Tuesday, 2017-03-21

*** edmondsw has joined #openstack-keystone		00:03
*** edmondsw has quit IRC		00:08
*** rderose has quit IRC		00:20
*** jlopezgu has quit IRC		00:21
*** masber has joined #openstack-keystone		00:24
*** agrebennikov has quit IRC		00:26
*** dikonoor has joined #openstack-keystone		00:28
*** catintheroof has joined #openstack-keystone		00:35
*** guoshan has joined #openstack-keystone		00:39
*** gyee_ has quit IRC		00:40
*** donu7 has quit IRC		00:41
*** Aqsa has quit IRC		00:43
*** adrian_otto has quit IRC		00:50
*** Shunli has joined #openstack-keystone		00:52
*** zsli_ has joined #openstack-keystone		00:52
*** zsli_ has quit IRC		00:52
*** Shunli has quit IRC		00:52
*** Shunli has joined #openstack-keystone		00:52
*** browne has quit IRC		01:01
*** guoshan has quit IRC		01:01
*** guoshan has joined #openstack-keystone		01:02
*** dikonoor has quit IRC		01:03
*** guoshan has quit IRC		01:03
*** guoshan has joined #openstack-keystone		01:03
*** prashkre has joined #openstack-keystone		01:04
*** catintheroof has quit IRC		01:08
*** guoshan has quit IRC		01:12
*** liujiong has joined #openstack-keystone		01:16
*** jamielennox is now known as jamielennox\|away		01:16
*** prashkre has quit IRC		01:22
*** prashkre has joined #openstack-keystone		01:23
*** amrith has joined #openstack-keystone		01:23
amrith	greetings keystone folks. when requesting a token from keystone, can one specify a timeout (token life)? https://developer.openstack.org/api-ref/identity/v2/?expanded=authenticate-detail#authenticate doesn't provide any obvious way to do it. is it the case that the only solution is to change the global in /etc/keystone/keystone.conf token expiration?	01:26
*** jamielennox\|away is now known as jamielennox		01:28
*** lespaul has quit IRC		01:41
*** JDub has joined #openstack-keystone		01:48
*** knangia has quit IRC		01:51
*** guoshan has joined #openstack-keystone		01:52
*** browne has joined #openstack-keystone		01:53
*** JDub has quit IRC		01:56
*** zhurong has joined #openstack-keystone		01:57
*** pramodrj07 has joined #openstack-keystone		01:59
*** pramodrj07 has quit IRC		02:01
*** browne has quit IRC		02:02
*** MasterOfBugs has quit IRC		02:02
*** adrian_otto has joined #openstack-keystone		02:15
*** wangqun has joined #openstack-keystone		02:15
*** ravelar has quit IRC		02:17
*** agrebennikov has joined #openstack-keystone		02:47
*** aojea has joined #openstack-keystone		02:48
*** zsli_ has joined #openstack-keystone		02:52
*** aojea has quit IRC		02:53
*** Shunli has quit IRC		02:54
*** masber has quit IRC		02:54
*** nicolasbock has quit IRC		03:02
*** zhurong has quit IRC		03:05
*** adrian_otto has quit IRC		03:06
openstackgerrit	Merged openstack/oslo.policy master: Use Sphinx 1.5 warning-is-error https://review.openstack.org/446608	03:11
*** masber has joined #openstack-keystone		03:15
*** spzala has joined #openstack-keystone		03:19
*** zhurong has joined #openstack-keystone		03:22
*** namnh has joined #openstack-keystone		03:22
*** dave-mccowan has quit IRC		03:29
*** adrian_otto has joined #openstack-keystone		03:32
*** Aurelgadjo has joined #openstack-keystone		03:37
*** Aurelgad1o has quit IRC		03:40
*** links has joined #openstack-keystone		03:44
*** MarkMielke has joined #openstack-keystone		03:46
*** namnh_ has joined #openstack-keystone		03:55
*** namnh has quit IRC		03:58
*** spzala has quit IRC		04:05
*** adrian_otto has quit IRC		04:06
*** adrian_otto has joined #openstack-keystone		04:07
*** jamielennox is now known as jamielennox\|away		04:12
*** zhurong has quit IRC		04:12
*** d0ugal has quit IRC		04:16
*** prashkre has quit IRC		04:17
*** d0ugal has joined #openstack-keystone		04:17
*** adrian_otto has quit IRC		04:29
*** spzala has joined #openstack-keystone		04:47
*** spzala has quit IRC		04:51
*** zhurong has joined #openstack-keystone		05:00
openstackgerrit	wingwj proposed openstack/python-keystoneclient master: Remove log translations in python-keystoneclient https://review.openstack.org/447805	05:05
*** spzala has joined #openstack-keystone		05:11
*** spzala has quit IRC		05:15
*** zhurong has quit IRC		05:40
*** richm has quit IRC		05:43
*** rcernin has joined #openstack-keystone		05:43
*** guoshan has quit IRC		05:46
*** markvoelker has quit IRC		05:53
*** rcernin has quit IRC		05:57
openstackgerrit	D G Lee proposed openstack/keystonemiddleware master: Remove log translations https://review.openstack.org/447841	06:00
*** knangia has joined #openstack-keystone		06:02
*** guoshan has joined #openstack-keystone		06:07
*** prashkre has joined #openstack-keystone		06:08
*** adriant has quit IRC		06:14
openstackgerrit	ZhangHongtao proposed openstack/keystone master: Remove log translate https://review.openstack.org/447858	06:15
*** agrebennikov has quit IRC		06:20
openstackgerrit	wingwj proposed openstack/keystone master: Remove log translations in keystone https://review.openstack.org/447864	06:21
openstackgerrit	Siyi Luo proposed openstack/oslo.policy master: Remove log translations https://review.openstack.org/447867	06:23
*** aojea has joined #openstack-keystone		06:30
*** jaosorior has joined #openstack-keystone		06:31
openstackgerrit	wingwj proposed openstack/python-keystoneclient master: Remove log translations in python-keystoneclient https://review.openstack.org/447805	06:38
*** aojea has quit IRC		06:54
*** markvoelker has joined #openstack-keystone		06:54
*** markvoelker has quit IRC		06:58
*** david-lyle has quit IRC		07:02
*** spzala has joined #openstack-keystone		07:18
openstackgerrit	D G Lee proposed openstack/keystonemiddleware master: Remove log translations https://review.openstack.org/447841	07:20
