Wednesday, 2018-05-02

« Tuesday, 2018-05-01 Index Thursday, 2018-05-03 »
*** empty_cup has quit IRC00:15
*** Dinesh_Bhor has joined #openstack-keystone00:22
*** markvoelker has quit IRC00:25
*** deepika08 has joined #openstack-keystone00:37
*** felipemonteiro has joined #openstack-keystone01:50
*** felipemonteiro has quit IRC01:56
*** dklyle has quit IRC01:57
*** david-lyle has joined #openstack-keystone01:57
*** masber has joined #openstack-keystone02:09
*** dave-mccowan has quit IRC02:13
*** wxy has joined #openstack-keystone02:16
*** gyee has quit IRC02:17
*** markvoelker has joined #openstack-keystone02:26
*** felipemonteiro has joined #openstack-keystone02:29
*** redrobot has quit IRC02:31
*** felipemonteiro has quit IRC02:37
*** panbalag has joined #openstack-keystone02:45
*** david-lyle has quit IRC02:45
*** deepika08 has quit IRC02:47
*** masuberu has joined #openstack-keystone02:52
*** masber has quit IRC02:52
*** markvoelker has quit IRC02:56
*** markvoelker has joined #openstack-keystone02:57
*** panbalag has quit IRC02:58
openstackgerritwangxiyuan proposed openstack/keystone master: Enable Foreign keys for sql backend unit test  https://review.openstack.org/55802903:01
openstackgerritwangxiyuan proposed openstack/keystone master: Enable foreign keys for test_v3_catalog  https://review.openstack.org/55819303:02
openstackgerritwangxiyuan proposed openstack/keystone master: Enable foreign keys for unit test  https://review.openstack.org/55819303:04
openstackgerritwangxiyuan proposed openstack/keystone master: [DNM] Enable FK for unit tests by default  https://review.openstack.org/55818503:05
*** sapd has quit IRC03:08
openstackgerritwangxiyuan proposed openstack/keystone master: Do not return all the limits for POST request.  https://review.openstack.org/55073603:10
openstackgerritwangxiyuan proposed openstack/keystone master: Unified limit update APIs Refactor  https://review.openstack.org/55955203:10
*** namnh has joined #openstack-keystone03:14
*** nicolasbock has quit IRC03:31
*** masuberu has quit IRC04:47
*** links has joined #openstack-keystone04:50
*** zeus has quit IRC05:04
*** belmoreira has joined #openstack-keystone05:22
*** dklyle has joined #openstack-keystone05:47
*** jaosorior has joined #openstack-keystone06:07
*** sapd has joined #openstack-keystone06:16
*** martinus__ has joined #openstack-keystone06:24
*** dklyle has quit IRC06:29
*** pcichy has joined #openstack-keystone06:29
*** pcichy has quit IRC06:39
*** jaosorior has quit IRC06:41
*** pcichy has joined #openstack-keystone06:41
*** annp has joined #openstack-keystone06:48
*** rcernin_ has joined #openstack-keystone06:50
*** rcernin has quit IRC06:51
*** rcernin_ has quit IRC07:05
*** tesseract has joined #openstack-keystone07:25
*** dklyle has joined #openstack-keystone07:34
*** belmoreira has quit IRC07:37
*** aloga has quit IRC07:52
*** aloga has joined #openstack-keystone07:52
*** belmoreira has joined #openstack-keystone08:01
*** pcaruana has joined #openstack-keystone08:08
*** belmoreira has quit IRC08:10
*** belmoreira has joined #openstack-keystone08:11
*** aloga has quit IRC08:21
*** vegarl has quit IRC08:43
*** vegarl has joined #openstack-keystone08:44
yankcrimethanks lbragstad - i'll take a look now08:46
*** Dinesh_Bhor has quit IRC08:48
*** namnh has quit IRC08:50
*** namnh has joined #openstack-keystone08:51
*** dklyle has quit IRC08:56
*** dklyle has joined #openstack-keystone09:15
*** belmoreira has quit IRC09:16
*** dklyle has quit IRC09:26
*** namnh has quit IRC09:55
*** namnh has joined #openstack-keystone09:56
*** namnh has quit IRC09:59
*** raildo has joined #openstack-keystone10:15
*** rabel has joined #openstack-keystone10:26
rabelhi there. can anyone explain role inheritance in openstack to me or provide a link where i could read it up?10:27
