Friday, 2018-01-19

*** spzala has quit IRC00:09
*** david-lyle has quit IRC00:10
*** dklyle has joined #openstack-keystone00:10
*** spzala has joined #openstack-keystone00:10
*** phalmos has quit IRC00:19
*** esp has quit IRC00:25
*** esp has joined #openstack-keystone00:28
*** dklyle is now known as david-lyle00:52
openstackgerritMerged openstack/keystonemiddleware master: Updated from global requirements  https://review.openstack.org/53493700:59
*** pramodrj07 has joined #openstack-keystone01:05
*** lbragstad has joined #openstack-keystone01:09
*** ChanServ sets mode: +o lbragstad01:09
*** edmondsw has joined #openstack-keystone01:12
*** bigdogstl has quit IRC01:14
wxylbragstad: a lot of tests failed when i turn on FKs, http://logs.openstack.org/30/126030/17/check/openstack-tox-py27/4d7a61c/testr_results.html.gz01:15
lbragstadwxy: i just saw your comment on the review - sounds like i missed a step01:16
lbragstadI can try and recreate01:16
lbragstadi thought there was just one boolean to switch01:16
*** edmondsw has quit IRC01:16
wxylbragstad: we lost the root domain <<keystone.domain.root>>. So when we enable FK, it will fail for creating the "default" domain.01:18
wxylbragstad: what's more, the sqlite FK only works in one connection. It means that we should open the FK every time we connect to sqlite. Enable the FK for the global engine does nothing actually.01:20
lbragstadhuh01:21
lbragstadinteresting01:21
*** daidv has quit IRC01:22
*** daidv has joined #openstack-keystone01:22
*** esp has quit IRC01:24
wxyso I disable the FK for the test by default. We can enable it step by step for all the test. It's not a small work. For example, i enabled FK for limit provider. So that the test can pass now. https://review.openstack.org/#/c/524109/35/keystone/tests/unit/limit/test_backends.py L37101:29
*** zhurong has joined #openstack-keystone01:29
*** bigdogstl has joined #openstack-keystone01:45
*** bigdogstl has quit IRC01:50
openstackgerritMerged openstack/keystoneauth master: Updated from global requirements  https://review.openstack.org/53493601:53
openstackgerritMerged openstack/keystoneauth master: Shift additional_user_agent in the stack  https://review.openstack.org/45625901:53
*** bigdogstl has joined #openstack-keystone01:57
*** kukacz_ has quit IRC02:00
openstackgerritMerged openstack/oslo.policy master: Updated from global requirements  https://review.openstack.org/53510102:00
*** kukacz_ has joined #openstack-keystone02:01
lbragstadwxy: here you mean? https://review.openstack.org/#/c/524109/35/keystone/tests/unit/limit/test_backends.py@37102:07
wxylbragstad: yeah02:07
*** pramodrj07 has quit IRC02:08
*** bigdogstl has quit IRC02:09
lbragstadoh - so that *would* fail if https://review.openstack.org/#/c/524109/35/keystone/tests/unit/test_backend_sql.py@1271 was False?02:12
wxylbragstad: yes.02:12
lbragstadahh...02:12
lbragstadok - i'm testing something for application credentials quick, but i should be able to pull those patches again02:13
lbragstadand retest02:13
wxylbragstad: OK. I'm refreshing the patch as well, based on your comments. :)02:14
lbragstadwxy: awesome - i was finally able to go through them today02:14
lbragstadmost of my comments were style related02:15
wxylbragstad: I think they are all good. To make the code more pythonic and beautiful. I'm happy to make the patches better.02:16
lbragstadwxy: i noticed the tests set up a service and region for each test case... i spent some time trying to refactor them to use setUpClass instead of just setUp, which gets run for each test and not just once for the whole module02:18
lbragstadbut i think we'll have to refactor more of the testing infrastructure because setUpClass is a classmethod and doesn't have access to self.post utility methods and whatnot... either way, we can do more of that in the future, just something i was tinkering with to see if we could improve perofrmnace02:19
lbragstadperformance*02:19
openstackgerritLance Bragstad proposed openstack/keystone master: Add system column to app cred table  https://review.openstack.org/53556902:19
lbragstadcmurphy: ^02:20
*** spzala has quit IRC02:20
*** spzala has joined #openstack-keystone02:21
*** spzala has quit IRC02:21
*** spzala has joined #openstack-keystone02:21
wxylbragstad: yeah. I tried move it to super class at PS14, but it influenced many other tests. It's the reason I moved them down.02:23
lbragstadaha - so if i set https://review.openstack.org/#/c/524109/35/keystone/tests/unit/test_backend_sql.py@1271 to False i get 3 test failures02:27
lbragstadwhich looks right - because they are expecting reference limit failures..02:27
lbragstadnice02:27
wxy:)02:28
*** harlowja has quit IRC02:31
lbragstadwxy: you're just always two steps ahead!02:32
lbragstadi'll retract my -1 then02:32
wxylbragstad: I spent all my last two days for digging the sqlite FK problems. lol02:34
lbragstadyeah... that's good because that patch has been in review for a *long* time02:34
lbragstadwxy: if we do merge this patch with the workaround to bypass fk because tests fail, we should open a bug to go chase those tests down and fix them02:38
*** namnh has joined #openstack-keystone02:40
*** bigdogstl has joined #openstack-keystone02:40
*** bigdogstl has quit IRC02:45
*** threestrands_ has joined #openstack-keystone02:49
*** threestrands_ has quit IRC02:49
*** threestrands_ has joined #openstack-keystone02:49
lbragstadwxy: do you have any other questions for me on the comments i had?02:50