*** spzala has quit IRC		07:23
*** tesseract has joined #openstack-keystone		07:35
*** spzala has joined #openstack-keystone		07:43
*** pnavarro has joined #openstack-keystone		07:44
*** maciejjozefczyk has quit IRC		07:45
*** spzala has quit IRC		07:48
*** spzala has joined #openstack-keystone		07:50
*** spzala has quit IRC		07:54
*** zzzeek has quit IRC		08:00
*** zzzeek has joined #openstack-keystone		08:00
*** spzala has joined #openstack-keystone		08:02
*** spzala has quit IRC		08:07
*** voelzmo has joined #openstack-keystone		08:10
*** pcaruana has joined #openstack-keystone		08:11
*** aojea has joined #openstack-keystone		08:21
openstackgerrit	Siyi Luo proposed openstack/oslo.policy master: Remove log translations https://review.openstack.org/447867	08:27
*** knangia has quit IRC		08:31
-openstackstatus- NOTICE: Wiki is broken with database problems, we are working to resolve it		08:31
*** ChanServ changes topic to "Wiki is broken with database problems, we are working to resolve it"		08:31
*** zhurong has joined #openstack-keystone		08:34
*** spzala has joined #openstack-keystone		08:38
*** ChanServ changes topic to "Meeting Agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting \| Bugs that need triaging: http://bit.ly/2iJuN1h"		08:39
-openstackstatus- NOTICE: Wiki problems have been fixed, it's up and running		08:39
*** Aqsa has joined #openstack-keystone		08:40
*** spzala has quit IRC		08:42
*** markvoelker has joined #openstack-keystone		08:55
*** markvoelker has quit IRC		09:00
*** openstackgerrit has quit IRC		09:03
*** mvk has quit IRC		09:17
*** spzala has joined #openstack-keystone		09:26
*** spzala has quit IRC		09:31
*** spzala has joined #openstack-keystone		09:38
*** spzala has quit IRC		09:43
*** markvoelker has joined #openstack-keystone		09:56
*** mvk has joined #openstack-keystone		09:58
*** markvoelker has quit IRC		10:00
*** zhurong has quit IRC		10:05
*** nicolasbock has joined #openstack-keystone		10:08
*** liujiong_lj has joined #openstack-keystone		10:09
*** namnh_ has quit IRC		10:09
*** liujiong has quit IRC		10:09
*** richm has joined #openstack-keystone		10:11
*** liujiong_lj has quit IRC		10:12
*** jaosorior is now known as jaosorior_brb		10:14
*** spzala has joined #openstack-keystone		10:15
*** spzala has quit IRC		10:19
*** zhurong has joined #openstack-keystone		10:24
*** jamielennox\|away is now known as jamielennox		10:30
*** guoshan has quit IRC		10:48
*** spzala has joined #openstack-keystone		10:51
*** rmascena has joined #openstack-keystone		10:52
*** spzala has quit IRC		10:56
*** aojea_ has joined #openstack-keystone		11:01
*** aojea has quit IRC		11:03
*** jamielennox is now known as jamielennox\|away		11:05
*** jamielennox\|away is now known as jamielennox		11:12
*** mvk has quit IRC		11:12
*** openstackgerrit has joined #openstack-keystone		11:22
openstackgerrit	wingwj proposed openstack/keystone master: Remove log translations in keystone https://review.openstack.org/447864	11:22
Dinesh_Bhor	jamielennox: Hi, may I have your attention on this? https://review.openstack.org/#/c/447377/	11:23
*** mvk has joined #openstack-keystone		11:25
*** guoshan has joined #openstack-keystone		11:40
*** wangqun has quit IRC		11:48
*** edmondsw has joined #openstack-keystone		12:00
*** edmondsw has quit IRC		12:05
*** edmondsw has joined #openstack-keystone		12:26
*** dave-mccowan has joined #openstack-keystone		12:37
*** jaosorior_brb is now known as jaosorior		12:38
*** zhurong has quit IRC		12:39
*** guoshan has quit IRC		12:48
*** markvoelker has joined #openstack-keystone		12:48
*** dave-mccowan has quit IRC		12:49
openstackgerrit	Rob Crittenden proposed openstack/keystone master: Include the requested URL in authentication errors https://review.openstack.org/446720	12:54
openstackgerrit	Merged openstack/oslo.policy master: oslopolicy-sample-generator description support https://review.openstack.org/443330	12:56
*** kencjohnston_ has quit IRC		12:56
*** dave-mccowan has joined #openstack-keystone		12:57
dstanek	amrith: i don't think there is a per token way to do that	13:01
amrith	dstanek, thanks. I'm playing with just bumping it in keystone.conf for now	13:03
amrith	thanks	13:03
dstanek	did you have a usecase where you wanted to limit some of the tokens to a shorter expiration?	13:03
*** zsli_ has quit IRC		13:06
*** kbaegis has joined #openstack-keystone		13:08
*** voelzmo has quit IRC		13:10
*** guoshan has joined #openstack-keystone		13:15
*** links has quit IRC		13:24
*** voelzmo has joined #openstack-keystone		13:26
*** spilla has joined #openstack-keystone		13:29
*** voelzmo has quit IRC		13:30
*** guoshan has quit IRC		13:34
*** adrian_otto has joined #openstack-keystone		13:40
*** agrebennikov has joined #openstack-keystone		13:51
*** spzala has joined #openstack-keystone		13:55
lbragstad	is anyone else getting this running `tox -e pep8` on python-keystoneclient master - http://cdn.pasteraw.com/m9gjo2vvsqbzvjfs5tc3aauj0dflbob	13:57
*** catintheroof has joined #openstack-keystone		13:57
*** adrian_otto has quit IRC		13:58
*** voelzmo has joined #openstack-keystone		14:02
*** voelzmo has quit IRC		14:06
*** voelzmo has joined #openstack-keystone		14:06
gagehugo	https://git.openstack.org/cgit/openstack/requirements/plain/upper-constraints.txt	14:08
gagehugo	pbr===2.0.0	14:08
gagehugo	but the requrement is wanting < 2.0.0	14:09
gagehugo	that's odd	14:09
gagehugo	lbragstad: https://review.openstack.org/#/c/439355/	14:13
