Wednesday, 2018-03-14

*** germs has quit IRC		00:15
*** germs has joined #openstack-keystone		00:17
*** gyee has quit IRC		00:20
*** germs has quit IRC		00:32
*** germs has joined #openstack-keystone		00:42
*** germs has quit IRC		00:42
*** germs has joined #openstack-keystone		00:42
*** Dinesh_Bhor has joined #openstack-keystone		00:47
*** germs has quit IRC		00:48
*** germs has joined #openstack-keystone		00:49
*** Dinesh_Bhor has quit IRC		00:51
*** germs has quit IRC		00:53
*** odyssey4me has quit IRC		00:53
*** odyssey4me has joined #openstack-keystone		00:53
*** Dinesh_Bhor has joined #openstack-keystone		00:54
*** Dinesh__Bhor has joined #openstack-keystone		00:59
*** Dinesh__Bhor has quit IRC		00:59
*** Dinesh_Bhor has quit IRC		01:00
*** r-daneel has quit IRC		01:02
*** Dinesh_Bhor has joined #openstack-keystone		01:02
Dinesh_Bhor	cmurphy: Hi, you there? Thank you for reviewing the patch: https://review.openstack.org/#/c/267456/	01:04
*** oikiki has quit IRC		01:07
*** itlinux has quit IRC		01:12
*** harlowja has quit IRC		01:20
*** edmondsw has joined #openstack-keystone		01:25
*** gongysh has quit IRC		01:27
*** edmondsw has quit IRC		01:29
*** ionel has quit IRC		01:31
*** gongysh has joined #openstack-keystone		01:39
lbragstad	kmalloc: ayoung .... what happened?	01:40
lbragstad	the scrollback is ridiculous	01:40
lbragstad	about the hmt bits...	02:02
lbragstad	if project A has children B and C	02:02
lbragstad	if i get a token scoped to A and list all servers, I should be able to see servers in A, B, and C	02:02
lbragstad	but that does require nova to callback to keystone to understand the tree structure	02:02
lbragstad	or at least iterate through a list of projects and return the servers owned by them	02:03
lbragstad	the advantage is that it helps introduce granularity in the APIs that might actually get used by end-users (versus just operators)	02:04
lbragstad	wxy: o/	02:04
wxy	lbragstad: hi, online now. wake up late this morning.	02:06
lbragstad	wxy: ha - it happens	02:07
lbragstad	wxy: is it 9:00 AM there?	02:07
lbragstad	or 8:00AM?	02:07
wxy	lbragstad: 10:00 AM	02:07
wxy	lol	02:07
lbragstad	"off by 1" errors	02:08
wxy	anything I can help?	02:08
lbragstad	just wanted to check in - we made some updates to the trello board during office hours	02:08
lbragstad	(not sure if you've parsed it yet)	02:08
wxy	thanks for reminding me. I'll check it later.	02:09
lbragstad	i know we talked a bit earlier about splitting up the token provider API refactor, are you still interested in that as a precursor to the JWT work?	02:12
wxy	lbragstad: hmm, so I have some works on yaml catalog, limit description, token provider refactor and help you to enhance unified limit and oslo.limit.	02:13
wxy	lbragstad: that's sound good.	02:13
lbragstad	wxy: you're ambitious :)	02:13
lbragstad	the token provider refactor is still a bit of a mess	02:14
wxy	lbragstad: It' my pleasure to help upstream work and you guys trust me.	02:14
lbragstad	i	02:15
lbragstad	i'll make a point to sit down with https://review.openstack.org/#/c/545450/ tomorrow and work through it a bit more	02:15
lbragstad	i'll see if i can split it into pieces that are easier to review	02:16
wxy	cool. it's a good start.	02:16
lbragstad	i think so, too	02:17
lbragstad	i know knikolla was interested in that work as well	02:17
wxy	We may work together to make it perfect.	02:19
lbragstad	++	02:19
lbragstad	hey - how was your trip back home?	02:19
lbragstad	did you hit any issues with travel?	02:19
openstackgerrit	wangxiyuan proposed openstack/keystone master: Deprecate the templated catalog https://review.openstack.org/482714	02:20
openstackgerrit	wangxiyuan proposed openstack/keystone master: [WIP]Add yaml-loaded filesystem catalog backend https://review.openstack.org/483514	02:20
