Monday, 2018-06-18

*** Dinesh_Bhor has joined #openstack-keystone [00:33]
*** rcernin_ has joined #openstack-keystone [00:34]
*** rcernin has quit IRC [00:37]
*** edmondsw_ has joined #openstack-keystone [00:52]
*** edmondsw has quit IRC [00:55]
*** namnh has joined #openstack-keystone [01:05]
*** germs has quit IRC [01:24]
*** germs has joined #openstack-keystone [01:25]
*** germs has quit IRC [01:25]
*** germs has joined #openstack-keystone [01:25]
*** edmondsw_ has quit IRC [01:29]
*** sapd has joined #openstack-keystone [02:09]
*** rcernin_ has quit IRC [02:09]
*** annp has joined #openstack-keystone [02:22]
*** homeski has joined #openstack-keystone [02:36]
*** edmondsw has joined #openstack-keystone [02:44]
*** edmondsw has quit IRC [02:49]
openstackgerrit: wangxiyuan proposed openstack/keystone master: [WIP]Add auto increase primary key for unified limit
*** r-daneel has joined #openstack-keystone [04:10]
*** r-daneel_ has joined #openstack-keystone [04:13]
*** germs has quit IRC [04:14]
*** r-daneel has quit IRC [04:15]
*** r-daneel_ is now known as r-daneel [04:15]
*** felipemonteiro has joined #openstack-keystone [04:26]
*** edmondsw has joined #openstack-keystone [04:32]
*** edmondsw has quit IRC [04:37]
*** links has joined #openstack-keystone [04:37]
*** mvk has joined #openstack-keystone [04:50]
*** lifeless has quit IRC [04:52]
*** felipemonteiro has quit IRC [05:13]
*** itlinux has quit IRC [05:19]
*** rcernin has joined #openstack-keystone [05:20]
*** bhagyashris has quit IRC [05:55]
*** martinus__ has joined #openstack-keystone [06:11]
*** sheel has joined #openstack-keystone [06:14]
*** bhagyashris has joined #openstack-keystone [06:20]
*** edmondsw has joined #openstack-keystone [06:21]
*** annp has quit IRC [06:21]
*** edmondsw has quit IRC [06:26]
*** pcaruana has joined #openstack-keystone [06:35]
*** dmellado has joined #openstack-keystone [06:41]
*** rcernin has quit IRC [07:01]
*** belmoreira has joined #openstack-keystone [07:11]
*** tesseract has joined #openstack-keystone [07:22]
*** links has quit IRC [07:38]
*** links has joined #openstack-keystone [07:55]
*** AlexeyAbashkin has joined #openstack-keystone [07:57]
*** links has quit IRC [08:04]
*** r-daneel has quit IRC [08:08]
*** r-daneel has joined #openstack-keystone [08:09]
*** edmondsw has joined #openstack-keystone [08:09]
*** edmondsw has quit IRC [08:14]
*** links has joined #openstack-keystone [08:18]
*** slunkad has joined #openstack-keystone [08:22]
*** aojea has joined #openstack-keystone [08:26]
*** sonuk_ has joined #openstack-keystone [08:27]
*** s10 has joined #openstack-keystone [08:27]
*** sonuk has quit IRC [08:30]
*** annp has joined #openstack-keystone [08:34]
*** aojea has quit IRC [08:36]
*** amoralej has joined #openstack-keystone [08:39]
amoralej: i'm finding error when trying to create "Member" role if "member" already exist [08:40]
amoralej: is this expected? [08:40]
amoralej: are role names non case sensitive? [08:41]
*** tosky has joined #openstack-keystone [08:41]
amoralej: hrybacki, ^ [08:48]
amoralej: is breaking some things [08:49]
tosky: amoralej: oh, we had some breakages related to keystone in sahara after that change was merged, I was not sure if it was directly related [08:50]
tosky: I can share the issues, one minute... [08:50]
*** lifeless has joined #openstack-keystone [08:55]
tosky: vs failing:
tosky: amoralej: does it match the error that you noticed? ^ [08:57]
amoralej: tosky, let me check... [08:57]
amoralej: tosky, looks a different error, but probably related to that patch too [08:58]
tosky: amoralej: did you try a test revert patch already, just to verify? [08:58]
tosky: or could I? [08:58]
amoralej: tosky, in my case [08:59]
amoralej: the error is [08:59]
amoralej: " Execution of '/bin/openstack role create --format shell Member' returned 1: Conflict occurred attempting to store role - Duplicate entry found with name Member. (HTTP 409)" [08:59]
amoralej: and it's clear that root cause is that patch [08:59]
tosky: "Conflict: Conflict occurred attempting to store trust - Duplicate entry." [08:59]
tosky: that's my error [08:59]
amoralej: tosky, but i see other one too [08:59]
tosky: which is a warning, but becomes an error in heat, and boom [08:59]
tosky: that's later [08:59]
tosky: but confusing [09:00]
amoralej: ah ok [09:00]
tosky: "Circular reference found role inference rules" [09:00]
amoralej: in the case of puppet, that's breaking [09:00]
tosky: maybe it's related too [09:00]
amoralej: yeah, that's the one i referred [09:00]
tosky: amoralej: so, do you think that it's worth to try a revert to pinpoint more precisely the issue, now that the gates are still not too loaded? [09:02]
amoralej: tosky, now i see your error Duplicate entry found with name Member. [09:04]
amoralej: it's exactly the same [09:04]
amoralej: but in your case it's probably not as critical [09:04]
amoralej: because it's just warning [09:04]
tosky: but one of the later warning is taken by heat as an error [09:05]
amoralej: i think this will break many things... [09:07]
amoralej: tosky, it may be worthy to propose a revert at least to discuss it [09:09]
amoralej: and see how to improve backwards compatibility [09:09]
tosky: ok, let me try (with a depends-on patch for sahara) [09:09]
openstackgerrit: Luigi Toscano proposed openstack/keystone master: Revert "Ensure default roles created during bootstrap"
amoralej: tosky, i'm investigating to implement case insensitivity in puppet-keystone [09:13]
amoralej: which seems to be required according to keystone behavior [09:13]
tosky: amoralej: is that the reason, a conflict between words with different cases? [09:13]
amoralej: member and Member [09:14]
amoralej: i'm not sure in your trust [09:14]
amoralej: but it's still not very clear to me if case insensitivity is expected in keystone [09:14]
tosky: but that review just introduced new defaults, so how did it break everything? [09:14]
amoralej: in my case [09:14]
amoralej: it introduced member [09:15]
amoralej: we try to create Member [09:15]
amoralej: and it produces error [09:15]
amoralej: openstack role create Member [09:15]
amoralej: returns 1 [09:15]
amoralej: and puppet module thinks that the role does not exist [09:15]
tosky: so keystone is not case sensitive for role names? [09:15]
amoralej: and i'm afraid in everything else [09:15]
tosky: nop as "keystone is not case sensitive", or nop as "it's not correct that keystone is not case sensitive"? [09:17]
tosky: (sorry, just to be sure) [09:17]
*** aojea_ has joined #openstack-keystone [09:21]
*** jaosorior has joined #openstack-keystone [09:23]
*** aojea_ has quit IRC [09:26]
amoralej: tosky, not as "keystone is not case sensitive" at least in my p-o-i deployment [09:31]
