Thursday, 2018-03-08

<openstackgerrit> Merged openstack/keystone master: Fix formatting of ImportError https://review.openstack.org/549870 [03:02]
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone master: Imported Translations from Zanata https://review.openstack.org/550711 [06:31]
<openstackgerrit> wangxiyuan proposed openstack/keystone master: Do not return all the limits for GET/PUT request. https://review.openstack.org/550736 [07:48]
<openstackgerrit> wangxiyuan proposed openstack/keystone master: Do not return all the limits for GET/PUT request. https://review.openstack.org/550736 [12:20]
<openstackgerrit> Monty Taylor proposed openstack/keystoneauth master: Remove tox_install.sh and align with constraints consumption https://review.openstack.org/550837 [13:46]
<knikolla> o/ [13:49]
<cmurphy> o/ [13:50]
<openstackgerrit> Monty Taylor proposed openstack/keystoneauth master: Remove tox_install.sh and align with constraints consumption https://review.openstack.org/550837 [14:01]
<openstackgerrit> Russell Tweed proposed openstack/keystone master: Use different labels for user and project names https://review.openstack.org/550884 [16:21]
<openstackgerrit> Russell Tweed proposed openstack/keystone master: Use different labels for user and project names https://review.openstack.org/550884 [17:22]
<openstackgerrit> Nicolas Helgeson proposed openstack/python-keystoneclient master: Extends tags comparator support to KSC https://review.openstack.org/525792 [18:56]
<openstackgerrit> Merged openstack/keystone master: Imported Translations from Zanata https://review.openstack.org/550711 [19:14]
<jdennis> I'm wondering about some naming conventions in the code. What does the _ref suffix on a function/method name indicate? I was guessing "reference", but even if it's reference I'm not sure what that's trying to indicate. Are these naming conventions documented somewhere? [20:11]
<lbragstad> jdennis: that's a good question - and they aren't documented :( [20:13]
<lbragstad> it's essentially just saying the thing named *_ref is supposed to be a dictionary and is shorthand for "reference" [20:13]
<jdennis> lbragstad: ok, good to know. I don't really get the association between dict and reference, I'm used to references in other languages but I'll take it for what it is. Any other naming conventions you think might be useful to know? [20:16]
<lbragstad> jdennis: yeah - a lot of that pre-dates me... so i'm probably short on some historical context as well... [20:17]
<lbragstad> _ref is probably the big one now that you mention it, but i'm sure there are others lurking around [20:18]
<rodrigods> i even started to use _ref in other projects due to that [20:31]
<lbragstad> i'd love to see _ref go away in favor of just using `user = some_call()` [20:33]
<lbragstad> instead of `user_ref = some_call()` [20:33]
<lbragstad> and user should be some sort of python object that you can pass around [20:34]
<jdennis> lbragstad: well if you mean we should be using Python classes instead of unstructured anonymous dicts I'm all for that. It can be really hard to figure out what data is being passed around for what purpose when the data is just a dict, dicts do carry any structural information [20:37]
<jdennis> s/do carry/do not carry/ [20:37]
<lbragstad> jdennis: right [20:38]
<lbragstad> the token provider is really complicated due to that [20:38]
<lbragstad> hooks get invoked based on the presence and values of keys in a dictionary [20:38]
<jdennis> lbragstad: tell me about it! I get so lost in that code [20:39]
<lbragstad> which in turn modifies the response [20:39]
<lbragstad> so - the driver code is dictating what a response should look like (?!) [20:39]
<lbragstad> super confusing :) [20:39]
<lbragstad> i want to try and rip all that out this release - https://review.openstack.org/#/c/545450/ [20:40]
<jdennis> lbragstad: another question if you don't mind, I see in keystoneauth1 that some methods (e.g. kerberos, oauth) send an empty auth_info dict. Is the assumption that those auth methods are "in front of keystone" (e.g. in Apache) and hence if the token request gets to Keystone auth has already occurred and hence no need for auth data? [20:43]