*** germs has joined #openstack-keystone		02:20
*** germs has quit IRC		02:20
*** germs has joined #openstack-keystone		02:20
openstackgerrit	wangxiyuan proposed openstack/keystone master: [WIP]Add yaml-loaded filesystem catalog backend https://review.openstack.org/483514	02:20
wxy	I was blocked at Frankfurt. But just delayed a few hours fortunately.	02:21
lbragstad	did you fly direct from Frankfurt to China?	02:22
wxy	yeah, to BeiJing, then to Xi'An	02:22
lbragstad	oh - cool	02:23
lbragstad	so you made it back when you expected to	02:23
lbragstad	that's good	02:23
wxy	;)	02:23
*** r-daneel has joined #openstack-keystone		02:26
*** Dinesh_Bhor has quit IRC		02:27
*** pcichy has quit IRC		02:28
*** Dinesh_Bhor has joined #openstack-keystone		02:30
*** AlexeyAbashkin has joined #openstack-keystone		02:36
*** AlexeyAbashkin has quit IRC		02:40
*** germs has quit IRC		02:43
*** germs has joined #openstack-keystone		02:43
*** germs has quit IRC		02:43
*** germs has joined #openstack-keystone		02:43
*** germs has quit IRC		02:48
*** Dinesh_Bhor has quit IRC		02:52
*** Dinesh_Bhor has joined #openstack-keystone		02:52
*** Dinesh_Bhor has quit IRC		02:58
*** Dinesh_Bhor has joined #openstack-keystone		03:00
*** edmondsw has joined #openstack-keystone		03:14
*** gongysh has quit IRC		03:17
*** edmondsw has quit IRC		03:18
*** nicolasbock has quit IRC		03:26
*** AlexeyAbashkin has joined #openstack-keystone		03:36
*** AlexeyAbashkin has quit IRC		03:40
*** david-lyle has joined #openstack-keystone		03:55
*** gongysh has joined #openstack-keystone		04:00
*** Dinesh_Bhor has quit IRC		04:07
*** namnh has joined #openstack-keystone		04:09
*** harlowja has joined #openstack-keystone		04:12
*** abhi89 has joined #openstack-keystone		04:15
*** dave-mccowan has quit IRC		04:17
*** links has joined #openstack-keystone		04:22
ayoung	lbragstad, had to shovel snow. Kicked my ass. 2 feet.	04:26
ayoung	lbragstad, yeah, the issue is that if we go with Morgan's plan, I can't see a way to close out 968696 in a timely manner, and I was kindof gobsmacked by that.	04:27
ayoung	And with that, I am going to bed.	04:27
*** karthi has joined #openstack-keystone		04:39
*** harlowja has quit IRC		04:40
*** Dinesh_Bhor has joined #openstack-keystone		04:42
*** igrcafii has joined #openstack-keystone		04:50
*** igrcafii has quit IRC		04:52
*** Dinesh_Bhor has quit IRC		04:57
*** Dinesh_Bhor has joined #openstack-keystone		05:00
openstackgerrit	Dinesh Bhor proposed openstack/python-keystoneclient master: Add Response class to return request-id to caller https://review.openstack.org/329913	05:01
openstackgerrit	Dinesh Bhor proposed openstack/python-keystoneclient master: Add return-request-id-to-caller function(v3) https://review.openstack.org/267456	05:01
*** karthi has quit IRC		05:04
*** karthi has joined #openstack-keystone		05:05
*** karthi has quit IRC		05:09
*** Dinesh_Bhor has quit IRC		05:17
*** karthi has joined #openstack-keystone		05:22
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone master: Updated from global requirements https://review.openstack.org/551493	05:33
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone-tempest-plugin master: Updated from global requirements https://review.openstack.org/551494	05:33
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystoneauth master: Updated from global requirements https://review.openstack.org/549536	05:33
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystonemiddleware master: Updated from global requirements https://review.openstack.org/551495	05:33
