Thursday, 2018-06-21

« Wednesday, 2018-06-20 Index Friday, 2018-06-22 »
*** lifeless_ has joined #openstack-keystone00:06
*** markguz has quit IRC00:06
*** lifeless has quit IRC00:06
*** r-daneel has joined #openstack-keystone00:08
*** _KaszpiR_ has quit IRC00:16
*** _KaszpiR_ has joined #openstack-keystone00:18
*** zzzeek has quit IRC00:25
*** zzzeek has joined #openstack-keystone00:27
*** felipemonteiro has joined #openstack-keystone00:30
*** Dinesh_Bhor has joined #openstack-keystone00:31
*** DHE has joined #openstack-keystone00:48
DHEif I'm using fernet tokens, that means that the keystone database is largely read-only right? I'm thinking of making a somewhat highly available/distributed keystone system with read-only satellite nodes and only one master that can tolerate its failure.00:52
*** felipemonteiro has quit IRC01:04
*** gyee has quit IRC01:25
*** links has joined #openstack-keystone01:33
*** r-daneel has quit IRC01:48
*** brad[] has joined #openstack-keystone01:55
*** bhagyashris has quit IRC02:14
*** bhagyashris has joined #openstack-keystone02:15
*** lifeless_ has quit IRC02:26
*** itlinux has joined #openstack-keystone02:43
*** lifeless has joined #openstack-keystone02:43
*** rcernin has quit IRC02:52
*** sonuk has joined #openstack-keystone03:01
adriantDHE, yes fernet makes the db mostly read only, but the more common way seems to be to just go for a multi-master approach at that stage because forcing write actions against the one node that can write might end up weird03:08
*** felipemonteiro has joined #openstack-keystone03:09
*** rcernin has joined #openstack-keystone03:09
*** ykarel|away has joined #openstack-keystone03:49
*** rcernin has quit IRC03:55
*** germs has quit IRC04:07
*** lifeless has quit IRC04:08
*** rcernin has joined #openstack-keystone04:14
*** lifeless has joined #openstack-keystone04:14
*** lifeless has quit IRC04:20
*** lifeless has joined #openstack-keystone04:20
*** lifeless has quit IRC04:25
*** lifeless has joined #openstack-keystone04:26
*** homeski has quit IRC04:28
*** dansmith has quit IRC04:29
*** rm_work has quit IRC04:29
*** zeus has quit IRC04:29
*** lifeless has quit IRC04:30
*** lifeless has joined #openstack-keystone04:31
*** lifeless has quit IRC04:36
*** lifeless has joined #openstack-keystone04:37
*** lifeless has quit IRC04:41
*** lifeless has joined #openstack-keystone04:43
*** ykarel|away is now known as ykarel04:44
*** lifeless has quit IRC04:47
*** lifeless has joined #openstack-keystone04:48
*** lifeless has quit IRC04:52
*** lifeless has joined #openstack-keystone04:54
*** lifeless has quit IRC04:58
*** lifeless has joined #openstack-keystone04:59
*** lifeless has quit IRC05:04
*** lifeless has joined #openstack-keystone05:04
*** lifeless has quit IRC05:09
*** felipemonteiro has quit IRC05:10
*** lifeless has joined #openstack-keystone05:10
*** lifeless has quit IRC05:14
*** lifeless has joined #openstack-keystone05:15
*** felipemonteiro has joined #openstack-keystone05:17
*** felipemonteiro has quit IRC05:26
*** dansmith has joined #openstack-keystone05:31
*** bigjools has joined #openstack-keystone05:31
*** bigjools has joined #openstack-keystone05:31
*** links has quit IRC05:32
*** rm_work has joined #openstack-keystone05:32
*** rm_work has quit IRC05:32
*** rm_work has joined #openstack-keystone05:32
*** dansmith is now known as Guest8832005:32
*** links has joined #openstack-keystone05:56
*** alex_xu has quit IRC05:57
*** AlexeyAbashkin has joined #openstack-keystone05:58
*** nicolasbock has joined #openstack-keystone06:00
*** alex_xu has joined #openstack-keystone06:03
*** martinus__ has joined #openstack-keystone06:05
*** ykarel is now known as