Monday, 2018-02-12

*** zhurong has joined #openstack-keystone00:39
*** namnh has joined #openstack-keystone01:00
*** aloga has joined #openstack-keystone01:16
*** zhurong has quit IRC01:57
*** d0ugal_ has quit IRC02:03
*** d0ugal_ has joined #openstack-keystone02:13
*** nkinder has joined #openstack-keystone02:51
idleminddgedia ContextualVersionConflict: (python-keystoneclient 3.15.0 (/usr/local/lib/python2.7/dist-packages), Requirement.parse('python-keystoneclient!=1.8.0,!=2.1.0,<3.0.0,>=1.6.0'), set(['keystone']))02:55
idlemindDid you have python-keystoneclient installed before devstack by chance?02:55
*** d0ugal_ has quit IRC03:02
*** edmondsw has joined #openstack-keystone03:07
*** itlinux has quit IRC03:10
*** edmondsw has quit IRC03:11
*** d0ugal_ has joined #openstack-keystone03:12
*** links has joined #openstack-keystone03:44
*** itlinux has joined #openstack-keystone04:02
*** d0ugal_ has quit IRC04:06
*** dave-mccowan has quit IRC04:10
*** dave-mccowan has joined #openstack-keystone04:11
*** d0ugal_ has joined #openstack-keystone04:14
*** dave-mccowan has quit IRC04:18
*** jmlowe has joined #openstack-keystone04:20
*** jmlowe_ has quit IRC04:22
*** itlinux has quit IRC04:24
*** bhagyashris has joined #openstack-keystone04:29
*** itlinux has joined #openstack-keystone04:30
*** nicolasbock has quit IRC04:33
*** logan- has left #openstack-keystone04:48
*** brad[] has quit IRC05:03
*** brad[] has joined #openstack-keystone05:05
*** links has quit IRC06:07
*** itlinux has quit IRC06:10
openstackgerritDeepak Mourya proposed openstack/keystoneauth master: Override support message in AuthorizationFailure  class
*** links has joined #openstack-keystone06:51
*** martinus__ has joined #openstack-keystone07:28
*** AlexeyAbashkin has joined #openstack-keystone07:51
*** pcaruana has joined #openstack-keystone08:07
*** tesseract has joined #openstack-keystone08:18
*** rcernin has quit IRC08:39
*** d0ugal_ has quit IRC09:03
*** d0ugal has joined #openstack-keystone09:03
*** d0ugal has quit IRC09:03
*** d0ugal has joined #openstack-keystone09:03
*** brad[] has quit IRC09:20
*** brad[] has joined #openstack-keystone09:32
*** namnh has quit IRC10:08
*** wxy has quit IRC10:26
*** wxy has joined #openstack-keystone10:26
*** sambetts|afk is now known as sambetts11:06
*** jaosorior has joined #openstack-keystone11:10
*** bhagyashris has quit IRC11:38
*** bhagyashris has joined #openstack-keystone11:50
*** nicolasbock has joined #openstack-keystone11:53
*** dave-mccowan has joined #openstack-keystone12:08
*** jmlowe has quit IRC12:27
*** wxy has quit IRC12:36
*** r-daneel has joined #openstack-keystone12:56
*** edmondsw has joined #openstack-keystone13:15
*** edmondsw has quit IRC13:15
*** edmondsw_ has joined #openstack-keystone13:16
*** nkinder has quit IRC13:18
*** edmondsw_ is now known as edmondsw13:37
*** nicolasbock has quit IRC13:54
*** jmlowe has joined #openstack-keystone14:00
*** jmlowe has quit IRC14:05
*** panbalag has joined #openstack-keystone14:10
*** nkinder has joined #openstack-keystone14:13
*** jdennis has joined #openstack-keystone14:37
*** david-lyle has quit IRC14:38
*** edmondsw has quit IRC14:38
*** lbragstad has joined #openstack-keystone14:39
*** ChanServ sets mode: +o lbragstad14:39
*** r-daneel has quit IRC14:45
*** edmondsw has joined #openstack-keystone14:52
*** simondodsley has quit IRC14:58
*** simondodsley has joined #openstack-keystone14:58
*** mchlumsky has joined #openstack-keystone15:01
*** Exhar has quit IRC15:04
*** belmoreira has joined #openstack-keystone15:23
*** jmlowe has joined #openstack-keystone15:23
*** jmlowe has quit IRC15:28
*** jmlowe has joined #openstack-keystone15:30
*** cloudnull has quit IRC15:32
*** cloudnull has joined #openstack-keystone15:36
*** links has quit IRC15:39
*** david-lyle has joined #openstack-keystone15:46
*** panbalag has left #openstack-keystone15:47
*** wolsen has quit IRC15:59
*** wolsen has joined #openstack-keystone16:00
*** Nisha_Agarwal has joined #openstack-keystone16:01
*** pcaruana has quit IRC16:04
*** spilla has joined #openstack-keystone16:04
*** itlinux has joined #openstack-keystone16:08
*** itlinux has quit IRC16:10
*** Supun has joined #openstack-keystone16:19
*** kmARC has quit IRC16:19
*** kmARC has joined #openstack-keystone16:20
*** itlinux has joined #openstack-keystone16:22
*** itlinux has quit IRC16:23
*** r-daneel has joined #openstack-keystone16:32
*** itlinux has joined #openstack-keystone16:34
*** jamespage has quit IRC16:34
*** jamespage has joined #openstack-keystone16:35
lbragstadgagehugo i'm working on a patch to remove the uuid provider and sql token storage bits16:39
lbragstadafter that, i can take a stab at redefining the interfaces for the token providers16:39
gagehugolbragstad cool16:40
lbragstadthat should make the jwt work a lot easier16:40
lbragstadknikolla we might need to sync back up on the bug we talked about on friday16:41
knikollalbragstad: i have a meeting in 10 minutes, let's do in the afternoon16:47
*** links has joined #openstack-keystone16:47
gagehugolbragstad yup16:47
kmalloclbragstad: o/16:49
lbragstadknikolla that works for me16:49
lbragstadkmalloc o/16:49
kmalloclbragstad: when are we able to drop UUID tokens again?16:50
* kmalloc checks coee.16:50
kmallocooh. in R.16:51
kmallocthat means *soon*16:51
kmallocwhich will make token providers so very much easier to deal with16:51
openstackgerritLance Bragstad proposed openstack/keystone master: Remove the sql token driver and uuid token provider
lbragstadkmalloc ^16:52
lbragstadboom - done16:52
kmallocLOL NICE16:52
kmallocAHA, i was just about to do that. i'll review it instead!16:52
kmallocdo you know how happy that change makes me.16:53
lbragstadwxy had a few good questions on the revocation list stuff16:53
kmallocrev list pretty much dies16:53
*** links has quit IRC16:53
kmallocwe need to revisit and make it simply policied off (401)16:53
lbragstadkmalloc i can imagine.. i'm usually pumped to remove code... i could barely contain myself16:53
kmallocsince we can't drop the API16:53
lbragstadthose were the concerns ^16:54
kmallocthe fix is just make it respond with 40116:54
*** links has joined #openstack-keystone16:54
kmallocsince 500 is busted and certs are... well dead16:54
kmallocit exists but no one is allowed to see it16:54
kmalloci'd raise 401 explicitly16:55
lbragstadyeah - i had to dig up the keystone-manage pki_setup command to test that16:55
kmalloca [] isn't valid16:55
kmallocbecause it wont be signed16:55
kmallocalso, we should drop all the cert options.16:55
kmallocthat API requires the data to be signed.16:55
lbragstadkmalloc i think it is signed16:55
lbragstadat least when i tested it locally16:55
lbragstadkmalloc that's what the controller does16:55
kmallocright, only when certs are configured16:56
lbragstadiff the certs are available16:56
kmallocso, we drop the cert options16:56
kmallocand hard raise 40116:56
kmallochell, we just hard raise 401 regardless16:56
lbragstadahh - i see what you mean16:56
kmallocit's better than 50016:56
lbragstadfrom a provider perspective, that can be done in a separate patch, no?16:56
kmallocor we 40316:56
kmallocyeah we do it separately16:56
kmallocit is def a forbidden16:56
lbragstadi got caught a few times going down the rabbit hole16:57
kmallocit might need a tempest change.16:57
kmallocbut we also can drop all the cert options16:57
kmallocwhich is a sin16:57
lbragstadand removing a bunch of stuff not directly related to the removal of those two bits of code16:57
lbragstadi'd like to get eyes on the list of todos in the commit message, too16:57
