [14:04]
<openstackgerrit> ayoung proposed openstack/keystone: Refactor is_admin  https://review.openstack.org/387710 [14:05]
<openstackgerrit> ayoung proposed openstack/keystone: Add is_admin_project check to policy.json  https://review.openstack.org/257636 [14:06]
*** code-R has joined #openstack-keystone [14:07]
*** code-R_ has joined #openstack-keystone [14:09]
*** code-R has quit IRC [14:11]
*** faizy has joined #openstack-keystone [14:21]
<ayoung> stevemar, samueldmq lbragstad dstanek instead of calling the rbac entity "url_pattern" should I call it "api_access_rule"? [14:25]
<samueldmq> ayoung: example ? [14:25]
<ayoung> samueldmq, in https://review.openstack.org/#/c/391624/ [14:26]
<samueldmq> ayoung: kk I'll review that [14:26]
<ayoung> I have a more readable version...I ran tox docs on it, but let me update [14:26]
<ayoung> I think I want to change that name... [14:26]
<ayoung> samueldmq, i would define an API as a verb + and URL pattern, and then this entity adds in the role required to execute that API [14:27]
<ayoung> calling the whole thing url_pattern is naming it for only one of its parts [14:27]
*** marekd has joined #openstack-keystone [14:28]
*** ChanServ sets mode: +v marekd [14:28]
<ayoung> Synecdoche [14:29]
<samueldmq> ayoung: gotcha, it could simply be "api": "rules" thus just 'api' [14:29]
<samueldmq> ayoung: api_name might work too, as you want. I got what you meant by changing from url_pattern [14:29]
<ayoung> yeah, but having an api api would be funny sounding [14:30]
<ayoung> api_access is more specific [14:30]
<samueldmq> ++ [14:30]
<ayoung> so api_access_rule, while long, is more specific [14:30]
<ayoung> OK,  keep that in mind while reading, and I will rewrite the spec to update it with that term [14:31]
<ayoung> samueldmq, so domains is a bad example [14:33]
*** rcernin has quit IRC [14:33]
<ayoung> as listing domains is not something we want just anyone to do [14:34]
<samueldmq> talking about 'GET /domains': 'admin' ? [14:34]
<ayoung> but, looking at glance, GET /images [14:34]
<ayoung> or GET /v2/servers [14:34]
<samueldmq> ok, that'd be 'GET /images': 'reader' [14:34]
<ayoung> samueldmq, right [14:34]
<ayoung> we need to set up a role inference rule from superior role to subordinate [14:34]
<ayoung> admin->member->reader [14:35]
<ayoung> service admins will probably be split off of admin, too [14:35]
<ayoung> so admin->image_admin [14:35]
<ayoung> and that way people that can admin glance cannot necessarily admin nova. [14:35]
<samueldmq> ayoung: that's the spec jamielennox and dolphm were working on, right ? [14:35]
<ayoung> but that would require policy.json changes, not just rbac [14:35]
<ayoung> samueldmq, yes [14:35]
<ayoung> they needed some more support from rbac enforcement before it was viable [14:36]
<samueldmq> ayoung: ok. we need to define a roadmap [14:36]
<samueldmq> agree in our meeting [14:36]
<ayoung> ++ [14:36]
<samueldmq> and start defining the tasks to get there [14:36]
*** amoralej is now known as amoralej|lunch [14:36]
<samueldmq> and what spec/initiative addresses what [14:36]
<samueldmq> ayoung: brb, lunch time [14:38]
*** code-R_ has quit IRC [14:40]
<ayoung> samueldmq, I am thinking maybe just `access_rule` instead of `api_access_rule` [14:40]
<dstanek> ayoung: i do like access_rule [14:40]
*** code-R has joined #openstack-keystone [14:40]
<samueldmq> ayoung: ++ [14:40]
<samueldmq> dstanek: o/ [14:40]
<ayoung> OK...that is clearer.  I'll go with that in the next pass [14:41]
*** rcernin has joined #openstack-keystone [14:41]
<dstanek> samueldmq o/ [14:42]
*** jamielennox is now known as jamielennox|away [14:45]
*** edmondsw has joined #openstack-keystone [14:47]
<stevemar> ayoung: yeah, it's definitely bit-rotted, been meaning to look at it for a while :( [14:49]
<stevemar> ayoung: maybe we can scam topol into looking at it again :P [14:49]