ykarel|afk06:23
*** ykarel|afk has quit IRC06:33
*** ykarel|afk has joined #openstack-keystone06:34
*** namnh has joined #openstack-keystone06:37
*** AlexeyAbashkin has quit IRC06:43
*** AlexeyAbashkin has joined #openstack-keystone06:43
*** mvk has joined #openstack-keystone06:44
*** tommylikehu has quit IRC06:45
*** ykarel|afk is now known as ykarel06:46
*** tommylikehu has joined #openstack-keystone06:48
*** tommylikehu has quit IRC06:54
*** ispp has joined #openstack-keystone06:57
*** tommylikehu has joined #openstack-keystone06:59
*** dikonoor has joined #openstack-keystone06:59
*** tommylikehu has quit IRC07:06
*** tesseract has joined #openstack-keystone07:11
*** tommylikehu has joined #openstack-keystone07:12
cmurphyadriant: I don't actually know that much about patrole, felipemonteiro is the best person to ask07:12
*** peereb has joined #openstack-keystone07:15
*** dikonoo has joined #openstack-keystone07:16
*** dikonoor has quit IRC07:20
*** links has quit IRC07:21
*** links has joined #openstack-keystone07:21
*** pcaruana has joined #openstack-keystone07:22
*** Alexey_Abashkin has joined #openstack-keystone07:23
*** AlexeyAbashkin has quit IRC07:24
*** Alexey_Abashkin is now known as AlexeyAbashkin07:24
*** amoralej|off is now known as amoralej07:25
*** efried has quit IRC07:28
*** efried has joined #openstack-keystone07:28
*** tosky has joined #openstack-keystone07:33
*** annp has joined #openstack-keystone07:34
*** links has quit IRC07:42
*** rcernin has quit IRC07:47
*** belmoreira has joined #openstack-keystone07:48
adriantcmurphy: thanks, will play with it first and then potentially chat to him. I was very very close to writing (had sort of starting writing something simple) that took a yaml file and used an admin account to make users/sessions and test raw API calls with tokens with only certain roles against our cloud: http://paste.openstack.org/show/724006/07:50
adriantPatrole saves me a bunch of effort potentially, but at the very least gives me a way to confirm policy files make sense before even touching APIs.07:52
adrianthopefully, if I read the docs right.07:53
cmurphyyes I think so07:53
*** links has joined #openstack-keystone07:55
*** ykarel is now known as ykarel|lunch08:02
yankcrimeping knikolla - did you get any further with ksproj?08:37
wxylbragstad: add some comments here: https://etherpad.openstack.org/p/keystone-unified-limit-migration-notepad ,L89, need your suggestion. Thanks.08:40
*** markvoelker has quit IRC08:54
*** vegarl has quit IRC09:03
*** vegarl has joined #openstack-keystone09:05
*** ykarel|lunch is now known as ykarel09:29
*** rcernin has joined #openstack-keystone09:39
*** Dinesh_Bhor has quit IRC09:49
*** rcernin has quit IRC09:53
*** dikonoor has joined #openstack-keystone09:58
*** dikonoo has quit IRC10:02
*** annp has quit IRC10:20
*** sonuk has quit IRC10:41
knikollayankcrime: o/10:42
knikollaI did. I also did some playing around with adjutant.10:44
yankcrimeah cool, i've been on holiday for a week so still in catch-up mode, but playing around with adjutant is also on my to-do10:44
*** dikonoo has joined #openstack-keystone10:45
knikollaI would really like a vacation. Around 60% of last week was meetings for me.10:45
knikollaWanna talk about your requirements?10:46
*** dikonoor has quit IRC10:49
*** martinus__ has quit IRC10:49
yankcrimeyeah can do, althought my thoughts are probably slightly half-baked10:51
*** namnh has quit IRC10:51
yankcrimebasic requirement is user invitation and onboarding (aup awareness / acceptance etc.), i think a lot of what's there in ksproj is along the right lines10:54
*** rcernin has joined #openstack-keystone10:54
knikollaare your users going to be federated?10:55
