openstackgerrit | wangxiyuan proposed openstack/keystone master: Force SQLite to properly deal with foreign keys https://review.openstack.org/126030 | 01:53 |
---|---|---|
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystone master: Imported Translations from Zanata https://review.openstack.org/543826 | 07:29 |
openstackgerrit | James E. Blair proposed openstack/keystoneauth master: Zuul: Remove project name https://review.openstack.org/543842 | 08:07 |
m3m0 | hello, is it possible to create a group in keystone and add users from a different domain (ldap for instance?) | 09:55 |
cmurphy | m3m0: it's possible for users in one domain to be part of a group in another domain but it's not possible for a user in one backend (eg ldap) to be part of a group in another backend (eg sql) | 10:03 |
m3m0 | cmurphy: got it, thanks, then I should have something bad in my conf: I keep getting this error: UNWILLING_TO_PERFORM: {'info': 'no global superior knowledge', 'desc': 'Server is unwilling to perform'} | 10:15 |
cmurphy | m3m0: that looks like an ldap server error, that doesn't come from keystone | 10:18 |
m3m0 | cmurphy: yes, indeed comes from there, I'll take a look, thanks | 10:19 |
m3m0 | and this is the error from keystone for reference: Group membership across backend boundaries is not allowed | 10:21 |
cmurphy | m3m0: right, that is what i meant by it not being possible to cross backends | 10:23 |
cmurphy | it's only possible if the domains are in the same backend | 10:23 |
lbragstad | o/ | 13:57 |
cmurphy | \o | 13:58 |
lbragstad | this is so weird... for some reasons https://review.openstack.org/#/c/530410/ causes keystone to store more revocation events | 14:06 |
lbragstad | and one of them happens to match the token used by the administrator to clean up resources in tempest's teardown process | 14:06 |
lbragstad | hence, the 401 | 14:07 |
lbragstad | 0.0 | 14:07 |
cmurphy | o.0 | 14:07 |
cmurphy | go home, keystone, you're drunk | 14:08 |
lbragstad | an extra assignment that isn't used does that? really?! | 14:08 |
lbragstad | pretty much | 14:10 |
* lbragstad shakes head | 14:50 | |
cwright | Hi, I'm trying to understand when to assign the `admin` role or the `service` role to a "systems" account. | 15:17 |
cwright | We have created a user, `mollusk`, that will be accessed programmatically to set quotas, etc throughout our OpenStack deployment. | 15:17 |
cwright | I've seen some places in documentation where it suggests the `admin` role should be added to the `mollusk` user, and other places I've seen it say the `service` role should be added instead. | 15:18 |
cwright | I'm also not clear which project this should be added under, `admin` project or `service` project. | 15:18 |
cwright | I may not be explaining this clearly, but does this make sense? | 15:18 |
lbragstad | cwright good question - your answer is going to depend partially on what policies you have set up for the `admin` role and the `service` role, and what the `mollusk` user needs from an API perspective | 15:19 |
cwright | lbragstad: I am using default policies at this point, no customizations made so far. | 15:20 |
lbragstad | cwright cool - in that case, the `service` role will have somewhat limited functionality compared to the `admin` role, but not by a whole lot | 15:20 |
cwright | We aren't sure exactly yet what all the `mollusk` user will need to do, but we'd like it to be able to perform most (if not all) administrative tasks via the api | 15:21 |
lbragstad | the `admin` role will get you that | 15:21 |
cwright | lbragstad: do you know of a document that details the differences between `admin` and `service` roles? | 15:21 |
lbragstad | cwright unfortunately, i don't think it exists | 15:21 |
lbragstad | we do have some work in flight to help with that though | 15:22 |
cwright | ah ok. Where we first ran into this is with setting quotas on swift accounts. We found a document that said we needed to create a `ResellerAdmin` role and add it to `mollusk` | 15:22 |
lbragstad | yeah - that's a role specifically for swift | 15:22 |
cwright | we aren't sure what limitations `ResellerAdmin` has | 15:23 |
lbragstad | right... | 15:23 |
cwright | oh, ok did not know that | 15:23 |
lbragstad | we'll - by specifically for swift, i mean, swift defines it and expects it in its service logic | 15:23 |