amoralej: i found somewhere that it may be because of database is not case sensitive [09:32]
amoralej: i dunno [09:32]
tosky: uhm, that would be weird; sometimes we had this member vs Member thing and nothing happened [09:33]
jaosorior: amoralej, tosky: What's done in the failing test? Is the admin user given the member role there? [09:46]
amoralej: jaosorior, in my case it's creating Member role [09:47]
jaosorior: that's it? is it not assigning it anywhere? [09:47]
jaosorior: also, quite confused as to why the role name is case insensitive :/ [09:48]
tosky: jaosorior: my failing test is a full end-to-end scenario job (albeit with a fake plugin) for sahara [09:49]
tosky: it's not a "test" [09:49]
*** Dinesh_Bhor has quit IRC [09:49]
tosky: we do some magic with trust and so, but I can defer you to the other devs when they come back (I didn't study how that part works in depth) [09:50]
amoralej: jaosorior, we may have problems in other places [09:53]
amoralej: assigning user to roles, probably [09:53]
amoralej: at least [09:53]
jaosorior: tosky: that would be good; if you can get more info on what the test does [09:54]
jaosorior: amoralej: ?? [09:54]
tosky: jaosorior: I can point you to the sahara code; the job is creating a full sahara cluster [09:57]
jaosorior: tosky: sure [09:57]
*** pcichy has joined #openstack-keystone [09:57]
tosky: especially creating an heat template (which is bailing out) [09:58]
tosky: I don't know [09:59]
amoralej: tosky, that's devstack, right? [09:59]
tosky: it's touching the entire provisioning code of sahara [09:59]
tosky: amoralej: yes [09:59]
amoralej: has devstack "Member" as role name in sahara? [09:59]
tosky: do you mean if a keystone Member role is created by devstack? [10:02]
*** lifeless has quit IRC [10:03]
amoralej: or used in some configuration file or something [10:03]
tosky: it is used for proxy users to access swift (in order to not pass the credentials directly or so) [10:04]
*** lifeless has joined #openstack-keystone [10:04]
tosky: I see that Member is the default:
amoralej: tosky, can you do a test job changing it to "member" ? [10:08]
tosky: I can, sure [10:09]
amoralej: tosky, i'm checking in for p-o-i [10:10]
tosky: but if the default is changed, would that cause a requirement bump? [10:10]
amoralej: i'm not sure how to handle that [10:11]
amoralej: what about upgrades? [10:11]
tosky: that would mean that keystone must be always upgraded first (which is probably what's happening already? Not sure) [10:12]
*** namnh has quit IRC [10:19]
*** jaosorior has quit IRC [10:30]
*** mvenesio has joined #openstack-keystone [10:33]
*** alex_xu has quit IRC [10:49]
*** alex_xu has joined #openstack-keystone [10:49]
*** mvenesio has quit IRC [10:53]
*** d0ugal has quit IRC [10:54]
*** szaher has joined #openstack-keystone [10:54]
*** d0ugal has joined #openstack-keystone [10:56]
*** lifeless has quit IRC [11:10]
tosky: the test using "member" in sahara did not work:
*** mvenesio has joined #openstack-keystone [11:23]
*** jaosorior has joined #openstack-keystone [11:33]
*** amoralej is now known as amoralej|lunch [11:33]
*** dave-mcc_ has joined #openstack-keystone [11:34]
*** mvenesio has quit IRC [11:35]
*** raildo has joined #openstack-keystone [11:57]
*** ispp has joined #openstack-keystone [12:00]
*** rmascena has joined #openstack-keystone [12:04]
*** raildo has quit IRC [12:06]
*** edmondsw has joined #openstack-keystone [12:09]
*** wxy has joined #openstack-keystone [12:23]
*** jistr is now known as jistr|mtg [12:36]
*** josecastroleon has joined #openstack-keystone [12:40]
tosky: ... soooo :) [12:42]
*** amoralej|lunch is now known as amoralej [12:47]
hrybacki: amoralej: jaosorior -- reading up now [12:49]
jaosorior: tosky, hrybacki: I'm redeploying my environment to reproduce it... taking a while : [12:50]
hrybacki: jaosorior: ack -- thank you [12:51]
tosky: thank you [12:52]
jaosorior: hrybacki: in my previous environment, the _member_ role had an inherited role for some reason. And I could see the Circular dependency error log in keystone, however, that seems to be a warning more than an actual error [12:53]
jaosorior: that's why I redeployed, had to check if it was something messed up in my env or if that's what results [12:53]
tosky: but then why heat does not like it? [12:53]
* tosky will wait [12:53]
hrybacki: yeah that seems strange [12:53]
*** dklyle_ has joined #openstack-keystone [12:57]
amoralej: hrybacki, wrt keystone not being case sensitive for names, is that expected? [12:58]
*** david-lyle has quit IRC [12:59]
hrybacki: amoralej: I thought it was case sensitive. cmurphy ^^ do you know if this is true? [12:59]
cmurphy: i wouldn't have expected that [13:00]
cmurphy: my first guess would be database configuration [13:00]
*** s10 has quit IRC [13:00]
*** r-daneel has quit IRC [13:01]
hrybacki: ack thanks cmurphy [13:01]
*** s10 has joined #openstack-keystone [13:02]
*** r-daneel has joined #openstack-keystone [13:02]
*** jistr|mtg is now known as jistr [13:04]
*** r-daneel has quit IRC [13:05]
*** mchlumsky has joined #openstack-keystone [13:10]
*** mvenesio has joined #openstack-keystone [13:15]
*** jmlowe has quit IRC [13:15]
*** quiquell|rover has joined #openstack-keystone [13:16]
*** tellesnobrega has joined #openstack-keystone [13:18]
*** quiquell|rover is now known as quiquell|off [13:20]
*** felipemonteiro has joined #openstack-keystone [13:24]
*** nicolasbock has joined #openstack-keystone [13:29]
*** ispp has quit IRC [13:31]
*** belmorei_ has joined #openstack-keystone [13:33]
*** josecastroleon has quit IRC [13:33]
*** belmoreira has quit IRC [13:34]
*** josecastroleon has joined #openstack-keystone [13:35]
*** ispp has joined #openstack-keystone [13:35]
*** spilla has joined #openstack-keystone [13:35]
hrybacki: jaosorior: may I ask how you are replicating that failure? [13:37]
*** superdan is now known as dansmith [13:38]
jaosorior: hrybacki: by having a deployment with the new bootstrap. TripleO deploys _member_ by default, so I wanna see if the issue I saw was on my side or if it always happens [13:45]
hrybacki: ack ack [13:47]
hrybacki: devmode -> rdo cloud seems to be broken rn so I'm having issues getting an environment up myself jaosorior [13:47]
*** felipemonteiro has quit IRC [13:51]
*** rmascena has quit IRC [13:54]
*** jmlowe has joined #openstack-keystone [13:55]
*** sheel has quit IRC [13:59]
frickler: oh, fun, this is already on heavy rotation it seems. this "member" vs "Member" issue is also breaking things in Horizon fyi.