*** abhi89 has quit IRC		05:48
*** karthi has quit IRC		06:03
*** karthi has joined #openstack-keystone		06:11
*** karthi has quit IRC		06:15
*** karthi has joined #openstack-keystone		06:18
*** pcichy has joined #openstack-keystone		06:21
*** Dinesh_Bhor has joined #openstack-keystone		06:35
*** dims has quit IRC		06:41
*** dims has joined #openstack-keystone		06:43
*** dims has quit IRC		06:48
*** dims has joined #openstack-keystone		06:49
*** edmondsw has joined #openstack-keystone		06:50
*** pcichy has quit IRC		06:52
*** edmondsw has quit IRC		06:54
*** abhi89 has joined #openstack-keystone		07:03
*** pcaruana has joined #openstack-keystone		07:04
*** karthi has quit IRC		07:15
*** Dinesh_Bhor has quit IRC		07:15
*** karthi has joined #openstack-keystone		07:15
*** Dinesh_Bhor has joined #openstack-keystone		07:16
*** Dinesh_Bhor has quit IRC		07:20
*** Dinesh_Bhor has joined #openstack-keystone		07:27
*** Dinesh_Bhor has quit IRC		07:37
*** karthi has quit IRC		07:38
*** martinus__ has joined #openstack-keystone		07:38
*** karthi has joined #openstack-keystone		07:38
*** AlexeyAbashkin has joined #openstack-keystone		07:57
*** karthi has quit IRC		08:10
*** tesseract has joined #openstack-keystone		08:14
*** karthi has joined #openstack-keystone		08:16
*** Dinesh_Bhor has joined #openstack-keystone		08:17
*** hoonetorg has quit IRC		08:30
*** karthi has quit IRC		08:33
*** edmondsw has joined #openstack-keystone		08:38
*** Dinesh_Bhor has quit IRC		08:38
*** edmondsw has quit IRC		08:43
*** hoonetorg has joined #openstack-keystone		08:44
*** karthi has joined #openstack-keystone		09:03
*** Dinesh_Bhor has joined #openstack-keystone		09:15
*** Dinesh_Bhor has quit IRC		09:16
*** Dinesh_Bhor has joined #openstack-keystone		09:21
*** gongysh has quit IRC		09:22
*** karthi has quit IRC		09:24
openstackgerrit	wangxiyuan proposed openstack/keystone master: Add yaml-loaded filesystem catalog backend https://review.openstack.org/483514	09:24
*** karthi has joined #openstack-keystone		09:24
*** Dinesh_Bhor has quit IRC		09:30
*** karthi has quit IRC		09:43
*** namnh has quit IRC		10:00
*** rcernin has quit IRC		10:13
*** karthi has joined #openstack-keystone		10:14
*** karthi has quit IRC		10:22
*** karthi has joined #openstack-keystone		10:23
*** nicolasbock has joined #openstack-keystone		10:25
*** edmondsw has joined #openstack-keystone		10:26
*** karthi has quit IRC		10:29
*** jmlowe has quit IRC		10:30
*** edmondsw has quit IRC		10:31
*** karthi has joined #openstack-keystone		10:32
openstackgerrit	Johannes Grassler proposed openstack/keystone-specs master: Add whitelist-extension-for-app-creds https://review.openstack.org/396331	10:39
*** belmoreira has joined #openstack-keystone		10:56
*** panbalag has quit IRC		10:58
*** HW-Peter has quit IRC		11:22
*** jmlowe has joined #openstack-keystone		11:23
*** jmlowe has quit IRC		11:27
*** karthi has quit IRC		11:28
*** karthi has joined #openstack-keystone		11:36
*** karthi has quit IRC		11:38
*** raildo has joined #openstack-keystone		12:07
*** zhongjun has quit IRC		12:14
*** edmondsw has joined #openstack-keystone		12:24
*** dave-mccowan has joined #openstack-keystone		12:32
*** panbalag has joined #openstack-keystone		12:37
*** karthi has joined #openstack-keystone		12:45
*** odyssey4me has quit IRC		12:47
*** odyssey4me has joined #openstack-keystone		12:47
*** r-daneel has quit IRC		12:53
*** edmondsw_ has joined #openstack-keystone		12:55
*** edmondsw has quit IRC		12:58
*** spilla has joined #openstack-keystone		13:01
*** felipemonteiro_ has joined #openstack-keystone		13:23
*** edmondsw_ is now known as edmondsw		13:27
lbragstad	morning	13:27
*** karthi has quit IRC		13:31
gagehugo	o/	13:51
*** felipemonteiro_ has quit IRC		13:51
*** zhongjun has joined #openstack-keystone		13:53
gagehugo	docs building seems broken	14:01
lbragstad	yep	14:02
wxy	Sphinx v1.6.7 lead the error	14:06
wxy	if a package only contain __init__.py, it will be ignored to generate the toc.	14:07
lbragstad	in case anyone is interested in the oslo.limit proposal - https://review.openstack.org/#/c/552907/2	14:08
wxy	keystone.contrib, keysotne.tests and keystone.tests.unit.contrib have this problem.	14:09
*** karthi has joined #openstack-keystone		14:14
lbragstad	trying to recreate locally	14:19
lbragstad	is this the failure everyone else is getting - v	14:25
lbragstad	http://paste.openstack.org/show/700937/	14:25