lbragstad | well* | 15:23 |
lbragstad | it's pretty much an opinionated set of authorization rules for swift | 15:24 |
cwright | ok, so do you know if swift would respect the `admin` role as well, or for swift are we required to use `ResellerAdmin`? | 15:24 |
lbragstad | i believe ResellerAdmin is a specific set of cases for swift, so i'm not sure reusing it for anything else will work as expected, but let me double check the code | 15:25 |
cwright | lbragstad: thanks so much | 15:25 |
knikolla | o/ | 15:26 |
lbragstad | "Users with the Keystone role defined in reseller_admin_role (ResellerAdmin by default) can operate on any account. The auth system sets the request environ reseller_request to True if a request is coming from a user with this role. This can be used by other middlewares." | 15:27 |
lbragstad | some related stuff here - https://docs.openstack.org/swift/latest/overview_auth.html#configuring-swift-to-use-keystone | 15:27 |
cwright | reading now... | 15:28 |
lbragstad | i don't think swift uses oslo.policy either | 15:29 |
lbragstad | edmondsw ping | 15:30 |
edmondsw | lbragstad headed into a mtg... | 15:30 |
lbragstad | edmondsw cwright has a couple questions that are a bit over my head regarding ResellerAdmin | 15:30 |
lbragstad | edmondsw and you're *way* more knowledgeable there than I am ;) | 15:31 |
edmondsw | cwright ping me in 30 min if I don't get back to you before that | 15:32 |
cwright | edmondsw: thanks, will circle back then | 15:32 |
lbragstad | cwright from what i know, swift handles policy and authorization a bit different than some of the other projects | 15:35 |
lbragstad | most of the other projects don't really define roles needed for the service | 15:36 |
lbragstad | but they define policies around what they assume to be there (like the `admin` role) | 15:36 |
lbragstad | since that's really the only role guaranteed to be present after bootstrapping keystone | 15:36 |
lbragstad | ideally, we'd like to move towards something like https://review.openstack.org/#/c/523973/ | 15:37 |
cwright | lbragstad: yea. I think the swift differences are responsible for part of my trouble understanding this, but also i'm not sure which project I should be using | 15:42 |
cwright | should the roles to `mollusk` be added in the `admin` or `service` projects? | 15:42 |
cwright | is `admin` special? | 15:42 |
lbragstad | oh - yeah, that's another good question | 15:42 |
lbragstad | yes and no | 15:43 |
lbragstad | if anything is really considered special in openstack authorization model, it's the presence of a role with the name 'admin' | 15:43 |
lbragstad | a lot of projects will look for a role named 'admin' when trying to determine if a user should be able to escalate privileges | 15:44 |
lbragstad | which is in the token reference in the authenticate and validation responses | 15:44 |
cmurphy | lbragstad: fyi i won't be at the meeting tonight | 15:45 |
lbragstad | which can be problematic because it means that anyone with a role names 'admin' on any project can do cloud administrator activities | 15:45 |
lbragstad | cmurphy ack - thanks for the heads up | 15:46 |
lbragstad | role named * | 15:46 |
cwright | so is it recommended to not assign the admin role generally? | 15:47 |
lbragstad | cwright by default - i wouldn't give admin to anyone who isn't expected to administer the deployment | 15:47 |
lbragstad | because you're giving them the power to do just about anything | 15:48 |
m3m0 | hello :) is it possible to create a group for my ldap users? openstack group create group_for_ldap --domain ldap, because it fails with this error: UNWILLING_TO_PERFORM: {'info': 'no global superior knowledge', 'desc': 'Server is unwilling to perform'} | 15:48 |
m3m0 | I don't understand why ldap is involved here other than for querying if it is supposed to be read-only | 15:49 |
lbragstad | m3m0 that kind of looks like an error from a separate backend? do your keystone.logs say anything? | 15:49 |
m3m0 | yep, I have a separate backend for ldap | 15:49 |
lbragstad | cwright fwiw, we're going to be working to improve a lot of this (or that is the plan) | 15:49 |
cmurphy | m3m0: you can't create groups in ldap from keystone, keystone treats ldap as read-only | 15:50 |
lbragstad | cwright we implemented a feature in Queens that introduces a new assignment scope | 15:50 |