yankcrimeyes, that's the goal10:55
yankcrimeoriginally our thinking was that users would hit a page on which they'd request access, and then an admin would approve those10:55
knikollamakes sense,  it's pretty much the same goal that I have. With the addition that users also be able to invite/remove people from their projects.10:56
knikollaksproj currently can do invites for federated users and prompt for terms of agreement on invite acceptance10:58
knikolla(on master)10:58
knikollaon dev I was working on doing some refactoring so that I could add features to remove/list users from projects10:58
*** markvoelker has joined #openstack-keystone10:59
knikollabased on my testing around adjutant I found that it also does invites, however it doesn't work with federated users10:59
knikollaadriant: ^^ if you're around11:00
yankcrimeah that'd be a showstopper for us then as it stands right now11:01
*** dikonoor has joined #openstack-keystone11:02
*** dikonoo has quit IRC11:06
knikollayankcrime: I wanna spend slighly more time with it, to see if it's hard or easy to patch that in.11:09
knikollaI'd be happier to maintain ksproj if you're helping but also don't want to duplicate efforts by the community11:09
yankcrimeyeah that11:10
yankcrimethat's fair enough, i'll do some more hacking around with ksproj as i've a specific deployment in mind for it right now11:10
yankcrimei'll see about filling any gaps along the way and then let you know11:11
knikollayankcrime: cool, you know where to find me if you have questions. Though keep in mind I'm on EST.11:11
yankcrimeno worries, and will do - thanks again knikolla11:12
* knikolla goes to shower and have breakfast11:12
*** rcernin has quit IRC11:19
*** markvoelker has quit IRC11:30
*** sonuk has joined #openstack-keystone11:38
*** rcernin has joined #openstack-keystone11:39
*** rcernin has quit IRC11:44
DHEadriant: regarding my read-only keystone db, I'm mostly looking at it from the standpoint of disaster recovery but with keystone (and only keystone) high availability. if region 1 burns to the ground I'll deal with it manually to get nova, glance etc up and running11:48
DHEbut I'm running (or will be running) swift in multiple regions which only depends on keystone and I want to ensure it continues functioning even if region 1 is offline for a fiber cut or something.11:49
DHEso really this is me taking the lazy way out11:49
*** raildo has joined #openstack-keystone12:05
*** amoralej is now known as amoralej|lunch12:10
*** sonuk has quit IRC12:18
*** markvoelker has joined #openstack-keystone12:26
*** mchlumsky has joined #openstack-keystone12:35
*** links has quit IRC12:43
*** edmondsw has joined #openstack-keystone12:58
*** markvoelker has quit IRC13:00
*** felipemonteiro has joined #openstack-keystone13:03
hrybackiHappy Summer (or winter) Solstice y'all13:07
*** felipemonteiro has quit IRC13:24
*** markvoelker has joined #openstack-keystone13:30
*** josecastroleon has quit IRC13:32
*** josecastroleon has joined #openstack-keystone13:32
*** josecastroleon has quit IRC13:36
*** josecastroleon has joined #openstack-keystone13:36
openstackgerritzhangzhaoshan proposed openstack/oslo.limit master: Update url in HACKING.rst  https://review.openstack.org/57716213:39
*** spilla has joined #openstack-keystone13:39
*** amoralej|lunch is now known as amoralej13:44
hrybackilbragstad: question -- so we can indicate that rules are deprecated now within policy -- but this isn't meant to indicate that a specific path/method is deprecated/slotted for removal, correct?13:48
*** jistr is now known as jistr|mtg13:49
lbragstadright13:50
