Thursday, 2017-09-07

*** gyee has quit IRC [00:04]
*** chrisshattuck has quit IRC [00:11]
*** thorst has quit IRC [00:18]
*** thorst has joined #openstack-keystone [00:18]
*** itlinux has joined #openstack-keystone [00:18]
*** catintheroof has joined #openstack-keystone [00:18]
*** thorst has quit IRC [00:23]
<openstackgerrit> chenaidong1 proposed openstack/keystone master: Remove duplicate code https://review.openstack.org/499872 [00:24]
*** catintheroof has quit IRC [00:31]
*** thorst has joined #openstack-keystone [00:32]
*** jamesbenson has joined #openstack-keystone [00:35]
*** thorst has quit IRC [00:39]
*** jamesbenson has quit IRC [00:40]
*** thorst has joined #openstack-keystone [00:40]
<openstackgerrit> chenaidong1 proposed openstack/keystone master: Policy exception https://review.openstack.org/501181 [00:44]
*** thorst has quit IRC [00:44]
<openstackgerrit> chenaidong1 proposed openstack/keystone master: Policy exception https://review.openstack.org/501181 [00:47]
*** harlowja has quit IRC [00:48]
*** aahh has quit IRC [00:54]
*** agrebennikov has quit IRC [01:05]
*** thorst has joined #openstack-keystone [01:08]
*** thorst has quit IRC [01:09]
*** zhurong has joined #openstack-keystone [01:14]
*** chrisshattuck has joined #openstack-keystone [01:38]
*** ricolin has joined #openstack-keystone [01:42]
*** otleimat has quit IRC [01:42]
*** chrisshattuck has quit IRC [01:49]
*** aselius has quit IRC [01:59]
*** markvoelker has quit IRC [02:11]
*** thorst has joined #openstack-keystone [02:15]
*** thorst has quit IRC [02:15]
*** chrisshattuck has joined #openstack-keystone [02:18]
*** itlinux has quit IRC [02:37]
*** zxy has quit IRC [02:39]
*** itlinux has joined #openstack-keystone [02:40]
*** itlinux has quit IRC [02:41]
*** zxy has joined #openstack-keystone [02:42]
*** chrisshattuck has quit IRC [02:44]
*** chrisshattuck has joined #openstack-keystone [02:47]
*** chrisshattuck has quit IRC [02:57]
*** iurygregory has quit IRC [03:10]
*** iurygregory has joined #openstack-keystone [03:10]
*** markvoelker has joined #openstack-keystone [03:11]
*** itlinux has joined #openstack-keystone [03:19]
*** chrisshattuck has joined #openstack-keystone [03:29]
*** markvoelker has quit IRC [03:46]
*** harlowja has joined #openstack-keystone [04:06]
*** jamesbenson has joined #openstack-keystone [04:12]
*** thorst has joined #openstack-keystone [04:16]
*** jamesbenson has quit IRC [04:16]
*** stevemar has quit IRC [04:19]
*** charz has quit IRC [04:19]
*** charz_ has joined #openstack-keystone [04:20]
*** gagehugo has quit IRC [04:20]
*** spotz has quit IRC [04:20]
*** jistr|off has quit IRC [04:20]
*** gagehugo has joined #openstack-keystone [04:20]
*** thorst has quit IRC [04:21]
*** kevinbenton has quit IRC [04:21]
*** spotz has joined #openstack-keystone [04:22]
*** kevinbenton has joined #openstack-keystone [04:23]
*** jistr has joined #openstack-keystone [04:24]
*** stevemar has joined #openstack-keystone [04:26]
*** iurygregory has quit IRC [04:30]
*** iurygregory has joined #openstack-keystone [04:36]
*** zhurong has quit IRC [04:38]
*** dims has quit IRC [04:40]
*** markvoelker has joined #openstack-keystone [04:43]
*** boris_42 has joined #openstack-keystone [04:52]
*** zhurong has joined #openstack-keystone [05:08]
*** harlowja has quit IRC [05:11]
*** pcaruana has joined #openstack-keystone [05:15]
*** markvoelker has quit IRC [05:16]
*** thorst has joined #openstack-keystone [05:17]
*** chrisshattuck has quit IRC [05:21]
*** thorst has quit IRC [05:22]
*** chrisshattuck has joined #openstack-keystone [05:31]
*** chrisshattuck has quit IRC [05:33]
*** jaosorior has joined #openstack-keystone [05:39]
*** chrisshattuck has joined #openstack-keystone [05:42]
*** rybridges1 has quit IRC [05:47]
*** markvoelker has joined #openstack-keystone [06:13]
*** thorst has joined #openstack-keystone [06:18]
*** thorst has quit IRC [06:23]
*** jmlowe has quit IRC [06:29]
*** jaosorior has quit IRC [06:33]
*** cfriesen has quit IRC [06:42]
*** markvoelker has quit IRC [06:47]
*** rcernin has joined #openstack-keystone [06:53]
<openstackgerrit> Shan Guo proposed openstack/keystone master: Update links in keystone https://review.openstack.org/501589 [07:03]