lbragstad	gagehugo huh - i swear i approved that before	14:14
lbragstad	i guess not	14:14
lbragstad	i also saw a bunch of reviews proposing pbr 2.0.0 to stable branches	14:14
lbragstad	which i thought was strange - but the release team didn't seem to think it would be a problem	14:15
* lbragstad shrugs		14:15
gagehugo	yeah there's one for stable/ocata as well: https://review.openstack.org/#/c/443881/	14:16
*** guoshan has joined #openstack-keystone		14:16
*** prashkre has quit IRC		14:16
Dinesh_Bhor	lbragstad: Hi, looks like this: https://review.openstack.org/#/c/439355/ will fix the failing test cases: https://bugs.launchpad.net/python-keystoneclient/+bug/1673761	14:18
openstack	Launchpad bug 1673761 in python-keystoneclient "py27 and py35 test cases are failing on current master" [Medium,In progress] - Assigned to Dinesh Bhor (dinesh-bhor)	14:18
*** chlong has joined #openstack-keystone		14:18
lbragstad	Dinesh_Bhor yeah - i just hit that, too	14:18
lbragstad	Dinesh_Bhor I've approved it	14:18
*** prashkre has joined #openstack-keystone		14:18
Dinesh_Bhor	lbragstad: I will abandon my patch: https://review.openstack.org/#/c/447377/ Could you please mark that bug as fixed then?	14:19
lbragstad	Dinesh_Bhor yeah - i'll do that once the patch from the proposal bot merges	14:19
*** knangia has joined #openstack-keystone		14:19
Dinesh_Bhor	lbragstad: ok, thanks a lot	14:19
lbragstad	Dinesh_Bhor no problem - thanks for keeping me posted	14:20
lbragstad	stevemar dolphm notmorgan we're going to need someone to come through and start doing some stable reviews - https://review.openstack.org/#/c/443808/ https://review.openstack.org/#/c/443810/ https://review.openstack.org/#/c/443881/	14:21
* lbragstad refills coffee		14:22
notmorgan	I might need to step down as stable core	14:22
notmorgan	we will see how the week or next two progress	14:22
*** prashkre has quit IRC		14:23
*** chlong has quit IRC		14:24
dolphm	lbragstad: i can do that today	14:24
*** guoshan has quit IRC		14:25
*** lamt has joined #openstack-keystone		14:27
*** guoshan has joined #openstack-keystone		14:28
*** guoshan has quit IRC		14:30
lbragstad	notmorgan thanks for the heads up	14:33
lbragstad	dolphm ack - thank you	14:33
*** kbaegis has quit IRC		14:39
*** rderose has joined #openstack-keystone		14:42
*** kbaegis has joined #openstack-keystone		14:42
dolphm	stevemar: lbragstad: are the "clean up release notes" patches still applicable to stable branches?	14:48
lbragstad	dolphm i asked stevemar that question when I rebased a couple of them	14:48
dolphm	i've skipped reviewing those because it sounded like a mistake from some comment somewhere	14:48
dolphm	lbragstad: probably from you then	14:48
lbragstad	a lot of the commit titles were referencing specific branches but the patches themselves were proposed to mismatching branches	14:49
*** david-lyle has joined #openstack-keystone		14:49
lbragstad	and i'm not entirely sure if that how it was suppose to be because they were backports or not	14:49
lbragstad	that's	14:50
lbragstad	*	14:50
dolphm	lbragstad: no word back from stevemar though?	14:51
* lbragstad double checks logs		14:51
dolphm	lbragstad: also, i think the -1 can be reversed https://review.openstack.org/#/c/438354/	14:51
*** ravelar has joined #openstack-keystone		14:51
*** lamt has quit IRC		14:52
lbragstad	dolphm done	14:52
lbragstad	dolphm https://review.openstack.org/#/c/429178/1//COMMIT_MSG	14:54
*** lamt has joined #openstack-keystone		14:54
openstackgerrit	Anthony Washington proposed openstack/oslo.policy master: Add release note for 439070 https://review.openstack.org/448139	14:55
*** belmoreira has joined #openstack-keystone		14:56
*** dave-mccowan has quit IRC		15:02
*** guoshan has joined #openstack-keystone		15:04
*** lamt has quit IRC		15:08
*** guoshan has quit IRC		15:08
*** david-lyle has quit IRC		15:09
*** kbaegis has quit IRC		15:09
*** phalmos has joined #openstack-keystone		15:15
*** david-lyle has joined #openstack-keystone		15:15
*** guoshan has joined #openstack-keystone		15:17
*** guoshan has quit IRC		15:21
*** dave-mccowan has joined #openstack-keystone		15:23
knikolla	o/	15:26
lbragstad	o/	15:29
*** jrist has quit IRC		15:33
*** phalmos_ has joined #openstack-keystone		15:33
*** phalmos has quit IRC		15:34
*** phalmos_ has quit IRC		15:34
*** phalmos has joined #openstack-keystone		15:36
*** adrian_otto has joined #openstack-keystone		15:38
*** jrist has joined #openstack-keystone		15:40
openstackgerrit	Richard Avelar proposed openstack/keystone master: Don't persist revocation events when deleting a role https://review.openstack.org/444424	15:50
*** adrian_otto has quit IRC		15:52
*** auvipy has joined #openstack-keystone		15:54
*** david-lyle has quit IRC		15:54
openstackgerrit	Richard Avelar proposed openstack/keystone master: Don't persist rev event when deleting access token https://review.openstack.org/447549	15:55
*** jlopezgu has joined #openstack-keystone		15:56
openstackgerrit	Richard Avelar proposed openstack/keystone master: Don't persist rev event when deleting access token https://review.openstack.org/447549	15:56
*** david-lyle has joined #openstack-keystone		16:01
*** adrian_otto has joined #openstack-keystone		16:01
*** lamt has joined #openstack-keystone		16:03
*** lamt has quit IRC		16:05
*** lamt has joined #openstack-keystone		16:06
*** spzala has quit IRC		16:10
EmilienM	lbragstad: hey, would it make sense to revert https://review.openstack.org/#/c/439194/ and restore the spec? I don't want to have to approve https://review.openstack.org/#/c/445592/ and fix it in tripleo only	16:19