lbragstadi'm trying to document what we need to do after we remove that16:57
kmallocso the order of code changes: 1) what you proposed, 2) rev list -> 403, 3) drop all cert options / keystone-manage pki-setup16:57
kmalloc2/3 might be tempest changes16:58
kmallocas well.16:58
kmallocah so we can't setup the pki stuff anyway16:58
kmallocgood. lets drop the options and nuke it from orbit16:58
kmallocit's the only sure way16:58
kmallocalso, it means tempest can't be testing it16:58
lbragstadwell - people *could* have certificates still16:58
lbragstadsince pki_setup was only a "developer tool"16:59
kmallocbut we don't populate the rev list anymore.16:59
kmallocand if we change the API to be 403 (it is a fair way to disable the API), we don't need to sign it16:59
kmallocFTR: Pike removal17:00
kmallocif we don't lean on those options for anything17:01
kmallocand almost everyone 500s on the rev list [which is no longer populated]17:01
kmallocwe should drop the options17:01
kmallocanyway, we should be good in either case.17:01
lbragstadyeah - i think that sounds like a plan17:05
lbragstadso long as we have a list of things to clean up17:05
lbragstadi know there are a lot of things that could be included in the removal patch, but that's starting to get into a refactor17:05
lbragstadtrying to keep them separate for the sake of reviewing17:05
kmalloclbragstad: nit on your patch17:06
kmallocbut +217:06
kmallocand added my comment about 403 AND removing signing options17:06
openstackgerritLance Bragstad proposed openstack/keystone master: Remove the sql token driver and uuid token provider
kmalloclbragstad: +2/+A for the openstack proposal/release bot reviews for stab/queens17:09
lbragstadawesome - we do have to cut rc217:09
lbragstadwaiting on a resolution to
openstackLaunchpad bug 1658641 in OpenStack Identity (keystone) "Moving/disabling LDAP users break Keystone queries depending on role ID" [Medium,In progress] - Assigned to Kristi Nikolla (knikolla)17:10
lbragstadafaik - that's the last rc potential bug we are targeting17:11
kmallocthat is a hard bug to fix17:11
lbragstadit's not a release stopper, since it wasn't introduced in queens, but it would be nice to get fixed17:11
kmallocbasically you're changign things behind keystone in a way it can't know17:11
kmallocthats painful.17:11
lbragstadwe had a long conversations about it on friday17:11
kmallocthat is expected behavior17:11
kmallocthe 404 if it disappears17:12
lbragstadwe have a couple options to fix it17:12
kmalloci'd probably not hold Q up for the fix if it lags17:12
kmallocwe can backport the fix if needed17:12
lbragstadone it the current proposal, which makes the purge mapping command smart enough to clean up assignments17:12
kmallocwhich is the best option imo17:13
kmallocbut it has limitations17:13
kmalloctl;dr don't hold up the release. i'm 100% sure that we can backport if needed. if we get a reasonable proposal for code, we can land it before Q ships17:13
lbragstadthe part that tripped me up is that the solution isn't accessible to everyone17:13
kmallocunfortunately, it probably wont ever be.17:14
kmallocnature of LDAP integrations17:14
kmallocmost apps fail in this regard if you do what the bug purports17:14
kmallocand some fail far less gracefully than we do17:14
kmallocpersonally, i view this as expected behavior.17:14
lbragstadok - qq17:15
kmalloc(but i'll support most any fix that makes it even slightly better)17:15
lbragstadlets say I'm a domain administrator and i have my domain backed by ldap17:15
lbragstadbut it's not my deployment17:15
lbragstadthe team that manages the ldap i'm backing to starts shuffling users around into different groups17:16
kmalloci see where you're going.17:16
lbragstadas a result, when i call v3/role_assignments with names, the api breaks with a 40417:16