*** aojea has joined #openstack-keystone [07:13]
*** aojea has quit IRC [07:13]
*** aojea has joined #openstack-keystone [07:13]
*** tesseract has joined #openstack-keystone [07:13]
*** chrisshattuck has joined #openstack-keystone [07:36]
*** markvoelker has joined #openstack-keystone [07:44]
*** jamesbenson has joined #openstack-keystone [07:48]
*** jamesbenson has quit IRC [07:52]
*** ioggstream has joined #openstack-keystone [07:54]
*** tbh_ has joined #openstack-keystone [07:59]
*** markvoelker has quit IRC [08:17]
*** jaosorior has joined #openstack-keystone [08:17]
*** thorst has joined #openstack-keystone [08:20]
*** thorst has quit IRC [08:24]
*** jaosorior has quit IRC [08:50]
*** oomichi has quit IRC [08:53]
*** oomichi has joined #openstack-keystone [08:54]
*** markvoelker has joined #openstack-keystone [09:14]
*** mvk has joined #openstack-keystone [09:16]
*** jaosorior has joined #openstack-keystone [09:47]
*** markvoelker has quit IRC [09:48]
*** edmondsw has joined #openstack-keystone [09:54]
*** jamesbenson has joined #openstack-keystone [09:56]
*** edmondsw has quit IRC [09:58]
*** jamesbenson has quit IRC [10:01]
*** Summer has joined #openstack-keystone [10:02]
*** jmlowe has joined #openstack-keystone [10:08]
*** jmlowe_ has joined #openstack-keystone [10:11]
*** jmlowe has quit IRC [10:14]
*** thorst has joined #openstack-keystone [10:21]
*** zhurong has quit IRC [10:23]
*** thorst has quit IRC [10:26]
*** chrisshattuck has joined #openstack-keystone [10:33]
*** chrisshattuck has quit IRC [10:33]
*** markvoelker has joined #openstack-keystone [10:45]
*** Summer has quit IRC [10:51]
*** szaher has quit IRC [11:07]
*** ioggstream has quit IRC [11:17]
*** markvoelker has quit IRC [11:17]
*** tbh_ has quit IRC [11:19]
*** zhurong has joined #openstack-keystone [11:20]
*** thorst has joined #openstack-keystone [11:22]
*** thorst has quit IRC [11:30]
*** raildo has joined #openstack-keystone [11:55]
*** szaher has joined #openstack-keystone [11:59]
*** thorst has joined #openstack-keystone [12:01]
*** thorst_ has joined #openstack-keystone [12:03]
*** thorst__ has joined #openstack-keystone [12:05]
*** thorst has quit IRC [12:05]
*** thorst_ has quit IRC [12:07]
*** dims has joined #openstack-keystone [12:07]
*** catintheroof has joined #openstack-keystone [12:11]
*** markvoelker has joined #openstack-keystone [12:15]
*** jaosorior has quit IRC [12:15]
*** dave-mccowan has joined #openstack-keystone [12:20]
*** markvoelker has quit IRC [12:24]
*** markvoelker has joined #openstack-keystone [12:24]
*** zhurong has quit IRC [12:25]
*** edmondsw has joined #openstack-keystone [12:32]
*** catintheroof has quit IRC [12:33]
*** catintheroof has joined #openstack-keystone [12:38]
*** dave-mcc_ has joined #openstack-keystone [12:39]
*** dave-mccowan has quit IRC [12:42]
*** edmondsw has quit IRC [12:43]
*** edmondsw has joined #openstack-keystone [12:43]
*** jaosorior has joined #openstack-keystone [12:44]
*** edmondsw has quit IRC [12:48]
*** edmondsw has joined #openstack-keystone [12:54]
*** raildo has quit IRC [13:02]
*** raildo has joined #openstack-keystone [13:03]
*** zhouyaguo has joined #openstack-keystone [13:08]
<zhouyaguo> Hi, Can anybody kindly help to merge this? https://review.openstack.org/#/c/500891/ , another oslo.db commit is blocked by this one. Thanks very much. [13:10]
*** edmondsw_ has joined #openstack-keystone [13:14]
*** edmondsw has quit IRC [13:15]
<cmurphy> zhouyaguo: done [13:18]
*** itlinux has quit IRC [13:19]
*** raildo has quit IRC [13:20]
*** catintheroof has quit IRC [13:27]
*** catintheroof has joined #openstack-keystone [13:27]
*** edmondsw_ is now known as edmondsw [13:29]
<zhouyaguo> cmurphy: hey, Thank you very much for ur help. [13:29]
*** raildo has joined #openstack-keystone [13:31]
*** jamesbenson has joined #openstack-keystone [13:32]
*** raildo has quit IRC [13:35]
*** raildo has joined #openstack-keystone [13:36]
*** catintheroof has quit IRC [13:37]
*** catintheroof has joined #openstack-keystone [13:37]
*** catintheroof has quit IRC [13:39]
*** catintheroof has joined #openstack-keystone [13:40]
*** f13o has joined #openstack-keystone [13:42]
*** f13o has quit IRC [13:42]
*** thegreenhundred has joined #openstack-keystone [13:50]
<knikolla> o/ [13:57]
*** dave-mcc_ is now known as dave-mccowan [13:57]
*** cfriesen has joined #openstack-keystone [14:01]
*** agrebennikov has joined #openstack-keystone [14:10]
*** ayoung_ has joined #openstack-keystone [14:18]
*** ayoung_ has quit IRC [14:19]
*** aojea has quit IRC [14:27]
*** edmondsw has quit IRC [14:30]
*** lucasxu has joined #openstack-keystone [14:36]
*** edmondsw has joined #openstack-keystone [14:37]
*** lucasxu has quit IRC [14:41]
<openstackgerrit> Merged openstack/keystone master: Replace DbMigrationError with DBMigrationError https://review.openstack.org/500891 [14:42]
<gagehugo> o/ [14:51]
<lbragstad> o/ [14:52]
