Friday, 2018-08-24

« Thursday, 2018-08-23 Index Saturday, 2018-08-25 »
*** r-daneel has quit IRC00:28
*** r-daneel has joined #openstack-keystone00:28
*** gyee has quit IRC00:44
*** imacdonn has quit IRC00:50
*** imacdonn has joined #openstack-keystone00:50
*** ChanServ has quit IRC01:00
*** ChanServ has joined #openstack-keystone01:03
*** barjavel.freenode.net sets mode: +o ChanServ01:03
*** r-daneel has quit IRC01:05
*** itlinux has quit IRC01:07
*** itlinux has joined #openstack-keystone01:07
*** felipemonteiro has quit IRC01:12
*** felipemonteiro has joined #openstack-keystone01:18
*** Nel1x has joined #openstack-keystone01:28
wxy-xiyuanlbragstad: cmurphy : cool, thanks for the patch for placeholder.01:35
*** felipemonteiro has quit IRC01:37
openstackgerritMerged openstack/keystone master: Add safety to the inferred target extraction during enforcement  https://review.openstack.org/59120301:38
openstackgerritMerged openstack/keystone master: Convert role_assignments API to flask native dispatching  https://review.openstack.org/59051801:38
openstackgerritMerged openstack/keystone master: Convert system (role) api to flask native dispatching  https://review.openstack.org/59058801:40
*** raginbajin has quit IRC01:46
*** raginbajin has joined #openstack-keystone01:49
*** dansmith has quit IRC01:49
*** dansmith has joined #openstack-keystone01:51
*** threestrands has quit IRC02:08
openstackgerritMonty Taylor proposed openstack/keystoneauth master: Add support for ironic single-version responses  https://review.openstack.org/59598002:16
*** Nel1x has quit IRC02:28
*** imacdonn has quit IRC02:28
*** nicolasbock has quit IRC02:28
*** wlmbasson has quit IRC02:28
*** jlvillal has quit IRC02:28
*** dims has quit IRC02:28
*** mnaser has quit IRC02:28
*** TheJulia has quit IRC02:28
*** rledisez has quit IRC02:28
*** adriant has quit IRC02:28
*** ildikov has quit IRC02:28
*** mordred has quit IRC02:28
*** Nel1x has joined #openstack-keystone02:30
*** imacdonn has joined #openstack-keystone02:30
*** nicolasbock has joined #openstack-keystone02:30
*** wlmbasson has joined #openstack-keystone02:30
*** dims has joined #openstack-keystone02:30
*** jlvillal has joined #openstack-keystone02:30
*** mnaser has joined #openstack-keystone02:30
*** TheJulia has joined #openstack-keystone02:30
*** rledisez has joined #openstack-keystone02:30
*** ildikov has joined #openstack-keystone02:30
*** adriant has joined #openstack-keystone02:30
*** mordred has joined #openstack-keystone02:30
*** openstack has joined #openstack-keystone13:19
*** ChanServ sets mode: +o openstack13:19
*** openstackstatus has joined #openstack-keystone13:22
*** ChanServ sets mode: +v openstackstatus13:22
*** openstackstatus has quit IRC13:22
*** openstackstatus has joined #openstack-keystone13:24
*** ChanServ sets mode: +v openstackstatus13:24
openstackgerritLance Bragstad proposed openstack/keystone master: Convert policy API to flask  https://review.openstack.org/58995013:29
*** felipemonteiro has joined #openstack-keystone13:29
*** itlinux-away has quit IRC13:53
*** jaosorior has joined #openstack-keystone14:02
*** r-daneel has joined #openstack-keystone14:04
*** felipemonteiro has quit IRC14:16
mnaserhi keystone team14:31
mnaserwe're seeing this weird issue under centos14:31
mnaserin openstack ansible14:32
mnaserhttp://logs.openstack.org/96/595796/2/check/openstack-ansible-functional-centos-7/4fe8937/logs/ara-report/result/1c0f7c0b-6848-49ea-8189-6da35d4e348a/14:32
mnaserany ideas?14:32
cmurphymnaser: pysaml2 isn't installed?14:32
*** jaosorior has quit IRC14:33
mnasercmurphy: shouldn't that just be installed when we add keystone?14:34
mnaseras in, isn't that in requirements.txt, i didn't check honestly14:34
*** itlinux has joined #openstack-keystone14:35
cmurphymnaser: it is in requirements.txt14:35
mnasercmurphy: ok, strange, let me see why it didn't get installed then14:35
mnaserhttp://logs.openstack.org/96/595796/2/check/openstack-ansible-functional-centos-7/4fe8937/logs/ara-report/result/d70c28b3-833e-4439-a84d-8973a96b2828/14:36