*** zeus has joined #openstack-keystone13:50
*** zeus is now known as Guest2199013:50
lbragstadhrybacki: the DeprecatedRule is only meant to indicate a specific policy name or check string has been deprecated13:52
*** Guest21990 is now known as zeus13:52
*** zeus has joined #openstack-keystone13:52
hrybackiack, thanks for confirming lbragstad13:54
hrybackilbragstad: I'm going to start making something similar to https://wiki.openstack.org/wiki/Barbican/Policy for Keystone today -- to assist in the API audit -- is there any additional info points you think I should capture?13:55
lbragstadnot that i can think of13:56
hrybacki++13:57
lbragstadi bumped the minimum version of python-keystoneclient in osc for https://review.openstack.org/#/q/status:open+project:openstack/python-openstackclient+branch:master+topic:bp/unified-limits14:03
lbragstad^ that should be working now14:03
*** r-daneel has joined #openstack-keystone14:11
*** ykarel is now known as ykarel|away14:12
*** links has joined #openstack-keystone14:17
openstackgerritLance Bragstad proposed openstack/keystone master: Simplify the issue token code path  https://review.openstack.org/54545014:17
*** dikonoo has joined #openstack-keystone14:21
*** links has quit IRC14:23
*** dikonoor has quit IRC14:24
*** itlinux has quit IRC14:31
*** r-daneel_ has joined #openstack-keystone14:43
*** r-daneel has quit IRC14:44
*** r-daneel_ is now known as r-daneel14:44
openstackgerritMerged openstack/oslo.limit master: Update url in HACKING.rst  https://review.openstack.org/57716214:50
*** peereb has quit IRC14:51
*** zhongjun__ has joined #openstack-keystone14:55
*** pcaruana has quit IRC14:56
*** josecastroleon has quit IRC15:02
*** josecastroleon has joined #openstack-keystone15:02
*** josecastroleon has quit IRC15:04
*** josecastroleon has joined #openstack-keystone15:04
*** itlinux has joined #openstack-keystone15:19
*** felipemonteiro has joined #openstack-keystone15:25
gagehugoo/15:26
*** jistr|mtg is now known as jistr15:36
*** jistr is now known as jistr|off15:47
*** ykarel|away has quit IRC15:47
*** dklyle has quit IRC15:48
*** ispp has quit IRC15:49
*** blake has joined #openstack-keystone15:52
openstackgerritLance Bragstad proposed openstack/keystone master: Introduce new TokenModel object  https://review.openstack.org/55912915:56
openstackgerritLance Bragstad proposed openstack/keystone master: Simplify the issue token code path  https://review.openstack.org/54545015:56
*** Guest88320 is now known as dansmith15:59
*** dikonoor has joined #openstack-keystone16:00
*** dikonoo has quit IRC16:04
*** r-daneel_ has joined #openstack-keystone16:09
*** tesseract has quit IRC16:09
*** r-daneel has quit IRC16:11
*** r-daneel_ is now known as r-daneel16:11
*** gyee has joined #openstack-keystone16:12
*** fiddletwix has quit IRC16:14
*** dklyle has joined #openstack-keystone16:16
*** d0ugal has quit IRC16:23
*** tadams12083 has joined #openstack-keystone16:28
*** amoralej is now known as amoralej|off16:29
*** raopajay has joined #openstack-keystone16:37
openstackgerritGage Hugo proposed openstack/keystone master: Remove unclear wording in parameters  https://review.openstack.org/57723516:47
*** blake has quit IRC16:50
*** blake has joined #openstack-keystone16:50
*** blake has quit IRC16:55
*** blake has joined #openstack-keystone17:01
*** amoralej|off is now known as amoralej17:33
*** dikonoor has quit IRC17:34
*** r-daneel_ has joined #openstack-keystone17:38
openstackgerritKristi Nikolla proposed openstack/keystone master: Simple usage docs for implied roles  https://review.openstack.org/57591117:39