m3m0 | other than the stacktrace and this: {'info': 'no global superior knowledge', 'desc': 'Server is unwilling to perform'}, not much | 15:50 |
lbragstad | cwright so in addition to being able to assign users and groups roles on projects and domains, you're going to have the ability to assign users roles on the "system" | 15:50 |
cwright | lbragstad: i see. | 15:51 |
lbragstad | cwright long story short, we should hopefully be able to get away from having to overload roles with special values | 15:51 |
lbragstad | which will make things simpler and allow for tighter access control | 15:52 |
m3m0 | cmurphy: if I want to create a group for my ldap users in keystone, is there anything I can do? modifying my ldap model maybe? | 15:52 |
lbragstad | m3m0 yeah - i think you'd have to do the creation in ldap, which should show up via keystone when you query groups | 15:52 |
lbragstad | cwright http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html the problem description here does a bit better job of explaining it | 15:53 |
cwright | so, sorry to keep coming back to this, but for my `mollusk` user who we want to be able to do most admin actions via the api, is there a reason to set the project to `admin` or `service`? | 15:54 |
cwright | openstack user create --domain XYZ --password '{{ account.password }}' --project admin mollusk | 15:54 |
cwright | or --project service | 15:54 |
cwright | this is one of the last pieces that my brain is struggling to grasp :) | 15:55 |
m3m0 | lbragstad: is this the only conf I would need to change? group_tree_dn = ou=Groups,dc=example,dc=org and group_objectclass = groupOfNames?? (from https://docs.openstack.org/keystone/pike/admin/identity-integrate-with-ldap.html) | 15:55 |
lbragstad | cwright sorry - i got off on a tangent there | 15:56 |
lbragstad | cwright the `admin` project also has special meaning | 15:56 |
lbragstad | to a certain extent | 15:56 |
lbragstad | it was used to escalate privileges | 15:57 |
lbragstad | so if you had a token scoped to the admin project, you'd be able to do administrator-like things | 15:57 |
lbragstad | but until we get all the system scope stuff rolled out - `admin` is probably what you want | 15:57 |
lbragstad | cwright http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html#alternatives explains the significance of the `admin` project | 15:59 |
lbragstad | m3m0 i believe so - but i'd have to double check | 15:59 |
m3m0 | I changed those parameters, restart httpd and query: openstack group list --domain ldap with no luck :( | 15:59 |
cwright | lbragstad: ok thanks so much, i'll read all this and get back to you if i have further questions. i really appreciate you taking the time here | 15:59 |
lbragstad | cwright absolutely, it's confusing stuff and we have a lot of moving parts going on | 16:00 |
lbragstad | cwright happy to get feedback if you have any | 16:00 |
lbragstad | m3m0 are you using domain configuration for the ldap domain? | 16:02 |
m3m0 | do you mean the conf in /etc/keystone/domains/keystone.ldap.conf? | 16:03 |
m3m0 | if so, yes | 16:03 |
lbragstad | correct | 16:05 |
ayoung | lbragstad, and there you have bug 968696 in a nutshell | 16:10 |
openstack | bug 968696 in OpenStack Identity (keystone) ""admin"-ness not properly scoped" [High,In progress] https://launchpad.net/bugs/968696 - Assigned to Adam Young (ayoung) | 16:10 |
lbragstad | ayoung i'm getting so good at describing it... | 16:11 |
ayoung | lbragstad, eventually you will realize that we want the "RBAC from Middleware" proposal I wrote up. We need an inventory of calls, and a way to map them back to the roles. | 16:12 |
ayoung | we need it in one place. | 16:12 |
ayoung | I'm pretty sure if you look at istio and 3scale, that is a part of what they are providing. | 16:13 |
ayoung | getting a scope on everything is a huge part of that, and I hope we are almost there....are we? | 16:13 |
lbragstad | getting there... still have a lot of work to get things fixed up across the other services | 16:16 |
ayoung | lbragstad, what is the plan for that...specifically for Nova? I think that is the hardest one. | 16:17 |
lbragstad | it's part of our agenda at the PTG | 16:17 |
ayoung | I had a hack that was a starting point based on is_admin_project we should probably revisit...lemme see | 16:17 |
