Tuesday, 2017-01-24

*** thorst_ has joined #openstack-keystone00:00
*** antwash_ has joined #openstack-keystone00:00
*** antwash_ has quit IRC00:01
*** edmondsw has quit IRC00:04
*** portdirect is now known as portdirect_awayz00:10
*** thorst_ has quit IRC00:17
*** thorst_ has joined #openstack-keystone00:17
*** stingaci has joined #openstack-keystone00:17
*** thorst_ has quit IRC00:22
*** stingaci has quit IRC00:22
*** agrebennikov__ has quit IRC00:25
*** adrian_otto has joined #openstack-keystone00:36
*** thorst_ has joined #openstack-keystone00:42
*** portdirect_awayz is now known as authz00:43
*** thorst_ has quit IRC00:44
*** authz is now known as portdirect00:45
*** hoangcx has joined #openstack-keystone00:47
*** portdirect is now known as pd_00:48
*** stingaci has joined #openstack-keystone00:50
*** stingaci has quit IRC00:54
*** browne has quit IRC00:56
*** jamielennox is now known as jamielennox|away01:02
*** jamielennox|away is now known as jamielennox01:17
*** stingaci has joined #openstack-keystone01:22
*** mvk has quit IRC01:26
*** stingaci has quit IRC01:27
*** esp_ has quit IRC01:27
*** markvoelker has joined #openstack-keystone01:27
stevemaro/01:33
openstackgerritRon De Rose proposed openstack/keystone: Set the domain for federated users  https://review.openstack.org/42370801:33
openstackgerritRon De Rose proposed openstack/keystone: Refactor shadow users tests  https://review.openstack.org/42370501:37
openstackgerritRon De Rose proposed openstack/keystone: Set the domain for federated users  https://review.openstack.org/42370801:37
*** r1chardj0n3s is now known as r1chardj0n3s_afk01:44
openstackgerritRon De Rose proposed openstack/keystone: Set the domain for federated users  https://review.openstack.org/42370801:44
stevemarmorgan: rderose catching up now from what happened today01:44
rderosestevemar: morgan has a couple patches up: https://review.openstack.org/#/c/424220/01:45
rderosehttps://review.openstack.org/#/c/423909/01:45
stevemarrderose: i noticed!01:45
rderosestevemar: :) but both require an API change (I think)01:46
rderosestevemar: I think morgan is also testing out a user options list that would dynamically add user attributes01:46
rderosestevemar: I still maintain that deprecation is out-of-scope for my PCI patch, but totally understand morgan's concern01:47
rderosestevemar: btw been working with zzzeek on this one: https://review.openstack.org/#/c/409874/01:48
rderosestevemar: it's ready01:48
stevemarnice01:48
stevemarjust looking through all my email01:48
stevemarlots of stuff to review01:48
rderosestevemar: cool01:48
*** stingaci has joined #openstack-keystone01:55
*** adrian_otto has quit IRC01:56
*** stingaci has quit IRC01:59
*** Marcellin__ has quit IRC01:59
*** edmondsw has joined #openstack-keystone02:22
*** jlwhite has quit IRC02:26
*** stingaci has joined #openstack-keystone02:28
*** antwash has quit IRC02:28
*** stingaci has quit IRC02:32
*** jose-phillips has quit IRC02:44
*** harlowja has quit IRC02:44
*** ravelar has quit IRC02:48
*** thorst_ has joined #openstack-keystone02:49
*** thorst_ has quit IRC02:49
*** edmondsw has quit IRC02:51
*** edmondsw has joined #openstack-keystone02:52
*** edmondsw has quit IRC02:54
*** jlwhite has joined #openstack-keystone02:54
*** edmondsw has joined #openstack-keystone02:54
*** antwash has joined #openstack-keystone02:56
*** tovin07 has quit IRC02:56
*** edmondsw has quit IRC02:59
*** stingaci has joined #openstack-keystone03:01
*** stingaci has quit IRC03:05
*** tovin07 has joined #openstack-keystone03:07
*** chris_hultin|AWA is now known as chris_hultin03:17
*** chris_hultin is now known as chris_hultin|AWA03:21
*** jlwhite has quit IRC03:26
*** antwash has quit IRC03:27
*** stingaci has joined #openstack-keystone03:33
*** thorst_ has joined #openstack-keystone03:33
*** thorst_ has quit IRC03:34
*** stingaci has quit IRC03:37
*** furface has quit IRC03:37
*** nicolasbock has quit IRC03:54
*** jerrygb_ has quit IRC04:02
*** stingaci has joined #openstack-keystone04:06
*** antwash has joined #openstack-keystone04:08
*** jerrygb has joined #openstack-keystone04:09
*** antwash has quit IRC04:09
*** antwash has joined #openstack-keystone04:09
*** jerrygb has quit IRC04:10
*** stingaci has quit IRC04:10
stevemarrderose / lbragstad https://review.openstack.org/#/c/414720/ is ready i think04:12
rderosecool, let me take a look04:12
*** antdwash has joined #openstack-keystone04:25
*** jlwhite has joined #openstack-keystone04:26
morganstevemar: o/04:34
stevemarmorgan: o/04:34
morganstevemar: might have a patch ready that does the soft-options thing in like 10m04:34
morganturns out it is a lot easier than i thought04:34
*** MasterOfBugs has quit IRC04:34
morganalso zzzeek helped a lot04:34
morgan(only for user so far) but it should be straight forward overall04:35
stevemarmorgan: whats a soft-option?04:35
morgandefine an option in code04:35
morganlike "ignore_password_expiry":04:35
morganand then when you set that on [user] objects it is automatically stored in a dict like interface in a separate table04:36
morganso we don't need a top-level column for each thing04:36
morganmeaning long term we can support queries on "all users that ignore password expiry"04:37
morganand we can even support top-level options that could be set by non-admins04:37
morganexample: moving default_project_id to a user-settable option04:37
morganand it also lays the framework for domain options, aka PCI-DSS options enabled per-domain04:38
morganetc04:38
*** stingaci has joined #openstack-keystone04:38
morganit basically is what i was advocating to change 'extras' to, but only for the options we specifically define/support within keystone04:38
morgananything not defined as a keystone-specific option falls through to 'extras' as per normal04:39
stevemarah04:39
stevemarnice04:39
stevemarmorgan: should the mfa_enabled and mfa_rules be done that way, too?04:39
morganpossible to do that instead04:39
morgandepends on how much MFA rules will be used. it is more expensive to store options in this manner than a standard orm relationship04:40
morganbecause it is a per-user-per-option = a row when set04:40
morganbut in short, yes MFA rules and MFA enabled could be done this way04:40
morganthough MFA rules i would still put a specific API to set in place04:41
stevemarthats true04:41
morganbut the backend could use this new system04:41
morganlet me push the code (pre-tests) up and you can take a look and let me know which way you want me to go with MFA rules.04:42
* stevemar looks at release schedule04:42
morganthe only reason for the specific MFA rules API is because it'll be more likely to land.04:42
*** antwash has quit IRC04:42
*** antdwash is now known as antwash04:42
morganvs trying to do policy work within the update-user mechanism04:42
*** antdwash has joined #openstack-keystone04:42
*** stingaci has quit IRC04:42
*** antdwash has quit IRC04:43
*** antwash_ has joined #openstack-keystone04:43
morganok here let me push this up04:43
*** antwash_ has quit IRC04:43
morganyou take a look, the next step is tests: define an option, set the option, load the option, delete the option, null the option, overwrite the option, set multiple options and make sure options not specified aren't touched04:44
morganabout ~6 tests to add04:44
openstackgerritMorgan Fainberg proposed openstack/keystone: WIP- Code-Defined Resource-specific Options  https://review.openstack.org/42433404:44
morganit is currently based on the MFA rules bit, but i could un-wind that not too terribly04:44
morganit isn't a ton of code04:45
*** diazjf has joined #openstack-keystone04:49
*** diazjf has quit IRC04:50
stevemarmorgan: i had comments about the mfa code (first patch)04:50
stevemarotherwise it looks fine04:50
stevemarmorgan: we may want to pop those attributes for v2 user API calls?04:51
*** antwash_ has joined #openstack-keystone04:56
*** antwash_ has quit IRC04:56
*** antwash_ has joined #openstack-keystone04:57
*** dikonoor has joined #openstack-keystone04:59
morganyeah probably04:59
morganbut that is super easy to do.05:00
morganesp. with the new options code05:00
morganjust use the resource object to pop the names off in the filter05:00
*** chrisplo_ has quit IRC05:00
morganstevemar: so...05:00
morganstevemar: thoughts? go with the option code and restructure. it makes the MFA rules stuff much much much simpler and no migration scripts05:00
morgan(at least for now, unless we want to snarf config values -> user option)05:01
*** antwash_ has quit IRC05:02
*** chrisplo_ has joined #openstack-keystone05:03
morganstevemar: actually... no i think we want to maintain the values even in v2.05:04
morganstevemar: now that i think about it05:04
morganthey would be no different in this case than "extras"05:04
*** adrian_otto has joined #openstack-keystone05:08
*** dikonoor has quit IRC05:09
*** stingaci has joined #openstack-keystone05:11
*** jerrygb has joined #openstack-keystone05:11
*** adriant has quit IRC05:14
*** stingaci has quit IRC05:15
openstackgerritSteve Martinelli proposed openstack/keystone: Add user_mfa_rules table  https://review.openstack.org/41816605:15
