Thursday, 2018-10-25

« Wednesday, 2018-10-24 Index Friday, 2018-10-26 »
*** gyee has quit IRC00:14
*** Dinesh_Bhor has joined #openstack-keystone01:44
*** rezzycavalheiro has joined #openstack-keystone02:05
*** felipemonteiro has joined #openstack-keystone02:08
rezzycavalheiroHello cmurphy and kmalloc! I'm applying for the Outreachy internship and I should use this chanel for help on getting started! I was wonderign if, to start contributing, should I follow the instructions on the reference links provided and then work on the low-hanging-fruit topics to contribute? Thank you02:10
*** openstackgerrit has joined #openstack-keystone02:22
openstackgerritwangxiyuan proposed openstack/keystone master: Remove useless "clean" file  https://review.openstack.org/61295402:22
openstackgerritGage Hugo proposed openstack/keystone master: Refactor flask domain config resources  https://review.openstack.org/61318202:26
*** ebukha has joined #openstack-keystone02:29
openstackgerritVishakha Agarwal proposed openstack/keystone master: Updating doc of unified limit  https://review.openstack.org/61222602:37
kmallocvishakha: looks good02:45
*** Dinesh_Bhor has quit IRC03:07
*** Dinesh_Bhor has joined #openstack-keystone03:13
openstackgerritVishakha Agarwal proposed openstack/keystone master: Set Default and resource limit as defined schema  https://review.openstack.org/61047903:13
*** itlinux has quit IRC03:17
vishakhakmalloc: : Thank  you03:21
*** felipemonteiro has quit IRC03:32
openstackgerritwangxiyuan proposed openstack/keystone master: nit: remove some useless code  https://review.openstack.org/61262503:37
openstackgerritwangxiyuan proposed openstack/keystone master: nit: remove some useless code  https://review.openstack.org/61262503:44
*** lbragstad has quit IRC04:00
*** felipemonteiro has joined #openstack-keystone04:28
*** ebukha has quit IRC04:36
*** erus has joined #openstack-keystone04:45
erushi04:45
*** spsurya has joined #openstack-keystone04:51
*** shyamb has joined #openstack-keystone05:01
*** rezzycavalheiro has quit IRC05:09
*** felipemonteiro has quit IRC05:16
*** shyamb has quit IRC05:17
*** Dinesh_Bhor has quit IRC05:20
*** Dinesh_Bhor has joined #openstack-keystone05:23
openstackgerritVishakha Agarwal proposed openstack/keystone master: Trivial: Remove repeated if conditions  https://review.openstack.org/61319805:37
*** ebukha has joined #openstack-keystone05:41
*** shyamb has joined #openstack-keystone06:01
*** Dinesh_Bhor has quit IRC06:08
openstackgerritwangxiyuan proposed openstack/keystone master: Remove useless "clean" file  https://review.openstack.org/61295406:09
*** Dinesh_Bhor has joined #openstack-keystone06:10
openstackgerritMike Chen proposed openstack/keystone master: Remove unused logging module  https://review.openstack.org/61320706:23
openstackgerritwangxiyuan proposed openstack/keystone master: Deprecate eventlet related configuration  https://review.openstack.org/61321006:28
openstackgerritwangxiyuan proposed openstack/keystone master: Deprecate eventlet related configuration  https://review.openstack.org/56876406:30
openstackgerritDao Cong Tien proposed openstack/keystone master: Adds doc8 check to pep8  https://review.openstack.org/58319606:38
*** xek has joined #openstack-keystone06:49
*** ebukha has quit IRC06:52
*** xek has quit IRC06:59
openstackgerritwangxiyuan proposed openstack/keystone master: Remove "crypt_strength" option  https://review.openstack.org/61321806:59
*** rcernin has quit IRC07:00
*** pcaruana has joined #openstack-keystone07:04
*** Dinesh_Bhor has quit IRC07:42
*** Dinesh_Bhor has joined #openstack-keystone07:46
*** Emine has joined #openstack-keystone07:46
*** sapd1 has quit IRC07:57
*** sapd1 has joined #openstack-keystone07:58
*** shyamb has quit IRC08:00
*** shyamb has joined #openstack-keystone08:17
*** xek has joined #openstack-keystone08:57
*** shyamb has quit IRC09:15
*** shyamb has joined #openstack-keystone09:17
openstackgerritCollins Okolo proposed openstack/keystone master: Update third endpoint legacy port for Keystone v3 API  https://review.openstack.org/61317109:37