*** annp has quit IRC10:37
*** nicolasbock has joined #openstack-keystone10:42
*** belmoreira has joined #openstack-keystone11:02
*** r-daneel has quit IRC11:04
*** panbalag has joined #openstack-keystone11:06
*** panbalag has quit IRC11:06
*** jaosorior has joined #openstack-keystone11:08
*** r-daneel has joined #openstack-keystone11:11
*** jaosorior has quit IRC11:16
*** dklyle has joined #openstack-keystone11:25
*** mvk has quit IRC11:40
*** panbalag has joined #openstack-keystone11:43
*** panbalag has quit IRC11:45
*** dklyle has quit IRC11:50
*** edmondsw has joined #openstack-keystone12:13
*** edmondsw has quit IRC12:13
*** edmondsw has joined #openstack-keystone12:13
*** sonuk has joined #openstack-keystone12:27
*** alex_xu has quit IRC12:29
andreykurilinhi folks! I have a strange case. I'm trying to create a role 'Foo', keystone returns 409 error - 'duplicate entry found '.  But I cannot find role "Foo" while listing all roles. How this can be fixed? Any ideas?12:30
*** pcaruana has quit IRC12:30
lbragstadandreykurilin: is there a domain-specific role named 'Foo'?12:36
*** alex_xu has joined #openstack-keystone12:36
lbragstadrabel: role inheritance useful when you have projects in a tree structure of some kind12:36
lbragstadrabel: you can give users a role on one project, and have it inherit down the tree, so they get consistent authorization elsewhere in the tree wrt the node in the tree that has the assignment12:38
andreykurilinlbragstad: yes. "default" domain.12:41
andreykurilinlbragstad: `if "Foo" not in keystone.roles.list(domain="default"): keystone.roles.create(name="Foo", domain="default")` something like this12:43
lbragstadandreykurilin: checking to see if I can recreate12:43
*** panbalag has joined #openstack-keystone12:44
*** panbalag has left #openstack-keystone12:44
andreykurilinlbragstad: domains.list gives just one default domain12:45
*** belmoreira has quit IRC12:45
lbragstadhmm12:45
lbragstadthat's odd12:45
lbragstaddo you see a trace from the sql transaction in the logs?12:47
andreykurilinnot sure that I have access to them :(12:49
*** mvk has joined #openstack-keystone12:50
*** usr2033 has joined #openstack-keystone12:58
lbragstadandreykurilin: interesting, i double checked the unique constraint13:00
lbragstadi suspected having a role named 'foo' in another domain might be affect it when it shouldn't13:00
lbragstadaffecting*13:00
lbragstadbut - turns out that's not the case, i was able to create a role named 'foo' in a domain and a role named 'foo' without a domain13:01
*** sonuk has quit IRC13:01
andreykurilinlbragstad: `keystone.roles.list(domain=None)` doesn't show "Foo"  either13:03
*** pcaruana has joined #openstack-keystone13:08
*** dave-mccowan has joined #openstack-keystone13:09
lbragstadit looks like you're using keystoneclient?13:17
*** dave-mcc_ has joined #openstack-keystone13:17
usr2033i have encountered something on deleting domain and i don't know if it is a bug. https://developer.openstack.org/api-ref/identity/v3/#delete-domain says "When you delete a domain, this call also deletes all entities owned by it, such as users, groups, and projects, and any credentials and granted roles that relate to those entities." but when i delete domain with "openstack domain delete <domain-id>" role assignment of user to deleted13:18
usr2033domain resides. Does anybody know something about this? Am i doing something wrong?13:18
rabellbragstad: how would i do this? can i assign the role to the user for the root project and set "inherited=True" and the user has the same permissions for the subprojects automatically?13:19
*** dave-mccowan has quit IRC13:19
lbragstadusr2033: i just tested locally13:26
lbragstadusr2033: i set up a new domain, created a user and project within it, then granted the user a role on the project13:26
lbragstadi disabled the domain, then deleted it13:27
lbragstadthe domain, user, project, and role assignment were all deleted13:27
lbragstadusr2033: are you using something differently that results in different behavior?13:27
lbragstadrabel: yeah - i think so, but i believe we have docs13:28
lbragstadrabel: https://developer.openstack.org/api-ref/identity/v3/index.html#os-inherit not sure if you've seen that yet13:28
rabellbragstad: thanks. i will play around with that a little bit13:30