*** jerrygb has quit IRC05:16
stevemarfixed minor comments ^05:16
*** henrynash has joined #openstack-keystone05:16
*** ChanServ sets mode: +v henrynash05:16
*** henrynash has quit IRC05:16
*** Jack_V has joined #openstack-keystone05:17
*** dikonoor has joined #openstack-keystone05:19
*** adrian_otto1 has joined #openstack-keystone05:19
*** severion has joined #openstack-keystone05:22
*** adrian_otto has quit IRC05:23
morganstevemar: hehe i'll be respinning that on top of the new options patch i think05:32
stevemarmorgan: +2 your mfa stuff except the controller changes05:32
stevemaralso needs routes :)05:32
morganyep.05:32
*** martinlopes has joined #openstack-keystone05:34
*** thorst_ has joined #openstack-keystone05:35
*** thorst_ has quit IRC05:40
*** adrian_otto1 has quit IRC05:41
*** stingaci has joined #openstack-keystone05:44
*** adrian_otto has joined #openstack-keystone05:46
*** stingaci has quit IRC05:48
*** adrian_otto has quit IRC05:51
stevemarmorgan: gn for now05:52
*** adrian_otto has joined #openstack-keystone05:52
*** adrian_otto has quit IRC06:11
*** adrian_otto has joined #openstack-keystone06:11
*** stingaci has joined #openstack-keystone06:16
*** stingaci has quit IRC06:21
*** zzzeek has quit IRC06:29
*** harlowja has joined #openstack-keystone06:34
*** richm has quit IRC06:42
*** martinlopes has quit IRC06:43
*** stingaci has joined #openstack-keystone06:48
*** adrian_otto has quit IRC06:50
*** stingaci has quit IRC06:52
*** stingaci has joined #openstack-keystone06:57
*** jerrygb has joined #openstack-keystone07:00
*** stingaci has quit IRC07:01
*** martinlopes has joined #openstack-keystone07:05
*** jerrygb has quit IRC07:06
*** martinlopes has quit IRC07:06
openstackgerritMaroun Maroun proposed openstack/python-keystoneclient: Fix boto version strip regex  https://review.openstack.org/42447107:11
*** chrisplo has joined #openstack-keystone07:24
*** harlowja has quit IRC07:26
*** chrisplo_ has quit IRC07:26
*** chrisplo has quit IRC07:28
*** mvk has joined #openstack-keystone07:35
*** thorst_ has joined #openstack-keystone07:36
*** tesseract has joined #openstack-keystone07:37
*** mvk has quit IRC07:40
*** thorst_ has quit IRC07:40
*** mvk has joined #openstack-keystone07:50
*** openstackgerrit has quit IRC08:03
*** openstackgerrit has joined #openstack-keystone08:44
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Imported Translations from Zanata  https://review.openstack.org/42451008:44
*** pcaruana has joined #openstack-keystone08:45
*** pnavarro has joined #openstack-keystone08:52
*** zzzeek has joined #openstack-keystone09:00
*** jerrygb has joined #openstack-keystone09:02
openstackgerritMaroun Maroun proposed openstack/python-keystoneclient: Fix boto version strip regex  https://review.openstack.org/42447109:06
*** jerrygb has quit IRC09:08
*** thorst_ has joined #openstack-keystone09:30
*** thorst_ has quit IRC09:35
*** mvk has quit IRC09:41
openstackgerritMerged openstack/keystone: Add queries for federated attributes in list_users  https://review.openstack.org/41472009:56
*** hoangcx has quit IRC10:06
*** thiagolib has joined #openstack-keystone10:14
*** mvk has joined #openstack-keystone10:16
*** sileht has quit IRC10:27
*** sileht has joined #openstack-keystone10:27
openstackgerritRodrigo Duarte proposed openstack/keystone: Add missing parentheses  https://review.openstack.org/42457910:54
*** jerrygb has joined #openstack-keystone11:04
*** jerrygb has quit IRC11:09
*** richm has joined #openstack-keystone11:11
*** aloga has quit IRC11:17
*** edmondsw has joined #openstack-keystone11:20
*** dikonoo has joined #openstack-keystone11:22
*** edmondsw has quit IRC11:24
*** dikonoor has quit IRC11:26
*** thorst_ has joined #openstack-keystone11:31
Dinesh_BhorHi all, is there anyone who can help me in understanding what is the difference between 'is_admin' and 'is_admin_project' and in which case the 'is_admin_project' is used in policy checking?11:33
*** sm1235 has quit IRC11:35
*** thorst_ has quit IRC11:36
*** nicolasbock has joined #openstack-keystone11:44
*** pd_ is now known as portdirect11:47
*** aloga has joined #openstack-keystone11:54
*** dikonoo has quit IRC12:03
*** catintheroof has joined #openstack-keystone12:16
*** gema has joined #openstack-keystone12:29
*** edmondsw has joined #openstack-keystone12:41
*** edmondsw has quit IRC12:45
*** thorst_ has joined #openstack-keystone12:47
*** jerrygb has joined #openstack-keystone13:05
*** jerrygb has quit IRC13:10
*** AlexeyAbashkin has joined #openstack-keystone13:16
*** edmondsw has joined #openstack-keystone13:18
*** dave-mccowan has joined #openstack-keystone13:18
*** edmondsw has quit IRC13:20
*** edmondsw has joined #openstack-keystone13:20
*** jlwhite has quit IRC13:27
*** antwash has quit IRC13:27
*** severion has quit IRC13:39
*** v1k0d3n has quit IRC13:39
*** spotz_zzz is now known as spotz13:39
*** v1k0d3n has joined #openstack-keystone13:40
*** spotz is now known as spotz_zzz13:45
openstackgerritMerged openstack/keystonemiddleware: Imported Translations from Zanata  https://review.openstack.org/42451013:45
openstackgerritMerged openstack/keystone: Add missing parentheses  https://review.openstack.org/42457913:55
*** thiagolib has quit IRC13:58
*** lamt has joined #openstack-keystone14:01
*** v1k0d3n has quit IRC14:08
*** v1k0d3n has joined #openstack-keystone14:09
*** spotz_zzz is now known as spotz14:13
*** jperry has joined #openstack-keystone14:21
*** flaper87 has quit IRC14:24
*** thiagolib has joined #openstack-keystone14:27
*** agrebennikov__ has joined #openstack-keystone14:33
openstackgerritRodolfo Alonso Hernandez proposed openstack/keystone: Remove dogpile.core dependencies  https://review.openstack.org/42467314:35
*** spotz is now known as spotz_zzz14:38
*** v1k0d3n has quit IRC14:39
*** severion has joined #openstack-keystone14:39
lbragstadlooks like https://review.openstack.org/#/c/403898/ is in need of a rebase14:42
*** jerrygb has joined #openstack-keystone14:44
openstackgerritRon De Rose proposed openstack/keystone: Set the domain for federated users  https://review.openstack.org/42370814:45
*** jerrygb_ has joined #openstack-keystone14:47
*** jerrygb__ has joined #openstack-keystone14:49
*** jerrygb has quit IRC14:51
*** jerrygb_ has quit IRC14:52
*** severion has quit IRC14:52
*** v1k0d3n has joined #openstack-keystone14:52
*** lamt has quit IRC14:52
*** knikolla has joined #openstack-keystone14:54
knikollao/14:54
knikollayay, irc bouncer is back online14:54
*** belmoreira has joined #openstack-keystone14:55
*** spotz_zzz is now known as spotz15:00
*** jerrygb has joined #openstack-keystone15:01
openstackgerritSamuel Pilla proposed openstack/keystone: Add password expiration queries for PCI-DSS  https://review.openstack.org/40389815:02
*** chris_hultin|AWA is now known as chris_hultin15:03
*** pnavarro has quit IRC15:05
*** jerrygb__ has quit IRC15:05
*** markvoelker has quit IRC15:18
*** pnavarro has joined #openstack-keystone15:19
*** chris_hultin is now known as chris_hultin|AWA15:19
*** markvoelker has joined #openstack-keystone15:21
*** jaosorior has joined #openstack-keystone15:25
*** ravelar has joined #openstack-keystone15:32
openstackgerritMaroun Maroun proposed openstack/python-keystoneclient: Fix boto version strip regex  https://review.openstack.org/42470015:34
*** edtubill has joined #openstack-keystone15:36
openstackgerritKristi Nikolla proposed openstack/keystone: Fixed unraised exception in _disallow_write for LDAP  https://review.openstack.org/42470415:36
*** antwash has joined #openstack-keystone15:40
*** jlwhite has joined #openstack-keystone15:41
*** jaugustine has joined #openstack-keystone15:42
*** jose-phillips has joined #openstack-keystone15:42
*** chris_hultin|AWA is now known as chris_hultin15:43
dstanekrderose: do enterprise tools force a password reset on the second login after an admin says you must reset?15:47
*** adrian_otto has joined #openstack-keystone15:47
rderosedstanek: I believe they force reset on the first login15:48
dstanekrderose: before you can actually use the system right?15:48
rderosedstanek: right15:49
rderosedstanek: you are forced on the change password screen15:49
*** mvk has quit IRC15:49
dstanekrderose: that's all i was really saying about our implementation. i'd rather it be like that15:50
dstanekthen it's more like other systems and the change is much simpler15:50
knikollawe no longer require a token to change the password. maybe reject issuing tokens altogether until password is changed.15:52
rderosedstanek: I see the point, now that, that patch has merged15:52
dstanekknikolla: exactly15:53
dstanekrderose: the other bonus is that technically you would not need to have that list because we allow control of expiration date via the api right?15:54