*** chrisshattuck has joined #openstack-keystone [14:52]
*** zhouyaguo has quit IRC [14:58]
*** chrisshattuck has joined #openstack-keystone [15:02]
<knikolla> lbragstad: quick sync up on global role assignments? [15:07]
<lbragstad> knikolla: sure - just wrapping something up quick [15:07]
<knikolla> sure [15:07]
<lbragstad> knikolla: ok - what's up [15:08]
<knikolla> lbragstad: reporting in to help. so far did a first pass on all the reviews. [15:09]
<lbragstad> knikolla: nice - i need to look at those again, i know there is feedback [15:10]
<lbragstad> and i need to address it [15:10]
<lbragstad> knikolla: i think we're still on the oslo bits [15:11]
<lbragstad> knikolla: https://etherpad.openstack.org/p/keystone-global-roles-poc [15:11]
<lbragstad> since all of #1 and #2 are done except #2.1 [15:11]
<knikolla> lbragstad: yep, was just checking that. [15:11]
<knikolla> lbragstad: what would be a realistic goal for the few remaining days? [15:13]
<lbragstad> knikolla: that's a good questin [15:13]
<lbragstad> question* [15:13]
<lbragstad> i don't know if we'll get the whole PoC done [15:13]
<lbragstad> but, something that might be useful would be a couple patches to oslo that show how to consume global roles? [15:13]
<lbragstad> and relaying the information into the project? [15:14]
<lbragstad> or proposing a patch to nova that reworks the policy bits to recognize that? [15:14]
<knikolla> i can take up the nova bits [15:14]
<lbragstad> i think that'd be powerful since it shows the developers of other projects how they use this new thing [15:14]
<knikolla> agree [15:14]
<lbragstad> and if we connect the dots properly, it should be helpful [15:15]
<lbragstad> so - in order for that to happen [15:15]
<lbragstad> we need [15:15]
<lbragstad> 1.) oslo to understand globally scoped token [15:15]
<lbragstad> tokens* [15:15]
<lbragstad> 2.) scope to be integrated into the DocumentedRuleDefault object [15:15]
*** otleimat has joined #openstack-keystone [15:15]
<lbragstad> 3.) patch to nova showcasing how it all works [15:16]
<lbragstad> am i missing anything? [15:16]
<knikolla> lbragstad: that should be pretty much it. [15:16]
<knikolla> avoiding any client side tooling. [15:16]
<lbragstad> yeah [15:17]
<lbragstad> like horizon you mean? [15:17]
<knikolla> keystoneauth, osc, etc. yeah [15:17]
<lbragstad> right [15:17]
<lbragstad> i think that's out of scope at this point [15:18]
<knikolla> yep. [15:18]
<lbragstad> i can work on getting patch up to oslo.policy that includes scope [15:19]
<lbragstad> in the DocumentedRuleDefault object [15:19]
<knikolla> i'll pick up the nova changes then [15:19]
<knikolla> lbragstad: the interface will be as described in the oslo.policy spec right? [15:20]
<knikolla> if so, i have all i need to start and we can meet up in the middle. [15:20]
<lbragstad> knikolla: which interface? [15:21]
<lbragstad> adding scope? [15:21]
<lbragstad> we should include that here - https://review.openstack.org/#/c/500207/ [15:21]
<lbragstad> https://review.openstack.org/#/c/500207/ [15:21]
<knikolla> lbragstad: yeah [15:22]
<knikolla> i mean the way to use the DocumentedRuleDefault will be as described in the spec [15:23]
<lbragstad> oh - yeah [15:23]
<lbragstad> right now the only thing in the spec is how to include scope in the rule definition [15:23]
<lbragstad> but exposing its attributes in an example would be useful [15:23]
<knikolla> lbragstad: the oslo.policy enforce method also has to be modified right? [15:25]
<lbragstad> knikolla: i *think* so, but i haven't dug into that in detail yet [15:26]
<lbragstad> i assume it needs to be able to handle global scope from the context and global scope from the policy rule [15:26]
*** nicolasbock has joined #openstack-keystone [15:26]
<knikolla> lbragstad: because my gut feeling is that it would be enough to define the rule with global scope and modify the enforce method and it **should** work globally for all projects [15:27]
*** itlinux has joined #openstack-keystone [15:27]
<knikolla> at least those that have policy in code. [15:27]
<lbragstad> yeah - the only remaining question is what oslo.context does with scope [15:30]
<lbragstad> because most projects use the context supplied through oslo.context and don't consume the token directly [15:31]
<knikolla> so we need to extend oslo.context with is_global [15:32]
<lbragstad> knikolla: yeah - or something along those lines [15:32]
<knikolla> and tie that in to how the context is created [15:32]
<knikolla> and how the context is consumed by the policy enforcer [15:32]
<lbragstad> right - because contexts are created by some information in the token [15:32]
