Wednesday, 2017-09-27

« Tuesday, 2017-09-26 Index Thursday, 2017-09-28 »
*** thorst has joined #openstack-keystone00:08
*** thorst has quit IRC00:09
*** nicolasbock has quit IRC00:35
*** nicolasbock has joined #openstack-keystone00:42
*** MeltedLux has joined #openstack-keystone00:50
*** Shunli has joined #openstack-keystone00:58
*** thorst has joined #openstack-keystone01:06
*** thorst has quit IRC01:06
*** panbalag has joined #openstack-keystone01:10
*** aselius has quit IRC01:16
*** shengping has joined #openstack-keystone01:34
*** shengping has quit IRC01:54
*** thorst has joined #openstack-keystone02:07
*** erlon has quit IRC02:48
*** thorst has quit IRC02:48
*** panbalag has quit IRC02:58
*** jamesbenson has joined #openstack-keystone03:05
*** itlinux has joined #openstack-keystone03:12
*** aojea has joined #openstack-keystone03:17
*** nicolasbock has quit IRC03:21
*** aojea has quit IRC03:22
*** gyee has quit IRC03:33
*** itlinux has quit IRC03:41
*** thorst has joined #openstack-keystone03:45
*** jamesbenson has quit IRC04:13
*** thorst has quit IRC04:16
*** jaosorior has joined #openstack-keystone04:19
*** jdennis has joined #openstack-keystone04:23
*** spotz_ has joined #openstack-keystone04:24
*** bigjools_ has joined #openstack-keystone04:25
*** cburgess has quit IRC04:29
*** spotz has quit IRC04:29
*** jrist has quit IRC04:29
*** jdennis1 has quit IRC04:29
*** iurygregory has quit IRC04:29
*** obre has quit IRC04:29
*** bigjools has quit IRC04:29
*** chrome0 has quit IRC04:29
*** cburgess has joined #openstack-keystone04:30
*** chrome0 has joined #openstack-keystone04:31
*** john5223_ has quit IRC04:32
*** jrist has joined #openstack-keystone04:36
*** obre has joined #openstack-keystone04:36
*** iurygregory has joined #openstack-keystone04:36
*** Shunli has quit IRC04:42
*** zhurong has joined #openstack-keystone05:13
*** thorst has joined #openstack-keystone05:13
*** aojea has joined #openstack-keystone05:42
*** thorst has quit IRC05:47
*** jamesbenson has joined #openstack-keystone06:01
*** jamesbenson has quit IRC06:06
*** rcernin has joined #openstack-keystone06:39
*** thorst has joined #openstack-keystone06:45
*** cfriesen_ has quit IRC06:46
*** lamt has quit IRC07:16
*** Dinesh_Bhor has quit IRC07:17
*** thorst has quit IRC07:17
*** Dinesh_Bhor has joined #openstack-keystone07:21
*** tesseract has joined #openstack-keystone07:21
*** jaosorior has quit IRC07:31
*** ioggstream has joined #openstack-keystone07:41
*** jaosorior has joined #openstack-keystone07:46
*** efried has quit IRC08:08
*** zhurong has quit IRC08:11
*** thorst has joined #openstack-keystone08:14
*** efried has joined #openstack-keystone08:19
*** zhurong has joined #openstack-keystone08:29
*** chlong has quit IRC08:49
*** thorst has quit IRC08:50
*** mvk has quit IRC09:34
*** jamesbenson has joined #openstack-keystone09:38
*** josecastroleon has joined #openstack-keystone09:41
*** jamesbenson has quit IRC09:42
*** thorst has joined #openstack-keystone09:47
*** afazekas is now known as afazekas|seek4fo09:48
openstackgerritThomas Duval proposed openstack/oslo.policy master: Modification to add additional information in the HTTPCheck request.  https://review.openstack.org/49846709:53
