Wednesday, 2018-01-31

« Tuesday, 2018-01-30 Index Thursday, 2018-02-01 »
*** zhurong has joined #openstack-keystone00:20
*** kmalloc has quit IRC00:29
*** zhurong has quit IRC00:37
*** Dinesh_Bhor has joined #openstack-keystone00:37
*** markvoelker has quit IRC00:43
*** markvoelker has joined #openstack-keystone00:44
*** Dinesh_Bhor has quit IRC00:47
*** markvoelker has quit IRC00:48
*** zhurong has joined #openstack-keystone00:50
*** Dinesh_Bhor has joined #openstack-keystone00:51
*** Dinesh_Bhor has quit IRC01:01
*** r-daneel has quit IRC01:04
*** rcernin has joined #openstack-keystone01:09
*** dave-mccowan has joined #openstack-keystone01:13
*** Neptu_ has quit IRC01:13
*** Neptu has joined #openstack-keystone01:16
*** gongysh has joined #openstack-keystone01:19
*** markvoelker has joined #openstack-keystone01:30
*** zhongjun has joined #openstack-keystone01:34
openstackgerritwangqiang-bj proposed openstack/keystone master: add 'tags' in request body of projects  https://review.openstack.org/53776201:41
*** Dinesh_Bhor has joined #openstack-keystone02:02
*** gongysh has quit IRC02:03
*** Dinesh_Bhor has quit IRC02:05
*** Dinesh_Bhor has joined #openstack-keystone02:05
lbragstadwxy: o/02:07
lbragstadi have a couple patches up to document limits https://review.openstack.org/#/c/538312 and https://review.openstack.org/#/c/53832202:07
*** Dinesh_Bhor has quit IRC02:08
wxylbragstad: yeah, I saw it. I left comment there for `user_id`02:08
wxylbragstad, have you saw that?02:09
lbragstadchecking02:09
wxyhttps://review.openstack.org/#/c/538312 this one.02:09
lbragstadoh - yeah.. good point02:10
lbragstadi can make some adjustment to clarify that02:10
wxyotherwise they are both awesome. You know, I can't write this kind of doc unobstructed in English. ;)02:11
*** harlowja has quit IRC02:15
lbragstadi just wanted to make sure you reviewed the model one for sure02:20
wxylbragstad: I think it's good. But I'm not sure we should land it now since the related quota model and APIs code have not been added to Keystone yet.02:23
lbragstadwhich parts?02:29
wxyhttps://review.openstack.org/#/c/538322 ``GET /limits-model``02:30
lbragstadoh yeah02:30
lbragstadi can make that more apparent in the NOTE02:34
wxylbragstad: cool.02:35
*** rcernin has quit IRC02:35
lbragstadwxy: since you were the master mind behind the unified limit implementation, do you have any cleanup bits you wanna do as rocky opens?02:43
lbragstador do you have any ideas about how things should look as we start working on the enforcement models stuff?02:43
wxylbragstad: this is what I'm think these days. I'll update the spec about it. I'm sure it'll be done before PTG.02:45
*** d0ugal has quit IRC02:50
lbragstadcool02:53
*** Dinesh_Bhor has joined #openstack-keystone02:55
*** Pramod has quit IRC03:05
*** Dinesh_Bhor has quit IRC03:06
*** mgagne has quit IRC03:22
*** melwitt has quit IRC03:23
*** chris_hultin has quit IRC03:23
*** jamielennox has quit IRC03:23
*** mgagne has joined #openstack-keystone03:24
*** chris_hultin|AWA has joined #openstack-keystone03:24
*** mgagne is now known as Guest8724003:24
*** chris_hultin|AWA is now known as chris_hultin03:24
*** melwitt has joined #openstack-keystone03:25
*** jamielennox has joined #openstack-keystone03:29
*** zhurong has quit IRC03:46
*** david-lyle has quit IRC04:26
*** david-lyle has joined #openstack-keystone04:27
*** dave-mccowan has quit IRC04:32
*** vish_18 has quit IRC04:37
*** rcernin has joined #openstack-keystone04:50
*** harlowja has joined #openstack-keystone04:51
*** rcernin has quit IRC04:51
*** rcernin has joined #openstack-keystone04:52
*** markvoelker has quit IRC05:06
*** links has joined #openstack-keystone05:07
*** jose-phillips has quit IRC05:13
*** jose-phi_ has joined #openstack-keystone05:13
*** mylu has quit IRC05:24
*** zhurong has joined #openstack-keystone05:47
*** threestrands has quit IRC05:51
*** threestrands has joined #openstack-keystone06:01
*** threestrands has joined #openstack-keystone06:01
*** daidv has quit IRC06:08
*** zhurong has quit IRC06:49
*** wangqiang has joined #openstack-keystone06:57
*** wangqiang has quit IRC07:00
*** harlowja has quit IRC07:01
*** itlinux has joined #openstack-keystone07:02
*** wangqiangbj has joined #openstack-keystone07:06
*** wangqiangbj has quit IRC07:07
*** rcernin has quit IRC07:08
*** markvoelker has joined #openstack-keystone07:11
*** itlinux has quit IRC07:15
*** jaosorior has quit IRC07:26
*** gongysh has joined #openstack-keystone07:29
*** gongysh has quit IRC07:35
*** zhurong has joined #openstack-keystone07:38
*** markvoelker has quit IRC07:42
*** jaosorior has joined #openstack-keystone07:43
*** daidv has joined #openstack-keystone07:46
*** pcaruana has joined #openstack-keystone07:51
*** AlexeyAbashkin has joined #openstack-keystone07:51
*** AlexeyAbashkin has quit IRC07:51
*** AlexeyAbashkin has joined #openstack-keystone07:52
openstackgerritMerged openstack/keystone master: Fix federation unit test  https://review.openstack.org/53159908:15
*** rcernin has joined #openstack-keystone08:16
*** tesseract has joined #openstack-keystone08:20
*** itlinux has joined #openstack-keystone08:21
*** rcernin has quit IRC08:26
openstackgerritMerged openstack/keystone master: Handle TZ change in iso8601 >=0.1.12  https://review.openstack.org/53826308:27
*** sinese has joined #openstack-keystone08:37
*** markvoelker has joined #openstack-keystone08:39
*** zhurong_ has joined #openstack-keystone08:47
*** edmondsw has joined #openstack-keystone08:50
*** wangqiang has joined #openstack-keystone08:53
*** namnh has joined #openstack-keystone08:54
*** edmondsw has quit IRC08:54
*** lxnch_ has quit IRC08:56
*** d0ugal has joined #openstack-keystone09:05
*** rcernin has joined #openstack-keystone09:05
*** markvoelker has quit IRC09:12
openstackgerritColleen Murphy proposed openstack/keystone master: Delete SQL users before deleting domain  https://review.openstack.org/53934709:16
*** abhi89 has joined #openstack-keystone09:27
openstackgerritColleen Murphy proposed openstack/keystone master: Delete SQL users before deleting domain  https://review.openstack.org/53934709:31
abhi89cmurphy: Hi Colleen09:34
cmurphyabhi89: hi09:36
abhi89i have gone through your video on federated identity & I have a doubt..09:37
abhi89cmurphy: to get a token we need both username & password.. in federated identity, we get saml assertion saying that the user has been authenticated & then we map the response to format which keystone understands.. but we still don't have the password to get token.. how is this handled? i mean how do we get the token from keystone even though we didnot get password from IdP..09:37
cmurphyabhi89: when you're using a federated auth method you don't need a password to get a token any more09:40
cmurphyabhi89: when the federated auth is complete you get an unscoped token, and then you can use the token auth method instead of the password auth method to get a scoped token09:42
abhi89cmurphy: i use /v3/auth/tokens api to get token.. is there any special federated api to get the unscoped token you mentioned09:44
cmurphyabhi89: yes there is, it will be either https://developer.openstack.org/api-ref/identity/v3-ext/#request-an-unscoped-os-federation-token or https://developer.openstack.org/api-ref/identity/v3-ext/#web-single-sign-on-authentication-new-in-version-1-2 and those are the locations you'll need to protect with mod_shib or mod_mellon in your apache config09:46
cmurphylike so http://www.gazlene.net/demystifying-keystone-federation.html#set-up-apache09:47
abhi89cmurphy: oh ok.. thanks for the info.. on more thing.. we are trying to get federated identity in our openstack based solution.. we use our own dashboard & not horizon.. so will this make any difference.. i mean we can still achieve the federation with just CLI right?09:50
cmurphyabhi89: yes it does work with the CLI09:50
cmurphyand you can look at horizon to see how it works with federation if you want to implement it, it's pretty simple09:51
cmurphyabhi89: well, correction, SAML auth works with the CLI, OpenIDC does not really work09:52
abhi89cmurphy: we will be using SAML and not openIDC so we are good there09:52
