Wednesday, 2018-06-13

« Tuesday, 2018-06-12 Index Thursday, 2018-06-14 »
*** felipemonteiro has quit IRC00:07
*** masber has joined #openstack-keystone00:10
*** masuberu has quit IRC00:13
*** masuberu has joined #openstack-keystone00:26
*** masber has quit IRC00:29
*** Dinesh_Bhor has joined #openstack-keystone00:33
*** gyee has quit IRC00:34
*** felipemonteiro has joined #openstack-keystone01:17
*** felipemonteiro has quit IRC01:30
openstackgerritHarry Rybacki proposed openstack/keystone master: Ensure default roles created during bootstrap  https://review.openstack.org/57224301:51
*** liuzz_ has quit IRC01:53
*** liuzz has joined #openstack-keystone01:54
*** itlinux has joined #openstack-keystone02:24
*** annp has joined #openstack-keystone02:40
kmallochm02:42
kmalloclbragstad: this is being too clever, right? --> app.after_request(lambda r: [r.headers.__setitem__('Vary', 'X-Auth-Token')][1])02:42
*** dtruong has quit IRC02:45
* kmalloc makes it not a lambda.02:46
*** dtruong has joined #openstack-keystone02:47
openstackgerritMorgan Fainberg proposed openstack/keystone master: Convert json_home and version discovery to Flask  https://review.openstack.org/57473602:47
openstackgerritayoung proposed openstack/keystone master: Ensure default roles created during bootstrap  https://review.openstack.org/57224302:52
*** dave-mccowan has quit IRC02:57
*** sheel has joined #openstack-keystone03:03
openstackgerritMorgan Fainberg proposed openstack/keystone master: Update flask common scafolding for json_home  https://review.openstack.org/57495303:09
*** hoonetorg has joined #openstack-keystone03:28
*** boris_42_ has quit IRC03:29
*** germs has quit IRC04:00
*** germs has joined #openstack-keystone04:00
*** germs has quit IRC04:00
*** germs has joined #openstack-keystone04:00
*** germs has quit IRC04:04
*** links has joined #openstack-keystone04:24
*** ykarel|away has joined #openstack-keystone04:43
*** pcaruana has joined #openstack-keystone04:50
*** Kumar has joined #openstack-keystone04:54
*** Dinesh__Bhor has joined #openstack-keystone04:59
*** Dinesh_Bhor has quit IRC04:59
*** felipemonteiro has joined #openstack-keystone05:03
*** pcaruana has quit IRC05:18
*** ykarel|away is now known as ykarel05:20
*** Kumar has quit IRC05:34
*** Kumar has joined #openstack-keystone05:35
*** Kumar has quit IRC05:38
*** felipemonteiro has quit IRC05:43
*** liuzz_ has joined #openstack-keystone05:45
*** liuzz has quit IRC05:48
*** Kumar has joined #openstack-keystone05:51
*** pcaruana has joined #openstack-keystone06:06
*** lifeless has quit IRC06:26
*** lifeless has joined #openstack-keystone06:26
*** liuzz has joined #openstack-keystone06:30
*** liuzz_ has quit IRC06:30
*** masber has joined #openstack-keystone06:35
*** Kumar_ has joined #openstack-keystone06:38
*** masuberu has quit IRC06:38
*** martinus__ has joined #openstack-keystone06:39
*** Kumar has quit IRC06:39
*** masuberu has joined #openstack-keystone06:41
*** masber has quit IRC06:45
*** lifeless_ has joined #openstack-keystone06:48
*** lifeless has quit IRC06:48
*** masuberu has quit IRC06:54
*** masuberu has joined #openstack-keystone06:54
*** AlexeyAbashkin has joined #openstack-keystone06:54
*** masuberu has quit IRC06:55
*** masuberu has joined #openstack-keystone06:55
*** masuberu has quit IRC06:57
*** masuberu has joined #openstack-keystone06:57
*** masuberu has quit IRC06:58
*** masuberu has joined #openstack-keystone06:59
*** rcernin has quit IRC07:00
*** masuberu has quit IRC07:00
*** masuberu has joined #openstack-keystone07:00
*** masuberu has quit IRC07:01
*** masuberu has joined #openstack-keystone07:01
*** masuberu has quit IRC07:02
*** masuberu has joined #openstack-keystone07:03
*** tesseract has joined #openstack-keystone07:07
*** Kumar_ has quit IRC07:12
*** threestrands has quit IRC07:21
*** lifeless has joined #openstack-keystone07:52
*** lifeless_ has quit IRC07:52
*** srihas has left #openstack-keystone08:02
openstackgerritwangxiyuan proposed openstack/keystone master: Delete project limits when deleting project  https://review.openstack.org/53837108:05
openstackgerritwangxiyuan proposed openstack/keystone master: Remove project_id foreign key for limit  https://review.openstack.org/57501608:05
*** dineshbhor__ has joined #openstack-keystone08:05
*** Dinesh__Bhor has quit IRC08:06
*** s10 has joined #openstack-keystone08:22
*** s10 has quit IRC08:26
*** s10 has joined #openstack-keystone08:27
s10Hello. I have a question about the bug in keystoneauth, described in http://lists.openstack.org/pipermail/openstack-dev/2018-May/130415.html
Hello. I have a question about the bug in keystoneauth, described in http://lists.openstack.org/pipermail/openstack-dev/2018-May/130415.html
Hello. I have a question about the bug in the keystoneauth, described in http://lists.openstack.org/pipermail/openstack-dev/2018-May/130415.html08:29
s10Will this problem be fixed in Rocky release of the keystoneauth library?08:29
s10We currently have to revert commit https://github.com/openstack/keystoneauth/commit/8b8ff830e89923ca6862362a5d16e496a0c0093c in our openstack deployments, because it breaks a lot of things.08:30
*** AlexeyAbashkin has quit IRC08:31
*** ykarel is now known as ykarel|lunch08:31
*** AlexeyAbashkin has joined #openstack-keystone08:40
cmurphymordred: are you working on that fix ^ ?08:45
