Friday, 2017-03-10

*** ayoung has quit IRC [00:02]
*** ngupta has quit IRC [00:09]
*** ngupta has joined #openstack-keystone [00:10]
*** ngupta has quit IRC [00:14]
*** markvoelker has quit IRC [00:15]
*** jose-phillips has quit IRC [00:17]
*** lamt has quit IRC [00:19]
*** guoshan has quit IRC [00:20]
*** jose-phillips has joined #openstack-keystone [00:29]
*** catintheroof has quit IRC [00:29]
*** catintheroof has joined #openstack-keystone [00:30]
*** catintheroof has quit IRC [00:30]
*** jamielennox is now known as jamielennox|away [00:36]
*** ravelar1 has joined #openstack-keystone [00:36]
*** jamielennox|away is now known as jamielennox [00:37]
*** ravelar1 has quit IRC [00:41]
*** catintheroof has joined #openstack-keystone [00:42]
*** jose-phillips has quit IRC [00:44]
*** adrian_otto has joined #openstack-keystone [00:46]
*** jose-phillips has joined #openstack-keystone [00:53]
*** thorst has joined #openstack-keystone [00:53]
*** jose-phillips has quit IRC [00:53]
*** jose-phillips has joined #openstack-keystone [00:54]
*** zhurong has joined #openstack-keystone [00:56]
*** ayoung has joined #openstack-keystone [00:57]
*** tovin07 has joined #openstack-keystone [00:58]
*** browne has quit IRC [01:10]
*** markvoelker has joined #openstack-keystone [01:15]
*** liujiong has joined #openstack-keystone [01:16]
*** ravelar1 has joined #openstack-keystone [01:18]
*** markvoelker has quit IRC [01:20]
*** ravelar1 has quit IRC [01:22]
*** MasterOfBugs has quit IRC [01:31]
*** chris_hultin is now known as chris_hultin|AWA [01:34]
*** frontrunner has joined #openstack-keystone [01:43]
*** adrian_otto has quit IRC [01:44]
*** thorst has quit IRC [01:45]
*** ravelar1 has joined #openstack-keystone [01:59]
*** ravelar1 has quit IRC [02:03]
*** browne has joined #openstack-keystone [02:08]
*** markvoelker has joined #openstack-keystone [02:17]
*** adrian_otto has joined #openstack-keystone [02:21]
*** agrebennikov has quit IRC [02:21]
*** markvoelker has quit IRC [02:23]
*** rderose has quit IRC [02:28]
*** adrian_otto has quit IRC [02:29]
*** browne has quit IRC [02:50]
*** ravelar1 has joined #openstack-keystone [03:00]
*** ravelar1 has quit IRC [03:04]
*** asettle has quit IRC [03:07]
*** frontrunner has quit IRC [03:09]
*** adrian_otto has joined #openstack-keystone [03:10]
*** lucasxu has joined #openstack-keystone [03:10]
*** thorst has joined #openstack-keystone [03:13]
*** wangqun has joined #openstack-keystone [03:16]
*** wangqun has quit IRC [03:17]
*** thorst has quit IRC [03:18]
*** wangqun has joined #openstack-keystone [03:18]
*** lucasxu has quit IRC [03:31]
<openstackgerrit> OpenStack Proposal Bot proposed openstack/ldappool master: Updated from global requirements  https://review.openstack.org/431968 [03:31]
*** links has joined #openstack-keystone [03:38]
*** lucasxu has joined #openstack-keystone [03:40]
*** adrian_otto has quit IRC [03:40]
*** adrian_otto has joined #openstack-keystone [03:41]
*** adrian_otto has quit IRC [03:43]
*** prashkre has joined #openstack-keystone [03:44]
*** ravelar has quit IRC [03:55]
*** catintheroof has quit IRC [03:57]
*** catintheroof has joined #openstack-keystone [03:58]
*** catintheroof has quit IRC [03:59]
*** ravelar1 has joined #openstack-keystone [04:01]
*** ravelar1 has quit IRC [04:06]
*** nicolasbock has quit IRC [04:07]
*** knangia has quit IRC [04:11]
*** adrian_otto has joined #openstack-keystone [04:11]
*** thorst has joined #openstack-keystone [04:14]
*** david-lyle has quit IRC [04:16]
*** thorst has quit IRC [04:18]
*** prashkre has quit IRC [04:22]
*** lucasxu has quit IRC [04:24]
*** adrian_otto1 has joined #openstack-keystone [04:38]
*** adrian_otto has quit IRC [04:40]
*** ravelar1 has joined #openstack-keystone [04:43]
*** wangqun has quit IRC [04:45]
*** wangqun has joined #openstack-keystone [04:46]
*** ravelar1 has quit IRC [04:47]
*** adrian_otto1 has quit IRC [04:57]
*** thorst has joined #openstack-keystone [05:15]
*** thorst has quit IRC [05:19]
*** adriant has quit IRC [05:41]
*** richm has quit IRC [05:43]
*** prashkre has joined #openstack-keystone [06:04]
*** jaosorior has joined #openstack-keystone [06:09]
*** aojea has joined #openstack-keystone [06:12]
*** Shunli has joined #openstack-keystone [06:12]
*** markvoelker has joined #openstack-keystone [06:21]
*** markvoelker has quit IRC [06:25]
*** rcernin has joined #openstack-keystone [06:35]
*** markvoelker has joined #openstack-keystone [06:44]
*** aojea has quit IRC [06:49]
*** markvoelker has quit IRC [06:54]
*** thorst has joined #openstack-keystone [07:16]
*** aojea has joined #openstack-keystone [07:20]
*** thorst has quit IRC [07:21]
*** xek has quit IRC [07:37]
*** edmondsw has joined #openstack-keystone [07:39]
*** tesseract has joined #openstack-keystone [07:42]
*** edmondsw has quit IRC [07:44]
*** aojea has quit IRC [07:47]
*** pnavarro has quit IRC [07:47]
*** aojea has joined #openstack-keystone [07:53]
*** prashkre has quit IRC [07:57]
*** h5t4_ has joined #openstack-keystone [08:12]
*** aojea has quit IRC [08:14]
*** aojea has joined #openstack-keystone [08:15]
*** prashkre has joined #openstack-keystone [08:17]
*** thorst has joined #openstack-keystone [08:17]
*** aojea has quit IRC [08:19]
*** thorst has quit IRC [08:22]
<openstackgerrit> Merged openstack/ldappool master: Updated from global requirements  https://review.openstack.org/431968 [08:26]
*** jaosorior is now known as jaosorior_breakf [08:33]
*** prashkre has quit IRC [08:39]
*** jaosorior_breakf is now known as jaosorior [08:48]
*** zzzeek has quit IRC [09:00]
*** zzzeek has joined #openstack-keystone [09:00]
*** pnavarro has joined #openstack-keystone [09:08]
*** thorst has joined #openstack-keystone [09:18]
*** thorst has quit IRC [09:23]
*** henrynash has joined #openstack-keystone [09:27]
*** Shunli has quit IRC [09:27]
*** henrynash has quit IRC [09:27]
*** henrynash has joined #openstack-keystone [09:32]
*** aasthad has quit IRC [09:42]
*** rdo has quit IRC [09:46]
*** rdo has joined #openstack-keystone [09:48]
*** prashkre has joined #openstack-keystone [09:51]
*** rdo has quit IRC [09:56]
*** wangqun has quit IRC [09:58]
*** rdo has joined #openstack-keystone [09:58]
*** asettle has joined #openstack-keystone [10:03]
*** edmondsw has joined #openstack-keystone [10:04]
*** aloga_ has joined #openstack-keystone [10:06]
*** aojea has joined #openstack-keystone [10:08]
*** edmondsw has quit IRC [10:09]
*** zhurong has quit IRC [10:10]
*** henrynash has quit IRC [10:13]
*** richm has joined #openstack-keystone [10:14]
*** thorst has joined #openstack-keystone [10:19]
*** liujiong has quit IRC [10:23]
*** thorst has quit IRC [10:23]
*** tovin07 has quit IRC [10:27]
*** openstackgerrit has quit IRC [10:33]
*** guoshan has joined #openstack-keystone [10:51]
*** henrynash has joined #openstack-keystone [10:52]
*** nicolasbock has joined #openstack-keystone [11:07]
*** thorst has joined #openstack-keystone [11:20]
*** thorst has quit IRC [11:24]
*** links has quit IRC [11:37]
*** tuan_ has joined #openstack-keystone [11:41]
*** abhishek_k has quit IRC [11:48]
*** henrynash has quit IRC [11:50]
<tuan_> Hi Keystone community [11:53]
<tuan_> if someone is online, may i ask some questions related to the user cred passing [11:53]
<tuan_> as i know that we do not pass the normal user cred when creating client [11:54]
<tuan_> except admin [11:54]
*** links has joined #openstack-keystone [11:54]
<tuan_> could somebody explain to me the reasons of security in this case [11:54]
<tuan_> thanks in advance [11:54]
<breton> .цшт 19 [12:01]
<breton> :( [12:01]
*** aojea has quit IRC [12:02]
*** guoshan has quit IRC [12:04]
*** raildo has joined #openstack-keystone [12:10]
*** sileht has quit IRC [12:17]
*** sileht has joined #openstack-keystone [12:18]
*** sileht has quit IRC [12:18]
*** sileht has joined #openstack-keystone [12:18]
*** catintheroof has joined #openstack-keystone [12:34]
*** thorst has joined #openstack-keystone [12:43]
*** guoshan has joined #openstack-keystone [12:43]
*** frontrunner has joined #openstack-keystone [12:55]
*** sileht has quit IRC [13:03]
*** sileht has joined #openstack-keystone [13:03]
*** sileht has quit IRC [13:03]
*** sileht has joined #openstack-keystone [13:03]
*** sileht has quit IRC [13:08]
*** sileht has joined #openstack-keystone [13:08]
*** sileht has quit IRC [13:08]
*** sileht has joined #openstack-keystone [13:10]
*** guoshan has quit IRC [13:12]
<breton> https://bitbucket.org/ianb/paste/issues/20/ *sigh* [13:13]