<lbragstad> knikolla: https://docs.openstack.org/oslo.context/latest/user/usage.html#context-variables for example [15:33]
<knikolla> lbragstad: yep [15:34]
<knikolla> lbragstad: i'll look into that. your changes make issuing a global token possible right? [15:35]
<lbragstad> yep [15:35]
<lbragstad> knikolla: you can get a globally scoped token with https://review.openstack.org/#/c/498577/ [15:36]
<knikolla> lbragstad: will deploy a devstack with it today and extend the context in nova to work with global tokens. [15:36]
<lbragstad> which is the last patch in the series for the PoC as far as keystone patches go [15:36]
<lbragstad> knikolla: awesome - i'll start tinkering with oslo.policy and adding scope today [15:37]
<knikolla> lbragstad: great! [15:37]
*** aselius has joined #openstack-keystone [15:48]
*** zhouyaguo has joined #openstack-keystone [15:52]
*** panbalag has joined #openstack-keystone [15:52]
*** itlinux has quit IRC [15:55]
*** itlinux has joined #openstack-keystone [15:58]
<panbalag> Hello. I'm trying to exercise password_regex option in keystone.conf, but it doesn't seem to be working. I opened a bug https://bugs.launchpad.net/keystone/+bug/1715684 Can anyone take a look at it and let me know if I'm not defining the regex correctly or is it a valid bug? [16:00]
<openstack> Launchpad bug 1715684 in OpenStack Identity (keystone) "password_regex option in keystone.conf not working" [Undecided,New] [16:00]
*** itlinux has quit IRC [16:06]
<kmalloc> stevemar: is Topol going to be at the PTG? [16:07]
*** raildo has quit IRC [16:08]
<kmalloc> I don't see him in IRC or I'd ask him directly [16:08]
<lbragstad> panbalag: are you sure that option is being set in the [security_compliance] section of the configuration file? [16:08]
<lbragstad> https://github.com/openstack/keystone/blob/master/keystone/conf/security_compliance.py#L94 [16:08]
<panbalag> lbragstad: Yeah. it is set. [16:10]
*** raildo has joined #openstack-keystone [16:12]
<lbragstad> panbalag: do you have any logging in keystone when you make that request? [16:12]
<lbragstad> panbalag: we have tests locally that exercise this - https://github.com/openstack/keystone/blob/40653eac50de22d3838349ce80be8ac7b3e2fbcc/keystone/tests/unit/test_v3_identity.py#L1046 [16:12]
*** raildo has quit IRC [16:13]
*** lucnbbktp has joined #openstack-keystone [16:15]
<panbalag> lbragstad: no logs in keystone.log - maybe i can turn on debug mode and try [16:15]
<lbragstad> panbalag: yeah - that might be helpful [16:15]
<lbragstad> panbalag: are you using the identity sql backend? [16:16]
<lbragstad> or ldap? [16:16]
<lbragstad> i assume sql? [16:16]
<panbalag> lbragstad: sql [16:16]
<lbragstad> ok [16:16]
<lbragstad> just double checking [16:16]
<panbalag> lbragstad: this is the only option to turn on debug mode right? "insecure_debug = true" [16:17]
<lbragstad> panbalag: that and https://github.com/openstack/keystone/blob/master/etc/keystone.conf.sample#L141 [16:18]
<gagehugo> panbalag lbragstad I can't recreate that bug [16:18]
<gagehugo> The password does not match the requirements: 1 letter, 1 digit, 7 chars. (HTTP 400) (Request-ID: req-6bc397d5-5cdb-460c-8c30-8bd6edac13ec) [16:18]
<panbalag> lbragstad: strange - i'm not seeing any logs in keystone.log even after turning on debug mode. [16:20]
<panbalag> lbragstad: does httpd logs show anything related to keystone? [16:21]
<lbragstad> gagehugo: are you working off master? [16:22]
<gagehugo> yup [16:22]
<lbragstad> panbalag: what version of openstack are you using? [16:22]
<panbalag> lbragstad: Pike [16:23]
<lbragstad> panbalag: how are you running keystone? in apache? [16:26]
<lbragstad> httpd i mean? [16:26]
<gagehugo> I'm running it behind apache [16:26]
<panbalag> lbragstad: yes [16:27]
<lbragstad> panbalag: ok - trying to recreate with pike quick [16:27]
*** jaosorior has quit IRC [16:30]
<lbragstad> yeah - i can't recreate this either [16:31]
*** lucnbbktp has quit IRC [16:31]
<lbragstad> i get 400 on Pike when i try to create a user with password as 'password' using the regex in the description [16:32]
*** raildo has joined #openstack-keystone [16:33]
<lbragstad> panbalag: are you sure you're not interacting with a keystone node that doesn't have the new configuration changes? [16:34]
<lbragstad> or hasn't been bounced? [16:34]
<panbalag> lbragstad: double checking [16:35]
*** itlinux has joined #openstack-keystone [16:36]
<gagehugo> lbragstad no rush but can you look at https://bugs.launchpad.net/keystone/+bug/1714179 as well, I think what I posted was the consensus about extras b/c we looked into doing that same thing as the bug mentions [16:38]