cmurphys10: I don't see any indication that that has been fixed yet or any patches in flight but I'm sure we can fix it in rocky08:47
cmurphys10: if you haven't already, could you file a bug for it in https://bugs.launchpad.net/keystoneauth so we can track it?08:47
s10There is filed bug, that is caused by this issue https://bugs.launchpad.net/keystoneauth/+bug/173305208:51
openstackLaunchpad bug 1733052 in keystoneauth "Usage of internal URL in clouds.yaml causes a 404" [Undecided,Confirmed]08:51
*** nicolasbock has joined #openstack-keystone08:57
*** m3m0 has joined #openstack-keystone09:05
m3m0Hello, is there any way to query all the users for a given project?09:06
*** links has quit IRC09:08
*** nicolasbock has quit IRC09:12
cmurphym3m0: you can use `openstack role assignment list --project <project id>`09:13
m3m0cmurphy: thank you, I was using this but the users and domain (coming from ldap) appear as empty09:14
m3m0http://paste.openstack.org/show/723372/09:15
m3m0same goes for `openstack user list --project <project_id>`09:15
cmurphym3m0: did you make a role assignment for each ldap user with `openstack role add --user <userid> --project <projectid> <roleid>` ? if you're expecting there to be a default project that might be a little wonky09:21
s10Should I fill another more specified bug, or this one would be enough?09:22
cmurphys10: that one is great, just need mordred to see it when he wakes up09:22
s10Ok, thank you.09:23
*** links has joined #openstack-keystone09:25
*** ykarel|lunch is now known as ykarel09:26
m3m0cmurphy: yes I did, it seems to be an issue with my ldap conf, I'll debug that09:29
m3m0thanks a lot09:29
*** lifeless_ has joined #openstack-keystone09:34
*** lifeless has quit IRC09:34
*** lifeless has joined #openstack-keystone09:44
*** lifeless_ has quit IRC09:46
*** dineshbhor__ has quit IRC09:57
*** m3m0 has quit IRC10:03
*** AlexeyAbashkin has quit IRC10:06
*** AlexeyAbashkin has joined #openstack-keystone10:06
*** masuberu has quit IRC10:10
*** AlexeyAbashkin has quit IRC10:11
*** links has quit IRC10:12
*** d0ugal has quit IRC10:17
*** lifeless has quit IRC10:23
*** lifeless has joined #openstack-keystone10:24
*** links has joined #openstack-keystone10:25
*** lifeless_ has joined #openstack-keystone10:32
*** lifeless has quit IRC10:32
*** d0ugal has joined #openstack-keystone10:36
*** nicolasbock has joined #openstack-keystone10:46
jaosoriorcmurphy: hey, could you check this out if you have some time? https://review.openstack.org/#/c/57224310:51
*** AlexeyAbashkin has joined #openstack-keystone11:05
cmurphyjaosorior: commented11:06
jaosoriorthanks11:07
*** liuzz has quit IRC11:41
*** lifeless_ has quit IRC11:42
*** lifeless has joined #openstack-keystone11:42
*** annp has quit IRC11:45
*** edmondsw has joined #openstack-keystone12:07
*** Alexey_Abashkin has joined #openstack-keystone12:24
*** AlexeyAbashkin has quit IRC12:26
*** AlexeyAbashkin has joined #openstack-keystone12:27
*** Alexey_Abashkin has quit IRC12:29
*** larsks has joined #openstack-keystone12:31
*** larsks has left #openstack-keystone12:31
*** aojea_ has joined #openstack-keystone12:36
*** hoonetorg has quit IRC12:37
*** dave-mccowan has joined #openstack-keystone12:42
hrybackicmurphy: hmm so I do believe that the role implication will be created even if an existing 'reader' or 'member' role is in place12:44
hrybackiwe talked about how no new role will be created in the spec but didn't htink about role implications12:44
*** hoonetorg has joined #openstack-keystone12:47
jaosoriorhrybacki, cmurphy: perhaps the best way to address this is to enable a flag to the bootstrap command that will skip the creation of these roles if enabled. And the only thing we can actually do is document it.12:48
hrybackibased on what kmalloc was saying yesterday, we don't want to make the bootstrap process configureable12:50
hrybackithis bit might need some more discussion12:50
cmurphyyeah i'm not sure what the answer is here12:50
mordredcmurphy: what did I do?12:50
cmurphymordred: broke the world12:51
cmurphyhttps://bugs.launchpad.net/keystoneauth/+bug/173305212:51
openstackLaunchpad bug 1733052 in keystoneauth "Usage of internal URL in clouds.yaml causes a 404" [Undecided,Confirmed]12:51
cmurphymaybe just a very small number of clouds in the world12:52
mordredcmurphy: oh! yeah - that12:52
*** AlexeyAbashkin has quit IRC12:54
jaosoriorhrybacki: right... but we also don't want to block keystone from having sane bootstrap values. Either we make it configurable, or we document the implications of this change thoroughly12:54
jaosorior(it should be documented thoroughly anyway)12:55
*** bhagyashri_s is now known as bhagyashris12:56
hrybackiagreed12:58
hrybackiI'm just not sure what behavior we want (forcing implications or not)12:58
*** AlexeyAbashkin has joined #openstack-keystone13:04
lbragstadjaosorior: hrybacki we can technically get the same behavior and sane values without doing any of the role implication stuff13:18
lbragstadit's how we originally wrote the specification13:19
kmallocthats fine, i just don;'t want wildly different results (role name changes) etc13:19
kmallocbootstrap is not meant to be "make my cloud how i  want it" it is meant to be "build me a basic set of things for interfacing with the api, that most people would want"13:20
jaosoriorlbragstad: we sure can, that just means longer policies. Would have sure been nice to have the implications13:20