kmalloceither you need to be able to update the domain config to reference the changes or bug the openstack admin17:16
kmalloclikely both.17:16
lbragstadso - open a ticket?17:16
lbragstadin both cases17:16
kmallocit's unfortunate17:17
kmallocthere *is* a long term fix17:17
lbragstadwell - actually, i might be wrong17:17
kmallocsplit keystone ID and <rest of the API>17:17
kmallocmake all ID purely federated17:17
lbragstada domain admin should be able to propose changes to the domain config API17:17
kmallocoffer a SAML2/somethingelse option that person X can run for their domain17:17
kmalloclbragstad: correct, should, but not guaranteeed17:18
kmallocit is likely a ticket, but may not be needed in all cases17:18
lbragstadthat's fair17:18
kmallocbut tl;dr, if we offered an ID service - and everything was federated with industry tech, we could eliminate this issue17:19
*** belmoreira has quit IRC17:19
kmallocreconfig your local keystone-id-proxy-service that talks to ldap17:19
kmallocand then it does the federated auth dance17:19
kmallocwhen you need to talk to the deployment keystone17:19
kmallocthat is an ideal world17:19
kmallocbut... that is a biiiiig hurdle17:19
kmallocit's what i'd drive towards as a general modality of managing keystone/openstack ID. hard split resource+RBAC and Identity.17:20
kmallocthen we can just run a id process for an LDAP domain and allow the interfacing folks manage that w/o touching the openstack deployment itself.17:21
kmallocstill a ticket if fundamental mapping changes, but, not as often17:21
kmallocand likely most folks can move towards full SAML2/OIDC impls with exception of SQL-specific keystone-isms17:22
kmallocand we can handle PII/user data in a better fashion [we can be much smarter]17:22
*** mvk_ has quit IRC17:22
kmallocbut again, this is a BIG change17:22
kmallocand might be a hard sell17:22
kmallocit works better if we also move to the edge-permission model.17:23
kmallocso you could just talk to nova directly instead of needing to hit keystone to token to talk to nova to pass tokens to glance.17:23
kmallocbut i'd work to logically split keystone-id into it's own micro service that does federated auth w/ keystone <service>17:24
kmallocagain, this is waxing poetic on "designing steps forward"17:25
lbragstadthis is probably a discussion at the PTG17:25
kmalloc@#$! i need to book travel17:25
lbragstadbut we should rehash this when knikolla is available so we're all on the same page17:25
lbragstadthen i'll go through and cut rc2 based on that discussion17:26
kmallocholy hell it's $400 for the ticket?!17:26
lbragstadthe ptg ticket?17:26
gagehugokmalloc yeah they ran out17:26
lbragstadprice bump17:26
kmallocwhelp, guess i'm not going.17:26
lbragstadlast friday?17:26
kmallocsorry. i'll be missing this one17:27
kmalloci don't want to front that kind of cash to ask for a reimbursal for.17:27
*** Nisha_Agarwal has left #openstack-keystone17:30
kmallocit's what i get for not being able to book the trip until now.17:30
kmalloc[had some questions on if i'd be able to go due to personal travel/appointments]17:31
*** AlexeyAbashkin has quit IRC17:36
openstackgerritLance Bragstad proposed openstack/keystone master: Remove the sql token driver and uuid token provider
* lbragstad takes lunch 17:44
*** david-lyle has quit IRC17:55
*** dklyle has joined #openstack-keystone18:07
openstackgerritMerged openstack/keystone master: Imported Translations from Zanata
*** harlowja has joined #openstack-keystone18:14
lbragstadkmalloc will need to be backported?18:18
lbragstadto stable/queens?18:18
kmalloci'd ask the translation team18:18
lbragstadi guess that one went in, too18:18
*** r-daneel has quit IRC18:27
*** dklyle has quit IRC18:30
*** r-daneel has joined #openstack-keystone18:35
cmurphykmalloc: could you do a stable review for me?
