Wednesday, 2018-05-09

*** dgonzalez has quit IRC 00:17
*** dgonzalez has joined #openstack-keystone 00:17
*** gyee has quit IRC 00:36
*** Dinesh_Bhor has joined #openstack-keystone 00:42
*** harlowja has quit IRC 00:51
*** nicolasbock has quit IRC 00:57
*** felipemonteiro__ has joined #openstack-keystone 01:08
*** username_ has joined #openstack-keystone 01:22
*** username_ is now known as username__ 01:23
*** felipemonteiro__ has quit IRC 01:27
*** gongysh has joined #openstack-keystone 01:37
<openstackgerrit> wangxiyuan proposed openstack/keystone master: Fix the test for unique IdP
*** username__ has quit IRC 02:35
*** rcernin has quit IRC 03:14
*** threestrands has joined #openstack-keystone 03:38
*** threestrands has quit IRC 03:38
*** threestrands has joined #openstack-keystone 03:38
*** links has joined #openstack-keystone 03:42
*** gyan_ has joined #openstack-keystone 03:44
*** dave-mccowan has quit IRC 03:48
<openstackgerrit> wangxiyuan proposed openstack/keystone master: Remove token driver configuration
*** cburgess_ has quit IRC 04:16
*** cburgess has joined #openstack-keystone 04:26
*** gongysh has quit IRC 04:36
*** Dinesh_Bhor has quit IRC 05:00
*** Dinesh_Bhor has joined #openstack-keystone 05:03
*** aojea has joined #openstack-keystone 05:17
*** gongysh has joined #openstack-keystone 05:18
*** aojea has quit IRC 05:31
*** hoonetorg has quit IRC 05:33
*** gongysh has quit IRC 05:37
*** hoonetorg has joined #openstack-keystone 05:44
*** threestrands has quit IRC 05:54
*** pcaruana has joined #openstack-keystone 05:57
<openstackgerrit> wangxiyuan proposed openstack/keystone master: Remove token driver configuration
*** Dinesh_Bhor has quit IRC 06:16
*** Dinesh_Bhor has joined #openstack-keystone 06:18
*** annp has joined #openstack-keystone 06:22
*** xinran__ has joined #openstack-keystone 06:25
*** jaosorior has joined #openstack-keystone 06:34
*** tesseract has joined #openstack-keystone 07:22
*** masber has quit IRC 07:36
*** rpittau has joined #openstack-keystone 07:57
*** namnh has joined #openstack-keystone 08:02
*** edmondsw has joined #openstack-keystone 08:35
*** jaosorior has quit IRC 08:36
*** edmondsw has quit IRC 08:40
*** jaosorior has joined #openstack-keystone 08:41
*** gyankum has joined #openstack-keystone 08:55
*** nicolasbock has joined #openstack-keystone 08:56
*** Dinesh_Bhor has quit IRC 09:32
<openstackgerrit> Stephen Finucane proposed openstack/oslo.policy master: generator: Reimplement wrapping of 'description'
<openstackgerrit> Stephen Finucane proposed openstack/oslo.policy master: trivial: Fix file permissions
*** namnh has quit IRC 10:28
*** annp has quit IRC 10:33
*** mchlumsky_ has joined #openstack-keystone 10:59
*** mchlumsky has quit IRC 10:59
*** raildo has joined #openstack-keystone 11:54
*** xinran__ has quit IRC 12:05
*** edmondsw has joined #openstack-keystone 12:10
*** jdennis has quit IRC 12:16
*** Raju has joined #openstack-keystone 12:18
*** jmlowe has quit IRC 12:20
*** pcaruana has quit IRC 12:21
<Raju> Question on keystone regions and tenants. Is there a way to restrict region access to specific tenants? 12:21
*** jdennis has joined #openstack-keystone 12:22
*** dave-mccowan has joined #openstack-keystone 12:43
*** gyan_ has quit IRC 12:51
*** gyankum has quit IRC 12:51
*** jmlowe has joined #openstack-keystone 13:02
*** sapd has quit IRC 13:05
<lbragstad> Raju: there is an endpoint to project mapping API within keystone 13:06
<lbragstad> so depending on the project you're working with, you'll get endpoints in the catalog specific to that project 13:06
<lbragstad> Raju: here is the API reference -
*** Raju has quit IRC 13:07
<lbragstad> mordred: ping 13:09
<openstackgerrit> Harry Rybacki proposed openstack/keystone-specs master: Define a set of basic default roles
*** felipemonteiro__ has joined #openstack-keystone 13:34
<mordred> lbragstad: heya 13:35
<hrybacki> Process question -- if we have a LP is raised in Master but determined to actually exist in say Queens and Pike, do we create a LP for each 'backport' that will be required? 13:35