cmurphycool09:55
abhi89thanks a lot for the info :)09:55
cmurphyno problem09:55
*** markvoelker has joined #openstack-keystone10:09
*** annp has quit IRC10:14
*** namnh has quit IRC10:15
*** zhurong has quit IRC10:19
*** bhagyashri_s is now known as bhagyashris10:24
*** sambetts|afk is now known as sambetts10:27
*** abhi89 has quit IRC10:41
*** markvoelker has quit IRC10:42
*** josecastroleon has joined #openstack-keystone10:46
*** zhurong_ has quit IRC10:48
*** wangqiang has quit IRC10:51
*** belmoreira has joined #openstack-keystone10:52
*** mvk has quit IRC11:01
*** jmlowe has quit IRC11:02
*** AlexeyAbashkin has quit IRC11:09
*** AlexeyAbashkin has joined #openstack-keystone11:15
*** sinese has quit IRC11:17
*** mvk has joined #openstack-keystone11:30
*** markvoelker has joined #openstack-keystone11:39
*** dmellado has joined #openstack-keystone11:40
dmelladoHi everyone11:40
dmelladocould anyone tell me if it's possible to have devstack create the fallback 5000 and 35357 endpoints?11:40
*** itlinux has quit IRC11:55
*** Supun has joined #openstack-keystone11:58
*** threestrands has quit IRC12:08
*** dave-mccowan has joined #openstack-keystone12:09
*** raildo has joined #openstack-keystone12:12
*** markvoelker has quit IRC12:12
cmurphydmellado: i think if you set KEYSTONE_DEPLOY=mod_wsgi then it uses the ports instead of the uwsgi proxy12:19
dmelladocmurphy: I'll be giving it a try, thanks!12:20
cmurphyno problem12:20
*** rcernin has quit IRC12:58
*** markvoelker has joined #openstack-keystone13:09
*** edmondsw has joined #openstack-keystone13:22
*** mvenesio has joined #openstack-keystone13:23
*** Supun has quit IRC13:26
*** mvenesio has quit IRC13:34
*** mvenesio has joined #openstack-keystone13:34
*** markvoelker has quit IRC13:37
*** alex_xu has quit IRC13:37
*** markvoelker has joined #openstack-keystone13:37
*** alex_xu has joined #openstack-keystone13:39
*** Supun has joined #openstack-keystone13:45
*** gongysh has joined #openstack-keystone13:49
*** abhi89 has joined #openstack-keystone13:53
*** panbalag has joined #openstack-keystone13:53
*** panbalag has left #openstack-keystone14:00
*** itlinux has joined #openstack-keystone14:02
*** sinese has joined #openstack-keystone14:02
*** jmlowe has joined #openstack-keystone14:04
*** pcaruana has quit IRC14:05
*** Supun has quit IRC14:07
*** Supun has joined #openstack-keystone14:11
*** tobberydberg__ has joined #openstack-keystone14:15
*** tobberydberg__ has quit IRC14:15
*** tobberydberg__ has joined #openstack-keystone14:16
*** pcaruana has joined #openstack-keystone14:21
*** sxc731_ has joined #openstack-keystone14:23
*** links has quit IRC14:27
*** sxc731_ has quit IRC14:28
*** sxc731_ has joined #openstack-keystone14:38
*** sxc731_ has quit IRC14:42
lbragstadnow that we're officially past library freeze14:42
lbragstadthese are probably going to have to wait until Rocky https://review.openstack.org/#/c/524416/ and https://review.openstack.org/#/c/481284/14:42
lbragstadunfortunately...14:42
lbragstadhttps://review.openstack.org/#/c/526189/ should be ready for another review14:46
lbragstadsame with https://review.openstack.org/#/c/526171/14:46
lbragstadand https://review.openstack.org/#/c/526197/ https://review.openstack.org/#/c/526203/ and https://review.openstack.org/#/c/525701/14:46
lbragstadthat should take care of everything for feature freeze... the application credential stuff is scarily close to actually merging :)14:47
*** sxc731_ has joined #openstack-keystone14:47
*** spilla has joined #openstack-keystone14:47
cmurphydon't say that you'll jinx it14:48
*** pcaruana has quit IRC14:48
dmelladoheh14:49
cmurphycrossing all of my limbs that the auth plugin makes it in and if anything else fails i'm just going to unparent the release note patch and get that in and call it done14:49
*** abhi89 has quit IRC14:49
*** sxc731_ has quit IRC14:53
lbragstadi hear ya...14:55
*** sxc731 has joined #openstack-keystone14:55
lbragstadi mean - the rest of the stuff outside of that is just scope_types14:56
lbragstadwhich can be added anytime really...14:56