mnaser"Running setup.py (path:/tmp/pip-build-dBwTWA/pysaml2/setup.py) egg_info for package pysaml2 produced metadata for project name unknown. Fix your #egg=pysaml2 fragments."14:36
mnaserinteresting14:36
elbragstadis this master?14:37
elbragstadlooks like it https://review.openstack.org/#/c/595796/14:37
*** viks__ has quit IRC14:38
openstackgerritLance Bragstad proposed openstack/keystone master: Add test case for expanding implied roles in system tokens  https://review.openstack.org/59635614:48
openstackgerritLance Bragstad proposed openstack/keystone master: Expand implied roles in system-scoped tokens  https://review.openstack.org/59635714:48
*** jlvillal is now known as jlviva-viva14:52
*** itlinux has quit IRC14:55
*** pcaruana has quit IRC14:59
openstackgerritLance Bragstad proposed openstack/keystone master: Expand implied roles in system-scoped tokens  https://review.openstack.org/59635715:00
*** r-daneel has quit IRC15:04
*** r-daneel has joined #openstack-keystone15:06
*** itlinux has joined #openstack-keystone15:09
*** r-daneel_ has joined #openstack-keystone15:18
*** r-daneel has quit IRC15:19
*** r-daneel_ is now known as r-daneel15:19
*** nicolasbock has joined #openstack-keystone15:21
*** imacdonn has joined #openstack-keystone15:22
*** raildo has quit IRC15:26
*** raildo has joined #openstack-keystone15:54
*** itlinux has quit IRC16:02
*** itlinux has joined #openstack-keystone16:06
*** itlinux is now known as itlinux-away16:16
*** itlinux-away is now known as itlinux16:16
*** r-daneel_ has joined #openstack-keystone16:18
*** gyee has joined #openstack-keystone16:19
*** r-daneel has quit IRC16:20
*** r-daneel_ is now known as r-daneel16:20
knikollao/16:35
openstackgerritMerged openstack/oslo.policy master: add lib-forward-testing-python3 test job  https://review.openstack.org/59118916:51
mnaserheyso16:53
mnasersay i know someone who runs a public cloud thats launching a new region16:54
mnaserhow is the state of rocky right now in terms of rc's16:54
elbragstad0.016:54
mnaseris deploying stable/rocky crazy at this state?16:54
elbragstadare you asking what i think you're asking?16:54
cmurphymnaser: that could be anyone16:54
cmurphy:P16:55
mnaserbecause our gates in OSA seem to deploy it ok16:55
mnaserbut i'm wondering if there aren't things that are still being flushed out16:55
elbragstadthat sounds oddly like a "well, it worked in devstack" statement ;)16:55
mnaseror if it looks like the release will go out in the current state :p16:55
elbragstadto be honest, i *think* rc2 is going to be fine16:56
elbragstadwe had little new development this release, but we did have a couple very large refactors16:56
mnaseri guess the flask stuff too16:56
elbragstadyeah - mainly flask16:56
elbragstadwe also shuffled around a lot of stuff with the token provider interfaces, but i'm pretty confident in that with the testing we have16:57
mnasercool16:58
mnaserthe only thing i'm worried about is a bit of latency16:58
elbragstadbecause of keystone?16:58
mnaser73ms16:58
mnaserfor a rtt between where keystone is located and the region16:59
elbragstadoh - you're talking network latency with respect to that region?16:59
elbragstadaha - i see what you mean16:59
mnaseryeah, because we want to keep a single keystone (i will refuse to have multiple keystone instances, neverrr)16:59
elbragstadand you don't want to standup a multi-site master deployment?17:00
mnasermulti-site master as is multi-site galera?17:00
elbragstadright17:00
mnaseri dont think you can run a per-db only galera instance17:00
mnaserwhich means it would replicate a lot more stuff than it needs17:00
mnaseri guess the other alternative is to build a read-only slave in the region17:01
mnaserwith normal boring replication17:01
mnasergiven the state of users/projects/etc doesn't actually *change* all that much17:01
elbragstadif you have a cluster of api servers in region A backed to galera in region A17:01
elbragstadyou couldn't do a cluster of api servers in region B backed to galera in region B?17:02
mnaseri could, but how do i make sure the data from region A makes it to region B17:02
elbragstadbut both sets of galera nodes replicate to each other17:02
mnaserafaik galera cant do 'per db replication'17:02