rderosedstanek knikolla: I guess what I don't like about it though, is what password expires means. Does it mean you only have access to the system until the password expires.15:54
rderosedstanek: knikolla: I guess not15:54
rderosedstanek: knikolla: now it simply means, you need to update your password15:54
knikollarderose: in my opinion, password expires means the ability of the password to give you a token.15:55
dstanekto me password expired means you need to change it now15:55
rderosedstanek: knikolla: okay, makes sense then15:55
knikollapassword expired, no new token. if you have an old one, it should still be valid. this is how i see it.15:55
knikollaold token*15:55
dstaneksince we allow self password changes for expired passwords we took off the extra 'you need to checkin with your admin' constraint15:56
rderosedstanek: we don't allow control over expiration via the API15:56
*** antwash_ has joined #openstack-keystone15:56
dstanekrderose: damn :-(15:56
rderosedstanek: but!15:56
rderosedstanek: we could add it :)15:56
rderosedstanek: however, it would only be valid for local users15:57
rderosedstanek: as it would have no impact on ldap users and probably should throw an error15:57
dstanekrderose: yeah, that may be something to bring up to morgan as a design alternative.15:58
rderosedstanek: currently, password expires is being returned in the response, but not allowed in the request15:58
rderosedstanek: yeah15:58
dstanekrderose: how do admins force their service users to not expire now? is that in a config?15:59
morgandstanek: easy with my alternative15:59
morganactually15:59
dstanekmorgan: what was your alternative? an attribute on the user?16:00
rderosedstanek: ignore list16:00
morgandstanek: yes.16:00
morgandstanek: but it's a code-based option that is converted to an attribute16:00
morganso no migrations needed, just define the option in code and then next release can start using it16:00
morgan(one migration to implement the storage table per resource type)16:00
morganit's extras... but indexable16:01
morganand defined in code, with validators16:01
dstanekmorgan: why not just add it to the model?16:01
morganit is part of the model16:01
morganhold on...16:01
morganlet me show you an example16:01
dstaneki mean the data model instead of using extras16:02
morganit isn't "extras"16:02
morganhold on, writing a commit message16:02
dstaneklol, ok16:03
dstanekrderose: ^ just make morgan mad and he'll write the code16:04
*** jose-phillips has quit IRC16:05
openstackgerritMorgan Fainberg proposed openstack/keystone: Code-Defined Resource-specific Options  https://review.openstack.org/42433416:05
morgandstanek: ^16:05
morgandstanek: so, the workflow is you define an option in the code, aka "ignore_password_expiry"16:06
rderosedstanek: haha16:06
rderosedstanek: exactly16:06
morganthis has a type, and name, and a 4-character-id16:06
morganif the "name" (in this case "ignore_password_expiry") is in the user update ref, it is extracted, validated, and stored in an associated attribute mapper (SQL dict representation)16:06
*** dmellado has quit IRC16:07
morganwhen you load the user_ref, it is placed into the ref like any other attribute16:07
morganthe advantage here is no migration is needed to add a column per option16:07
morganthis opens the door for code-defined options for things like ignoring password expiry, domain-by-domain pci-dss enforcement16:07
morganetc16:07
morganeach resource type would get an options table16:08
rderosemorgan: sweet!16:08
morganthe exception would be if you expect the option to be used *every single time*16:08
morganwhich case, you would make it a column16:08
rderosemorgan: what about impact to the API?16:08
morganlike (for example) name16:08
morganrderose: none16:08
morganrderose: this is all done internally in the storage system16:08
rderosemorgan: we're not adding attributes to the request, cool16:08
*** jerrygb has quit IRC16:08
rderosemorgan: how about to the response?16:08
morganthe only possible change needed is schema changes16:08
morganthe response would now include these new values in the JSON16:09
morganbut only if they are set16:09
morganif you want to unset an option, set the value to "None" in the update request16:09
*** jerrygb has joined #openstack-keystone16:09
morganyou can also set options on create, since it is hooked into ".from_dict" on the model16:09
rderosemorgan: would be nice if we could hide from the response16:09
morganyou don't want to hide these from the response16:10
rderosemorgan: actually, maybe not16:10
rderoseyeah, rethinking that16:10
morganthese are values on the Resource that would be applied on updates.16:10
morganor set.16:10
rderosehow about query parameters on these new attributes?16:10
morgannot implemented yet16:10
rderoseokay16:10
morganbut future proofed to be able to do that16:10
rderosegotcha16:10
morganthis design is specifically so we *can* filter/query on it16:10
dstanekmorgan: i'll take a look16:11
morganand it also allows us to look at implementing policy allowing updates for options by the user themself16:11
morganand easing back .update_user or similar APIs from being "admin-only"16:11
morgangive it fidelity to say "these settings are settable by role XXXX"16:11
morganor "object owner (self) in the case of a user"16:12
morgan(or a new API) *shrug*16:12
rderosemorgan: wow! nice16:12
morganthe thought was to convert MFA rules over to this and your password expiry/lockout changes16:12
*** antwash_ has quit IRC16:12
rderosemorgan: we can have our cake and eat too!16:12
rderose:)16:12
morgancode changes are much, much smaller and no special encoding for things in LDAP (Ldap will say "hah, no") without using the shadow-user mechanisms16:13
morganand since this is tied to the main user object16:13
morganit works with local and non-local users, options may not apply to non-local users16:13
rderoseright16:13
morganbut it avoids wonkiness and creating a non-local user object16:13
morganfor a local user and vice versa16:13
*** antwash_ has joined #openstack-keystone16:14
morgani've been meaning to implement this type of setup for a while now16:14
morganthis was me being frustrated at some choices from newton and needing to get it out16:14
rderosemorgan: how do you set the options for nonlocal users?16:14
morganto be fair, i haven't run the complete unit tests on it16:14
morganas long as you can do an update to the user16:15
*** dougshelley66 has joined #openstack-keystone16:15
morganwhich may need some changes16:15
stevemardougshelley66: o/16:15
rderosemorgan: update will only be called by sql backend16:15
stevemardougshelley66: i hear you have questions16:15
dougshelley66hi stevemar16:15
dougshelley66yes - my question is16:15
morganright we might need to make some changes to allow Option16:15
morganbut eh for now it's local users only16:15
dougshelley66the trove-api service seems to always be authenticating a token using the admin endpoint16:16
dstanekwife's here so it's lunch time. morgan, i'll take a deep look a little later. i'm very curious about the possibilities16:16
morganthis is framework that makes a lot of this easier16:16
dougshelley66via the keystoneauth1 component16:16
morgandstanek: ++16:16
*** pcaruana has quit IRC16:16
rderosemorgan: yeah, you could use shadow users and call update to update the options from core16:16
dougshelley66is there a way to get it to use public16:16
dougshelley66seems like there is an "interface" option but we don't know how to set it16:16
morganstevemar: https://review.openstack.org/#/c/424334/16:16
stevemardougshelley66: do you set the options in trove.conf file?16:16
morganrderose: options are set in update_user for now16:16
dougshelley66yes we have a keystone_authtoken section16:16
stevemarah16:16
dougshelley66but it wasn't clear if "interface" is valid in there?16:16
dougshelley66is it?16:16
morganrderose: but we can work through what that looks like for non-local users future looking16:17
morgani'm thinking it's values that are still updatable just for values that aren't stored on non-local user object16:17
stevemardougshelley66: you should be able to set interface...16:17
stevemarlet me look up the option16:17
morganthis is all future proofing work + fix some architectural issues in one fell swoop16:17
dougshelley66oh ok - it didn't seem to dump that one in the CONF output16:17
dougshelley66but we can try that16:18
morgani feel bad it's ~500 lines, but ... it is what was needed.16:18
morganand it's tested.16:18
rderosemorgan: local and nonlocal are still tied to a user object. if you called driver.update and then shadow.update # update the options16:18
morganright.16:18
rderosemorgan: it would apply to all users (just a thought)16:18
morganso we can make that work for options16:18
morgan:)16:18
dougshelley66stevemar it isn't working - doesn't seem to pick it up16:18
morganto start it'll probably be just for local users (current workflow)16:18
morganbut in short, look at the code16:19
rderosemorgan: to keep simple ;)16:19
rderosecool, will do16:19