openstack: Launchpad bug 1777359 in OpenStack Dashboard (Horizon) "Unable to create a project from horizon on devstack" [Undecided,New] [14:04]
*** raildo has joined #openstack-keystone [14:05]
*** felipemonteiro has joined #openstack-keystone [14:07]
lbragstad: redeploying devstack with horizon to see if i can recreate [14:07]
*** felipemonteiro_ has joined #openstack-keystone [14:08]
*** links has quit IRC [14:09]
*** nicolasbock has quit IRC [14:11]
*** felipemonteiro has quit IRC [14:12]
*** jeremyfreudberg has joined #openstack-keystone [14:12]
jaosorior: hrybacki: couldn't reproduce it :/ I guess it was an issue in my env. [14:16]
frickler: lbragstad: I sure can, just did it [14:16]
jaosorior: hrybacki: though, for some reason, the _member_ role wasn't created :/ [14:17]
hrybacki: jaosorior: weird. re-re-recreate? [14:17]
hrybacki: hopefully lbragstad will have some insights wrt this as well. I'm working with RDO Cloud folks trying to get some resources [14:18]
jeremyfreudberg: if you look at the debug statements with "sql.core" and the warning statements nearby, seems to be a mark of case sensitivity issues [14:19]
hrybacki: lbragstad: do we want to push forward the revert to unblock folks in the interim? [14:24]
hrybacki: I'm concerned that we'll not be able to debug these failures w/o it tbh. Clearly hitting non-gate covered issues [14:25]
hrybacki: lbragstad: and maybe add some role specific tests here:
lbragstad: yeah - coverage would be good, i'm not finding anything specific to why that is though (API-wise) [14:30]
hrybacki: lbragstad: cmurphy said it was probably a DB configuration issue [14:30]
lbragstad: that stackoverflow link says something similar [14:31]
* hrybacki nods [14:31]
*** felipemonteiro_ has quit IRC [14:31]
hrybacki: I'll work on adding tests now in a separate patch [14:31]
lbragstad: it depends on the character set [14:31]
hrybacki: is this a behavior we can force one way or another on our end? [14:32]
*** s10 has quit IRC [14:38]
lbragstad: i need to look into that a bit further - looks like we do for users and projects [14:38]
lbragstad: looking at the apache access logs, horizon gets a list of roles from keystone [14:42]
*** ayoung has joined #openstack-keystone [14:45]
*** aojea has joined #openstack-keystone [14:46]
*** dklyle_ has quit IRC [14:49]
*** aojea has quit IRC [14:51]
lbragstad: frickler: fixes the horizon issue for me [14:57]
hrybacki: lbragstad: I also just saw
hrybacki: aligning 'Member'->'member' [14:58]
lbragstad: oh - nice [14:58]
frickler: lbragstad: yes, that's what I mentioned in the bug report already. I'm just worried what this may do to existing installations. [14:59]
frickler: lbragstad: in the long run making horizon handle case-insensitivity like OSC does would seem safer [14:59]
*** pooja_jadhav has joined #openstack-keystone [14:59]
lbragstad: frickler: yeah - i think i agree [15:00]
*** dtruong_ has joined #openstack-keystone [15:07]
*** nicolasbock has joined #openstack-keystone [15:09]
*** dtruong has quit IRC [15:12]
*** belmorei_ has quit IRC [15:12]
*** ispp has quit IRC [15:12]
*** josecastroleon has quit IRC [15:12]
*** josecastroleon has joined #openstack-keystone [15:13]
lbragstad: hrybacki: did you happen to see commit 7e279d10325ca5acc767a6bcbef5a2b2798ddac8 ? [15:13]
*** jeremyfreudberg has left #openstack-keystone [15:13]
* hrybacki looks [15:13]
*** itlinux has joined #openstack-keystone [15:13]
hrybacki: ? not before just now [15:14]
*** ispp has joined #openstack-keystone [15:15]
lbragstad: yeah - just noticing the context in the commit message [15:15]
*** belmoreira has joined #openstack-keystone [15:15]
hrybacki: ah hmm [15:16]
lbragstad: i'm trying to figure out why we treat usernames as case sensitive [15:16]
lbragstad: but we don't for other things like roles [15:16]
cmurphy: maybe because ldap? [15:17]
*** josecastroleon has quit IRC [15:17]
lbragstad: looks like we have tests for project names too? but it looks like this specific test has been around for a while (so we probably supported ldap backed resource backends) [15:18]
*** josecastroleon has joined #openstack-keystone [15:18]
lbragstad: hmm - maybe i looked a bit too far into that [15:22]
*** gyee has joined #openstack-keystone [15:27]
*** dklyle has joined #openstack-keystone [15:29]
*** aojea_ has joined #openstack-keystone [15:32]
*** josecastroleon has quit IRC [15:32]
*** aojea_ has quit IRC [15:36]
*** fiddletwix has joined #openstack-keystone [15:37]
*** felipemonteiro has joined #openstack-keystone [15:38]
*** jaosorior has quit IRC [15:38]
*** ispp has quit IRC [15:52]
lbragstad: hrybacki: i'm not sure we'll be able to do much in the way of adding case-sensitivity to role names [15:59]
lbragstad: we might be better off assisting other projects where we can with the transition [16:00]
hrybacki: lbragstad: ack -- starting team meeting now but will ping you after these are over [16:00]
tosky: lbragstad: as long as there is a patch which fixes sahara, and also works in case of upgrades, I'm fine with not reverting the change [16:06]
lbragstad: i was just curious where some of those other errors were [16:07]
lbragstad: oh - i just saw your comment on the review [16:08]
*** nicolasbock has quit IRC [16:08]
lbragstad: amoralej: ^ [16:08]
amoralej: lbragstad, i'm fixing issues in
amoralej: but i know there are more [16:10]
amoralej: and if we are assuming case insensitivity we should also support it in puppet-keystone resources [16:11]
*** AlexeyAbashkin has quit IRC [16:11]
*** tesseract has quit IRC [16:19]
*** pcaruana has quit IRC [16:20]
*** nicolasbock has joined #openstack-keystone [16:20]
lbragstad: amoralej: do you mind if i reuse your topic for other changes that are related? [16:22]
amoralej: lbragstad, no problem, you can use it [16:23]
lbragstad: awesome - thank you [16:23]
tosky: lbragstad: if it's a problem with case sensitivity, why did my test for sahara fail? [16:23]