mnaserits either the entire cluster or nothing17:02
mnaserand that would bring in all sorts of other dbs (our dbs host all services)17:03
elbragstadoh...17:03
elbragstadkeystone isn't your only database i suppose17:03
mnaseryeah17:03
elbragstadgot it17:03
mnaseri forgot, can a fernet token be validated locally?17:04
elbragstaddolph and i did a bunch of testing around multi-site multi-write support with galera deployed locally17:04
mnaserlike is db access involved in fernet token vlaidation17:04
elbragstadmnaser: define locally?17:04
mnaserso i think i remember reading that fernet tokens used the /etc/fernet-keys to validate them17:04
elbragstadvalidation requires database reads in order to reconstruct the token response17:04
mnaserah i see17:04
elbragstadbut it's all reads17:05
mnaserso really all i'm adding is a 70ms rtt overhead17:05
elbragstadi believe so?17:05
elbragstadyou could deploy keystone with a readonly database17:06
elbragstadand just point keystone_authtoken for each service to use the local keystone within the new region17:06
elbragstad(that might help cut down the network latency)17:06
mnaserlooks like per db replication is just a really weird beast17:07
elbragstadso galera does support it?17:07
mnasernope, mysql does but not galera from what it looks17:07
mnaserhttp://galeracluster.com/2015/07/geo-distributed-database-clusters-with-galera/17:08
mnaserinteresting17:08
mnaserbut it also means all sorts of stuff will be there that dont have to be there17:09
* elbragstad just found that same link17:09
elbragstadis that going to be a non-starter from a security perspective?17:09
mnaseri guess i can use `replicate-do-db`17:09
mnasernot really.17:10
mnaseri mean my thoughts was going to be17:10
mnaserstart with that latency and see what happens.17:10
elbragstadsure17:10
mnaseri dont think it would be *that* bad17:10
elbragstadif it does end up being terrible, it looks like there are paths for optimizations17:11
mnaseryeah to minimize the number of transactions/etc17:11
mnaserwe can profile this stuff17:11
mnaserto help minimize round trips17:11
mnasermemcache doesnt really help, does it?17:11
mnaserwe deploy it anyways but im not sure how much of help it would be17:11
elbragstadit would help on subsequent requests i think?17:12
elbragstadbut you might be paying the 70 ms latency cost at least once17:12
mnaseryeah the at least once i think is a given17:12
kmallocmnaser: we could work to help pre-seed things into memcache, but subsequent requests (even within the same transaction) would help17:12
mnaserkmalloc: i think i'd be okay with at least once hitting 70ms.. i'd certainly be more than happy to work to provide some profiling stuff to see what is taking up the time17:14
mnaserbut i guess this work would be client-side stuff17:14
elbragstad++17:14
elbragstadprofiling would be awesome17:14
mnaseryeah actually i think we wouldn't have multiple 70ms hits because17:14
* elbragstad hasn't done any real profiling since 2015 :(17:14
mnaserif i keep our api the same place, it will simply make 1 request17:14
mnaserso rather than hosting local apis which do multiple db requests at 70ms each17:15
mnasercontacting the remote api would instead be a single request at 70ms but inside that request, they'd all execute locally in that region17:15
elbragstadyou mean each service would use the local region for token validation?17:15
elbragstadand the 70 ms penalty would only be at the edge of the request (e.g. hitting nova)17:16
mnaserelbragstad: nope, each service would talk to the same keystone which is at the current region17:17
elbragstadoh17:17
mnaserso <service @ region B> => <keystone @ region A> => <local db access>17:17
mnaservs <service @ region B> => <keystone @ region B> => <remote db access>17:17
elbragstadlocal db is going to be in region B?17:18
mnasersorry no, in region A in both cases17:18
mnaseri think that it would be quicker to talk to region A directly because it means that it's a single HTTP round trip17:18
mnaserrather than single HTTP round trip inside the region, but multiple MySQL query round trips to the other region hosting the data17:18