*** lamt has joined #openstack-keystone16:20
*** phalmos has joined #openstack-keystone16:21
stevemardougshelley66: hmm... why isn't it picking it up..16:22
dougshelley66the trove-api.log dumps all the options of [keystone_authtoken] and i don't see it in there16:22
dougshelley66if I hack keystoneauth1/identity/base.py and force interface = public, it works16:23
dougshelley66but clearly that isn't a good solution :)16:23
stevemar:)16:23
dougshelley66keystoneauth1 seems to have an option called interface...is it expected in a different CONF section?16:23
morganrderose: fwiw, looks like it is passing unit tests *phew*16:24
rderosemorgan: nice!16:24
stevemardougshelley66: ah, maybe jamielennox intended it to be part of the session/adapter code instead of an option16:24
openstackgerritRichard Avelar proposed openstack/keystone: Change unit test class to a less generic name  https://review.openstack.org/42472616:25
dougshelley66stevemar sure but it looks like you can specify --os-interface somewhere16:25
stevemardougshelley66: yeah, with the adapter code16:25
dougshelley66i assume that meant there was a CONF variable somewhere16:25
stevemardougshelley66: where do you set the keystone session in trove?16:25
stevemarlooks like in here? https://github.com/openstack/trove/blob/master/trove/common/glance_remote.py16:26
dougshelley66would this be done in apipaste?16:26
*** phalmos has quit IRC16:26
dougshelley66hmm that code is only used in the multi-region setup16:26
dougshelley66so not in-band to what i'm doing16:27
openstackgerritRichard Avelar proposed openstack/keystone: Change unit test class to a less generic name  https://review.openstack.org/42472716:28
*** phalmos has joined #openstack-keystone16:28
stevemardougshelley66: hmm, where are you using it in trove then?16:29
morganzzzeek: thanks for the help yesterday16:30
stevemaris lbragstad around today?16:30
lbragstadstevemar i am16:31
dougshelley66i'm not certain - it seems like this is happening in the api service before "trove" code gets called16:31
stevemardougshelley66: i suggest coming back in an hour or two and bugging jamielennox :)16:31
samueldmqhey all16:32
samueldmqanyone looking at bug #165903016:32
openstackbug 1659030 in OpenStack Identity (keystone) "The proxy server received an invalid response from an upstream server" [Undecided,New] https://launchpad.net/bugs/165903016:32
samueldmqThe proxy server could not handle the request <em><a href="/v2.0/tokens">POST&nbsp;/v2.0/tokens</a></em>.<p>16:33
samueldmqReason: <strong>Error reading from remote server</strong></p></p>16:33
samueldmqI've never seen that16:33
dougshelley66stevemar ok thx16:33
stevemardougshelley66: sorry for passing the buck :P16:35
stevemarsamueldmq: i suspect its a misconfiguration, but we should look into it16:35
stevemarlbragstad we need a game plan for the last few patches16:35
openstackgerritRon De Rose proposed openstack/keystone: Add domain_id to the user table  https://review.openstack.org/40987416:36
lbragstadstevemar ok - https://etherpad.openstack.org/p/keystone-sprint-to-ocata16:36
openstackgerritRon De Rose proposed openstack/keystone: Refactor shadow users tests  https://review.openstack.org/42370516:36
openstackgerritRon De Rose proposed openstack/keystone: Set the domain for federated users  https://review.openstack.org/42370816:36
stevemarlbragstad: i was hoping you (and dstanek?) could test out rderose's changes for adding domain id to the user table?16:36
stevemarusing rolling upgrades of course16:36
stevemari ask you because you had automation setup already when you tested the fernet credential setup16:37
morganstevemar: when did we implement rolling upgrades?16:37
lbragstadyeah - i can do that this afternoon16:37
lbragstadmorgan Newton16:37
morganhmm.16:37
morganso. in Q we can squash the old migrate repo down to "Newton"16:37
lbragstadmorgan we don't have the project tag asserted for keystone yet because it's not tested in the gate16:37
morganand stick with rolling upgrades from there16:37
morganor in P we can squash?16:38
stevemarwe can probably squash in P16:38
morganok lets plan to do that16:38
stevemarmorgan: don't divert this train :P16:38
morganstevemar: hahahahaha but i like being a diversion16:38
stevemarlbragstad: in the mean time, rderose and i will review morgan's patches for code defined option and MFA -- you good with that rderose?16:39
stevemardstanek: you can float between helping lbragstad and reviewing morgan's patches16:39
stevemarthat sound good to everyone?16:39
morganstevemar: the MFA will probably be rebased on the option one if folks like it16:39
morganstevemar: so review the option one first16:40
morganif so, i'll rebase onto that and make the MFA thing no-migrations16:40
morganso look at the mfa patches in light of that16:40
lbragstadyeah - that should work. I have a few meetings this afternoon but i'll block off some time to test manually16:40
morganand if folks have no issues i'll start rolling the MFA stuff up (API wise) today16:41
rderosestevemar: hell yeah!16:41
rderosestevemar: just need to re-spin the setting the domain for federated users due to ravelar patch16:42
knikollanice teamwork :)16:42
openstackgerritRichard Avelar proposed openstack/keystone: Verbose breakup of method into seperate methods  https://review.openstack.org/42474016:42
rderoseknikolla: ++16:43
lbragstadwho here is familiar with the id mapping stuff?16:43
stevemarlbragstad: henry is :P16:45
*** diazjf has joined #openstack-keystone16:45
lbragstadstevemar of course he is :)16:46
lbragstadstevemar alright - well i'm gonna take a stab at this,16:46
stevemaryesssh16:47
*** dmellado has joined #openstack-keystone16:48
knikollalbragstad: which one is that?16:50
*** dmellado has quit IRC16:53
openstackgerritRodolfo Alonso Hernandez proposed openstack/keystone: Remove dogpile.core dependencies  https://review.openstack.org/42467316:54
*** browne has joined #openstack-keystone16:55
openstackgerritRon De Rose proposed openstack/keystone: Set the domain for federated users  https://review.openstack.org/42370816:56
lbragstadstevemar https://bugs.launchpad.net/keystone/+bug/165864116:57
openstackLaunchpad bug 1658641 in OpenStack Identity (keystone) "Moving/disabling LDAP users break Keystone queries depending on role ID" [Undecided,New]16:57
lbragstadknikolla id mapping is a specific backend/database for providing public ids for multi-domain backends that don't generate UUID-like ID (i think)16:58
morganyes16:59
morganwe need ids to be somewhat controlled by keystone16:59
morganif LDAP (multildap) all provide the same IDs we have issues16:59
morgansince IDs need to be globally unique16:59
lbragstadright16:59
morganso we have mapping, which does Sha256(LDAP-provided-id, domain_id)16:59
morganguaranteeing uniqueness16:59
*** dmellado has joined #openstack-keystone16:59
morganand consistent16:59
morganit is not uuid though17:00
morganit is explicitly longer17:00
knikollamorgan: understood17:00
*** tqtran has joined #openstack-keystone17:00
ayoungmorgan, I'm watching this https://www.youtube.com/watch?v=WvnXemaYQ5017:00
lbragstadwhich is nice when you purge all mappings for a domain17:00
ayoungkubernetes uses the word namespace to mean what we call "projects" and "domains"17:00
morganyep17:00
ayoungCLusterRoles are global roles (is_admin_project=True)17:01
ayoungand Roles are what we do17:01
morganand we suck for calling our stuff domains and projects17:01
morgan(tenant was a better name)17:01
ayoungyep17:01
ayoungbut we can call them all namespaces in the future17:01
ayoungsince kubernetes is going to devour openstack anyway17:01
ayoungRoleBindings are role assignments17:02
17:02 * ayoung should write up a translation doc
17:02 <openstackgerrit> Rodolfo Alonso Hernandez proposed openstack/keystone: Remove dogpile.core dependencies  https://review.openstack.org/424673
17:04 <openstackgerrit> Richard Avelar proposed openstack/keystone: WIP extend users API to add federated object  https://review.openstack.org/418624
17:04 <ayoung> And they did the "You have to have a role to assign a role"
17:06 <stevemar> lbragstad: i saw that bug, nice bug, should get fixed in P though
17:06 <lbragstad> stevemar agreed - i'm not really sure how we can fix it besides documenting the behavior though
17:07 <stevemar> lbragstad: oh we can probably do something
17:07 <stevemar> lbragstad: maybe if an old ID is looked up and not found, we can self-clean
17:08 <ayoung> lbragstad, watch https://www.youtube.com/watch?v=WvnXemaYQ50  when you get a chance
17:08 <openstackgerrit> Kristi Nikolla proposed openstack/keystone: WIP: Remove LDAP delete logic and associated tests  https://review.openstack.org/424344
17:10 <morgan> stevemar: https://bugs.launchpad.net/keystone/+bug/1659051
17:10 <openstack> Launchpad bug 1659051 in OpenStack Identity (keystone) "Use CORS set_defaults" [Undecided,New]
17:11 *** dave-mccowan has quit IRC
17:12 <samueldmq> stevemar: perhaps I can query logstash to see how often that happens?