EmilienM	lbragstad: if it's a matter of human resource, please let me know and I can look internaly	16:20
lbragstad	EmilienM i'm not sure a revert would be the answer but a new spec could be proposed that goes through the official process	16:20
EmilienM	lbragstad: ok I see	16:21
lbragstad	EmilienM we removed the older spec because it was outdated and somewhat inaccurate	16:21
EmilienM	lbragstad: i'll try to push some efforts into this	16:21
lbragstad	EmilienM cool - i'll be on the look out for a new proposal	16:21
EmilienM	ok	16:22
EmilienM	thx	16:22
*** kbaegis has joined #openstack-keystone		16:23
*** voelzmo has quit IRC		16:25
*** belmoreira has quit IRC		16:25
*** jaosorior has quit IRC		16:29
openstackgerrit	Richard Avelar proposed openstack/keystone master: Remove unnecessary revocation events revoke grant https://review.openstack.org/448192	16:39
*** rmascena has quit IRC		16:45
*** Daviey_ is now known as Daviey		16:49
*** jaosorior has joined #openstack-keystone		16:55
*** aojea_ has quit IRC		16:59
*** kbaegis has quit IRC		17:00
lbragstad	mfisch ping - curious if you'd be able to confirm dstanek's latest comment here https://bugs.launchpad.net/keystone/+bug/1578401	17:04
openstack	Launchpad bug 1578401 in OpenStack Identity (keystone) "tokens in memcache have no/improper expiration" [Low,Confirmed] - Assigned to David Stanek (dstanek)	17:04
*** rmascena has joined #openstack-keystone		17:05
dstanek	lbragstad: looking at the meeting etherpad now. the answer to the py3 spec is no. we never merged a 3.4 spec - it was about moving the py3. 3.4 was just the latest at that time.	17:05
lbragstad	ah - so that spec merged but it was never implemented?	17:05
dstanek	lbragstad: we already are py3 compatible	17:06
dstanek	http://git.openstack.org/cgit/openstack/keystone/tree/setup.cfg#n19	17:06
lbragstad	dstanek you said that there were a couple things we still needed to do to get better 3.5 coverage?	17:06
dstanek	to my knowledge there is no work to be done. i have a personal goal to add some unicode testing, but that's just testing	17:06
lbragstad	ok - so i should be able to update our community goals for pike	17:07
lbragstad	to reflect that information	17:07
*** kbaegis has joined #openstack-keystone		17:07
dstanek	lbragstad: yep. we've had the py3 tag for quite a while now	17:07
lbragstad	nice - i'll propose that patch then	17:09
lbragstad	grabbing lunch	17:09
dstanek	lbragstad: mfisch: i believe that they reason we don't use oslo.cache is that we don't want to force it on middleware consumers. limiting deps and all that. so that's why there is a different.	17:09
dstanek	my patch was merely a hack to make oslo.cache entries in memcache look more like memcache.py entries.	17:10
lbragstad	ah	17:10
dstanek	lbragstad: that was so looong ago...it's all coming back to me now	17:12
*** kbaegis has quit IRC		17:27
*** kbaegis has joined #openstack-keystone		17:27
*** spzala has joined #openstack-keystone		17:27
*** lamt has quit IRC		17:29
*** catintheroof has quit IRC		17:30
*** catintheroof has joined #openstack-keystone		17:30
*** prashkre has joined #openstack-keystone		17:31
*** spzala has quit IRC		17:32
*** david-lyle_ has joined #openstack-keystone		17:37
*** david-lyle has quit IRC		17:38
*** spzala has joined #openstack-keystone		17:38
*** nkinder has quit IRC		17:39
*** spzala has quit IRC		17:41
*** spzala has joined #openstack-keystone		17:41
lbragstad	ping agrebennikov, amakarov, annakoppad, antwash, ayoung, bknudson, breton, browne, chrisplo, cmurphy, davechen, dolphm, dstanek, edmondsw, edtubill, gagehugo, henrynash, hrybacki, jamielennox, jaugustine, jgrassler, knikolla, lamt, lbragstad, kbaikov, ktychkova, morgan, nishaYadav, nkinder, notmorgan, portdirect, raildo, ravelar, rderose, rodrigods, roxanaghe, samueldmq, SamYaple, shaleh, spilla, srwilkers,	17:50
lbragstad	StefanPaetowJisc, stevemar, topol, shardy, ricolin	17:50
lbragstad	reminder that the weekly keystone meeting will be starting in ~10 minutes in #openstack-meeting	17:50
gagehugo	o/	17:51
rodrigods	:)	17:52
*** nkinder has joined #openstack-keystone		17:53
notmorgan	whoa, i spy an nkinder in the channel	17:55
dstanek	lbragstad: can't wait!	17:57
nkinder	notmorgan: hey!	17:57
lbragstad	dstanek get your coffee now ;)	17:57
*** jaosorior has quit IRC		17:57
dstanek	lbragstad: way ahead of you water is already on its way to a boil	17:58
lbragstad	dstanek make a cup for me	17:58
*** spzala has quit IRC		17:59
dstanek	lbragstad: np. i'll drink it for you too!	18:01
*** spzala has joined #openstack-keystone		18:01
*** lamt has joined #openstack-keystone		18:01
lbragstad	dstanek you're such a good friend!	18:01
lbragstad	#amaze	18:01
*** markd_ has quit IRC		18:04
*** spzala has quit IRC		18:05
*** spzala has joined #openstack-keystone		18:07
*** spzala has quit IRC		18:10
*** spzala has joined #openstack-keystone		18:10
*** aojea has joined #openstack-keystone		18:17
*** mvk has quit IRC		18:18
*** spzala has quit IRC		18:27
*** Aqsa has quit IRC		18:28
*** tesseract has quit IRC		18:31
*** henrynash has joined #openstack-keystone		18:31
*** henrynash has left #openstack-keystone		18:31
*** henrynash has joined #openstack-keystone		18:33
*** spzala has joined #openstack-keystone		18:34
*** henrynash has quit IRC		18:36
*** henrynash has joined #openstack-keystone		18:38
*** spzala has quit IRC		18:38
*** pcaruana has quit IRC		18:39
*** Tahvok has left #openstack-keystone		18:40
*** aojea has quit IRC		18:40
*** Tahvok has joined #openstack-keystone		18:40
*** rmascena has quit IRC		18:44
*** aojea has joined #openstack-keystone		18:46
*** david-lyle_ has quit IRC		18:46
openstackgerrit	Richard Avelar proposed openstack/keystone master: Extend User API to support federated attributes https://review.openstack.org/426449	18:49