*** belmoreira has joined #openstack-keystone13:32
andreykurilinlbragstad: yes. it is keystoneclient13:32
usr2033@lbragstad i set only domain admin role to user13:35
usr2033lbragstad i use keystone version 8 with v3 api13:37
lbragstad hmm13:39
lbragstadusr2033: here is what i did locally - http://paste.openstack.org/raw/720220/13:39
lbragstadusr2033: so you're on liberty?13:40
*** zeus has joined #openstack-keystone13:43
*** zeus is now known as Guest4475213:43
*** Guest44752 is now known as zeus13:45
*** zeus has joined #openstack-keystone13:45
lbragstadkmalloc: i went through and updated all the stable reviews I've +1'd to +213:46
lbragstadand kicked a couple that you've +2'd through13:46
usr2033lbragstad, yes i am in liberty13:56
*** panbalag has joined #openstack-keystone13:59
usr2033lbragstad, my issue is already created user. my user already has default domain and project role. i grant new role in new domain.13:59
*** panbalag has left #openstack-keystone13:59
usr2033lbragstad13:59
usr2033lbragstad, in your case i got success too13:59
*** belmoreira has quit IRC13:59
lbragstadso - the user in the domain you're deleting has roles in other domains?14:01
lbragstadand those aren't being cleaned up?14:01
openstackgerritLance Bragstad proposed openstack/keystone master: Implement enforcement model logic in Manager  https://review.openstack.org/56271514:04
openstackgerritLance Bragstad proposed openstack/keystone master: Expose endpoint to return enforcement model  https://review.openstack.org/56271614:04
*** felipemonteiro has joined #openstack-keystone14:07
usr2033lbragstad, yes user has roles in other domains, all roles of user stays14:08
usr2033after deleting domain14:08
kmalloclbragstad: awesome14:10
*** xinran_ has joined #openstack-keystone14:10
lbragstadusr2033: ok - let me recreate with that case then14:10
*** alex_xu has quit IRC14:11
*** alex_xu has joined #openstack-keystone14:17
usr2033lbragstad: :+1:14:19
mordredkmalloc, lbragstad: ok. the devstack fix for the block-storage endpoint has merged. what additional would y'all like for landing https://review.openstack.org/#/q/topic:service-type-aliases ?14:23
kmallocI'm good with it as is honestly.14:24
kmallocI want to help get a doc published (docs.o.o) or similar for the mapping of aliases and links in ksa.14:24
lbragstadusr2033: same thing - http://paste.openstack.org/raw/720227/14:25
kmallocBut that can come post landing this.14:25
kmallocmordred: reviewing the code now btw.14:25
lbragstadusr2033: but i added the user to a project in two different domains, and it looks like the role assignments were clean up for both14:25
kmalloclbragstad: yay a second stable reviewer14:25
lbragstadkmalloc: ++14:25
mordredkmalloc: thanks! and yes, I agree about doc14:26
kmallocmordred: and I said I'd help with the doc job, I just need to get the ick out of my sinuses (yay springtime) to see straight :P. Much better today with heavy allergy meds.14:28
*** alex_xu has quit IRC14:29
mordredkmalloc: springtime sinuses are the worst14:29
*** felipemonteiro_ has joined #openstack-keystone14:30
*** belmoreira has joined #openstack-keystone14:32
usr2033lbragstad: i will try with project role too.14:33
lbragstadi can retry with a domain role14:34
lbragstadi forgot about that14:34
*** felipemonteiro has quit IRC14:34
*** openstackgerrit has quit IRC14:34
*** links has quit IRC14:34
usr2033lbragstad, thanks for your attention14:35
hrybackicmurphy: have you come across anyone that has an example of using app creds that live in an rc file by chance?14:35
lbragstadusr2033: same result - http://paste.openstack.org/raw/720230/14:38
lbragstadeverything gets cleaned up14:39
lbragstadat least with master14:39
cmurphyhrybacki: are you looking for a real world example? I can show you a demo example but I haven't encountered anyone using it in real life yet14:39
*** jmlowe has quit IRC14:39
hrybackicmurphy: a demo example would be fine :)14:40