*** josecastroleon has quit IRC10:00
*** d0ugal has joined #openstack-keystone10:03
*** thorst has quit IRC10:18
*** zhurong has quit IRC10:20
*** mvk has joined #openstack-keystone10:48
*** d0ugal has quit IRC10:48
*** nicolasbock has joined #openstack-keystone11:00
*** d0ugal has joined #openstack-keystone11:02
*** nicolasbock has quit IRC11:04
*** timothyb89 has quit IRC11:11
*** jaosorior is now known as jaosorior_sick11:12
*** thorst has joined #openstack-keystone11:15
*** thorst has quit IRC11:27
*** pcaruana has joined #openstack-keystone11:27
*** panbalag has joined #openstack-keystone11:35
*** panbalag has quit IRC11:38
*** ioggstream has quit IRC11:39
*** dave-mccowan has joined #openstack-keystone11:50
*** thorst has joined #openstack-keystone11:55
*** dave-mccowan has quit IRC12:01
*** dave-mccowan has joined #openstack-keystone12:04
*** afazekas|seek4fo is now known as afazekas12:09
*** raildo has joined #openstack-keystone12:13
*** edmondsw has joined #openstack-keystone12:17
*** ioggstream has joined #openstack-keystone12:20
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware master: Updated from global requirements  https://review.openstack.org/50000512:44
*** jmlowe has quit IRC12:48
*** Suramya has joined #openstack-keystone12:50
openstackgerritOpenStack Proposal Bot proposed openstack/pycadf master: Updated from global requirements  https://review.openstack.org/47013712:52
*** panbalag has joined #openstack-keystone12:54
*** panbalag has left #openstack-keystone12:54
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware master: Updated from global requirements  https://review.openstack.org/50000513:01
openstackgerritOpenStack Proposal Bot proposed openstack/pycadf master: Updated from global requirements  https://review.openstack.org/47013713:09
openstackgerritSuramya proposed openstack/keystone master: Reorganize api-ref: v3 domains  https://review.openstack.org/50513513:10
*** jistr is now known as jistr|call13:12
*** lucasxu has joined #openstack-keystone13:14
*** nkinder has quit IRC13:23
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware master: Updated from global requirements  https://review.openstack.org/50000513:24
*** lbragstad has joined #openstack-keystone13:27
*** ChanServ sets mode: +o lbragstad13:27
*** sbezverk has joined #openstack-keystone13:27
*** chlong has joined #openstack-keystone13:29
*** josecastroleon has joined #openstack-keystone13:30
*** chlong has quit IRC13:31
openstackgerritOpenStack Proposal Bot proposed openstack/pycadf master: Updated from global requirements  https://review.openstack.org/47013713:32
*** jmlowe has joined #openstack-keystone13:34
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware master: Updated from global requirements  https://review.openstack.org/50000513:40
*** ayoung has quit IRC13:44
openstackgerritMerged openstack/oslo.policy master: Modification to add additional information in the HTTPCheck request.  https://review.openstack.org/49846713:45
*** lifeless has quit IRC13:46
openstackgerritOpenStack Proposal Bot proposed openstack/pycadf master: Updated from global requirements  https://review.openstack.org/47013713:48
*** lifeless has joined #openstack-keystone13:54
*** dave-mccowan has quit IRC13:54
*** Drankis has joined #openstack-keystone14:06
*** alex_xu has quit IRC14:18
*** alex_xu has joined #openstack-keystone14:21
*** dave-mccowan has joined #openstack-keystone14:26
*** jistr|call is now known as jistr14:27
*** jamesbenson has joined #openstack-keystone14:29
*** jmlowe has quit IRC14:31
*** jmlowe has joined #openstack-keystone14:37
*** dave-mccowan has quit IRC14:38
*** josecastroleon has quit IRC14:39
*** Drankis has quit IRC14:40
*** alex_xu has quit IRC14:44
*** dave-mccowan has joined #openstack-keystone14:44
*** jmlowe has quit IRC14:48
*** jmlowe has joined #openstack-keystone14:48
*** alex_xu has joined #openstack-keystone14:49
*** dave-mcc_ has joined #openstack-keystone14:49
*** dave-mccowan has quit IRC14:51
hrybackilbragstad: regarding https://review.openstack.org/#/c/507434 -- I did confirm that the patch is in both master and stable/pike14:58