*** threestrands has quit IRC02:51
wxylbragstad: no more. Others can be dealt in the review. And agree to open a bug to track it. I'll try to fix them one by one.02:53
lbragstadi don't think it's a huge deal to fix those immediately, just as long as we don't lose track of the work (that's the important bit)02:54
lbragstadIMO02:54
wxysure.02:55
*** bigdogstl has joined #openstack-keystone03:03
*** andreaf has quit IRC03:07
*** lbragstad has quit IRC03:08
*** bigdogstl has quit IRC03:13
*** andreaf has joined #openstack-keystone03:36
*** bigdogstl has joined #openstack-keystone03:37
openstackgerritwangxiyuan proposed openstack/keystone master: Force SQLite to properly deal with foreign keys  https://review.openstack.org/12603003:39
openstackgerritwangxiyuan proposed openstack/keystone master: Add limit provider  https://review.openstack.org/52410903:39
openstackgerritwangxiyuan proposed openstack/keystone master: Implement policies for limits  https://review.openstack.org/53014303:39
openstackgerritwangxiyuan proposed openstack/keystone master: Expose unified limit APIs  https://review.openstack.org/52411003:39
openstackgerritwangxiyuan proposed openstack/keystone master: Improve limit sql backend  https://review.openstack.org/53558703:39
*** AlexeyAbashkin has joined #openstack-keystone03:44
*** jappleii__ has joined #openstack-keystone03:44
*** jappleii__ has quit IRC03:45
*** jappleii__ has joined #openstack-keystone03:45
*** jappleii__ has quit IRC03:46
*** threestrands_ has quit IRC03:46
*** lbragstad has joined #openstack-keystone03:46
*** ChanServ sets mode: +o lbragstad03:46
*** jappleii__ has joined #openstack-keystone03:47
*** esp has joined #openstack-keystone03:47
*** esp has left #openstack-keystone03:47
*** jappleii__ has quit IRC03:48
*** AlexeyAbashkin has quit IRC03:48
*** jappleii__ has joined #openstack-keystone03:48
*** rcernin has quit IRC03:49
*** rcernin has joined #openstack-keystone03:49
*** bigdogstl has quit IRC03:51
*** abhi89 has joined #openstack-keystone04:01
*** lbragstad has quit IRC04:02
*** bigdogstl has joined #openstack-keystone04:17
*** ayoung has quit IRC04:22
*** bigdogstl has quit IRC04:22
*** bigdogstl has joined #openstack-keystone04:24
*** deepak_ has joined #openstack-keystone04:26
deepak_hey , can we use oauthlib in replace of oauthclient as https://github.com/google/oauth2client/releases/tag/v4.1.004:27
*** bigdogstl has quit IRC04:29
*** Dinesh_Bhor has joined #openstack-keystone04:30
*** bigdogstl has joined #openstack-keystone04:35
*** abhishek has joined #openstack-keystone04:37
*** links has joined #openstack-keystone04:37
*** namnh has quit IRC04:38
*** Dinesh_Bhor has quit IRC04:39
*** zhurong has quit IRC04:39
*** abhi89 has quit IRC04:39
*** Dinesh_Bhor has joined #openstack-keystone04:45
*** Dinesh_Bhor has quit IRC04:53
*** Dinesh_Bhor has joined #openstack-keystone04:55
*** bigdogstl has quit IRC04:57
*** zhurong has joined #openstack-keystone05:19
*** harlowja has joined #openstack-keystone05:21
openstackgerritMerged openstack/keystoneauth master: Use stestr in tox.ini  https://review.openstack.org/53476305:29
*** Dinesh_Bhor has quit IRC05:43
*** Dinesh_Bhor has joined #openstack-keystone05:43
*** Dinesh_Bhor has quit IRC05:47
*** Dinesh_Bhor has joined #openstack-keystone05:49
*** jappleii__ has quit IRC05:52
*** bigdogstl has joined #openstack-keystone05:56
*** bigdogstl has quit IRC06:07
*** jaosorior has joined #openstack-keystone06:11
*** logan- has quit IRC06:16
*** harlowja has quit IRC06:29
*** annp has joined #openstack-keystone06:33
*** abhi89 has joined #openstack-keystone06:37
*** logan- has joined #openstack-keystone06:40
*** abhishek has quit IRC06:40
*** pcaruana has joined #openstack-keystone06:44
*** lamt has quit IRC07:02
*** bigdogstl has joined #openstack-keystone07:02
*** namnh has joined #openstack-keystone07:03
*** bigdogstl has quit IRC07:14
openstackgerritwangxiyuan proposed openstack/keystone master: Force SQLite to properly deal with foreign keys  https://review.openstack.org/12603007:17
openstackgerritwangxiyuan proposed openstack/keystone master: Improve limit sql backend  https://review.openstack.org/53558707:17
openstackgerritwangxiyuan proposed openstack/keystone master: Add limit provider  https://review.openstack.org/52410907:17
openstackgerritwangxiyuan proposed openstack/keystone master: Implement policies for limits  https://review.openstack.org/53014307:17
openstackgerritwangxiyuan proposed openstack/keystone master: Expose unified limit APIs  https://review.openstack.org/52411007:17
*** Dinesh_Bhor has quit IRC07:19
*** Dinesh_Bhor has joined #openstack-keystone07:20
*** bigdogstl has joined #openstack-keystone07:25
*** bigdogstl has quit IRC07:30
*** daidv has quit IRC07:33
*** daidv has joined #openstack-keystone07:33
*** bigdogstl has joined #openstack-keystone07:37
*** rcernin has quit IRC07:43
*** bigdogstl has quit IRC07:44
*** tbh_ has joined #openstack-keystone07:59
*** zeus has quit IRC08:05
*** rm_work has quit IRC08:08
*** bigdogstl has joined #openstack-keystone08:10
*** AlexeyAbashkin has joined #openstack-keystone08:13
*** markvoelker has quit IRC08:14
*** tesseract has joined #openstack-keystone08:16
*** harlowja has joined #openstack-keystone08:17
*** rm_work has joined #openstack-keystone08:20
*** bigdogstl has quit IRC08:20
*** namnh_ has joined #openstack-keystone08:26
*** jmccrory has quit IRC08:26
*** gus has quit IRC08:27
*** annp has quit IRC08:28
*** namnh has quit IRC08:28
*** gus has joined #openstack-keystone08:29
*** annp has joined #openstack-keystone08:29
*** jmccrory has joined #openstack-keystone08:33
*** jamielennox has quit IRC08:33
*** harlowja has quit IRC08:37
*** namnh has joined #openstack-keystone08:40
*** Dinesh_Bhor has quit IRC08:42
*** Dinesh_Bhor has joined #openstack-keystone08:42
*** namnh_ has quit IRC08:43
*** jmccrory has quit IRC08:50
*** jmccrory has joined #openstack-keystone08:52
*** namnh has quit IRC08:54
*** rm_work has quit IRC08:56
*** josecastroleon has joined #openstack-keystone08:59
*** homeski has quit IRC09:02
*** bigdogstl has joined #openstack-keystone09:13
openstackgerritwangxiyuan proposed openstack/keystone master: Expose unified limit APIs  https://review.openstack.org/52411009:23