*** jmlowe has quit IRC18:44
*** links has quit IRC18:45
*** itlinux has quit IRC18:49
*** itlinux has joined #openstack-keystone18:51
*** itlinux has quit IRC18:53
*** david-lyle has joined #openstack-keystone18:54
openstackgerritMerged openstack/keystone master: Update reno for stable/queens
*** itlinux has joined #openstack-keystone18:55
*** agrebennikov has joined #openstack-keystone19:00
cmurphyty :)19:01
cmurphyi have one for stable/ocata too that's making its way through check
cmurphyit's needed for the tempest test to pass but i'm not sure it's in line with stable policy19:02
kmalloclet me know when it passes19:02
kmallocand i'll take a gander19:02
*** jmlowe has joined #openstack-keystone19:04
*** jmlowe has quit IRC19:06
*** jmlowe has joined #openstack-keystone19:06
agrebennikovdstanek, hi, I have a question regarding the shadow users/mapping (and you mentioned as a contributor). Essentially, I don't see any clear mentioning for shadow groups to be implemented. How do I then do group-based assignments in case of saml auth?19:08
*** jmlowe has quit IRC19:08
*** jmlowe has joined #openstack-keystone19:09
*** gyee has joined #openstack-keystone19:12
*** sambetts is now known as sambetts|afk19:13
*** jmlowe has quit IRC19:15
lbragstadkmalloc sorry - a couple more for you :)19:17
lbragstad and
kmalloclbragstad: donje19:18
*** tesseract has quit IRC19:18
lbragstadkmalloc thanks19:19
*** jmlowe has joined #openstack-keystone19:22
*** jmlowe has quit IRC19:38
*** jmlowe has joined #openstack-keystone19:41
*** lbragstad_ has joined #openstack-keystone19:41
*** lbragstad_ has quit IRC19:43
*** Supun has quit IRC19:44
*** Supun has joined #openstack-keystone19:44
*** pramodrj07 has joined #openstack-keystone19:49
knikollalbragstad: o/20:06
lbragstadknikolla o/20:08
knikollalbragstad: yep... played around with ldap and keystone for a bit20:09
knikollasurprisingly, wasn't able to reproduce the bug.20:09
knikollayes, maybe the shadow users stuff?20:10
knikollai created and deleted a user after adding permissions20:10
knikollathis is after i deleted the user20:10
knikollayou can see even doing show on a user that isn't returned from the user list, works.20:12
agrebennikovhey folks, maybe anybody else can explain a little bit about federation mappings (except dstanek)? Is it possible to have groups assignments only and have a user assertions to contain the groups he belongs to?20:13
knikollalbragstad: argh... cache got me.20:17
lbragstadknikolla so demo is the user you modified in ldap?20:17
knikollalbragstad: no, demo is the user that was already there. i created and then deleted a different user named kristi.20:18
knikollalet me give you fresh output after restarting and clearing the cache20:18
*** Exhar has joined #openstack-keystone20:19
kmalloccache wont pop if you change the backend20:20
lbragstadi suppose20:22
lbragstadthere isn't a way for keystone to know about that20:22
lbragstadwhat if you disable caching?20:22
knikollai just restarted the keystone service.20:24
lbragstadhmm - so it sounds like your fix also works for this20:26
lbragstadsounds like that specific bug is resolved, but we could file an RFE to handle the left over assignments20:28
knikollalbragstad: it doesn't.20:28
knikollaas this bug is for a different API call.20:28
knikollaoh, you mean the mapping_purge, yes.20:29
lbragstadright - we still have a problem where role assignments aren't updated20:29
lbragstadand according to it was causing a 404, but based on your trace, that doesn't seem to be the case anymore20:30
openstackLaunchpad bug 1658641 in OpenStack Identity (keystone) "Moving/disabling LDAP users break Keystone queries depending on role ID" [Medium,In progress] - Assigned to Kristi Nikolla (knikolla)20:30
lbragstaddoes that sound accurate?20:34
