Friday, 2017-09-29

*** catintheroof has quit IRC		00:06
stevelle001	Anyone able to help me refine this search: looking for design decisions leading to tokens always being returned in headers, instead of in body	00:14
*** thorst has quit IRC		00:15
SamYaple	stevelle001: you want to find a conversation/spec that talks about whether the auth tokens should be passed via the hedears or in the body?	00:24
*** alex_xu has joined #openstack-keystone		00:25
*** alex_xu has quit IRC		00:25
*** alex_xu has joined #openstack-keystone		00:25
*** thorst has joined #openstack-keystone		00:26
*** rcernin has quit IRC		00:29
stevelle001	SamYaple: that's what I'm hoping for, particularly in terms of the operations which create tokens	00:29
stevelle001	also hello again	00:30
SamYaple	im not sure tht exists, if i understand you correctly. The auth header is parsed by keystonemiddleware, and middleware doesnt dig into the body is my undertanding	00:35
SamYaple	stevelle001: hi!	00:35
*** zhurong has joined #openstack-keystone		00:38
*** itlinux has joined #openstack-keystone		00:38
stevelle001	I'm only interested in the keystone api itself, not how the header is used on other service APIs (handled by the middleware). See https://github.com/openstack/keystone-specs/blob/master/attic/v3/identity-api-v3.rst "While token objects do have identifiers, they are not passed in resource URL's nor are they included in the objects themselves." I'm	00:40
stevelle001	trying to get a clear idea of why the OS_TOKEN isn't in the resource.	00:40
*** thorst has quit IRC		00:40
stevelle001	I know I'm not asking that very clearly	00:40
*** aselius has quit IRC		00:45
SamYaple	Oh i see you question now. I don't have an answer for you though. someone else will come along though, im sure	00:46
*** thorst has joined #openstack-keystone		00:47
*** thorst has quit IRC		00:51
samueldmq	stevelle001: SamYaple: hi, that's somewhat a historical decision	00:52
stevelle001	I figured as much	00:52
samueldmq	but I think it had something to do with being safer to be transmitted at the header? I'm not sure	00:52
SamYaple	easier to parse maybe	00:52
samueldmq	but I think kmalloc may know it	00:52
*** erlon has quit IRC		00:53
stevelle001	I assumed it was to prevent security issues -> logging the response body. wanted to find the discussion to consider fully	00:54
kmalloc	Yep	00:55
kmalloc	Mostly to help eliminate logging, especially of the request itself containing secure data.	00:55
stevelle001	request payloads are not treated the same, only response	00:56
stevelle001	was hoping to get a little insight into that too	00:56
stevelle001	I couldn't find a cve for this when I looked	00:56
*** thorst has joined #openstack-keystone		00:58
*** thorst has quit IRC		01:00
*** thorst has joined #openstack-keystone		01:00
*** thorst_ has joined #openstack-keystone		01:01
*** thorst has quit IRC		01:04
*** thorst_ has quit IRC		01:05
*** panbalag has joined #openstack-keystone		01:07
*** tommylikehu has joined #openstack-keystone		01:11
*** panbalag has left #openstack-keystone		01:11
*** Shunli has joined #openstack-keystone		01:27
*** sbezverk has joined #openstack-keystone		01:31
*** markvoelker has joined #openstack-keystone		01:38
*** itlinux has quit IRC		01:39
*** jamesbenson has joined #openstack-keystone		01:44
*** jamesbenson has quit IRC		01:49
*** zhurong has quit IRC		01:50
*** zhurong has joined #openstack-keystone		01:58
*** thorst has joined #openstack-keystone		02:02
*** gyee has quit IRC		02:09
*** markvoelker has quit IRC		02:13
*** dave-mcc_ has quit IRC		02:13
*** rcernin has joined #openstack-keystone		02:20
*** itlinux has joined #openstack-keystone		02:24
*** spotz has quit IRC		02:29
*** lbragstad has joined #openstack-keystone		02:31
*** ChanServ sets mode: +o lbragstad		02:31
*** spotz has joined #openstack-keystone		02:37
*** jamesbenson has joined #openstack-keystone		02:38
*** itlinux has quit IRC		02:50
*** markvoelker has joined #openstack-keystone		03:10
*** zhurong has quit IRC		03:12
*** markvoelker has quit IRC		03:42