openstackgerritwangxiyuan proposed openstack/keystone master: Add api-ref for registered limits  https://review.openstack.org/53568809:23
*** bigdogstl has quit IRC09:24
*** abhishek has joined #openstack-keystone09:24
*** abhi89 has quit IRC09:26
*** Dinesh_Bhor has quit IRC09:31
*** rm_work has joined #openstack-keystone09:36
*** jamielennox has joined #openstack-keystone09:46
*** pcaruana has quit IRC09:50
*** vishu1810 has joined #openstack-keystone09:52
*** bigdogstl has joined #openstack-keystone09:52
*** pcaruana has joined #openstack-keystone09:53
*** pcaruana has quit IRC09:53
*** pcaruana has joined #openstack-keystone09:54
*** vishu1810 has left #openstack-keystone09:54
*** bigdogstl has quit IRC10:01
*** tbh_ has quit IRC10:09
*** markvoelker has joined #openstack-keystone10:15
openstackgerritwudong proposed openstack/keystone master: Fix outdated links  https://review.openstack.org/53522810:34
*** zhurong has quit IRC10:41
openstackgerritColleen Murphy proposed openstack/keystone master: Fix outdated links  https://review.openstack.org/53522810:48
*** markvoelker has quit IRC10:49
*** daidv has quit IRC10:58
*** bigdogstl has joined #openstack-keystone11:03
*** bigdogstl has quit IRC11:14
*** markvoelker has joined #openstack-keystone11:46
*** raildo has joined #openstack-keystone11:48
*** annp has quit IRC11:55
*** frickler has joined #openstack-keystone12:00
*** bigdogstl has joined #openstack-keystone12:00
*** markvoelker has quit IRC12:20
rabelcmurphy: do you really think it's necessary describing indentation fixes in more detail? referring to your comment on https://review.openstack.org/#/c/534860/12:21
rabelthese mistakes are actually quite common and if you build the docs you see it directly. but it's somehow hard to describe12:21
cmurphyrabel: just without context it looks like a noop change, i did have to build the docs to see the difference12:23
cmurphyi wasn't asking for a long paragraph, just "the extra indentation causes this section to render as a quoted section which is unintentional"12:24
rabelah ok. i can do that. :)12:24
cmurphysweet, and thanks for fixing it :)12:24
*** hogepodge has quit IRC12:26
*** andreykurilin has quit IRC12:27
*** dansmith has quit IRC12:27
*** d34dh0r53 has quit IRC12:27
*** rarora has quit IRC12:27
*** d34dh0r53 has joined #openstack-keystone12:28
*** bigjools_ has joined #openstack-keystone12:28
*** dansmith has joined #openstack-keystone12:28
*** hogepodge has joined #openstack-keystone12:28
*** dansmith is now known as Guest8664912:28
*** bigjools has quit IRC12:28
*** deepak_ has quit IRC12:28
*** andreykurilin has joined #openstack-keystone12:29
*** dgonzalez has quit IRC12:30
*** dgonzalez has joined #openstack-keystone12:32
*** bigdogstl has quit IRC12:32
*** deepak_ has joined #openstack-keystone12:40
*** bigdogstl has joined #openstack-keystone13:02
*** efried is now known as fried_rice13:05
*** szaher has quit IRC13:07
*** bigdogstl has quit IRC13:17
*** markvoelker has joined #openstack-keystone13:17
*** links has quit IRC13:28
*** markvoelker has quit IRC13:29
*** edmondsw has joined #openstack-keystone13:29
*** markvoelker has joined #openstack-keystone13:29
*** bigdogstl has joined #openstack-keystone13:35
*** bigdogstl has quit IRC13:40
*** bigdogstl has joined #openstack-keystone13:42
*** sambetts|afk is now known as sambetts13:44
*** bigdogstl has quit IRC13:46
*** bigdogstl has joined #openstack-keystone13:47
*** aojea_ has joined #openstack-keystone13:50
*** aojea__ has joined #openstack-keystone13:55
*** aojea_ has quit IRC13:58
*** aojea_ has joined #openstack-keystone14:01
*** bigdogstl has quit IRC14:02
*** aojea__ has quit IRC14:04
*** aojea__ has joined #openstack-keystone14:05
*** aojea_ has quit IRC14:08
*** lbragstad has joined #openstack-keystone14:10
*** ChanServ sets mode: +o lbragstad14:10
*** aojea_ has joined #openstack-keystone14:11
*** aojea__ has quit IRC14:13
*** bigdogstl has joined #openstack-keystone14:20
*** aojea__ has joined #openstack-keystone14:20
*** aojea_ has quit IRC14:24
*** bigdogstl has quit IRC14:25
*** david-lyle has quit IRC14:27
*** aojea_ has joined #openstack-keystone14:28
*** aojea__ has quit IRC14:29
*** david-lyle has joined #openstack-keystone14:29
*** jistr is now known as jistr|mtg14:30
*** aojea__ has joined #openstack-keystone14:30
*** aojea_ has quit IRC14:34
*** josecastroleon has quit IRC14:35
*** aojea_ has joined #openstack-keystone14:36
openstackgerritMerged openstack/keystone master: Fix indentation in docs  https://review.openstack.org/53486014:37
openstackgerritMerged openstack/keystone master: Make entries in policy_mapping.rst consistent  https://review.openstack.org/53488514:37
openstackgerritMerged openstack/keystone master: Fix outdated links  https://review.openstack.org/53522814:37
openstackgerritMerged openstack/keystone master: Add ability to list all system role assignments  https://review.openstack.org/52440714:37