*** Suramya has quit IRC14:58
lbragstadhrybacki: so https://review.openstack.org/#/c/507434 is a backport to stable/ocata from https://review.openstack.org/#/c/465530/ which merged to master 30 hours ago14:59
*** cfriesen_ has joined #openstack-keystone15:00
hrybackilbragstad: it was cherry-picked against ocata 30 hours ago but on master (now Pike) on Aug 1 IIRC15:01
knikollao/15:01
lbragstadhrybacki: bah - i'm backwards today15:01
hrybackilbragstad: no worries: https://github.com/openstack/keystone/commit/630d9b58fd957e8bb27a99ac5cd73a58826c6fc2 for verifcation15:02
hrybackio/ knikolla15:02
*** jmlowe has quit IRC15:03
*** jmlowe has joined #openstack-keystone15:04
*** gyee has joined #openstack-keystone15:05
hrybackiany cores able to review/+2 ^^? I know there are two LP's associated with it and live deployments being affected15:05
lbragstadhrybacki: kmalloc and stevemar should kick that through15:08
hrybackilbragstad: ack, thanks15:14
*** chlong has joined #openstack-keystone15:17
*** ayoung has joined #openstack-keystone15:19
*** josecastroleon has joined #openstack-keystone15:21
gagehugoo/15:31
*** jmlowe has quit IRC15:32
*** rcernin has quit IRC15:43
*** josecastroleon has quit IRC15:44
kmallocWill do shortly15:51
kmallocGetting setup for the day15:51
*** erlon has joined #openstack-keystone15:55
*** timothyb89 has joined #openstack-keystone16:03
*** sbezverk has quit IRC16:03
*** r-daneel has joined #openstack-keystone16:12
*** tesseract has quit IRC16:24
*** jmlowe has joined #openstack-keystone16:35
kmalloclbragstad: pushed through16:36
hrybackikmalloc++16:36
hrybackithanks!16:36
*** david-lyle has quit IRC16:40
*** mvk has quit IRC16:44
*** d0ugal has quit IRC16:50
*** ioggstream has quit IRC16:50
stevemarlbragstad: ?16:53
hrybackistevemar there was a review being backported but it's now approved16:55
*** dave-mcc_ has quit IRC17:06
kmARChi all, I'm trying to figure out how to connect to keystone via CLI. Using openstackclient >v3.0.0 I have multiple options, like v3oidc{clientcredentials,password}. Unfortunately both these result in a HTTP405, Method not allowed error. Reason is, the auth plugin tries to `POST` to my keycloak IDP server at one point, however it says: "Allow: HEAD, GET, OPTIONS"17:09
kmARC_authentication_ seems to work, if I give in a wrong password, I get authentication error17:09
kmARCThe current setup also works with horizon17:09
openstackgerritDavanum Srinivas (dims) proposed openstack/oslo.policy master: External Policy hook should support SSL  https://review.openstack.org/49178317:09
kmARCAny insights where I should start looking?17:09
stevemarhrybacki: yay17:10
*** dave-mccowan has joined #openstack-keystone17:11
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware master: Updated from global requirements  https://review.openstack.org/50000517:11
*** david-lyle has joined #openstack-keystone17:13
*** pcaruana has quit IRC17:14
*** itlinux has joined #openstack-keystone17:17
*** tonytan4ever has joined #openstack-keystone17:18
openstackgerritDavanum Srinivas (dims) proposed openstack/oslo.policy master: http/https check rules as stevedore extensions  https://review.openstack.org/50709817:19
openstackgerritOpenStack Proposal Bot proposed openstack/pycadf master: Updated from global requirements  https://review.openstack.org/47013717:19