*** felipemonteiro_ has quit IRC14:42
*** felipemonteiro_ has joined #openstack-keystone14:42
*** felipemonteiro__ has joined #openstack-keystone14:46
cmurphyhrybacki: something like http://paste.openstack.org/show/720232/14:49
cmurphyalso if you stand up horizon on master you can download an RC file with app creds14:50
*** felipemonteiro_ has quit IRC14:50
*** mvk has quit IRC14:52
lbragstadcmurphy: oh - that's neat14:58
*** jmlowe has joined #openstack-keystone15:01
lbragstadkmalloc: ayoung curious if you'd like to review https://review.openstack.org/#/c/530509/15:02
*** tonytan4ever has joined #openstack-keystone15:02
*** jmlowe has quit IRC15:03
ayounglbragstad, I'd take jamielennox 's comments as canon15:03
usr2033lbragstad, all roles you set in same domain as i understand :(15:03
ayoungX-15:04
ayoungDictionary is strange15:04
ayounghmm thought I reviewed that...bet I have a bunch of drafts15:04
hrybackithanks a bunch cmurphy !15:04
*** jmlowe has joined #openstack-keystone15:04
lbragstadayoung: yeah - the dictionary bit is weird15:04
ayounglbragstad, that makes the contract Python specific.15:05
lbragstadi guess i'm trying to figure out a way to make it so that we can pass that information in the header while keeping it open for expansion later15:05
ayoungyeah15:05
lbragstadbecause we might do something more interesting in the future15:05
lbragstadinstead of 'system': {'all': True}15:05
usr2033lbragstad, i already have an user_z with domain admin role in domain domain_a, i created new domain named domain_b and i gave domain admin role to user_z on domain_b.15:05
usr2033lbragstad, my new domain has no project.15:06
lbragstadwe could do 'system': {'service': '4d52512c24ec433b8f57dcfebf97c692'} or what-not15:06
*** alex_xu has joined #openstack-keystone15:07
lbragstadusr2033: what domain does uesr_z belong to?15:09
*** belmoreira has quit IRC15:09
*** germs has joined #openstack-keystone15:10
*** germs has quit IRC15:10
*** germs has joined #openstack-keystone15:10
lbragstadayoung: about the X- header bit, kmalloc had input against that in a previous patch set15:12
*** Guest29196 has quit IRC15:21
*** Rhvs has joined #openstack-keystone15:21
*** jaosorior has joined #openstack-keystone15:23
*** openstackgerrit has joined #openstack-keystone15:31
openstackgerritKen Giusti proposed openstack/oslo.policy master: Remove stale pip-missing-reqs tox test  https://review.openstack.org/56580315:31
*** felipemonteiro__ has quit IRC15:39
kmalloclbragstad: yep15:47
kmallocayoung: we need to stop proliferating more x- prefixed headers15:47
kmallocayoung: https://tools.ietf.org/html/rfc664815:47
kmallocso future headers should be descriptive and prefixed with OS, OpenStack, os-keystone, os-identity, etc (or whatever we want to use)15:48
*** jaosorior has quit IRC15:49
*** gyee has joined #openstack-keystone15:59
kmallocmordred:  ok i reviewed most of it, but looks like a bunch of patches might need rebases.15:59
kmalloclbragstad: commented16:02
lbragstadkmalloc: thanks - i'll check here in a minute once i push a few limit patches16:03
kmalloclbragstad: mostly just said the same thing else where (re X- prefix).16:04
kmalloci am inclined to dislike the 'system': {'all': True}16:04
kmallocto be "more" HTTP like, you could make it: 'system-all' or a list (comma delimited, future) of allowed16:05
kmallocit also allows adding OPENSTACK-System-Scope header multiple times to make it automatically concatenated with commas (HTTP standard) works16:05
kmallocayoung: ^16:05
* ayoung read mordred as Murdered.16:08
*** nkinder has joined #openstack-keystone16:12
nkindercmurphy: do you know of any examples of using application credentials in RC files?16:13
cmurphynkinder: :) http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2018-05-02.log.html#t2018-05-02T14:35:4316:14
nkindercmurphy: the documentation shows a middleware configuration example, but not RC usage16:14
cmurphythe RC file would be basically the same but with the options uppercased and prefixed with OS_16:15
nkindercmurphy, Thanks!  I figured as much, but wanted to be sure :)16:15
