Friday, 2017-10-13

<kmalloc> SamYaple: roles can exist only in a single domain? [00:02]
<kmalloc> when was that added? [00:02]
<SamYaple> kmalloc: idk. forever ago [00:06]
<SamYaple> let me check [00:06]
<SamYaple> i think its always been a part of the v3 api [00:06]
<kmalloc> ah mitaka [00:07]
<SamYaple> nope 3.6 [00:07]
<SamYaple> yea [00:07]
<kmalloc> no it was very recent [00:07]
<kmalloc> (for a value of recent) [00:07]
<kmalloc> the answer is: I doubt anyone uses it [00:07]
<SamYaple> seems like a decent idea. make it literally impossible for any user or group outside of a domain to use the role [00:08]
<SamYaple> good for auditing [00:08]
<kmalloc> eh. it's a bit wonky [00:08]
<kmalloc> and i don't know if it works like that. [00:08]
<SamYaple> no im doing that right now [00:08]
<SamYaple> just it seemed like an edge feature so i was worried about unknown future breakage [00:09]
<kmalloc> its really easy to screw it all up. this is another case of *eh* not sure why we even bothered [00:09]
<SamYaple> dont want to rely on something thats going to break because no one uses it [00:09]
<kmalloc> and now we're stuck with it [00:09]
<SamYaple> yea that [00:09]
<SamYaple> i bet you the way im using it was the original rationale [00:09]
<SamYaple> ah looks like it was made with the intention of allowing cloud providers to provide roles to customers that made sense to them, but it does work like i thought it did [00:15]
<SamYaple> it piggy-backs off of implied roles [00:16]
<SamYaple> so this actually seems like the core gets used and tested a lot [00:17]
<openstackgerrit> zhengliuyang proposed openstack/keystone master: Improper handle about building list of token deletion  https://review.openstack.org/475100 [01:36]
<openstackgerrit> Colleen Murphy proposed openstack/keystone-specs master: Propose JWT as a new token provider  https://review.openstack.org/511806 [11:00]
<cmurphy> lbragstad: kmalloc ^ please feel free to submit changes if you feel like it [11:01]
<openstackgerrit> Colleen Murphy proposed openstack/keystone-specs master: Propose JWT as a new token provider  https://review.openstack.org/511806 [12:24]
<openstackgerrit> prashkre proposed openstack/keystone master: Handle ldap size limit exeeded exception  https://review.openstack.org/511822 [12:29]
<lbragstad> cmurphy: woo! [13:49]
<gagehugo> o/ [13:56]
<lbragstad> cmurphy: thanks again for taking the time to write that up - nicely done [14:40]
<cmurphy> lbragstad: i had a lot of run reading rfcs late into the night :) [14:41]
<cmurphy> fun* [14:41]
<lbragstad> cmurphy: i can tell! [14:41]
<lbragstad> because you distilled the information nicely :) [14:41]
<cmurphy> :D [14:42]
<knikolla> o/ [14:54]
<lbragstad> if anyone is looking for reviews - more eyes on https://review.openstack.org/#/c/484483/31 and https://review.openstack.org/#/c/486757/24 would be good [15:49]
<lbragstad> gagehugo: responded - https://review.openstack.org/#/c/499726/12 [15:51]
<knikolla> lbragstad: looking. [16:18]
<kmalloc> cmurphy: niiicE! [16:31]
<kmalloc> cmurphy: added comments (lbragstad cc) [16:37]
<lbragstad> kmalloc: awesome - i can spin a new version today [16:45]
<samueldmq> lbragstad: cmurphy: kmalloc would be great to get a couple of eyes on bug 1718747 [17:15]
<openstack> bug 1718747 in OpenStack Identity (keystone) "Unable to delete domain with users in it" [High,In progress] https://launchpad.net/bugs/1718747 - Assigned to Samuel de Medeiros Queiroz (samueldmq) [17:15]
<samueldmq> #link https://review.openstack.org/#/q/status:open+topic:bug/1718747 [17:15]
<samueldmq> I've got patches for keystone master + backport and tests in tempest [17:15]
<lbragstad> samueldmq: sure thing - I saw the patches posted for review, I'll take a look after lunch [17:20]
<samueldmq> thanks [17:21]
<samueldmq> FYI jenkins is passing on them all, it's zuul -1 there [17:21]
<SamYaple> oh nice cmurphy! JWT would be sweer [17:45]
<SamYaple> sweet* [17:45]
<SamYaple> ive done a good bit with them fairly recently [17:46]
<openstackgerrit> Merged openstack/keystone master: Updated from global requirements  https://review.openstack.org/511015 [18:24]
<samueldmq> cmurphy: lbragstad: why do we need bearer tokens? as we do recheck/revalidate entities (projects, user,roles,etc) at token validation time? [18:24]
<samueldmq> I might be missing something really basic [18:24]
<lbragstad> even though we rebuild the entire context at validation time, the token is still considered a bearer token [18:25]
<lbragstad> (because it gives the power to the bearer) [18:25]
<lbragstad> so if I create a token and give it to you, there is nothing preventing keystone from thinking you're me [18:26]
<lbragstad> in order to get over the bearer token hurdle, we'd need to be able to assert the token belongs to the person or thing that passed it to keystone [18:26]
<lbragstad> (signed requests or something like that) [18:27]
<lbragstad> (which might require some out-of-band trust relationship between the user and keystone) [18:27]
<lbragstad> i think we need bearer tokens - at least for the time being, because we don't have any other way to operator [18:29]
<lbragstad> operate* [18:30]
<lbragstad> you'd need to teach keystone and all the other services to do something like validate signed requests [18:30]
<samueldmq> lbragstad: (because it gives the power to the bearer) ... [18:30]
<samueldmq> hmm I thought it was because the token itself was bearer, like carrying info within it [18:30]