ayoung | https://review.openstack.org/#/c/384148/ lbragstad so that was my take on the way that the API calls should be scoped | 16:18 |
ayoung | convert the is_admin_project mechanism to a scoped token, and you should have the same general thing | 16:18 |
lbragstad | yeah - i have one of those in flight - https://review.openstack.org/#/c/525772/ | 16:19 |
ayoung | For example RULE: global_admin should be system:admin | 16:19 |
lbragstad | i need to respin it | 16:19 |
ayoung | cool. and it looks like Ken is actively reviewing | 16:20 |
edmondsw | cwright alright, finally out of my meeting, starting to read back | 16:20 |
ayoung | create:attach_volume is project scoped | 16:21 |
edmondsw | cwright the "service" role is really just for OpenStack services like nova. I don't think I've ever seen that given to an end user | 16:21 |
ayoung | on the create:forced_host....wow I didn't know we had that. I would think that you would need a system scoped token to do that, though. | 16:21 |
edmondsw | ResellerAdmin is the default admin role for swift. Though you can call that something else if you prefer. It is configurable | 16:22 |
edmondsw | cwright more about that here: https://github.com/openstack/swift/blob/d2e32b39e8bead7984d205d532a489908be655ef/doc/source/overview_auth.rst#L308 | 16:23 |
ayoung | lbragstad, do we have an overall inventory of policy points? I started doing that back years ago, and then got tripped up over network: being a duplicated prefix between nova and neutron. But I think we can work around that by prefixing the service to the policy | 16:23 |
lbragstad | ayoung right - there is a ton of stuff like that | 16:23 |
ayoung | it's a little redundant for identity | 16:23 |
ayoung | identity:identity:create_user etc | 16:23 |
lbragstad | i'm not sure if there is a master doc | 16:23 |
ayoung | I am pretty sure there is not one | 16:24 |
lbragstad | but it shouldn't be hard to get now that you can generate it using policy in code | 16:24 |
ayoung | yep. | 16:24 |
ayoung | I had worked with things along these lines in Tripleo: | 16:24 |
ayoung | https://adam.younglogic.com/2016/08/rbac-policy-update-tripleo/ | 16:24 |
edmondsw | cwright here's at least one place it's checked in the code to give you an idea what it's allowed to do: https://github.com/openstack/swift/blob/3135878d2fe9909f49fcadeeb9cc6c6933d06127/swift/common/middleware/keystoneauth.py#L418 | 16:25 |
edmondsw | cwright I think the swift folks would typically expect you to keep ResellerAdmin and admin roles separate, but I'm not a swift expert | 16:28 |
cwright | edmondsw: thanks. I sometimes see `swiftoperator` and sometimes I see `ResellerAdmin`. have been trying to see if there is a difference, or if that is just a renaming | 16:28 |
ayoung | lbragstad, so system level permissions are not going to be sufficient to do project scoped operations? We'll have to explicitly state that an API needs a system scoped role to allow for an override? | 16:31 |
edmondsw | cwright mollusk will need a role on the project that contains the resources you want him to manage. E.g. if you want his VMs in "projectA" then you give him a role on "projectA". | 16:32 |
edmondsw | cwright and give out the admin role carefully... it is the one role that can actually do things against other projects besides the one where it has a role | 16:33 |
edmondsw | cwright including really powerful things like deleting VMs, volumes, etc. | 16:33 |
ayoung | lbragstad, that is going to be a problem with "delete" calls. Right now, if a user deletes a project in Keystone, there is going to be no way to clean up resources in Nova et alles, as there will be no way to get a project scoped token, and the deletes don't have a system scoped role annotated on them | 16:33 |
edmondsw | cwright but unfortunately there isn't always an alternative today... sometimes you just have to give the admin role to let someone do what they need to do. We're working on that. | 16:34 |
ayoung | I'm not sure how we implemented it, but I always envisioned the system scoped roles being allowed in to any project to perform the same operations. So, say we had a "cleanup" role that could delete VMs, on the project level, that role is allowed to delete vms in the project, and at the system level it is allowed to delete VMs in any project | 16:35 |