<mordred> lbragstad: what did I break? 13:35
<lbragstad> mordred: o/ nothing, but i have a question via proxy... a classmate of mine is deploying a small openstack cluster for scientific purposes and is kicking the tires 13:36
<lbragstad> mordred: he had a question about all these rc files laying around with credentials and wondered if there was a better option 13:36
<lbragstad> i thought of clouds.yaml, and wondered if that'd be a better option? 13:37
<mordred> yes. no one should ever use rc files for any purpose 13:37
<mordred> he should totally use clouds.yaml ... and ... 13:37
* lbragstad waits anxiously in anticipation 13:38
<mordred> if he wants, he can optionally put his secrets into ~/.config/openstack/secure.yaml alongside clouds.yaml if he wants to 13:38
<mordred> (although I'm not sure that actually buys him a ton just as a local user) 13:38
<lbragstad> oh - so clouds.yaml contains the mapping and endpoints, and looks for secure for the password 13:38
<mordred> yah. it'll merge the two files if it finds both 13:39
<lbragstad> oh - nice 13:39
<mordred> it's more useful for places putting clouds.yaml into config management 13:39
<lbragstad> that makes total sense 13:39
<mordred> death to rc files 13:39
<lbragstad> is clouds.yaml parsed on every request? 13:40
*** pcaruana has joined #openstack-keystone 13:40
<lbragstad> so after i update it, i don't have to source anything? 13:40
*** jaosorior has quit IRC 13:43
*** jaosorior has joined #openstack-keystone 13:50
*** spilla has joined #openstack-keystone 13:53
*** felipemonteiro_ has joined #openstack-keystone 13:53
*** felipemonteiro__ has quit IRC 13:56
*** xinran__ has joined #openstack-keystone 13:59
<cmurphy> lbragstad: that's correct 14:00
*** pcaruana has quit IRC 14:05
<lbragstad> thanks cmurphy 14:07
*** pcaruana has joined #openstack-keystone 14:08
*** pcaruana has quit IRC 14:25
*** pcaruana has joined #openstack-keystone 14:26
<lbragstad> kmalloc: curious if you want to follow up here?
*** felipemonteiro__ has joined #openstack-keystone 14:34
*** felipemonteiro_ has quit IRC 14:37
*** germs has joined #openstack-keystone 14:37
*** germs has quit IRC 14:37
*** germs has joined #openstack-keystone 14:37
*** r-daneel has joined #openstack-keystone 14:37
<lbragstad> does anyone else get this when using os-cloud ? 14:40
<lbragstad> fwiw - my endpoint doesn't have a version appended to it (e.g. http://localhost/identity) 14:41
*** r-daneel_ has joined #openstack-keystone 14:41
*** jaosorior has quit IRC 14:41
*** r-daneel has quit IRC 14:42
*** r-daneel_ is now known as r-daneel 14:42
*** abhi89 has joined #openstack-keystone 14:42
<gagehugo> lbragstad I usually specify the version 14:42
<lbragstad> gagehugo: in the url? 14:43
* lbragstad facepalms 14:44
<gagehugo> well the url and in identity_api_version 14:45
*** germs has quit IRC 14:46
*** germs has joined #openstack-keystone 14:46
*** germs has quit IRC 14:46
*** germs has joined #openstack-keystone 14:46
<abhi89> lbragstad: Hi Lance.. can you please take a look at its regarding personal data being logged when configured with ldap.. 14:47
<openstack> Launchpad bug 1767323 in OpenStack Identity (keystone) "Keystone ldap logs personal information" [Undecided,New] 14:47
<kmalloc> lbragstad: +a 14:51
<lbragstad> abhi89: that information is only logged when log level is debug 14:52
<lbragstad> abhi89: so you have an issue if you turn debug logging on in production? 14:53
<abhi89> lbragstad: yes, PI is logged in only debug mode.. many times we would want customers to turn on the debug mode & provide us with the logs, in which case the customer is not aware that his PI is getting logged.. 14:54
<kmalloc> lbragstad: we can probably offer some filtering in ldap config too. But, this very much goes to (and I agree) don't run prod with production 14:54
<kmalloc> Debug in production* 14:55