<openstack> Launchpad bug 1714179 in OpenStack Identity (keystone) "keystone project can not update or search extra filed" [Undecided,Invalid] - Assigned to 曾永明 (zengyongming) [16:38]
<gagehugo> before we did tags [16:38]
*** thorst__ has quit IRC [16:39]
*** thorst has joined #openstack-keystone [16:43]
*** rcernin has quit IRC [16:45]
*** thorst has quit IRC [16:48]
*** thorst_ has joined #openstack-keystone [16:48]
<lbragstad> gagehugo: yeah - that makes sense [16:48]
*** itlinux has quit IRC [16:48]
<lbragstad> gagehugo: we've had the stance of moving away from extras and discouraging its use for a long time [16:48]
<gagehugo> lbragstad yeah [16:49]
*** edmondsw has quit IRC [16:49]
<lbragstad> stepping away for lunch quick [16:50]
*** junbo has quit IRC [16:50]
*** itlinux has joined #openstack-keystone [16:51]
*** edmondsw has joined #openstack-keystone [16:51]
*** edmondsw_ has joined #openstack-keystone [16:55]
*** junbo has joined #openstack-keystone [16:55]
*** edmondsw has quit IRC [16:56]
*** edmondsw_ has quit IRC [16:57]
*** edmondsw has joined #openstack-keystone [16:57]
*** edmondsw has quit IRC [17:00]
*** zhouyaguo has quit IRC [17:02]
*** itlinux has quit IRC [17:02]
*** charz_ has quit IRC [17:04]
*** charz has joined #openstack-keystone [17:07]
<panbalag> lbragstad: found that it works on the undercloud ("The password does not match the requirements: None. (HTTP 400)") and not on the overcloud. do you have a tripleo deployment that you can check on? [17:08]
*** edmondsw has joined #openstack-keystone [17:10]
*** edmondsw has quit IRC [17:14]
*** itlinux has joined #openstack-keystone [17:15]
*** ricolin has quit IRC [17:16]
*** panbalag has quit IRC [17:18]
*** harlowja has joined #openstack-keystone [17:19]
*** edmondsw has joined #openstack-keystone [17:21]
*** aahh has joined #openstack-keystone [17:21]
*** itlinux has quit IRC [17:21]
*** tesseract has quit IRC [17:23]
*** chlong has joined #openstack-keystone [17:24]
*** edmondsw has quit IRC [17:25]
*** edmondsw has joined #openstack-keystone [17:33]
*** raildo has quit IRC [17:33]
*** panbalag has joined #openstack-keystone [17:35]
*** edmondsw has quit IRC [17:37]
*** edmondsw has joined #openstack-keystone [17:37]
*** edmondsw has quit IRC [17:49]
*** jmlowe has joined #openstack-keystone [17:55]
*** jmlowe_ has quit IRC [17:57]
*** edmondsw has joined #openstack-keystone [17:59]
*** jmlowe has quit IRC [18:06]
*** jmlowe has joined #openstack-keystone [18:06]
*** panbalag has quit IRC [18:14]
*** edmondsw has quit IRC [18:18]
*** edmondsw has joined #openstack-keystone [18:24]
*** dims has quit IRC [18:34]
<stevemar> kmalloc: i believe he is not going [18:35]
*** dims has joined #openstack-keystone [18:36]
<kmalloc> darn [18:36]
<kmalloc> you? [18:36]
*** dims has quit IRC [18:41]
*** edmondsw has quit IRC [18:44]
*** dims has joined #openstack-keystone [18:45]
<stevemar> kmalloc: same, unfortunately [18:46]
<stevemar> kmalloc: henrynash will be there [18:46]
<kmalloc> stevemar: bah, two of the people I wanted to bug aren't going to be there. [18:47]
<kmalloc> henry is nice to see, but he wasn't on the short list of folks I wanted to bug. [18:47]
*** edmondsw has joined #openstack-keystone [18:48]
*** edmondsw has quit IRC [18:48]
<stevemar> kmalloc: i feel honored to have made the list :) [18:50]
*** boris_42 has quit IRC [18:50]
*** chlong has quit IRC [18:51]
*** chlong_ has joined #openstack-keystone [18:51]
<kmalloc> stevemar: hehe [18:52]
*** aojea has joined #openstack-keystone [18:54]
*** edmondsw has joined #openstack-keystone [18:54]
*** edmondsw has quit IRC [18:57]
*** edmondsw has joined #openstack-keystone [18:57]
*** edmondsw has quit IRC [18:58]
*** aojea has quit IRC [18:58]
*** edmondsw_ has joined #openstack-keystone [19:05]
<openstackgerrit> Gage Hugo proposed openstack/keystone master: Adds Bandit #nosec flag to instances of SHA1 https://review.openstack.org/500115 [19:06]
*** chlong_ has quit IRC [19:07]
*** chlong_ has joined #openstack-keystone [19:08]
<kmalloc> gagehugo: commented on bug 1714179 and commented. you're spot on [19:09]
<openstack> bug 1714179 in OpenStack Identity (keystone) "keystone project can not update or search extra field" [Undecided,Invalid] https://launchpad.net/bugs/1714179 - Assigned to 曾永明 (zengyongming) [19:09]
*** edmondsw_ has quit IRC [19:09]
<gagehugo> kmalloc ok cool [19:11]
*** chlong__ has joined #openstack-keystone [19:12]
<knikolla> lbragstad: i'm having issues with assigning a global role [19:13]
