Thursday, 2017-01-19

*** DinaBelova has joined #openstack-keystone		00:02
*** NikitaKonovalov has joined #openstack-keystone		00:03
*** freerunner has joined #openstack-keystone		00:03
openstackgerrit	Gage Hugo proposed openstack/keystone: Allow user to change own expired password https://review.openstack.org/404022	00:05
*** david-lyle has quit IRC		00:05
*** adrian_otto has quit IRC		00:07
*** lamt has joined #openstack-keystone		00:10
*** adrian_otto has joined #openstack-keystone		00:12
openstackgerrit	Richard Avelar proposed openstack/keystone: WIP extend users API to add federated object https://review.openstack.org/418624	00:15
*** stingaci has joined #openstack-keystone		00:19
*** adrian_otto has quit IRC		00:20
*** browne has quit IRC		00:21
*** adrian_otto has joined #openstack-keystone		00:21
*** stingaci has quit IRC		00:23
*** catintheroof has joined #openstack-keystone		00:23
*** browne has joined #openstack-keystone		00:25
*** adrian_otto has quit IRC		00:34
*** adrian_otto has joined #openstack-keystone		00:36
*** jamielennox\|away is now known as jamielennox		00:37
*** thorst has joined #openstack-keystone		00:39
*** thorst has quit IRC		00:42
*** hoangcx has joined #openstack-keystone		00:50
*** lamt has quit IRC		00:51
*** harlowja has joined #openstack-keystone		00:52
*** ravelar has quit IRC		01:07
*** thorst has joined #openstack-keystone		01:11
*** thorst has quit IRC		01:11
*** catintheroof has quit IRC		01:13
*** catintheroof has joined #openstack-keystone		01:14
*** catintheroof has quit IRC		01:14
*** edmondsw has joined #openstack-keystone		01:18
*** edmondsw has quit IRC		01:23
openstackgerrit	Ron De Rose proposed openstack/keystone: PCI-DSS Force users to immediately change their password upon first use https://review.openstack.org/403916	01:37
*** lucas__ has joined #openstack-keystone		01:38
*** browne has quit IRC		01:39
*** tqtran has quit IRC		01:49
*** adrian_otto has quit IRC		01:51
rderose	is there a way to tell if a user is a service user?	01:56
*** markvoelker has joined #openstack-keystone		01:59
rderose	I guess if they have the service role...	01:59
stevemar	rderose: nope	01:59
rderose	stevemar: darn	01:59
stevemar	thats a sketchy way of determining	01:59
stevemar	whats up?	01:59
rderose	stevemar: yeah... was trying to see if I could automatically ignore service users for PCI	02:00
rderose	stevemar: domain scoped PCI is the answer. we'll have to do that in pike.	02:02
stevemar	rderose: i said that in N :P	02:03
rderose	haha	02:03
stevemar	per-domain PCI, just like how we have per-domain LDAP	02:04
stevemar	its the same code, should be easy to do	02:04
rderose	stevemar: right	02:04
rderose	stevemar: don't worry about N, no one really believes PTLs	02:05
rderose	:)	02:05
stevemar	rderose: damn whoever was PTL in N	02:06
rderose	haha	02:06
stevemar	PTL elections are open!!!!!!!!!! http://lists.openstack.org/pipermail/openstack-dev/2017-January/110441.html	02:06
stevemar	rderose: yeah, with per-domain PCI we'll be able to remove a lot of the "here are a list of user IDs i don't want things to happen to"	02:08
rderose	stevemar: yep, exactly	02:09
*** thorst has joined #openstack-keystone		02:15
stevemar	gagehugo: hmm, looking at http://paste.openstack.org/show/595484/	02:19
stevemar	gagehugo: it seems you didn't run the modified code?	02:19
stevemar	File "/usr/local/lib/python2.7/dist-packages/osc_lib/shell.py", line 457, in prepare_to_run_command	02:19
stevemar	self.client_manager.auth_ref	02:19
*** thorst has quit IRC		02:20
stevemar	if you had set "auth_required = False" in the command class of userSetPassword, then we shuoldn't be entering that branch	02:20
stevemar	if cmd.auth_required:	02:20
stevemar	self.client_manager.setup_auth()	02:20
stevemar	if hasattr(cmd, 'required_scope') and cmd.required_scope:	02:20
stevemar	# let the command decide whether we need a scoped token	02:20
stevemar	self.client_manager.validate_scope()	02:20
stevemar	# Trigger the Identity client to initialize	02:20
stevemar	self.client_manager.auth_ref	02:20
stevemar	return	02:20
stevemar	gagehugo: i'll play around with it	02:21
stevemar	gagehugo: how did you set your user to be expired?	02:21
gagehugo	stevemar: I think I did, I can try again	02:25
gagehugo	stevemar: I have a bunch of users from previous tests and a bunch of them are expired	02:26
gagehugo	otherwise I just change their database values	02:26
*** links has joined #openstack-keystone		02:33
*** darrenc_ has joined #openstack-keystone		02:35
*** r1chardj0n3s_ has joined #openstack-keystone		02:37
gagehugo	stevemar: oh, http://paste.openstack.org/show/595484/ is incorrect, I did required_auth instead of auth_required	02:37
*** hoangcx_ has joined #openstack-keystone		02:38
*** gus__ has joined #openstack-keystone		02:38
*** charz_ has joined #openstack-keystone		02:40
*** BrAsS_mOnKeY has joined #openstack-keystone		02:40
*** rvba` has joined #openstack-keystone		02:41
*** mtreinish_ has joined #openstack-keystone		02:41
*** tlbr_ has joined #openstack-keystone		02:41
*** hoangcx has quit IRC		02:41
*** adriant has quit IRC		02:41
*** briancurtin has quit IRC		02:41
*** wasmum has quit IRC		02:41
*** hyakuhei has quit IRC		02:41
*** rvba has quit IRC		02:41
*** g2 has quit IRC		02:41
*** rm_work has quit IRC		02:41
*** r1chardj0n3s has quit IRC		02:41
*** darrenc has quit IRC		02:41
*** gus has quit IRC		02:41
*** mjb has quit IRC		02:41
*** jamielennox has quit IRC		02:41
*** tlbr has quit IRC		02:41
*** mtreinish has quit IRC		02:41
*** charz has quit IRC		02:41
*** mtreinish_ is now known as mtreinish		02:41
*** mjb has joined #openstack-keystone		02:42
gagehugo	stevemar: http://paste.openstack.org/show/595519/ is the modified one	02:42
stevemar	gagehugo: thats interesting	02:43
stevemar	it actually fired off the request	02:43
stevemar	File "/home/ghugo/python-openstackclient/openstackclient/identity/v3/user.py", line 438, in take_action	02:43
stevemar	identity_client.users.update_password(current_password, password)	02:43
*** yarkot has quit IRC		02:44
stevemar	well, it got to the client anyway, thats good	02:44
stevemar	it failed to fire off the request	02:44
gagehugo	hmm	02:45
stevemar	looks like it failed ehre: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/session.py#L349	02:46
stevemar	we need it to get to line 430 :)	02:47
*** BrAsS_mOnKeY is now known as g2		02:47
*** agrebennikov_ has joined #openstack-keystone		02:47
*** yarkot has joined #openstack-keystone		02:50
stevemar	gagehugo: i guess we could just do a straight requests call	02:50
gagehugo	hmm	02:51
*** adriant has joined #openstack-keystone		02:51
*** markvoelker has quit IRC		02:56
stevemar	gagehugo: this is where we bug jamielennox when he's online :P	03:00
*** rm_work has joined #openstack-keystone		03:00
*** wasmum has joined #openstack-keystone		03:01
*** hyakuhei has joined #openstack-keystone		03:01
*** henrynash has joined #openstack-keystone		03:03
*** ChanServ sets mode: +v henrynash		03:03
gagehugo	stevemar: heh	03:06
gagehugo	I dont think I found anything else that used auth_require = False	03:06
*** markvoelker has joined #openstack-keystone		03:10
*** diazjf has joined #openstack-keystone		03:11
*** jamielennox\|away has joined #openstack-keystone		03:12
*** jamielennox\|away is now known as jamielennox		03:12
*** ChanServ sets mode: +v jamielennox		03:12
*** woodster_ has quit IRC		03:15
*** MasterOfBugs has quit IRC		03:18
*** adrian_otto has joined #openstack-keystone		03:19
*** adrian_otto has quit IRC		03:29
*** thorst has joined #openstack-keystone		03:30
stevemar	gagehugo: just `openstack list commands`	03:34
stevemar	jamielennox: gagehugo and i have questions for you!	03:34
*** adrian_otto has joined #openstack-keystone		03:35
stevemar	jamielennox: check out https://review.openstack.org/#/c/404022/ ping me when you're online	03:35
*** thorst has quit IRC		03:36
* stevemar is trying to decide which patch he should review first		03:37
gagehugo	ah	03:40
*** henrynash has quit IRC		03:44
*** henrynash has joined #openstack-keystone		03:44
*** ChanServ sets mode: +v henrynash		03:44
*** liyuenan has joined #openstack-keystone		03:46
liyuenan	hi everyone!	03:46
liyuenan	i have a question about openstackclient	03:46
liyuenan	when i run openstack user list --os-cloud opnfv	03:47
liyuenan	it failed	03:47