*** cfriesen has quit IRC		03:48
*** lbragstad has quit IRC		04:00
*** links has joined #openstack-keystone		04:02
*** zhurong has joined #openstack-keystone		04:20
*** markvoelker has joined #openstack-keystone		04:39
*** tonytan4ever has joined #openstack-keystone		04:42
*** tonytan4ever_brb has quit IRC		04:43
*** aojea has joined #openstack-keystone		04:46
*** aojea has quit IRC		04:50
*** jamesbenson has quit IRC		04:59
*** markvoelker has quit IRC		05:12
*** Shunli has quit IRC		05:15
*** rcernin has quit IRC		05:15
*** tonytan4ever has quit IRC		05:15
*** tonytan4ever has joined #openstack-keystone		05:15
*** pcaruana has joined #openstack-keystone		05:24
*** aojea has joined #openstack-keystone		05:26
*** pcaruana has quit IRC		05:29
*** rcernin has joined #openstack-keystone		05:52
openstackgerrit	Jamie Lennox proposed openstack/keystone master: Remove middleware reference to PARAMS_ENV and CONTEXT_ENV https://review.openstack.org/508410	05:59
openstackgerrit	Jamie Lennox proposed openstack/keystone master: Move auth header definitions into authorization https://review.openstack.org/508411	05:59
openstackgerrit	Jamie Lennox proposed openstack/keystone master: Remove the TokenAuth middleware https://review.openstack.org/508412	05:59
*** aojea has quit IRC		06:00
*** josecastroleon has quit IRC		06:00
*** markvoelker has joined #openstack-keystone		06:09
*** aojea has joined #openstack-keystone		06:10
*** tonytan4ever_brb has joined #openstack-keystone		06:10
*** tonytan4ever has quit IRC		06:12
*** masber has joined #openstack-keystone		06:15
*** jmlowe has quit IRC		06:20
*** tonytan4ever_brb has quit IRC		06:42
*** markvoelker has quit IRC		06:43
*** jamesbenson has joined #openstack-keystone		06:48
*** jamesbenson has quit IRC		06:52
*** ioggstream has joined #openstack-keystone		06:58
*** pcaruana has joined #openstack-keystone		07:04
*** aojea has quit IRC		07:30
*** masber has quit IRC		07:31
*** iogg has joined #openstack-keystone		07:35
*** ioggstream has quit IRC		07:39
*** markvoelker has joined #openstack-keystone		07:40
*** markvoelker has quit IRC		08:12
*** jaosorior has joined #openstack-keystone		08:37
*** sbezverk has quit IRC		08:38
*** belmoreira has joined #openstack-keystone		08:38
*** iogg is now known as ioggstream		09:01
*** markvoelker has joined #openstack-keystone		09:09
*** aojea has joined #openstack-keystone		09:15
*** markvoelker has quit IRC		09:43
*** aojea has quit IRC		09:49
*** adriant has quit IRC		10:06
*** stevemar has quit IRC		10:06
*** stevemar has joined #openstack-keystone		10:07
*** aojea has joined #openstack-keystone		10:09
*** aojea has quit IRC		10:12
*** aojea has joined #openstack-keystone		10:12
*** aojea_ has joined #openstack-keystone		10:18
*** aojea has quit IRC		10:19
*** adriant has joined #openstack-keystone		10:22
*** jamesbenson has joined #openstack-keystone		10:24
*** masber has joined #openstack-keystone		10:28
*** jamesbenson has quit IRC		10:28
*** masber has quit IRC		10:32
*** aojea_ has quit IRC		10:35
*** zhurong has quit IRC		10:36
*** markvoelker has joined #openstack-keystone		10:40
*** aojea has joined #openstack-keystone		10:50
*** markvoelker has quit IRC		11:12
*** sapd_ has quit IRC		11:17
*** sapd_ has joined #openstack-keystone		11:17
*** sapd_ has quit IRC		11:17
*** sapd_ has joined #openstack-keystone		11:18
*** edmondsw has quit IRC		11:21
*** sapd_ has quit IRC		11:23
*** sapd_ has joined #openstack-keystone		11:24
*** aojea has quit IRC		11:27
*** suramya_ has joined #openstack-keystone		11:29
*** raildo has joined #openstack-keystone		11:55
*** stevelle001 has quit IRC		11:56
*** thorst has quit IRC		12:00
*** thorst has joined #openstack-keystone		12:00
*** sapd__ has joined #openstack-keystone		12:03
*** sapd__ has quit IRC		12:03
*** sapd_ has quit IRC		12:03
*** sapd__ has joined #openstack-keystone		12:04
*** markvoelker has joined #openstack-keystone		12:09
*** tonytan4ever has joined #openstack-keystone		12:13
*** edmondsw has joined #openstack-keystone		12:13
*** tonytan4ever has quit IRC		