*** felipemonteiro__ has quit IRC 14:55
*** felipemonteiro_ has joined #openstack-keystone 14:55
<kmalloc> We can't 100% sanitize debug logs. 14:56
<lbragstad> so would we expose a configuration option that only allows specific information to be, or not be, logged? 14:56
<kmalloc> That filters out attributes from the ldap resources 14:57
<kmalloc> We can make some assertions based upon the rfc for people 14:57
<kmalloc> I can take this on, it is med. Priority at best. Largely, it is to limit pii pulled from ldap. 14:58
<lbragstad> cool - i'll update the bug 14:58
<kmalloc> So it won't ever leak into logs. That said.... Don't run production in debug, especially with regards to gdpr 14:58
*** spilla has quit IRC 14:58
<abhi89> kmalloc, lbragstad: sure, thanks 14:59
*** edmondsw has quit IRC 15:04
<kmalloc> Yep. Np 15:04
<lbragstad> oh - not sure if folks here saw, but apparently there is test storyboard deployment available for practice migrations 15:07
*** gyankum has joined #openstack-keystone 15:08
<lbragstad> people from the storyboard team are offering to do test migrations for projects to this test system 15:08
*** gyan_ has joined #openstack-keystone 15:08
<lbragstad> so - if anyone is interested in tinkering with storyboard with real-ish data, it'll be available 15:08
*** felipemonteiro_ has quit IRC 15:16
*** felipemonteiro_ has joined #openstack-keystone 15:16
*** links has quit IRC 15:25
<hrybacki> lbragstad: which people? 15:28
<lbragstad> hrybacki: as in who is going to be doing the mock migration? 15:31
<lbragstad> diablo_rojo offered to get things going for us 15:32
<lbragstad> i think it also gives them an opportunity to test out the migration tooling they have 15:32
<lbragstad> dhellmann was impressed with it 15:33
*** germs has quit IRC 15:36
*** germs has joined #openstack-keystone 15:37
*** gyee has joined #openstack-keystone 15:38
<hrybacki> awesome, I'll make a point to reach out to him this week 15:39
<hrybacki> although diablo_rojo is definitively masculine :P 15:40
<lbragstad> kmalloc: this goes hand in hand with the ksm patch :)
<lbragstad> hrybacki: this might also be applicable to our work now
<kmalloc> +1, looks good in general 15:52
<lbragstad> thanks kmalloc 15:52
*** spilla has joined #openstack-keystone 16:02
<lbragstad> does anyone have talks during the summit they want mentioned during the project update? 16:03
<lbragstad> or does anyone know of keystone talks that we should mention? 16:03
<lbragstad> luckily the project update is early in the week, so we have the opportunity to plug talks 16:04
<cmurphy> lbragstad: :) 16:11
* cmurphy should start prepping for that 16:11
<lbragstad> perfect - it's already on the list 16:12
*** abhi89 has quit IRC 16:12
*** spilla has quit IRC 16:14
*** abhi89 has joined #openstack-keystone 16:17
*** r-daneel has quit IRC 16:18
<openstackgerrit> Merged openstack/keystonemiddleware master: Introduce new header for system-scoped tokens
<lbragstad> another question related to the project update 16:24
<lbragstad> for the Stein release, are there any big initiatives we can already see being targeted to that release? 16:24
<lbragstad> right now i have cross-project default roles, consumption of unified limits, and a couple other things... 16:24
*** gyankum has quit IRC 16:33
*** gyan_ has quit IRC 16:34
<openstackgerrit> Felipe Monteiro proposed openstack/keystone-specs master: Patrole (RBAC) Keystone Gating
*** masber has joined #openstack-keystone 16:40
<lbragstad> cmurphy: i don't want to spoil anything, but are you going to do a live demo in your app cred talk? 16:40
<cmurphy> lbragstad: yeah i think so 16:41
<cmurphy> will def be an easier demo than the federation demo 16:41
*** r-daneel has joined #openstack-keystone 16:54
*** tesseract has quit IRC 17:15
*** aloga has quit IRC 17:19
*** raildo has quit IRC 17:24
<kmalloc> not much can be more complex than federation demos :P 17:29
<kmalloc> lbragstad, cmurphy: what IDE (if any) are you using these days? 17:29