*** MasterOfBugs has joined #openstack-keystone		03:47
liyuenan	ERROR: Cloud opnfv was not found.	03:47
liyuenan	But I had create cloud.yaml in ~/.config/openstack	03:48
liyuenan	T.T	03:49
openstackgerrit	Ken Johnston proposed openstack/keystone: Fix typo in main docs page https://review.openstack.org/422371	03:49
*** diazjf has quit IRC		03:50
*** nicolasbock has quit IRC		03:50
*** henrynash has quit IRC		03:51
*** henrynash has joined #openstack-keystone		03:51
*** ChanServ sets mode: +v henrynash		03:51
*** adrian_otto has quit IRC		03:54
stevemar	liyuenan: hmm, what does `openstack --version` say?	03:58
*** adrian_otto has joined #openstack-keystone		03:58
stevemar	liyuenan: the docs for clouds.yaml are here: http://docs.openstack.org/developer/python-openstackclient/configuration.html#clouds-yaml	03:59
*** ayoung has quit IRC		04:03
*** edtubill has joined #openstack-keystone		04:04
*** adrian_otto has quit IRC		04:04
openstackgerrit	Ken Johnston proposed openstack/keystone: Readability enhancements to architecture doc https://review.openstack.org/422375	04:07
*** henrynash has quit IRC		04:07
*** jerrygb has quit IRC		04:10
*** liyuenan has quit IRC		04:17
*** stingaci has joined #openstack-keystone		04:21
*** edtubill has quit IRC		04:21
*** adrian_otto has joined #openstack-keystone		04:22
*** stingaci has quit IRC		04:26
*** agrebennikov_ has quit IRC		04:28
*** briancurtin has joined #openstack-keystone		04:31
*** agrebennikov_ has joined #openstack-keystone		04:33
*** thorst has joined #openstack-keystone		04:33
*** thorst has quit IRC		04:38
*** liyuenan has joined #openstack-keystone		04:38
*** adrian_otto has quit IRC		04:38
liyuenan	stevemar: openstack version is 3.7.0	04:39
*** adrian_otto has joined #openstack-keystone		04:40
stevemar	liyuenan: can you paste your clouds.yaml? (but remove the password?)	04:41
liyuenan	https://thepasteb.in/p/1jhn2rvpZKMSB	04:42
*** nkinder has joined #openstack-keystone		04:42
liyuenan	there is my cloud.yml	04:43
*** henrynash has joined #openstack-keystone		04:46
*** ChanServ sets mode: +v henrynash		04:46
openstackgerrit	Richard Avelar proposed openstack/keystone: Add queries for federated attributes in list_users https://review.openstack.org/414720	04:52
*** lucas__ has quit IRC		04:53
MasterOfBugs	Hi All	04:59
MasterOfBugs	I am getting this error while stacking	04:59
MasterOfBugs	is this normal?	04:59
*** dikonoor has joined #openstack-keystone		04:59
MasterOfBugs	+lib/keystone:init_keystone:510 rm -rf /etc/keystone/credential-keys/	04:59
MasterOfBugs	2017-01-18 21:12:42.028 \| +lib/keystone:init_keystone:511 /usr/local/bin/keystone-manage --config-file /etc/keystone/keystone.conf credential_setup	04:59
MasterOfBugs	2017-01-18 21:12:42.781 \| usage: keystone-manage [bootstrap\|db_sync\|db_version\|domain_config_upload\|fernet_rotate\|fernet_setup\|mapping_purge\|mapping_engine\|pki_setup\|saml_idp_metadata\|ssl_setup\|token_flush]	04:59
MasterOfBugs	2017-01-18 21:12:42.781 \| keystone-manage: error: argument command: invalid choice: 'credential_setup' (choose from 'bootstrap', 'db_sync', 'db_version', 'domain_config_upload', 'fernet_rotate', 'fernet_setup', 'mapping_purge', 'mapping_engine', 'pki_setup', 'saml_idp_metadata', 'ssl_setup', 'token_flush')	04:59
MasterOfBugs	2017-01-18 21:12:42.822 \| +lib/keystone:init_keystone:1 exit_trap	05:00
MasterOfBugs	2017-01-18 21:12:42.827 \| +./stack.sh:exit_trap:487 local r=2	05:00
MasterOfBugs	2017-01-18 21:12:42.832 \| ++./stack.sh:exit_trap:488 jobs -p	05:00
MasterOfBugs	2017-01-18 21:12:42.836 \| +./stack.sh:exit_trap:488 jobs=	05:00
MasterOfBugs	2017-01-18 21:12:42.841 \| +./stack.sh:exit_trap:491 [[ -n '' ]]	05:00
MasterOfBugs	2017-01-18 21:12:42.845 \| +./stack.sh:exit_trap:497 kill_spinner	05:00
MasterOfBugs	2017-01-18 21:12:42.850 \| +./stack.sh:kill_spinner:383 '[' '!' -z '' ']'	05:00
MasterOfBugs	2017-01-18 21:12:42.854 \| +./stack.sh:exit_trap:499 [[ 2 -ne 0 ]]	05:00
MasterOfBugs	2017-01-18 21:12:42.858 \| +./stack.sh:exit_trap:500 echo 'Error on exit'	05:00
MasterOfBugs	2017-01-18 21:12:42.858 \| Error on exit	05:00
MasterOfBugs	2017-01-18 21:12:42.862 \| +./stack.sh:exit_trap:501 generate-subunit 1484773774 188 fail	05:00
MasterOfBugs	2017-01-18 21:12:43.282 \| +./stack.sh:exit_trap:502 [[ -z /opt/stack/logs/stack ]]	05:00
MasterOfBugs	2017-01-18 21:12:43.287 \| +./stack.sh:exit_trap:505 /home/otc/devstack/tools/worlddump.py -d /opt/stack/logs/stack	05:00
MasterOfBugs	2017-01-18 21:12:43.313 \| df: '/var/lib/ureadahead/debugfs/tracing': No such file or directory	05:00
MasterOfBugs	2017-01-18 21:12:43.712 \| +./stack.sh:exit_trap:511 exit 2	05:00
stevemar	MasterOfBugs: http://paste.openstack.org/ is your friend :)	05:00
MasterOfBugs	how can i work around this?	05:00
liyuenan	stevemar: could you see my cloud.yml?	05:00
MasterOfBugs	sorry	05:01
MasterOfBugs	http://paste.openstack.org/show/595533/	05:01
MasterOfBugs	cloud.yml?	05:01
MasterOfBugs	can u please tell me the location?	05:01
*** nkinder has quit IRC		05:02
liyuenan	MasterOfBugs: it is anohter question about openstackclient. :)	05:03
stevemar	MasterOfBugs: looks like you're using a newer version of devstack on an old keystone branch?	05:03
stevemar	trying to set up mitaka ?	05:03
MasterOfBugs	yes	05:03
stevemar	liyuenan: looking now	05:03
MasterOfBugs	mitaka	05:03
stevemar	MasterOfBugs: using devstack's master branch i assume?	05:04
liyuenan	stevemar: thankyou!	05:04
*** herdesh has quit IRC		05:04
MasterOfBugs	yes	05:04
MasterOfBugs	i am using master branch with stable/mitaka for keystone	05:04
MasterOfBugs	my local.conf	05:04
MasterOfBugs	http://paste.openstack.org/show/595534/	05:04
MasterOfBugs	is it a good idea or shall i change everything to itaka?	05:05
MasterOfBugs	mitaka*	05:05
stevemar	MasterOfBugs: can't do that, gotta use the same devstack branch as the branch of openstack you want	05:05
stevemar	MasterOfBugs: so ... something like git clone https://github.com/openstack-dev/devstack.git -b stable/mitaka	05:05
stevemar	to get the mitaka branch of devstack	05:05
stevemar	then it'll download and install a mitaka version of OpenStack for you	05:06
MasterOfBugs	Cool!	05:06
MasterOfBugs	I will give it a shot	05:06
stevemar	MasterOfBugs: consider getting a new VM, the one you used may be tainted	05:06
stevemar	liyuenan: alright, now you :)	05:06
MasterOfBugs	Cool. WIll try it in a new VM	05:06
liyuenan	stevemar: :)	05:06
MasterOfBugs	Thanks a lot Steve for your help	05:07
MasterOfBugs	:)	05:07
stevemar	MasterOfBugs: np	05:07
stevemar	liyuenan: can you run a command with --debug and paste it ?	05:08
liyuenan	OK,wait a minute	05:08
stevemar	liyuenan: hmm, a simple thing to try? remove the "----" from your clouds.yaml?	05:09
liyuenan	stevemar: http://paste.openstack.org/show/595536/	05:09
stevemar	liyuenan: here's what i use: http://paste.openstack.org/show/595535/	05:09
*** jerrygb has joined #openstack-keystone		05:10
liyuenan	I think the openstack couldn't found the cloud.yml	05:12
stevemar	liyuenan: mine is at /etc/openstack/	05:12
stevemar	called clouds.yaml, not clouds.yml, not sure if that makes a difference	05:12
liyuenan	i'll move to /etc/openstck and try again	05:12
stevemar	liyuenan: http://paste.openstack.org/show/595537/	05:13
stevemar	liyuenan: signing off for the night, but i think its a small issue with either the directory or file name extension or adding '---' to the top, file a bug at http://bugs.launchpad.net/os-client-config if it's any of those things	05:15
*** jerrygb has quit IRC		05:15
*** adrian_otto1 has joined #openstack-keystone		05:16
*** adrian_otto has quit IRC		05:16
liyuenan	stevemar: http://paste.openstack.org/show/595539/	05:17
liyuenan	I had found the problem. I didn't install os-client-conf currectly!	05:23
liyuenan	Thank you!	05:24
*** agrebennikov_ has quit IRC		05:31
*** adriant has quit IRC		05:37
*** adrian_otto1 has quit IRC		05:39
*** adrian_otto has joined #openstack-keystone		05:43
*** adrian_otto has quit IRC		05:43
*** Jack_I has joined #openstack-keystone		05:46
*** liyuenan has quit IRC		05:49
*** liyuenan has joined #openstack-keystone		05:51
*** liyuenan has quit IRC		05:52
*** henrynash has quit IRC		05:53
*** lucas__ has joined #openstack-keystone		06:02
MasterOfBugs	Hi All	06:25
MasterOfBugs	Can anyone tell me how to update theb Babel package	06:26
MasterOfBugs	?	06:26