<knikolla> err... globally assigning a role [19:13]
<lbragstad> knikolla: what's up? [19:13]
*** chlong_ has quit IRC [19:14]
<knikolla> lbragstad: http://paste.openstack.org/show/620666/ [19:15]
<knikolla> doing this http://paste.openstack.org/show/620667/ [19:16]
<lbragstad> huh - it looks like it's not picking up the UserGlobal bit [19:18]
<lbragstad> knikolla: or actually, it looks like sql doesn't like the fact you're passing UserGlobal [19:20]
<lbragstad> to sql [19:20]
<knikolla> lbragstad: yup. type is enum and it doesn't include UserGlobal [19:21]
<knikolla> enum('UserProject','GroupProject','UserDomain','GroupDomain') [19:22]
<lbragstad> wasn't that included in a previous patch? [19:22]
<knikolla> lbragstad: needs a db migration [19:22]
<lbragstad> knikolla: doesn't it just need to be done in the sql model? [19:23]
<lbragstad> https://review.openstack.org/#/c/494338/7/keystone/assignment/backends/sql.py [19:23]
<knikolla> lbragstad: i'm guessing it's not enough. http://paste.openstack.org/show/620668/ [19:24]
<lbragstad> knikolla: that's weird, because it passes unit tests [19:25]
<lbragstad> i wonder if that's something to do with sqlite or whatnot [19:25]
<knikolla> lbragstad: there is no enum in sqlite AFAIK [19:26]
*** chlong__ has quit IRC [19:26]
*** chlong_ has joined #openstack-keystone [19:27]
<kmalloc> euw, using enum? [19:29]
<lbragstad> well - the RoleAssignment backend uses Enum [19:29]
<kmalloc> oh man [19:30]
<lbragstad> see line 336 https://review.openstack.org/#/c/494338/7/keystone/assignment/backends/sql.py [19:30]
*** pcaruana has quit IRC [19:31]
<kmalloc> uhm. [19:31]
<kmalloc> i think that is very very highly mysql specific [19:31]
<knikolla> lbragstad: i see that, but that's the model definition, needs a matching migration [19:31]
<kmalloc> in optimised implementation [19:31]
<kmalloc> as in... that might be a bad idea [19:31]
<kmalloc> eh [19:32]
*** chlong_ has quit IRC [19:32]
<kmalloc> it's in most backends... [19:32]
<kmalloc> but i really *really* would not use it [19:32]
<kmalloc> i would make the code smart. [19:32]
*** chlong_ has joined #openstack-keystone [19:33]
<lbragstad> damn - https://github.com/openstack/keystone/blob/af4e98c770d771144463e6dd49cb4b559d48c403/keystone/common/sql/migrate_repo/versions/067_kilo.py#L188 [19:33]
<kmalloc> that way new types are *not* needing enum changes [19:33]
<kmalloc> and migrations [19:33]
<kmalloc> so can we not use enum? [19:33]
<kmalloc> oh bah [19:33]
<kmalloc> we should really make that go away [19:33]
<kmalloc> lbragstad: suggest migrate away from ENUM and make it in-code [19:33]
<knikolla> ++ [19:34]
<kmalloc> since we already have it... but we can use this as an opportunity to nuke it in the schema [19:34]
<knikolla> kmalloc: is there anything at all that enum brings to the table in terms of optimization? [19:34]
<kmalloc> looking into it, but i think it's just leaning on the engine to enforce [19:34]
<kmalloc> yeah it's very much just enforcement [19:36]
<kmalloc> i don't think it really adds any optimisations in the backend [19:36]
<kmalloc> afaict [19:36]
<knikolla> i support nuking them then [19:36]
<kmalloc> ah [19:37]
<kmalloc> here is the benefit [19:37]
*** edmondsw has joined #openstack-keystone [19:37]
<lbragstad> so - it sounds like we need a patch before https://review.openstack.org/#/c/494338/ that moved Enum into code? [19:37]
<kmalloc> ENUM('value1','value2',...) 1 or 2 bytes, depending on the number of enumeration values (65,535 values maximum) [19:37]
*** thorst_ has quit IRC [19:37]
<kmalloc> it uses 1 or 2 bytes of storage instead of the whole string in the table [19:37]
<kmalloc> so indexes *and* values are much smaller, you store the data once [19:38]
<kmalloc> that said... *eh*, not sure we should worry about that kind of optimization [19:38]
<knikolla> we could tinyint if size is a concern [19:38]
<kmalloc> we aren't really .. well [19:38]
<knikolla> still... they're actually quite readable as they clearly enumerate the values [19:39]
*** chlong__ has joined #openstack-keystone [19:41]
*** chlong_ has quit IRC [19:43]
*** thorst has joined #openstack-keystone [19:43]
<lbragstad> so do we want to remove the Enum support from the backend and move everything into the application or do we want to add two other types in a migration? [19:44]
<kmalloc> i think they're pretty evil [19:44]
*** panbalag has joined #openstack-keystone [19:44]
<kmalloc> lets ask mordred [19:45]
<kmalloc> mordred: view on ENUM DB schema type? [19:45]