12:18
*** aojea has joined #openstack-keystone		12:20
*** markvoelker has quit IRC		12:29
*** markvoelker has joined #openstack-keystone		12:29
*** 07IAA8DSW has joined #openstack-keystone		12:29
*** 5EXAACMRJ has joined #openstack-keystone		12:29
*** 07IAA8DSW has quit IRC		12:33
*** 5EXAACMRJ has quit IRC		12:34
*** jmlowe has joined #openstack-keystone		12:35
*** hoonetorg has joined #openstack-keystone		12:35
*** panbalag has joined #openstack-keystone		12:38
*** catintheroof has joined #openstack-keystone		13:03
Dinesh_Bhor	Hi all, can anyone take a look at this and add his/her opinion? http://lists.openstack.org/pipermail/openstack-dev/2017-September/122725.html	13:14
*** lbragstad has joined #openstack-keystone		13:15
*** ChanServ sets mode: +o lbragstad		13:15
*** ioggstream has quit IRC		13:20
*** efried is now known as fried_rice		13:21
Dinesh_Bhor	lbragstad, dstanek: It will be great if you reply to this or add comment on the bug directly: http://lists.openstack.org/pipermail/openstack-dev/2017-September/122725.html	13:21
*** tonytan4ever has joined #openstack-keystone		13:27
*** dansmith is now known as superdan		13:34
*** links has quit IRC		13:39
*** suramya_ has quit IRC		13:43
*** Dinesh_Bhor has quit IRC		13:48
knikolla	o/	13:53
*** cfriesen has joined #openstack-keystone		13:56
*** sbezverk has joined #openstack-keystone		13:59
*** jamesbenson has joined #openstack-keystone		14:00
*** jamesbenson has quit IRC		14:04
*** aojea has quit IRC		14:16
openstackgerrit	Colleen Murphy proposed openstack/keystonemiddleware master: Rename auth_uri to www_authenticate_uri https://review.openstack.org/508522	14:21
openstackgerrit	Colleen Murphy proposed openstack/keystonemiddleware master: Rename auth_uri to www_authenticate_uri https://review.openstack.org/508522	14:21
*** aojea has joined #openstack-keystone		14:24
openstackgerrit	Colleen Murphy proposed openstack/keystonemiddleware master: Rename auth_uri to www_authenticate_uri https://review.openstack.org/508522	14:28
*** jaosorior has quit IRC		14:33
gagehugo	o/	14:37
knikolla	gagehugo: o/	14:40
*** aojea has quit IRC		14:42
*** aojea has joined #openstack-keystone		14:46
*** knasim-wrs has joined #openstack-keystone		14:53
knasim-wrs	hi experts, quick question on keystone admin and public apps... before Newton, when keystone was running under eventlets we had certain operations that were not allowed over publicURL. But now with gunicorn running 2 separate app instances, I don't see any distinction between admin and public apps	15:01
*** rcernin has quit IRC		15:01
knasim-wrs	what does the keystone-admin app provide that the keystone-public app doesn't?	15:01
lbragstad	knasim-wrs: good question - the keystone-admin app and keystone-public app was a thing we had to do with the v2.0 API	15:01
lbragstad	the v2.0 API isolated admin functionality to keystone-admin and public functionality to the keystone-public app	15:02
lbragstad	when we implemented v3, we combined both applications and manage policy for what you can and can't do in the application itself	15:02
lbragstad	that way you don't have to host two separate identity applications for full functionality	15:02
knasim-wrs	so we are on Identity V3, does that mean I can have one or the other and it'd be equal? Right now I have 2 gunicorn apps (port 35357 and 5000)	15:03
lbragstad	some of that history is actually documented https://docs.openstack.org/keystone/latest/contributor/http-api.html	15:03
lbragstad	v3 doesn't care or change functionality if it is run on 5000 versus 35357	15:04
lbragstad	the v3 api should be the same regardless	15:04
knasim-wrs	thanks a lot Lance. This is very helpful for us	15:05
lbragstad	knasim-wrs: anytime!	15:05
*** aojea has quit IRC		15:05
knasim-wrs	now that we are migrating to Ocata, I can get rid of one of the app	15:06
lbragstad	knasim-wrs: so long as you aren't deploying v2.0 in anyway	15:06
lbragstad	knasim-wrs: but yeah, that would be awesome, because we removed almost all v2.0 bits in queens	15:06