*** nkinder has joined #openstack-keystone17:35
*** aselius has joined #openstack-keystone17:37
*** itlinux has quit IRC17:51
openstackgerritLance Bragstad proposed openstack/keystone-specs master: Specification for system roles  https://review.openstack.org/46476317:56
lbragstadknikolla: cmurphy hrybacki kmalloc ^17:57
hrybackiwoo17:57
lbragstadi reworked the entire global roles specification to fit the conversations from the PTG17:57
kmalloclbragstad: https://review.openstack.org/#/c/507098/6 please note my comment17:57
*** cfriesen_ has quit IRC17:57
kmallocoslo.policy related things17:57
lbragstadi also added a section that highlights the difference between system and global17:57
lbragstadkmalloc: ack17:57
lbragstadcc dims ^17:58
kmallocmordred: https://review.openstack.org/#/c/464763/17 (see above), this is of interest to you, shade, and generally people running/consuming clouds (cc fungi ) would like your views as well17:58
dimslbragstad : ack thanks will line it up for later17:58
mordredlbragstad, kmalloc: ack. it's open in a window17:59
kmalloclbragstad: one comment, but otherwise that represents what we discussed18:03
*** cfriesen_ has joined #openstack-keystone18:03
kmalloclbragstad: i'd like to see what other folks thing18:03
kmallocthink*18:03
lbragstadsame here18:03
lbragstadfwiw - it felt way more natural to use the term system over global18:03
kmallocyeah, that bit makes this a lot easier to understand18:04
lbragstadright - its a lot more clear what a "system" operation is versus a "global" operation18:05
kmallocdims: removed the -1, entrypoints are a security risk18:08
lbragstadI also modified the path to include system, which i think will help if we eventually want make it a hierarchy18:08
kmallocdims: i would, given full license to do so, remove their uses from openstack or at least keystone and all security-related things18:09
kmallocbut i wont hold this up. i've voiced my concerns18:09
dimskmalloc : if we get to a point when someone can inject a python package to be installed ... they already own you. no?18:10
dimskmalloc : ack and thanks18:10
kmallocnot really, you can register any entrypoint namespace18:10
kmallocthis could allow *any* pythong package to register something that could be loaded by oslo.policy18:11
kmallocand if the module conflicts... you get both back, depending on how things are built in stevedore among other places you could grab the wrong one18:11
kmallocwhich is name-sorted18:11
kmallocit's ... lets just say entrypoints are not fun in this regard18:11
dimsunderstood kmalloc18:11
*** pcaruana has joined #openstack-keystone18:15
cfriesen_just wondering if there is any documentation on what caching backends are recommended for keystone.  I found https://docs.openstack.org/keystone/latest/admin/identity-caching-layer.html but it doens't really have opinions.18:35
cfriesen_kmalloc: with respect to https://review.openstack.org/#/c/505345/ (limiting the endpoints returned) are you saying that "give me the endpoints for this region/service-type" would be slower than "give me all the endpoints for all service types across ~20 regions"?18:36
kmallocin keystone, yes18:41
kmallocit is likely going to be much slower on the keystone side due to how we pull the data from the db18:41
kmallocin the clinet, parsing the data will be faster.18:42
kmallocit'll be a tradeoff18:42
kmalloccfriesen_: i haven't had time to look at the implications18:45
hrybackianyone here muck with aws / ec2 stuff?18:47