*** mvk has joined #openstack-keystone		18:53
lbragstad	dstanek o/	19:00
lbragstad	breton o/	19:00
dstanek	hey lbragstad	19:01
dstanek	long time no see	19:01
breton	lbragstad: o/	19:01
lbragstad	we have a lot of carry over stuff from the meeting - if anyone is interested in hanging out here to continue talking about stuff we can	19:01
*** henrynash has quit IRC		19:02
lbragstad	(er, i'll block of time to do so)	19:02
dstanek	i'm hanging out	19:02
lbragstad	ok - so tags	19:02
lbragstad	all i was trying to say is that if we do tags, we should default the tag policies to the same policies required for projects	19:03
lbragstad	thinking that it would make it so that it was restrictive	19:03
gagehugo	lbragstad: ++	19:03
*** rmascena has joined #openstack-keystone		19:04
gagehugo	that is the intended goal	19:05
dstanek	lbragstad: but ayoung had a good point	19:05
lbragstad	otherwise - we'd have to put the tag stuff off until policy was a little more granular, right?	19:05
dstanek	the current design is either admin only (for some definition of admin) or anybody	19:05
*** lamt has quit IRC		19:06
dstanek	so i think that won't do anything	19:06
dstanek	we have to decide if the binary admin vs. everybody matters.	19:07
dstanek	if we do what both to work in the same installation they we'd have to bake that into the design	19:07
lbragstad	so the problem is the domain-admin case, right?	19:08
dstanek	tags may have their own policy. you could do domain scoped tags (but i see lots of problems here), and i could probably think of other solutions	19:08
dstanek	lbragstad: it's cloud admin vs everyone else	19:08
lbragstad	because its introducing a level in between "admin" and "everyone else" that we currently can't solve for.	19:09
dstanek	we could with policy	19:09
lbragstad	but not with default policy	19:09
lbragstad	per ayoung's security concern	19:09
breton	i'll have to pass now	19:10
breton	but please review https://review.openstack.org/#/c/437533/	19:10
dstanek	lbragstad: right. we would have to allow people to include policy along with the tag	19:10
gagehugo	each tag would have to have it's own policy?	19:11
*** chlong has joined #openstack-keystone		19:13
dstanek	gagehugo: sure, it could	19:13
*** spzala has joined #openstack-keystone		19:13
dstanek	it depends on if we care about that usecase right now or not	19:13
gagehugo	ah	19:13
dstanek	we could also defer because the policy thing would be easy to add on later	19:14
*** spzala has quit IRC		19:15
*** spzala has joined #openstack-keystone		19:15
*** aojea has quit IRC		19:17
*** aojea has joined #openstack-keystone		19:18
lbragstad	the usecase would allow project owners to have their own tags, but also have tags they can't modify that are only viewable/editable by the cloud admin	19:18
dstanek	lbragstad: yes, exactly	19:18
dstanek	at a minimum we need to document that case.	19:19
lbragstad	right	19:19
lbragstad	i don't see a problem with clearly documenting that case and encouraging deployers to not use tags until we figure out how to address that case if it applies to them	19:20
dstanek	breton: is it a viable option to just use the group from the token to create the trust and not check them at use time?	19:20
*** auvipy has quit IRC		19:20
dstanek	lbragstad: or to only use tags for the admin-only case	19:20
lbragstad	and don't support project owner tags (or advertise that both can't be achieved in a secure model today)	19:21
*** aojea has quit IRC		19:22
lbragstad	gagehugo so maybe what we do is modify the spec to detail how tags are expected to work with default policy from the perspective of an administrator, domain-admin, and user	19:23
gagehugo	lbragstad: sure	19:25
gagehugo	I wonder if we can ask operators about this at Boston	19:25
gagehugo	admin vs users for tags	19:25
lbragstad	That should give us the opportunity to put a big red sticker on there that says "if you rely on domain-admin functionality to provision projects, but want to use tags for sensitive information that domain-admins aren't support to see, don't use this"	19:25
dstanek	lbragstad: gagehugo: the thing i like about the current proposal is that there is no 'create_tag' api, but there may need to be in the future if we need to associate policy with a tag	19:25
lbragstad	dstanek what would an example of that look like?	19:26
*** gyee has joined #openstack-keystone		19:26
dstanek	POST /tags {'tag': 'dev', 'policy': 'rule:cloud_admin'}	19:28
dstanek	then policy would be checked within the context of the policy file. do the existing rules are there	19:28
gagehugo	hmm	19:29
dstanek	other than setting policy you wouldn't need to use create	19:30
lbragstad	then you'd associate an existing tag like you normally would using PUT?	19:32
samueldmq	hi keystone!	19:32
dstanek	lbragstad: yeah, the editing of a project wouldn't change	19:33
gagehugo	so just the creation would be separate	19:33
lbragstad	but - how does the policy of adding or removing of a tag to or from a project get enforced?	19:34
lbragstad	the policy would have to be pulled from the tag reference?	19:35
dstanek	lbragstad: the API that is currently being proposed as well as create/update project would have to enforce	19:35
samueldmq	uhh my review list is huge	19:35
dstanek	gagehugo: lbragstad: this is just one possible solution for if/when we care about this usecase	19:36