lbragstadright13:20
lbragstadthat was the trade off13:20
jaosoriorwhat about writing up a mail in the operators list?13:21
jaosoriorget some feedback there about what folks are doing13:21
*** dave-mccowan has quit IRC13:21
lbragstad++13:21
kmallocan alternative is we accept a yaml file that defines the whole cloud setup [operator uses it, it is on them] otherwise we do the basic stuff with implications.13:22
kmalloci worry that making bootstrap smart will cause us to do it badly though.13:22
jaosoriorkmalloc: I didn't understand that, could you rephrase?13:22
lbragstadwhat's in the yaml file?13:22
lbragstadpolicies?13:22
*** felipemonteiro has joined #openstack-keystone13:22
kmalloclbragstad: domains, projects, roles, users, assigned roles, etc13:22
kmallocjaosorior: we *could* allow someone to provide a template for building up their cloud during bootstrap13:23
*** felipemonteiro has quit IRC13:23
lbragstadwould that just be a yaml version of the command line arguments?13:23
kmallocjaosorior: so keystone-manage bootstrap --template mycloud.yaml13:24
kmalloclbragstad: ^13:24
kmalloclbragstad: no, much more involved.13:24
kmalloclbragstad: i am of the opinion this is a bad idea13:24
jaosoriorstill unsure what mycloud.yaml contains; if it contains user and role assignments to users, I'm not too keen on that.13:24
kmalloci'm not a fan. i also am not really a fan of bootstrap creating something remarkably different based on flags13:25
kmallocjaosorior: it would be a template for bootstraping the cloud to the form an operator would want instead of the very basic setup we have now which may not match policies.13:25
kmalloclbragstad: that said i wont hold up much of anything on this front because i don't like it.13:26
lbragstaddoes that address the implied roles bit?13:26
kmallocit would, as you'd define a set of implied roles or not implied roles in the yaml.13:26
cmurphykmalloc: yeah i don't like that, i was never trying to imply that bootstrap should be bringing up a fully configured keystone, it's just that it's supposed to be idempotent and if it has this behavior change when it's run after it's already deployed that's not great13:26
kmallocwait... hold on13:27
kmallocif someone has already deployed a cloud and re-runs bootstrap with an upgraded bootstrap13:27
jaosoriorI would much rather just ask around what folks are doing, bring up what we intend to do, and if it's not too much inpact, then lets just provide the default roles with implications13:28
kmallocno, we don't special case that13:28
kmallocthat is dumb13:28
kmallocmaybe we make bootstrap say "uh, looks like you ran bootstrap with a previous verison, are you REALLY SURE YOU WANT THIS?!"13:28
cmurphywhat if we just say if role reader already exists and role member already exists then don't create an implication rule between them13:28
jaosoriorkmalloc: I like that option better. a Warning and a confirmation13:29
kmalloccmurphy: i think we're solving a people problem with tech here13:29
hrybackicmurphy so the first part of that already happens13:29
cmurphykmalloc: no i don't think so13:29
cmurphyit's an automation problem13:29
kmallocif you are re-running bootstrap on an openstack that you already deployed you're doing it wrong13:29
lbragstadit's a common thing though13:29
lbragstadsome deployment projects do that13:29
kmallocthe only case this is an issue: deployed openstack, upgraded, re-run bootstrap13:30
kmallocthis is bad behavior13:30
cmurphyif a config management tool runs bootstrap the only way to note "DON'T RUN THIS AGAIN" is to write it down somewhere13:30
cmurphywhich is weird and awkward13:30
cmurphyand it would be better to just make it safe to run again13:30
lbragstadwhich is what we've been doing for a while, we've fixed bugs to make it idempotent13:31
hrybackiwe'll have to re-work the patch but I think that's doable. I'd like to keep the role implications if possible13:31
kmallocidempotent is fine, idempotent across versions of keystone is absurd13:31
cmurphyi disagree13:31
kmallocso, here is my solution: encode bootstrap was run with version X in the db13:31
*** hrybacki is now known as hrybacki|mtg13:31
kmallocif you're running it with a new version, it needs explicit confirmation or it is noop13:31
cmurphyokay i'm fine with that13:32
kmallocbootstrap was never meant to be used on every single upgrade.13:32
cmurphythat would actually be great for cfg mgmt tools regardless of this13:32
cmurphyesp puppet13:32
kmallocs/new version/new OR old version/13:32
kmalloccmurphy: i'm happy to make it easier to not run bootstrap in silly ways ;)13:33
*** AlexeyAbashkin has quit IRC13:33
kmalloci'm standing by my statement that it wasn't really intended to be run from different versions of openstack on production/running clouds13:34
lbragstadwhat about recovering the administrator account?13:34
kmallocit was intended to be idempoent in the case that there was some initial automation that justified re-running things.13:34
kmalloclbragstad: i would make that an explicit keystone-manage command13:34
kmallocor a doctor command?13:34
kmallocbootstrap is and always was intended to avoid "start keystone, initialize db, stop keystone--change paste.ini or config--, start keystone"13:35
kmallocgetting the db in a usable state of basic user/project/role for further automation work.13:35