17:13 <morgan> stevemar: https://bugs.launchpad.net/keystone/+bug/1659053
17:13 <openstack> Launchpad bug 1659053 in OpenStack Identity (keystone) "use uuids with pycadf" [Undecided,New]
17:16 <stevemar> morgan: both good bugs ++
17:21 <morgan> oooh weird
17:21 <morgan> we don't call .latent() anywhere
17:23 <morgan> looks like a bug in oslo.middleware
17:23 <morgan> then
17:27 <ayoung> morgan, guess who asks the first question at the end of the preso?
17:27 <morgan> you?
17:27 <morgan> ;)
17:27 <ayoung> not I
17:27 <morgan> who?
17:27 <ayoung> morgan, I was not at kubeconf
17:27 <morgan> ahh. topol?
17:27 <ayoung> ++
17:28 <morgan> haha
17:28 <ayoung> "I worked on a different open source project that..."
17:28 *** diazjf has quit IRC
17:28 <morgan> ayoung: topol has been learning from you how to phrase the questions :)
17:29 <ayoung> morgan, I think the most interesting part of the K8S architecture is that K8S owns the service catalog
17:29 <lbragstad> interesting - they have a mix of traditional and scoped rbac
17:29 <ayoung> lbragstad, right
17:29 <morgan> ayoung: yeah
17:30 <lbragstad> morgan and i were just talking about unscoped roles
17:30 <morgan> lbragstad: like i said we may want to revisit that
17:30 <morgan> ^_^
17:30 <ayoung> lbragstad, so for the RBAC  stuff, you go to the service catalog to get the name of the resource
17:30 <ayoung> so where I have "match the URL" they just match the resource
17:30 <lbragstad> that's if you're applying any scope to RBAC
17:30 <ayoung> which means that, at the API server level, they need to be able to go from URL back to resource type
17:31 <ayoung> lbragstad, actually for ClusterRoles, too
17:31 <ayoung> lbragstad, so orthogonal to scope
17:31 <lbragstad> form the presentation it sounds like they keep namespaces and cluster roles mutually exclusive
17:31 <lbragstad> from*
17:32 <ayoung> lbragstad, yeah, it seems to.  But they do the RBAC the same way from roles or cluster roles to resources
17:32 * lbragstad keeps watching
17:33 <ayoung> it would be like if we had a separate field in the token "Cluster_roles" and then policy was "cluster_role:admin:" which would not match the same thing as role:admin
17:33 <lbragstad> right - or only make cluster roles available in unscoped tokens
17:33 <lbragstad> available/viewable
17:34 <dougshelley66> jamielennox would you be able to answer a quick q
17:35 <lbragstad> yes - https://youtu.be/WvnXemaYQ50?t=22m15s
17:36 <dougshelley66> jamielennox i notice that interface default to 'admin' here - https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/httpclient.py#L253
17:36 <ayoung> dougshelley66, he's in Australia
17:36 <ayoung> probably dead asleep...or he should be
17:36 <dougshelley66> is there any way (like a conf setting) that we can override that
17:36 <dougshelley66> ayoung ah ok thx
17:36 <dougshelley66> well if anyone else can answer my question.....
17:36 <dougshelley66> :)
17:36 <lbragstad> dougshelley66 he is usually in our keystone team meeting, and sometimes available after that
17:37 <lbragstad> (which is in 20 minutes)
17:37 <ayoung> dougshelley66, you want to change the default interface used for talking to keystone to be the public one instead of admin, cuz admin is inside the firewall?
17:41 <dougshelley66> yes exactly
17:41 <dougshelley66> is that possible
17:42 *** spilla has joined #openstack-keystone
17:42 *** belmoreira has quit IRC
17:43 *** adrian_otto has quit IRC
17:44 *** mvk has joined #openstack-keystone
17:45 *** d34dh0r53 is now known as ID-Ten-T
17:45 <openstackgerrit> Boris Bobrov proposed openstack/keystone: Enable trusts for federated users  https://review.openstack.org/415545
17:47 *** phalmos_ has joined #openstack-keystone
17:48 *** ID-Ten-T is now known as blarnath
17:48 *** blarnath is now known as d34dh0r53
17:50 *** phalmos has quit IRC
17:51 *** dave-mccowan has joined #openstack-keystone
17:56 *** jose-phillips has joined #openstack-keystone
17:58 *** esp_ has joined #openstack-keystone
17:59 *** nishaYadav has joined #openstack-keystone
18:00 <morgan> cough
18:00 <stevemar> morgan: o/
18:00 <morgan> someone is slacking today
18:01 * morgan looks at stevemar, lbragstad, etc.
18:01 * morgan looks at the clock
18:01 <stevemar> o_O
18:01 <morgan> did we cancel the keystone meeting?
18:03 *** adrian_otto has joined #openstack-keystone
18:19 <openstackgerrit> Richard Avelar proposed openstack/keystone: Change unit test class to a less generic name  https://review.openstack.org/424727
18:23 <dougshelley66> ayoung any thoughts?
18:25 <ayoung> dougshelley66, use the V3 api, and have everything on both ports
18:25 <ayoung> uneset the public_api value inside of keystone.conf
18:25 <ayoung> unset
18:29 <dougshelley66> ayoung you are saying we need to change the configuration of keystone?
18:30 *** dave-mccowan has quit IRC
18:30 <dougshelley66> i was hoping we could cause the client configuration to change (the client in this case is coming from the trove-api service)
18:31 <ayoung> dougshelley66, if you use the V3 API, it should not matter admin vs public endpoint
18:31 <ayoung> that is all trove
18:31 <dougshelley66> from what we can tell this is happening in the WSGI pipeline, it is calling the authtoken factory
18:32 <dougshelley66> during that instantiation, keystoneauth1 is attempting to contact keystone on the admin port
18:37 <ayoung> dougshelley66, as I said, remove the public_api value inside keystone.conf
18:37 <ayoung> that keeps it from using the right port
18:38 <ayoung> But WSGI pipeline should be using Admin, as it is inside the Firewall.
18:39 <dougshelley66> in this case the customer has Trove configured in a VM
18:39 <dougshelley66> which only has access to the public endpoints
18:39 *** tesseract has quit IRC
18:40 <dougshelley66> ayoung i'm not certain where to find "public_api"...I don't see that value in /etc/keystone/keystone.conf
18:40 <ayoung> dougshelley66, public_uri?
18:40 <ayoung> near the top...
18:40 <ayoung> it's off the top of my head
18:40 <dougshelley66> ah do you mean "public_endpoint"?
18:41 <ayoung> http://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone.conf.sample#n27
18:41 <ayoung> dougshelley66, yeah
18:41 <ayoung> it is a nasty piece of code
18:43 *** nishaYadav has quit IRC
18:47 <morgan> rderose: where should i move the option code to in shadow users backend
18:49 *** raildo has joined #openstack-keystone
18:50 <rderose> morgan: https://github.com/openstack/keystone/blob/master/keystone/identity/shadow_backends/sql.py
18:50 <morgan> ayoung: https://review.openstack.org/#/c/424334/
18:50 <morgan> rderose: and it will keep all the same refs and such?
18:50 <morgan> rderose: so the table will be the same, just move that bit of code and we should be good?