MasterOfBugs	ContextualVersionConflict: (Babel 2.2.0 (/usr/local/lib/python2.7/dist-packages), Requirement.parse('Babel>=2.3.4'), set(['castellan']))	06:26
MasterOfBugs	I am getting this error	06:26
gagehugo	pip install Babel 2.3.4	06:26
gagehugo	pip install --upgrade Babel might work too?	06:27
MasterOfBugs	Cool Gotcha	06:27
MasterOfBugs	I uninstalled and installed	06:27
MasterOfBugs	:)	06:27
MasterOfBugs	Thanks a lot gage	06:27
gagehugo	np!	06:27
*** lucas__ has quit IRC		06:27
MasterOfBugs	:)	06:27
*** thorst has joined #openstack-keystone		06:34
*** thorst has quit IRC		06:39
*** richm has quit IRC		06:42
*** hoangcx_ has quit IRC		06:56
*** jerrygb has joined #openstack-keystone		07:00
*** jerrygb has quit IRC		07:05
*** stingaci has joined #openstack-keystone		07:19
*** hoangcx has joined #openstack-keystone		07:22
*** stingaci has quit IRC		07:23
*** masber has quit IRC		07:30
*** voelzmo has joined #openstack-keystone		07:38
*** voelzmo has quit IRC		07:39
*** voelzmo has joined #openstack-keystone		07:43
breton	oh wow	07:52
breton	stable/ocata	07:52
*** haplo37_ has quit IRC		08:00
*** hoangcx_ has joined #openstack-keystone		08:01
*** hoangcx has quit IRC		08:03
*** haplo37_ has joined #openstack-keystone		08:03
*** stingaci has joined #openstack-keystone		08:06
*** tesseract has joined #openstack-keystone		08:13
*** openstackgerrit has quit IRC		08:33
*** masber has joined #openstack-keystone		08:34
*** thorst has joined #openstack-keystone		08:35
*** thorst has quit IRC		08:39
*** hoangcx_ is now known as hoangcx		08:45
*** zzzeek has quit IRC		09:00
*** zzzeek has joined #openstack-keystone		09:00
*** pnavarro has joined #openstack-keystone		09:20
*** arunkant has quit IRC		09:29
*** hyakuhei has quit IRC		09:36
*** hyakuhei has joined #openstack-keystone		09:36
*** hyakuhei has quit IRC		09:36
*** hyakuhei has joined #openstack-keystone		09:36
*** mvk has quit IRC		09:54
*** hoangcx has quit IRC		10:07
*** masber has quit IRC		10:26
*** jerrygb has joined #openstack-keystone		10:28
*** mvk has joined #openstack-keystone		10:30
*** jerrygb has quit IRC		10:33
*** thorst has joined #openstack-keystone		10:35
*** thorst has quit IRC		10:40
*** masber has joined #openstack-keystone		10:41
*** r1chardj0n3s_ is now known as r1chardj0n3s		10:43
*** masber has quit IRC		11:06
*** richm has joined #openstack-keystone		11:11
*** zhugaoxiao has joined #openstack-keystone		11:14
*** ayoung has joined #openstack-keystone		11:25
*** ChanServ sets mode: +v ayoung		11:25
*** zhugaoxiao has quit IRC		11:29
*** zhugaoxiao has joined #openstack-keystone		11:29
stevemar	breton: only ksm/ksa/pycadf for now	11:29
*** nicolasbock has joined #openstack-keystone		11:36
*** ayoung has quit IRC		12:06
*** edmondsw has joined #openstack-keystone		12:07
*** masber has joined #openstack-keystone		12:20
*** jerrygb has joined #openstack-keystone		12:29
*** jerrygb has quit IRC		12:34
*** thorst has joined #openstack-keystone		12:37
*** catintheroof has joined #openstack-keystone		12:43
*** dave-mccowan has joined #openstack-keystone		12:48
stevemar	o/	13:01
*** links has quit IRC		13:11
*** jerrygb has joined #openstack-keystone		13:13
*** ayoung has joined #openstack-keystone		13:14
*** ChanServ sets mode: +v ayoung		13:14
*** AlexOughton has quit IRC		13:20
*** AlexOughton has joined #openstack-keystone		13:21
*** ayoung has quit IRC		13:25
*** ayoung has joined #openstack-keystone		13:27
*** ChanServ sets mode: +v ayoung		13:27
*** Jack_I has quit IRC		13:27
*** agrebennikov_ has joined #openstack-keystone		13:31
*** ayoung has quit IRC		13:38
*** lucas__ has joined #openstack-keystone		13:38
*** ayoung has joined #openstack-keystone		13:38
*** ChanServ sets mode: +v ayoung		13:38
*** ayoung has quit IRC		13:39
dstanek	stevemar: morning	13:40
*** ayoung has joined #openstack-keystone		13:43
*** ChanServ sets mode: +v ayoung		13:43
*** agrebennikov_ has quit IRC		13:47
stevemar	dstanek: ahoy	13:48
dstanek	stevemar: ha, i just commented on the review	13:55
dstanek	stevemar: for webob i was going to submit a second patch, but ran out of time	13:55
stevemar	ah	13:56
stevemar	dstanek: don't forget to review the stuff here: https://etherpad.openstack.org/p/keystone-sprint-to-ocata :)	13:56
*** markvoelker has quit IRC		13:57
dstanek	stevemar: already on it :-) test for auto provising are running now	13:57
*** markvoelker has joined #openstack-keystone		14:01
*** lamt has joined #openstack-keystone		14:02
*** lamt has quit IRC		14:04
*** openstackgerrit has joined #openstack-keystone		14:13
openstackgerrit	Merged openstack/keystone: switch @hybrid_property to @property https://review.openstack.org/421468	14:13
*** agrebennikov_ has joined #openstack-keystone		14:14
*** ayoung has quit IRC		14:16
knikolla	o/	14:31
openstackgerrit	Merged openstack/keystone: Fix typo in main docs page https://review.openstack.org/422371	14:32
*** dikonoor has quit IRC		14:36
openstackgerrit	Lance Bragstad proposed openstack/keystone: Add documentation for auto-provisioning https://review.openstack.org/421573	14:53
*** nkinder has joined #openstack-keystone		14:53
*** edmondsw_ has joined #openstack-keystone		14:55
*** edmondsw has quit IRC		14:56
*** v1k0d3n has joined #openstack-keystone		15:00
openstackgerrit	Ron De Rose proposed openstack/keystone: Add domain_id to the user table https://review.openstack.org/409874	15:04
openstackgerrit	Ron De Rose proposed openstack/keystone: Set the domain for federated users https://review.openstack.org/408332	15:05
openstackgerrit	Ken Johnston proposed openstack/keystone: Readability enhancements to architecture doc https://review.openstack.org/422375	15:07
*** adrian_otto has joined #openstack-keystone		15:14
openstackgerrit	Lance Bragstad proposed openstack/keystone: Implement federated auto-provisioning https://review.openstack.org/415895	15:16
openstackgerrit	Lance Bragstad proposed openstack/keystone: Add documentation for auto-provisioning https://review.openstack.org/421573	15:17
*** edtubill has joined #openstack-keystone		15:19
*** lucas__ has quit IRC		15:20
*** lucas__ has joined #openstack-keystone		15:21
*** jaugustine has joined #openstack-keystone		15:23
*** MasterOfBugs has quit IRC		15:23
*** sheel has quit IRC		15:27
*** markvoelker_ has joined #openstack-keystone		15:28
openstackgerrit	Ron De Rose proposed openstack/keystone: Add domain_id to the user table https://review.openstack.org/409874	15:28
*** markvoelker has quit IRC		15:29
*** markvoelker has joined #openstack-keystone		15:31
*** jaosorior has joined #openstack-keystone		15:31
*** ayoung has joined #openstack-keystone		15:31
*** ChanServ sets mode: +v ayoung		15:31
*** adrian_otto has quit IRC		15:31
*** lucas__ has quit IRC		15:32
*** markvoelker_ has quit IRC		15:33
openstackgerrit	Ron De Rose proposed openstack/keystone: Set the domain for federated users https://review.openstack.org/408332	15:34
*** ravelar has joined #openstack-keystone		15:34
*** lamt has joined #openstack-keystone		15:40
*** dikonoor has joined #openstack-keystone		15:42
*** chris_hultin\|AWA is now known as chris_hultin		15:45
*** chris_hultin is now known as chris_hultin\|AWA		15:45
stevemar	rderose: i guess you still need to do a migration for federated users even if you just add the domain_id to the federated_users table?	15:46
stevemar	rderose: mucking around with FKs of the user table makes my ears perk up	15:46
stevemar	thats why i was asking to isolate it to federated_users table, far fewer deployments have things in there	15:47
*** chris_hultin\|AWA is now known as chris_hultin		15:47
rderose	stevemar: yeah, totally understand	15:48
rderose	stevemar: tried really hard to make it simple, but eventually came to this design	15:49
rderose	stevemar: the domain_id is needed in the user table, as all users (including federated) should belong to a domain	15:50
rderose	stevemar: and it's needed in the local_user table to enforce domain_id/name uniqueness	15:50
*** mvk has quit IRC		15:50
rderose	stevemar: user.id, user.domain_id -> local_user.user_id, local_user.domain_id (composite fk) solves both of these	15:51