kmallocor non-automated work.13:35
kmalloci would never, ever, ever, recommend using bootstrap outside of a "initializing keystone for a given deployment" including run it on every upgrade, or similar cases.13:37
kmallocif we need more manage/doctor/operator commands for administrative things, we should add them  not wedge it into bootstrap13:37
kmalloccmurphy: i'd be happy to review any code that makes bootstrap work like that and avoid re-running on new versions without confirmation.13:38
kmallocjaosorior: ^ what i said to cmurphy13:38
kmallocand i 100% support adding that functionality to bootstrap :)13:38
jaosoriorkmalloc: I'll read it in a bit (in a meeting right now)13:39
kmallocjaosorior: np :)13:39
cmurphyi'm still a little unhappy, until now it's been totally safe to rerun bootstrap, either by accident or for recovery, so people are going to have build tooling making those assumptions13:40
cmurphybuilt*13:40
cmurphyand in fact one of our products does seem to run it unconditionally though the other one doesn't13:44
*** felipemonteiro has joined #openstack-keystone13:45
jaosoriorcmurphy: tripleo runs it unconditionally, but I can easily fix that issue13:45
jaosoriorfor puppet-keystone, it all depends on whether or not you enable bootstrap to run via a flag13:45
*** zxy has quit IRC13:45
cmurphyjaosorior: sure, you can fix tripleo and i can fix suse's thing but the point is it's out in the wild and other people are relying on it13:46
*** zxy has joined #openstack-keystone13:46
*** aojea_ has quit IRC13:48
*** sheel has quit IRC13:50
*** aojea_ has joined #openstack-keystone13:52
*** aojea_ has quit IRC13:52
*** aojea_ has joined #openstack-keystone13:52
kmalloccmurphy: if i had known that was the plan, i would have advocated to make bootstrap never runable again13:54
kmalloccmurphy: the idempotent run was strictly a design choice for making it easy for a standup of a cloud for initialization only.13:55
kmallocwe are changing the behavior, it is not purely idempotent13:56
kmallocit is idempoent in a given release (and even a number of historical releases)13:56
kmallocif we can never make our bootstrapping tools better because "someone might be using them" we're in a broken state.13:57
kmalloci am very very very much against making bootstrap super smart unless we go the whole way and just say "fine, provide a template" and we define a couple templates with/without the implications but default to implications.13:58
kmallocso. if we make bootstrap know it has been run [or the cloud is in production] and require confirmation to re-run, with changed behavior (version-dependant, idempotent within a given version)13:59
kmallocit seems to make it "safe" again.13:59
*** dave-mccowan has joined #openstack-keystone13:59
kmallocalso - if people are really using it for recovery, we should figure out if it makes sense to offer another command specifically tailored for that14:00
*** jmlowe has quit IRC14:02
cmurphyi am not saying it has to be super smart and i'm not saying we have to treat it as a stable api and never change it14:03
kmalloci think we miscommunicated what it was for and that is a problem.14:03
kmallocand we should rectify it in two ways: 1) if we change it make it safe -- so at least people aren't getting something "new" added that they were not expecting14:04
cmurphyi think it is great at what it is, a create-if-not-exists utility, i don't think it needs to be smarter than that14:05
kmalloc2) add additional support for the things folks were using it for that doesn't meet with the defined purpose of the tool.14:05
cmurphyi added a comment to the review that i just think we should document the new behavior better14:05
kmallocthats fine.14:05
kmallocand i don't disagree14:05
kmallocs/don't disagree/totally agree14:05
cmurphyokay cool14:05
kmalloci also think we should make sure we're clear on what it's intended to do and i don't want a ton more options "--create-implication" "--dont-create-implications" "--dumb-default-roles", "--super-smart-cool-new-hotness-default-roles"14:06
kmalloc :)14:06
cmurphyfine with me14:06
kmalloc++14:07
cmurphyi am 100% on board with keeping it as dumb as possible14:07
kmalloci do really think we should make it possible to know if bootstrap has been run14:07
kmallocmaybe invert the option(s) like mysql im-a-dummy (prevents delete without a where clause)14:08
kmallocso bootstrap --only-run-once and it never runs if it's been run before14:08
cmurphytools like puppet could really benefit from a keystone-manage do-i-need-to-run-bootstrap command14:08
kmalloc++14:08
cmurphybecause they then report on whether they did the action14:08
kmallocand i like knowing what version of keystone or more specifically of bootstrap we ran14:09
kmallocthough i'd like to figure out a way of being clever to ensure it requires a version change if new feature is added/functionality is changed.14:09
kmalloccmurphy: would you like me to take on adding the migration and bootstrap changes for knowing that?14:11
kmalloc[if we have a bug/bp/spec i can target it to, i'll hack that code up quickly, stalled on the flask stuff because @protected and mulling over how to approach]14:11
*** spilla has joined #openstack-keystone14:12
cmurphykmalloc: well i worry about the "being clever" part14:13