18:50 <morgan> (and the tests should work the same or do i need to call the update differently?)
18:51 *** diazjf has joined #openstack-keystone
18:51 <rderose> morgan: hmm...
18:51 <morgan> rderose: because i don't see an update user call there?
18:52 <morgan> this is attributes on the main User() ref object
18:52 <rderose> morgan: yeah, you'd have to add an update method, the model could stay the same (I think)
18:52 <rderose> morgan: for update, you would then make 2 calls in core.py => driver.update() and shadow.update()
18:52 <morgan> well more to the point, how much extra code mechanism is needed to make that update method work
18:53 <morgan> hm.
18:53 <morgan> because the normal driver.update wouldn't affect non-local users?
18:53 <rderose> because driver.update() may point to ldap
18:53 <rderose> right
18:53 <morgan> well considering ldap no longer does writes.
18:54 <ayoung> morgan, options for what?
18:54 <morgan> i think we need to re-think that
18:54 <rderose> yep
18:54 <morgan> rderose: so this is probably ok for now as is
18:54 <rderose> morgan: the problem is list_users
18:54 <ayoung> is that optional data?
18:54 <morgan> ayoung: for any resource specific option future looking
18:54 <morgan> ayoung: rather than using "extras" or a top level column
18:54 <rderose> morgan: yeah, I'm okay as is.  it just would be really cool to be able to apply new attributes to ALL users
18:54 <ayoung> morgan, I don't know what you mean.  But I think I hate it.
18:55 <rderose> ayoung: :)
18:55 <morgan> ayoung: allows us to define in code "ignore_password_expiry" [pci-dss]
18:55 <morgan> rather than needing to lump it into keystone.config
18:55 <morgan> (conf file)
18:55 <morgan> or make a new column for everything
18:55 <ayoung> per user....
18:55 <morgan> because it's absurd for limited/narrow use case
18:55 <morgan> this is an option that would be per-<resource>
18:56 <morgan> long term, if we had a domain that enforced pci-dss things like expiring passwords
18:56 <morgan> or MFA
18:56 <ayoung> because you made it general purpose
18:56 <morgan> or...
18:56 <morgan> whatever
18:56 <morgan> we can implement
18:56 <morgan> easily
18:56 <ayoung> so we could do per-project stuff with this later, too
18:56 <morgan> that is the plan
18:56 <ayoung> Yep. I am sure of it.
18:56 <ayoung> I hate it.
18:56 <morgan> all of the resource-types managed by keystone would have options.
18:56 <ayoung> +2
18:57 <morgan> the key is the option must be defined in code
18:57 <morgan> or it won't be stored this way and will just fall into "extras"
18:57 <morgan> this is not a generic key-value-store for anyone
18:57 <morgan> i also see things that we have long been loathe to remove (default_project_id)
18:57 <morgan> becoming one of these
18:58 <samueldmq> 2 minutes left
18:58 *** dave-mccowan has joined #openstack-keystone
18:58 <samueldmq> just fyi
18:58 <morgan> stevemar: wrong channel
18:58 <samueldmq> no minutes left here
18:58 <morgan> erm samueldmq ^
18:58 <morgan> hehe
18:58 *** phalmos_ has quit IRC
18:58 <stevemar> morgan: i had the right channel :P
18:58 <samueldmq> lol
18:59 <morgan> ayoung: anyway hate it or not, trying to unwind some ick we have in keystone that has required headaches for narrowly used features, but is supported across the whole of keystone
18:59 <samueldmq> morgan: sorry :) looks like I misclicked
18:59 <morgan> ayoung: figured your review on it would be good in either case :)
18:59 <morgan> rderose: if you want to take a crack at what moving the stuff to shadow users would look like...
18:59 <rderose> morgan: yeah, was thinking that
19:00 <morgan> rderose: but i think we can probably get away from that by putting some conditionals in since LDAP write is dead
19:00 <morgan> needing to do two updates is problematic
19:00 <morgan> but if we need to... then we can
19:01 <rderose> morgan: the 2 update doesn't bother so much as now when you call list_users, you'd have to tack on the extra attributes
19:02 <morgan> rderose: how crazy would it be to migrate everything to shadow-user, and only fall through the basic stuff from LDAP.
19:02 <morgan> so LDAP driver always layers behind sql at some point
19:02 <morgan> since we require SQL for keystone to function
19:02 <morgan> LDAP back end can be very narrowly scoped to the current properties we have for reading
19:02 <morgan> everything else can be extracted via SQL and layered in.
19:03 <morgan> including the options.
19:03 <morgan> if you pass an option that would hit LDAP for store, we raise out a 403 [with information]
19:03 <rderose> hmm...
19:03 <morgan> we've already done most of this work by killing read/write ldap
19:04 <rderose> morgan: right and all users that have authenticated are in sql already
19:04 <morgan> and shadow user stuff is hidden from end users.
19:04 <morgan> yep
19:04 <morgan> i see a pike target here
19:04 <rderose> :)
19:04 <morgan> so on that note, we leave the options for now where they are
19:04 <rderose> cool
19:04 <knikolla> ++ interesting
19:04 <morgan> and then all users get support once we make the next move
19:05 <rderose> morgan: sounds good
19:05 <morgan> rderose: ok cool, please let me know any other feedback on that patch then
19:05 <morgan> knikolla: you should review too
19:05 <rderose> morgan: thanks, will get to it this afternoon
19:05 <morgan> rderose: because next step is to move MFA rules to it, the ignore_password_expiry and lockout, then continue from there
19:06 <rderose> gotchea
19:06 <rderose> *gotcha
19:06 <morgan> rderose: and sooner = lands this cycle if no one complains.
19:06 <rderose> right
19:07 <knikolla> morgan: sounds good.
19:07 <knikolla> i'm finally at a point where i can spend more than 50% of my time on keystone.
19:07 <morgan> knikolla: https://review.openstack.org/#/c/424334/3 is the review ftr
19:07 <morgan> adrian_otto: ping
19:07 <morgan> actually...
19:08 *** phalmos has joined #openstack-keystone
19:11 <knikolla> morgan: if we remove a user_option from code, will there be a corresponding migration that cleans up everything with that id from the user_options table?
19:12 <rderose> morgan: quick question, what about v2? are we filtering these options out for v2?
19:12 <morgan> you could. you could also just leave it. when/if the user is updated if the option is no longer there it will be filtered out (we could explicitly do that in the update code), it also won't leak to the API if the option disappeared
19:12 <morgan> rderose: no. i don't see a reason to, we long had "extra" this is no different
19:12 <morgan> rderose: and v2 is disappearing soon(tm) anyway
19:12 <rderose> morgan: ok, cool
19:13 <morgan> knikolla: it might be worth adding a tiny bit more code to look for options and strip them from the DB if they are no longer registered... likewise
19:13 <morgan> maybe we don't want to do that?
19:14 <morgan> if the user is deleted... we're cascading the delete to this table anyway
19:14 *** MasterOfBugs has joined #openstack-keystone
19:14 <knikolla> morgan: i'm just being pedantic. leaving it there is probably fine for now.
19:15 <morgan> if the option is removed, it will no longer show in the user_ref
19:15 <morgan> it basically would just linger in the table but be unused
19:15 <morgan> as it stands
19:16 <morgan> and the value(s) would not be changeable either w/o direct SQL access
19:16 <knikolla> keystone-manage command for cleanup?
19:16 <morgan> nah
19:16 <morgan> if anything i'd put it in the storage code
19:17 <morgan> make non-existent opts work like an explicit None
19:17 <morgan> and pop them from the attribute map
19:17 <morgan> so on update old options no longer defined disappear
19:17 <adrian_otto> morgan: here
19:17 <morgan> adrian_otto: sent you the question in a PM :)
19:17 <morgan> didn't hit tab before i typed ^_^
19:17 <morgan> you already responded.
19:20 <knikolla> morgan: that sounds better.
19:21 <openstackgerrit> Richard Avelar proposed openstack/keystone: WIP extend users API to add federated object  https://review.openstack.org/418624
19:21 <morgan> knikolla: ok added a comment to the review saying in future patchset or in a followup
19:22 <knikolla> morgan: ++
19:22 <morgan> so i think i need the rderose +1/+2, stevemar ok, and dstanek's view and it should be good to go
19:23 <dstanek> morgan: were you planning on submitting a patch to remove the ability to change domain_id for a user?
19:23 <morgan> dstanek: yes. but that was a little bit further down the list
19:24 <morgan> once i was done with the bulk of this change so it could get some eyes.
19:25 <dstanek> morgan: cool. just checking. if you don't have time i could whip it up. that would help simplify rderose's patch even further
19:26 <morgan> crap.... looks like we don't block project domain_id updates
19:26 <morgan> ......