*** oikiki has joined #openstack-keystone20:35
knikollalbragstad: for the most part, the only API call that I think still doesn't work is this20:36
knikollaor wait.. i think that's my typo20:36
* knikolla facepalm20:37
knikollalbragstad: i see. it's only the API call in openstackclient that fails.20:38
knikollalbragstad: because when you do `openstack user list --project <project>`20:38
knikollaopenstack does role_assignment?<project>20:38
knikollathe above call works20:38
knikollaand then does a users/users?name=<user> for all the users returned from the above call20:39
lbragstadGET /v3/projects/{project_id}/users/ isn't an API we support id on't think20:39
knikollalbragstad: i realized that. it's openstackclient syntactic sugar20:39
* lbragstad loves syntactic sugar20:39
knikollawhich makes the `openstack user list --project <project>` fail20:39
lbragstadyeah - so it queries role_assignments20:39
knikollabut i see no bug with keystone here. we could maybe have role_assignment api clean up non existing users20:40
lbragstadknikolla would you mind putting your pastes in the bug report?20:45
lbragstadthose are super helpful20:45
lbragstadtechnically, the only bug is that there are users with empty names when listing users (which flags a non-existent user)20:48
lbragstadso - yeah, that sounds like a RFE20:48
knikollalbragstad: posted20:51
*** itlinux has quit IRC20:51
*** Supun has quit IRC20:55
knikollawoohoo... just got the visa approval email for ireland.20:57
*** ChanServ has quit IRC21:02
*** ChanServ has joined #openstack-keystone21:11
*** sets mode: +o ChanServ21:11
*** oikiki has quit IRC21:11
*** oikiki has joined #openstack-keystone21:11
gagehugoknikolla yay21:12
lbragstadknikolla nice!21:12
*** r-daneel has quit IRC21:17
*** r-daneel has joined #openstack-keystone21:17
*** oikiki has quit IRC21:22
*** oikiki has joined #openstack-keystone21:23
openstackgerritLance Bragstad proposed openstack/keystone master: Grant admin a role on the system during bootstrap
openstackgerritLance Bragstad proposed openstack/keystone master: Delete system role assignments when deleting users
lbragstadmtreinish ^21:25
lbragstadcherry-picked the bootstrap patch onto that one21:25
lbragstadwe should probably be taking care of those assignments anyway21:26
mtreinishlbragstad: hmm looking at that patch, I'm not sure I could see where that would fix things21:26
mtreinishdefinitely a good thing to do, just not sure if it's related to the failures21:27
lbragstadyeah - that's fair21:27
lbragstadthe admin user is never removed through, right?21:27
*** gagehugo has quit IRC21:27
lbragstadtempest always keeps the user from bootstrap around?21:27
*** gagehugo has joined #openstack-keystone21:28
*** mvk_ has joined #openstack-keystone21:33
*** oikiki has quit IRC21:36
*** edmondsw has quit IRC21:39
*** oikiki has joined #openstack-keystone21:43
lbragstadanother stable review we can kick through -
*** threestrands has joined #openstack-keystone22:12
*** jmlowe has quit IRC22:14
*** martinus__ has quit IRC22:17
*** masber has quit IRC22:29
*** rcernin has joined #openstack-keystone22:31
openstackgerritColleen Murphy proposed openstack/keystone master: Add docs for application credentials
openstackgerritColleen Murphy proposed openstack/keystone master: Use OSC in application credential documentation
lbragstadhas anyone see sh: 1: cannot create /sys/kernel/mm/ksm/run: Permission denied in devstack recently ?23:18
*** AlexeyAbashkin has joined #openstack-keystone23:21
*** panbalag has joined #openstack-keystone23:21
*** oikiki has quit IRC23:23
*** oikiki has joined #openstack-keystone23:24
*** AlexeyAbashkin has quit IRC23:26
kmallochaven't seen that23:35
*** bhagyashris has quit IRC23:40
*** bhagyashris has joined #openstack-keystone23:41
*** spilla has quit IRC23:42

Generated by 2.15.3 by Marius Gedminas - find it at!