lbragstadfwiw - i'd be inclined to expose a "do i need to run bootstrap" command versus "run bootstrap but fail if it's already been done" permutation14:13
* lbragstad leaves his $0.02 on the counter14:13
cmurphylbragstad: ++14:13
cmurphythat is exactly what i'd want14:13
cmurphyi don't really want the bootstrap command itself trying to be smart14:13
kmalloccmurphy: clever in the code "if we change bootstrap make sure we can detect it automatically and we increase the version"14:14
kmallocnot anything more than for testing14:14
kmallocso we can catch and say "uh, changed bootstrap version didn't change"14:14
lbragstadcc cloudnull ^14:15
*** aojea_ has quit IRC14:15
kmalloclbragstad, cmurphy: and do you want it to be a separate command or do you want "i-am-a-dummy" flag (opt in)14:16
kmalloc(i do like mysql's form of that, it is a nice opt-in protection)14:16
cmurphykmalloc: either works, i was thinking separate command but actually a --noop might be nice14:17
lbragstad++14:17
kmalloclbragstad: in this weeks "why did i ever start programming": func = lambda r: [r.__setitem__('new_dict_key', 'new_dict_value'), r][1]14:18
kmalloclbragstad: how many ways can i write bad python code ;)14:18
* cmurphy takes the computer away from kmalloc14:18
* lbragstad gets the bottle of vinegar/water out14:18
kmalloccmurphy: ^_^ not that i ran into a case where that would work last night or anything...14:18
cmurphy:P14:19
kmallocbecause i needed to work around a decorator without using it as a decorator and needed to pass a func that changed a dict but returned the surrounding object14:19
kmalloc(wsgi response object)14:19
lbragstadok - so does this mean we are ok with the implications/14:19
lbragstadrole implications*14:19
kmalloclbragstad: we add them to bootstrap, document heavily the changed functionality14:19
cmurphyi'm okay with it14:20
cmurphyjust needs to be highlighted better in the release note14:20
kmallocand give bootstrap a "hey don't run me more than once" mechanism14:20
lbragstadand document the usage of the --noop and why it makes that whole situation better for people who've rolled their own stuff14:20
kmallocalso...because cmurphy said she's good with it :)14:20
kmalloclbragstad: ++14:20
lbragstadok - cool14:20
kmalloclbragstad: though i'm probably not calling it --noop :P14:20
lbragstadcc hrybacki|mtg jaosorior ^14:20
hrybacki|mtgwe are reviewing barbican APIs atm, I'll read up and review after we finish this14:21
kmallocsure.14:22
cmurphyto be clear the --noop part doesn't need to block hrybacki|mtg 's patch imo14:22
cmurphyjust a nice-to-have14:22
lbragstadtrue14:22
*** felipemonteiro has quit IRC14:27
kmalloccorrect14:30
kmallocthe --noop part will be in addition to anything else and can be done in paralle14:30
kmallocl14:30
*** itlinux has quit IRC14:34
*** hoonetorg has quit IRC14:35
*** larsks has joined #openstack-keystone14:51
larsksHey folks.  What is the purpose of the public_endpoint and admin_endpoint settings in keystone.conf?14:54
kmalloclarsks: well, 2 things14:55
kmallochistorically for long ago functionality14:55
kmallocand 2: allows for override in case you'r ebehind say a loadbalancer that doesn't send x-forwarded-for etc, so you can set the endpoint that shows up in the rel links in the json responses14:56
kmallocetc.14:56
larskskmalloc: Thanks.  For context, I'm trying to get the openidc federation support in puppet-keystone, and it seems to want to use the value of those settings to create a URL, and I am trying to figure out if I can replace that with another puppet variable.14:56
kmallocadmin_endpoint applied only to keystone v2.0 when you were using the admin vs public thing14:56
kmalloclarsks: i recommend not using those values if you can replace it with something else.14:57
kmalloclarsks: fwiw, in rocky admin_endpoint is not used, and public_endpoint is used only in special circumstances14:57
kmallocso, substituting for something else if possible (var wise) is good14:57
kmallocunless you need those set for your deployment, then keeping them tied together is a nice thing to do.14:57
kmallocmost dpeloyments don't need them set.14:57
larsksGot it.  The trick I'm running into is finding someone who is familiar with both keystone *and* the puppet-keystone module :).  You've given me some ideas, though.14:58
lbragstadcmurphy: at some point - we should revisit what we want to do about patches like this - https://review.openstack.org/#/c/575016/115:04
*** hrybacki|mtg is now known as hrybacki15:04
* hrybacki is more confused now than he was before after reading up15:04
*** r-daneel has quit IRC15:05
lbragstadthe TL;DR as i understood it15:05
lbragstad- we can make the role implication happen in bootstrap, but we need to telegraph it in the upgrade section of a release note (to make operators aware if they have their own custom policies that rely on those role names)15:06
cmurphyhrybacki: the tldr is i left a -1 with actionable feedback on the review15:06
hrybackiack. I'll also update the patch for the section covering this to note as much15:07
hrybackithe spec*15:07
hrybackithanks all15:07
cmurphylbragstad: ooh you know how much i want to drop that fk ;)15:07
lbragstadyeah - we've had a slew of patches come up recently doing the same thing15:08
lbragstadbut i'm not sure i remember the conclusion of the discussions we had around it?15:08
cmurphythere wasn't a solid conclusion15:09
lbragstadso i'm not in left field then15:10