*** Supun has quit IRC14:56
openstackgerritMerged openstack/keystone master: Use native Zuul v3 tox job  https://review.openstack.org/53778714:58
*** sxc731 has quit IRC14:59
dmelladohmmm lbragstad cmurphy I'm not sure if I'm doing some odd thing but adding KEYSTONE_DEPLOY=mod_wsgi to my local.conf15:01
dmelladois still adding uwsgi15:01
dmelladoam I missing something?15:01
*** sxc731 has joined #openstack-keystone15:02
bhagyashrisHi team can any one please tell me where i will catch Morgan Fainberg15:02
cmurphydmellado: not sure :/ i found that by looking at lib/keystone in devstack but i haven't tried to make it work in a while15:03
lbragstadit could be an issue with devstack, too... i'm not sure15:03
cmurphybhagyashris: he's kmalloc on irc, i think he's on vacation this week and doesn't seem to be online15:04
cmurphybhagyashris: is there something we can help you with?15:04
dmelladocmurphy: lbragstad for the record, this is my dreaded local.conf15:05
dmelladohttps://paste.fedoraproject.org/paste/KVYgPtOLKIDp6kocF0xJgQ15:05
dmelladoI tired to be specific on the keystone bits15:05
bhagyashriscmurphy: Actually i want to discuss with him regarding the comment given on patch https://review.openstack.org/#/c/505764/615:05
*** sxc731 has quit IRC15:05
dmelladotired/tried xD15:05
*** Supun has joined #openstack-keystone15:07
bhagyashriscmurphy: i have one question is it possible to alias the logger name when we log the messages using the logging.conf15:08
bhagyashriscmurphy: i mean is there any provision we can alias the logger name?15:08
cmurphydmellado: yeah, sorry i'm not a devstack expert so i'm not sure what's up without running it myself15:09
cmurphybhagyashris: mordred would be a good person to ask about that15:09
dmelladocmurphy: np! thanks for the hint in any case, I'm digging up into lib/apache now15:10
dmelladomordred: any hint on that? ^^15:10
bhagyashriscmurphy: ok thank you :)15:10
bhagyashrismordred: yeah15:10
lbragstaddmellado: someone in #openstack-qa might be able to help there, too15:10
lbragstadwhich is where most of the devstack folks hangout15:11
dmelladoandreaf: ^^15:11
dmelladolbragstad: thanks, sadly I know xD15:11
*** sxc731 has joined #openstack-keystone15:11
dmelladodevstack changes just so much every time I need to do anything with it xD15:11
*** alex_xu has quit IRC15:11
lbragstadah - yes it does15:11
cmurphydmellado: is there a reason you want to run it with ports instead of the default way?15:12
cmurphyrunning on standard ports is encouraged15:12
dmelladocmurphy: basically for the sake of  backwards compatibility15:12
dmelladoI need to attach an appliance15:12
dmelladowhich only has ip and port support15:12
dmelladoso no /foo15:12
cmurphyah :(15:12
dmelladoI tried port 80 and /identity but no luck15:12
*** alex_xu has joined #openstack-keystone15:13
cmurphythat should work :/15:13
dmelladomy guess it doesn't work well with fqdn, just ips15:13
dmelladoand I thought that rather than try to attack the appliance itself it would be easier to tweak devstack15:14
*** pcaruana has joined #openstack-keystone15:14
andreafdmellado: what's up? I haven't read the whole scroll-back yet15:14
*** sxc731 has quit IRC15:14
dmelladoandreaf: o/15:14
dmelladobasically I'm trying to set up a devstack with keystone and mod_wsgi15:14
dmelladousing KEYSTONE_DEPLOY=mod_wsgi15:15
dmelladoso I could get back the former 5000 and 35357 endpoints15:15
dmelladoso far it didn't work, using uwsgi even when I specified that15:15
dmelladohttps://paste.fedoraproject.org/paste/KVYgPtOLKIDp6kocF0xJgQ15:15
dmelladothis is my fancy local.conf15:15
andreafdmellado: for the v2 api or v3?15:15
dmelladohopefully, both15:16
dmelladobut I'd be fine with whichever15:16
dmelladoI tried v315:16
cmurphylbragstad: https://review.openstack.org/#/c/525346/ is about to fail tempest T.T15:16
* cmurphy dies15:16
andreafbecause v2 had public and admin endpoints, which was the reason for the two ports if I remember correctly15:16
andreafdmellado: but in v3 there's no such distinction anymore15:17
lbragstadcmurphy: you've gotta be kidding me... this is ridiculous15:17