<breton> has anybody used ksm with django? [13:13]
*** links has quit IRC [13:17]
*** guoshan has joined #openstack-keystone [13:20]
*** edmondsw has joined #openstack-keystone [13:23]
<dolphm> breton: i have not, but it will certainly work [13:25]
<breton> i guess it will require writing a custom django middleware that will proxy requests to ksm [13:29]
*** links has joined #openstack-keystone [13:31]
*** dave-mccowan has joined #openstack-keystone [13:32]
<breton> and hooking all options [13:32]
*** guoshan has quit IRC [13:33]
<breton> hm, what do i do -- extend django-openstack-auth or write separate thing... [13:35]
*** links has quit IRC [13:39]
*** spilla has joined #openstack-keystone [13:41]
*** lamt has joined #openstack-keystone [13:47]
*** aojea has joined #openstack-keystone [13:52]
*** aloga_ has quit IRC [13:59]
*** openstackgerrit has joined #openstack-keystone [14:16]
<openstackgerrit> Anthony Washington proposed openstack/oslo.policy master: oslopolicy-sample-generator description support  https://review.openstack.org/443330 [14:16]
*** prashkre has quit IRC [14:16]
*** tuan_ has quit IRC [14:22]
*** Dinesh_Bhor has quit IRC [14:23]
*** tuan_ has joined #openstack-keystone [14:26]
*** ravelar has joined #openstack-keystone [14:35]
<dstanek> tuan_: i'm not sure i understand the question [14:42]
<tuan_> dstanek: Hi, thank you for replying to me [14:43]
<tuan_> it is about the general security in authentication [14:43]
<tuan_> it means that we do not provide the creds of normal users when requesting token from keystone [14:44]
<tuan_> for example, when a user wants to use novaclient to talk to keystone [14:45]
<tuan_> for some reason the token is expired [14:45]
<tuan_> and he wants to refresh the token [14:45]
<tuan_> without providing his creds [14:46]
<tuan_> Is it a good way to go for security problem? [14:46]
*** agrebennikov has joined #openstack-keystone [14:46]
*** aojea_ has joined #openstack-keystone [14:48]
<dstanek> tuan_: so you want to trade in an old token for a new one so that you don't have to present your credentials again? [14:49]
<tuan_> yeap [14:49]
<tuan_> since providing creds which are not admin one [14:50]
<tuan_> it is a safe way [14:50]
<tuan_> it is my concern that it is safe enough to provide the normal user creds when trying to trade a new token [14:50]
*** aojea has quit IRC [14:52]
<dolphm> are UUID tokens being rebuilt on validation now? cc- lbragstad [14:53]
<dstanek> tuan_: the point of expiring the token is so that it can't be used. if you want to use expired ones then why not lengthen the expiration period? [14:55]
<tuan_> well, for some reasons that we just set the expiration time to 1h but some of our actions take more than 1h [14:56]
<tuan_> meanwhile those actions require tokens [14:56]
<lbragstad> dolphm yeah [14:57]
<dolphm> ravelar: ^ [14:57]
<tuan_> i would like to ask about the security reasons that if we want to trade again token [14:57]
<dstanek> tuan_: so you are talking about long running operations and not the user themselves trying to get another token... [14:57]
<tuan_> no, the user tries to get another token [14:57]
<tuan_> but by providing her/his creds seems to be not safe? [14:58]
<tuan_> this is my question [14:58]
<dstanek> tuan_: why would providing the credentials again not be safe? [14:58]
<lbragstad> dolphm ravelar it's this big ole if statement - https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L535-L633 [14:59]
<tuan_> It is actually my question :D [14:59]
<dstanek> tuan_: there is also ongoing work to create a *new* thing like an API key that would last longer than a token [14:59]
<tuan_> is it totally safe or not [14:59]
<tuan_> dstanek: oh, really, do we have bp of it [14:59]
<tuan_> is it the service token besides the user token [15:00]
<dstanek> tuan_: it should be if you're running over SSL. the biggest concern is that you store credentials in a file on disk, which is what API keys would avoid [15:00]