cmurphyi think the most actionable part was we need better rolling upgrade testing so we can evaluate how things like that will play out in upgrade scenarios15:10
cmurphyi think that was what kmalloc was worried about15:11
lbragstadah15:11
lbragstadi was thinking it felt weird to have a relational database at out disposal, but we can't really use any fk to our advantage15:12
lbragstadour*15:12
*** jmlowe has joined #openstack-keystone15:12
cmurphywe can use them, just not in a plugin-style architecture15:13
kmalloccmurphy: ++15:13
openstackgerritHarry Rybacki proposed openstack/keystone-specs master: Add role implication note to basic-default-roles  https://review.openstack.org/57514415:14
kmallocso, we can't leverage FKs across backends if we support loading them from different data sources15:14
*** AlexeyAbashkin has joined #openstack-keystone15:18
*** efried has quit IRC15:20
*** itlinux has joined #openstack-keystone15:23
*** AlexeyAbashkin has quit IRC15:30
*** lifeless has quit IRC15:31
*** lifeless has joined #openstack-keystone15:31
*** ykarel is now known as ykarel|away15:33
kmallocIF we want to leaverage FKs we need to re-tie what the backends are and how they work15:36
*** links has quit IRC15:36
kmallocFKs across different data stores (or in the case a data store is overriden and a FK is required) might break things horribly15:36
*** AlexeyAbashkin has joined #openstack-keystone15:42
*** r-daneel has joined #openstack-keystone15:46
*** r-daneel_ has joined #openstack-keystone15:49
*** s10 has quit IRC15:50
*** r-daneel has quit IRC15:51
*** r-daneel_ is now known as r-daneel15:51
*** aojea has joined #openstack-keystone15:51
*** gyee has joined #openstack-keystone15:51
*** ykarel|away has quit IRC16:12
*** r-daneel_ has joined #openstack-keystone16:17
*** r-daneel has quit IRC16:18
*** r-daneel_ is now known as r-daneel16:18
*** ykarel|away has joined #openstack-keystone16:25
*** r-daneel has quit IRC16:31
*** r-daneel has joined #openstack-keystone16:31
*** tesseract has quit IRC16:33
*** ykarel|away has quit IRC16:37
hrybackilbragstad: ayoung do we really not have implied roles documented? https://bugs.launchpad.net/keystone/+bug/160916416:40
openstackLaunchpad bug 1609164 in OpenStack Identity (keystone) "[api] Document implied roles" [Wishlist,Fix released] - Assigned to Tin Lam (lamt)16:40
ayounghrybacki, I thought I wrote something for them way back when16:40
hrybackiayoung: lost patch perhaps?16:40
lbragstadwe lack documentation for other role things, too16:40
lbragstadhttps://bugs.launchpad.net/keystone/+bug/173786316:41
openstackLaunchpad bug 1737863 in OpenStack Identity (keystone) "Lack of documentation for role inheritance" [Medium,Confirmed]16:41
hrybackioh boy16:41
lbragstadand https://bugs.launchpad.net/keystone/+bug/177509416:41
openstackLaunchpad bug 1775094 in OpenStack Identity (keystone) "Lack of documentation for role permutations and possibilities" [Medium,Triaged]16:41
ayoungit was part of the original patch...was a requirement I thought16:41
lbragstaddocumentation has also shuffled various places since then... so maybe it accidentally got lost somewhere?16:42
ayoungcommit 3b86db443cc7f4b360e434a6a804df20d175642516:42
ayoungAuthor: Tin Lam <tinlam@gmail.com>16:42
ayoungDate:   Sat Aug 13 20:41:07 2016 -050016:42
ayoung    api-ref: Document implied roles API16:42
ayoung16:42
ayoung    Add documentation for implied roles.16:42
hrybackiI'm really bad at reading -- fix released16:42
ayoungapi-ref/source/v3/roles.inc16:43
lbragstadoh - nvm16:43
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/api-ref/source/v3/roles.inc#n104216:43
ayoungall good?16:44
*** ykarel|away has joined #openstack-keystone16:52
hrybackiayoung: gerrit question for you16:57
*** Alexey_Abashkin has joined #openstack-keystone16:58
*** AlexeyAbashkin has quit IRC16:58
*** Alexey_Abashkin is now known as AlexeyAbashkin16:58
hrybackiayoung: there was a dependency on openstack/tempest but some of those patches have merged. So I removed the 'depends-on' from my commit msg and now I'm seeing: https://paste.fedoraproject.org/paste/QS7i387kYQKxSPL4gS4O8w16:59
hrybackisorry, left out some lines: https://paste.fedoraproject.org/paste/OvZPRvhYLbxIQ8qLAZYrxw17:02
openstackgerritHarry Rybacki proposed openstack/keystone master: Ensure default roles created during bootstrap  https://review.openstack.org/57224317:05
hrybackimust be tainted local thing. Submitted it through gerrit directly \_0_/17:05
*** aojea has quit IRC17:07
*** aojea has joined #openstack-keystone17:07
*** AlexeyAbashkin has quit IRC17:10
lbragstadhrybacki: i think you just need to rebase your work on master and resubmit17:21
lbragstadthe change it is complaining about already merged17:21
hrybackilbragstad: I thought so but that didn't work either17:21
lbragstadmm17:22
lbragstadwhich change is it?17:22
lbragstadthis one? https://review.openstack.org/#/c/572243/17:22
hrybackilbragstad: https://review.openstack.org/57224317:22
hrybackiaye17:22
hrybackiI got it through -- just had to use the GUI (yuck, I know)17:22
hrybackiI'll wipe my local keystone repo and re-clone if I need another patchset17:23
lbragstadcool17:23
hrybackibut that seems in order17:23
lbragstadfwiw - leaving the depends-on in the commit message shouldn't matter17:23
hrybackikmalloc: did you take the action item for the --noop bits ?17:23