*** nicolasbock has quit IRC [16:24]
lbragstad: tosky: do you have a link to the failure? [16:24]
lbragstad: i jumped in with
openstack: Launchpad bug 1777359 in OpenStack Dashboard (Horizon) "Unable to create a project from horizon on devstack" [Undecided,New] [16:24]
*** nicolasbock has joined #openstack-keystone [16:24]
lbragstad: so i might have missed a different issue [16:24]
lbragstad: looks like an issue specific to implied roles -
tosky: lbragstad: it's the same failure as before, if I'm not mistaken [16:27]
tosky: see the error in heat:
*** jaosorior has joined #openstack-keystone [16:27]
*** jaosorior has quit IRC [16:28]
tosky: the error about "duplicate blabla" is not there anymore in keystone logs [16:28]
tosky: the error about circular references is still there [16:28]
lbragstad: yeah - i just saw though [16:28]
lbragstad: is the part it is failing on [16:30]
*** dave-mcc_ has quit IRC [16:30]
lbragstad: mapping the req id
lbragstad: seems to happen afterwards [16:31]
*** jaosorior has joined #openstack-keystone [16:32]
*** mvenesio has quit IRC [16:32]
*** germs has joined #openstack-keystone [16:35]
*** germs has quit IRC [16:35]
*** germs has joined #openstack-keystone [16:35]
*** germs has quit IRC [16:36]
*** germs has joined #openstack-keystone [16:36]
*** germs has quit IRC [16:36]
*** germs has joined #openstack-keystone [16:36]
lbragstad: tosky: does heat attempt to clean things up if something doesn't work right when creating the trust? [16:42]
*** r-daneel has joined #openstack-keystone [16:42]
lbragstad: s/heat/heat or sahara/ [16:42]
kmalloc: Case sensitivity on role names? [16:43]
*** felipemonteiro_ has joined #openstack-keystone [16:43]
* kmalloc reads up. [16:43]
tosky: lbragstad: ehm, I don't really know the answer - tellesnobrega: ^^ [16:44]
lbragstad: it's something we don't handle because of SQL from what i can tell [16:44]
lbragstad: we take the same approach with user names, project names, etc... [16:44]
tosky: (or jeremyfreudberg, if you are reading the logs) [16:44]
kmalloc: I want to say at some point we decided case insensitive because SQL could be configured in different ways. [16:45]
kmalloc: It also sounds like implied roles isn't FKing [16:45]
lbragstad: yeah - we couldn't guarantee it, i saw some commit messages from henry talking about that [16:45]
kmalloc: We can correct that fwiw, but it involves some encoding magic [16:46]
kmalloc: Fwiw, I prefer names be case insensitive but case remembering, where possible. [16:47]
*** felipemonteiro has quit IRC [16:47]
kmalloc: Just because the abuse of PRojectName vs.ProjectName [16:47]
*** mvenesio has joined #openstack-keystone [17:00]
*** jaosorior has quit IRC [17:01]
*** sonuk has joined #openstack-keystone [17:03]
lbragstad: i'm going to grab lunch but i'll send a note to the mailing list this afternoon about the change and some of the failures people are seeing [17:04]
*** sonuk_ has quit IRC [17:06]
*** d0ugal has quit IRC [17:12]
*** amoralej is now known as amoralej|off [17:13]
*** aojea has joined #openstack-keystone [17:20]
*** nicolasbock has quit IRC [17:25]
*** aojea has quit IRC [17:25]
*** d0ugal has joined #openstack-keystone [17:26]
*** jeremyfreudberg has joined #openstack-keystone [17:27]
jeremyfreudberg: hi keystone, what could it mean when a list of roles contains duplicates? see here: [17:27]
jeremyfreudberg: (this is related to sahara stuff again) [17:27]
tosky: jeremyfreudberg: it may be related to the case (in)sensitivity thing discussed earlier [17:31]
*** dklyle has quit IRC [17:36]
*** dklyle has joined #openstack-keystone [17:37]
ildikov: knikolla: ping [17:46]
knikolla: ildikov: o/ [17:46]
ildikov: knikolla: hi :) [17:46]
knikolla: hi :) [17:47]
ildikov: knikolla: I'm trying to find people to help out with adding more tests to this one:
ildikov: the plan is still to work together with the OPNFV team, but they also have limited resources and could help more on the test environment side [17:47]
ildikov: I got told that you know most about the Tempest plugin and federation test plans there :) [17:48]
ildikov: so I wanted to ask if there's any roadmap or further ideas on what would be the next to add there? [17:48]
knikolla: ildikov: sure, currently there's some federation testing in there. [17:49]
lbragstad: jeremyfreudberg: i believe that is a list populated by context [17:49]
knikolla: It uses the external service to test SAML2 [17:49]
ildikov: ok, that's a little further from my testing expertise :) [17:49]
lbragstad: it could be that the list is being populated because the user has 'admin' and 'member' role assignments, which could be getting expanded 'admin' -> 'admin', 'member', 'reader' and 'member' -> 'member', 'reader' [17:50]
knikolla: There's no keystone to keystone federation testing yet (although i had an intern who worked on the tests for that at some point, so I might be able to find and resurrect the code as a starting point) [17:50]
lbragstad: meaning the result would be 'admin', 'member', 'reader', 'member', 'reader' [17:50]
ildikov: knikolla: that would be great [17:50]
lbragstad: chances are role inheritance is playing a factor [17:50]
lbragstad: cc hrybacki ^ [17:51]
ildikov: knikolla: also, are the current tests running in any job right now? [17:51]
ildikov: knikolla: if you can dig up at least the plans on test cases that would already help [17:51]
knikolla: ildikov: yes, the federation test is running on the keystone-dsvm-functional-v3-only job [17:52]
knikolla: ildikov: there's a spec on that, lemme fetch it :) [17:52]
ildikov: knikolla: ok, cool [17:52]
jeremyfreudberg: lbragstad: thanks, and that makes sense. i'll have to dig a little deeper, then, to see how it interacts with my problem [17:52]
ildikov: knikolla: that job is non-voting right now, right? [17:53]
knikolla: ildikov: this is about the devstack plugin, but in the end there's a worklist [17:53]