*** aojea__ has quit IRC14:39
*** aojea_ has quit IRC14:44
*** bhagyashris has quit IRC14:46
*** spzala has quit IRC14:49
lbragstadcmurphy: just double checking here, but for project_id and application credentials, we're going to make sure the manager/controller always populates it until we're ready to open up the functionality right?14:50
*** spzala has joined #openstack-keystone14:50
*** bigdogstl has joined #openstack-keystone14:51
cmurphylbragstad: yeah, the user has no control over it and it's just taken from their current scope, which right now can only be project scope. I think when system-scope is fully functional it will be easyish to make the adjustment and have it be seamless14:52
*** jmlowe has quit IRC14:52
lbragstad++14:55
lbragstadso - project_id and system should be mutually exclusive then14:56
cmurphyyeah14:56
*** bigdogstl has quit IRC14:56
lbragstadbut we'll just control that constraint in the application credential manager?14:56
cmurphyi think it would be controlled before they even hit the create endpoint, because they need to get a scoped token and i assume a token can only have either project or system scope14:58
cmurphyso if they have a valid token then they can create a valid application credential14:59
*** jmlowe has joined #openstack-keystone15:00
lbragstadoh - sure...15:00
lbragstadbut we won't rely on the db to make that judgement, right?15:00
cmurphyoh i guess we could add a constraint on the db but i don't think we really need to15:01
lbragstadright15:01
lbragstadi agree15:01
lbragstadit would be possible to create an application credential with both, or neither defined, but i don't think the business logic should allow that15:02
cmurphyright15:02
lbragstadcool15:02
lbragstadnew patch on the way15:02
openstackgerritLance Bragstad proposed openstack/keystone master: Add system column to app cred table  https://review.openstack.org/53556915:03
*** jistr|mtg is now known as jistr15:04
*** bigdogstl has joined #openstack-keystone15:04
*** bigdogstl has quit IRC15:09
*** spilla has joined #openstack-keystone15:11
*** samuelbartel__ has quit IRC15:11
*** bigdogstl has joined #openstack-keystone15:13
*** raildo has quit IRC15:19
*** zeus has joined #openstack-keystone15:26
*** zeus is now known as Guest5533715:27
*** Guest55337 is now known as zeus`15:29
*** zeus` is now known as Guest5154215:29
*** bigdogstl has quit IRC15:29
*** Guest51542 is now known as zeus15:30
*** zeus has quit IRC15:30
*** zeus has joined #openstack-keystone15:30
*** raildo has joined #openstack-keystone15:36
*** bigdogstl has joined #openstack-keystone15:39
*** bigdogstl has quit IRC15:44
*** phalmos has joined #openstack-keystone15:44
cmurphylbragstad: was keystoneauth going to be released this week? did we miss that deadline?15:49
*** phalmos has quit IRC15:51
lbragstadthe freeze is this week15:53
lbragstadhttps://releases.openstack.org/queens/schedule.html#q-final-lib15:53
*** phalmos has joined #openstack-keystone15:54
lbragstadso i don't think we missed it _yet_15:54
lbragstadtoday is our last day to get things merged for oslo and ksa15:55
cmurphyhrm i think it was yesterday actually http://lists.openstack.org/pipermail/openstack-dev/2018-January/126147.html15:56
cmurphyi guess sean doesn't want to live dangerously and release on a friday15:56
lbragstaddamn15:58
lbragstadi read that email, too15:58
*** kukacz_ has quit IRC15:58
lbragstadso - how do we want to approach ksa changes for things we're landing this release?15:59
*** kukacz has joined #openstack-keystone15:59
cmurphynot sure what our options are16:01
cmurphyI think we'll just have to land them early next release?16:02
cmurphyer s/release/cycle16:03
*** bigdogstl has joined #openstack-keystone16:03
lbragstadwe could do that - and release early16:03
lbragstadlike, as soon as rocky opens16:03
lbragstadthen people will have to grab newer clients to use those features in pike16:04
*** jlvillal has quit IRC16:04
cmurphys/pike/queens16:05
* lbragstad shakes head16:05
lbragstadyeah... queens16:05
*** bigdogstl has quit IRC16:07
cmurphyyeah not ideal but i think early adopters would mostly use the latest client releases from pypi rather than their distro packages anyways?16:09
lbragstadprobably16:09
lbragstadalright - i'll go through and place procedural -2s on all ksa changes16:10
cmurphycould also ask the release team if they'd be willing to make an exception :)16:11
lbragstadi just asked smcginnis in -release :)16:12
lbragstadfrozen unless a fix is critical16:12
cmurphyi don't think we qualify16:13
lbragstaddouble checking16:13
*** jlvillal has joined #openstack-keystone16:14
*** itlinux has joined #openstack-keystone16:16
*** bigdogstl has joined #openstack-keystone16:18
kmallocask for an exception16:20
kmallocreally, we have minimal things open in ksa16:21
kmallocif we missed the release by a day, it's fair to ask for an exception if we release today16:21
kmallocor well...16:21
kmallocmonday16:21
kmallocbecause no releases on Friday16:21
lbragstadright16:21
lbragstadwe have to release next week anyway16:21
lbragstadafaik the only two exceptions we would need would be for app creds and system scope16:22
kmalloci view "every major initiative in pike is on hold" as relatively critical16:22
kmallocfwiw.16:22
lbragstadin pike?16:22
lbragstads/pike/queens :)16:22
kmallocyes16:22
kmalloci need coffee16:22
kmalloci was reviewing some code that referenced pikle16:23
kmallocpike*16:23
kmalloci also published a bug to public16:23
kmallochttps://bugs.launchpad.net/keystoneauth/+bug/170075116:23