ayoung | is that how we have it? | 16:35 |
ayoung | cuz I see your patch has a bunch of scope_types=['system', 'project']), | 16:35 |
lbragstad | hmmm | 16:42 |
lbragstad | i see what you mean with the delete case | 16:43 |
ayoung | lbragstad, why would you ever have a project scoped operation that a system scoped operator could not perform, too? | 16:47 |
lbragstad | my thinking there was that if an operation required a project for ownership of the resource, you won't have to modify the API to account for that when the scope isn't in the token itself | 16:48 |
ayoung | I see that as kind of separate from the access enforcement. Yes, it may mean that a service scoped token cannot be used to do a certain call, but not due to access control rules, just due to API specification | 16:49 |
ayoung | let's limit the scoping to either project OR system with system implying project at the enforcement level | 16:49 |
ayoung | cleaner, simpler to implement, and it is required in most cases | 16:50 |
openstackgerrit | Murali Annamneni proposed openstack/keystone master: [WIP] Enables MySQL Cluster support for Keystone https://review.openstack.org/431229 | 16:58 |
agrebennikov | @here hey folks, maybe anybody else can explain a little bit about federation mappings? Is it possible to have groups assignments only and have a user assertions to contain the groups he belongs to? | 17:17 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Expose bug in /role_assignments API with system-scope https://review.openstack.org/544011 | 17:18 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Fix querying role_assignment with system roles https://review.openstack.org/544012 | 17:18 |
lbragstad | cmurphy ayoung ^ | 17:18 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Grant admin a role on the system during bootstrap https://review.openstack.org/530410 | 17:19 |
lbragstad | ^ that should pass tempest now | 17:19 |
lbragstad | we'll need to backport those two patches to stable/queens for rc2 | 17:19 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Fix querying role_assignment with system roles https://review.openstack.org/544012 | 17:23 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Grant admin a role on the system during bootstrap https://review.openstack.org/530410 | 17:23 |
lbragstad | cc kmalloc knikolla gagehugo | 17:24 |
kmalloc | hmm | 17:28 |
kmalloc | lbragstad: those were easy | 17:39 |
lbragstad | kmalloc easy reviews? | 17:44 |
kmalloc | lbragstad: yeah | 17:45 |
lbragstad | that's the goal :) | 17:46 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Fix querying role_assignment with system roles https://review.openstack.org/544012 | 17:57 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Grant admin a role on the system during bootstrap https://review.openstack.org/530410 | 17:57 |
lbragstad | gagehugo kmalloc sorry - had to add a release note ^ | 17:57 |
kmalloc | lbragstad: +2'd again | 17:58 |
lbragstad | kmalloc thanks | 17:58 |
kmalloc | lbragstad: i'm going to be on vacation again next week (partial week) | 17:59 |
kmalloc | lbragstad: i think | 17:59 |
kmalloc | lbragstad: still working out if i need to revisit going to the ptg. | 18:00 |
lbragstad | kmalloc sounds good - thanks for the heads up... hopefully you can make it | 18:00 |
openstackgerrit | Merged openstack/keystone master: Remove the sql token driver and uuid token provider https://review.openstack.org/543060 | 18:13 |
kmalloc | lbragstad: i tossed a -2 on https://review.openstack.org/#/c/431229/26 | 18:27 |
kmalloc | this needs a documented test case before it can land. | 18:28 |
kmalloc | i want it to land | 18:28 |
kmalloc | but the fact it is rebased over and over dropping my -1 has brought me to toss a -2 until we have documented test plan going forward | 18:28 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Expose bug in /role_assignments API with system-scope https://review.openstack.org/544011 | 19:20 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Fix querying role_assignment with system roles https://review.openstack.org/544012 | 19:20 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Grant admin a role on the system during bootstrap https://review.openstack.org/530410 | 19:20 |
lbragstad | #startmeeting keystone-office-hours | 19:54 |