*** Jack_I has joined #openstack-keystone		15:53
*** spzala has joined #openstack-keystone		16:01
*** lamt has quit IRC		16:02
*** adrian_otto has joined #openstack-keystone		16:03
*** voelzmo has quit IRC		16:04
*** david-lyle has joined #openstack-keystone		16:06
*** lamt has joined #openstack-keystone		16:13
*** thorst is now known as thorst_afk		16:19
*** lucas__ has joined #openstack-keystone		16:22
*** lamt has quit IRC		16:25
*** lamt has joined #openstack-keystone		16:30
*** hrybacki is now known as hrybacki\|afkish		16:32
*** links has joined #openstack-keystone		16:37
*** thorst_afk is now known as thorst_		16:37
*** lucas__ has quit IRC		16:44
*** edtubill has quit IRC		16:51
*** david-lyle has quit IRC		16:55
*** spzala has quit IRC		16:56
*** jistr is now known as jistr\|afk		16:57
openstackgerrit	Lance Bragstad proposed openstack/keystone: Add documentation for auto-provisioning https://review.openstack.org/421573	16:58
openstackgerrit	Lance Bragstad proposed openstack/keystone: Implement federated auto-provisioning https://review.openstack.org/415895	16:58
*** edtubill has joined #openstack-keystone		17:01
*** diazjf has joined #openstack-keystone		17:03
*** pnavarro has quit IRC		17:04
*** lamt has quit IRC		17:05
*** lamt has joined #openstack-keystone		17:06
*** links has quit IRC		17:11
*** ravelar has quit IRC		17:12
*** dikonoor has quit IRC		17:14
lbragstad	stevemar what specifically did you want added here - https://etherpad.openstack.org/p/keystone-pike-ptg ?	17:15
lbragstad	just things to talk about during the PTG?	17:15
*** ravelar has joined #openstack-keystone		17:18
*** david-lyle has joined #openstack-keystone		17:18
*** david-lyle has quit IRC		17:18
*** pnavarro has joined #openstack-keystone		17:19
*** mvk has joined #openstack-keystone		17:19
openstackgerrit	David Stanek proposed openstack/keystone: Small fixes for WebOb 1.7 compatibiltity https://review.openstack.org/422234	17:21
openstackgerrit	David Stanek proposed openstack/keystone: DO NOT MERGE test of webob 1.7.1 https://review.openstack.org/422774	17:21
openstackgerrit	Samuel Pilla proposed openstack/keystone: Add password expiration queries for PCI-DSS https://review.openstack.org/403898	17:23
morgan	o/	17:23
morgan	dstanek: but I WANT TO MERGE IT. presses button :P	17:23
*** david-lyle has joined #openstack-keystone		17:28
*** stingaci has quit IRC		17:28
dstanek	morgan: i won't get in your way	17:29
morgan	;)	17:33
*** browne has joined #openstack-keystone		17:37
*** stingaci has joined #openstack-keystone		17:39
*** stingaci has quit IRC		17:39
*** stingaci has joined #openstack-keystone		17:39
stevemar	lbragstad: yes, i'm not sure how the PTG will go :P	17:39
stevemar	lbragstad: treat it like a midcycle maybe?	17:40
stevemar	list of big topics to talk about ?	17:40
lbragstad	stevemar i'm assuming you just want people to dump ideas in there?	17:40
stevemar	mmhmm	17:40
lbragstad	and then we'll sort them into buckets?	17:40
stevemar	lbragstad: well, i won't be PTL at the PTG, so its not my problem :D	17:40
stevemar	ok ok, not problem, but the structure is not for me to decide :D	17:41
lbragstad	stevemar you seem way too excited about those two statements	17:41
*** stingaci has quit IRC		17:42
dstanek	lbragstad: ++	17:42
stevemar	lbragstad: you have no idea	17:43
lbragstad	lol	17:43
*** adrian_otto has quit IRC		17:46
*** diazjf has quit IRC		17:54
*** lucas has joined #openstack-keystone		17:56
*** jistr\|afk is now known as jistr		18:01
*** jdennis has quit IRC		18:03
*** lucas has quit IRC		18:04
*** jdennis has joined #openstack-keystone		18:07
*** stingaci has joined #openstack-keystone		18:08
stevemar	rderose: yeah, the code is just hard to read and test	18:08
rderose	stevemar: I know and the triggers just make it 10x worse	18:09
rderose	stevemar: appreciate the review	18:09
stevemar	rderose: i'll muster up the energy to review it again today	18:10
openstackgerrit	Richard Avelar proposed openstack/keystone: Add queries for federated attributes in list_users https://review.openstack.org/414720	18:12
morgan	ugh.	18:14
rderose	stevemar: cool, thx	18:15
*** adrian_otto has joined #openstack-keystone		18:17
*** david-lyle has quit IRC		18:18
*** catinthe_ has joined #openstack-keystone		18:18
*** catintheroof has quit IRC		18:18
morgan	stevemar: i don't know how this previously even worked.	18:25
morgan	stevemar: the methods [] in the token body seems.... wonky as hell	18:25
morgan	oooh i see it now	18:26
morgan	rolls eyes	18:26
kfox1111	is anyone using cephfs for fernet key storage?	18:32
lbragstad	kfox1111 not that I am aware of	18:33
kfox1111	k. just curious. :)	18:33
lbragstad	kfox1111 sounds interesting though	18:33
kfox1111	yeah. looking at ways to implement it in kolla-kubernetes.	18:35
kfox1111	could do it as a read only cephfs mount on all the keystone containers,	18:36
lbragstad	kfox1111 ah - then do the rotation using ceph	18:36
kfox1111	and a scheduledjob container that does the rolling with rw access to cephfs.	18:36
*** spilla has joined #openstack-keystone		18:37
*** hrybacki\|afkish is now known as hrybacki\|sick		18:40
morgan	kfox1111: is cephfs stable?	18:40
morgan	kfox1111: i haven't used it in ages, but it wasn't really before, only rbd was	18:40
*** stingaci has quit IRC		18:41
openstackgerrit	Samuel Pilla proposed openstack/keystone: Add password expiration queries for PCI-DSS https://review.openstack.org/403898	18:49
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Add user_mfa_rules table https://review.openstack.org/418166	18:50
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Auth Method Handlers now return a response object always https://review.openstack.org/420955	18:50
*** Jack_V has joined #openstack-keystone		18:54
*** lucas has joined #openstack-keystone		18:55
kfox1111	morgan: it became stable in jewel.	18:57
kfox1111	been using it for about a year though without issue on a fairly large storage system.	18:58
*** Jack_I has quit IRC		18:58
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Add SQL Upgrade Tests for MFA rules https://review.openstack.org/422817	19:02
*** lucas has quit IRC		19:02
*** voelzmo has joined #openstack-keystone		19:05
*** voelzmo has quit IRC		19:05
*** lucas has joined #openstack-keystone		19:06
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: WIP: Test cross domain implied roles https://review.openstack.org/422819	19:07
dstanek	samueldmq: you around?	19:08
dstanek	samueldmq: lbragstad has force my hand and i need to finish the federation mapping documentation revisions i started. was hoping you could take a peek and see if it helps clear things up?	19:09
dstanek	i just need to rebase on top of lbragstad's new stuff	19:09
*** voelzmo has joined #openstack-keystone		19:10
*** MasterOfBugs has joined #openstack-keystone		19:12
*** jose-phillips has joined #openstack-keystone		19:14
*** diazjf has joined #openstack-keystone		19:15
catinthe_	guys, quick question, should a domain admin (not a cloud admin) be able to modify project quotas ?	19:19
lbragstad	dstanek sure	19:19
lbragstad	dstanek do you have a link?	19:19
dstanek	lbragstad: i will in just a few. making a few doc changes that i mentioned in your review. and then i'll cherry pick mine on top	19:20
lbragstad	dstanek cool	19:20
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Expose bug for cross domain implied roles https://review.openstack.org/422819	19:20
rodrigods	hey ^ we need eyes on this (and in the related bug)	19:22
catinthe_	rodrigods: quick question, should a domain admin (not a cloud admin) be able to modify project quotas ?	19:24
rodrigods	catinthe_, i'd say yes	19:24
catinthe_	rodrigods: you'd say yes ? or is yes ?	19:25
rodrigods	catinthe_, i would say yes	19:25
catinthe_	rodrigods: sorry but i need to confirm to check if its an horizon bug	19:26
*** ravelar has quit IRC		19:26
rodrigods	the tricky part is because other services aren't aware of domains	19:26
catinthe_	or a feature not supported by keystone	19:26
rodrigods	catinthe_, this is missing	19:26
catinthe_	rodrigods: sure, but cloud admin on a domain enabled is able to modify them using keystone as proxy	19:26
catinthe_	rodrigods: so, isnt that possible from a domain admin perspective ?	19:27
rodrigods	catinthe_, this is something that should be enforced via policy	19:27
rodrigods	since other services aren't "domain aware"	19:27
rodrigods	they can't	19:27
*** adrian_otto has quit IRC		19:28
*** tesseract has quit IRC		19:29
* stevemar will be in a metal tube tomorrow		19:31
dstanek	lbragstad: uggg... i have to word-smith for projects	19:31