19:26 <morgan> i know we had an option for that at some point
19:26 <morgan> but it's just allowed afaict
19:26 <morgan> *rolls eyes*
19:26 <dstanek> morgan: it's not even deprecated?
19:26 <morgan> looking but doesn't look like it
19:27 <morgan> ah
19:27 <morgan> controller blocks it
19:27 <morgan> i'm going to push that down to the manager
19:27 <morgan> so no going around that
19:27 <openstackgerrit> Merged openstack/keystone: Add password expiration queries for PCI-DSS  https://review.openstack.org/403898
19:28 <morgan> ok so project can't change domain, user is slated to be fixed now
19:28 <morgan> domain can't (obviously)
19:28 <morgan> looking at group, i think that is the last item
19:28 <morgan> yep
19:28 <morgan> ok will fix group, and user
19:29 <morgan> will push the check for project/domain down to the manager
19:29 <morgan> shortly
19:29 <dstanek> sounds good, thanks
19:41 *** harlowja has joined #openstack-keystone
19:42 <knikolla> morgan: why restrict opt_ids to 4 characters?
19:46 <stevemar> morgan: yeah, it happened at the manager
19:46 <stevemar> err controller
19:50 <openstackgerrit> Merged openstack/keystone: Fixed unraised exception in _disallow_write for LDAP  https://review.openstack.org/424704
19:52 <stevemar> morgan: https://review.openstack.org/#/c/424673/
19:54 *** diazjf has quit IRC
19:54 <openstackgerrit> Kristi Nikolla proposed openstack/keystone: WIP: Remove LDAP delete logic and associated tests  https://review.openstack.org/424344
19:57 *** diazjf has joined #openstack-keystone
19:59 *** flaper87 has joined #openstack-keystone
20:12 *** adrian_otto has quit IRC
20:13 <morgan> knikolla: 4 characters for the id is a lot of options
20:13 <morgan> knikolla: but also not massive space to consume  in storage
20:14 <morgan> it could have been an int, string(4) iirc is ~ same size as int.
20:14 <morgan> but also can be more human friendly
20:15 <rderose> morgan: if I'm creating a new option, am I adding it here: https://review.openstack.org/#/c/424334/3/keystone/identity/backends/identity_resource_options.py
20:15 <morgan> rderose: correct
20:15 <morgan> for identity
20:15 <stevemar> morgan: 4 characters seems like a lot of options
20:15 <morgan> stevemar: exactly
20:15 <morgan> it is a lot of options
20:16 <morgan> not expecting it to be tons of them used. but also future proofing
20:16 <morgan> it might be USR1 USR2 GRP1 GRP2
20:16 <morgan> but that is better than 1400 1401 1402
20:16 <morgan> etc
20:16 <morgan> imo
20:17 *** adrian_otto has joined #openstack-keystone
20:22 *** martinlopes has joined #openstack-keystone
20:23 *** diazjf has quit IRC
20:24 *** adrian_otto has quit IRC
20:25 <morgan> dstanek: about to propose the fix for domain setting
20:29 *** nicodemus_ has joined #openstack-keystone
20:31 *** jperry has quit IRC
20:33 <dstanek> morgan: nice
20:33 <knikolla> morgan: ok cool!
20:33 *** jperry has joined #openstack-keystone
20:40 *** diazjf has joined #openstack-keystone
20:42 <morgan> dstanek: looks like we already prevented it at the controller level, this moves it down to the manager to be much more direct about it
20:43 *** martinlopes has quit IRC
20:48 *** thiagolib has quit IRC
20:51 *** martinlopes has joined #openstack-keystone
20:52 <dstanek> morgan: for users too?
20:53 *** martinlopes has quit IRC
20:53 <morgan> dstanek: looks like. sortof.. anyway cleaning up the code and being more explicit
20:54 * morgan taps foot waiting...
20:55 *** diazjf has quit IRC
21:00 <openstackgerrit> Maroun Maroun proposed openstack/python-keystoneclient: Fix boto version strip regex  https://review.openstack.org/424848
21:01 *** jerrygb_ has joined #openstack-keystone
21:03 <openstackgerrit> Ron De Rose proposed openstack/keystone: WIP - PCI-DSS Force users to change password upon first use  https://review.openstack.org/403916
21:03 *** jerrygb has quit IRC
21:04 *** jerrygb_ has quit IRC
21:05 *** raildo has quit IRC
21:05 <openstackgerrit> Ron De Rose proposed openstack/keystone: WIP - PCI-DSS Force users to change password upon first use  https://review.openstack.org/403916
21:05 <openstackgerrit> Ron De Rose proposed openstack/keystone: WIP - PCI-DSS Force users to change password upon first use  https://review.openstack.org/403916
21:06 <openstackgerrit> Ron De Rose proposed openstack/keystone: WIP - PCI-DSS Force users to change password upon first use  https://review.openstack.org/403916
21:08 <stevemar> morgan: ugh meeeeeeetings
21:08 <openstackgerrit> Morgan Fainberg proposed openstack/keystone: Remove code supporting moving resources between domains  https://review.openstack.org/424850
21:09 <morgan> dstanek: ^
21:09 <morgan> stevemar: so,
21:10 *** dave-mccowan has quit IRC
21:10 <dstanek> morgan: looking...
21:10 *** adrian_otto has joined #openstack-keystone
21:11 <morgan> dstanek: it looks like we blocked it at the controller, but supported at the manager
21:11 <morgan> this change consolidates blocking the domain_id change at the manager
21:11 <morgan> prevents things slipping in by avoiding the user/project/group controllers
21:11 <morgan> stevemar: looking for a view on https://review.openstack.org/#/c/424334/ before i start rebasing things on it
21:12 <stevemar> morgan: thanks for spending time in keystone this week and previous
21:12 <stevemar> helps us out a lot
21:12 *** antwash_ has quit IRC
21:13 *** antwash_ has joined #openstack-keystone
21:17 *** antwash_ has quit IRC
21:17 <knikolla> ++
21:17 *** ravelar has quit IRC
21:17 <knikolla> especially the last minute rearchitecture of entire features
21:19 *** antwash_ has joined #openstack-keystone
21:20 <stevemar> morgan: why is the domain check not in a common place?
21:20 <stevemar> keystone.common.manager.Manager
21:20 *** antwash_ has quit IRC
21:20 <stevemar> eh, it's a metaclass
21:21 <openstackgerrit> Morgan Fainberg proposed openstack/keystone: Add auto-cleanup code for undefined options  https://review.openstack.org/424855
21:22 <morgan> stevemar: because i didn't push it that far down.
21:22 <morgan> would be easy to do so *shrug*
21:22 <morgan> knikolla: ^ your comments on the auto-cleanup.
21:22 <stevemar> eh
21:23 *** antwash has quit IRC
21:23 <knikolla> morgan: awesome!
21:23 <morgan> knikolla: not the nits and name of table
21:23 <morgan> but the auto-cleanup only in there
21:23 <knikolla> morgan: yeah, i figured from the title.
21:24 <morgan> i just need to know if i'm putting in the work to rebase things on the code-defined-options or if i should wait.
21:24 <morgan> because if I am... I'll get to work.
21:24 <stevemar> morgan: approved domain move, that's gonna conflict with some stuff
21:24 <morgan> since time is a premium.
21:24 <morgan> stevemar: that is fine.
21:25 <morgan> i don't care about legit conflicts, i care about "is this worth putting the effort in *right now*
21:25 <morgan> vs Pike.
21:25 <morgan> i can play rebase games as needed
21:26 <stevemar> morgan: thoughts on https://review.openstack.org/#/c/424673/ ?