*** catintheroof has quit IRC [15:00]
<dstanek> tuan_: a spec is in progress. the idea came out of the last day of the PTG [15:00]
*** catintheroof has joined #openstack-keystone [15:01]
*** lamt has quit IRC [15:01]
<tuan_> dstanek: So it means that with SSL, providing creds is totally safe [15:01]
<antwash> tuan_ : https://review.openstack.org/#/c/438761/ [15:03]
<tuan_> antwash: Thank you [15:03]
<antwash> np :) [15:04]
<dstanek> tuan_: yes. if providing credentials to keystone wasn't safe then we'd be doing something wrong. the only thing that could be unsafe is the password on disk or in transit, but keystone itself can't do anything about that [15:04]
*** david-lyle has joined #openstack-keystone [15:05]
<tuan_> dstanek: Yeah, i totally agree on that [15:05]
<tuan_> i just want to check back since i saw a providing creds when refreshing token in congress [15:06]
<tuan_> https://review.openstack.org/#/c/160063/1/congress/datasources/glancev2_driver.py [15:06]
<tuan_> i doubt that these creds are not provided through API [15:06]
*** lamt has joined #openstack-keystone [15:08]
*** david-lyle_ has joined #openstack-keystone [15:08]
*** david-lyle_ has quit IRC [15:08]
*** david-lyle has quit IRC [15:08]
*** lucasxu has joined #openstack-keystone [15:09]
*** jaugustine has joined #openstack-keystone [15:10]
*** lamt has quit IRC [15:10]
*** chlong_ has joined #openstack-keystone [15:15]
*** phalmos has joined #openstack-keystone [15:18]
*** lucasxu has quit IRC [15:20]
<breton> why do we use service user to check user's token? [15:23]
*** jaosorior has quit IRC [15:24]
*** rderose has joined #openstack-keystone [15:24]
<breton> why can't we use user token to check user token? [15:24]
*** rderose has quit IRC [15:24]
*** rderose has joined #openstack-keystone [15:24]
*** Jack_I has joined #openstack-keystone [15:31]
*** lucasxu has joined #openstack-keystone [15:32]
*** h5t4_ has quit IRC [15:32]
<baffle> I'm trying to migrate our old keystone installation to a newer version. I'm getting a bit stuck with the token cache backend; I guess the old memcache_pool is no longer an option, but what is the alternative? Not SQL. And dogpile.cache.mysql/redis seems to only handle 1 backend? I'm so confused. Oh, and we can't switch to fernet yet. PKI. [15:32]
<breton> baffle: how new is the version? PKI was removed some time ago. memcache_pool is now in oslo_cache instead of keystone. [15:34]
*** rdo has quit IRC [15:35]
<baffle> Old version is kilo, new is mitaka. For now. [15:36]
<baffle> (Nova is icehouse. Don't ask.) [15:36]
*** rdo has joined #openstack-keystone [15:36]
<baffle> If I understand correctly, PKI was deprecated in M, and will be removed in O. [15:37]
<breton> baffle: oh, memcache_pool is still there in M [15:37]
<breton> baffle: PKI was already removed in O [15:38]
<baffle> breton: Okay. So if I just keep memcache_pool in M, I can use that while I migrate everything else, so I can switch to Fernet, then I can go M->N->O and beyond. [15:40]
<breton> baffle: probably yes. [15:41]
*** chris_hultin|AWA is now known as chris_hultin [15:43]
<baffle> breton: But I am still a little confused with regards to caching of everything else in keystone that needs caching.. Does every keystone instance have their own non-shared cache? [15:44]
<breton> baffle: no, all keystone instances should share cache and each instance must have the same set of memcache servers. [15:49]
<lbragstad> ravelar you're still talking about https://bugs.launchpad.net/keystone/+bug/1511775 specifically, right? [15:49]
<openstack> Launchpad bug 1511775 in OpenStack Identity (keystone) "Revoking a role revokes the unscoped token for a user" [Medium,In progress] [15:49]
<ravelar> lbragstad right, just acknowledging dolphm's comment about the direction we can now take with your change in making uuid and fernet both built at token validation time [15:50]
<ravelar> it's the first comment on the bug [15:50]
<ravelar> that's what I was referring to [15:51]
<dstanek> breton: baffle: same set of memcached servers *and* they should be listed in the config in the same order [15:51]