openstackLaunchpad bug 1638978 in keystoneauth "duplicate for #1700751 Debug data isn't sanitized" [Medium,In progress] - Assigned to Dinesh Bhor (dinesh-bhor)16:23
*** bigdogstl has quit IRC16:23
kmalloclbragstad: system scope +2 (in KSA)16:24
kmalloclbragstad: ok i need to go grab coffee and walk the dog.16:24
lbragstadack - if we get exceptions, we'll need to get those merged today16:25
*** jaosorior has quit IRC16:30
lbragstadcmurphy: i think this is what gagehugo ran into yesterday, but i just hit it, too http://paste.openstack.org/show/647127/16:32
cmurphylbragstad: that usually goes away for me if i `pip install -e` again and restart keystone16:34
* lbragstad facepalm16:34
gagehugolbragstad not that exactly, was getting unallowed auth method16:34
*** itlinux has quit IRC16:34
cmurphyi assumed there was some stevedore or setuptools magic that i don't understand but maybe it's a bug16:34
lbragstadnope - reinstalling worked16:34
lbragstadi just need to slow down :)16:34
cmurphygagehugo: but that would go away when you add 'application_credential' to auth methods right?16:35
gagehugoyup16:35
*** AlexeyAbashkin has quit IRC16:35
*** itlinux has joined #openstack-keystone16:41
*** bigdogstl has joined #openstack-keystone16:41
lbragstadcmurphy: gagehugo kmalloc we have exceptions for app creds and system scope ksa patches16:47
*** ayoung has joined #openstack-keystone16:47
lbragstadwhich client freeze next week, i'll release first thing on monday and we can incorporate them into the clients where we need them16:47
cmurphyokay16:47
lbragstadwith*16:48
lbragstadbefore the final library release and before client freeze16:48
cmurphyfor application credentials at least the ksa and ksc changes are separate and independent16:48
lbragstadcmurphy: ok - so you don't have anything in ksc that depends on ksa?16:49
gagehugook16:49
cmurphylbragstad: i don't think so, the ksc changes are just CRUD changes, they don't need to deal with the auth plugin16:50
lbragstadack16:50
lbragstadi suppose openstack token issue doesn't really make sense for application credentials?16:50
cmurphyah well it does sort of16:51
cmurphyi haven't started looking at osc at all yet16:51
lbragstadso - application credentials are mainly going to be used via ksa16:52
lbragstaddo we expect applications to authenticate with keystone via osc?16:52
cmurphyyes16:52
cmurphydeployment tools for example shell out to ksa16:52
cmurphyor osc16:52
*** bigdogstl has quit IRC16:52
cmurphyi mean shell out to osc16:52
lbragstadok - so in that case there might be something there...16:53
lbragstadbut it's likely similar to what i had to do for system scope16:53
lbragstador my osc patch to get system scope to work16:53
spillasince freeze is in a week, appreciate reviews to get tags through :) https://review.openstack.org/#/c/481284/16:56
lbragstadspilla: sweet - i can review that16:57
spillathanks!16:57
*** gyee has joined #openstack-keystone16:58
*** fried_rice is now known as fried_rolls17:14
lbragstadcmurphy: i checked out your patch locally and i can authenticate for a token with ksa17:16
cmurphyyay17:17
lbragstadcmurphy:  is there a way to look at the methods from the token response using a session object?17:17
cmurphynot sure off the top of my head17:18
lbragstadhah - hell yes there is!17:19
knikollao/17:19
lbragstadhttp://paste.openstack.org/show/647169/17:20
lbragstadcmurphy: whole process, top to bottom http://paste.openstack.org/show/647174/17:23
lbragstadgagehugo: kmalloc knikolla ^ in case you want to try things out17:25
knikollalbragstad: ooo looking nice!17:26
lbragstadthe big thing i wanted to check was that the auth methods in the token response matched application_credentials17:27
*** mvenesio has joined #openstack-keystone17:27
*** pcaruana has quit IRC17:36
cmurphylbragstad: it should work without passing in user_id to ApplicationCredentialMethod, does it?17:36
lbragstadlet me try quick17:36
cmurphyknikolla: can https://review.openstack.org/#/c/452893/ be abandoned?17:37
lbragstadyep - it does17:37
knikollacmurphy: yeah, nothing else from that spec merged. and the spec was removed.17:37
*** bigdogstl has joined #openstack-keystone17:44
openstackgerritLance Bragstad proposed openstack/keystoneauth master: Add documentation and release note for app creds  https://review.openstack.org/53586717:48
lbragstad^ passes everything for me locally17:49
openstackgerritMerged openstack/keystone master: remove _append_null_domain_id decorator  https://review.openstack.org/52784817:49
*** bigdogstl has quit IRC17:51
*** r-daneel has joined #openstack-keystone17:59
knikollaafter lunch i'll be in full code review mode.18:02
lbragstadawesome18:02
lbragstadi'm holding up cmurphy's work with https://review.openstack.org/#/c/535569/18:03
lbragstadany reviews there would be awesome so we can get the application credential stuff back on track18:03
lbragstadi'm also going to straighten up the ksc patches to system assignment CRUD18:04
lbragstadthen we can get those merged with the app cred CRUD and project tags osc patch on monday18:05
lbragstador early next week18:05
* lbragstad runs away to get lunch quick18:06
*** bigdogstl has joined #openstack-keystone18:09
*** esp has joined #openstack-keystone18:12
*** bigdogstl has quit IRC18:13
*** AlexeyAbashkin has joined #openstack-keystone18:16
*** bigdogstl has joined #openstack-keystone18:17
*** AlexeyAbashkin has quit IRC18:20
*** bigdogstl has quit IRC18:22
*** bigdogstl has joined #openstack-keystone18:23
*** bigdogstl has quit IRC18:28
openstackgerritMerged openstack/keystoneauth master: Implement system scope  https://review.openstack.org/52966518:37