21:26 *** antwash has joined #openstack-keystone
21:26 <stevemar> morgan: i don't remember the exact moves that were done in dogpile, but i think that is correct
21:26 <morgan> i thought kvs was dead
21:27 <morgan> i'd say no don't change it if we're removing kvs
21:27 <openstackgerrit> Ron De Rose proposed openstack/keystone: WIP PCI-DSS Force users to change password upon first use  https://review.openstack.org/424856
21:27 *** Jack_V has quit IRC
21:28 <morgan> bah. deprecated in newton removal in pike
21:28 <morgan> lets just hold for a couple weeks on that review
21:28 <morgan> and watch the code evaporate as soon as RC is cut
21:29 <dstanek> i think kvs is gone, gone. i think i had to leave some code in there for ldap or some other backend
21:30 * lbragstad needs a cup of coffee
21:30 <morgan> dstanek: no
21:30 <morgan> dstanek: deprecated (we missed some things) as of N
21:30 <morgan> so removing the core of it in pike
21:30 <morgan> just the KVS core is left
21:31 <morgan> dstanek: =/
21:31 <stevemar> hehe i +2'ed it
21:31 <morgan> dstanek: otherwise it really would be gone gone already
21:31 <morgan> stevemar: *shrug* my -1 is more procedural... why update code that is dead in a week
21:32 <morgan> but i'm fine if you want to push it in
21:32 *** antwash has quit IRC
21:32 <morgan> feel free to +A it (i wouldn't complain)
21:32 <stevemar> it's technically more correct
21:33 <dstanek> morgan: i didn't realize that anything was missed
21:33 <morgan> dstanek: yeah we missed the entire kvscore when we removed the other kvs code
morgansoooo we had to wait until Pike21:33
morganbecause we only deprecated in NEwton21:33
*** catintheroof has quit IRC21:35
stevemarmorgan: there was something else i thought?21:35
morgantoken kvs backend21:35
morgansame thing21:35
*** catintheroof has joined #openstack-keystone21:35
morganbut caught witht he same deprecation message as kvscore21:35
*** catintheroof has quit IRC21:35
*** nicodemus_ has quit IRC21:36
stevemarthanks morgan21:36
*** antwash has joined #openstack-keystone21:45
openstackgerritMorgan Fainberg proposed openstack/keystone: MERGE-IN-PIKE: Remove KVS code  https://review.openstack.org/42486221:45
morgandstanek: ^ ;)21:46
*** portdirect is now known as portdirect_away21:46
morganstevemar: sooooo21:46
*** pnavarro has quit IRC21:46
morganstevemar: back to the option code21:46
stevemaro/21:46
stevemarmorgan: omg you are tossing up so many things! i can't keep up!21:46
morganstevemar: the option code is the key, if i am rebasing things around it or if we're holding MFA, password-expiry-things, etc21:47
morganstevemar: i'm fine with rebasing around it, just need to know if i should spend the time/energy21:47
*** thorst_ has quit IRC21:55
*** ravelar has joined #openstack-keystone21:58
rderosemorgan: playing with this now21:58
*** antwash has quit IRC21:58
rderosemorgan: I should be able to just do something like this: USER_OPTIONS_LIST = [{'option_id': '1000', 'option_name': 'allow_password_expires'}]21:58
rderoseright?21:59
*** antwash has joined #openstack-keystone21:59
*** antwash has quit IRC22:06
rodrigodsstevemar, knikolla i wonder what the maintainers of testshib.org are thinking with the traffic increase22:09
morganrderose: would need to create a new option object22:12
morganrderose: in the list22:12
rderosemorgan: ah, so: resource_options.ResourceOption('opt1', 'option1')22:13
morganyah22:13
rderosegotcha, hx22:13
rderose*thx22:13
morganand a validator if you want a different one than the basic one that does nothing22:13
lbragstadsamueldmq glad to see your candidacy email :)22:13
morganit also can only store things that can be serialized with oslo.serialization.jsonutils.dumps22:13
rderosemorgan: hmmm...  sqlalchemy.orm.exc.DetachedInstanceError: Parent instance <User at 0x7fc0ed347290> is not bound to a Session; lazy load operation of attribute 'options' cannot proceed22:13
openstackgerritRon De Rose proposed openstack/keystone: WIP PCI-DSS Force users to change password upon first use  https://review.openstack.org/42485622:14
morganuh22:15
morganhmm. it worked in my tests22:15
rderosemorgan: yeah, still playing with it...22:16
morganwhere did you hit that?22:16
morganand can you provide an example?22:16
*** spilla has quit IRC22:16
rderosemorgan: http://paste.openstack.org/show/596317/22:16
morganhuh22:17
rderosemorgan: https://review.openstack.org/#/c/424856/2/keystone/identity/backends/identity_resource_options.py22:17
morganhow did my test work then?22:17
rderosemorgan: it may be me :)22:17
morganhehe. i can poke at that as soon i am back from lunch22:17
morganif you don't figure it out22:17
morganfwiw, i had that issue early on, but have it all solved by the time my tests were written22:18
morganah hm.22:18
morgani think i see it22:18
rderosecool, where22:18
*** jperry has quit IRC22:19
22:19 <morgan> i'll poke post lunch but i think the user.allows_password_expired doesn't do what you're actually looking for
22:20 <rderose> ok
22:21 <morgan> it might also be something where the test is just doing something weird.
22:21 <morgan> in almost 100% of the cases you always have an active session when touching the models
22:21 <rderose> hmm... okay, let me start undoing things and see if I can find the problem
22:23 <openstackgerrit> Ron De Rose proposed openstack/keystone: WIP PCI-DSS Force users to change password upon first use  https://review.openstack.org/424856
22:33 *** MasterOfBugs has quit IRC
22:33 *** pramodrj07 has joined #openstack-keystone
22:34 *** martinlopes has joined #openstack-keystone
22:41 *** adrian_otto has quit IRC
22:45 *** antwash has joined #openstack-keystone
22:49 *** lamt has quit IRC
22:50 *** antwash has quit IRC
22:50 <rderose> morgan: okay so, if I download your patch and add this line: https://review.openstack.org/#/c/424856/3/keystone/identity/backends/identity_resource_options.py
22:50 <rderose> morgan: I get this error:
22:50 *** david-lyle has quit IRC
22:50 <rderose> morgan: http://paste.openstack.org/show/596321/
22:51 *** lamt has joined #openstack-keystone
22:51 <rderose> morgan: and looking at the sql_model.py, I'm seeing what's wrong
22:53 *** david-lyle has joined #openstack-keystone
22:57 <rderose> morgan: *I'm not seeing what's wrong
22:58 *** edmondsw has quit IRC
22:58 *** jaugustine has quit IRC
22:59 *** martinlopes has quit IRC
23:03 *** spotz is now known as spotz_zzz
23:08 *** harlowja has quit IRC
23:09 *** adriant has joined #openstack-keystone
23:12 *** jaosorior has quit IRC
23:15 *** edtubill has quit IRC
23:15 <rderose> morgan: around?
23:16 *** rm_work has quit IRC
23:16 <rderose> morgan: tried changing it to eager loading, but still get the same error. need to run an errand, be back shortly.
23:17 *** rm_work has joined #openstack-keystone
23:21 <rderose> dstanek: is there anything you want me to change for this one: https://review.openstack.org/#/c/409874/?
23:21 <rderose> dstanek: or, are you still reviewing it?
23:21 <lbragstad> rderose i'm upgrade testing that one as we speak
23:21 <rderose> lbragstad: sweet!
23:22 *** sudorandom has quit IRC
23:23 *** ravelar1 has joined #openstack-keystone
23:24 *** sudorandom has joined #openstack-keystone
23:25 <morgan> ok back.
23:26 <morgan> rderose: i might need to just push the .options handling down into sqly.py only
23:26 <rderose> morgan: ah, so out of the model?
23:27 <morgan> yeah and down to just the backend where we are guaranteed to have a session
23:27 <morgan> i don't know why my tests work... but anyway
23:28 *** ravelar1 has quit IRC
23:28 <rderose> morgan: hmm... yeah, it's strange
23:28 <rderose> morgan: federated_user is almost identical and it works
23:28 <morgan> easy, set a .resource_options attr in .from_dict() and then consume that at the bottom layer where we will instantiate the model
23:28 <rderose> morgan: in terms of the user to federated_user relationship
23:28 <rderose> morgan: something with to_dict that it doesn't like
23:29 <morgan> yeah it's probably because i'm touching .options
23:29 <morgan> in to_dict
23:29 <morgan> so i'll stop doing that
23:29 <morgan> easy
23:29 <morgan> give me a few moments
23:29 <rderose> okay
23:29 <rderose> morgan: have to run, but back in about 30
23:30 <morgan> cool i should have it pushed by then
23:33 *** dave-mccowan has joined #openstack-keystone
23:34 *** edmondsw has joined #openstack-keystone
23:36 <stevemar> jamielennox: around?
23:36 <stevemar> jamielennox: can you verify https://review.openstack.org/#/c/423339/ ... ?
23:38 *** edmondsw has quit IRC
23:40 <gagehugo> lamt: ^
23:42 <samueldmq> lbragstad: o/ thanks
23:42 <samueldmq> lbragstad: glad keystone will be in good hands regardless of the results
23:43 <jamielennox> stevemar: i'm around
23:44 <jamielennox> stevemar: that's something we can do?
23:53 <openstackgerrit> Tin Lam proposed openstack/python-keystoneclient: Allow Multiple Filters of the Same Key  https://review.openstack.org/423339
23:53 *** antwash has joined #openstack-keystone
23:54 <lamt> stevemar: added a releasenote for spilla
23:57 *** thorst_ has joined #openstack-keystone
23:57 *** thorst_ has quit IRC
23:58 *** harlowja has joined #openstack-keystone

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!