dmelladoandreaf: yeah, but shouldn't it try to at least use mod_wsgi if specified instead of uwsgi?15:17
mordredbhagyashris: morning!15:17
andreafdmellado: I don't think any job runs mod_wsgi so there's no guarantee it will work I fear15:17
* dmellado sighs15:18
dmelladoI see, so it'd probably just stopped working at some point15:18
dmelladowill try to debug through it15:18
dmelladothanks in any case andreaf15:18
mordredbhagyashris: oh yeah - I keep forgetting - we need to add a constructor parameter to Session ...15:18
*** itlinux has quit IRC15:18
andreafdmellado: np - but why do you need the two ports back if I may ask?15:19
dmelladobasically I need to hook up an appliance15:19
dmelladowhich doesn't work well with the new /identity endpoint15:19
cmurphylbragstad: tempest.api.volume.admin.test_group_snapshots.GroupSnapshotsV319Test.test_reset_group_snapshot_status failed15:19
* cmurphy kicks cinder15:19
dmelladoso I just wanted to get back to the deprecated 5000 and 3535715:19
*** Supun has quit IRC15:22
cmurphylbragstad: oh wait, it's queued behind another cinder change, maybe it'll get a chance to rerun without losing its place in line15:22
lbragstadso - the check queue is running at about 5 hours rightn ow15:22
lbragstadcmurphy: i hope you're right15:23
lbragstadi'm not up-to-date the how zuul does queuing15:23
lbragstadin cases like this15:24
*** david-lyle has quit IRC15:24
*** dklyle has joined #openstack-keystone15:24
mordredlbragstad: in the gate, it makes a virtual serial queue containing approved changes for everything that is in the 'integrated' queue15:26
*** Guest87240 is now known as mgagne15:27
*** mgagne has joined #openstack-keystone15:27
lbragstadmordred: we have a change we've been trying to get through the gate for a week https://review.openstack.org/#/c/525346/15:27
lbragstadand it tripped over an unrelated thing again15:28
mordredlbragstad: then it tests those changes in parallel, assuming that changes are going to pass - however, if a change ahead of you in the queue fails, zuul ejects it from the queue and rebuilds the queue behind the failure15:28
lbragstaddamn...15:28
mordredlbragstad: yah - it's not been a good week15:28
cmurphyi'm hoping that 538314 fails so it can run again15:28
cmurphysorry cinder15:28
mordredcmurphy: :)15:28
lbragstadcan we come up with a James Marsden award for features?15:29
openstackgerritMonty Taylor proposed openstack/keystoneauth master: Split request logging into four different loggers  https://review.openstack.org/50576415:33
*** Supun has joined #openstack-keystone15:33
mordredbhagyashris: cmurphy: ^^ I think that sohuld address morgan's concerns15:34
*** links has joined #openstack-keystone15:35
cmurphythanks mordred15:36
*** abhi89 has joined #openstack-keystone15:38
*** abhishek has joined #openstack-keystone15:42
*** phalmos has joined #openstack-keystone15:45
*** abhi89 has quit IRC15:45
*** jose-phi_ has quit IRC16:01
*** abhishek has quit IRC16:02
lbragstadping raildo, ktychkova, rderose, htruta, hrybacki, atrmr, gagehugo, lamt, thinrichs, edmondsw, ruan_he, ayoung, kmalloc, raj_singh, johnthetubaguy, knikolla, nhelgeson16:04
lbragstadreminder about the policy meeting in -cp16:04
*** Supun has quit IRC16:06
*** Supun has joined #openstack-keystone16:06
*** efried_hexchat has quit IRC16:08
*** daidv has quit IRC16:09
*** belmoreira has quit IRC16:10
*** daidv has joined #openstack-keystone16:11
*** phalmos has quit IRC16:11
*** belmoreira has joined #openstack-keystone16:18
*** Supun has quit IRC16:21
*** prometheanfire has left #openstack-keystone16:28
*** r-daneel has joined #openstack-keystone16:29
*** Supun has joined #openstack-keystone16:36
*** gongysh has quit IRC16:38
*** sinese has quit IRC16:39
*** pcaruana has quit IRC16:39
*** sinese has joined #openstack-keystone16:48
*** daidv has quit IRC16:52
*** sinese has quit IRC16:52
*** daidv has joined #openstack-keystone16:53
*** harlowja has joined #openstack-keystone17:02
*** belmoreira has quit IRC17:08
*** phalmos has joined #openstack-keystone17:08
*** Supun has quit IRC17:11
*** phalmos has quit IRC17:16
lbragstadcmurphy:  knikolla notes sent17:16