wxy	lbragstad: yeah, it's the error.	14:26
lbragstad	is there a way to tell sphinx not to ignore those?	14:34
wxy	lbragstad: I'm checking the code, but seems no way IMO.	14:35
wxy	https://github.com/sphinx-doc/sphinx/blob/v1.6.7/sphinx/apidoc.py	14:35
*** germs has joined #openstack-keystone		14:35
*** germs has quit IRC		14:35
*** germs has joined #openstack-keystone		14:35
*** wes_dillingham has joined #openstack-keystone		14:39
*** mvk has quit IRC		14:40
*** felipemonteiro_ has joined #openstack-keystone		14:49
knikolla	o/	14:50
*** felipemonteiro__ has joined #openstack-keystone		14:51
gagehugo	lbragstad yeah	14:51
lbragstad	we didn't consume a major version of sphinx did we?	14:53
lbragstad	doesn't look like it	14:53
*** germs has quit IRC		14:55
*** felipemonteiro_ has quit IRC		14:55
*** mvk has joined #openstack-keystone		14:55
*** ayoung has quit IRC		15:08
*** itlinux has joined #openstack-keystone		15:12
*** germs has joined #openstack-keystone		15:13
*** germs has quit IRC		15:14
*** germs has joined #openstack-keystone		15:15
*** germs has quit IRC		15:15
*** germs has joined #openstack-keystone		15:15
*** links has quit IRC		15:18
*** ayoung has joined #openstack-keystone		15:20
*** wes_dillingham has quit IRC		15:22
ayoung	lbragstad, so I see you noticed the long convo between me and Morgan	15:27
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Update modules to contain core.py for Sphinx https://review.openstack.org/552925	15:27
lbragstad	not sure if ^ is the right fix... but we'll need to refactor a few modules in order for Sphinx to work properly	15:27
ayoung	question: what should a service scoped token be able to do on Nova?	15:27
ayoung	because right now, an admin token can do a lot, like cross project operations	15:28
ayoung	and I think that people are building on top of that	15:28
lbragstad	service scoped token in that "you have the admin role on the compute service in regionOne"?	15:28
lbragstad	or like nova's service account	15:29
ayoung	lbragstad, the first	15:29
ayoung	system scoped	15:29
ayoung	the new stuff	15:29
lbragstad	so - i would think that would be all system scoped operations for nova	15:29
lbragstad	for example	15:30
lbragstad	if i give ayoung the admin role on the compute service, you should be able to generate system-scoped tokens that allow you to execute all of nova's system-level APIs	15:30
ayoung	what about list-servers and delete-server?	15:30
lbragstad	but i should be able to give kmalloc the admin role on the storage service, so that he can execute all of cinder's system-level APIs	15:30
lbragstad	those are project-scoped operations	15:31
lbragstad	i can't remember what level of RBAC that pertains to from the NIST documentation, level 3 or 4 i think	15:31
lbragstad	where you separate and disperse administrative actions across a set of users	15:32
*** wes_dillingham has joined #openstack-keystone		15:33
*** felipemonteiro__ has quit IRC		15:34
gagehugo	lbragstad I thought it looked like the issue was fixed in 1.7.1	15:35
gagehugo	from the link wxy posted	15:35
*** felipemonteiro__ has joined #openstack-keystone		15:35
gagehugo	https://github.com/sphinx-doc/sphinx/commit/83f30712b8affef9c5bc6bcc52c4d70797856ece	15:35
lbragstad	https://github.com/sphinx-doc/sphinx/commit/83f30712b8affef9c5bc6bcc52c4d70797856ece	15:36
lbragstad	ah - beat me to it	15:36
lbragstad	nice, so maybe we just upgrade to 1.7.1?	15:36
lbragstad	and blacklist 1.6.7	15:36
gagehugo	maybe	15:38
gagehugo	wonder if sphinx is capped currently?	15:38
lbragstad	looks like it - https://github.com/openstack/requirements/blob/master/upper-constraints.txt#L354	15:41
lbragstad	looks like https://review.openstack.org/#/c/552806/ proposes a bump	15:42
lbragstad	to 1.7.1	15:42
ayoung	lbragstad, so the question is what do we do about all of the third party apps out there that do things with "admin scoped to project" on dehalf of another user? Stuff that should never have been allowed, but is now the norm	15:53