<lbragstad> jdennis: that *might* be the case but I'd probably need to confirm with either knikolla, cmurphy, or jamielennox but that would seem sane [20:44]
<knikolla> jdennis: i think so. the API for getting a token is protected from an apache mod, so if you get there you're golden. [20:46]
<knikolla> the auth info is in the environment variables that apache passes to you. [20:46]
<knikolla> so /identity_providers/myidp/protocols/myprotocol/auth would be the protected endpoint for myidp and protocol myprotocol. [20:47]
<knikolla> whatever mapping is configured for myidp-myprotocol will be triggered to convert the env variables to a user. [20:48]
<jdennis> knikolla: but you're talking about federation, as far as I can figure out the keystoneauth1 code uses the /v3/auth/token endpoint for most of its methods [20:49]
<knikolla> jdennis: right. but i think kerberos/etc are treated as "external" method of authentication. [20:51]
<knikolla> and in that case it will look at the REMOTE_USER env variable [20:51]
<knikolla> or whatever is configured in keystone.conf [20:52]
<knikolla> take that with a grain of salt as this is from me reading something in the docs rather than playing around with that kind of authentication. [20:53]
<jdennis> knikolla: ok sure. Can you define the difference between "external" and "federation" [20:53]
<knikolla> https://github.com/openstack/keystone/blob/master/keystone/auth/plugins/external.py#L35-L38 [20:54]
<knikolla> jdennis: external assumes that there will be a local user, and matches remote_user to a local user. [20:54]
<knikolla> federation creates a shadow user with the attributes passed on from the idp. [20:54]
<jdennis> knikolla: thanks [20:56]
<knikolla> jdennis: sure, np. that is my understanding of how things work, but never really played around with it. ayoung might have more firsthand knowledge. [20:59]
<ayoung> Reading up [20:59]
<ayoung> jdennis, the ref thing goes back to termie.  No idea what he was thinking [21:00]
<ayoung> kmalloc, and jamielennox are your best sources of info on the whys of keystoneauth1 [21:01]
<jdennis> knikolla, lbragstad: while I've got your attention :-) I've been trying to figure out if there is ever a case where access will continue to be allowed after a token is revoked, (provided client token caching is disabled), is that true? What about service tokens that are allowed past their expiration? [21:01]
<ayoung> jdennis, ok that last one I can answer [21:01]
<ayoung> token revocation and token expiry are intended to be treated differently [21:02]
<ayoung> however...Hmmm [21:02]
<lbragstad> jdennis: it's possible for a service user to validate an expired user token [21:02]
<ayoung> I am not certain if we decided that, with service tokens, that we were going to accept revoked.  I think not. [21:02]
<lbragstad> but other than that, it should be treated as an invalid token [21:02]
<ayoung> an expired token, on the other hand, yes, that can be used in conjunction with a service token for long lived work flows [21:03]
<lbragstad> ^ [21:03]
<ayoung> so a snapshot that takes an hour to upload, and then does some other operation should succeed even if the original token timed out [21:03]
<ayoung> whereas if it were revoked, it should fail. [21:03]
<ayoung> I'd have to look at the code to see if that is what we actually enforce, but I think that is the case [21:03]
<lbragstad> but once a token is revoked against keystone - it will be compared to a tokens upon request and if keystone receives a token matching the one that was revoked, we return a 401 [21:04]
<ayoung> jdennis, external was the term used before federation [21:04]
<lbragstad> s/a/all/ [21:04]
<ayoung> that has my fingerprints on it, and was a way of saying "authenticated by HTTPD" but the user data was directly accessible, so think Kerberos and LDAP [21:04]
<ayoung> or X509 and LDAP, or even, potentially basic auth.  But that last was never done. [21:05]
<ayoung> Federation kind of took over there, and we decided that all external stuff could be done with Federation. [21:05]