<lbragstad> yeah - so if you steal a token of mine, you can do anything i can do [18:31]
<openstackgerrit> Gage Hugo proposed openstack/keystone master: Implement backend logic for project tags  https://review.openstack.org/499726 [18:31]
<openstackgerrit> Gage Hugo proposed openstack/keystone master: Implement project tags logic into manager  https://review.openstack.org/499727 [18:31]
<openstackgerrit> Gage Hugo proposed openstack/keystone master: Implement project tags API controller and router  https://review.openstack.org/499728 [18:31]
<samueldmq> such as roles, etc [18:31]
<samueldmq> lbragstad: hmm I got it [18:31]
<samueldmq> thanks for clarifying [18:31]
<lbragstad> yep [18:31]
<lbragstad> at least that's my take on it [18:32]
<samueldmq> we would need yet another mechanism to check the user in validation time ... [18:32]
<lbragstad> i remember having an extensive conversation with dolphm in 2015 about finding a way to do away with bearer tokens [18:32]
<lbragstad> but - we didn't really take it anywhere [18:32]
<gagehugo> lbragstad moved that logic into the manager [18:34]
<lbragstad> gagehugo: awesome - did that fix things for you? [18:34]
<gagehugo> yup, I added a test for that situation as well [18:34]
<lbragstad> sweet [18:34]
<gagehugo> when filtering on tags & some attribute [18:35]
* lbragstad goes to review more project tags stuff [18:35]
<gagehugo> addressed your comments too because I was already rebasing everything [18:35]
<gagehugo> gonna step away for a bit, I'll be on later [18:35]
<lbragstad> cool - i think my comments are all addressed [19:13]
<lbragstad> samueldmq: is the bug here that we can't delete a domain with stuff in it or that we issue a 500 instead of something else? https://bugs.launchpad.net/keystone/+bug/1718747 [19:13]
<openstack> Launchpad bug 1718747 in OpenStack Identity (keystone) "Unable to delete domain with users in it" [High,In progress] - Assigned to Samuel de Medeiros Queiroz (samueldmq) [19:13]
<samueldmq> lbragstad: we can't delete domain with contents at all [19:14]
<samueldmq> the foreign key fails when trying to delete the domain in the database [19:15]
<lbragstad> samueldmq: was it possible to delete a domain with things in it before? [19:17]
<samueldmq> lbragstad: yes but only before newton I guess [19:17]
<samueldmq> because the FK did not exist [19:17]
<lbragstad> hug [19:17]
<lbragstad> huh* [19:17]
<samueldmq> lbragstad: actually, it fails if you've done the migration [19:17]
<samueldmq> that adds the fk [19:18]
<samueldmq> in the model we don't have the fk, so new deployments will be fine [19:18]
<samueldmq> and things in the domain is restricted to users [19:18]
<samueldmq> groups in the domain are fine. there is no fk for that case [19:18]
<lbragstad> so if you delete a domain that has group in it, it deletes the groups automatically? [19:19]
<lbragstad> cc samueldmq ^ [19:28]
<samueldmq> lbragstad: yes [19:29]
<samueldmq> keystone deletes the domain first, and as a result of the notification sent [19:29]
<samueldmq> it deletes users and groups in that domain [19:29]
<lbragstad> ah [19:29]
<samueldmq> however the users have a fk pointing back to domain, so they can't be deleted after the domain is deleted [19:29]
<samueldmq> the domain delete fails with: user.domain_id -> project.id fk failed ! [19:30]
<samueldmq> lbragstad: the fk is added here https://github.com/openstack/keystone/blob/2bd88d3/keystone/common/sql/expand_repo/versions/014_expand_add_domain_id_to_user_table.py#L140-L141 [19:31]
<samueldmq> and does not exist in the model [19:31]
<samueldmq> lbragstad:  wonder what we'd like to do to make model + migration consistent [19:31]
<samueldmq> add another migration to remove the fk? or add the fk in the model? [19:31]
<lbragstad> adding the FK to the model shouldn't require a migration [19:31]
<openstackgerrit> prashkre proposed openstack/keystone master: Handle ldap size limit exeeded exception  https://review.openstack.org/511822 [19:32]
<openstackgerrit> Lance Bragstad proposed openstack/keystone-specs master: Propose JWT as a new token provider  https://review.openstack.org/511806 [20:00]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add a new table for system role assignments  https://review.openstack.org/507993 [21:13]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement backend logic for system roles  https://review.openstack.org/507994 [21:13]
<lbragstad> samueldmq: targeting this to the releases you've proposed backports for - https://bugs.launchpad.net/keystone/+bug/1718747 [21:26]
<openstack> Launchpad bug 1718747 in OpenStack Identity (keystone) "Unable to delete domain with users in it" [High,In progress] - Assigned to Samuel de Medeiros Queiroz (samueldmq) [21:26]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Fix list in caching documentation  https://review.openstack.org/511974 [22:13]
<kmalloc> lbragstad: adding an FK to a model doesn't require a migration... unless the FK doesn't exist [22:56]
<kmalloc> which case the schema must be made to match [22:56]
<kmalloc> samueldmq: ^ [22:56]
<kmalloc> but an FK even in the model shouldn't break things [22:56]
<kmalloc> it might be cascade delete [22:56]
<kmalloc> which case, you need to fix the FK. IIRC we explicitly chose to *not* allow cascade delete on anything in domain [22:57]
<kmalloc> basically, delete the domain resources explicitly before deleting the domain [22:57]
<kmalloc> i don't think this is a bug in the way it's written, it might be an intentional choice. [22:58]
<kmalloc> [likely] [22:58]