*** MasterOfBugs has joined #openstack-keystone		19:36
samueldmq	dstanek: lbragstad: gagehugo: is there a spec on what you guys are talking about ?	19:36
dstanek	it's my off the cuff reaction so i'd need to spend some time actually thinking through all of the issues	19:37
lbragstad	samueldmq yeah - the project tags spec https://review.openstack.org/#/c/431785/	19:37
samueldmq	lbragstad: thanks	19:37
lbragstad	for now - if we want to make progress with it, i would say that we need to document the expected behavior of using tags from various user perspectives	19:37
*** kbaegis has quit IRC		19:37
*** kbaegis has joined #openstack-keystone		19:38
dstanek	lbragstad: yep. in my mind there are just a few steps. doc the usecase that was brought up in the current spec. decide if we care about it. if we do then decide if we care now (update spec) or later (new spec).	19:39
gagehugo	ok	19:40
*** kbaegis has quit IRC		19:40
*** kbaegis has joined #openstack-keystone		19:41
ayoung	gagehugo, really what you want is project "groups" where a project-group admin can decided to add or remove a project from the group	19:41
lbragstad	gagehugo dstanek cool - so i think we've made progress	19:41
ayoung	I know that tags are the cool way to talk about things, but they really are for socialized organization of content	19:42
ayoung	And I know that Kubernetes uses Labels for all this kind of stuff, but K8S labels are scoped by namespace	19:42
dstanek	ayoung: what is the difference between a group and a tag?	19:43
ayoung	dstanek, a tag is something the project admin can add or remove from a project.	19:43
*** kbaegis has quit IRC		19:43
ayoung	a group is an external entity that can add or remove the project itself from the grouping	19:43
ayoung	its all in "who can affect the change of relationship" I guess	19:43
*** nicodemus_ has joined #openstack-keystone		19:44
nicodemus_	hello	19:44
dstanek	ayoung: what i was proposing is tags in a very similar way	19:44
*** kbaegis has joined #openstack-keystone		19:44
dstanek	i've worked in cms system where tags where owned by groups and could only be added by that group	19:44
ayoung	dstanek, I'm OK if that is what we are doing. I just think the term "Tags" indicates that the project admin can add them	19:45
ayoung	and what we really mean is that the tag itslef is a scope of responsibility	19:45
nicodemus_	I have two keystone servers (v. Mitaka) loadbalanced under haproxy... one keystone works like a charm, but the second one is showing the following error: http://paste.openstack.org/show/603678/	19:45
nicodemus_	the config between them both is the same, and both use the same memcached servers	19:46
ayoung	nicodemus_, what kind of tokens?	19:46
dstanek	nicodemus_: do they have the same fernet keys?	19:46
nicodemus_	has anyone seen such behavior? someone that could point me to where to look, perhaps?	19:46
nicodemus_	yes, fernet tokens	19:47
lbragstad	nicodemus_ they need to share the same key repository	19:47
nicodemus_	and the keys are the same	19:47
ayoung	nicodemus_, I think you lie	19:47
ayoung	Heh	19:47
nicodemus_	ayoung, maybe I'm mistaken :P let me check	19:47
ayoung	seriously, though, it looks like the tokens issued by one keystone are not honored by the other	19:47
dstanek	nicodemus_: 'cksum *' both key resositories	19:48
lbragstad	nicodemus_ the contents of each key should be the same	19:48
ayoung	nicodemus_, so, confirm that, and then come back. Check permissions on the files, too, just to be sure	19:48
dstanek	nicodemus_: lots of people have had similar issues because they were rotating on each node instead of rotating on one and syncing the result	19:48
nicodemus_	hmm the checksum of both keys in both server in /etc/keystone/fernet-keys are the same...	19:49
lbragstad	nicodemus_ what about file permissions?	19:49
lbragstad	(though I would think it would fail before getting to that point in validation)	19:50
ayoung	nicodemus_, you are using a single Database for the Keystone backend? Users in SQL and so on?	19:50
nicodemus_	yeah, all files in /etc/keystone are owned by the keystone user	19:50
nicodemus_	both keystone servers point to the same MySQL database	19:50
dstanek	nicodemus_: the DB and memcache shouldn't matter for this case. this is the server not being able to decrypt the token	19:51
nicodemus_	strangely enough, only one of the two keystone servers is complaining	19:51
lbragstad	nicodemus_ and both are the same version?	19:52
ayoung	dstanek, you sure? There is a 404 at the end of the error, I wondered if maybe that was based on a failed lookup for one of the elements inside the fernet payload	19:52
*** MasterOfBugs has quit IRC		19:52
notmorgan	ayoung: afair we don't negative cache, so memcache should not be an issue	19:52
nicodemus_	yes... I had a mismatching python-keystonemiddleware, but now both are the same version of keystone	19:52
ayoung	notmorgan, if he restatrts memcached does that dump all the caches?	19:53
*** lamt has joined #openstack-keystone		19:53
dstanek	nicodemus_: ayoung: this is where that error message comes from - http://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/providers/fernet/token_formatters.py#n91	19:53
notmorgan	ayoung: yes. memcache would dump the cache (new ram allocation) if memcache is restarted	19:54
*** spzala has quit IRC		19:54
notmorgan	ayoung: but like i said, we don't negative cache.	19:54
lbragstad	yeah - this is the only place we use that - https://github.com/openstack/keystone/blob/7de0a759e22a48391ce78e0c1fd5cceb16f1a1d8/keystone/token/providers/fernet/token_formatters.py#L90-L94	19:54