knikolla: ildikov: correct. [17:53]
lbragstad: jeremyfreudberg: this looks like the keystone code that is responsible for that [17:53]
knikolla: ildikov: since we depend on an external service, it wouldn't make sense to make it voting yet. [17:53]
ildikov: knikolla: ah, I see [17:54]
lbragstad: ayoung: when we validate a token that has implied roles, do we not remove duplicates? [17:54]
ildikov: knikolla: are there plans to make the job voting? [17:54]
ayoung: lbragstad, I thought we did [17:54]
lbragstad: ayoung: check this out -
ayoung: its a dictionary, I thought [17:54]
lbragstad: ayoung: that's building the context object [17:55]
ildikov: knikolla: also is there any environment requirement that we should try to leverage the OPNFV labs for or we can do everything here and only the test cases are missing? [17:55]
lbragstad: ayoung: which is populated here -
lbragstad: but that logic is pretty straight forward [17:55]
knikolla: ildikov: yes, we can make it voting when instead of using, we set up some identity provider in the gate. [17:55]
lbragstad: it looks like it's pulling duplicates from the token [17:55]
knikolla: ildikov: I don't think. In the case of identity federation, you don't really need anything special in terms of resources. [17:56]
lbragstad: jeremyfreudberg: do you know what role assignments that user has in that case? [17:56]
knikolla: ildikov: more resources would probably make sense if we test scalability or smth like that. [17:56]
ildikov: knikolla: ok, fair enough [17:57]
ayoung: lbragstad, could be.  But the de-dupe code should be the same as the cycles-detection code.  Could the problem be that we have multiple roles and we missed the uniqueness constraint? [17:57]
ildikov: knikolla: sure, I guess the job takes care of setting up two Keystones, etc [17:57]
*** blake has joined #openstack-keystone [17:57]
lbragstad: ayoung: multiple roles as in defined more than once in the backend? [17:58]
jeremyfreudberg: lbragstad: not sure exactly, tosky could know better, but i think that user is whatever admin user devstack makes [17:58]
ildikov: knikolla: I'm not super familiar with identity providers, is there any openly available we could set up? [17:58]
ayoung: lbragstad, I don't have the liberty to look right now [17:58]
lbragstad: ayoung: thats fine, just curious in what sense you meant multiple [17:59]
knikolla: ildikov: here, k2k tests on a tempest fork from 2 years ago
knikolla: ildikov: keystone itself can act like one when doing keystone to keystone :) [18:00]
*** dklyle has quit IRC [18:00]
ildikov: knikolla: I know it can, but we also want to test it with a separate identity provider, hence my question :) [18:01]
knikolla: ha, she's probably mad i haven't pushed those upstream since 2 years ago :) [18:01]
ildikov: I guess by now those are more references on what would need to be tested [18:01]
* hrybacki reads up [18:01]
ildikov: and are also free to be re-used as much as possible? [18:02]
knikolla: ildikov: they should probably still work fine, the API interface is the same [18:02]
knikolla: ildikov: there are a few, shibboleth, keycloak, ipsilon, etc. [18:02]
ildikov: ok, that overall sounds good [18:03]
ildikov: so as for the OPNFV collaboration, we should look into other topics as opposed to the Keystone federation testing, if I understand correctly? [18:03]
lbragstad: jeremyfreudberg: if i use the admin user provided by devstack and execute that same code path, i get this
lbragstad: which doesn't contain duplicates [18:04]
knikolla: ildikov: what is it they want to get out of the collaboration? [18:04]
knikolla: so we can find something that makes sense for both of us [18:05]
jeremyfreudberg: lbragstad: it may be the sahara service user, then [18:05]
knikolla: jeremyfreudberg: if you're still stuck by 3pm, ping me and we can do some high bandwidth debugging. [18:06]
jeremyfreudberg: knikolla: thanks [18:06]
jeremyfreudberg: lbragstad: don't quote me on that yet [18:06]
lbragstad: it is a trust token [18:07]
hrybacki: okay, caught up now lbragstad [18:07]
ildikov: knikolla: they are looking into edge scenarios where Keystone has an important role and would like to help out in areas where it makes sense [18:08]
lbragstad: hrybacki: we're trying to nail down a problem with duplicate roles while building the context object [18:08]
hrybacki: fun times [18:08]
ildikov: knikolla: and as OPNFV is mainly an integration and test project testing seemed like a good idea and when we didn't know that there's already some federation testing we thought to start with that [18:08]
lbragstad: not sure if that is contributing to sahara's problem, but seems odd to do regardless [18:08]
knikolla: ildikov: i think scenario is the keyword here. As in have a deployment which as closely resembles what they're trying to deploy, and test that. [18:09]
knikolla: ildikov: i agree that simple tests may be the way to start and then make our way up from there. [18:09]
ildikov: knikolla: but if there's anything else in mind that's connecting and as you say would be beneficial for both of us, it would be great to do that [18:09]
knikolla: as it also helps with familiarizing with the infrastructure. [18:09]
*** r-daneel has quit IRC [18:09]
*** r-daneel has joined #openstack-keystone [18:10]
ildikov: knikolla: do you mean to setup the federation testing there too and then make variations with different scenarios? [18:10]
knikolla: ildikov: yes. that would be one idea. [18:11]
knikolla: ildikov: some time ago I was working on setting up keystone to keystone on the job, but haven't had time to finish it up and not sure when i'll have time to [18:12]
hrybacki: lbragstad: how can I assist you at this stage? [18:13]
knikolla: that might be a starting point on how to setup keystone to keystone in the job, and I also previously linked to k2k tests for reference. [18:13]
knikolla: that should be a good starting point [18:13]