*** tesseract has quit IRC16:18
openstackgerritMerged openstack/keystoneauth master: Trivial: Update pypi url to new url  https://review.openstack.org/56541816:19
*** felipemonteiro has joined #openstack-keystone16:20
*** xinran_ has quit IRC16:20
openstackgerritMonty Taylor proposed openstack/keystoneauth master: Use Status variables in tests  https://review.openstack.org/56425816:20
openstackgerritMonty Taylor proposed openstack/keystoneauth master: Reference class variable in Status  https://review.openstack.org/56426216:20
mordredkmalloc: I think that should take care of the rebase needs16:21
mordredwasn't as bad as I thought16:21
kmallocmordred: cool.16:21
kmallocyeah it looks ghood, just needed that so we can land it all :)16:21
openstackgerritLance Bragstad proposed openstack/keystone master: Add policy for limit model protection  https://review.openstack.org/56271416:25
openstackgerritLance Bragstad proposed openstack/keystone master: Implement enforcement model logic in Manager  https://review.openstack.org/56271516:25
openstackgerritLance Bragstad proposed openstack/keystone master: Expose endpoint to return enforcement model  https://review.openstack.org/56271616:25
*** tonytan4ever has quit IRC16:26
*** tonytan4ever has joined #openstack-keystone16:26
lbragstadkmalloc: yeah - passing a dictionary in a header seems odd16:26
kmalloclbragstad: so. what are we trying to pass in16:27
lbragstadbut with the addition of more service scoped stuff in the future16:27
lbragstadi wanted to avoid having to add more headers16:27
kmallocok, so lets use a list of values16:27
kmallocopenstack-system-scope: <type>, <type>, <type>16:27
kmallocand the default can be system-all (today)?16:27
lbragstadwhat is type?16:27
kmallocinstead of system: all16:28
kmallocsystem-all16:28
lbragstadif 'scope': 'system': {'all': True} is in a token16:28
lbragstadwhat does that look like in the header?16:28
lbragstadtranslated to the header*16:28
kmallocopenstack-system-scope: system-all16:28
lbragstadah16:29
lbragstadso 'system-all' would be special16:29
kmallocsince headers can be comma delimited16:29
kmallocexample could be (future)16:29
kmallocopenstack-system-scope: nova-all, glance-all16:29
lbragstadso if we did something like 'scope': {'system': {'service': '30e0dcd33bf543f69a099c5228d2ad59'}16:29
kmallocopenstack-system-scope: system-<id> ?16:30
kmallocor service-id16:30
lbragstadwhere ID would be the service id?16:30
kmallocooor...16:30
kmalloci mean...16:30
kmallocis it always going to be :system:16:30
kmallocbecause then we can do: openstack-system-scope: all16:30
lbragstadright - that can probably be inferred from the header name16:30
kmallocor openstack-system-scope: 30e0dcd33bf543f69a099c5228d2ad5916:31
lbragstadit would be like saying x-project-id: project-id16:31
kmallocwhere "all" is magic16:31
lbragstadsure16:31
kmallocand remember, we can have it concatentated16:31
kmallocif you want multiple services16:31
lbragstadwouldn't that be like scoping to multiple projects?16:31
kmalloce.g.: openstack-system-scope: 30e0dcd33bf543f69a099c5228d2ad59, deadbeef1, deadbeef216:31
kmallocit would, i was just explaining how it could work if we wanted that16:32
lbragstadsure16:32
lbragstadok - that makes sense16:32
lbragstadwe only support all today anyway16:32
kmallocso, lets dump the dict in the header, no reason to do that16:32
lbragstadok - i can respin that patch to take the key of the system scope and put that in the header instead16:32
kmallocand we make "all" the default (current) and can add specific services (eityher via alias e.g.: nova / nova-all / etc, or by id16:32
lbragstad^ righ?16:32
kmallocyeah16:32
kmallocthat would be what i would do16:33
lbragstadcool16:33
kmallocit simplifies it a lot16:33
lbragstadyeah16:33
kmallocand it makes it more generic16:33
lbragstadi agree16:33
lbragstadcc jamielennox ayoung ^16:33
lbragstadthanks kmalloc16:33
lbragstadkmalloc: fwiw - the limit model patch should be ready for some reviews16:33
mordredkmalloc: you missed one https://review.openstack.org/#/c/55915416:33
hrybackilbragstad: no bites on my default roles pitch for the policy meeting :P16:57