ayoung	dstanek, that sure looks like a key error to me	19:54
*** prashkre has quit IRC		19:54
ayoung	nicodemus_, you can actually perform all the steps manuall;y	19:54
samueldmq	gagehugo: lbragstad: reviewed! couple of comments inline regarding project tags	19:54
ayoung	self.crypto.decrypt(token.encode('utf-8'))	19:54
nicodemus_	so, no doubt the error is from the second keystone server not being able to decrypt tokens issued by the first one	19:54
*** prashkre has joined #openstack-keystone		19:54
gagehugo	samueldmq: thanks	19:54
ayoung	nicodemus_, what release of Keystone is this?	19:55
*** kbaegis has quit IRC		19:55
samueldmq	gagehugo: it is looking well-written btw, could contain less implementation details (as you will see my comments)	19:55
samueldmq	gagehugo: but good job overall	19:56
nicodemus_	ayoung, Mitaka (v 2:9.2.0-0ubuntu1 installed from packages)	19:56
dstanek	samueldmq: you want less details?	19:56
samueldmq	dstanek: implementation details should be in an API ref patch	19:56
lbragstad	samueldmq are you talking abou thte API?	19:56
lbragstad	nicodemus_ this is the cryptography implementation https://github.com/pyca/cryptography/blob/master/src/cryptography/fernet.py#L73	19:56
ayoung	nicodemus_, ok, so you can open a python prompt and actually try to run that code yourself	19:57
nicodemus_	will give it a try	19:57
*** kbaegis has joined #openstack-keystone		19:57
ayoung	import keystone/token/providers/fernet/token_formatters etc and and see	19:57
ayoung	nicodemus_, where are you looking for the keys?	19:57
samueldmq	dstanek: lbragstad: gagehugo: going deep on the behavior in the spec is good. however no need to do depth on implementation details there	19:57
lbragstad	samueldmq which parts are the implementation details?	19:58
ayoung	nicodemus_, its more than just "all the files in /etc/keystone owned by smae user" but specifically the key repos under there having the same content	19:58
nicodemus_	ayoung, it's in [fernet_tokens] key_repository = /etc/keystone/fernet-keys/	19:58
samueldmq	lbragstad: the ones like having all the new APIs described with Request, Parameters, Response and Response Body	19:58
lbragstad	samueldmq i think that's just describing the contact - which could be implemented a bunch of different way	19:58
samueldmq	lbragstad: IMO that should go in a API-ref change, which could go in the same patchset	19:59
*** henrynash has joined #openstack-keystone		19:59
ayoung	nicodemus_, so for example, on my dev server I have http://paste.openstack.org/show/603680/	19:59
ayoung	you need the content of /0 and /1 to be the same on both servers	19:59
ayoung	as those are the keys used to encrypt and decrypt tokens	20:00
nicodemus_	ayoung, I have the same two keys (0 and 1), and just checked that both are the same on both servers	20:00
ayoung	I think only 0 is ever used to encrypt, although I defer to lbragstad	20:00
*** kbaegis has quit IRC		20:00
lbragstad	ayoung nope - it's only allowed to decrypt	20:00
ayoung	lbragstad, and 1 is used to encrypt?	20:00
lbragstad	the only key that is ever allowed to encrypt is the primary key, which is the key with the highest index	20:01
ayoung	ah	20:01
lbragstad	ayoung ++ yep	20:01
dstanek	lbragstad: samueldmq: i have the same opinion on the level of detail in the spec. i think it's good to have the contract in there	20:01
breton	dstanek: very hard to implement	20:01
nicodemus_	that's what I don't understand, I must be missing something	20:01
ayoung	thought it was lowest, but wouldn't trust myself anyway	20:01
breton	dstanek: (re: trusts with federation)	20:01
dstanek	breton: why? (no being a smartass, i don't know :)	20:01
ayoung	nicodemus_, maybe a bad crypto library upgrade?	20:02
*** dave-mccowan has quit IRC		20:02
lbragstad	dstanek i don't think the API contains implementation details, i think it just describes what we should be doing when we receive certain requests (if it contained code snippets of how to do thing, then I'd consider those to be implementation details)	20:02
ayoung	nicodemus_, I'd try it by hand, and see if you can decrypt a token on the failing server	20:02
nicodemus_	ayoung, possibly since there were two pip packages in different versions	20:02
ayoung	nicodemus_, get those in sync, maybe	20:02
samueldmq	dstanek: isn't that implementation detail?	20:02
nicodemus_	two keystone-* pip packages, that is	20:02
dstanek	lbragstad: i know. i was agreeing with you :-P	20:03
lbragstad	samueldmq i would consider an implementation detail to be some specific to how keystone would have to do something	20:03
lbragstad	dstanek sorry - i'm getting my tabs/names mixed up	20:03
samueldmq	lbragstad: like "Utilize the resource_options table for projects.."	20:03
lbragstad	dstanek don't agree with me! ;)	20:03
breton	dstanek: there are not only groups, but also concrete role assignments, and we expect that if we remove concrete assignment, the trust is invalid	20:04
dstanek	lbragstad: so this is implementation detail in a way....and we do have an API doc for the contract....but i like enough of it here for discussion and history	20:04
samueldmq	dstanek: yes that's why I suggested it could be added in the same patch, but as the API-ref docs	20:04
*** kbaegis has joined #openstack-keystone		20:05
dstanek	samueldmq: so when i go to the website for specs and read out the spec. where do i go to see a simplified version of the API that was talked about?	20:05
dstanek	i think this is largely a preference issue and i wouldn't push back on specs written in either way. i would probably write mine more like this	20:06