knikolla: and then once those are done, they could probably also be used separate of the job, in their own environment. [18:13]
ildikov: knikolla: ok, I got a little confused now, what is the current non-voting job doing? [18:14]
ildikov: knikolla: and what's this patch doing? [18:14]
ildikov: knikolla: if it's all in that spec, I can do my reading :) [18:14]
jeremyfreudberg: lbragstad: it's a trust token, where the trustor is the devstack admin user, and the trustee is heat [18:14]
ildikov: knikolla: BTW, would you be available on this week's or next week's OPNFV Edge Cloud call to talk this through? [18:15]
knikolla: ildikov: i think the spec touches upon that. if you have more questions feel free to ping me at anytime. [18:15]
knikolla: ildikov: tomorrow right? [18:15]
ildikov: knikolla: tomorrow is the Edge Computing Group call which is under our umbrella, the OPNFV one is supposed to be on Wednesday at 1300 UTC, but I will double check [18:17]
*** dave-mccowan has joined #openstack-keystone [18:17]
ildikov: knikolla: I would like to help the OPNFV guys to get some initial thoughts on testing on their side, but I'm very far from being an expert and fail pretty early to answer questions :/ :) [18:17]
knikolla: ildikov: yeah, i can make wednesday 1300 UTC [18:18]
knikolla: send me a calendar invite [18:18]
ildikov: knikolla: I need to double check, it may be next week as there were some changes due to a few recent events, etc [18:21]
ildikov: knikolla: I will let you know once I figured it out whether it's this week or next week :) [18:21]
knikolla: ildikov: ok sure, no prob [18:22]
ildikov: knikolla: I might also come back with more people/questions shortly :) [18:22]
ildikov: knikolla: thanks for all the pointers! [18:22]
knikolla: ildikov: you know where to find me :) [18:22]
ildikov: knikolla: sure do, thanks! :) [18:22]
*** jroll has quit IRC18:24
*** jroll has joined #openstack-keystone18:24
*** pcaruana has joined #openstack-keystone18:25
*** dklyle has joined #openstack-keystone18:26
*** AlexeyAbashkin has joined #openstack-keystone18:32
*** AlexeyAbashkin has quit IRC18:35
lbragstadjeremyfreudberg: hmm - i wonder if i can recreate that locally18:37
lbragstadhrybacki: i'm not sure, just a heads up i guess (sorry for the rogue ping)18:38
hrybackilbragstad: no worries -- I've got an eye on this channel. Let me know if you hit a spot that needs additional eyes18:38
lbragstadbut we might need a patch to remove duplicates depending on what comes out of the trust + implied roles bit18:38
*** AlexeyAbashkin has joined #openstack-keystone18:38
jeremyfreudberglbragstad: in the meantime i'm going to try switching in the sahara gate to a user with "less" roles18:39
*** pcaruana has quit IRC18:39
jeremyfreudbergit may help my problem, anyway18:39
hrybackiack. Once we get these initial bumps knocked out I think the next will come from 'unexpected' role implications18:39
*** AlexeyAbashkin has quit IRC18:45
*** jmlowe has quit IRC18:50
openstackgerritGage Hugo proposed openstack/python-keystoneclient master: WIP - Remove keystoneclient session
*** blake_ has joined #openstack-keystone19:00
*** blake has quit IRC19:02
*** aojea has joined #openstack-keystone19:09
*** jmlowe has joined #openstack-keystone19:11
*** blake_ is now known as blake19:11
hrybackigoing for longest time since a rebase award gagehugo ? :P19:12
gagehugohrybacki yes19:13
gagehugoalso the logs links were long dead19:13
hrybackinailed it haha19:13
*** aojea has quit IRC19:13
*** blake has quit IRC19:20
lbragstadjeremyfreudberg: i've created a user, a trust, assigned the user and the trustor additional roles, but i can't get the context to duplicate roles like in the sahara gate19:21
lbragstadi was able to recreate the circular reference bit though -
lbragstadbut it never prevented me from actually doing what i wanted to19:23
jeremyfreudberglbragstad: i don't think the circular reference bit is relevant in the sahara case either, just by doing some timestamp comparisons19:24
lbragstadthat error is present for me when a user has a duplicate role assignment via the implied role19:24
lbragstadif user admin has member and admin on the admin project, i can create a trust for another user and do things as the admin user, which throws that error, but it doesn't actually prevent me from doing anything19:25
lbragstadlooks like it's more of a thing for operators to clean up19:25
jeremyfreudberglbragstad: "that error" is the circular reference thing?19:26
*** lifeless has joined #openstack-keystone19:26
lbragstadi see the circular reference error in the logs, but it doesn't prevent me from doing anything as the user with a circular role reference19:26
lbragstad(circular also seems to be the wrong term in this case, but i'm not sure about the history)19:27
lbragstadi guess what i'm saying is that i doubt it's actually causing problems and it may just be a red herring or false positive19:27
lbragstadthe 409 might be causing the real issues19:29
larsksknikolla: if you're around, remind me how to find the url for the --remote-id argument?19:29
jeremyfreudberglbragstad: i still need to do some more experimenting i guess... i tried but actually it didn't turn out the way i thought it would19:33
jeremyfreudberglbragstad: although, wouldn't duplicates in the role cause havoc with role id being the primary key of the trust_role table?19:35
jeremyfreudbergduplicates in the role list, i mean19:35
*** edmondsw has quit IRC19:39
lbragstadkmalloc: did you see wxy's follow up on ?19:42
knikollalarsks: issuer in
larsksknikolla: thanks, I thought that might be it.19:43
*** germs is now known as GotOneHandCutOff19:50
*** GotOneHandCutOff is now known as germs19:50
kmallocOn my list in the next few minutes19:53
jeremyfreudberglbragstad: i'm bad at explaining it, but it is possible that we get duplicate role names with a "trust on top of a trust"?19:56
lbragstadcan you define the "on top of" part a little more?19:58