*** dmellado has quit IRC 17:29
<lbragstad> i use vi 17:29
<cmurphy> kmalloc: vim 17:30
<kmalloc> hmm, i guess i should look into the volume of magic to make it work like a real ide 17:30
<kmalloc> i've never put much effort into that. 17:30
<cmurphy> me neither 17:30
<cmurphy> i don't really use ides 17:30
<lbragstad> i use about 100 lines in my vimrc to get the magic 17:30
<kmalloc> mostly i lean heavily on the "jump to definition" and "find all usages of" type magic 17:31
<kmalloc> and... auto-complete. 17:31
<kmalloc> i know that isn't a TON of magic in an ide. 17:31
<lbragstad> yeah... the jump to functionality is nice 17:31
<lbragstad> has some good reads 17:32
*** mchlumsky_ has quit IRC 17:35
*** mchlumsky has joined #openstack-keystone 17:37
*** germs has quit IRC 17:37
*** germs has joined #openstack-keystone 17:38
*** germs has quit IRC 17:38
*** germs has joined #openstack-keystone 17:38
*** mchlumsky has quit IRC 17:41
*** mchlumsky has joined #openstack-keystone 17:43
<lbragstad> kmalloc: that thing you and zzzeek were talking about yesterday was specifically for multi-region keystone deployments? 17:49
*** r-daneel has quit IRC 18:07
*** r-daneel has joined #openstack-keystone 18:07
*** abhi89 has quit IRC 18:07
*** germs has quit IRC 18:09
*** germs has joined #openstack-keystone 18:10
*** germs has quit IRC 18:10
*** germs has joined #openstack-keystone 18:10
*** pcichy has joined #openstack-keystone 18:12
*** germs has quit IRC 18:12
*** germs has joined #openstack-keystone 18:13
*** germs has quit IRC 18:13
*** germs has joined #openstack-keystone 18:13
*** germs has quit IRC 18:17
*** germs has joined #openstack-keystone 18:17
*** germs has quit IRC 18:17
*** germs has joined #openstack-keystone 18:17
*** dklyle has joined #openstack-keystone 18:19
*** mvenesio has quit IRC 18:20
*** dklyle has quit IRC 18:21
*** mvenesio has joined #openstack-keystone 18:21
*** germs has quit IRC 18:21
*** oikiki has joined #openstack-keystone 18:24
*** dklyle has joined #openstack-keystone 18:25
*** mvenesio has quit IRC 18:25
*** sonuk has joined #openstack-keystone 18:32
*** d0ugal_ has joined #openstack-keystone 18:36
*** d0ugal has quit IRC 18:37
*** xinran__ has quit IRC 18:39
*** sonuk has quit IRC 18:43
*** mvenesio has joined #openstack-keystone 18:51
<gagehugo> \o/ vim 18:53
<gagehugo> atom is kinda ok too 18:54
*** dmellado has joined #openstack-keystone 18:58
*** mvenesio has quit IRC 19:00
*** raildo has joined #openstack-keystone 19:03
*** r-daneel_ has joined #openstack-keystone 19:11
*** r-daneel has quit IRC 19:11
*** r-daneel_ is now known as r-daneel 19:11
*** felipemonteiro__ has joined #openstack-keystone 19:11
*** mvk has quit IRC 19:13
*** felipemonteiro_ has quit IRC 19:15
*** spilla has joined #openstack-keystone 19:16
<kmalloc> lbragstad: yea 19:20
*** links has joined #openstack-keystone 19:22
<lbragstad> wow - nice.. os cloud config works with system scope 19:30
*** dklyle has quit IRC 19:40
*** links has quit IRC 19:45
*** edmondsw has joined #openstack-keystone 19:54
*** jmlowe has quit IRC 19:58
*** germs has joined #openstack-keystone 20:18
*** germs has quit IRC 20:22
*** germs has joined #openstack-keystone 20:27
*** germs has quit IRC 20:27
*** germs has joined #openstack-keystone 20:27
*** germs has quit IRC 20:27
<kmalloc> gagehugo: sadly atom required py27 =/ 20:39
<kmalloc> gagehugo: i was hoping to avoid py27 on my system ;) 20:40
<lbragstad> i'm having a hard time grokking something 20:40
<lbragstad> who feels like being a rubber duck? 20:40
<kmalloc> wait... wut? 20:40
<kmalloc> oh sure 20:41
<kmalloc> bounce ideas 20:41
<lbragstad> so - we have a paste pipeline 20:41
<lbragstad> currently build_auth_context is processed in front of token_auth 20:42
<lbragstad> which calls this -
<lbragstad> as far as i can tell - the variable `token` within that scope only refers to the token id 20:42
<lbragstad> which is getting pulled from the header 20:43