*** r-daneel has quit IRC17:40
*** r-daneel_ is now known as r-daneel17:40
*** r-daneel_ has joined #openstack-keystone17:50
*** jeremyfreudberg has joined #openstack-keystone17:52
*** r-daneel has quit IRC17:52
*** r-daneel_ is now known as r-daneel17:52
*** blake has quit IRC17:55
*** blake has joined #openstack-keystone17:55
*** blake has quit IRC18:00
openstackgerritJeremy Freudberg proposed openstack/keystone master: Expose duplicate role names bug in trusts  https://review.openstack.org/57661018:03
openstackgerritJeremy Freudberg proposed openstack/keystone master: Fix duplicate role names in trusts bug  https://review.openstack.org/57661118:03
*** germs has joined #openstack-keystone18:05
*** germs has quit IRC18:05
*** germs has joined #openstack-keystone18:05
jeremyfreudberg^ lbragstad, back to you... it would be great if the sahara gate became unblocked today18:06
*** blake has joined #openstack-keystone18:07
*** germs has quit IRC18:10
*** AlexeyAbashkin has quit IRC18:10
*** efried is now known as efried_pto18:20
ildikovknikolla: hi18:34
knikollaildikov: o/ hi18:35
knikollain a meeting currently. i should be back in about 30 mins.18:35
ildikovknikolla: I created an etherpad to work out a plan to continue the testing work and have people sign up: https://etherpad.openstack.org/p/ECG_Keystone_Testing18:35
ildikovknikolla: cool, plz ping me, when you're available18:35
*** felipemonteiro_ has joined #openstack-keystone18:37
*** felipemonteiro has quit IRC18:37
*** ksavich has joined #openstack-keystone18:39
*** ksavich has quit IRC18:40
tadams12083When I run "openstack user list --domain <ldap enabled domain>" I get all my ldap users however when I run "openstack group contains user --group-domain <ldap enabled domain> --user-domain <ldap enabled domain> <ldap groupname> <ldap user>" against an LDAP enabled domain it comes back empty with 0 users.  Is there anyone who can point me in the rigth direction for troubleshooting LDAP groups in keystone?18:43
lbragstadjeremyfreudberg: ack - reviewed18:44
*** martinus__ has joined #openstack-keystone18:44
kmalloclbragstad: if you have a few moments to look at the new enforcer, i'd like to get a "yeah that looks better" or "oh god, kjust as bad or worse" before i write the tests/diving into using it18:47
*** amoralej is now known as amoralej|off18:59
openstackgerritJeremy Freudberg proposed openstack/keystone master: Fix duplicate role names in trusts bug  https://review.openstack.org/57661119:01
lbragstadkmalloc: yeah - i can pull that up quick19:05
lbragstadi need a break from the TokenModel refactor anyway19:05
*** felipemonteiro__ has joined #openstack-keystone19:05
kmallochehe, i figured you might want a change.19:06
*** jeremyfreudberg has left #openstack-keystone19:07
lbragstadis it https://review.openstack.org/#/c/576639/6 ?19:08
*** felipemonteiro_ has quit IRC19:09
*** jmlowe_ has quit IRC19:11
lbragstadkmalloc: hmm19:20
lbragstadso enforce() is getting replaced with enforce_call()?19:21
kmalloc.enforce_call is called in the method instead of decorating with @protected19:21
lbragstadbut it's taking the place of enforce(), right?19:21
kmallocno. taking the place of @protected/@filteredprotected19:22
kmallocenforce still exists and is ultimately called down through the oslo_policy enforcer19:22
kmallocenforce is the lower layer19:23
kmalloctoday [pre-flask], we do @protected, which does "check authenticated", then calls common.authorization.check_protection, which then calls check_policy, builds policy_dict, then calls controllers(policy).enforce19:23
kmallocwhich calls driver.enforcer, which calls policy_API19:24
kmalloci think.19:24
lbragstadok - yeah19:24
lbragstadthat sounds right19:24
kmallocor... the last part is it calls olos_policy.enforcer.enforce19:24
kmallocit's absurd19:24