knasim-wrs	thanks Lance. I'll keep that in mind, last I remembered as of Newton, Neutron was still using Identity V2 so need to make sure its moved onto V3 in Ocata/Pike	15:07
*** aselius has joined #openstack-keystone		15:08
lbragstad	knasim-wrs: we had a big push to move everything to v3	15:09
*** belmoreira has quit IRC		15:14
*** aojea has joined #openstack-keystone		15:15
*** panbalag has quit IRC		15:21
*** dave-mccowan has joined #openstack-keystone		15:21
*** aojea has quit IRC		15:25
lbragstad	FYI - http://lists.openstack.org/pipermail/openstack-dev/2017-September/122886.html	15:30
*** d0ugal has joined #openstack-keystone		15:31
knasim-wrs	thanks Lance. One more question:	15:33
knasim-wrs	to prevent people from deleting the admin user or the services users / services project, I've added hacks inside the Keystone code but I realize that it'd be better to do this as RBAC rules	15:34
*** chlong has quit IRC		15:35
knasim-wrs	something like: identity:delete_project: not services:%(target.project.name)	15:35
knasim-wrs	does RBAC allow NOT rules?	15:36
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add policy for project tags https://review.openstack.org/486757	15:37
lbragstad	knasim-wrs: oslo.policy appears to support it - but i've never experiemented with NOT specifically https://docs.openstack.org/oslo.policy/latest/reference/api/oslo_policy.policy.html	15:39
knasim-wrs	thanks a bunch Lance!	15:39
lbragstad	gagehugo: i think you're changes are failing because of https://review.openstack.org/#/c/508511/	15:39
lbragstad	knasim-wrs: yep - let me know how that works for you	15:40
*** nkinder has quit IRC		15:40
gagehugo	:(	15:40
lbragstad	gagehugo: i added a depends on to https://review.openstack.org/#/c/486757/	15:41
lbragstad	we'll see if that clears things up	15:41
gagehugo	lbragstad thanks!	15:41
gagehugo	I figured things will just move slow until the issues with zuul3 get fixed	15:41
lbragstad	yeah...	15:42
lbragstad	i'm going through keystone changes to see if there is anything else that might affect us	15:42
gagehugo	rip those changes I made for skipping jobs	15:44
*** nkinder has joined #openstack-keystone		15:44
gagehugo	I'm reading the new zuul stuff now	15:44
lbragstad	we haven't had a lot of stuff enter the gate recently so we might not seem	15:47
lbragstad	see much*	15:47
gagehugo	oh they have the skipping in there now, cool	15:51
gagehugo	https://git.openstack.org/cgit/openstack-infra/project-config/tree/zuul.d/projects.yaml#n16834	15:52
knikolla	irrelevant-files, i like the naming.	15:52
gagehugo	knikolla ++	15:53
knikolla	gagehugo: ksm doesn't have that section	15:53
gagehugo	yeah I'll edit https://review.openstack.org/#/c/504243/ for zuul3	15:54
knikolla	gagehugo: cool!	15:54
openstackgerrit	Gage Hugo proposed openstack/python-keystoneclient master: DNM: This is a change that makes keystoneclient.session.Session explode https://review.openstack.org/503207	15:57
*** zzzeek has quit IRC		15:58
*** zzzeek has joined #openstack-keystone		15:59
*** sbezverk has quit IRC		16:04
*** ioggstream has joined #openstack-keystone		16:12
lbragstad	gagehugo: https://review.openstack.org/#/c/484483/ passes though	16:18
gagehugo	\o/	16:20
*** jmlowe has quit IRC		16:20
lbragstad	only one comment on that patch, just to make sure we don't miss updating the specification	16:21
openstackgerrit	Gage Hugo proposed openstack/keystone master: Add project tags api-ref documentation and reno https://review.openstack.org/472396	16:21
*** jamesbenson has joined #openstack-keystone		16:23
*** itlinux has joined #openstack-keystone		16:23
gagehugo	lbragstad https://review.openstack.org/#/c/508339/	16:24
*** ioggstream has quit IRC		16:26
*** pcaruana has quit IRC		16:26
*** jamesbenson has quit IRC		16:27
lbragstad	gagehugo: nice - thanks!	16:28
SamYaple	lbragstad: so my issue was timeouts. lots of em	16:34
SamYaple	one of the nova tables had like a million entries (and no indexing) so the db was returning ultraslow like	16:34
SamYaple	somehow that manifested in middleware getting NotFound exceptions	16:35
lbragstad	SamYaple: whoa...	16:35