lbragstadcmurphy: when does https://review.openstack.org/#/c/525346/35 go back in the queue17:18
cmurphylbragstad: it's still in the queue17:19
cmurphyit's stuck behind a hung cinder job17:19
* lbragstad is waiting with a fresh recheck17:19
lbragstadi wonder if using RECHECK versus recheck will make a different17:20
lbragstadrecheck harder!17:20
knikollahaha17:20
knikollarecheck, please?17:20
lbragstadrecheck kthxbye17:20
*** links has quit IRC17:21
*** AlexeyAbashkin has quit IRC17:23
*** Supun has joined #openstack-keystone17:33
*** tesseract has quit IRC17:45
mordredlbragstad, cmurphy: I was just updating the docs for the split-loggers patch after having added the flag to control it ... and I think I'd like to argue that the original no-flag version was not an breaking change due to the way python logging works17:48
mordredlbragstad, cmurphy: currently (before the change) all session traffic is logged to 'keystoneauth.session' - the split change causes it to log to keystoneauth.session.request, keystoneauth.session.body, keystoneauth.session.response and keystoneauth.session.request-id17:49
mordredthe thing is - anyone who has been doing anything with logging related to the keystoneauth.session logger will still have the same results - since settings for keystoneauth.session apply to keystoneauth.session.* too17:50
*** rmcall has joined #openstack-keystone17:50
*** rmcall has quit IRC17:51
mordred(I've obviously got the update to introduce a flag - but updating the docs made me think about whether it actually was a break or not)17:51
*** rmcall has joined #openstack-keystone17:51
cmurphymordred: tbh i haven't looked closely at it but will do so17:51
openstackgerritMonty Taylor proposed openstack/keystoneauth master: Split request logging into four different loggers  https://review.openstack.org/50576417:52
mordredcmurphy: there it is with updated docs and a fix for the test17:52
mordredcmurphy: compare to PS6 for the 'is this or is this not a break needing the flag introduced in PS7/8'17:52
mordredcmurphy: and thanks!17:52
cmurphysure thing17:53
bretonlbragstad: re https://review.openstack.org/#/c/525772/17:54
bretonlbragstad: the patch is good, but17:54
bretonlbragstad: they use policy not only to check permissions for operations listed in policy.json or policies/ dir, but for some other17:57
lbragstadfor some other checks/17:59
lbragstad?17:59
bretonlbragstad: for example https://github.com/openstack/nova/blob/c1442d3c8cf9ab8a3cc6fe7e169c71e39abe1faf/nova/network/floating_ips.py#L16517:59
bretonlbragstad: yes17:59
bretonlbragstad: so they rely on policies in their code17:59
lbragstadmmm yeah - that's going to be something we need to look at17:59
bretonlbragstad: my guess is that all their is_admin is system scope18:00
lbragstadright18:00
lbragstadbecause that's how they have to work around those issues today18:00
lbragstadwe took a similar approach when adding scope_types to our policies18:01
bretonlbragstad: but even with your patch project-admin will have is_admin=True18:01
lbragstadright - because they still have the admin role, which trips that check18:01
bretonlbragstad: can we use scope type check in rules? Something like: "context_is_admin": "role:admin and scope:system"?18:02
lbragstadbreton: we have logic in oslo.policy to handle some of that18:03
lbragstadwhich is enabled through configuration18:03
lbragstadhttps://github.com/openstack/oslo.policy/blob/d72cc34d7a145d1091ca3f2f14e92007ffe16352/oslo_policy/policy.py#L84718:03
lbragstadwhich gives operators the ability to run things in a backwards compatible way until two things happen18:04
lbragstad1.) projects fix their policies to not queue of 'admin'18:04
lbragstad2.) operators audit their users and grant system level access to the people that need to access those APIs18:04
bretonok. I haven't read the spec yet, so i'll go back to my Newton-based setup :p18:06
ayoungbreton, in newton you can use is_admin project and we'll figure some scripting to port that to service scoped roles in the future18:07