lbragstadhrybacki: :( yeah - we need to start knocking on doors17:01
lbragstadi can make a point to do that this weke17:01
lbragstadweek*17:01
* lbragstad goes to run a couple errands over lunch17:01
hrybackilbragstad: yeah, I'm gonna bring your original post to our internal list -- hopefully drum up some support there17:01
hrybackiayoung: ^^17:01
lbragstadi'm usually not a fan of asking for reviews on the mailing list - but since it involved several parts of the community it might need that visibility17:02
*** openstackgerrit has quit IRC17:04
kmallocmordred: yeah reviewing that now17:05
hrybackilbragstad: precisely. My fear is we approach M2 and then someone decides to jump in and bike-shed pass the deadline17:07
kmallocmordred: looks good to me17:09
kmallochrybacki: if it is in our code base, lbragstad can step in and say "uh, bike shed elsewhere"17:09
*** felipemonteiro_ has joined #openstack-keystone17:10
kmallochrybacki: if it is important to land, we should land it -- M2 is the deadline and if people engage 1 minute to midnight, they're in the wrong (imo) if they're bikeshedding17:10
hrybackikmalloc: well, it is an openstack-spec (that we hope will turn into a community goal in the next release) 'there be dragons'17:10
hrybackibut I agree with that wholeheartedly. I want to at least be able to point to several direct asks for input should that scenario arise17:11
ayoungI'm easy on this.  Just that jamielennox spent a lot of time on Context, so I take his opinion fairly seriously.17:11
*** panbalag has joined #openstack-keystone17:11
kmalloccan't say much besides push back on bikeshedding at the last minute by saying "where were you before when I asked, <here>, <here>, <here>"17:11
kmallocayoung: yeah the rest of the context comments weren't hard to see where he was coming from17:11
kmallocthe header bit, that one I get his confusion, but we're trying to adhere to the RFCs going forward (as we should)17:12
kmallochrybacki: i would probably highligh (not "hey review this") but engage the idea via the ML17:12
kmallocthis isn't asking for reviews17:12
mordredkmalloc: RFCs ... more like RFskeez17:12
kmallocit is asking for feedback17:12
kmallocmordred: lol17:13
*** germs has quit IRC17:14
kmallochrybacki: this is making sure you have mindshare on the direction of the spec/goal17:14
*** felipemonteiro has quit IRC17:15
* hrybacki nods17:15
*** germs has joined #openstack-keystone17:17
*** germs has quit IRC17:17
*** germs has joined #openstack-keystone17:17
*** germs has quit IRC17:18
*** germs has joined #openstack-keystone17:19
*** germs has quit IRC17:19
*** germs has joined #openstack-keystone17:19
lbragstad[m]++ well put kmalloc17:29
*** panbalag has quit IRC17:44
*** rabel has left #openstack-keystone17:44
*** panbalag has joined #openstack-keystone17:45
*** panbalag has left #openstack-keystone17:46
ayoungkmalloc, hrybacki after taking the dog for a walk, and thinking about this, I think we should 1. Add a new header IAW the old style and 2. Add a brand new set of headers as a follow on patch that matches the RFC.17:46
ayoung1 is to get things moving, and to not have a one off.  2 is for the long term direction.17:46
kmallocayoung: no, don't add the old style at all17:48
kmallocreally.17:48
kmallocdon't proliferate x- style headers for new headers.17:48
ayoungkmalloc, no, really, add the old style.17:48
kmalloc-217:48
ayoungIt does not matter.17:48
kmallocit does.17:48
ayoungIt is the current pattern.  A deliberate change of the pattern should occur.  And I would not hold this up for the new pattern17:48
kmallocthe general direction of openstack is to eliminate x- prefixed headers17:49
kmallocwe shouldn't add another x-prefixed header17:49
kmallocand support it forever17:49
kmallocbecause if we add it, we support it forever17:49
ayoungYes we should.17:49
kmallocabsolutely not17:50
ayoungBecause otherwise it is a one off, and that will mess people up more.17:50
ayoungWe can then convert the whole set of headers over en mass17:50