elbragstadoh i think i see what you mean17:18
elbragstadjust make the request to region A from region B off the get go17:19
kmallocmnaser: yeah don't do remote DB, imo17:19
mnaseryeah it's a logistical pain too17:19
kmallocyou may want to crank up the TTL in the token validation to the token lifespan17:20
kmallocalso with the "allow expired" you might even want to add in a caching-proxy local to region B for keystone A with some semblance of "sane"17:20
kmallocthat way ?allow_expired would only be a 70ms hit once as well17:20
mnaserhmm. that might be a fun thing on top of it to reduce hits17:20
mnaserit'll be a fun exercise..17:21
mnaserlol17:21
kmalloc++, just keep in mind that it expands exposure for token life/revocation17:21
elbragstadresults from this would be good for our comprehensive caching guide (which currently doesn't exist)17:21
kmallocup until recent weeks now, i would have considered asking if REDIS as a cache (configured for repl) might work to help.17:22
kmallocsince the pre-seed of token values into the memcache on issue could be replicated locally.17:22
kmallocelbragstad: we should consider pre-seeding validated tokens with a known set of prefixes [independent of keystone's form] to the cache that the services would use.17:23
elbragstadi think we do that within keystone directly17:23
kmallocaka, pull in the KSM logic and allow pre-warming the cache for a given token on issuance, we only warm the cache for keystone's validation17:23
kmallockeystone's validation != what services store17:23
elbragstadright17:23
elbragstadi see what you mean17:23
kmallocso we could do both17:23
kmallocwe could also (if we wanted to async it) allow pre-seed to N cache regions, it would be relatively easy to write a looper that reads off a queue for that17:24
kmallocor at least have a way to send that data out so mnaser could write the loop/push thing.17:25
*** itlinux is now known as itlinux-away17:27
*** itlinux-away is now known as itlinux17:29
*** itlinux is now known as itlinux-away17:29
openstackgerritLance Bragstad proposed openstack/keystone master: Add test case for expanding implied roles in system tokens  https://review.openstack.org/59635617:29
openstackgerritLance Bragstad proposed openstack/keystone master: Expand implied roles in system-scoped tokens  https://review.openstack.org/59635717:29
*** itlinux-away is now known as itlinux17:30
*** itlinux is now known as itlinux-away17:30
*** itlinux-away has quit IRC17:35
openstackgerritLance Bragstad proposed openstack/keystone master: WIP: Implement scope_type checking for credentials  https://review.openstack.org/59454718:15
*** itlinux has joined #openstack-keystone20:13
*** raildo has quit IRC20:53
openstackgerritGage Hugo proposed openstack/keystone master: Add details and clarify examples on casing  https://review.openstack.org/59047720:56
*** itlinux has quit IRC20:58
elbragstadalright...21:03
elbragstadincoming patch partially fixing bug 96869621:03
openstackbug 968696 in OpenStack Identity (keystone) ""admin"-ness not properly scoped" [High,In progress] https://launchpad.net/bugs/968696 - Assigned to Adam Young (ayoung)21:03
*** marvin_mhg has quit IRC21:04
elbragstadit's still wip... but it _should_ pass tests...21:04
elbragstadlooking to see if anyone has some bright ideas for testing that might result in less duplication21:04
openstackgerritLance Bragstad proposed openstack/keystone master: Add test case for expanding implied roles in system tokens  https://review.openstack.org/59635621:12
openstackgerritLance Bragstad proposed openstack/keystone master: Expand implied roles in system-scoped tokens  https://review.openstack.org/59635721:12
openstackgerritLance Bragstad proposed openstack/keystone master: WIP: Implement scope_type checking for credentials  https://review.openstack.org/59454721:12
elbragstadcc kmalloc ^21:40
*** itlinux has joined #openstack-keystone22:19
kmallocelbragstad: nice22:22
*** gyee has quit IRC22:52
*** itlinux has quit IRC22:57
*** r-daneel has quit IRC23:24
*** tristanC has quit IRC23:56
« Thursday, 2018-08-23 Index Saturday, 2018-08-25 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!