kmallocand that doesn't even take into account callbacks.19:24
kmallocso, instead of a very crazy call stack19:27
kmalloc... we now call, in our method: .enforce_call()19:27
kmallocand supply the same kind of information you'd supply for @protected/@filterprotected19:27
kmallocand / or target info (which eliminates the callback)19:28
kmallocsince it is called mid-method19:28
kmallocrather than as a decorator19:28
ildikovknikolla: BTW, are you on the Edge Computing mailing list too?19:28
kmallocand we have a couple wrappers to throw errors *if* enforce_call isn't called and/or the method isn't explicitly exempted from enforcement19:29
lbragstadok19:30
lbragstadfrom a high level view - this seems sane19:30
lbragstadeverything seems pretty well encapsulated19:31
kmallocalso i tried to add docstrings up and down and up so that it's "easy" to use19:31
lbragstadthat'll be the other big part19:31
*** jmlowe has joined #openstack-keystone19:32
kmallocright now, good luck knowing what @protected does19:32
kmallocand what each thing is19:32
kmallocit took me 3 days to unwind it19:32
kmallocbecause it supports doing insane levels of things... and we literally use none of it19:32
lbragstadso - from the perspective of someone looking to write a new keystone API19:32
lbragstadand protect it19:32
lbragstadmy main entry point is enforce_call()19:33
kmalloci even added the same "functionality" to do the "get_member_from_driver" if needed.19:33
kmallocyep, and the blueprint/API base automatically wraps the "API MUST BE PROTECTED" stuff for you19:33
knikollaildikov: o/ hi again. yes, i signed up for the edge computing mailing list the other day.19:33
kmallocand there is a decorator to say "this is a whitelisted/non-protected api"19:33
lbragstadin the case of https://bugs.launchpad.net/keystone/+bug/175066019:33
openstackLaunchpad bug 1750660 in OpenStack Identity (keystone) "The v3 project API should account for different scopes" [High,Triaged]19:33
ildikovknikolla: great19:34
lbragstadsay i want to rework the authorization of that method to properly handle system-scope19:34
ildikovknikolla: two things19:34
kmalloclbragstad: changing the behavior based upon scope is easy.19:34
lbragstadkmalloc: i call enforce_call() first19:35
kmallocrelatively.19:35
lbragstadthen i still have the context available to make the distinction between project-scope, domain-scope, and system-scope?19:35
kmallocthat being said... that change seems like a bad idea.19:35
ildikovknikolla: there's a new thread on Keystone Edge architectures: http://lists.openstack.org/pipermail/edge-computing/2018-June/000294.html19:35
kmalloccalling /v3/projects and getting different respoinses, but then again, i guess that adheres to the "vary" header19:36
ildikovknikolla: talking about what options we have, like federation vs DB replication, etc.19:36
lbragstadkmalloc: i think we'd have to in order to fix admin-ness?19:36
kmalloclbragstad: yeah.19:36
kmalloclbragstad: i didn't say we had another option19:36
kmallocfrom an api standpoint... gross19:36
ildikovknikolla: I think it could be beneficial to continue the Forum discussion either on the thread or on a follow up meeting19:36
lbragstadif i'm a system admin, i call GET /v3/projects i can get all projects19:36
ildikovknikolla: can you chime in to the thread from Keystone capabilities perspective?19:37
kmalloclbragstad: do you always get all projects?19:37
kmallocin that case19:37
kmallocor [obv. filterable]19:37
lbragstadif i'm a project admin and i call it, i only get projects under the project i admin19:37
kmallocbut assuming GET /projects19:37
kmallocno ?filerparam19:37