*** edmondsw_ has joined #openstack-keystone [14:49]
<ayoung> dstanek, I think he was trying to give you a high 5 [14:49]
<ayoung> stevemar, Heh [14:49]
*** edmondsw_ has quit IRC [14:50]
<ayoung> stevemar, I'm tempted to use 389ds instead of OpenLDAP for the keystone plugin, as I know that nkinder worked on that for a long time... [14:50]
<stevemar> dolphm: thanks for abandoning reviews [14:55]
<stevemar> err patches [14:55]
*** rcernin has quit IRC [14:55]
<dolphm> stevemar: you're welcome? [14:56]
<openstackgerrit> ayoung proposed openstack/keystone-specs: Role Check Check from Middleware  https://review.openstack.org/391624 [14:57]
*** rcernin has joined #openstack-keystone [14:58]
<ayoung> dolphm, hey, I addressed your performance concern on the "service catalog subset" review.  I think it might actually help performance if we do it right [14:58]
*** dave-mcc_ has quit IRC [14:58]
<ayoung> https://review.openstack.org/#/c/160909/ [14:58]
<ayoung> you said " In our benchmarking, the most significant time impact of the service catalog is not in transmitting it, but in computing it for each token creation and validation request. " [14:59]
<ayoung> if we can short circuit that catalog computation and composition, it should speed up the token validation and creation processes. [14:59]
*** amoralej|lunch is now known as amoralej [15:03]
*** jhesketh has quit IRC [15:04]
*** jaosorior_brb is now known as jaosorior [15:06]
*** jhesketh has joined #openstack-keystone [15:06]
*** jaosorior has quit IRC [15:11]
*** dave-mccowan has joined #openstack-keystone [15:11]
*** jaosorior has joined #openstack-keystone [15:12]
*** jaosorior has quit IRC [15:13]
*** jaosorior has joined #openstack-keystone [15:13]
*** ravelar has joined #openstack-keystone [15:19]
<breton> morgan: ayoung: stevemar: am i being too paranoid with my concern in https://review.openstack.org/#/c/403866/ ? [15:24]
<ayoung> breton, there is no "too paranoid" only "not paranoid enough" [15:26]
<openstackgerrit> Ondřej Kobližek proposed openstack/python-keystoneclient: Fix Failing tests with openssl >= 1.1.0  https://review.openstack.org/406175 [15:26]
<ayoung> breton, I think you are dead on [15:26]
<ayoung> breton, feel free to up that to a -2 [15:27]
*** nishaYadav_ has quit IRC [15:27]
<ayoung> breton, I just -2ed it [15:28]
<ayoung> breton, maybe I am being too paranoid here, too, but there is no "too paranoid" with this kind of quahackery. [15:29]
*** openstackgerrit has quit IRC [15:33]
*** knasim-wrs has joined #openstack-keystone [15:35]
*** DinaBelova has quit IRC [15:44]
*** DinaBelova has joined #openstack-keystone [15:44]
*** chlong has joined #openstack-keystone [15:48]
*** pnavarro has joined #openstack-keystone [15:48]
<stevemar> turns out ironic got busted by the devstack change too [15:49]
<stevemar> still, only 2 projects, not bad [15:49]
<stevemar> breton: is rally fixed up now? [15:49]
*** edmondsw has quit IRC [15:49]
*** knasim-wrs has quit IRC [15:50]
<dstanek> i really hate that we don't have auto incrementing ids. makes it so hard to page through the data [15:50]
*** edmondsw has joined #openstack-keystone [15:50]
<morgan> dstanek: we could always move to autoinc for all internal PKS and make UUIDs secondary keys [15:51]
*** Guest79986 has quit IRC [15:54]
*** edmondsw has quit IRC [15:54]
<dstanek> morgan: similar to what i was just thinking. i was thinking that we can add a new 'order' column as autoinc and not expose that [15:54]
<dstanek> it's just an implementation detail [15:55]
*** edmondsw has joined #openstack-keystone [15:55]
<breton> stevemar: not yet, but the progress is good [15:56]
<breton> stevemar: we have fixed issues with devstack and gates and now fight issues with some assumptions in rally itself [16:00]
<ayoung> morgan, ++++ [16:01]