*** bigdogstl has joined #openstack-keystone18:43
*** bigdogstl has quit IRC18:47
* gagehugo is back from lunch18:48
*** sambetts is now known as sambetts|afk18:48
*** bigdogstl has joined #openstack-keystone18:50
*** dave-mcc_ has joined #openstack-keystone18:53
*** bigdogstl has quit IRC18:56
*** bigdogstl has joined #openstack-keystone19:01
*** mvenesio has quit IRC19:08
*** bigdogstl has quit IRC19:13
*** itlinux has quit IRC19:20
*** bigdogstl has joined #openstack-keystone19:21
*** bigdogstl has quit IRC19:25
*** itlinux has joined #openstack-keystone19:28
*** phalmos has quit IRC19:29
*** harlowja has joined #openstack-keystone19:31
lbragstadcmurphy: i'm just noticing a bunch of things with the scope_types patches19:36
cmurphylbragstad: yeah?19:36
lbragstadresponding inline to most of them19:36
lbragstadbut here is an example of my epiphany https://review.openstack.org/#/c/526153/19:36
cmurphylbragstad: ah yeah i was making assumptions that it was already locked down somehow19:39
lbragstad:( i should have been more clear about that19:39
lbragstadI think a lot of those APIs are going to need additional code to check project scope in the API19:40
lbragstadwhich was part of the FIXME discussion we had in the meeting recently (last week?)19:40
lbragstadwe can close bug 968696 without all of those bits done...19:41
openstackbug 968696 in OpenStack Identity (keystone) ""admin"-ness not properly scoped" [High,In progress] https://launchpad.net/bugs/968696 - Assigned to Adam Young (ayoung)19:41
lbragstadbut it will be more useful once we get the project-scoped bits check in the APIs themselves19:41
lbragstad(because we'll actually be giving power to project administrators without exposing too much information about the deployment19:42
openstackgerritMerged openstack/keystone master: Handle TODO notes for using new_user_ref  https://review.openstack.org/53487919:42
cmurphylbragstad: i guess my confusion comes from the fact that right now they have to have a project scope in order to do things like create_domain_config19:42
lbragstadtrue..19:43
lbragstadi guess that would mean that the upgrade path would be;19:43
lbragstad1.) admin has to grant themselves admin on the system19:43
lbragstad2.) grant all admins admin on the system19:43
lbragstad3.) teach them how to use system scope19:43
lbragstad4.) flip the enforcement bit in configuration19:44
cmurphy5) add logic to understand what "project" scope means in the new world and add back the "projec" scope_type19:44
cmurphyproject*19:45
lbragstad++19:45
lbragstadstep 5 is what gives the power to project administrators19:45
*** AlexeyAbashkin has joined #openstack-keystone19:45
lbragstador administrators that are not system administrators19:45
cmurphyso probably almost everything that's ADMIN_REQUIRED right now should only have a system scope_type?19:45
lbragstad:-/19:46
lbragstadpretty much19:46
lbragstadbecause we don't really do any project-scoped token checks in code at all19:46
lbragstadotherwise - what would it look like if we kept scope_types as ['system', 'project']?19:47
lbragstad1.) system administrators keep using project scoped tokens to do system level stuff19:47
lbragstad2.) we write code to pull the project scope checking into the domain_config API19:47
lbragstad3.) system administrators assign themselves admin on the system19:49
lbragstad4.) they start using system scoped tokens to manage system-level resources19:49
*** AlexeyAbashkin has quit IRC19:49
cmurphythere would be a step between 2 and 3 where they are still using project-scoped tokens to do system-scoped things but the behavior changes on them19:50
lbragstadyeah19:50
lbragstadwell...19:51
lbragstadit would be between 3 and 419:51
lbragstadbecause they'd still need to flip the bit in configuration?19:51
lbragstadto enforce scope, right?19:51
cmurphyah yeah19:51
lbragstadso - which migration is better?19:52
cmurphyi think the first one is better - everything that's "admin required" right now is basically a system-scoped operation, that's an easy thing to understand and transition to19:52
lbragstadit also means we don't accidentally let an operator use their foot gun if they decide to flip that configuration early19:53
cmurphyif there's this gray area where both system and project scope work but flipping the switch makes them behave differently that's a little awkward19:53
cmurphyright19:53
lbragstadbecause if an operator starts assigning people admin on projects, but then flips the switch and we haven't written that code...19:54
lbragstadthen that's a possible breach of security19:54
cmurphyyep19:54
lbragstadok - so i need to respin a lot of these and add clearer FIXME comments19:55
cmurphywhile we're on the subject i had a thought while reading the one for credentials19:57
cmurphythat some things are really not system-scoped or project-scoped19:57
cmurphythey're just user-scoped19:57
lbragstadyeah19:58
cmurphyit kind of came up in boston when we were talking about unified limits and wondering what to do about things like nova ssh-keys which are just user resources19:58
cmurphywe sort of need something to describe that19:58
*** bigdogstl has joined #openstack-keystone19:58
*** raildo has quit IRC19:58
lbragstadyeah - i agree19:58
lbragstadi guess i've been describing it as an "in-code policy check"19:59
lbragstadwhich isn't very useful... but it's about all i can come up with19:59
lbragstadsince it consists of checking the attributes of the token and comparing it to what the user actually wants and making a decision based on that information19:59