kmallocyeah17:23
hrybackiack thanks kmalloc17:23
lbragstadit just prevents someone from +A'ing the change before the dependency in the other repository merges17:23
hrybackilbragstad: hmm. Why was it griping about the depends-on already having merged?17:23
lbragstad(and it's nice for auditing purposes)17:23
lbragstadit looks like your error message was griping about something else17:24
lbragstadhttps://review.openstack.org/57191317:25
lbragstadnot https://review.openstack.org/#/c/574149/17:25
lbragstadwhich is the dependency listed it the commit message of https://review.openstack.org/#/c/572243/1117:25
hrybackioh god, gj fat fingers17:26
*** AlexeyAbashkin has joined #openstack-keystone17:28
lbragstadstepping away for lunch quick, but i'm going to get a couple patches up for unified limit support in osc afterwords (in case anyone's burning to test that manually)17:34
*** AlexeyAbashkin has quit IRC17:36
*** ykarel|away has quit IRC17:37
*** aojea has quit IRC17:42
*** germs has joined #openstack-keystone17:47
*** germs has quit IRC17:47
*** germs has joined #openstack-keystone17:47
*** simondodsley_ has quit IRC18:03
*** simondodsley has joined #openstack-keystone18:03
*** simondodsley has left #openstack-keystone18:04
*** openstackgerrit has quit IRC18:04
*** openstackgerrit has joined #openstack-keystone18:09
openstackgerritHarry Rybacki proposed openstack/keystone master: Ensure default roles created during bootstrap  https://review.openstack.org/57224318:09
hrybackilbragstad: re-added the missing dependency18:10
hrybackishould be ready for reviews18:10
*** harlowja has joined #openstack-keystone18:10
*** r-daneel_ has joined #openstack-keystone18:11
*** r-daneel has quit IRC18:11
*** r-daneel_ is now known as r-daneel18:11
knikollao/18:13
*** dave-mccowan has quit IRC18:15
*** zxy has quit IRC18:16
*** zxy has joined #openstack-keystone18:16
hrybackilbragstad: is it possible to assign scope to an action in policy.json files?18:27
hrybackiThat is a request from Barbican during the audit (thinking about Cu. uses)18:28
lbragstadthere is the ability to match project ids through policy18:29
hrybackis/assign scope/specify required scope type/18:30
hrybackiakin to:18:30
lbragstadscope_types are immutable from policy.json files18:30
hrybackihttps://github.com/openstack/keystone/blob/master/keystone/common/policies/role.py#L2618:30
lbragstadit was meant to be set in code and not overridden18:31
hrybackiack. I need to refresh myself on how the toggle for scope types works again18:31
lbragstadif keystone.conf [oslo_policy] enforce_scope = True then oslo.policy will raise an exception if a token of the wrong scope is used to access a policy of a different scope type18:32
hrybackisolid, thanks lbragstad18:33
*** Exhar_ has quit IRC18:33
lbragstadnp18:33
*** felipemonteiro has joined #openstack-keystone18:43
*** boris_42_ has joined #openstack-keystone18:45
ayoungYou never have to reclone18:48
ayounghrybacki, the magic to git is this:18:48
ayounggit fetch origin18:48
ayounggit checkout master18:48
ayounggit reset --hard origin/master18:48
ayounghrybacki, are we making a rule that admin implies member?18:50
ayoungWhy so we are...very nice18:50
ayoungI'm sure that will annoy someone out there, but it makes me pleases as Punch18:50
hrybackiayoung: yeah. we'll see how that is received. The implication will happen regardless of whether or not they want it of they re-run the bootstrap process (for now -- kmalloc is working on a noop for that)18:51
ayoungopt out?18:57
ayounghrybacki, we already have the opt out of the implications happening in token section of the config file18:58
hrybackiayoung: that would break any existing implications they had though18:58
ayoungso it really would only be a problem for that one person out there that is using implied roles, but does not want member to imply reader or admin to imply member.  I'll be happy to rewrite that one persons rules myself18:58
hrybackiayoung: noted :)18:59
hrybackibut the default behavior will be to create them regardless so your wishes are coming true18:59
ayoungsteepled hands "all my plans are coming together"19:03
*** hoonetorg has joined #openstack-keystone19:04
kmallocayoung: the plan is "if you don't want implications created, don't run bootstrap"19:11
kmallocayoung: and if you REALLY want to not run bootstrap and are using automation there is an option to only run it once19:12
ayoungkmalloc, so, I finally have a reason to do RBAC later than the middleware time.  I mean, at middleware works still for the use cases, but I had an interesting talk with a customer for also doing it after fetching the object from the database19:13
ayoungthey want to be able to label an object and do RBAC matching against it19:14
kmallocah19:14
ayounglike, a specific object,19:14
ayoungmostly for stuff in swift and so one19:14
kmallochm. i think that falls into the grey area we deal with now,19:14
kmallocso basically, the delay_auth_decision stuff19:15
ayoungI think we could actually do it now, assuming the remote system supported a way to get the object tags into the policy check19:15
kmallocand let the underlying app do the thing19:15
ayoungwel... I think it would be more of an "And rule applied later"19:15
kmallocwe'd need a hook for <check_policy_with_new_thing>19:15
ayoungso, even if you get in, the policy check in the code might say "ah, not THIS object"19:15