bretonayoung: yep. But nova with its is_admin is still there.18:07
ayoungah...but we only got oslo-context working for Keystone this go-round...sorry, You'll need that18:07
ayoungbreton, oh, yea, you just need to rewrite all the policy rules everywhere18:07
* lbragstad breaks for lunch18:09
*** Supun has quit IRC18:14
*** AlexeyAbashkin has joined #openstack-keystone18:17
*** phalmos has joined #openstack-keystone18:24
*** mvenesio has quit IRC18:31
*** mvenesio has joined #openstack-keystone18:45
*** AlexeyAbashkin has quit IRC18:51
*** mvk has quit IRC18:52
*** harlowja has quit IRC18:52
cmurphyokay sweet the hanging cinder change was bumped from the queue so the keystone change is rerunning18:54
cmurphydon't jinx it this time18:54
*** david-lyle_ has joined #openstack-keystone18:58
*** dklyle has quit IRC19:01
*** freerunner has quit IRC19:06
*** NikitaKonovalov has quit IRC19:06
*** DinaBelova has quit IRC19:06
*** DinaBelova has joined #openstack-keystone19:07
*** NikitaKonovalov has joined #openstack-keystone19:07
*** freerunner has joined #openstack-keystone19:08
*** david-lyle_ is now known as dklyle19:08
*** tobberydberg__ has quit IRC19:14
*** tobberydberg__ has joined #openstack-keystone19:15
*** sambetts is now known as sambetts|afk19:19
*** tobberydberg__ has quit IRC19:19
* lbragstad stays quiet19:24
*** DinaBelova has quit IRC19:29
*** freerunner has quit IRC19:29
*** NikitaKonovalov has quit IRC19:29
*** aojea_ has joined #openstack-keystone19:36
*** harlowja has joined #openstack-keystone19:37
lbragstadcmurphy: this might be getting ahead of ourselves19:38
lbragstadbut what would we replace baremetal/vm with for a name?19:38
lbragstadcc johnthetubaguy ^19:38
lbragstadsince i think he was the original one to coin the name :)19:38
cmurphyit still applies if it's just nova/ironic that needs to talk19:39
lbragstadin boston we had an etherpad for that group that had stuff for cinder/neutron on it, too19:40
cmurphyidk maybe instead of selecting certain projects we should be selecting topics and then anyone it applies to should attend19:41
*** aojea__ has joined #openstack-keystone19:41
lbragstadyeah...19:41
*** gyee has joined #openstack-keystone19:42
lbragstadi'm terrible with naming things... but the question popped up in my head over lunch19:42
*** DinaBelova has joined #openstack-keystone19:42
*** NikitaKonovalov has joined #openstack-keystone19:43
*** freerunner has joined #openstack-keystone19:43
*** aojea_ has quit IRC19:44
*** aojea_ has joined #openstack-keystone19:47
*** aojea__ has quit IRC19:49
*** aojea__ has joined #openstack-keystone19:51
*** tobberydberg__ has joined #openstack-keystone19:53
*** tobberydberg__ has quit IRC19:54
*** aojea_ has quit IRC19:54
*** tobberydberg__ has joined #openstack-keystone19:55
*** aojea_ has joined #openstack-keystone19:57
*** aojea__ has quit IRC20:00
*** aojea_ has quit IRC20:06
*** rmascena has joined #openstack-keystone20:16
*** DinaBelova has quit IRC20:17
*** NikitaKonovalov has quit IRC20:17
*** freerunner has quit IRC20:17
*** DinaBelova has joined #openstack-keystone20:17
*** NikitaKonovalov has joined #openstack-keystone20:18
*** raildo has quit IRC20:19
*** NikitaKonovalov has quit IRC20:21
*** DinaBelova has quit IRC20:21
*** DinaBelova has joined #openstack-keystone20:22
*** NikitaKonovalov has joined #openstack-keystone20:22
*** freerunner has joined #openstack-keystone20:23
*** links has joined #openstack-keystone20:36
*** DinaBelova has quit IRC20:39
*** NikitaKonovalov has quit IRC20:39
*** freerunner has quit IRC20:39
*** DinaBelova has joined #openstack-keystone20:40
*** NikitaKonovalov has joined #openstack-keystone20:41
*** freerunner has joined #openstack-keystone20:41
*** aojea_ has joined #openstack-keystone20:46
*** aojea__ has joined #openstack-keystone20:51
*** aojea_ has quit IRC20:54
*** aojea_ has joined #openstack-keystone20:57
*** tobberydberg__ has quit IRC20:58
*** tobberydberg__ has joined #openstack-keystone20:58
*** aojea__ has quit IRC21:00
*** aojea__ has joined #openstack-keystone21:01