<jdennis> lbragstad, ayoung: so to put this in context, I'm trying to write a security document that discusses PCI-DSS compliance, I've looked at all the Keystone docs on this topic and there are still unanswered questions, what I'm stuck on now is Requirement 8.1.3, "Immediately revoke access for any terminated users", it's not entirely clear to me this is enforced [21:07]
<lbragstad> by terminated - do you mean deleted? [21:07]
<lbragstad> or disabled? [21:07]
<ayoung> jdennis, ok, let's put LDAP aside for a moment [21:07]
<ayoung> if the user is stored in the Keystone Database we can do that. If the user is stored in a Federated store, we cannot [21:08]
<ayoung> LDAP....we kind of really can't either [21:08]
<lbragstad> keep in mind pci-dss support was written with sql in the for front [21:08]
<ayoung> For Federated/LDAP the best we can do is let tokens expire [21:08]
<lbragstad> fore front* [21:08]
<ayoung> Now, if we went with 5 minute tokens like I wanted to years ago.... [21:09]
<jdennis> lbragstad: I believe you can use any combination of actions to achieve this, so I assume it would be delete the user and revoke any tokens he has [21:09]
<ayoung> so that might be one way we could do it, but we would have to make sure that any nontrivial operation worked with service tokens [21:09]
<lbragstad> jdennis: yeah - for sql a termination (being disabling the user or deleting the user) the tokens associated to that user will be considered revoked [21:09]
<ayoung> if you deactivate a user, delete her, or change her password, all of her tokens are immediately revoked [21:09]
<ayoung> she can perform no new operations [21:10]
<ayoung> if you disable or delete, all trusts she set up are also deactivated [21:10]
* ayoung hopes that is true of app creds. Have to confirm with lbragstad and cmurphy [21:10]
<lbragstad> it is [21:10]
<lbragstad> app creds are purged if the user is disabled or deleted [21:10]
<jdennis> but there are two caveats though, right? Client token caching must be disabled and it does not apply to service accounts [21:11]
<lbragstad> jdennis: yeah - this is keeping online validation in mind, so hopefully mitigated by short lived caches [21:11]
<lbragstad> but still a margin for error there if you are caching for any length of time [21:12]
<lbragstad> (client side that is) [21:12]
<ayoung> edmondsw looked in, saw this convo, and fled.... [21:14]
<ayoung> jdennis, I guess it would be possible for a remote system that sends out notifications to disable a user, so it might be beyond a Keystone boundary to meet compliance [21:21]
<edmondsw> oh, you don't want me in that convo... I would tell you that even revoking tokens doesn't take effect immediately because of caching [21:22]
<edmondsw> I see jdennis came to the same conclusion [21:24]
<edmondsw> (now that eavesdrop has caught up) [21:26]
<lbragstad> yup [21:28]
<edmondsw> the clients used to check a revocation list, but that got whacked :( [21:31]
<edmondsw> casualty of the PKI removal... it wasn't PKI-specific, but some of the comments made it sound like it was, and... [21:31]
<ayoung> edmondsw, heh [22:09]
<ayoung> speak of the devil and he shall appear.  We used to call termie "He who must not be named in IRC" [22:09]
<edmondsw> ayoung :) [22:09]
<ayoung> edmondsw, so I wonder what the PCI-DSS definition of Immediate is.  Does 5 minutes lag count? [22:10]
<edmondsw> ayoung if they have a definition :) [22:11]
<ayoung> Heh [22:11]
<edmondsw> argue that if you really had to make it truly immediate you can take the system offline for 5 min? ;) [22:12]
<ayoung> Ha [22:12]
<aning> Hi guys, here is my question I posted to openstack ... [22:14]
<aning> question, starting from Ocata, the keystone "user" table seems to be obsolete and I can see all users are in local_user table, but "user" table is still there, why that? [22:15]
<aning> The reason I'm asking is that, when upgrading from Newton to Ocata, in 014_contract_add_domain_id_to_user_table.py, it adds ForeignKeyConstraints to local_user table, with reference to "user" table [22:15]
<aning> How could this work? [22:15]
<ayoung> aning, not obsolute [22:16]
<ayoung> obsolete [22:16]
<ayoung> it's for recording Federated users [22:16]
<cmurphy> it's a converged view of local users, federated users, and ldap users [22:17]