ildikovknikolla: the other thing is that I created an etherpad to organize our testing plans and look for volunteers: https://etherpad.openstack.org/p/ECG_Keystone_Testing19:37
kmallocsystem scope = all projects, domain-admin = projects under my domain, project-admin = subprojects under mine?19:38
ildikovknikolla: if you have any further info/pointers to the content already there, plz add them to the etherpad19:38
lbragstador if i'm a domain admin, and i have project B and C under domain A, if i use a token scoped to domain A, then i should get a list of B and C back (and not E, F, G, which are under a different domain)19:38
lbragstadkmalloc: yaeh - i think so19:38
kmalloclbragstad: then it's easy, thats business logic19:39
lbragstadcool19:39
kmallocthat just introspecs scope to know what to filter / ask for19:39
lbragstadthat's going to be good19:39
kmallochas zero to do with .enforce_call19:39
lbragstadawesome19:39
kmallocenforce_call is "can I access the API and/or resource if populated in the policy_dict"19:39
kmallocbecause we have %(target)19:39
kmallocin the DSL, which could be project_foo.id19:40
ildikovknikolla: those were all my topics for today :)19:40
kmallocand you can check to see if user_id is allowed to <act> on project_foo via %(target)19:40
lbragstadthe role_assignment API is another one that is going to be like that19:40
lbragstade.g. we shouldn't be listing system role assignments when a project admin asks for "all" role assignments19:41
kmallocyeah, think of enforce as being "are you able to do X, given <rule>"19:41
lbragstadsure19:41
kmallocif we change what response is looking like19:41
kmallocenforce has already said "yep, you can do X"19:41
lbragstad^ that will still be possible right?19:41
lbragstadtreat it as a two step thing19:41
kmallocsame concept as project stuff19:41
kmalloc"oh this isn't a system scope, filter system roles"19:42
kmallocit's all business logic19:42
lbragstadyeah19:42
lbragstadcool19:42
lbragstadcalling enforce just makes sure you're access the API with a token of the right authorization and scope19:42
knikollaildikov: awesome! i'll get right to it.19:42
kmallocchecking user_auth.scope.id[a project id] == target.id19:42
kmallocis what enforce is meant to do19:42
lbragstadthe second step makes sure the response matches that information19:43
ildikovknikolla: cool, thanks much!19:43
kmallocor if user_auth.scope_type == API.required_scope19:43
kmallocenforce doesn't care what scope you have unless it is supposed to limit an API to a scope.id or a scope_type19:43
lbragstadsure19:44
kmallocand enforce doesn't care about what data is being returned19:44
lbragstadright19:44
kmallocenforce is... like the honey badger </meme>. it just doesn't <redacted for explicit words>19:44
lbragstadthat makes sense - so long as it's easy to make that business logic in the methods calling .enforce_call() i'm happy19:44
kmallocyeah, that is the goal19:44
kmallocomg. i have AC, and i feel so much better19:45
kmallocmy office was ~10-15 degrees warmer than the rest of the house19:45
kmallocnot ok when that made the office ~90-9519:45
openstackgerritKristi Nikolla proposed openstack/keystone master: Simple usage docs for implied roles  https://review.openstack.org/57591119:46
kmalloclbragstad: oh, this is an easy one: https://review.openstack.org/#/c/576660/19:46
kmalloclbragstad: if you want to get us close to dropping the old password column ;)19:46
kmallocone more cycle after that lands.19:46
openstackgerritKristi Nikolla proposed openstack/keystone master: Simple usage docs for implied roles  https://review.openstack.org/57591119:46
knikollalbragstad, cmurphy, gagehugo: fixed the grammar as suggested ^^19:47