ayoung	I think we CloudForms, we can get away with using HMT, but that is kindof by luck	15:53
ayoung	list all projects on the server uses an admin token, but actual operations that change state use a (properly scoped) project token	15:54
ayoung	not sure if this is the case elsewhere	15:54
ayoung	but it was things like this that had the hack in is_admin_project that allowed it to always be set...gave a transition plan	15:54
lbragstad	ideally - we don't want that behavior, right?	16:01
*** felipemonteiro_ has joined #openstack-keystone		16:01
*** felipemonteiro_ has quit IRC		16:02
*** felipemonteiro_ has joined #openstack-keystone		16:03
*** felipemonteiro__ has quit IRC		16:04
*** felipemonteiro__ has joined #openstack-keystone		16:06
*** felipemonteiro_ has quit IRC		16:09
lbragstad	wxy: gagehugo Sphinx 1.6.5 doesn't seem to have that behavior	16:15
lbragstad	https://review.openstack.org/#/c/552100/	16:15
lbragstad	actually - wrong link	16:15
lbragstad	https://review.openstack.org/#/c/552955/1	16:15
*** r-daneel has joined #openstack-keystone		16:15
gagehugo	lbragstad yeah I got the same result	16:15
lbragstad	looks like updating to 1.7.1 isn't feasible	16:15
lbragstad	because it depends on a new version of pbr	16:16
gagehugo	does doc/requirements.txt not get used?	16:16
lbragstad	and there are apparently issues there	16:16
gagehugo	oh global-requrements.txt	16:16
lbragstad	yeah	16:16
gagehugo	something was overriding doc/requirements.txt	16:16
lbragstad	that should go through and propose an update to our doc/requirements.txt i think	16:16
lbragstad	https://github.com/openstack/keystone/blob/master/doc/requirements.txt#L7 needs to get updated	16:17
lbragstad	or it should get updated once the g-r patch merges	16:17
cmurphy	is this https://github.com/sphinx-doc/sphinx/issues/4446 ? i guess they released a new version without fixing that?	16:18
gagehugo	cmurphy yeah	16:19
lbragstad	dhellmann proposed a fix - https://github.com/sphinx-doc/sphinx/commit/83f30712b8affef9c5bc6bcc52c4d70797856ece	16:19
lbragstad	which appears to be in version 1.7.1	16:19
lbragstad	not sure why that doesn't close #4446	16:20
*** felipemonteiro__ has quit IRC		16:20
lbragstad	oh - nevermind	16:21
lbragstad	i think it does	16:21
lbragstad	it should - just not linked directly i don't think?	16:21
*** karthi has quit IRC		16:27
*** AlexeyAbashkin has quit IRC		16:30
*** karthi has joined #openstack-keystone		16:35
lbragstad	grabbing lunch	16:39
*** karthi has quit IRC		16:44
*** sapd_ has joined #openstack-keystone		17:01
*** sapd has quit IRC		17:05
*** pcaruana has quit IRC		17:18
*** ayoung has quit IRC		17:21
openstackgerrit	Pavlo Shchelokovskyy proposed openstack/keystone master: Allow to block self-service password change https://review.openstack.org/552988	17:32
*** abhi89 has quit IRC		17:36
*** panbalag has left #openstack-keystone		17:49
*** itlinux has quit IRC		17:50
*** links has joined #openstack-keystone		17:57
*** itlinux has joined #openstack-keystone		17:58
*** gyee has joined #openstack-keystone		18:05
*** AlexeyAbashkin has joined #openstack-keystone		18:07
*** harlowja has joined #openstack-keystone		18:11
*** AlexeyAbashkin has quit IRC		18:11
*** felipemonteiro_ has joined #openstack-keystone		18:12
*** felipemonteiro__ has joined #openstack-keystone		18:15
*** felipemonteiro_ has quit IRC		18:19
*** felipemonteiro__ has quit IRC		18:30
*** felipemonteiro__ has joined #openstack-keystone		18:30
*** mvk has quit IRC		18:41
*** itlinux has quit IRC		18:57
*** itlinux_ has joined #openstack-keystone		18:57
jdennis	per user auth (A.K.A. multi-factor auth) was added in Ocata. Do I understand correctly in order to enforce MFA the MFA rules need to be explicitly set for each user as opposed to a site-wide MFA configuration with the per user auth providing an exception for the site-wide MFA policy?	19:07