*** pas-ha has joined #openstack-keystone09:40
pas-hahi all, have a question re docs vs reality - docs say that Keystone v3 API version in Pike is 3.9 https://developer.openstack.org/api-ref/identity/v3/index.html#what-s-new-in-version-3-9-pike but the code in stable/pike clearly states 3.8 https://git.openstack.org/cgit/openstack/keystone/tree/keystone/version/__init__.py?h=refs/heads/stable/pike#n1509:42
pas-haand the commit bumping it to 3.9 was merged long after Pike release, in the late December of 2017 https://git.openstack.org/cgit/openstack/keystone/commit/?id=b8c7cafe091ce0c05b0baf33b49deaf1bd8a080609:44
pas-haso where is the truth? :-)09:44
*** shyamb has quit IRC09:45
cmurphypas-ha: I just made that change to the api-ref to refer to the release names, I might have messed it up, let me try to confirm09:45
*** shyamb has joined #openstack-keystone09:45
pas-hacmurphy: thanks09:46
cmurphypas-ha: i think the tags stuff was meant to be queens not pike09:52
cmurphyi think somehow we ended up doing both 3.9 and 3.10 in queens09:54
openstackgerritColleen Murphy proposed openstack/keystone master: Fix api-ref v3.9 release identifier  https://review.openstack.org/61325710:00
*** Dinesh_Bhor has quit IRC10:11
*** shyamb has quit IRC10:21
*** shyamb has joined #openstack-keystone10:22
*** Dinesh_Bhor has joined #openstack-keystone10:29
*** ebukha has joined #openstack-keystone10:30
*** ebukha has quit IRC10:32
*** Emine has quit IRC10:38
*** Emine has joined #openstack-keystone10:39
*** shyamb has quit IRC10:39
*** Dinesh_Bhor has quit IRC10:56
*** shyamb has joined #openstack-keystone11:13
*** dave-mccowan has joined #openstack-keystone11:15
*** raildo has joined #openstack-keystone12:14
*** jistr_ is now known as jistr12:14
*** erus has quit IRC12:15
*** pcaruana has quit IRC12:26
*** pcaruana has joined #openstack-keystone12:39
*** shyamb has quit IRC12:51
openstackgerritJuan Antonio Osorio Robles proposed openstack/oslo.policy master: Add ability to pass in target data for the oslopolicy-checker  https://review.openstack.org/61331312:52
*** bnemec has joined #openstack-keystone12:56
*** orange_julius has quit IRC12:59
*** ebukha has joined #openstack-keystone13:04
*** felipemonteiro has joined #openstack-keystone13:23
*** aojea_ has joined #openstack-keystone13:26
*** jistr is now known as jistr|call13:29
*** tobberydberg has joined #openstack-keystone13:30
*** d0ugal has quit IRC13:33
*** lbragstad has joined #openstack-keystone13:33
*** ChanServ sets mode: +o lbragstad13:33
*** d0ugal has joined #openstack-keystone13:34
*** pcaruana has quit IRC13:37
*** d0ugal has quit IRC13:49
*** aojea_ has quit IRC13:50
*** aojea_ has joined #openstack-keystone13:51
*** mchlumsky_ has quit IRC13:54
*** aojea_ has quit IRC13:55
*** ayoung has quit IRC13:57
*** mchlumsky has joined #openstack-keystone14:06
-openstackstatus- NOTICE: Zuul and Nodepool services are being restarted to migrate them to a new Zookeeper cluster. THis brings us an HA database running on newer servers.14:39
*** jistr|call is now known as jistr14:50
gagehugoyeah tags were in queens14:54
*** tobberydberg has quit IRC14:56
cmurphyyeah i remember it came after pike by like this much -->| |<--14:57
gagehugoyup, heh14:58
*** devx has quit IRC15:04
*** tobberydberg has joined #openstack-keystone15:05
*** devx has joined #openstack-keystone15:05
*** ebukha has quit IRC15:13
*** tobberydberg has quit IRC15:13
kmalloccmurphy: we could probably do a derived thing :P15:23
kmallockinda like PBR does for git-versiobns15:23
kmallocbut it might be very magical in sphinx land.15:23
cmurphyheh15:23
kmallocand that worries me15:23
*** tobberydberg has joined #openstack-keystone15:25
-openstackstatus- NOTICE: The Zuul and Nodepool database transition is complete. Changes updated during the Zuul outage may need to be rechecked.15:31
*** erus has joined #openstack-keystone15:44
erusHi everybody :)15:44
kmallocerus: allo15:47
* kmalloc queues Labyrinth "Did you say hello", "no I said allo, but close enough" ;)15:48