cmurphyyeah that's kind of what i hacked into application credentials20:00
lbragstadright - and i think that is where that kind of stuff should be20:00
cmurphyokay, that makes sense at least for now20:01
lbragstaddo you have any suggestions for what to call it?20:01
cmurphybut then what scope_type do we set in the policy? or should those things even have policy rules?20:01
lbragstaduser-scope?20:01
lbragstadi would say that is a ['system', 'project'] scope_types thing...20:01
lbragstadsince we're doing most of the policy enforcement in code20:01
lbragstadand we're using scope_types as a pass through :-/20:01
lbragstadessentially...20:02
cmurphyi was thinking either creating a new scope called user-scope or bringing back default projects and having each user have their own implicit project20:02
lbragstadhmmm20:03
*** bigdogstl has quit IRC20:03
lbragstadi kinda like the user-scope thing...20:03
lbragstadbut how do we determine that from a token?20:03
lbragstador does it need to be determined from the token?20:03
cmurphynot sure20:04
cmurphymaybe we can whiteboard it at the ptg20:04
lbragstadyeah...20:04
lbragstadadded it to the idea sheet20:05
*** pramodrj07 has joined #openstack-keystone20:07
openstackgerritLance Bragstad proposed openstack/keystone master: Add scope_types to group policies  https://review.openstack.org/52570620:10
lbragstadexample of how i'll update the rest that have similar cases ^20:11
cmurphyso - right now, with complicated mangling of policy files, it is possible for a domain admin to create a user for their domain, right?20:14
openstackgerritLance Bragstad proposed openstack/keystone master: Add scope_types to domain config policies  https://review.openstack.org/52615320:17
openstackgerritLance Bragstad proposed openstack/keystone master: Add scope_types to domain config policies  https://review.openstack.org/52615320:18
lbragstadhow so?20:19
*** abhishek has quit IRC20:20
openstackgerritLance Bragstad proposed openstack/keystone master: Add scope_types to group policies  https://review.openstack.org/52570620:21
cmurphyi'm not sure, i assumed it could be done but i never knew how. probably a bad assumption :)20:22
*** fried_rolls is now known as fried_rice20:23
openstackgerritLance Bragstad proposed openstack/keystone master: Add scope_types to service provider policies  https://review.openstack.org/52617320:24
lbragstadmaybe depending on the domain configuration? i think the default create user policy requires an admin?20:26
*** AlexeyAbashkin has joined #openstack-keystone20:27
*** bigdogstl has joined #openstack-keystone20:29
*** AlexeyAbashkin has quit IRC20:31
openstackgerritLance Bragstad proposed openstack/keystone master: Document fixes needed token scope_types  https://review.openstack.org/52617420:34
lbragstadcmurphy: ^ that's a fun one...20:34
openstackgerritLance Bragstad proposed openstack/keystone master: Document fixes needed for token scope_types  https://review.openstack.org/52617420:35
cmurphyoof20:36
lbragstadglad that one didn't sneak through20:37
openstackgerritLance Bragstad proposed openstack/keystone master: Document fixes needed for token scope_types  https://review.openstack.org/52617420:40
*** bigdogstl has quit IRC20:40
cmurphylbragstad: so the rule for check_token is admin_or_token_subject where token_subject has nothing to do with scope at all20:40
lbragstadcorrect20:40
cmurphyso could that one have a system scope, which is where 'admin' would come into play, and just not a project scope yet?20:41
*** mvenesio has joined #openstack-keystone20:42
lbragstadwhat would happen if enforce_scope was true though?20:42
cmurphythe check string is user_id:%(target.token.user_id)s - would enforce_scope break that?20:43
cmurphyit's not a project scope20:43
cmurphyit's a different property of the token20:44
lbragstadchecking the oslo.policy logic quick20:44
lbragstadyeah- it would compare the scope_types before executing the check (which is an OR statement)20:46
lbragstadhttps://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L84520:46
cmurphyhrm :/20:46
*** mvenesio has quit IRC20:46
lbragstadthe scope types will short circuit the check if enforce_scope is enabled20:46
* lbragstad is starting to like the idea of user-scope more and more20:47
cmurphychecking a token should be an unscoped operation20:47
lbragstadyeah...20:47
lbragstadlike.. teach oslo.policy about user-scope and set that to be a user-scoped operation in keystone20:47
*** mvenesio has joined #openstack-keystone20:47
lbragstadif you have a valid token, you have user scope20:47
cmurphyor maybe just teach oslo.policy about unscoped20:48
lbragstadit's only an unscoped operation if you're validating your own token though20:48
cmurphythat's true20:48
lbragstadi guess scope starts to matter when you start doing things to other people's tokens20:49
gagehugocmurphy lbragstad looking at ksa now20:50
cmurphylbragstad: so what happens if we leave it without a scope type?20:53
lbragstadcmurphy: https://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L84520:53
lbragstadit's only checked against the token scope if the scope_types attribute is set20:54
lbragstadso it'll just keep doing what it's doing today with the default check_str20:55
*** aojea has joined #openstack-keystone20:56
cmurphyokay20:57
*** bigdogstl has joined #openstack-keystone21:02
*** aojea_ has joined #openstack-keystone21:02
gagehugocmurphy lbragstad ksa worked great for app creds21:03
cmurphyyay \o/21:05