*** chris_hultin|AWA is now known as chris_hultin [16:03]
*** rcernin has quit IRC [16:05]
*** voelzmo has quit IRC [16:07]
<stevemar> breton: *nods* [16:07]
<morgan> dstanek: responded to your comments in MFA spec [16:07]
<morgan> dstanek: before i fix the 2 typos [16:07]
<dstanek> morgan: cool, i'll take a look [16:08]
<morgan> dstanek: the notifications and a "default" rule concept [16:08]
<morgan> notifications, not really seeing that as a CADF event [16:08]
<morgan> "no valid rules" (aka all required auth plugins are disabled) is not a good way to lock out users, we have "disabled=True" for those cases in the user objects [16:09]
<morgan> or disable the users' domain [16:09]
<morgan> etc. [16:09]
<morgan> if plugins are disabled in keystone.conf, we ignore them as "required". [16:09]
<morgan> for the default rules, i can see the use. I was unsure how to implement that cleanly. My goal was to implement this base feature and then work on adding in added featuresets such as defaults once we had this working. (possibly needs to be another table or in keystone.conf etc for "defaults") [16:11]
*** david-lyle_ has joined #openstack-keystone [16:17]
<dstanek> morgan: i'm just poking at it to see what you are thinking... just commented again [16:17]
<morgan> cool [16:18]
*** david-lyle has quit IRC [16:19]
*** openstackgerrit has joined #openstack-keystone [16:20]
<openstackgerrit> ayoung proposed openstack/keystone-specs: Allow a remote service to Validate Federation Mapping  https://review.openstack.org/245588 [16:20]
*** chlong has quit IRC [16:20]
*** chlong has joined #openstack-keystone [16:21]
<morgan> dstanek: ++ responded again, in short keystone does not let auth happen, we will need to expand the error raised to say which method is not valid [16:24]
*** adrian_otto has joined #openstack-keystone [16:24]
<dstanek> morgan: that shouldn't be too hard to implement this cycle. is someone going to be doing the client work for it? [16:27]
<morgan> adriant is going to help on both server and client fronts [16:30]
<morgan> he has approval from his PM to be working on this for the cycle. I expect I'll be on the hook for KSA changes though [16:31]
<morgan> if any are needed [16:31]
*** jistr is now known as jistr|biab [16:33]
*** nkinder has quit IRC [16:34]
*** faizy has quit IRC [16:36]
*** tqtran has joined #openstack-keystone [16:38]
*** jaosorior has quit IRC [16:38]
<stevemar> morgan: yep, it'll be nice to get it merged this cycle, since he went ahead and got the upstream time [16:39]
*** diazjf has joined #openstack-keystone [16:42]
*** Zer0Byte__ has joined #openstack-keystone [16:43]
*** diazjf has quit IRC [16:43]
*** diazjf has joined #openstack-keystone [16:44]
*** rcernin has joined #openstack-keystone [16:45]
*** josecastroleon has quit IRC [16:47]
*** nkinder has joined #openstack-keystone [16:47]
*** tqtran_ has joined #openstack-keystone [16:50]
<breton> stevemar: i think we got it fixed now [16:52]
*** tqtran has quit IRC [16:53]
*** raildo has quit IRC [16:56]
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/406233 [16:58]
*** code-R_ has joined #openstack-keystone [16:59]
*** code-R has quit IRC [17:02]
*** chlong has quit IRC [17:02]
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/406233 [17:10]
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/406246 [17:10]
*** asettle has quit IRC [17:11]
<openstackgerrit> Richard Avelar proposed openstack/keystone: Add unit tests for doctor's caching symptoms  https://review.openstack.org/406249 [17:11]
<openstackgerrit> David Stanek proposed openstack/keystone: Move redelegation fields out of extras  https://review.openstack.org/276474 [17:13]
*** spzala has quit IRC [17:14]
*** spzala has joined #openstack-keystone [17:15]
<openstackgerrit> Richard Avelar proposed openstack/keystone: Add unit tests for doctor's caching symptoms  https://review.openstack.org/406249 [17:31]