eruseverything ok?15:48
kmallocyah, it's just slow to get started some mornings15:49
kmalloc^_^15:49
erusthat's true :)15:49
kmalloci think i need to hit coffee #2 and i might be able to get started thinking about code.15:50
erusI just finished my coffee but now I need some food, I'm really hungry :P15:51
erusI have finished a lot of flowcharts, I need a break15:52
erushaha15:52
lbragstadcoffee does sound like a good idea...15:56
lbragstadkmalloc https://review.openstack.org/#/c/613364/ contains a fix for the ironic gate15:57
kmalloclbragstad: yep15:58
kmalloc+115:58
kmalloclbragstad: that one should go out asap.15:58
kmallocerus: eeeeuuuwww flow charts ;)15:58
kmalloclbragstad: so...15:59
kmalloclbragstad: if i get SDK to par with KSC in the near future... you feel good marking ksc as deprecated [officially frozen, no more code unless security fix]15:59
kmallocthis cycle?15:59
kmallocor within say 90% of par.16:00
kmalloci already am pushing folks to contribute new things to SDK over ksc.16:00
*** itlinux has joined #openstack-keystone16:06
lbragstadyeah - that seems reasonable16:08
kmalloci'll propose a doc change (-1 workflow) indicating it's bitrottable16:12
kmallocand we'll see how far i can get in SDK / OSC in the next week or so16:12
kmallocbut i expect with real focus it can move quick, ksc doesn't really do *that* much16:12
kmalloc(in comparison to the server APIs)16:12
cmurphyhi erus o/16:14
*** gyee has joined #openstack-keystone16:16
*** emine__ has joined #openstack-keystone16:21
*** Emine has quit IRC16:24
*** jhesketh has joined #openstack-keystone16:25
*** mnaser has quit IRC16:26
*** mnaser has joined #openstack-keystone16:26
*** jhesketh_ has quit IRC16:27
knikollacmurphy: have you been following things with outreachy? i have not been able to monitor my mail very closely these days.16:42
cmurphyknikolla: yes, i have had several people reach out to me16:42
cmurphyit's a little overwhelming tbh16:42
cmurphybut only one so far for the federation project, that's erus16:42
*** imacdonn has quit IRC16:42
*** imacdonn has joined #openstack-keystone16:43
knikollacmurphy: did arica reach out to you as well? i just saw an email from yesterday about interest in the federation project16:43
cmurphyknikolla: no i haven't heard from them16:44
cmurphyif you want to forawrd them to me i can handle it16:44
openstackgerritMerged openstack/keystone master: Trivial: Remove repeated if conditions  https://review.openstack.org/61319816:44
cmurphythey need to record a contribution before they can formally apply so i've been having them get set up with gerrit and then make a 5000->35357 docs fix16:44
knikollaThanks, I'm a little overwhelmed these days.16:45
cmurphyer 35357->500016:45
knikollacmurphy: just forwarded their email to you16:45
cmurphythanks16:45
knikollaI'll try to catch up in the following week. Thanks for picking up my slack.16:46
cmurphyno problem16:46
*** dnguyen has joined #openstack-keystone16:49
erushi cmurphy o/16:51
*** shyamb has joined #openstack-keystone16:58
*** xek has quit IRC16:58
*** xek has joined #openstack-keystone16:59
*** pcaruana has joined #openstack-keystone17:03
*** shyamb has quit IRC17:20
openstackgerritColleen Murphy proposed openstack/python-keystoneclient master: [WIP] Convert functional tests to Zuulv3  https://review.openstack.org/61338517:30
mnasergood evening cmurphy17:35
mnaseraround for a quick application credential question by any chance? :)17:35
mnaser(i'll throw it here anyways)17:35
mnaserwhy is it that identity:create_application_credential => base.RULE_ADMIN_OR_OWNER17:35
mnaseri have a customer that is trying to experiment (i.e. give swift user role to an app cred user to do things)17:36
kmallocmnaser: so the idea is admins are allowed to create app-creds (for anyone, iirc), and owner is a check that user_id in the context/app_cred == user_id of the currently authenticated user17:42
kmallocjust looking at the rules. let me check the actual code.17:43
mnaseroh wait17:43
mnaseryou're right17:43
mnaserthats not ADMIN_API17:43
kmalloc:)17:44