*** r-daneel_ has joined #openstack-keystone19:58
*** r-daneel has quit IRC19:59
*** r-daneel_ is now known as r-daneel19:59
openstackgerritGage Hugo proposed openstack/keystone master: WIP Add docs for case-insensitivity in keystone  https://review.openstack.org/57664020:07
*** blake has quit IRC20:17
gagehugolbragstad kmalloc: so by default mySQL is case-insensitive right?  https://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/test_backend_sql.py#n310 is a bit confusing20:19
lbragstadcorrect - i tested that with a devstack install and it failed when i replicated that test by hand20:20
kmallocYes.20:20
kmallocOnly for varchar, it is case preserving though.20:21
lbragstadis sqlite case-sensitive?20:21
openstackgerritGage Hugo proposed openstack/keystone master: WIP Add docs for case-insensitivity in keystone  https://review.openstack.org/57664020:22
gagehugoit looks like it's insensitive20:25
*** blake has joined #openstack-keystone20:28
lbragstadkmalloc: did you happen to see wxy's comments here - https://etherpad.openstack.org/p/keystone-unified-limit-migration-notepad ?20:31
kmalloclbragstad: did not20:33
openstackgerritGage Hugo proposed openstack/keystone master: WIP Add docs for case-insensitivity in keystone  https://review.openstack.org/57664020:35
*** r-daneel_ has joined #openstack-keystone20:37
*** r-daneel has quit IRC20:37
*** r-daneel_ is now known as r-daneel20:37
*** martinus__ has quit IRC20:41
*** aojea has joined #openstack-keystone20:51
openstackgerritGage Hugo proposed openstack/keystone master: Add LDAP user-backed functional testing gate  https://review.openstack.org/55894020:53
openstackgerritGage Hugo proposed openstack/keystone master: Add functional testing gate  https://review.openstack.org/53101420:54
*** jmlowe has quit IRC20:54
*** raildo has quit IRC20:55
*** felipemonteiro__ is now known as felipemonteiro21:11
*** jmlowe has joined #openstack-keystone21:14
*** ayoung has joined #openstack-keystone21:15
*** blake has quit IRC21:19
*** blake has joined #openstack-keystone21:20
*** blake has quit IRC21:24
*** blake has joined #openstack-keystone21:29
*** blake has quit IRC21:30
*** jmlowe has quit IRC21:31
*** r-daneel has quit IRC21:32
*** blake has joined #openstack-keystone21:32
*** blake has quit IRC21:33
openstackgerritGage Hugo proposed openstack/keystone master: WIP Add docs for case-insensitivity in keystone  https://review.openstack.org/57664021:37
*** blake has joined #openstack-keystone21:39
*** jmlowe has joined #openstack-keystone21:39
*** blake has quit IRC21:39
*** spilla has quit IRC21:40
*** d0ugal has joined #openstack-keystone21:42
*** d0ugal_ has joined #openstack-keystone21:44
*** d0ugal has quit IRC21:45
*** blake has joined #openstack-keystone21:49
*** blake has quit IRC21:49
*** blake has joined #openstack-keystone21:52
*** nicolasbock has quit IRC21:54
*** blake has quit IRC21:56
*** itlinux has quit IRC22:04
*** blake has joined #openstack-keystone22:15
*** germs has joined #openstack-keystone22:18
*** germs has quit IRC22:18
*** germs has joined #openstack-keystone22:18
*** felipemonteiro has quit IRC22:18
*** blake has quit IRC22:19
*** blake has joined #openstack-keystone22:19
*** edmondsw has quit IRC22:24
*** rcernin has joined #openstack-keystone22:26
*** edmondsw has joined #openstack-keystone22:26
*** germs has quit IRC22:31
*** edmondsw has quit IRC22:35
*** edmondsw has joined #openstack-keystone22:35
*** aojea has quit IRC22:39
*** edmondsw has quit IRC22:40
*** itlinux has joined #openstack-keystone23:10
*** tosky has quit IRC23:34
*** blake has quit IRC23:49
*** blake has joined #openstack-keystone23:49
« Wednesday, 2018-06-20 Index Friday, 2018-06-22 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!