*** mvk has joined #openstack-keystone		19:09
*** idlemind has joined #openstack-keystone		19:14
jdennis	lbragstad: ^^^	19:15
lbragstad	jdennis: yes - unfortunately	19:15
lbragstad	there was some usability issues with policy/rbac and MFA	19:15
jdennis	lbragstad: thanks, are there any plans for a site wide policy?	19:16
lbragstad	because technically you'd need to have an administrator to update the user secrets	19:16
lbragstad	technically - that'd be something that we should fix by including a scope check in code	19:16
lbragstad	adriant: was working on some of that stuff	19:16
lbragstad	i think https://bugs.launchpad.net/keystone/+bug/1750678 was part of that problem	19:16
openstack	Launchpad bug 1750678 in OpenStack Identity (keystone) "The ec2 credential API should account for different scopes" [High,Triaged]	19:16
lbragstad	another example - https://github.com/openstack/keystone/blob/68df7bf1f3b3d6ab3f691f59f1ce6de6b0b1deab/keystone/common/policies/credential.py#L21-L31	19:18
*** tesseract has quit IRC		19:20
kmalloc	jdennis: we don't have site-wide scheduled, but it could be implemneted, it would need to allow for the current system to override site-wide	19:22
lbragstad	yeah - technically a user should be able to update their own credential secrets	19:23
kmalloc	jdennis: the key was we wanted to land the base functionality first before site-wide - hitting the initial use-case	19:23
jdennis	lbragstad, kmalloc: thanks	19:23
lbragstad	but right now the policies aren't that smart :(	19:23
kmalloc	i would not be opposed to a site-wide setup if someone wants to help contribute.	19:23
kmalloc	but it absolutely needs to address cases for users (service users) that cannot have MFA.	19:23
kmalloc	which was the main sticking point to starting with site-wide first.	19:24
jdennis	kmalloc: but I though we had an per user mfa exception	19:24
kmalloc	right now we have per-user	19:24
kmalloc	the option when we implemented it was per-user or site-wide, just due to code bandwidth	19:24
kmalloc	we opted for per-user since that is more functional	19:25
kmalloc	(it was driven by the need for the user-option mechanism in SQL)	19:25
kmalloc	so, now we could do a site-wide with the current system overriding (and/or add a mechanism to disable)	19:25
kmalloc	or a way to flag groups of users with say MFA rules.	19:26
kmalloc	(vs. site-wide)	19:26
jdennis	kmalloc: what I was trying to get at was your comment "needs to address cases for users (service users) that cannot have MFA", and I thought we had an exception mechanism for that today	19:26
kmalloc	tl;dr, we opted for base use of enable per user to start. Someone is welcome to contribute enhancemnets :)	19:26
kmalloc	right, today the default is no MFA rules.	19:26
kmalloc	so service users are by default exempted. if we implement a site wide, we need to still maintain that exemption	19:27
kmalloc	service users are fundamentally just users and could have MFA rules.	19:27
kmalloc	but it would be a bad idea :P	19:27
*** links has quit IRC		19:34
*** panbalag has joined #openstack-keystone		19:38
*** itlinux_ has quit IRC		19:40
*** itlinux has joined #openstack-keystone		19:52
*** ayoung has joined #openstack-keystone		20:08
*** Supun has joined #openstack-keystone		20:12
*** jmlowe has joined #openstack-keystone		20:35
*** AlexeyAbashkin has joined #openstack-keystone		20:36
knikolla	per domain mfa options?	20:36
kmalloc	knikolla: sure.	20:36
kmalloc	that'd be fine	20:36
kmalloc	as long as user options override.	20:36
*** raildo has quit IRC		20:38
*** Supun has quit IRC		20:39
*** AlexeyAbashkin has quit IRC		20:40
openstackgerrit	Nicolas Helgeson proposed openstack/python-keystoneclient master: Extends tags comparator support to KSC https://review.openstack.org/525792	20:41