*** sbezverk has joined #openstack-keystone18:54
*** pcaruana has quit IRC19:00
*** r-daneel has quit IRC19:02
*** r-daneel has joined #openstack-keystone19:03
*** tonytan4ever has quit IRC19:06
*** tonytan4ever has joined #openstack-keystone19:07
cfriesen_kmalloc: no worries...I expected that we would be able to retrieve the service based on the type, and then look up the endpoint based on the region and service_id.  I assumed this would be faster than retrieving maybe 100+ endpoints and formatting them to send in the response.19:09
kmallocI think we need a lot more index to do that.19:10
kmallocWhich is... Painful with the rolling upgrade support.19:10
*** edmondsw has quit IRC19:15
*** edmondsw has joined #openstack-keystone19:18
*** edmondsw has quit IRC19:23
*** jmlowe has quit IRC19:25
*** edmondsw has joined #openstack-keystone19:47
*** edmondsw has quit IRC19:48
*** edmondsw has joined #openstack-keystone19:48
*** markvoelker has quit IRC19:48
*** markvoelker has joined #openstack-keystone19:49
*** r-daneel has quit IRC20:14
*** r-daneel has joined #openstack-keystone20:15
*** aselius has quit IRC20:17
*** belmoreira has joined #openstack-keystone20:32
*** aojea has quit IRC20:44
*** belmoreira has quit IRC20:44
*** aojea has joined #openstack-keystone20:49
lbragstadkmalloc: ping20:50
kmalloclbragstad: pong20:50
lbragstadkmalloc: so you know how we had the system roles discussion20:51
* kmalloc plays atari with lbragstad 20:51
kmallocuh, yeah20:51
lbragstadand we talked about making the system assignment stuff a lot simpler than the existing assignment api (less kwargs and more explicit methods)?20:51
*** lucasxu has quit IRC20:52
lbragstadkmalloc: do you think it's fine to add a bunch of methods like `list_system_grants_for_user`, `list_system_grants_for_group`, etc...20:52
kmallochm.20:52
lbragstadlike - in the assignment backend?20:53
kmalloci don't think it's an issue20:53
lbragstadthen everything is invoked by the manager?20:53
kmallocyeah.20:53
lbragstadok20:53
lbragstadi'm working through the implementation now and realizing how many method signatures are going to be added to that backend20:53
*** mvk has joined #openstack-keystone21:02
*** thorst has quit IRC21:09
*** ayoung has quit IRC21:10
*** thorst has joined #openstack-keystone21:11
*** thorst has quit IRC21:15
*** raildo has quit IRC21:23
*** thorst has joined #openstack-keystone21:29
*** thorst has quit IRC21:34
*** itlinux has joined #openstack-keystone21:36
*** gyee has quit IRC21:44
*** dave-mccowan has quit IRC21:45
openstackgerritLance Bragstad proposed openstack/keystone master: Add a new table for system role assignments  https://review.openstack.org/50799321:45
openstackgerritLance Bragstad proposed openstack/keystone master: Implement backend logic for system roles  https://review.openstack.org/50799421:45
*** jamesbenson has quit IRC21:55
*** jamesbenson has joined #openstack-keystone21:57
*** dave-mccowan has joined #openstack-keystone21:57
*** thorst has joined #openstack-keystone21:58
*** aojea has quit IRC21:58
*** jamesbenson has quit IRC21:58
*** jamesbenson has joined #openstack-keystone22:00
*** dave-mccowan has quit IRC22:03
*** jamesbenson has quit IRC22:04
*** edmondsw has quit IRC22:23
openstackgerritMerged openstack/keystone master: Migrate to stestr  https://review.openstack.org/50444222:58
*** thorst has quit IRC23:30
*** jmlowe has joined #openstack-keystone23:32
*** jamesbenson has joined #openstack-keystone23:35
*** edmondsw has joined #openstack-keystone23:40
*** jamesbenson has quit IRC23:40
*** edmondsw has quit IRC23:44
*** jmlowe has quit IRC23:52
*** jmlowe has joined #openstack-keystone23:53
*** r-daneel has quit IRC23:58
« Tuesday, 2017-09-26 Index Thursday, 2017-09-28 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!