<lbragstad> ravelar aha - [15:51]
<lbragstad> that makes sense [15:51]
<ravelar> lbragstad yes :) [15:52]
<lbragstad> ravelar yeah - so in order to fix that bug - it might just be a matter of not persisting a revocation event when we remove a role from a user [15:52]
<breton> dstanek: > *and* they should be listed in the config in the same order [15:52]
<breton> dstanek: oh wow, i thought we fixed that [15:52]
*** chris_hultin is now known as chris_hultin|AWA [15:52]
<dstanek> breton: we can't. that's how memcached works [15:53]
<ravelar> lbragstad at all? [15:53]
<breton> dstanek: well, we can. sort(list_of_servers) :p [15:53]
<baffle> breton: So, if I understand correctly, the only working option is oslo_cache.memcache_pool if you have multiple keystone servers? Since the dogpile.cache.* seems to not really support HA. Or you could work around it by having a redis cluster behind LB.. [15:53]
<lbragstad> ravelar right - i think so [15:53]
<lbragstad> ravelar if a user has a role on a project and they get a token scoped to that project, everything works, right? [15:53]
<ravelar> lbragstad but isn't the role + user_id revoked together to ensure they can't use that role for that project anymore? [15:54]
<lbragstad> ravelar if that role is removed from the user on that project, they shouldn't have any more valid role assignments for the scope of that token [15:54]
<breton> baffle: dogpile.cache.memcache should work too. memcache_pool is just a funny version of dogpile.cache.memcache, with old tweaks. [15:54]
<lbragstad> ravelar so when they go to validate that token - they are going to hit this piece of code [15:54]
<baffle> breton: So there is support for specifying multiple servers in dogpile.cache.memcache? It wasn't really obvious from any docs I saw. :) [15:54]
<ravelar> lbragstad but what if they have multiple roles on a project? [15:55]
*** chris_hultin|AWA is now known as chris_hultin [15:55]
<lbragstad> ravelar https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L328 [15:55]
<lbragstad> ravelar then we should still consider it a valid token [15:55]
<ravelar> lbragstad but how is that solved by not revoking a role + userid at all? [15:55]
<breton> baffle: i think yes [15:55]
<ravelar> lbragstad I am missing something [15:55]
<lbragstad> ravelar because it's all rebuilt at validation time ;) [15:55]
<ravelar> vidyo right now mister! [15:56]
<ravelar> lol [15:56]
<lbragstad> ok - meet in my room [15:57]
<ravelar> k [15:57]
*** rcernin has quit IRC [15:59]
<baffle> breton: Hmm, seems "url" can be a string, or list of strings, so I guess so. What is recommended? oslo_cache.memcache_pool or dogpile.cache.memcache? I would assume using oslo_cache is the way forward, but memcache_pool probably has lots of magic.. [15:59]
<baffle> Errr. dogpile.cache way forward I mean. [16:00]
*** jaybeers has joined #openstack-keystone [16:02]
<breton> baffle: i can recommend you only oslo_cache.memcache_pool, because we used it in Mirantis OpenStack, it worked fine and we didn't try anything else. But most of folks here use dogpile.cache.memcache. [16:03]
<breton> sorry, got to go [16:04]
<baffle> breton: Thanks! :) [16:09]
*** nishaYadav has joined #openstack-keystone [16:16]
* nishaYadav waves hello o/ [16:17]
*** chlong_ has quit IRC [16:19]
*** nishaYadav_ has joined #openstack-keystone [16:24]
*** nishaYadav has quit IRC [16:24]
*** thorst is now known as thorst_afk [16:27]
<openstackgerrit> Kristi Nikolla proposed openstack/keystone master: Remove keystone.common.ldap  https://review.openstack.org/438209 [16:27]
*** henrynash has joined #openstack-keystone [16:28]
*** pnavarro has quit IRC [16:28]
<knikolla> o/ [16:28]
*** henrynash has quit IRC [16:29]
*** jaosorior has joined #openstack-keystone [16:34]
<gagehugo> knikolla: o/ [16:41]
*** jaosorior has quit IRC [16:42]
*** dims_ has quit IRC [16:45]
<openstackgerrit> Kristi Nikolla proposed openstack/keystone master: Remove keystone.common.ldap  https://review.openstack.org/438209 [16:47]
<knikolla> rodrigods: i would appreciate some help on debugging the failures in https://review.openstack.org/#/c/441469/ [16:49]