*** wes_dillingham has quit IRC		20:44
*** idlemind_ has joined #openstack-keystone		20:44
*** idlemind_ has quit IRC		20:44
*** idlemind has quit IRC		20:44
aning	cmurphy: Bug #1755906 has been created for the upgrade keystone DB deadlock issue during db_sync --contract	20:45
openstack	bug 1755906 in OpenStack Identity (keystone) "Occasional deadlock during db_sync --contract during Newton to Pike live upgrade" [Undecided,New] https://launchpad.net/bugs/1755906	20:45
aning	Cool, the bug popped up here by itself :)	20:46
gagehugo	magic!	20:51
gagehugo	lbragstad tags question	20:51
gagehugo	if I have 2 projects: p1 with tags:["red", "blue"] and p2 with tags:["red", "blue", "green"]	20:52
gagehugo	and I do GET keystone/v3/projects?tags=red,blue	20:52
gagehugo	should only p1 be returned (exact match) or p1 & p2 (subset match)	20:53
lbragstad	i thought the tags qp only filtered exact matching sets	20:53
lbragstad	so just p1 would be returned?	20:53
lbragstad	but tags_any=red,blue would return both	20:54
kmalloc	that was my understanding too lbragstad	20:55
openstackgerrit	Nicolas Helgeson proposed openstack/keystone master: Extend comparator support for project list by tags https://review.openstack.org/523499	20:55
gagehugo	hmm	20:55
lbragstad	does it not work that way?	20:56
gagehugo	right now keystone does exact	20:56
gagehugo	https://specs.openstack.org/openstack/api-wg/guidelines/tags.html#filtering-and-searching-by-tags	20:56
lbragstad	for tags=red,blue ?	20:57
gagehugo	yes	20:57
lbragstad	isn't that working as designed then?	20:57
gagehugo	the question I have is should it be exact vs subset	20:57
lbragstad	tags_any should be subset, right?	20:58
lbragstad	if i use tags=red,blue i want a list of all projects with only those tags	20:58
lbragstad	if i use tags_any=red,blue i want a list of all projects with that set of tags as a subset or complete set	20:58
gagehugo	tags-any would return all projects with red OR blue, not just both though	21:00
lbragstad	mmm	21:01
gagehugo	so p3 with tags: ["red" "green"] would be included	21:02
lbragstad	right	21:02
gagehugo	ok	21:03
*** wes_dillingham has joined #openstack-keystone		21:03
lbragstad	should it include subsets?	21:03
gagehugo	I think there was some concern about potential ambiguity in the api-wg spec	21:04
lbragstad	so - does that mean keep tags from returning subsets?	21:05
gagehugo	I wonder what nova does	21:05
lbragstad	i assume strict checking with tags (versus tags-any) would mitigate concerns about ambiguity	21:07
lbragstad	if i want ambiguity, i should use tags-any..	21:07
lbragstad	if i want exact matches, i should use tags	21:07
*** rcernin has joined #openstack-keystone		21:08
gagehugo	that's what I assume	21:12
*** jessegler has joined #openstack-keystone		21:19
gagehugo	jessegler o/	21:19
gagehugo	the case is I want all projects with red AND blue, and if there are others I don't mind	21:23
jessegler	o/	21:23
jessegler	I'm coming in late to this party	21:23
jessegler	So, to recap, I think we've got a bug with the keystone tags. The spec says you can do: GET /v3/projects?tags=foo,bar&tags-any=red,blue	21:25
jessegler	And that you can get back: Example that returns any projects that have the “foo” and “bar” tags, plus at least one of “red” and “blue”.	21:25
jessegler	I think that implies that tags shouldn't be exact -- that it should be the superset or as @gagehugo said if there are others I don't mind	21:26
*** dave-mccowan has quit IRC		21:26
jessegler	Because otherwise you're AND'ing the set of projects that contain both 'foo' and 'bar' with the set of projects that contain 'red' or 'blue'	21:26
jessegler	And that's an empty set, because the left side would give you only projects that contain 'foo' and 'bar' and nothing else	21:27
jessegler	So they couldn't contain 'red' or 'blue'	21:27
jessegler	Make sense?	21:27
lbragstad	hmm	21:31
lbragstad	so - we'd need to loosen the tags query parameter to include subsets	21:32
lbragstad	or update the specification to say GET /v3/projects?tags=foo,bar,blue	21:32