kmalloci only know this stuff because i just spent a huge amount of time doing re-working of keystone17:44
mnaserstill, customer got: `{"error": {"message": "You are not authorized to perform the requested action: identity:create_application_credential.", "code": 403, "title": "Forbidden"}}`17:44
mnaserso maybe that could be a misleading error17:44
kmallocwell, that is a correct error if the user isn't allowed to do something17:45
*** aojea_ has joined #openstack-keystone17:45
kmallochm, let me see if i can do this against vexxhost... i should be able to right?17:45
kmalloc(basic account)17:45
mnaserkmalloc: yep17:46
kmalloccool17:46
kmallocgive me a moment17:46
kmallocgetting my creds from the password manager so i can snag a token (etc)17:46
mnaserAAAAH17:47
mnaseri think our uuid users have confused my customer.17:47
mnaserthey made a request to: https://auth.vexxhost.net/v3/users/xxxxxxxx-xxxx-xxxx-xxxx-blah/application_credentials17:48
mnaserbut i guess they should be hitting their real actual user id17:48
mnaserand im guessing keystone is like: no!17:48
*** mvkr has quit IRC17:50
*** aojea_ has quit IRC17:50
*** aojea_ has joined #openstack-keystone17:50
kmallocahh17:51
kmallocyeah17:51
kmallocthat is probably it17:51
*** felipemonteiro has quit IRC17:52
*** zzzeek_ has joined #openstack-keystone17:59
cmurphymnaser: o/18:02
mnasercmurphy: buffer but i think it might have been a brainfart + someone doing something wrong18:03
mnaser:P18:03
cmurphyi think that rule is slightly misleading because i'm not totally sure we even allow admins to create credentials for regular users18:03
cmurphybut owner should defintiely be able to create their own18:03
kmallocmnaser: ...18:09
kmallochttps://www.irccloud.com/pastebin/BcOVqpPp/18:09
kmallocmnaser: can confirm it works just fine against vexxhost ^18:09
kmallocmnaser: but i had to introspect the token to get user-id.18:10
kmallocmnaser: it wasn't straightforward, because the user-names look uuid/guid18:10
kmalloccmurphy: it looks like code wise we don't prevent admins from creating app_creds for other folks.18:11
kmalloccmurphy: but i didn't dig THAT deep.18:11
kmalloci might be totally wrong18:11
cmurphy¯\_(ツ)_/¯18:13
kmalloccmurphy: fwiw, barring my total inability to type, it was trivial to create the app cred from curl :) GJ!18:13
cmurphylol18:13
kmalloci think it's probably one of our cleanest interfaces18:13
cmurphyeh i hate that we stuck it in /users18:13
kmallocyes18:14
kmalloconce we have the next round of cleanup/work done18:14
kmalloci really want to discuss splitting auth to /auth and catalog to /catalog and really consider v4 for crud operations where we shuffle things and then update SDK to use v4 when it is available18:14
kmalloc(also drop the cruft from v3 we don't encourage people from using)18:15
kmallocas part of the broker/idp proxy bits where we need to make some clear decisions about $stuff$18:16
cmurphyhmmm /auth and /catalog separate would mean the sdk has to make two calls to keystone before it can even talk to a service18:16
kmallocno, you still emit catalog with the auth pass18:18
kmallocbut allow for an explicit "get me my catalog"18:18
kmallocwithout needing to validate the token (also useful for unscoped tokens)18:18
kmallocor even for unauth'd catalog data18:18
kmallocat the very least, split auth to /auth18:19
cmurphyoh okay18:19
kmalloc and /v3/auth would proxy to /auth behind the scenes in the v3 way so nothing breaks18:19
kmallocthe idea is we can iterate on auth things wihtout touching crud things and vice-versa18:19
kmallocthe pain of v2->v3 was that auth changed18:19
kmalloca lot18:19
kmalloci never want to repeat that.18:19
cmurphythe pain of v2->v3 was no one ever properly explained user_domain and project_domain ;)18:20
kmallocv4 in my mind doesn't implement auth explicitly, auth is a separate concern housed under /v3/auth and /auth (respectively, where /auth gets new features etc)18:20
kmallocLOL18:20
kmallocsure.18:20
kmallocalso domains suck18:20
kmallocbut that is something aside18:20