jeremyfreudbergsahara itself creates a trust to manage a "cluster"; one of underlying resources of that cluster is a heat stack; heat creates a trust where the old trust is trustor and heat is trustee20:00
lbragstadwho are the actors in the first trust?20:05
kmallocayoung: roles (names) are not unique by design (not my design, but by design)20:05
jeremyfreudberglbragstad: in the first trust, whoever uses sahara is the trustor and the sahara service user is trustee20:08
*** felipemonteiro_ has quit IRC20:08
*** felipemonteiro__ has joined #openstack-keystone20:08
lbragstadand the second trust is between sahara and heat?20:09
lbragstador the user and heat?20:09
jeremyfreudbergthe second trust appears to be the user and heat20:10
jeremyfreudberg(i don't know the details of how keystone works though: is it possible for the trustor of the second trust to be an impersonator?)20:11
lbragstadimpersonation is where the trustee assumes the identity of the trustor20:11
*** dave-mccowan has quit IRC20:12
jeremyfreudbergwhat i mean to ask is, can the second trust really be between sahara pretending to be the user, and heat20:12
kmalloclbragstad: +2 on wxy's patch update. we need indexes still and/or dropping the weird FK bits, but this is a good update and should land20:13
lbragstadkmalloc: ++ thanks, we should be able to start gating the clients patches, too20:13
lbragstadjeremyfreudberg: that's a good question20:14
kmalloclbragstad: i'll spin up a patch for a new SQL_Base that errors if someone does a PK that isn't an auto-inc int UNLESS they set a special flag20:14
kmalloclbragstad: so we can be more likely to catch these things.20:14
lbragstadi've never run into a case like that20:14
lbragstadkmalloc: sounds good20:14
kmallocjeremyfreudberg: the only case that can be is with impersonation and... i think broken code.20:15
*** dave-mccowan has joined #openstack-keystone20:15
kmallocafaik you can't chain trusts together in any way, if you can, that is a security bug.20:15
kmallocyou may have a non-impersonation trust for User->(OtherUser, Roles on Project), you may not have a User->(OtherUser->(SomeOtherUser, Roles on Project))20:16
kmallocor any variation thereof.20:16
kmallocbasically, trust auth is Trustee to Trustor *only*.20:17
kmallocif you have it wrapped deeper than that, we have a bug that should be closed.20:17
jeremyfreudbergkmalloc / lbragstad : i might not actually be chaining them (need to consult the other sahara devs to understand that part) but it does seem like a way to explain how extra role entries seem to accumulate20:17
*** aojea has joined #openstack-keystone20:17
kmallocand this isn't using implied roles?20:18
kmallocbecause that can easily cause expansion to *other* roles20:18
kmalloc(though, if there are duplicates we should just set([role_list])20:18
jeremyfreudbergkmalloc: if it was simply implied roles (in this case, the roles implied from admin) then i would have thought lbragstad could have replicated my issue easily20:19
kmallocsorry i'm jumping in a bit late (missed scroll back)20:19
jeremyfreudbergi'd like to simply remove duplicates here:
jeremyfreudbergbut the underlying reason would still be great to uncover20:20
kmalloci'm totally ok with making added_roles a set then casting it back to a list before storing20:20
kmallocto solve the immediate issue20:20
kmallocthough you'd need to make it a not-dict being added, otherwise...20:21
jeremyfreudbergyes, it's a list of dicts20:21
jeremyfreudbergi can certainly do a quick fix like that and investigate deeper later20:21
jeremyfreudbergi have knikolla around to do my heavy lifting :)20:22
knikollawhat did i miss?20:23
jeremyfreudbergknikolla: a repeat of last summer mostly, teaching me how trusts work20:23
jeremyfreudbergkmalloc / lbragstad : what about "redelegation"?20:23
jeremyfreudbergof trusts, i mean20:24
lbragstadredelegation is the act of using a trust to create another trust i think20:24
kmallocso, something like:20:25
lbragstadthus - redelegating your access to someone else20:25
jeremyfreudbergi believe "redelegation" may more accurately describe the user-sahara-heat relationship20:25
lbragstad(e.g. kmalloc gives me admin on foo via a trust, then i give someone else admin on foo would be a count on redelegation)20:25
kmalloclbragstad: ++20:25
lbragstadkmalloc: did you see yet?20:26
kmalloclbragstad: looking20:26
lbragstadlooks like wxy already has a patch up20:26
kmalloci saw20:26
lbragstadoh - nice20:26
kmallocit needs work, but that's why I added +2 to the other one20:26
kmallocmy concerns are WIP :)20:26
kmallocjeremyfreudberg: so, it seems like it is sane to de-dupe roles20:27
kmallocjeremyfreudberg: regardless20:27
kmallocso, feel free to toss up a patch to apply that change ^ (see my irccloud pastebin), but before we land it we need to figure out how to test  / cause the duplication. so in parallel we should build a test case that mirrors what you're doing20:28
kmallocso we can try and duplicate and figure out wth is going on.20:28
lbragstadi still haven't been able to recreate, but adding a test case would be good20:29
kmalloclbragstad: my thought is we build the patch then build a test and rebase the patch on the test with the fix.20:30
lbragstadthat works20:30
kmallocand land it all if we can figure out wth is happening.20:30
kmallocbut... ftr, it is probably good to de-dupe role ids there20:30
kmallocafaict the only reason it is a list is because JSON doesn't handle sets.20:30
kmallocthat is clearly not intended to contain dupes.20:31
jeremyfreudbergkmalloc: ack, will do20:31
jeremyfreudbergis there anything already in the gate that tests redelegatable trusts?20:31
lbragstadkeystone has a bunch of various tests for trusts20:32
kmallocjeremyfreudberg: oh wait you'll need to also check if role['id'] not in added_roles: before doing session.add()20:32
jeremyfreudbergkmalloc: yep20:32