<knikolla> they seem to be non-deterministic. I ran it once with 2 failures, recheck showed 14 failures. [16:49]
<knikolla> so probably a side effect of something [16:50]
<knikolla> ayoung: ^^ if you have some spare time too [16:50]
*** prashkre has joined #openstack-keystone [16:53]
*** henrynash has joined #openstack-keystone [16:54]
*** lucasxu has quit IRC [16:56]
*** lucasxu has joined #openstack-keystone [16:58]
*** h5t4 has joined #openstack-keystone [16:59]
*** knangia has joined #openstack-keystone [17:00]
*** lucasxu has quit IRC [17:02]
*** aojea_ has quit IRC [17:05]
*** catintheroof has quit IRC [17:07]
*** catintheroof has joined #openstack-keystone [17:08]
*** aasthad has joined #openstack-keystone [17:09]
<samueldmq> lbragstad: o/ [17:17]
<samueldmq> hi keystoners ! [17:17]
<ravelar> hiiii [17:19]
<lbragstad> ravelar https://bugs.launchpad.net/keystone/+bug/1671887 [17:20]
<openstack> Launchpad bug 1671887 in OpenStack Identity (keystone) "Revocation API is used in places where where it doesn't need to be" [Undecided,New] [17:20]
*** nishaYadav has joined #openstack-keystone [17:21]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Don't persist revocation events when deleting a role  https://review.openstack.org/444424 [17:21]
*** nishaYadav_ has quit IRC [17:22]
*** browne has joined #openstack-keystone [17:24]
*** david-lyle has joined #openstack-keystone [17:28]
*** lucasxu has joined #openstack-keystone [17:29]
*** jaugustine has quit IRC [17:29]
*** Jack_I has quit IRC [17:30]
*** lamt has joined #openstack-keystone [17:37]
<notmorgan> lbragstad: i just had a thought on validation of tokens after role is deleted [17:39]
<notmorgan> re ^ [17:39]
<lbragstad> notmorgan yeah? [17:40]
<lbragstad> cc ravelar ^ [17:40]
<notmorgan> lbragstad: you might need to make sure the token cannot validate if there are no roles [17:40]
<notmorgan> in the case that the only role is removed [17:40]
<notmorgan> some services may rely on no role == invalid token [17:41]
<notmorgan> not sure how a token validation will work with no roles if it is just reconstructing the token [17:41]
*** nishaYadav_ has joined #openstack-keystone [17:41]
<ravelar> lbragstad that's a 404 error right? [17:42]
<ravelar> or 401, can't remember [17:42]
<notmorgan> 404 [17:43]
<notmorgan> since it is a token validation [17:43]
<notmorgan> not new token issuance [17:43]
<notmorgan> or totally missing a token. [17:43]
<ravelar> ah right :) [17:44]
*** nishaYadav has quit IRC [17:46]
<notmorgan> ravelar: for all i know that is how it already works [17:46]
<notmorgan> but i'd like to see a test for that case with the code ^ [17:47]
<notmorgan> just so we can be sure [17:47]
*** ravelar has quit IRC [17:51]
<notmorgan> mordred: if a project has setup requires pbr>=2.0 and requirements <2.0... this seems like a generally bad idea. [17:51]
<mordred> notmorgan: yes [17:51]
<notmorgan> mordred: it seems to be ok, but the proposal bot for ksa just proposed <2.0 in requirements.txt [17:51]
<mordred> really? [17:51]
<notmorgan> yep [17:51]
<notmorgan> https://review.openstack.org/#/c/443809/1 [17:52]
<notmorgan> slapped a -2 on that for the moment. [17:52]
<mordred> notmorgan: that's the stable/ocata branch [17:52]
<notmorgan> oh [17:52]
<notmorgan> ok [17:52]
<notmorgan> i can't read [17:52]
<mordred> I was _really_ concerned :) [17:53]
<notmorgan> yes, as was I. [17:53]
<lbragstad> notmorgan if someone authenticates for a token, then all role assignments for that user are removed from that project, the token is considered invalid [17:53]
<notmorgan> lbragstad: if the user has no roles, they cannot auth with that scope [17:53]
<notmorgan> so validation of that token must fail [17:53]
<lbragstad> right [17:53]
<lbragstad> which it does [17:53]
<notmorgan> we just need to make sure since we are no longer persisting a rev event [17:53]
<notmorgan> that we test that case [17:53]
<notmorgan> issue a token, then remove the roles, then validate the token fails [17:54]
<rodrigods> knikolla, maybe next week i have some time to help debug [17:54]