*** voelzmo has quit IRC		19:33
*** openstackgerrit has quit IRC		19:33
*** adrian_otto has joined #openstack-keystone		19:33
*** voelzmo has joined #openstack-keystone		19:34
*** nkinder has quit IRC		19:39
*** jamiec has joined #openstack-keystone		19:40
*** ravelar has joined #openstack-keystone		19:42
lbragstad	stevemar we don't have http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ocata/support-federated-attr.html tracked in your handy-dandy spreadsheet do we?	19:45
lbragstad	stevemar aha - nevermind...	19:46
*** lucas has quit IRC		19:46
lbragstad	stevemar I see you have that pushed into Pike	19:47
*** lucas has joined #openstack-keystone		19:47
*** david-lyle has joined #openstack-keystone		19:48
stevemar	lbragstad: its on the fence	19:48
stevemar	lbragstad: review it, if it makes it, all good. but i assume its going to be multiple releases	19:48
lbragstad	stevemar it is - i was perusing the stuff in the etherpad and I didn't see it there, but I didn't look at the pike one	19:48
lbragstad	s/etherpad/spreadsheet/ (same thing, right?)	19:49
stevemar	lbragstad: more or less :P	19:49
stevemar	lbragstad: i'm reviewing it, if it lands i'm OK with it	19:49
stevemar	if it doesn't meh	19:49
lbragstad	stevemar cool - i think ravelar has another patch set coming sometime today	19:49
knikolla	lbragstad nice to see you run :)	19:50
lbragstad	knikolla thanks!	19:51
morgan	stevemar: sql tests posted. about to start on the next small batch of auth path	19:54
stevemar	morgan: can i get your take on https://review.openstack.org/#/c/404022/ from a security PoV ?	19:54
morgan	stevemar: sure	19:55
morgan	fwiw, the concept is def something we talked about so yay	19:55
morgan	reviewing code now	19:55
stevemar	morgan: so if PCI is enabled, and a user has an expired password, how can he/she reset it on their own	19:56
morgan	ftr: I am against more config options	19:56
stevemar	basically it involves removing the auth decorator which makes me nervous	19:56
morgan	use policy	19:56
morgan	not more config options	19:56
morgan	reading code things	19:56
*** openstackgerrit has joined #openstack-keystone		19:59
openstackgerrit	Gage Hugo proposed openstack/keystone: Allow user to change own expired password https://review.openstack.org/404022	19:59
*** spilla has quit IRC		20:00
*** lucas has quit IRC		20:01
dstanek	lbragstad: stevemar: keystone-horizon meeting?	20:02
lbragstad	dstanek i'm assuming it's still on... I haven't seen a cancellation notice of any kind.	20:03
dstanek	isn't it supposed to be now or is my calendar fubar?	20:03
*** spilla has joined #openstack-keystone		20:03
lbragstad	dstanek nope - your calendar != fubar	20:04
knikolla	yeah, i have it on calendar for now too	20:05
*** dave-mccowan has quit IRC		20:08
*** dave-mccowan has joined #openstack-keystone		20:09
morgan	gagehugo: bah you just pushed another patch while i was reviewing	20:11
morgan	gagehugo: FYI I'm going to -1 the new one and say "see comments on #19"	20:11
samueldmq	dstanek: hi, I am around now	20:11
samueldmq	Sure a may have a look. Is it up for review yet?	20:11
samueldmq	lbragstad: has shadow mappings merged yet?	20:12
gagehugo	morgan: sure	20:12
lbragstad	samueldmq not yet	20:12
lbragstad	samueldmq i believe it has been approved though	20:12
morgan	gagehugo: in short, don't add another config option	20:13
samueldmq	Kk, If not I will take a final look and approve it.	20:13
samueldmq	Sorry it has been a long week in LCA, timezones, etc	20:14
samueldmq	lbragstad: ^	20:14
morgan	gagehugo: or at the very least do not add a whole extra @protected decorator	20:14
morgan	you can check directly in the controller change passwor dmethod	20:14
morgan	gagehugo: i am unsure if we would allow the changing of passwords at all if you can't change an expired password self-service wise	20:14
lbragstad	samueldmq awesome - thanks!	20:15
morgan	stevemar: ^ cc question re password change	20:15
*** darrenc_ is now known as darrenc		20:15
stevemar	morgan: include gagehugo too	20:15
morgan	stevemar: i was talking to gagehugo ;)	20:15
gagehugo	morgan: so would reverting to how it was done in #16 be better?	20:15
morgan	before we do that, asking steve's opionion	20:15
stevemar	oooo	20:15
gagehugo	morgan: I added the config because I've seen this handled both ways before	20:15
morgan	we have a TON of knobs in keystone and a lot will never be set	20:16
morgan	or used	20:16
morgan	this feels like one of them. my guess is you either can't change your password or you can	20:16
morgan	expired or not	20:16
morgan	but i'm open to the current impl if we think it is super important to have the knob	20:16
gagehugo	ah ok I see what you mean	20:16
morgan	the only hard requirement i have is default it to true	20:16
lbragstad	samueldmq both of my patches have been approved - https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:bp/shadow-mapping	20:16
stevemar	morgan: gagehugo we can have the knob, but set it to true!	20:16
samueldmq	lbragstad: cool. And I assume the docs dstanek was refering to were "Add documentation for auto-provisioning"	20:16
lbragstad	samueldmq but dstanek has another one of the way to improve the docs	20:17
morgan	sane defaults :)	20:17
stevemar	morgan: gagehugo its still going to depend on someone setting the PCI expires knob	20:17
morgan	also the @protected decorator should be sufficient	20:17
stevemar	and i can't imagine someone wants all their users to expire but NOT have this ability	20:17
morgan	you shouldn't need another decorator	20:17
samueldmq	lbragstad: ah okay, so another one based on your docs ^ ?	20:17
morgan	i'm re-looking at that part	20:17
morgan	but i really, really, don't want to add more of these @protected decorators	20:18
gagehugo	dstanek: ^^	20:18
lbragstad	samueldmq yeah - i think he is in the process of working on it now, and cherry-picking it on top of my docs patch	20:18
morgan	it makes security maintenance a nightmare (it already is)	20:18
morgan	but more and more places to manage where things are gated on is not helping us	20:18
samueldmq	lbragstad: Sweet, thanks! I will review it	20:18
stevemar	gagehugo: hehe, did dstanek tell you to add one and morgan tell you not to? :)	20:19
morgan	probably	20:20
gagehugo	stevemar: heh	20:20
gagehugo	I'm fine either way	20:20
morgan	i want to kill the decorators	20:20
morgan	they are stupidly complex and hard to debug	20:20
stevemar	++	20:20
gagehugo	I did have to ask him for help, double decorators is a bit tricky	20:20
morgan	from a pure security and maintenance standpoint, that is sufficient for me to advocate not having more.	20:20
dstanek	add what?	20:20
lbragstad	morgan i feel like you've had this discussion with dstanek before	20:20
morgan	dstanek: @protected_optional	20:20
dstanek	oh, right	20:20
morgan	dstanek: another @protected decorator	20:21
dstanek	you don't what a second decorator?	20:21
morgan	i don't want a 3rd... or is this a 4th?	20:21
dstanek	i didn't like the idea of "softening" the one we have	20:21
morgan	we already did that with callback=<callback>	20:21
lbragstad	sounds like we need a sixth	20:21
lbragstad	;)	20:21
gagehugo	++	20:21
morgan	you could write a callback that does exactly what the new one does if wanted.	20:21
gagehugo	heh	20:21
*** jaugustine has quit IRC		20:21
morgan	but i would make that API unprotected	20:21
lbragstad	moar decorators please!	20:22
morgan	or make it so it can be blocked but doesn't do the whole other protected logic	20:22
morgan	via policy.json	20:22
morgan	it really needs to be an "open" not token-required API	20:22
morgan	or simply a 403 if it is disabled	20:22
morgan	iirc that is what we discussed last time	20:23
morgan	makeing it an open API, most of the time you need it you wont be able to get a token	20:23
dstanek	morgan: a callback is a good idea; i just don't like the 'protected' optionally protecting	20:23
morgan	like i said, I'd go a step further and not do @protected at all	20:24
morgan	it really shouldn't be locked behind a token	20:24
gagehugo	morgan: that was the original design	20:24
morgan	but if we need to lock it optionally, roll the current new decorator into a callback.	20:24
morgan	and pass it as @protected(callback=<callback>)	20:24
morgan	dstanek: is there a reason you want it behind @protected?	20:25
morgan	besides "it was already there"?	20:25
dstanek	@protected(maybe)	20:25
dstanek	morgan: not in particular. that is what the original review was doing to apply policy.	20:26