lbragstad	it's totally opaque	16:35
SamYaple	indeed. but its fixed now	16:35
SamYaple	so now you can say "ive seen that before!" if it pops up again	16:36
*** edmondsw has quit IRC		16:37
*** itlinux has quit IRC		16:44
*** gyee has joined #openstack-keystone		16:45
*** lnxnut_ has joined #openstack-keystone		16:46
*** itlinux has joined #openstack-keystone		16:47
gagehugo	lbragstad https://review.openstack.org/#/c/507694/ is definitely WIP, I had to whiteboard out the inheritance for those tests :(	16:53
lbragstad	gagehugo: ack - i assume the classes that inherit LDAPIdentity somehow inherit the unit.TestCase class	16:54
gagehugo	there's one in the test_backend_ldap_pool that does	16:55
gagehugo	and another that inherits just LDAPIdentity	16:55
gagehugo	I need to look over it again, there is definitely no reason that each of those tests need to be ran ~8 times	16:57
*** itlinux has quit IRC		17:02
*** aahh has joined #openstack-keystone		17:07
*** jamesbenson has joined #openstack-keystone		17:25
*** NM has joined #openstack-keystone		17:35
*** edmondsw has joined #openstack-keystone		17:37
*** jmlowe has joined #openstack-keystone		17:41
*** dave-mccowan has quit IRC		17:41
*** thorst has quit IRC		17:45
*** raildo has quit IRC		17:45
*** raildo has joined #openstack-keystone		17:51
*** david-lyle has quit IRC		17:56
lbragstad	samueldmq: https://review.openstack.org/#/c/504459/1 looks good, couple suggestions on things we can add	17:56
*** david-lyle has joined #openstack-keystone		17:56
*** NM has quit IRC		18:04
*** hoonetorg has quit IRC		18:06
*** NM has joined #openstack-keystone		18:15
*** boris_42_ has joined #openstack-keystone		18:15
aahh	@lbragstad : any idea why would we encounter this error on devstack http://www.paste.org/86300	18:19
aahh	havent modified any files in it	18:19
lbragstad	aahh: that looks like a pbr bug	18:21
lbragstad	or something is wrong with the dependencies installed	18:21
aahh	was working all good until few minutes back , any suggestions on how to fix	18:23
lbragstad	you could try reinstalling some of the dependencies, or the package that is giving you problems and retry?	18:27
lbragstad	https://ask.openstack.org/en/question/88600/installation-of-openstack-fails-with-attributeerror-module-object-has-no-attribute-add_metaclass/	18:27
lbragstad	sounds like there might be conflicting versions of the same package on the system	18:27
lbragstad	weird stuff happens when system and local packages are both installed	18:27
* lbragstad steps away to grab lunch quick		18:29
knasim-wrs	@lbragstad: the "not" operations worked in Keystone RBAC. Thanks!	18:35
*** thorst has joined #openstack-keystone		18:45
*** thorst has quit IRC		18:50
*** ayoung has joined #openstack-keystone		18:53
ayoung	lbragstad, is gagehugo not working on 968696 anymore? Are you going to drive on with my Nova fix for it?	18:54
*** lbragstad has quit IRC		19:03
*** lbragstad has joined #openstack-keystone		19:07
*** ChanServ sets mode: +o lbragstad		19:07
lbragstad	ayoung: yeah - we need to reassess after the ptg discussions	19:08
lbragstad	if gagehugo isn't able to pick it back up i can try and carve out cycles for it	19:08
lbragstad	(not sure if those messages came through)	19:08
gagehugo	ayoung I wasn't sure if we were continuing with is_admin_project	19:08
ayoung	I thought the idea was to eventually go for the Service Roles, but since those are undefined now, and we can transition from is_admin_project to service roles (I think) this gives a path forward. Was not going to push, though	19:09
lbragstad	gagehugo: i think you dropped yourself from that bug prior to all the discussions in Denver, right?	19:09
gagehugo	lbragstad I stopped working on it once global roles because a thing	19:11
gagehugo	and I wasn't sure what direction we were going in	19:12
lbragstad	gagehugo: ack	19:12
lbragstad	that makes sense	19:12
lbragstad	at the PTG jamielennox made a bunch of point about providing a path from one to the other since is_admin_project is technically in the wild	19:12