lbragstad	or GET /v3/projects?tags=foo,bar,red	21:32
jessegler	That wouldn't solve @gagehugo's case though.	21:33
*** dave-mccowan has joined #openstack-keystone		21:33
gagehugo	hmm	21:34
jessegler	Eh, I don't think that would solve the issue?	21:34
jessegler	If you do tags=foo,bar,blue currently you'd only get back projects with [foo, bar, blue] (and no other tags)	21:35
lbragstad	it sounds like the bug is that the documentation expects tags to handle subsets	21:35
jessegler	I definitely agree that the documentation is not great here.	21:35
gagehugo	lol	21:35
jessegler	But I think exact tags is a weird user experience	21:35
jessegler	If I search for tags=red,blue I'd expect to get back all the projects that have red AND blue AND maybe some other tags	21:36
gagehugo	I would think subsets would allow for MORE exact if you just keep including more tags	21:36
lbragstad	that feels like it's also something that tags-any should do, too	21:36
jessegler	And maybe you could tell me to do tags-any=red,blue but then I'm getting projects that maybe just have red or just have blue	21:37
gagehugo	tags-any=red & tags-any=blue	21:37
jessegler	Hmmm	21:37
jessegler	That might work, but it doesn't match the example in the spec	21:38
lbragstad	right	21:38
lbragstad	the spec or documentation needs to be updated i think	21:38
lbragstad	or we update the implementation	21:39
jessegler	I think both?	21:39
jessegler	I think tags --> exact list is a weird user experience and shouldn't be the default.	21:39
*** itlinux has quit IRC		21:40
jessegler	If I'm searching for music, and I look for songs tagged "90s", I'd expect to get back all the songs with a "90s" tag, even if they were also tagged "pop" for instance.	21:40
jessegler	I'd argue that if we want an exact tag match, that's fine (maybe a little weird, but fine) but we should have like a "tags-exact" for it or something	21:41
*** edmondsw has quit IRC		21:41
lbragstad	you'd also get that by doing tags-any=90s	21:42
lbragstad	right?	21:42
jessegler	Currently you could.	21:42
jessegler	But, I think that the one parameter case is weird	21:43
lbragstad	i guess it depends on what we expect `tags` to actually mean	21:43
jessegler	I think for one parameter tags should be equivalent to tags-any	21:43
jessegler	And then for more parameters tags should AND the parameters	21:44
jessegler	And tags-any should OR them	21:44
jessegler	For one parameter there's nothing to AND or OR the single parameter against so comes out the same	21:44
*** belmoreira has quit IRC		21:45
jessegler	It also will make startswith/endswith/contains sane(r).	21:47
jessegler	If we have a project with a tag [happy]	21:47
jessegler	and we do tags__contains=app,y	21:48
jessegler	Are we looking for two tags? Or should we match that project?	21:48
*** martinus__ has quit IRC		21:55
lbragstad	are we consistent with other services?	21:56
jessegler	I can figure out what Nova is doing and get back to you?	21:57
lbragstad	sure	21:58
jessegler	Sounds good	21:58
openstackgerrit	ayoung proposed openstack/keystone-specs master: Add whitelist-extension-for-app-creds https://review.openstack.org/396331	22:07
jamielennox	lbragstad: hey, we never talked last week - did you figure out what you need/	22:08
*** felipemonteiro_ has joined #openstack-keystone		22:20
*** felipemonteiro__ has quit IRC		22:23
*** wes_dillingham has quit IRC		22:38
*** dave-mccowan has quit IRC		22:47
*** spilla has quit IRC		22:48
*** felipemonteiro_ has quit IRC		22:49
*** david-lyle has quit IRC		23:21
*** david-lyle has joined #openstack-keystone		23:26
*** david-lyle has quit IRC		23:28
*** david-lyle has joined #openstack-keystone		23:30
*** kmalloc has quit IRC		23:38
*** itlinux has joined #openstack-keystone		23:47
*** bigjools_ is now known as bigjools		23:59
*** bigjools has quit IRC		23:59
*** bigjools has joined #openstack-keystone		23:59

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!