openstack | Meeting started Tue Feb 13 19:54:54 2018 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot. | 19:54 |
openstack | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 19:54 |
*** openstack changes topic to " (Meeting topic: keystone-office-hours)" | 19:54 | |
*** ChanServ changes topic to "Queens release schedule: https://releases.openstack.org/queens/schedule.html | Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting | Bugs that need triaging: http://bit.ly/2iJuN1h | Trello: https://trello.com/b/5F0h9Hoe/keystone" | 19:54 | |
openstack | The meeting name has been set to 'keystone_office_hours' | 19:54 |
* lbragstad fails at meetings | 19:55 | |
lbragstad | i should have started that about 55 minutes ago, but whatever | 19:55 |
kmalloc | heh | 20:01 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Delete system role assignments when deleting users https://review.openstack.org/543622 | 20:25 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Expose bug in system assignment when deleting users https://review.openstack.org/544067 | 20:25 |
lbragstad | that should take care of https://bugs.launchpad.net/keystone/+bug/1749264 | 20:25 |
openstack | Launchpad bug 1749264 in OpenStack Identity (keystone) "System role assignments exist after removing users" [High,In progress] - Assigned to Lance Bragstad (lbragstad) | 20:25 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Expose bug in system assignment when deleting groups https://review.openstack.org/544073 | 20:50 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Delete system role assignments when deleting groups https://review.openstack.org/544074 | 20:50 |
lbragstad | same goes for https://bugs.launchpad.net/keystone/+bug/1749267 and ^ | 20:50 |
openstack | Launchpad bug 1749267 in OpenStack Identity (keystone) queens "System role assignments exist after removing groups" [High,Triaged] | 20:50 |
lbragstad | this is ready for another pass | 21:35 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Fix querying role_assignment with system roles https://review.openstack.org/544012 | 21:38 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Grant admin a role on the system during bootstrap https://review.openstack.org/530410 | 21:38 |
lbragstad | https://review.openstack.org/#/c/544011/2 | 21:39 |
lbragstad | here is a link for all the patches in that series for both master and stable/queens - https://review.openstack.org/#/q/topic:bug/1748970+(status:open+OR+status:merged) | 21:42 |
lbragstad | a few more for the user bug (proposed to master and stable/queens) https://review.openstack.org/#/q/topic:bug/1749264+(status:open+OR+status:merged) | 21:44 |
kmalloc | k | 21:45 |
lbragstad | and finally https://review.openstack.org/#/q/topic:bug/1749267+(status:open+OR+status:merged) | 21:45 |
lbragstad | or i could make it easier on everyone with - https://goo.gl/aWTZDv | 21:46 |
lbragstad | ^ includes all patches to master and backports | 21:46 |
lbragstad | the bugs we talked about today | 21:46 |
kmalloc | +2 on all | 21:47 |
lbragstad | the code review equivalent of a grand slam | 21:48 |
kmalloc | lbragstad: looks like failing tests | 22:28 |
lbragstad | digging into it now | 22:28 |
kmalloc | lbragstad: 2018-02-13 21:32:24.586485 | primary | ImportError: /opt/stack/new/tempest/.tox/tempest/local/lib/python2.7/site-packages/netifaces.so: undefined symbol: PyUnicodeUCS2_FromString | 22:29 |
kmalloc | looks like some issues with not keystone | 22:29 |
lbragstad | hmm - because https://review.openstack.org/#/c/544073/1 and https://review.openstack.org/#/c/544074/1 failed | 22:29 |
lbragstad | one on neutron-grenade | 22:29 |
lbragstad | and the other on keystone-dsvm-functional | 22:30 |
kmalloc | yeah same error | 22:30 |
lbragstad | what log are you seeing that in? | 22:31 |
kmalloc | job output | 22:31 |
kmalloc | in both failed test runs | 22:31 |
kmalloc | http://logs.openstack.org/74/544074/1/check/keystone-dsvm-functional/91fc65e/job-output.txt.gz | 22:32 |
lbragstad | oh - i was buried in the logs already | 22:33 |
lbragstad | that's strange | 22:33 |
lbragstad | rechecked both | 22:34 |
kmalloc | vvvc ''''''''' | 22:34 |
kmalloc | yeah sounds good. | 22:34 |
kmalloc | lbragstad: pushed the changes to master through. waiting for those to land so we can hit stable/queens | 23:23 |