*** raildo has quit IRC 20:43
<lbragstad> the last bit of that method calls fill_context() 20:43
<kmalloc> that is support the old admin token string thing (the process request bits and what not) 20:43
<kmalloc> before fill_context 20:43
<lbragstad> one of the first things we do in fill_context, is build a context object 20:44
<lbragstad> and shortly after that we use the token to generate a token model, which requires a token reference 20:45
<lbragstad> the part i don't get is where keystone is performing that token validation call and setting that reference in the request environment to be pulled out later 20:45
<lbragstad> we don't use keystonemiddleware, which is the part that does this for other services 20:46
<kmalloc> right we can't use ksm 20:46
<lbragstad> there is a method called fetch_token in that same middleware, but it looks like dead code 20:47
<lbragstad> we don't call it anywhere in keystone afaict 20:47
<kmalloc> that is called from the super class, which is KSM's auth_token 20:48
*** dklyle has joined #openstack-keystone 20:48
<kmalloc> we override for local "gets" 20:48
<kmalloc> calls the super, so KSM, which in turn is going to call fetch_token 20:49
<lbragstad> wth - i totally missed that 20:50
<lbragstad> and we override it because we're not an external service sitting behind keystone 20:50
<kmalloc> lbragstad: yes 20:51
<kmalloc> and because we support old-"admin" style tokens, if we didn't we would be able to eliminate a chunk more of that process_request 20:51
<kmalloc> since... fetch_token is the magic part 20:51
*** jmlowe has joined #openstack-keystone 20:53
<lbragstad> and it's set right here
<kmalloc> lbragstad: also note:
<kmalloc> we have an active "kill the token_auth" part because it's superfluous 20:55
<lbragstad> that gets handled by ksm, too? 20:55
<kmalloc> most of that is merged into the authcontext middleware if it isn't (by that patch) 20:56
<lbragstad> oh - nevermind 20:56
<lbragstad> i see it 20:56
<lbragstad> its in the Request class 20:56
<kmalloc> token_auth filter does *nothing* interesting 20:56
<kmalloc> it used to do a ton more 20:57
<kmalloc> but we've been making our code better. 20:57
<lbragstad> that makes sense 20:57
<kmalloc> we still need to merge more things down imo 20:57
<kmalloc> keystone should not, in any-way-shape-or-form, offer multiple middleware/filters 20:57
<lbragstad> yeah... it takes a bit to wrap your head around how context is handled 20:57
<kmalloc> i'm of the opinion we should just merge authcontext down into the service_3 or whatever the basic one is 20:58
<lbragstad> after staring at some of the other context middleware bits of other services, it'd be nice to build context all at once 20:58
<kmalloc> so keystone (the app[tm]) is everything keystone 20:58
<kmalloc> and the pipeline is *really* just adding external things 20:58
<kmalloc> we are mostly there 20:58
<kmalloc> notably, ec2 and s3 need to be merged still 20:59
<lbragstad> it seemed a bit strange to build a context object and then override a bunch of stuff when the RequestContext constructor is really rich 20:59
<kmalloc> and a few other things... though authcontext may need to be separate 20:59
*** pcaruana has quit IRC 20:59
<kmalloc> but if we merge ec2 and s3 into service_v3, the question is json_body 21:00
<kmalloc> but i think that can come before authcontext 21:00
<lbragstad> what about it? 21:00
<lbragstad> just where to put it in the pipeline? 21:00
<kmalloc> oh it's a keystone specific thing 21:00
<kmalloc> we can merge that in too 21:00
<kmalloc> we could collapse authcontext and after into service_3 21:01
*** raildo has joined #openstack-keystone 21:01
<kmalloc> healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id are all external to us, right? 21:01
<lbragstad> i believe so 21:01
<kmalloc> ah url_normalize is not 21:01
<lbragstad> we offer four middleware bits, 21:01
*** spilla has quit IRC 21:02
<lbragstad> oh - right 21:02
<kmalloc> we could probably move url_normalize after request_id 21:02