*** ravelar has joined #openstack-keystone [17:54]
<ravelar> notmorgan: you're right [17:54]
<ravelar> that is [17:54]
<notmorgan> previously we were 100% covered because rev event occurred [17:54]
<notmorgan> i want to have a test to be sure we maintain the functionality and don't regress [17:55]
<lbragstad> right - and now we're covered because we rebuild everything at validation time [17:55]
<lbragstad> we have tests for this - i'll have to go dig them up [17:55]
<notmorgan> we have a test for this exact case? where a previously valid token is being re-validated when all roles are removed? [17:56]
<notmorgan> just making sure we do [17:56]
<ravelar> I will look into this. brb stepping away to get a bite [17:57]
<lbragstad> same here [17:57]
*** tuan_ has quit IRC [17:58]
*** henrynash has quit IRC [17:59]
*** ravelar has quit IRC [18:02]
*** nishaYadav_ has quit IRC [18:06]
*** lucasxu has quit IRC [18:08]
*** nicodemus_ has joined #openstack-keystone [18:11]
*** ravelar has joined #openstack-keystone [18:11]
*** lucasxu has joined #openstack-keystone [18:15]
*** jaugustine has joined #openstack-keystone [18:32]
<nicodemus_> Hello [18:32]
<nicodemus_> I'm trying to enable CORS on keystone, in order to use a grafana plugin for Gnocchi. Is the "allowed_origin" the only needed parameter for CORS to work? (I'm following the steps from https://docs.openstack.org/developer/gnocchi/grafana.html but grafana insists that Keystone doesn't have CORS properly configured) [18:34]
*** Jack_I has joined #openstack-keystone [18:40]
*** henrynash has joined #openstack-keystone [18:43]
*** Jack_V has joined #openstack-keystone [18:43]
<lbragstad> i think our requirements are broken for keystone [18:44]
*** Jack_I has quit IRC [18:46]
*** henrynash has quit IRC [18:46]
*** henrynash has joined #openstack-keystone [18:47]
*** henrynash has quit IRC [18:47]
*** henrynash has joined #openstack-keystone [18:48]
<lbragstad> installing keystone in a venv using the latest master results in http://cdn.pasteraw.com/m04prdfs9vfwl1fqrzmgasz66oifm0l [18:48]
*** henrynash has quit IRC [18:50]
*** Jack_I has joined #openstack-keystone [18:52]
*** Jack_V has quit IRC [18:54]
*** MasterOfBugs has joined #openstack-keystone [19:06]
<lbragstad> sigmavirus do you know why we seem to not allow requests 2.13.0? [19:09]
<lbragstad> and by we I mean openstack requirements? [19:09]
*** aojea has joined #openstack-keystone [19:11]
*** henrynash has joined #openstack-keystone [19:31]
<openstackgerrit> Merged openstack/keystone master: Remove keystone.common.ldap  https://review.openstack.org/438209 [19:41]
*** chlong_ has joined #openstack-keystone [19:42]
*** henrynash has quit IRC [19:43]
*** dims has joined #openstack-keystone [19:49]
*** pnavarro has joined #openstack-keystone [19:56]
*** h5t4 has quit IRC [20:01]
*** prashkre has quit IRC [20:02]
*** h5t4_ has joined #openstack-keystone [20:03]
<dstanek> lbragstad: http://git.openstack.org/cgit/openstack/requirements/commit/global-requirements.txt?id=08b589c5ad0f0f49d8d5880f3a703cfae43b0a39 [20:04]
<lbragstad> dstanek hmm - that seems to break with keystone [20:05]
*** h5t4_ has quit IRC [20:08]
*** aojea has quit IRC [20:08]
*** aojea has joined #openstack-keystone [20:09]
*** h5t4 has joined #openstack-keystone [20:10]
*** aojea has quit IRC [20:13]
*** markvoelker has joined #openstack-keystone [20:22]
*** shewless has quit IRC [20:25]
*** raildo has quit IRC [20:29]
<openstackgerrit> Richard Avelar proposed openstack/keystone master: Add group_members_are_ids to whitelisted options  https://review.openstack.org/442048 [20:35]
*** h5t4 has quit IRC [20:42]
*** jose-phillips has quit IRC [20:43]
*** phalmos has quit IRC [20:44]
*** jose-phillips has joined #openstack-keystone [20:46]
*** pnavarro has quit IRC [20:48]
*** lucasxu has quit IRC [20:57]
*** lucasxu has joined #openstack-keystone [20:57]
*** henrynash has joined #openstack-keystone [21:02]
*** henrynash has quit IRC [21:05]
*** thorst_afk has quit IRC [21:26]
<openstackgerrit> Richard Avelar proposed openstack/keystone master: Validate rolling upgrade is run in order  https://review.openstack.org/437441 [21:28]