*** aojea_ has quit IRC21:04
*** aojea_ has joined #openstack-keystone21:07
*** tobberydberg__ has quit IRC21:08
*** tobberydberg__ has joined #openstack-keystone21:08
*** aojea__ has quit IRC21:10
*** aojea__ has joined #openstack-keystone21:12
*** aojea_ has quit IRC21:14
*** rmascena has quit IRC21:15
*** aojea_ has joined #openstack-keystone21:16
*** mvk has joined #openstack-keystone21:18
*** aojea__ has quit IRC21:19
*** mchlumsky has joined #openstack-keystone21:21
*** aojea__ has joined #openstack-keystone21:22
lbragstadgagehugo: i assume you're good with this https://review.openstack.org/#/c/537762/3 ?21:24
openstackgerritMerged openstack/keystone master: Add application credential auth plugin  https://review.openstack.org/52534621:24
openstackgerritMerged openstack/keystone master: Add api-ref for application credentials  https://review.openstack.org/53374421:24
lbragstadO.O21:24
openstackgerritMerged openstack/keystone master: Enable application_credential auth by default  https://review.openstack.org/53546921:24
lbragstadYAS!!!21:24
cmurphyOMG21:24
cmurphyOMG21:25
cmurphyOMG21:25
*** aojea_ has quit IRC21:25
* lbragstad tips hat to cmurphy21:25
lbragstadnice work21:25
cmurphy^.^21:25
*** aojea_ has joined #openstack-keystone21:27
*** rmcall has quit IRC21:27
*** aojea__ has quit IRC21:29
*** aojea__ has joined #openstack-keystone21:32
*** links has quit IRC21:32
*** aojea_ has quit IRC21:35
*** aojea_ has joined #openstack-keystone21:38
*** aojea__ has quit IRC21:39
*** aojea__ has joined #openstack-keystone21:43
*** aojea_ has quit IRC21:46
*** aojea_ has joined #openstack-keystone21:49
*** aojea__ has quit IRC21:52
*** aojea_ has quit IRC21:52
*** spilla has quit IRC21:56
lbragstadfyi - i removed the project tags and system scope osc patches from our review board since we're past library freeze :-/22:09
lbragstadthe project tags one looked good, but it needed reviews from python-openstackclient folks22:10
openstackgerritColleen Murphy proposed openstack/keystone master: Delete SQL users before deleting domain  https://review.openstack.org/53934722:11
cmurphyyeah definitely want to plan further ahead next time we want to add features in osc22:13
lbragstadat least we have client support in ksc22:16
lbragstadwhich is something at least22:16
openstackgerritMerged openstack/keystone master: Impose limits on application credentials  https://review.openstack.org/53654322:16
openstackgerritMerged openstack/keystone master: Add a release note for application credentials  https://review.openstack.org/53549322:16
lbragstadWOO!22:16
cmurphyOMG22:17
* cmurphy collapses22:17
lbragstadyeah - i'm pretty sure i'm going to sleep friday - monday22:18
cmurphyi'm pretty sure my productivity had hit the floor since i've been obsessing over the gate queue22:20
openstackgerritColleen Murphy proposed openstack/keystone master: Delete SQL users before deleting domain  https://review.openstack.org/53934722:22
openstackgerritLance Bragstad proposed openstack/keystone master: Document flat limit enforcement model  https://review.openstack.org/53832222:22
lbragstadcc wxy ^22:22
lbragstadtotally - it's like a hurry up and wait situation22:22
*** rmcall has joined #openstack-keystone22:23
*** mvenesio has quit IRC22:27
*** mvenesio has joined #openstack-keystone22:27
lbragstadit also makes me feel bad when i propose *more* patches when the gate is already really behind..22:29
lbragstadit's like a big game of jenga22:29
cmurphylol yeah every time something minor made it through the queue it was *sigh*22:30
lbragstad"sure, go ahead!"22:30
*** mvenesio has quit IRC22:31
*** edmondsw has quit IRC22:32
*** edmondsw has joined #openstack-keystone22:33
*** edmondsw has quit IRC22:37
*** rmcall has quit IRC22:49
gagehugowoo23:13
gagehugolbragstad yeah lgtm23:14
*** phalmos has quit IRC23:14
*** d0ugal has quit IRC23:20
*** rcernin has joined #openstack-keystone23:28
*** rcernin has quit IRC23:50
*** mchlumsky has quit IRC23:56
« Tuesday, 2018-01-30 Index Thursday, 2018-02-01 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!