kmallocjeremyfreudberg: we don't want to populate the DB with duplicated roles (though, that... shouldn't be possible)20:32
jeremyfreudbergkmalloc: populating the db with duplicated roles is what's throwing the 409 now20:32
jeremyfreudbergso it's already unpossible20:33
kmallocthat means we did good things in the db, but anyway, easy enough to de-dup on that input. weird that you're hitting it though20:33
kmalloclbragstad: ugh... Had to reset my "days since last migraine" :(20:33
kmalloclbragstad: saturday night... no pain, but clearly a migraine.20:33
kmallocover 2 years without one.20:34
kmallocit was so mild i almost didn't realize what it was20:34
kmallocbut sure as hell, nausea and aura/loss of vision in part of my eye.20:34
lbragstadthat sucks20:36
* kmalloc tries to keep irc chat PG rated at worst.20:36
kmalloc+A'd the limits change20:40
kmallockicked it through to gate20:40
kmalloci'm going to pull down the flask stuff, re-spin the "scaffolding" update and get @protected broken apart and limits ported to flask-native20:41
lbragstadsounds good20:41
kmallocthe only question i have is... how far up the stack can i push the enforce?20:41
kmalloclbragstad: are we good with using assert in non-test code?20:42
*** jeremyfreudberg has quit IRC20:42
kmallocbecause it *can* be turned off (just like in C) by invocation of the interpreter20:43
kmallocso in theory we could only ever hit it in tests.20:43
kmalloc[which is fine by me]20:43
lbragstadassert as in the built-in?20:44
kmallocassert <context> enforce_called20:44
kmallocassert <thread_local_context>.enforce_called20:45
lbragstadoh - that's not something we usually do20:45
lbragstadat least not from what i can find20:45
kmalloci plan on making it automatic in all our flask-isms that unless a method is explicitly exempted (e.g. @unenforced_api) keystone errors20:45
kmallocso it isn't possible to "oops, i didn't enforce a routed path"20:46
kmallocyou either explicitly exempt it, or you call enforce.20:46
kmallocshould prevent any test from ever succeeding on an unenforced api [that is ported to flask-native dispatching]20:47
kmallocbut for performance critical stuff someone could python -o and asserts are disabled.20:47
lbragstadso our authorization API could be disabled?20:48
lbragstads/authorization API/authorization enforcement engine20:49
kmallocno, just the "assert" that checks if we called enforce20:49
kmallocbasically developer tool.20:49
kmallocif you run with python -o, the only thing disabled is the assert20:50
kmallocbut the whole stack otherwise still calls enforce20:50
*** dave-mcc_ has joined #openstack-keystone20:52
*** dave-mccowan has quit IRC20:54
kmalloclbragstad: python -O = asserts disabled, python -OO = asserts disabled and docstrings eliminated20:55
openstackgerritMorgan Fainberg proposed openstack/keystone master: Add Flask-RESTful as a requirement
openstackgerritMorgan Fainberg proposed openstack/keystone master: Implement scaffolding for Flask-RESTful use
openstackgerritMorgan Fainberg proposed openstack/keystone master: Keystone adheres to public_endpoint opt only
openstackgerritMorgan Fainberg proposed openstack/keystone master: Convert json_home and version discovery to Flask
kmalloclbragstad: ^ rebased20:58
*** raildo has quit IRC21:00
*** martinus__ has quit IRC21:10
*** lifeless has quit IRC21:21
*** lifeless has joined #openstack-keystone21:22
*** spilla has quit IRC21:29
*** EmilienM is now known as EmilienM_PTO21:45
*** dklyle has quit IRC21:48
*** dklyle has joined #openstack-keystone21:50
kmalloclbragstad: what are the rules on translation again?21:55
lbragstadwhat do you mean?21:56
*** jmlowe has quit IRC21:56
kmalloclbragstad: the use of _() and _LW() or whatever21:57
kmallocwhat are the cases we are supposed to/not supposed to use those things21:57
*** itlinux has quit IRC21:59
*** jmlowe has joined #openstack-keystone22:00
lbragstadi didn't think there were specific cases to not use it - only for sensitive information i think22:00
kmallocbecause it looks like we don't use _LW anymore?22:00
kmallocor any of the other hints?22:00
lbragstadwe do have a pattern where we translate things and then reuse them in exceptions that make it to end users22:00
kmallocright. but the warning/error/crit hints seem to have disappeared?22:01
*** felipemonteiro_ has joined #openstack-keystone22:01
lbragstadi'm failing to remember if that was an initiative of some sort22:02
* kmalloc goes over to -oslo and asks questions22:03
*** felipemonteiro__ has quit IRC22:05
kmalloclooks like22:05
kmallocStarting with the Pike series, OpenStack no longer supports log translation. It is not necessary to add translation instructions to new code, and the instructions can be removed from old code. Refer to the email thread understanding log domain change on the openstack-dev mailing list for more details.22:05
kmallocjust exceptions22:05
lbragstadmakes sense22:05
*** jmlowe has quit IRC22:17
*** aojea has quit IRC22:17
*** felipemonteiro_ has quit IRC22:25
kmalloclbragstad: holy crap... @protected is a rabbithole22:25
kmallocit's spaghetti code that is very very based in webob22:26
*** jmlowe has joined #openstack-keystone22:29
kmallocoookay, this is going to take a lot more time =/22:30
kmallocgoing to dive back into it shortly but wow...22:30
*** mvenesio has quit IRC22:31
*** lifeless_ has joined #openstack-keystone22:32
*** lifeless has quit IRC22:32
*** rcernin has joined #openstack-keystone22:36
*** boris_42_ has joined #openstack-keystone22:54
*** dklyle has quit IRC23:01
*** lifeless_ has quit IRC23:05
*** lifeless has joined #openstack-keystone23:06
*** r-daneel has quit IRC23:07
*** dave-mcc_ has quit IRC23:16
*** tosky has quit IRC23:20
openstackgerritAdrian Turjak proposed openstack/keystone master: [WIP] Implement auth receipts spec
*** lifeless has quit IRC23:43
*** lifeless has joined #openstack-keystone23:46
*** felipemonteiro has joined #openstack-keystone23:48