kmallocno, document it, we use openstack-blah headers for microversions and have a bad migration for that too17:50
kmallocplease please please do not add more x- prefixed headers for new functionality17:51
kmalloci wont -2 this.17:51
kmallocbut i will -1 it every time if it has a x- prefix17:51
kmallocwith the same comment.17:51
ayoungkmalloc, so, I don't really have a dog in the fight.  This is just my opinion on the way to do it with out messing up the users, but I will not hold it up either way.17:51
ayoungThe hill is yours.17:52
kmallocit wont mess up the users -- this is behind the scenes ksm/ksa stuff17:52
kmalloca user will never send openstack-system-scope header17:52
kmallocor should never17:52
kmallocs/ksa/keystone-server17:52
kmallocthis is how we communicate to the services what scope, similar to x-project-id17:53
lbragstadthings would remain backwards compat it we didn't add the new x-style header, wouldn't they?18:18
lbragstadit would just force users to use the new style header for the new authorization?18:19
ayounglbragstad, yes...this is just nit picking.  It would probably be fine either way, and if kmalloc cares so strongly, lets just do it his way.18:25
lbragstadayoung: kmalloc ok - i have another context question18:37
kmallocsure18:37
lbragstadthe context object has a system attribute right?18:37
lbragstadand that should technically represent the token's system scope18:38
lbragstadwhen we call things like https://review.openstack.org/#/c/530509/5/oslo_context/context.py,unified@296 should it be18:38
kmalloco tjoml sp/18:39
kmalloci think so*18:39
lbragstadctx.system = {'all': True}18:39
lbragstador should it be ctx.system = 'all'18:39
kmallocwhy are we doing "all": true18:39
kmalloci think it should jsut be "all"18:39
kmallocnot sure what benefit the dict adds18:39
kmallocif we only ever support one type of system code18:39
*** openstackgerrit has joined #openstack-keystone18:39
openstackgerritMerged openstack/keystoneauth master: fix a typo in session.py  https://review.openstack.org/55639718:39
lbragstadok18:40
lbragstadi thought we were checking the dictionary values more strictly in oslo.policy18:40
lbragstadhttps://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L83418:41
kmallocwe can transform it if needed18:41
kmallocgo with what is needed to work correctly18:42
lbragstadso should context expect to be passed the system scope from the token? or should it be called like ctx = context.RequestContext(system='all')18:44
kmalloci am not sure.18:45
kmallochonestly18:45
kmalloci think either works?18:45
lbragstadok - i had the wrong idea18:55
*** pcichy has quit IRC18:55
lbragstadi was thinking that oslo.context was going to handle that18:55
lbragstadbut actually that's up to ksm18:55
kmallocyeah18:55
lbragstadi had my wires crossed18:56
openstackgerritMerged openstack/python-keystoneclient master: Trivial: Update pypi url to new url  https://review.openstack.org/56305518:57
*** felipemonteiro__ has joined #openstack-keystone18:59
*** felipemonteiro_ has quit IRC18:59
kmalloc:)19:02
kmallocits all good man19:02
openstackgerritLance Bragstad proposed openstack/keystonemiddleware master: Introduce new header for system-scoped tokens  https://review.openstack.org/56407219:15
lbragstadmmk ^19:15
lbragstadthat should do it19:15
openstackgerritGage Hugo proposed openstack/keystone master: Add LDAP user-backed functional testing gate  https://review.openstack.org/55894019:18
lbragstadoslo.context patch - https://review.openstack.org/#/c/564072/19:19
*** deepika08 has joined #openstack-keystone19:21
lbragstadcc jamielennox ^19:30
*** linkmark has joined #openstack-keystone19:35
-openstackstatus- NOTICE: The Gerrit service at review.openstack.org will be offline starting at 20:00 (in roughly 25 minutes) for a server move and operating system upgrade: http://lists.openstack.org/pipermail/openstack-dev/2018-May/130118.html19:36