*** aojea has quit IRC21:05
*** bigdogstl has quit IRC21:06
*** aojea has joined #openstack-keystone21:07
gagehugonot sure if we should merge it now though before keystone proper?21:08
gagehugoI know the deadline is now21:09
*** aojea_ has quit IRC21:10
cmurphywe kind of have to do it now21:10
cmurphyit doesn't hurt to have it in even if there's no server that works with it yet21:11
*** aojea_ has joined #openstack-keystone21:12
knikollaas long as we don't do a release.21:13
gagehugook21:14
*** aojea has quit IRC21:14
knikollawhat does lbragstad think?21:15
*** aojea__ has joined #openstack-keystone21:17
*** aojea_ has quit IRC21:20
*** aojea_ has joined #openstack-keystone21:22
*** ayoung has quit IRC21:25
*** aojea__ has quit IRC21:25
*** aojea__ has joined #openstack-keystone21:27
lbragstadright21:28
lbragstadif it is there before we merge the keystone bits that's fine21:28
lbragstadwe did the same thing with system scope, which is still in review21:28
*** mvenesio has quit IRC21:29
*** aojea_ has quit IRC21:30
*** aojea has joined #openstack-keystone21:32
*** aojea__ has quit IRC21:35
*** bigdogstl has joined #openstack-keystone21:36
*** aojea_ has joined #openstack-keystone21:36
*** aojea has quit IRC21:39
lbragstadcc knikolla gagehugo ^21:40
kmallocknikolla: it shouldn't matter if we merge it21:41
kmalloceven without a release21:41
kmallocwe should merge KSA and release21:41
kmallocthen work on system side21:41
kmalloc(keystone server side)21:41
kmalloceven with*21:41
knikollakmalloc: sounds good. i fully agree after putting some thought into it. since ksa will be used with older keystone server releases anyway.21:42
kmallocyep21:42
*** aojea__ has joined #openstack-keystone21:42
*** bigdogstl has quit IRC21:45
*** aojea_ has quit IRC21:45
gagehugook21:48
lbragstadsend it!21:49
*** nkinder has quit IRC21:49
*** aojea__ has quit IRC21:51
*** aojea has joined #openstack-keystone21:52
openstackgerritGage Hugo proposed openstack/keystone master: Move token_formatter to token  https://review.openstack.org/52753821:53
*** aojea_ has joined #openstack-keystone21:57
*** aojea has quit IRC22:01
*** tesseract has quit IRC22:01
*** nkinder has joined #openstack-keystone22:02
*** aojea has joined #openstack-keystone22:03
*** aojea_ has quit IRC22:06
*** bigdogstl has joined #openstack-keystone22:06
*** aojea_ has joined #openstack-keystone22:07
*** spilla has quit IRC22:09
*** aojea has quit IRC22:10
*** bigdogstl has quit IRC22:11
*** aojea has joined #openstack-keystone22:13
*** aojea_ has quit IRC22:15
openstackgerritGage Hugo proposed openstack/keystone master: Move token_formatter to token  https://review.openstack.org/52753822:17
*** aojea_ has joined #openstack-keystone22:18
openstackgerritLance Bragstad proposed openstack/keystoneauth master: Add documentation and release note for app creds  https://review.openstack.org/53586722:18
*** aojea has quit IRC22:21
*** aojea has joined #openstack-keystone22:23
*** aojea has quit IRC22:23
*** aojea_ has quit IRC22:26
openstackgerritLance Bragstad proposed openstack/keystone master: Document scope_types for ec2 policies  https://review.openstack.org/52619122:31
*** edmondsw has quit IRC22:37
*** bigdogstl has joined #openstack-keystone22:37
openstackgerritLance Bragstad proposed openstack/keystone master: Document scope_types for credential policies  https://review.openstack.org/52618922:38
*** bigdogstl has quit IRC22:43
openstackgerritMerged openstack/keystoneauth master: Add support for application credentials  https://review.openstack.org/53445522:45
*** dave-mcc_ has quit IRC22:58
openstackgerritLance Bragstad proposed openstack/keystone master: Add scope_types for user policies  https://review.openstack.org/52620323:00
*** itlinux has quit IRC23:00
*** itlinux has joined #openstack-keystone23:02
lbragstadgood work this week everyone... we hammered through a lot of stuff! thanks for the bandwidth and being awesome23:04
cmurphy:D23:04
*** bigdogstl has joined #openstack-keystone23:05
gagehugo:)23:08
gagehugoI should be around this weekend if anything else needs done23:10
* cmurphy too23:12
*** bigdogstl has quit IRC23:16
openstackgerritLance Bragstad proposed openstack/keystone master: Document scope_types for project policies  https://review.openstack.org/52615923:18
lbragstadsame here23:18
lbragstadi'm going to try and have the release for ksa squared away and ready by sunday night23:18
lbragstadso we can get that rolling first thing monday23:19
*** bigdogstl has joined #openstack-keystone23:20
*** AlexeyAbashkin has joined #openstack-keystone23:22
openstackgerritColleen Murphy proposed openstack/python-keystoneclient master: Add CRUD support for application credentials  https://review.openstack.org/53496523:22
*** esp has quit IRC23:23
*** AlexeyAbashkin has quit IRC23:26
*** bigdogstl has quit IRC23:27
*** bigdogstl has joined #openstack-keystone23:27
openstackgerritGage Hugo proposed openstack/keystone master: Add functional testing gate  https://review.openstack.org/53101423:39
*** bigdogstl has quit IRC23:40
-openstackstatus- NOTICE: Zuul will be offline over the next 20 minutes to perform maintenance; active changes will be reenqueued once work completes, but new patch sets or approvals during that timeframe may need to be rechecked or reapplied as appropriate23:42
openstackgerritGage Hugo proposed openstack/keystone master: Add functional testing gate  https://review.openstack.org/53101423:46
*** itlinux has quit IRC23:47
*** bigdogstl has joined #openstack-keystone23:49
*** itlinux has joined #openstack-keystone23:50