lbragstad	part of that roadmap consisted of building a thing in oslo.policy/context that projects should consume	19:13
lbragstad	that knows how to handle system roles and is_admin_project equally	19:13
lbragstad	thus, shielding the projects from having to care about the implementation detals	19:13
lbragstad	details*	19:13
ayoung	Service scoped roles could have is_admin_project set to true	19:14
ayoung	tokens with Service scoped roles could have is_admin_project set to true	19:14
lbragstad	a system scoped token and a token with is_admin_project are the same thing	19:15
lbragstad	essentially	19:15
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove v2.0 identity APIs https://review.openstack.org/499783	19:17
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove v2.0 token APIs https://review.openstack.org/499784	19:18
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove v2.0 auth APIs https://review.openstack.org/504465	19:18
openstackgerrit	Gage Hugo proposed openstack/keystone master: Add project tags api-ref documentation and reno https://review.openstack.org/472396	19:18
*** knasim-wrs has quit IRC		19:19
*** catintheroof has quit IRC		19:20
*** catintheroof has joined #openstack-keystone		19:20
ayoung	lbragstad, so, we can continue to work on getting the projects to enforce on is_admin_project, which will be a 1-to-1 match with Service scoped rules in the future, and and can add the logic in oslo context once we have service scoped roles implemented.	19:24
*** catintheroof has quit IRC		19:24
ayoung	but, I'm not going to be writing any more code for a bit...new role and all that	19:24
lbragstad	ayoung: yeah - thats fine, i figured you'd be busy with other things	19:26
ayoung	so gagehugo if you want to take https://review.openstack.org/#/c/384148/ and work on it in conjunction with the Nova team, please go ahead and do so, as I think it is the single most important thing that needs to happen in Keystone right now	19:26
ayoung	Even if the rules change, that patch is probably the basis for any other implementation you are going to end up with, so please take it and run with it	19:26
ayoung	same with https://review.openstack.org/#/c/257636/ . lbragstad perhaps the best thing to do is to take that patch and make it look like you want	19:28
gagehugo	ayoung sure	19:28
openstackgerrit	Gage Hugo proposed openstack/keystone master: Add project tags api-ref documentation and reno https://review.openstack.org/472396	19:29
ayoung	lbragstad, gagehugo the one sticking point on the keystone review was that I put the service_role into is_admin_project. This is for services out there, and I think would translate almost directly to a service scoped roles. Do you two agree?	19:30
lbragstad	ayoung: we haven't gotten to service roles yet, or service scoping	19:30
ayoung	lbragstad, that does not matter	19:30
lbragstad	i could see that coming later if system scoping pans out the way we need it to	19:31
ayoung	the question is whether the current usage of the service role should be considered is_admin_project only	19:31
gagehugo	that will be nice if it does translate directly	19:31
ayoung	and I think it needs to be	19:31
ayoung	it is, IIUC, only ever assigned to a service user for validating tokens	19:31
ayoung	lbragstad, look at it this way: would it ever make sense to grant the service_role to someone for an operation scoped to a project? Seems to contradict the meaning of service there	19:34
ayoung	and...I don't think we actually currently use that for anything.	19:34
ayoung	$ grep -rni service_role keystone/* \| fpaste	19:34
ayoung	Uploading (0.6KiB)...	19:34
ayoung	https://paste.fedoraproject.org/paste/UJqHAtz8LeRFVBUyT~WGSQ	19:34
ayoung	only in unit tests. I can remove that line if you want.	19:35
*** thorst has joined #openstack-keystone		19:35
ayoung	and, since we don't use it, I am OK with removing it	19:35
lbragstad	ayoung: i need to dig into the patch, i haven't look at it recently	19:36
ayoung	ah...we do use it, just via the constants	19:36
lbragstad	there's a lot of discussion there and it looks like jamielennox had comments	19:37