samueldmq	dstanek: well, normally you go to the user (api-ref)/deployer docs to learn about the functionality, right?	20:07
samueldmq	not really the specs	20:07
dstanek	although i probably wouldn't put in response code details, etd.	20:07
samueldmq	dstanek: I agree with you, I don't want to bike-shed on that	20:07
dstanek	samueldmq: no. that is the current API. no necessarily related to the spec i am researching	20:07
samueldmq	I thought the spec was supposed to be a developer level agreement on the solution	20:08
samueldmq	not final docs final users were supposed to read	20:08
samueldmq	dstanek: lbragstad: gagehugo: but regarding that spec, again, I am fine with that, it is very well written and easy to read.	20:08
dstanek	breton: wouldn't that be true? you don't validate that the groups are still attached to the user, but you would need to validate that the roles are on the groups that the token claims to have	20:09
nicodemus_	ayoung, apparently it was a versin mismatch in the cryptography package (1.7.2 the working one vs 1.2.3 the broken one)	20:09
ayoung	nicodemus_, good to know	20:09
nicodemus_	lbragstad, dstanek, ayoung thank you all for you help! much appreciated	20:10
ayoung	YW	20:10
dstanek	breton: i may be over simplifiying this, but i was just thinking that upon validation the validation of the groups would be guarded with 'if token is from federated_trust:'	20:10
dstanek	nicodemus_: whoa, that's actually scary	20:10
nicodemus_	someone must have installed something on this server that downgraded cryptography version	20:11
*** MasterOfBugs has joined #openstack-keystone		20:11
dstanek	that's bad for our upgrade story.....	20:12
dstanek	lbragstad: dolphm: ^	20:13
*** henrynash has quit IRC		20:13
breton	dstanek: i would have to fetch concrete role assignments, check them, then do not check group assignments... well, we just don't do that anywhere. We just get "role assignments", wherever they come from, and they get assembled in assinments code	20:15
breton	dstanek: your solution would work too though	20:15
*** browne has joined #openstack-keystone		20:16
breton	i just think that mine will be easier to implement. Maybe i'm wrong.	20:16
* breton should code a POC for the next meeting		20:16
*** rmascena has quit IRC		20:17
dstanek	breton: i'm just wondering about the ephemeral-ness of the user. this could give use the best of both worlds (although trusts would still not be ideal, everything else would)	20:17
*** chlong has quit IRC		20:21
*** lamt has quit IRC		20:23
lbragstad	dstanek interesting	20:24
*** Aqsa has joined #openstack-keystone		20:25
*** clenimar has joined #openstack-keystone		20:26
lbragstad	samueldmq dstanek gagehugo reading the scroll back - just got out of a meeting, one benefit that i see of having the API in the spec is that it makes it really easy to port the API to docs after the implementation lands	20:26
samueldmq	lbragstad: that makes sense if we want to merge the docs after the impl	20:27
*** lamt has joined #openstack-keystone		20:28
*** lamt has quit IRC		20:29
gagehugo	lbragstad: ++, the api-ref is pretty much 90% written then	20:31
*** dave-mccowan has joined #openstack-keystone		20:32
*** aojea has joined #openstack-keystone		20:41
*** chlong has joined #openstack-keystone		20:48
*** phalmos has quit IRC		21:00
*** lamt has joined #openstack-keystone		21:11
*** kbaegis has quit IRC		21:17
*** kbaegis has joined #openstack-keystone		21:17
notmorgan	lbragstad: i know it is a beast but: https://review.openstack.org/#/c/438701/ improves password hash security	21:19
notmorgan	lbragstad: and we store password hashes, so we should aim for the most secure option(s)_	21:20
*** david-lyle has joined #openstack-keystone		21:23
*** spilla has quit IRC		21:24
*** alex_xu has quit IRC		21:37
*** alex_xu has joined #openstack-keystone		21:38
*** chris_hultin\|AWA is now known as chris_hultin		21:41
*** chris_hultin is now known as chris_hultin\|AWA		21:48
*** nicodemus_ has quit IRC		21:49
*** pnavarro has quit IRC		21:54
*** lamt has quit IRC		21:54
*** lamt has joined #openstack-keystone		21:56
*** catintheroof has quit IRC		21:57
*** catintheroof has joined #openstack-keystone		21:58
*** catintheroof has quit IRC		21:58
*** henrynash has joined #openstack-keystone		22:04
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Speed up check_user_in_group for LDAP users https://review.openstack.org/447459	22:17
*** henrynash has quit IRC		22:18
*** browne has quit IRC		22:19
*** chlong has quit IRC		22:27
*** lamt has quit IRC		22:29
*** adrian_otto has quit IRC		22:44
*** adriant has joined #openstack-keystone		22:52
*** aojea has quit IRC		22:53
*** david-lyle has quit IRC		22:57
*** _d34dh0r53_ has joined #openstack-keystone		23:00
*** _d34dh0r53_ has quit IRC		23:00
*** _d34dh0r53_ has joined #openstack-keystone		23:04
*** eglute_s has joined #openstack-keystone		23:04
*** harlowja has quit IRC		23:06
*** eglute_s has quit IRC		23:07
*** _d34dh0r53_ has quit IRC		23:07
*** eglute_s has joined #openstack-keystone		23:34
*** _d34dh0r53_ has joined #openstack-keystone		23:34
*** jamielennox is now known as jamielennox\|away		23:35
*** jamielennox\|away is now known as jamielennox		23:39
*** _d34dh0r53_ has quit IRC		23:46
*** eglute_s has quit IRC		23:46
*** _d34dh0r53_ has joined #openstack-keystone		23:47
*** eglute_s has joined #openstack-keystone		23:47
*** eglute has quit IRC		23:50
*** d34dh0r53 has quit IRC		23:50

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!