*** chlong has joined #openstack-keystone [17:41]
*** rcernin has quit IRC [17:45]
*** rcernin has joined #openstack-keystone [17:46]
*** raildo has joined #openstack-keystone [17:47]
<samueldmq> dstanek: hi [17:48]
<samueldmq> dstanek: I am looking at https://review.openstack.org/#/c/276474 [17:48]
<samueldmq> dstanek: a trust may not be redelegated, in which case redelegated_trust_id and redelegation_count are not present in the extras [17:49]
<samueldmq> dstanek: is this correct ? [17:49]
<samueldmq> breton: hi, does my reply to your comment in https://review.openstack.org/#/c/316991/ make sense to you ? [17:52]
*** jistr|biab is now known as jistr [17:53]
*** adrian_otto1 has joined #openstack-keystone [17:56]
*** adrian_otto has quit IRC [17:58]
*** faizy has joined #openstack-keystone [18:03]
*** pnavarro has quit IRC [18:03]
*** voelzmo has joined #openstack-keystone [18:07]
*** david-lyle_ is now known as david-lyle [18:08]
*** pnavarro has joined #openstack-keystone [18:08]
<breton> samueldmq: thanks, i forgot about it. I will comment on it now. [18:10]
*** asettle has joined #openstack-keystone [18:11]
*** diazjf has quit IRC [18:13]
*** code-R_ has quit IRC [18:17]
*** code-R has joined #openstack-keystone [18:17]
*** asettle has quit IRC [18:19]
<samueldmq> breton: thanks [18:19]
<samueldmq> stevemar: please see my comment in bug 1616105 and let me know if that makes sense to you [18:19]
<openstack> bug 1616105 in python-keystoneclient "Request of large files raises a MemoryError due to logging" [High,In progress] https://launchpad.net/bugs/1616105 - Assigned to Tobias Diaz (int-0) [18:19]
*** asettle has joined #openstack-keystone [18:19]
*** pnavarro has quit IRC [18:19]
*** asettle has quit IRC [18:22]
<stevemar> breton: that is good news [18:23]
*** daemontool has joined #openstack-keystone [18:32]
*** daemontool has quit IRC [18:38]
<samueldmq> I would like to get a Python review around what to put in a try/except clause [18:39]
<samueldmq> if it is better to put only the portion raising the exception or a larger block [18:39]
*** voelzmo has quit IRC [18:39]
<samueldmq> L1297 in https://review.openstack.org/#/c/390948/7/keystone/identity/backends/ldap/common.py [18:40]
<samueldmq> cc dstanek ^ [18:40]
*** voelzmo has joined #openstack-keystone [18:40]
*** voelzmo has quit IRC [18:46]
*** ravelar has quit IRC19:01
*** spzala has quit IRC19:02
*** adrian_otto1 has quit IRC19:04
*** ravelar has joined #openstack-keystone19:05
*** adrian_otto has joined #openstack-keystone19:06
*** code-R_ has joined #openstack-keystone19:10
*** code-R has quit IRC19:13
openstackgerritMerged openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/40624619:16
*** diazjf has joined #openstack-keystone19:16
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Domain included for role in list_role_assignment  https://review.openstack.org/37351619:21
samueldmqstevemar: ^ let's see what jenkins says, I've got a bunch of those erros related to that passlib warning locally19:22
*** faizy has quit IRC19:24
*** adrian_otto has quit IRC19:27
*** ravelar has quit IRC19:27
morgansamueldmq: ideally you should keep the section in the try as narrow as possible19:31
morgansamueldmq: so that you don't except on un-related calls.  that said, if you are handling logic based on the exception, and the function continues, you will need to have the logic in the try block that would be impacted by the exception19:33