kmalloccmurphy: realistically if auth hadn't changed dramatically v2->v3 was crud changes.18:21
kmallocmy ultimate goal is auth is a separate concern from crud operations18:22
openstackgerritMerged openstack/keystone master: Updating doc of unified limit  https://review.openstack.org/61222618:26
openstackgerritMerged openstack/keystone master: Update third endpoint legacy port for Keystone v3 API  https://review.openstack.org/61317118:26
*** bnemec has quit IRC18:29
*** felipemonteiro has joined #openstack-keystone18:30
openstackgerritIslam Musleh proposed openstack/keystone master: Update keystone-manage bootstrap port instructions  https://review.openstack.org/61316318:32
openstackgerritGage Hugo proposed openstack/keystone master: Refactor flask domain config resources  https://review.openstack.org/61318218:36
*** felipemonteiro has quit IRC18:37
openstackgerritMerged openstack/keystone master: Remove useless "clean" file  https://review.openstack.org/61295418:39
kmalloccmurphy, lbragstad: I'm going to hold on the internal code shuffle on keystone until Stein is more solidified on new stuff18:41
kmalloce.g. moving things to keystone.subsystem.XXX18:42
kmalloc(managers, backends, etc)18:42
cmurphyo718:44
lbragstadwfm18:49
*** itlinux has quit IRC18:52
* kmalloc wanders off for a bit18:59
*** itlinux has joined #openstack-keystone19:03
*** imus has joined #openstack-keystone19:05
cmurphywelcome imus o/19:08
imusThanks!19:12
openstackgerritGage Hugo proposed openstack/keystone master: Remove check for disabled v3  https://review.openstack.org/61340219:30
*** lbragstad has quit IRC19:43
*** lbragstad has joined #openstack-keystone19:43
*** ChanServ sets mode: +o lbragstad19:43
openstackgerritColleen Murphy proposed openstack/keystone master: Delete administrator federation guide  https://review.openstack.org/61340820:00
*** dnguyen has quit IRC20:01
*** irclogbot_1 has joined #openstack-keystone20:01
openstackgerritguang-yee proposed openstack/keystonemiddleware master: account for services with no endpoints when parsing service catalog  https://review.openstack.org/61341020:04
openstackgerritColleen Murphy proposed openstack/keystone master: Delete administrator federation guide  https://review.openstack.org/61340820:05
openstackgerritguang-yee proposed openstack/keystonemiddleware master: Skip the services with no endpoints when parsing service catalog  https://review.openstack.org/61341020:05
*** irclogbot_1 has quit IRC20:22
openstackgerritguang-yee proposed openstack/keystonemiddleware master: Skip the services with no endpoints when parsing service catalog  https://review.openstack.org/61341020:27
*** dnguyen has joined #openstack-keystone20:31
*** imacdonn has quit IRC20:31
*** imacdonn has joined #openstack-keystone20:32
*** dnguyen_ has joined #openstack-keystone20:34
*** dnguyen has quit IRC20:37
*** dnguyen_ is now known as dnguyen20:37
*** xek has quit IRC20:42
*** raildo has quit IRC20:55
*** irclogbot_1 has joined #openstack-keystone21:15
*** erus has quit IRC21:46
*** itlinux has quit IRC21:52
openstackgerritLance Bragstad proposed openstack/keystone-specs master: Repropose JWT specification for Stein  https://review.openstack.org/54190322:02
*** emine__ has quit IRC22:24
mgagneis there a way to enforce a specific auth method on a per domain basis?22:35
*** mvkr has joined #openstack-keystone22:35
*** aojea_ has quit IRC22:37
*** erus has joined #openstack-keystone22:45
kmallocmgagne: no.23:01
kmallocyou can set some values in the MFA rules for specific users but that is largely undocumented23:01
mgagneI'm trying to test that feature. But would really like to have it per domain ;)23:02
kmallocit was a long term goal to consider expanding it to a domain default level23:02
kmallocbut for now we haven't approached that23:02
kmalloci think enhancements to that system will come after auth receipts23:02
mgagnethanks for the info, I'll see what I can do from there. ;)23:04
*** dnguyen has quit IRC23:47
*** gyee has quit IRC23:57
« Wednesday, 2018-10-24 Index Friday, 2018-10-26 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!