morgan	yay lbragstad is running for PTL, means I don't have to :P	20:26
morgan	i'm inclined to say the API should be open	20:26
morgan	not under @protected	20:26
morgan	at all	20:26
*** stingaci has joined #openstack-keystone		20:26
morgan	gagehugo: so here are the 2 "fixes" needed for me to lift the -1:	20:27
morgan	gagehugo: Default the option to True (if you keep the option)	20:27
gagehugo	morgan: sure	20:28
morgan	gagehugo: either drop @protected from the API or roll the new functionality into the callback=<>	20:28
gagehugo	morgan: dropping it seems easier :)	20:28
morgan	it does.	20:28
morgan	but if we need it, i'll not make dropping it a hard requirement	20:28
morgan	since we already have the option to modify @protected with a callback, we might as well use it.	20:29
gagehugo	true	20:29
openstackgerrit	David Stanek proposed openstack/keystone: Updates to project mapping documentation https://review.openstack.org/422852	20:29
openstackgerrit	David Stanek proposed openstack/keystone: WIP for federated mapping doc improvements https://review.openstack.org/422853	20:29
gagehugo	I almost feel like if we drop the @protected it may not be really worth it to keep the config	20:30
dstanek	lbragstad: samueldmq: ^	20:30
lbragstad	dstanek sweet - thanks!	20:30
dstanek	lbragstad: samueldmq: i'm not done, but i wanted to give samueldmq a preview	20:30
morgan	gagehugo: i have added comments to patchset #20 to the effect of what we discussed here :)	20:30
gagehugo	morgan: thanks	20:31
*** voelzmo has quit IRC		20:31
morgan	gagehugo: so the config option is orthogonal to @protected	20:31
*** stingaci has quit IRC		20:31
morgan	gagehugo: either you want to allow disabling of changing expired passwords or not	20:31
morgan	i personally don't think that option will ever be toggled	20:31
morgan	since you can disable a user with disabled=True	20:31
morgan	rather than locking them due to an expired password	20:31
gagehugo	morgan: yeah. I like giving people choices, but you're probably right that it will probably never be changed if default is true	20:32
gagehugo	and yeah the disabled thing is true too	20:32
morgan	but if you and others think that level of control is needed, i'm not blocking on it	20:32
morgan	i like giving options, i don't like giving options that control every single detail and providing a non-opinionated service. it leads to wildly different experiences depending on many elements in a matrix depending on deployment	20:33
morgan	IMO configs should never affect the end user experience to the core APIs	20:33
morgan	(exception being such as the auth workflow being different for SSO/SAML/OIDC/etc)	20:33
samueldmq	dstanek: cool, looking at it now	20:34
morgan	but the core APIs and how they respond, how they interact, etc should be baseline regardless of the deployment.	20:34
gagehugo	morgan: agreed	20:34
samueldmq	lbragstad: BTW, awesome candidacy email.	20:34
lbragstad	samueldmq thanks :)	20:34
morgan	lbragstad: you know what you're walking into right?	20:35
samueldmq	:)	20:35
morgan	lbragstad: just make sure you're aware of it.	20:35
stevemar	morgan: a blast!	20:35
lbragstad	morgan not a clue	20:35
morgan	stevemar: you're just loopy from doing it 3 cycles in a row. admit it	20:35
stevemar	gagehugo: do you have any questions about morgan's comments?	20:35
*** lucas has joined #openstack-keystone		20:35
morgan	stevemar: ;)	20:35
* lbragstad wonders what all these buttons do!		20:35
stevemar	morgan: delirious	20:35
gagehugo	stevemar: not yet, I'll take a look at them after I get out of this meeting	20:37
gagehugo	closer*	20:37
morgan	gagehugo: you can ignore the comments on #19	20:37
morgan	gagehugo: just the new one on #20 and that will be sufficient imo	20:37
gagehugo	morgan: ok, thanks for looking it over	20:37
morgan	from a pure security standpoint. it's no worse/better than anything else in keystone	20:38
morgan	i don't see it introducing anything new/questionable	20:38
stevemar	nice	20:38
stevemar	thanks morgan	20:38
morgan	or exposing anything weird. we still require old password	20:38
gagehugo	yeah	20:39
morgan	it's just modifying how we allow changing of passwords	20:39
*** adrian_otto has quit IRC		20:39
morgan	once the auth occurs	20:39
dstanek	samueldmq: i see why you were confused about local and remote being rules. we actually defined those as rules in our documentation	20:39
morgan	(old password that is)	20:39
morgan	it would be an issue if we didn't have an explicit passwordexpired exception	20:40
morgan	but since we do, nbd	20:40
morgan	stevemar: i want to point out authenticate_for_token is a TERRIBLE method name	20:40
stevemar	hehe	20:41
stevemar	no one has changed it since G?	20:41
samueldmq	dstanek: :-)	20:41
samueldmq	dstanek: so, on those docs. If the Target there is deployers, I am not sure it's worth it to add all those implementation details.	20:43
*** nicodemus_ has joined #openstack-keystone		20:43
samueldmq	I mean, that can be a long doc for those who Just want to know the principle behind it and anexo example.	20:44
morgan	stevemar: yep.	20:44
morgan	stevemar: it's bad =/	20:44
openstackgerrit	Merged openstack/keystone: Implement federated auto-provisioning https://review.openstack.org/415895	20:44
morgan	but meh	20:44
samueldmq	On the other hand the details are very useful for those who want to know the impl details, like me (not a deployer)	20:45
dstanek	samueldmq: what implementation details?	20:45
dstanek	samueldmq: i only added things you need to know in order to write a mapping	20:45
samueldmq	dstanek: this part do the mapping is entered in a loop and we stop after the first match, this JSON becomes this one internally but with lista instead	20:46
*** pnavarro has quit IRC		20:46
nicodemus_	hello	20:46
*** voelzmo has joined #openstack-keystone		20:46
dstanek	samueldmq: as an operator writing a mapping don't you need to know that?	20:46
dstanek	hi nicodemus_	20:46
*** browne has quit IRC		20:47
*** diazjf has quit IRC		20:47
nicodemus_	what would be the correct way to get the domain-id in an API if I receive a project-scoped token?	20:47
nicodemus_	correct/recommended	20:47
dstanek	samueldmq: i actually thought people would ding me on the opposite. the docs are written from an operator point of view and don't exactly translate to the implementation directly. logically, but not directly	20:48
*** ravelar has quit IRC		20:49
samueldmq	dstanek: yeah, I thought logically could be enough. Like itwas before but applying your commentss.	20:49
dstanek	samueldmq: ?	20:49
*** diazjf has joined #openstack-keystone		20:49
samueldmq	dstanek: I AM not an operator, thats useful to me though	20:49
lbragstad	stevemar where was your etherpad on the things that needed to merge?	20:49
*** browne has joined #openstack-keystone		20:49
dstanek	lbragstad: this one https://etherpad.openstack.org/p/keystone-sprint-to-ocata ?	20:50
lbragstad	dstanek yep	20:50
samueldmq	dstanek: what I was considering to be too detailed is in "how mappings" work, one May Just Skip that If find not useful.	20:51
*** voelzmo has quit IRC		20:51
samueldmq	dstanek: and it is still there for those who want more details. So that makes sense to me	20:51
stevemar	gagehugo: you're getting close!	20:51
gagehugo	stevemar: \o/	20:51
dstanek	samueldmq: if you don't know how they are processed you can't write one	20:52
gagehugo	stevemar: this patch set was definitely interesting to work on	20:52
dstanek	that's why i get asked the same questions all of the time. "Why isn't my last rule being used?" or "Why isn't this in the direct maps? The conditional matches!"	20:53
samueldmq	dstanek: hmm you're right. We stop after the first match, correct?	20:53
samueldmq	dstanek: yes, that's correct. Thanks for clarifying	20:53
dstanek	samueldmq: yep. before i submit for real i'll double check everything. this was just my brain dump after our conversation last week	20:54
samueldmq	:-)	20:54
dstanek	i still need to go through and make sure everything is consistent	20:54
*** ravelar has joined #openstack-keystone		20:54
samueldmq	dstanek: nice!	20:54
dstanek	nicodemus_: v2 or v3?	20:54
nicodemus_	dstanek, v3	20:55
samueldmq	BTW well done lbragstad and dstanek on getting that auto-provisioning done!	20:55
dstanek	nicodemus_: doesn't the token response contain the domain id?	20:55
lbragstad	samueldmq not a problem - thanks for reviewing	20:55
dstanek	samueldmq: that was all lbragstad.	20:55