<kmalloc> we aren't really constrained in storage (it's not a lot of storage) [19:45]
<kmalloc> we have 2 options, 1) add types, 2) make the ENUM enforcement in-app [19:46]
<kmalloc> lbragstad: ftr, adding types (from what i can tell) is an alter and not additive [19:46]
<kmalloc> unless we pivot to a new column (and will have to do that each-and-every-time we add types) [19:46]
<lbragstad> we do already have this in app https://github.com/openstack/keystone/blob/40653eac50de22d3838349ce80be8ac7b3e2fbcc/keystone/assignment/backends/sql.py#L28-L40 [19:46]
<kmalloc> i'm inclined to say make it in-app logic for future maintainability with rolling upgrade support [19:47]
<kmalloc> vs endless column pivots [19:47]
<kmalloc> do the pivot once [19:47]
<kmalloc> and then we're in-code for updates instead of migrations [19:47]
<lbragstad> yeah [19:47]
*** thorst has quit IRC [19:47]
<kmalloc> also for non-SQL backends, if the app does the logic (in the manager) [19:48]
<kmalloc> we can avoid needing to implement that at the driver level each time [19:48]
<lbragstad> true [19:48]
<kmalloc> so i'm inclined to say: pivot to in-app and push enforcement to manager [19:48]
<kmalloc> drivers really should be very very simplistic [19:49]
<kmalloc> get/store data [19:49]
<lbragstad> yeah [19:49]
<lbragstad> agree [19:49]
<kmalloc> so, then i think the answer is straight forward [19:49]
<kmalloc> :) [19:49]
<kmalloc> in-app vs expand the enum [19:49]
<lbragstad> so - we will need a migration [19:50]
<lbragstad> to migrate from the enum to a new column [19:50]
<kmalloc> yep [19:50]
*** itlinux has joined #openstack-keystone [19:50]
<kmalloc> and fwiw, i am happy with either a multi-write (write to both columns for a cycle) model in app [19:50]
<kmalloc> vs triggers [19:50]
<kmalloc> but if you want triggers i will review the bits besides the triggers and not -2 [19:51]
<kmalloc> or -1 based on that [19:51]
*** itlinux has quit IRC [19:53]
*** edmondsw has quit IRC [19:53]
*** edmondsw has joined #openstack-keystone [19:53]
<lbragstad> we could do a final migration in the contract phase? [19:54]
*** itlinux has joined #openstack-keystone [19:54]
*** edmondsw has quit IRC [19:58]
<mordred> kmalloc: morning! [20:02]
*** aojea has joined #openstack-keystone [20:02]
<mordred> kmalloc: biggest issue with ENUM in schema is that adding a new value requires a schema change - whereas just using int or tinyint or whatnot with an enum/mapping defined in code does not [20:03]
<mordred> kmalloc: otoh - int/tinyint with enum in code has issues with enum in code maybe being out of sync with db ... BUT - since we use ORM layer for all of our db access anyway, we're going to have a code level mapping/definition anyway so I'm not sure it's worth much to push it to the db layer [20:04]
<mordred> kmalloc: I see now that you have said some of those things already [20:04]
<kmalloc> mordred: you have confirmed exactly what I expected [20:05]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add backport migrations for Pike https://review.openstack.org/501859 [20:05]
<lbragstad> kmalloc: knikolla ^ [20:05]
<kmalloc> lbragstad: i stand by the decision to move to in-app logic based on what mordred said [20:09]
<lbragstad> sure - working on a patch [20:09]
*** edmondsw has joined #openstack-keystone [20:14]
*** itlinux has quit IRC [20:15]
*** thorst has joined #openstack-keystone [20:16]
<lbragstad> kmalloc: do you have a name in mind for the new column? [20:17]
<lbragstad> 'assignment_type' [20:17]
<lbragstad> ? [20:17]
<kmalloc> wfm [20:17]
*** thorst_ has joined #openstack-keystone [20:18]
*** thorst has quit IRC [20:20]
*** aahh has quit IRC [20:20]
*** thorst_ has quit IRC [20:23]
*** thorst has joined #openstack-keystone [20:24]
*** chlong__ has quit IRC [20:42]
<lbragstad> knikolla: i should have a patch up relatively soon [20:43]
<lbragstad> knikolla: i'm going to rebase all the global role patches to be dependent on the migration [20:43]
<knikolla> lbragstad: sounds good. i got it to work by manually altering the enum to include UserGlobal. [20:44]
<knikolla> in mysql [20:44]
<knikolla> so now i have a global scoped token and am looking into oslo.context and nova. [20:44]
<lbragstad> knikolla: cool - so you're not blocked at least [20:44]
<knikolla> lbragstad: nope :) no worries [20:45]
<ayoung> lbragstad, knikolla http://docs.ansible.com/ansible-tower/3.1.4/html/userguide/security.html#rbac-ug [20:45]
<ayoung> implied roles in Ansible [20:46]
<ayoung> The way that Keystone attempts to do RBAC is fast becoming the Norm [20:47]