*** serverascode has quit IRC19:34
*** ctracey has quit IRC19:34
*** jraim has quit IRC19:34
*** zhiyan has quit IRC19:34
*** morgan has quit IRC19:34
*** edtubill has joined #openstack-keystone19:37
*** diazjf has quit IRC19:39
*** jraim has joined #openstack-keystone19:42
*** diazjf has joined #openstack-keystone19:46
*** ctracey has joined #openstack-keystone19:47
*** josecastroleon has joined #openstack-keystone19:48
*** adrian_otto has joined #openstack-keystone19:49
*** serverascode has joined #openstack-keystone19:50
*** josecastroleon has quit IRC19:52
*** zhiyan has joined #openstack-keystone19:53
*** adrian_otto has quit IRC19:54
*** ravelar has joined #openstack-keystone19:56
*** pnavarro has joined #openstack-keystone20:05
*** adrian_otto has joined #openstack-keystone20:09
*** clenimar has quit IRC20:11
*** adrian_otto has quit IRC20:12
*** adrian_otto has joined #openstack-keystone20:13
*** code-R_ has quit IRC20:19
*** code-R has joined #openstack-keystone20:20
*** morgan has joined #openstack-keystone20:25
*** code-R has quit IRC20:25
*** code-R has joined #openstack-keystone20:25
*** pnavarro has quit IRC20:26
*** edmondsw has quit IRC20:28
*** diazjf has quit IRC20:30
*** code-R_ has joined #openstack-keystone20:30
*** pnavarro has joined #openstack-keystone20:31
*** diazjf has joined #openstack-keystone20:32
*** code-R has quit IRC20:33
samueldmqmorgan: agreed20:35
samueldmqmorgan: would you mind to add your view to that review too ? :)20:36
morganwhich one?20:36
morganmy bouncer was dead for the last 1hr or so20:36
*** chlong has quit IRC20:42
*** amoralej is now known as amoralej|off20:51
*** chlong has joined #openstack-keystone20:55
*** raildo has quit IRC21:01
*** pnavarro has quit IRC21:03
*** iurygregory has quit IRC21:09
openstackgerritayoung proposed openstack/keystone: Fernet token formatter with explicit role  https://review.openstack.org/31007421:21
openstackgerritSamuel Pilla proposed openstack/keystone: api-ref update for roles assignments with names  https://review.openstack.org/40636621:22
*** asettle has joined #openstack-keystone21:26
*** asettle has quit IRC21:28
*** Zer0Byte__ has quit IRC21:29
*** chris_hultin is now known as chris_hultin|AWA21:37
*** edtubill has quit IRC21:39
*** diazjf has quit IRC21:41
*** code-R_ has quit IRC21:43
*** diazjf has joined #openstack-keystone21:55
*** daemontool has joined #openstack-keystone22:04
morganayoung: i agree with samueldmq's question. what does this explicit role buy us?22:04
ayoungmorgan, ok here is the workflow22:04
morganit isn't clear to me why we need the ID vs the name.22:04
ayoungI go to some 3rd party vendor and he says I can do something on your cloud22:05
ayoungin order to do it you have to send me a token22:05
morganoh wait. nvm on my question22:05
ayoungI say "ok, but you are not getting everything. What do you need?"22:05
ayoungand he says Reader and I get a token with that role on it22:05
morganderp. because id is better indexed. and fernet payload isn't exposed to the end user22:05
ayoungid is an override for Henry's domain specific roles22:06
ayoungah, yes22:06
ayoungstore the id in the fernet payload22:06
morganyeah i got your part, i was missing the uuid vs name in the token part22:06
morganhow much does this expand the token size?22:06
morganjust making sure we don't run afoul of our upper fernet size limit (default)22:07
* morgan guesses it is about 16 bytes22:07
ayoungthe size is roughly one uuid larger, plus a little for encryption22:07
morganjust keep in mind we need to budget what goes in the token really well now.22:08
ayoungit is still under the limit.  We can't add too much more on top of this, but I think these are actually smaller than the Federated version22:08
morganyeah. probably22:08
ayoungwe don't put groups in there, or anything other than the roleid22:08
morganso stupid question...22:10
morganactually i can just look at the code22:10
morganwill comment there22:10
*** jamielennox|away is now known as jamielennox22:22
*** edtubill has joined #openstack-keystone22:23
*** chlong has quit IRC22:44
*** edtubill has quit IRC22:47
*** dave-mccowan has quit IRC22:55
*** daemontool has quit IRC23:13
*** dave-mccowan has joined #openstack-keystone23:16
*** lamt has quit IRC23:23
*** diazjf has quit IRC23:29