ayoung	$ grep -rni RULE_SERVICE_OR_ADMIN keystone/* \| fpaste	19:37
ayoung	Uploading (0.6KiB)...	19:37
ayoung	https://paste.fedoraproject.org/paste/Jrmn84weUIuKojBJH4cSWQ	19:37
ayoung	lbragstad, that was his one comment	19:37
ayoung	service is a role that is assigned to, say the nova service user that calls back to Keystone in order to validate tokens and check revoke status	19:38
ayoung	seems to me to be a hole if we were to let a project level admin or lower perform that operation. So scoping it to a project does not make sense.	19:38
ayoung	If we had a global role for token operations, it would be used here instead	19:39
*** rarora has joined #openstack-keystone		19:50
*** aojea has joined #openstack-keystone		20:09
*** aojea has quit IRC		20:13
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Use stestr directly instead of ostestr https://review.openstack.org/508611	20:37
lbragstad	mtreinish: ^	20:37
*** jmlowe has quit IRC		20:50
kmalloc	lbragstad: are we clear for removing 2.0 stuff now?	20:54
kmalloc	lbragstad: looks like the depends on stuff has been droppeD?	20:54
lbragstad	kmalloc: one of the patches merged and the other didn't need to be a dependency	20:54
lbragstad	a rebase of https://review.openstack.org/#/c/499783/7 should do the trick	20:55
lbragstad	we'll see what the tests say but i'm not expecting any real issues	20:55
kmalloc	great. I'll shove it through if it's all happy	20:55
lbragstad	awesome - there is a bunch of stuff queued up behind it	20:56
kmalloc	yep	20:56
lbragstad	also - https://review.openstack.org/#/c/508611/ would be good to review	20:56
*** thorst has quit IRC		21:10
*** wxy has quit IRC		21:13
*** raildo has quit IRC		21:17
*** aojea has joined #openstack-keystone		21:18
*** edmondsw has quit IRC		21:20
openstackgerrit	Jamie Lennox proposed openstack/keystone master: Check policy_complete on keystone request https://review.openstack.org/508619	21:24
*** mwheckmann has quit IRC		21:26
openstackgerrit	Jamie Lennox proposed openstack/keystone master: Move auth header definitions into authorization https://review.openstack.org/508411	21:27
openstackgerrit	Jamie Lennox proposed openstack/keystone master: Remove the TokenAuth middleware https://review.openstack.org/508412	21:27
jamielennox	ayoung: a present on that: https://review.openstack.org/#/c/507726/	21:29
*** thorst has joined #openstack-keystone		21:30
*** thorst has quit IRC		21:35
openstackgerrit	Jamie Lennox proposed openstack/keystone master: Remove the TokenAuth middleware https://review.openstack.org/508412	21:48
*** hoonetorg has joined #openstack-keystone		21:50
*** thorst has joined #openstack-keystone		21:52
*** thorst has quit IRC		21:56
*** jamesbenson has quit IRC		22:05
*** NM has quit IRC		22:17
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove v2.0 identity APIs https://review.openstack.org/499783	22:18
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove v2.0 token APIs https://review.openstack.org/499784	22:18
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove v2.0 auth APIs https://review.openstack.org/504465	22:18
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove v2.0 test plumbing https://review.openstack.org/506748	22:18
*** d0ugal has quit IRC		22:23
*** aahh has quit IRC		22:23
*** aojea has quit IRC		22:32
*** aojea has joined #openstack-keystone		22:40
*** aojea has quit IRC		22:45
*** thorst has joined #openstack-keystone		22:53
*** aojea has joined #openstack-keystone		22:57
*** aojea has quit IRC		23:02
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware master: Issue a deprecation warning for validating PKI tokens https://review.openstack.org/508631	23:06
openstackgerrit	Jamie Lennox proposed openstack/keystonemiddleware master: gitignore .stestr folder https://review.openstack.org/508632	23:10
*** lbragstad has quit IRC		23:35
*** fried_rice is now known as efried_thbagh		23:40
*** zhurong has joined #openstack-keystone		23:52
*** gyee has quit IRC		23:53

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!