<ayoung> Instead of Global Roles Ansible seems to call them "Singleton roles" but hey [20:48]
*** catintheroof has quit IRC [20:49]
*** catintheroof has joined #openstack-keystone [20:49]
*** catintheroof has quit IRC [20:50]
<knikolla> ayoung: interesting [20:51]
<knikolla> it seems that it's a separate type of role though [20:51]
<ayoung> knikolla, yep. [20:51]
<knikolla> while we're keeping one type of role and offering multiple assignment types [20:51]
<ayoung> knikolla, Kubernetes does the same thing, calls them Cluster Roles [20:52]
<ayoung> and lbragstad 's proposal is to make Global Roles, but they are all saying the same thing: certain roles are scoped to a project, and certain ones apply cross projects [20:52]
<ayoung> is_admin_project is a way to shoehorn in that logic without changing the API version. [20:53]
* lbragstad reads [20:53]
<ayoung> the two global roles are System administrators and System Auditors. Second one is the Read only role. [20:55]
*** dave-mccowan has quit IRC [20:55]
*** itlinux has joined #openstack-keystone [20:58]
*** thorst has quit IRC [21:01]
*** itlinux has quit IRC [21:01]
<kmalloc> ayoung: that is a good place to start in general [21:01]
*** thorst has joined #openstack-keystone [21:01]
<knikolla> ayoung: we're eventually phasing out is_admin_project with global role assignment right? [21:04]
*** itlinux has joined #openstack-keystone [21:05]
*** itlinux has quit IRC [21:05]
*** thorst has quit IRC [21:05]
*** panbalag has quit IRC [21:09]
<knikolla> lbragstad: the context is built from the ksm env variables, and the ksm env variables are built from keystoneauth. so that's gonna need changes to all three even for a poc. [21:10]
*** itlinux has joined #openstack-keystone [21:10]
<ayoung> knikolla, yeah, that is the plan. But I can see a stumbling block with API version. Hopefully, we can sneak Global Roles in without a major API version bump [21:19]
<ayoung> knikolla, I wonder if the best thing to do is to do it in keystoneauth first, and make it aware of is_admin_project [21:22]
<ayoung> then work backwards to make Global roles happen in Keystone [21:24]
<ayoung> that way, people can start writing their policy rules today as soon as KSA hits [21:24]
<knikolla> ayoung: i think we might be able to sneak in global roles without a major version bump [21:26]
<knikolla> it doesn't change anything in a non backwards compat way [21:26]
<ayoung> that is true [21:26]
<ayoung> knikolla, I'd try to get the TC blessing on the concept ASAP. Ideally at the PTG [21:27]
<knikolla> lbragstad: ^^ [21:28]
<lbragstad> noted - we're dedicated almost all of monday and tuesday to policy in the baremetal/vm group [21:29]
*** edmondsw has quit IRC [21:32]
*** edmondsw has joined #openstack-keystone [21:34]
*** chrisshattuck has quit IRC [21:36]
*** chrisshattuck has joined #openstack-keystone [21:37]
*** edmondsw has quit IRC [21:38]
<kmalloc> the backward incompat change(s) would be like dropping is_admin_project [21:45]
<kmalloc> but we could be either/or aware [21:45]
<kmalloc> no major bump should be required. [21:45]
<lbragstad> kmalloc: going to push a wip patch for migrating assignments [21:48]
<lbragstad> kmalloc: it's failing the tests but i'd like to get some early eye on it [21:48]
<lbragstad> eyes* [21:48]
<kmalloc> sounds good [21:48]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: WIP: Make assignment type not an Enum https://review.openstack.org/501885 [21:51]
*** itlinux has quit IRC [21:51]
<kmalloc> i need to circle up on my recent patches [21:51]
<lbragstad> i do too - i have like 50 patches in review right now [21:51]
<kmalloc> too many [21:52]
<lbragstad> nevermind 53 - and those are the ones passing jenkins [21:52]
<lbragstad> 69 in total =/ [21:53]
<gagehugo> knikolla bah ok [21:53]
<lbragstad> stepping away for a bit - but i'll be on later [21:54]
*** jamesbenson has quit IRC [22:03]
*** jamesbenson has joined #openstack-keystone [22:06]
*** jamesbenson has quit IRC [22:10]
*** thegreenhundred has quit IRC [22:11]
<kmalloc> lbragstad: commented on the WIP patch [22:33]
*** chlong has joined #openstack-keystone [22:44]
*** aojea has quit IRC [22:47]
*** chlong has quit IRC [22:51]
*** chlong has joined #openstack-keystone [22:52]
*** thorst has joined #openstack-keystone [22:54]
*** thorst has quit IRC [22:59]
*** itlinux has joined #openstack-keystone [23:04]
*** itlinux has quit IRC [23:04]
*** chlong_ has joined #openstack-keystone [23:04]
*** chlong has quit IRC [23:04]
*** chlong_ has quit IRC [23:09]
*** chrisshattuck has quit IRC [23:37]
*** masunkar has joined #openstack-keystone [23:56]