*** mvk has joined #openstack-keystone19:45
*** linkmark has quit IRC19:46
*** felipemonteiro_ has joined #openstack-keystone19:51
*** felipemonteiro__ has quit IRC19:55
openstackgerritMerged openstack/keystonemiddleware master: Imported Translations from Zanata  https://review.openstack.org/56545519:59
-openstackstatus- NOTICE: The Gerrit service at review.openstack.org will be offline over the next 1-2 hours for a server move and operating system upgrade: http://lists.openstack.org/pipermail/openstack-dev/2018-May/130118.html20:04
*** ChanServ changes topic to "The Gerrit service at review.openstack.org will be offline over the next 1-2 hours for a server move and operating system upgrade: http://lists.openstack.org/pipermail/openstack-dev/2018-May/130118.html"20:04
*** raildo has quit IRC20:06
*** felipemonteiro_ has quit IRC20:09
*** felipemonteiro_ has joined #openstack-keystone20:10
*** openstackgerrit has quit IRC20:27
*** pcaruana has quit IRC20:34
*** tonytan4ever has quit IRC20:45
*** tonytan4ever has joined #openstack-keystone20:45
*** jmlowe has quit IRC20:53
*** panbalag has joined #openstack-keystone21:00
*** panbalag has left #openstack-keystone21:00
*** redrobot has joined #openstack-keystone21:02
*** felipemonteiro__ has joined #openstack-keystone21:06
*** felipemonteiro_ has quit IRC21:09
*** linkmark has joined #openstack-keystone21:16
*** r-daneel has quit IRC21:25
*** jmlowe has joined #openstack-keystone21:31
*** jmlowe has quit IRC21:45
*** martinus__ has quit IRC21:48
*** openstackgerrit has joined #openstack-keystone21:55
openstackgerritLance Bragstad proposed openstack/keystone-specs master: Add scenarios to strict hierarchy enforcement model  https://review.openstack.org/56541221:55
lbragstadwxy: ^ that should be good to review, let me know what you think21:55
lbragstadjohnthetubaguy: yankcrime ^21:56
lbragstadrevised a lot of it, but attempted to keep as much of the CERN case there as possible21:57
lbragstadalso tried to pull some stuff into bugs instead of keeping it in the spec21:57
*** jmlowe has joined #openstack-keystone21:57
*** felipemonteiro_ has joined #openstack-keystone22:01
*** felipemonteiro__ has quit IRC22:01
*** openstackgerrit has quit IRC22:04
*** ChanServ changes topic to "Rocky release schedule: https://releases.openstack.org/rocky/schedule.html | Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting | Bugs that need triaging: http://bit.ly/2iJuN1h | Trello: https://trello.com/b/wmyzbFq5/keystone-rocky-roadmap"22:10
-openstackstatus- NOTICE: Gerrit maintenance has concluded successfully22:10
*** tonytan4ever has quit IRC22:22
*** tonytan4ever has joined #openstack-keystone22:23
*** panbalag has joined #openstack-keystone22:27
*** tonytan4ever has quit IRC22:29
*** edmondsw has quit IRC22:29
*** edmondsw has joined #openstack-keystone22:30
*** edmondsw has quit IRC22:35
*** edmondsw has joined #openstack-keystone22:35
*** rcernin has joined #openstack-keystone22:36
*** edmondsw has quit IRC22:39
*** deepika08 has quit IRC23:01
*** hrybacki_ has joined #openstack-keystone23:09
*** andreaf has quit IRC23:09
*** mnaser_ has joined #openstack-keystone23:09
*** Anticime1 has joined #openstack-keystone23:12
*** jlvillal_ has joined #openstack-keystone23:15
*** afazekas_ has joined #openstack-keystone23:15
*** _d34dh0r53_ has joined #openstack-keystone23:15
*** lbragstad[m] has quit IRC23:16
*** hrybacki has quit IRC23:16
*** mnaser has quit IRC23:16
*** afazekas has quit IRC23:16
*** jlvillal has quit IRC23:16
*** Anticimex has quit IRC23:16
*** d34dh0r53 has quit IRC23:16
*** hrybacki_ is now known as hrybacki23:16
*** mnaser_ is now known as mnaser23:16
*** jlvillal_ is now known as jlvillal23:19
*** panbalag has quit IRC23:19
*** jlvillal is now known as Guest1001423:19
*** lbragstad[m] has joined #openstack-keystone23:23
*** panbalag has joined #openstack-keystone23:25
*** andreaf has joined #openstack-keystone23:25
*** dave-mcc_ has quit IRC23:32
*** dave-mccowan has joined #openstack-keystone23:36
*** panbalag has quit IRC23:37
*** panbalag has joined #openstack-keystone23:43
« Tuesday, 2018-05-01 Index Thursday, 2018-05-03 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!