samueldmq	My pleasure reviewing :)	20:56
dstanek	samueldmq: the only thing i did was a small change to the mapping engine	20:56
samueldmq	Cool. lbragstad has been doing awesome specially this cycle.	20:56
samueldmq	Well, gotta run, brb	20:57
lbragstad	samueldmq later	20:57
nicodemus_	dstanek, to ellaborate: I added some domain support to an API, and just know realize that horizon can make a call with a project-scoped token. So, whta I need to do now (since a project can belong to a single domain) is to ask keystone about the domain ID of the token's project ID	20:57
*** pablo\|500\| has quit IRC		20:57
nicodemus_	dstanek, and before starting to code aimlessly... perhaps you could guide me about the recommended way	20:57
stevemar	spilla: your patch is up next!	21:00
*** lucas has quit IRC		21:01
*** lucas has joined #openstack-keystone		21:01
*** Jack_V has quit IRC		21:03
*** jaugustine has joined #openstack-keystone		21:04
spilla	stevermar: :D	21:05
*** ravelar has quit IRC		21:07
*** ravelar has joined #openstack-keystone		21:08
*** v1k0d3n has quit IRC		21:09
dstanek	stevemar: you guys are approving too fast for me. i think i need to start at the bottom of the list	21:11
dstanek	nicodemus_: i think you'll get back user information if you validate the token	21:12
dstanek	nicodemus_: what do you need the domain for?	21:12
nicodemus_	dstanek, because I have several resources that contain the domain-id metadata, and need to filter those resources to show only the ones that belong to the same domain as the token (even if the token doesn't contain the domain-id)	21:14
dstanek	nicodemus_: gotcha	21:15
nicodemus_	I was thinking issuing a keystone project show with the project ID to get the domain ID, would that be better or worse than validating the token?	21:15
nicodemus_	^^^ meaning importing keystone-client in the code and so on	21:16
openstackgerrit	Richard Avelar proposed openstack/keystone: Add queries for federated attributes in list_users https://review.openstack.org/414720	21:17
dstanek	nicodemus_: we'll do you want to know the domain of the user or the project since they can be different	21:18
nicodemus_	the domain of the project	21:18
dstanek	nicodemus_: them upi	21:19
dstanek	you'll need to query the project	21:19
dstanek	nicodemus_: because the user can scope to a project in a given domain they have access to other resources in that same domain?	21:20
nicodemus_	dstanek, that is correct	21:22
*** slunkad has quit IRC		21:22
dstanek	nicodemus_: that seems like a strange assumption. what is the service you are working on?	21:23
morgan	stevemar: almost done with the base changes for the MFA ruleset	21:24
morgan	stevemar: woo, this is going pretty well.	21:24
stevemar	morgan: nice!	21:24
*** henrynash has joined #openstack-keystone		21:24
*** ChanServ sets mode: +v henrynash		21:24
stevemar	we might just have an MFA story for this cycle ;)	21:24
nicodemus_	dstanek, I'm altering gnocchi, but it is a custom modification that we are trying out	21:24
*** slunkad has joined #openstack-keystone		21:25
dstanek	nicodemus_: cool, i would just not expect to have access to one project because i have access to another in the same domain, for instance	21:26
morgan	stevemar: this opens the doors for much needed simplification but this is basic restructuring. in about ~2 more patches the "load rules" and make sure the methods match at least one rule. The nice thing is if you re-scope, your MFA rules will still match because the methods for the tokens are [token + all previous methods]	21:26
morgan	stevemar: so we will know if an original auth had, say totp, or password + totp, etc	21:26
dstanek	i don't know anything about the gnocchi architecture though so i don't know how it's resources are organized	21:26
stevemar	morgan: thats awesome	21:27
morgan	stevemar: in theory we could require some APIs to have TOTP this way	21:27
morgan	such as administrative things by adding a value to poicy saying methods must be MFA or some such	21:27
nicodemus_	dstanek, the idea is that if the gnocchi API receives a project scoped token, I need to get the domain ID in order to know what resources to show	21:27
morgan	stevemar: meaning a user could disable MFA rules but not act until they re-enabled it	21:28
stevemar	bbiab	21:28
nicodemus_	dstanek, do you know if querying for the project details is something that keystone would cache?	21:28
morgan	nicodemus_: keystone tries to cache many things if possible for both a given request and if you enable memcache caching	21:29
*** voelzmo has joined #openstack-keystone		21:29
*** woodster_ has joined #openstack-keystone		21:30
dstanek	nicodemus_: yep, enable memcache caching and make sure you specifically cache resources	21:30
nicodemus_	morgan, we do have memcache enabled, just wanted to double-check before seeing my keystone suffering under the load :)	21:30
morgan	nicodemus_: it should cache requests for project reference	21:30
morgan	nicodemus_: there are few things (credential backend) and some other stuff we don't cache	21:31
morgan	we also do not cache list operations	21:31
morgan	but if you do get-project(id) basically, it should be cached	21:31
nicodemus_	dstanek, morgan, awesome. Thanks a lot!! :D	21:31
nicodemus_	appreciate it	21:31
morgan	happy to help :)	21:31
dstanek	yw	21:31
* morgan taps foot waiting for unit tests...		21:32
dstanek	this adding domain_id is giving me headaches trying to think about the consequences	21:32
morgan	dstanek: to what are you adding domain_id?	21:32
*** voelzmo has quit IRC		21:33
dstanek	morgan: no i... https://review.openstack.org/#/c/409874	21:34
*** david-lyle has quit IRC		21:35
dstanek	rderose: i don't understand the new constraints in your domain_id patch	21:35
*** nicodemus_ has quit IRC		21:35
*** adrian_otto has joined #openstack-keystone		21:36
rderose	dstanek: the new unique constraint	21:37
rderose	?	21:37
dstanek	rderose: our data model is uber screwy. do we need a unique constraint on the user table for (id, domain)?	21:39
*** david-lyle has joined #openstack-keystone		21:39
dstanek	rderose: is that how you are keeping the local_user values in sync?	21:39
*** david-lyle has quit IRC		21:39
rderose	dstanek: yes, in order to have a composite fk constraint in the child tables, we needs unique constraint in user table	21:39
*** david-lyle has joined #openstack-keystone		21:39
rderose	dstanek: the fk constraint will keep the domain_id (and user_id for that matter) in sync	21:40
rderose	dstanek: having the composite fk (user_id, domain_id) allows us to set the domain_id for all users in the user table	21:41
rderose	dstanek: but also keeps an entry in the local_user table to enforce domain_id + name unique constraint	21:42
*** henrynash has quit IRC		21:45
*** thorst_ has quit IRC		21:45
rderose	dstanek: I know it appears complex, but all we're really doing is creating a composite foreign key between user and local_user, such that:	21:47
rderose	user (id, domain_id) => local_user fk(user_id, domain_id)	21:47
dstanek	do we test upgrades against supported DBs in the gate	21:49
*** bandrus has left #openstack-keystone		21:50
lbragstad	dstanek we have the opportunistic tests, but that's it	21:50
dstanek	lbragstad: that's unfortunate. i don't know if they triggers work :-)	21:51
dstanek	rderose: is there any reason why the triggers handle the user.domain_id differently?	21:53
rderose	dstanek: are you referring to postgresql and mysql?	21:54
dstanek	mysql checks that domain_id is null where pg doen't	21:54
rderose	yeah, for pg, I'm just blindly updating the domain_id	21:55
rderose	pg does triggers differently where you define a function	21:55
*** arunkant has joined #openstack-keystone		21:55
rderose	dstanek: really, for inserts you only need to set the domain_id if it is null	21:56
rderose	dstanek: old code running at that point	21:56
dstanek	any reason? why you don't do nuke the domain_id in mysql/sqlite the same way?	21:56
rderose	dstanek: I could have, but if new code is running, it's being set	21:56
*** diazjf has quit IRC		21:57
openstackgerrit	Samuel Pilla proposed openstack/keystone: Add password expiration queries for PCI-DSS https://review.openstack.org/403898	21:57
rderose	dstanek: the inconsistency is really because I created the mysql and sqlite triggers first, got them working	21:58
rderose	and much later worked on the pg	21:58