<openstackgerrit> Richard Avelar proposed openstack/keystone master: Validate rolling upgrade is run in order  https://review.openstack.org/437441 [21:30]
<dstanek> lbragstad: i'm building a new env now...hoping i don't have that issue [21:31]
<lbragstad> dstanek let me know if you run into it [21:31]
<lbragstad> we'll have to fix our requirements if so [21:31]
<openstackgerrit> Richard Avelar proposed openstack/keystone master: Validate rolling upgrade is run in order  https://review.openstack.org/437441 [21:32]
*** jose-phillips has quit IRC [21:39]
<samueldmq> lbragstad: dstanek: having fun here ? [21:43]
*** thorst_afk has joined #openstack-keystone [21:44]
*** henrynash has joined #openstack-keystone [21:44]
*** henrynash has quit IRC [21:46]
<lbragstad> samueldmq you know it [21:48]
*** jose-phillips has joined #openstack-keystone [21:49]
*** frontrunner has quit IRC [21:50]
<notmorgan> ftr: keystone v3 catalog backend is abysmal [21:51]
<notmorgan> as is the api to create/manage endpoints [21:52]
<notmorgan> it's stupid in how it creates new endpoints for every single interface [21:52]
*** lucasxu has quit IRC [21:52]
<notmorgan> v2 catalog was in fact superior in almost every way [21:52]
<notmorgan> this i think is one of the very few places i think v2 did things far far more correctly [21:52]
*** lucasxu has joined #openstack-keystone [21:52]
*** aojea has joined #openstack-keystone [21:53]
<openstackgerrit> Richard Avelar proposed openstack/keystone master: Validate rolling upgrade is run in order  https://review.openstack.org/437441 [21:55]
*** dave-mccowan has quit IRC [21:57]
<samueldmq> lbragstad: need a hand with it ? [21:59]
<lbragstad> samueldmq the requests requirements? [21:59]
<samueldmq> lbragstad: yeah [22:00]
<samueldmq> lbragstad: want me to create a new env and test it ? [22:00]
<lbragstad> samueldmq sure! [22:00]
<lbragstad> samueldmq i've been able to consistently recreate it [22:00]
*** spilla has quit IRC [22:00]
<samueldmq> lbragstad: trying it. how do you do it ? just pip install keystone/ (from the local master version) [22:02]
<samueldmq> lbragstad: then "keystone-wsgi-admin -p 35357" in python ? [22:02]
<lbragstad> i created a new virtualenv and installed using `pip install -e .` [22:02]
<lbragstad> yep [22:02]
<samueldmq> lbragstad: it's working for me http://paste.openstack.org/show/602319/ [22:05]
<samueldmq> wait, testing again, I didn't 'git pull' :-) [22:06]
<dstanek> lbragstad: better now, but for a few minutes i was getting 500 errors trying to talk to rackspace identity [22:07]
<samueldmq> dstanek: phew! [22:08]
<dstanek> need to grab some dinner. be back in a bit [22:11]
*** Jack_I has quit IRC [22:14]
*** jdennis1 has joined #openstack-keystone [22:17]
*** jdennis has quit IRC [22:17]
<samueldmq> worked for me on masters [22:18]
<samueldmq> master [22:18]
*** nicodemus_ has quit IRC [22:19]
<lbragstad> hmm [22:19]
<lbragstad> interesting - i wonder if it's just something i'm hitting locally then [22:19]
*** chlong_ has quit IRC [22:21]
*** catintheroof has quit IRC [22:23]
*** knikolla has left #openstack-keystone [22:31]
*** lucasxu has quit IRC [22:35]
<lbragstad> stevemar working on reproposing your stable release note changes if you're interested in reviewing them https://review.openstack.org/#/c/429143/2 [22:47]
<lbragstad> another stable review if anyone is interested https://review.openstack.org/#/c/429179/2 [22:50]
*** jaugustine has quit IRC [22:54]
*** aojea has quit IRC [22:57]
*** aojea has joined #openstack-keystone [22:57]
*** aojea has quit IRC [23:02]
<openstackgerrit> Richard Avelar proposed openstack/keystone master: Add group_members_are_ids to whitelisted options  https://review.openstack.org/442048 [23:03]
*** nicolasbock has quit IRC [23:23]
*** nicolasbock has joined #openstack-keystone [23:27]
*** thorst_afk has quit IRC [23:27]
*** tesseract has quit IRC [23:29]
*** MasterOfBugs has quit IRC [23:34]
*** edmondsw has quit IRC [23:35]
*** edmondsw has joined #openstack-keystone [23:37]
*** edmondsw has quit IRC [23:42]
*** chris_hultin is now known as chris_hultin|AWA [23:49]