kmalloci think i can hook something into oslo_context for that.19:15
ayoungcurrent policy would be sufficient, but way too static for most uses19:15
kmallocso RBAC basic edge check, then in code you can do context.enforce()19:16
kmallocor with context(): context.enforce()19:16
ayoungbecause the members of the project would want to be able to say "here is the role that needs to match this object property"19:16
ayoungotherwise, it would be a global rule, and that would be tough19:16
kmallocright19:16
ayoungI did write up a simple scheme where you matched the role19:16
ayounglike, you had a object_access tag that got one of the roles from the end user that created it19:17
ayoungand, you needed to have that same role to perform other operations19:17
ayoungbut I don't think it is sufficient19:17
ayoungI wrote it up here. https://etherpad.openstack.org/p/access-tags-planning19:18
kmallocrigth19:20
ayoungkmalloc, I could see and argument for adding the domain specific roles into the token to support cases like that, or even coming up with project specific roles19:21
ayoungbut I suspect that having a wider set of global roles would support most people's needs19:22
kmallocagree with the wider set of roles19:29
kmallocin keystone we have a super easy way to manage that with flask19:29
kmallocthe post "get item" bit19:30
kmallocbut in non-flask things [though i could fix oslo-service to do the same things]19:30
kmallocin flask we have a .before_request and a .after_request set of functions that can modify the flow/responses19:31
kmallochmm.19:35
kmallocthis doesn't make sense.19:35
* kmalloc goes diving through git blame...19:35
lbragstadhttps://review.openstack.org/#/q/topic:bp/unified-limits+status:open+project:openstack/python-openstackclient still needs work, but i'd appreciate early feedback if folks have any19:37
hrybackithis is interesting. Barbican overloads their rule names: https://github.com/openstack/barbican/blob/master/barbican/common/policies/acls.py#L17-L2019:39
kmallocthat...19:39
kmallocwow19:39
hrybackikmalloc: prepare yourself. all these services probably have super interesting ways of doing things19:40
openstackgerritLance Bragstad proposed openstack/python-keystoneclient master: Add support for registered limits  https://review.openstack.org/53766819:41
openstackgerritLance Bragstad proposed openstack/python-keystoneclient master: Add support for project-specific limits  https://review.openstack.org/57439119:41
hrybackikmalloc: these could be collapsed. I'm not sure where we are setting the check strings in keystone though: https://github.com/openstack/keystone/blob/master/keystone/common/policies/auth.py19:42
hrybackiah, I see. Many use defaults19:43
kmallocyep19:43
*** lifeless_ has joined #openstack-keystone19:49
*** lifeless has quit IRC19:49
hrybackikmalloc: I believe it's because they have pretty different rule checks for most methods19:52
openstackgerritTim Burke proposed openstack/keystonemiddleware master: Handle DiscoveryFailure errors  https://review.openstack.org/57521419:53
*** aojea has joined #openstack-keystone20:01
*** dave-mccowan has joined #openstack-keystone20:05
*** AlexeyAbashkin has joined #openstack-keystone20:11
*** spilla has quit IRC20:15
*** AlexeyAbashkin has quit IRC20:16
*** spilla has joined #openstack-keystone20:16
*** spilla has quit IRC20:16
*** vegarl has quit IRC20:19
*** vegarl has joined #openstack-keystone20:20
*** blake has joined #openstack-keystone20:22
*** martinus__ has quit IRC20:30
*** s10 has joined #openstack-keystone20:41
*** s10 has quit IRC21:00
*** openstackgerrit has quit IRC21:04
*** openstackgerrit has joined #openstack-keystone21:05
openstackgerritJoshua Harlow proposed openstack/python-keystoneclient master: Need to pass through domain_id when domain is provided  https://review.openstack.org/57523421:05
*** fiddletwix has joined #openstack-keystone21:06
*** jmlowe has quit IRC21:11
*** lifeless_ has quit IRC21:23
*** lifeless has joined #openstack-keystone21:24
*** nicolasbock has quit IRC21:27
*** edmondsw has quit IRC21:33
*** edmondsw has joined #openstack-keystone21:35
*** felipemonteiro has quit IRC21:36
*** felipemonteiro has joined #openstack-keystone21:36
*** lifeless_ has joined #openstack-keystone21:36
*** lifeless has quit IRC21:37
*** edmondsw has quit IRC21:40
*** dave-mccowan has quit IRC21:43
*** jmlowe has joined #openstack-keystone21:50
*** itlinux has quit IRC21:52
*** jmlowe has quit IRC22:07
*** harlowja has quit IRC22:11
*** harlowja has joined #openstack-keystone22:12
*** jmlowe has joined #openstack-keystone22:20
*** harlowja has quit IRC22:21
*** aojea has quit IRC22:21
*** rcernin has joined #openstack-keystone22:26
*** rcernin is now known as rcernin|brekkie22:27
*** rcernin|brekkie is now known as rcernin22:27
*** felipemonteiro has quit IRC22:44
*** threestrands has joined #openstack-keystone22:47
*** jmlowe has quit IRC23:13
*** jmlowe has joined #openstack-keystone23:15
*** dave-mccowan has joined #openstack-keystone23:22
*** blake has quit IRC23:22
*** blake has joined #openstack-keystone23:23
*** blake has quit IRC23:30
*** blake has joined #openstack-keystone23:31
*** jmlowe has quit IRC23:51
*** jmlowe has joined #openstack-keystone23:55
« Tuesday, 2018-06-12 Index Thursday, 2018-06-14 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!