rderose	triggers	21:59
*** lucas has quit IRC		22:00
dstanek	ok, it's doubtful they make a different anyway since i don't think there is a way to change domain_id via the api, is there?	22:00
dstanek	i'd have to check update_user, but i didn't think it would do that	22:01
*** dave-mccowan has quit IRC		22:08
*** thorst_ has joined #openstack-keystone		22:11
*** adriant has joined #openstack-keystone		22:12
rderose	dstanek: correct	22:15
*** thorst_ has quit IRC		22:15
rderose	dstanek: actually, sorry, I believe you can update the domain_id for a user	22:16
rderose	through update_user	22:16
lbragstad	have folks here played with story board much?	22:19
*** ravelar has quit IRC		22:24
stevemar	lbragstad: nope	22:25
openstackgerrit	Gage Hugo proposed openstack/keystone: Allow user to change own expired password https://review.openstack.org/404022	22:26
*** spilla has quit IRC		22:28
lbragstad	stevemar I haven't played with it in a while	22:28
lbragstad	looks a lot different than what I remember!	22:28
lbragstad	https://storyboard-dev.openstack.org/#!/story/62	22:34
*** spilla has joined #openstack-keystone		22:35
*** chris_hultin is now known as chris_hultin\|AWA		22:35
knikolla	arghh, anybody has a minute for git help?	22:35
stevemar	gagehugo: quick release note clean up and you get a +2	22:36
stevemar	knikolla: just state your problem :)	22:36
knikolla	stevemar: i rebased on top of a review, and when i do git-review it's telling me that i will publish both commits (mine and the one i rebased on top of)	22:37
knikolla	maybe rebasing changed the changeid of the previous one	22:37
lbragstad	knikolla it could have	22:38
lbragstad	knikolla if you `git review -d <change-you-want-to-base-off-of>` you should get placed at that exact point in time of the latest ps	22:38
openstackgerrit	Gage Hugo proposed openstack/keystone: Allow user to change own expired password https://review.openstack.org/404022	22:38
gagehugo	stevemar: thanks!	22:38
lbragstad	knikolla then you can do `git review -x <your-change>` to cherry pick on top of it	22:39
lbragstad	knikolla that should only change the patch you cherry picked	22:39
knikolla	lbragstad: will try that! thanks!	22:39
lbragstad	knikolla so you should be able to do `git review --yes --no-rebase` and it shouldn't push a new version of the patch you based your change on	22:40
*** thorst_ has joined #openstack-keystone		22:40
*** thorst_ has quit IRC		22:43
knikolla	lbragstad: http://paste.openstack.org/show/10fsQS7MAapGSnDIe5sa/	22:46
lbragstad	knikolla yeah - that looks good	22:47
rderose	dstanek: saw you pagination comment	22:48
lbragstad	knikolla if you double check - you'll see that rodrigods's commit sha is 9005858a0, which is the same as the latest commit sha here https://review.openstack.org/#/c/422819/	22:48
lbragstad	knikolla so there shouldn't be anything you have locally that is different from what rodrigods has in patch set 2 ^	22:48
rderose	dstanek: originally was executing an update from select statement on the entire table, but ran into table locking	22:49
*** spilla has quit IRC		22:49
rderose	dstanek: have we done pagination before with sqlalchemy? looking for an example...	22:49
knikolla	lbragstad: alright, thanks!	22:49
openstackgerrit	Kristi Nikolla proposed openstack/keystone: Forbid creation of cross-domain implied roles https://review.openstack.org/422904	22:49
lbragstad	knikolla does that make sense?	22:49
lbragstad	knikolla hah - yep! so you're change will be based on rodrigods' now	22:50
knikolla	lbragstad: yes, it makes sense. thanks!	22:50
lbragstad	knikolla no problem!	22:50
knikolla	had somehow avoided basing my work on unmerged patches till now.	22:51
morgan	stevemar: can you taste being not PTL anymore? :)	22:51
morgan	dstanek: i think i removed the "side effect" bit of the plugins mucking around in auth_context	22:53
morgan	dstanek: woo.	22:53
morgan	dstanek: way more work than expected	22:54
morgan	but it's passing now.	22:54
*** adrian_otto has quit IRC		22:56
*** lamt has quit IRC		23:00
*** lamt has joined #openstack-keystone		23:01
stevemar	morgan: it tastes so good!	23:01
openstackgerrit	Kristi Nikolla proposed openstack/keystone: Forbid creation of cross-domain implied roles https://review.openstack.org/422904	23:03
*** david-lyle has quit IRC		23:03
openstackgerrit	Ron De Rose proposed openstack/keystone: Add domain_id to the user table https://review.openstack.org/409874	23:03
morgan	stevemar: our unit tests have gotten really slow again	23:04
openstackgerrit	Kristi Nikolla proposed openstack/keystone: Forbid creation of cross-domain implied roles https://review.openstack.org/422904	23:04
*** lamt has quit IRC		23:06
morgan	rderose: ugh, the shadow stuff that landed in the mapped auth plugin just made for a reallly ugly rebase	23:15
rderose	:) sorry	23:16
rderose	morgan: ^	23:16
morgan	ok now i need to remember --theirs vs --ours	23:17
morgan	if i am rebasing...	23:17
morgan	rderose: do you know if i need --theirs or --ours if i want to get the upstream copy in rebase?	23:18
rderose	morgan: hmm... I don't	23:20
rderose	morgan: haven't done that before	23:21
*** chris_hultin\|AWA is now known as chris_hultin		23:21
*** edtubill has quit IRC		23:22
*** gyee has joined #openstack-keystone		23:22
*** ChanServ sets mode: +v gyee		23:22
*** jaugustine has quit IRC		23:24
morgan	rderose: it is 'ours'	23:25
morgan	rderose: since "ours" is master, and "theirs" is the feature branch i am on	23:25
morgan	never remembers these things	23:25
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Add user_mfa_rules table https://review.openstack.org/418166	23:25
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Auth Method Handlers now return a response object always https://review.openstack.org/420955	23:25
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Auth Plugins pass data back via AuthHandlerResponse https://review.openstack.org/422912	23:25
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Add SQL Upgrade Tests for MFA rules https://review.openstack.org/422817	23:26
rderose	morgan: ah, gotcha	23:27
morgan	hmm	23:33
morgan	rderose: can you tell me what is wrong with my migration in 422817?	23:33
morgan	i'm not seeing where i screwed up	23:33
morgan	but the table isn't being created?	23:33
rderose	hmm... looking	23:35
openstackgerrit	Morgan Fainberg proposed openstack/keystone: Auth Plugins pass data back via AuthHandlerResponse https://review.openstack.org/422912	23:36
*** gyee has quit IRC		23:36
morgan	rderose: or it is an issue with the test	23:36
rderose	morgan: I don't think it's an issue with the test	23:38
*** jaosorior has quit IRC		23:38
rderose	morgan: btw you don't need this line I think: session = self.sessionmaker()	23:38
morgan	yeh	23:39
morgan	that is the pep8 fai;l	23:39
morgan	but that doesn't tell me why the py35 test failed	23:39
rderose	morgan: where is migration 14?	23:39
rderose	morgan: I only see the test	23:39
*** gyee has joined #openstack-keystone		23:39
*** ChanServ sets mode: +v gyee		23:39
*** furface has joined #openstack-keystone		23:39
rderose	morgan: ah, got it	23:40
morgan	sorryt prev patch	23:40
morgan	yeH	23:40
*** thorst_ has joined #openstack-keystone		23:44
dstanek	rderose: i'm actually curious to know what would happen if all the users were modfied at once. table locking for some period of time?	23:45
rderose	dstanek: yep, table locking	23:46
rderose	that's why I switched to doing row by row	23:46
rderose	dstanek: I first took that approach, updating all at once, but ran into table locking in my migration tests	23:47
*** thorst_ has quit IRC		23:48
dstanek	rderose: is it doing it row-by-row now?	23:51
dstanek	so autocommitting i mean	23:52
rderose	dstanek: I'm pulling all local_users and then updating the user table row-by-row	23:53
*** MasterOfBugs has quit IRC		23:53
rderose	dstanek: so the update statement is getting executing within the for loop for each record	23:53
dstanek	is it autocommitting?	23:54
rderose	dstanek: if it does that by default, yes	23:54
rderose	dstanek: checking	23:54
rderose	dstanek: yeah, it looks like sqlalchemy will issue a commit automatically:	23:56
rderose	http://docs.sqlalchemy.org/en/latest/core/connections.html	23:57
rderose	dstanek: hmm...	23:57
rderose	dstanek: it will issue a commit automatically, sorry had to read that twice	23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!