<kmalloc> and merge it in as well 21:02
<lbragstad> yeah - i can't imagine that ordering would be important 21:02
<kmalloc> i don't see why we can't make keystone a single entry in the pipeline and anything/everything else is meant to be external 21:02
<kmalloc> want me to spin up a patch to try and finish this up? 21:03
<lbragstad> sure - if you don't mind 21:03
<lbragstad> i was just tinkering with another series 21:03
<kmalloc> it is effectively removing the pipeline [which... i mean we could do that too, in the grand scheme of things] 21:03
<lbragstad> to give hrybacki a leg up on the default role stuff 21:03
<kmalloc> honestly, if we could ditch paste all together, i'd be stoked 21:03
<lbragstad> well - it is a dead project 21:04
<kmalloc> so merge our bits together and pull in something else to glue our parts/other parts in 21:04
<lbragstad> kmalloc: would that make building the context object simpler? 21:04
<lbragstad> not a hard requirement, just curious 21:04
<kmalloc> but it means we can streamline a lot of things in general 21:04
<kmalloc> since we control the entire entry 21:05
<kmalloc> no one can wedge something in the middle to break us 21:05
<kmalloc> i am still an advocate of getting us on Flask 21:05
<kmalloc> which could, in theory, simplify our context generation code. 21:06
<kmalloc> since it becomes part of the flask framework [filter] instead of pulling all this stuff together ... oddly 21:06
*** spilla has joined #openstack-keystone 21:07
<lbragstad> so would all this middleware get pushed into the keystone.common.wsgi.Router object? 21:07
<lbragstad> or be invoked from that point? 21:07
<kmalloc> i'd have to look at current-state-of-flask 21:08
<kmalloc> to know 21:08
<lbragstad> somewhere right after it comes off the pipeline and before it hits the router map? 21:08
<lbragstad> got it, that makes sense 21:09
*** mvenesio has joined #openstack-keystone 21:10
<lbragstad> regardless the system-scope process and context handling will be similar either way i think 21:10
<lbragstad> is what i was trying to do 21:11
<kmalloc> that won't change much 21:12
<lbragstad> but more importantly (some what unrelated to middleware) this is how i'd like to try and break apart the default role tests and protection tests
* kmalloc goes hunting for "how I merged the filters together" patches again. 21:13
<kmalloc> i know i did most of these... 21:13
<kmalloc> that looks reasonable 21:14
<lbragstad> which should help with the organization of it all 21:14
<lbragstad> but also - it's dependent on decoupling bootstrap from the cli stuff 21:14
*** dmellado has quit IRC 21:15
<lbragstad> so maybe i need to revisit that first 21:15
<kmalloc> yeah, do the underlying work first 21:15
<kmalloc> make your job easier and reviewer's jobs easier too ;) 21:15
* lbragstad makes a note to pick up tomorrow 21:16
<lbragstad> there is a race condition in there somewhere yet 21:16
*** dave-mccowan has quit IRC 21:17
*** dmellado has joined #openstack-keystone 21:23
*** dave-mccowan has joined #openstack-keystone 21:23
*** mvenesio has quit IRC 21:24
*** dmellado has quit IRC 21:27
*** jmlowe has quit IRC 21:39
*** spilla has quit IRC 21:40
*** raildo has quit IRC 21:47
*** felipemonteiro__ has quit IRC 22:06
*** zigo has quit IRC 22:11
*** zigo has joined #openstack-keystone 22:11
*** raildo has joined #openstack-keystone 22:16
*** raildo has quit IRC 22:16
*** mvk has joined #openstack-keystone 22:32
*** threestrands has joined #openstack-keystone 22:33
*** threestrands has quit IRC 22:33
*** threestrands has joined #openstack-keystone 22:33
*** threestrands_ has joined #openstack-keystone 22:36
*** threestrands has quit IRC 22:38
*** r-daneel has quit IRC 22:43
*** dklyle has quit IRC 22:57
*** oikiki has quit IRC 23:01
*** edmondsw has quit IRC 23:10
*** edmondsw has joined #openstack-keystone 23:11
*** edmondsw has quit IRC 23:15
*** oikiki has joined #openstack-keystone 23:16
*** oikiki has quit IRC 23:17