<ayoung> but users stored in the sql backend get users too [22:17]
<aning> Ok, it is reserved for federated user if I'm not using federated auth. [22:18]
<lbragstad> ayoung: our context -> authorization stuff is confusing [22:18]
<lbragstad> ayoung: if i want to pull things out of the token model to populate in the context object, do i do that in auth/middleware.py? [22:19]
<cmurphy> aning: the federated_users table is just for federated users but the users table is for all users [22:19]
<aning> In my deployment, the "user" table is empty [22:19]
<aning> services users are in local_user table. [22:20]
<aning> I should see all users with domain_id in the "user" table as well? [22:21]
* cmurphy goes to check devstack [22:21]
<eandersson> lbragstad, could we re-evaluate this as a quick fix for templated v3 catalogs? https://review.openstack.org/#/c/482364/ [22:21]
<eandersson> templated still hasn't been marked as deprecated afaik [22:21]
<lbragstad> eandersson: you're right - you can go ahead and restore it [22:22]
<lbragstad> we didn't find someone jumping at the bit to implement the yaml stuff yet [22:22]
<lbragstad> so we should at least fix that in the mean time [22:22]
<eandersson> Yep [22:22]
<lbragstad> thanks for the reminder [22:22]
<eandersson> Thanks [22:22]
<openstackgerrit> Erik Olof Gunnar Andersson proposed openstack/keystone master: Fixing multi-region support in templated v3 catalog https://review.openstack.org/482364 [22:23]
<cmurphy> aning: i have CONSTRAINT `local_user_user_id_fkey` FOREIGN KEY (`user_id`, `domain_id`) REFERENCES `user` (`id`, `domain_id`) ON DELETE CASCADE ON UPDATE CASCADE so i'm not sure how your user table could be empty [22:27]
<cmurphy> hrybacki: hi can we please make https://trello.com/b/Vo6dRALh/keystone-queens-retrospective public? [23:02]
<eandersson> lbragstad, are you okay with just adding two more regions to the existing tests? [23:07]
<lbragstad> sure - i'm not sure how much refactoring you'll have to do to get that to work - but maybe a new multiregion test case that uses a multi-region templated catalog? [23:07]
<lbragstad> i gotta step out for a bit - but i'll be on later (hoping to catch jamielennox if i'm lucky to talk about oslo.context) [23:11]
<jamielennox> lbragstad: it's 10:15 i'm around [23:12]
<cmurphy> lol [23:13]
<jamielennox> lbragstad: i had read your retro and wanted to mention that i did a fair bit of work around requiring certain policy attributes [23:13]
<lbragstad> ahh - i'm just trying to figure out how to add system scope to the context properties so that i can get it into the policy creds dictionary [23:26]
* lbragstad has to run to fire training [23:27]
<lbragstad> i should be back in a couple hours though [23:27]
<jdennis> fire drill? [23:27]
<lbragstad> pretty much :) [23:28]
<lbragstad> fire 1 & 2 training for the fire dept [23:28]
<jdennis> you're hot stuff [23:28]
<lbragstad> i think they'd be surprised at how many fire drills we deal with a day ;) [23:28]
<lbragstad> jamielennox: i'll see if i can catch you in a few hours? [23:30]
<jamielennox> i should be around, i'm out for the next say 2.5 hours, but after should be ok [23:31]
<openstackgerrit> Erik Olof Gunnar Andersson proposed openstack/keystone master: Fixing multi-region support in templated v3 catalog https://review.openstack.org/482364 [23:40]
<adriant> lbragstad: not sure if actually a bug.. but when doing role assignment list with include_names, and one of the assignments is a domain assignment, I'm getting a 400 [23:43]
<adriant> "openstack role assignment list --role test" works, but "openstack role assignment list --role test --names" throws a 400 [23:44]
<eandersson> lbragstad, it's a bit hacky, but does what it is supposed to at least :D let me know if you have any better suggestion [23:44]
<adriant> lbragstad, and I'll add a blueprint for this, it would be nice for the project list API to have an include_domains filter, rather than having to do two API calls to get a full list of projects. [23:45]
<adriant> lbragstad: yep, role assignment list with include_names when there is a domain level assignment is broken in my devstack (built from master 2 days ago) [23:56]
