Monday, 2018-11-05

*** Dinesh_Bhor has joined #openstack-keystone		00:31
*** Dinesh_Bhor has quit IRC		00:31
*** david-outreachy has quit IRC		00:59
*** Dinesh_Bhor has joined #openstack-keystone		01:37
*** Dinesh_Bhor has quit IRC		01:37
*** imus has quit IRC		01:37
*** imus has joined #openstack-keystone		01:38
*** Dinesh_Bhor has joined #openstack-keystone		01:59
*** Dinesh_Bhor has quit IRC		02:31
*** Dinesh_Bhor has joined #openstack-keystone		02:40
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: [WIP] Implement scope_type checking for ec2 credentials https://review.openstack.org/607820	02:41
*** crisloma has joined #openstack-keystone		02:49
openstackgerrit	wangxiyuan proposed openstack/oslo.policy master: Add policy-upgrade tool https://review.openstack.org/613906	03:36
*** Dinesh_Bhor has quit IRC		03:47
*** Dinesh_Bhor has joined #openstack-keystone		03:51
*** dave-mccowan has quit IRC		04:00
*** crisloma has quit IRC		04:01
*** aojea has joined #openstack-keystone		04:35
adriant	kmalloc, cmurphy: Auth receipts have landed! Thanks for the review feedback! Will try and get a patch for the docs up this week between summit prep. Then what's my deadline for getting code supporting them merged into keystoneauth1 for Stien?	04:36
adriant	my task list for them now is: 1. API docs, and MFA rules docs. 2. Keystoneauth support 3. Horizon support (multi-step login) 4. Openstackcli support (it attempts password, fails, then uses auth receipt to ask for missing auth values).	04:38
*** aojea has quit IRC		04:39
*** Nel1x has quit IRC		04:58
*** pcaruana has joined #openstack-keystone		05:23
*** Dinesh_Bhor has quit IRC		05:24
*** Dinesh_Bhor has joined #openstack-keystone		05:30
*** pcaruana has quit IRC		05:32
*** zul has quit IRC		05:49
*** felipemonteiro has joined #openstack-keystone		06:49
*** jaosorior has joined #openstack-keystone		07:13
*** jaosorior has quit IRC		07:24
*** jaosorior has joined #openstack-keystone		07:27
*** Dinesh_Bhor has quit IRC		07:54
*** felipemonteiro has quit IRC		08:00
*** pcaruana has joined #openstack-keystone		08:06
*** ykarel has joined #openstack-keystone		08:27
adriant	kmalloc: ykarel seems to be getting some weird 401 errors in tests since merging the auth receipts patch. Weird thing, it is happening on random tests, as if the tokens are expiring. They are also doing fernet_rotate with a cron every 10 mins (sort of) with: "/10 * * *"	08:29
adriant	lbragstad, cmurphy: ^	08:29
ykarel	yup is doing cron that frequent is correct, what's the ideal config that should be done in deployment, and doc , any reference?	08:30
ykarel	kmalloc, lbragstad cmurphy ^^	08:30
adriant	I'm not sure what the auth receipts patch could have done to make the problem suddenly appear. I'm going to put up a patch for him to test with a lot of extra debug logging because the current keystone.log isn't showing me anything useful	08:30
adriant	I was worried that maybe my changes caused keystone_rotate to double rotate, but... I don't think so	08:31
adriant	*fernet_rotate	08:31
*** amoralej has joined #openstack-keystone		08:37
ykarel	adriant, is this difference expected after that keystone patch:	08:39
ykarel	passing job before that patch: https://centos.logs.rdoproject.org/weirdo-generic-puppet-openstack-scenario004/3372/weirdo-project/logs/etc/keystone/fernet-keys/	08:39
ykarel	failing job after that patch:- https://centos.logs.rdoproject.org/weirdo-generic-puppet-openstack-scenario004/3374/weirdo-project/logs/etc/keystone/fernet-keys/	08:39
ykarel	the only difference in these two jobs is the keystone patch: https://github.com/openstack/keystone/commit/c785729efee0daf472301719e0b41e9ff2b7c64d and one nova patch(which seems unrelated)	08:40
ykarel	jfi nova patch was: https://github.com/openstack/nova/commit/781c22818ff0e0aff839b1b47e2db1fba756c875	08:41
openstackgerrit	Adrian Turjak proposed openstack/keystone master: [DO NOT MERGE] Extra debug for puppet-openstack-integration failures https://review.openstack.org/615502	08:47
adriant	ykarel: can you please try with the above patch ^ ?	08:47
adriant	not sure if you can, but those extra debug statements would help me when looking at the keystone log during your tests	08:47
ykarel	adriant, ack, amoralej can we test keystone ^^ patch in poi? i am not sure we build packages with Depends-On ?	08:51
amoralej	no, we don't	08:51
amoralej	we need to test manually	08:51
cmurphy	o/	08:51
ykarel	amoralej, okk will test that locally	08:52
adriant	cmurphy: hello! Not really sure what could be happening here :(	08:52
adriant	it almost looks like a fernet over rotation, but their config appears to be 5 keys, and rotate every 10th minute i the hour	08:53
adriant	so unless their tests take over 50mins... that shouldn't be causing 401s	08:53
cmurphy	the logs sure make fernet look suspicious https://centos.logs.rdoproject.org/weirdo-generic-puppet-openstack-scenario001/6726/weirdo-project/logs/keystone/keystone.txt.gz?level=WARNING#_2018-11-04_21_42_52_723	08:55
cmurphy	adriant: it looks like it's double-rotating every time https://centos.logs.rdoproject.org/weirdo-generic-puppet-openstack-scenario001/6726/weirdo-project/logs/keystone/keystone.txt.gz?level=INFO#_2018-11-04_21_30_03_250	08:56
cmurphy	so this is not doing the right thing i guess http://git.openstack.org/cgit/openstack/keystone/tree/keystone/cmd/cli.py#n471	08:57
adriant	yeah, which is weird :/	08:58
adriant	https://github.com/openstack/keystone/blob/master/keystone/conf/fernet_tokens.py#L20	08:59
adriant	https://github.com/openstack/keystone/blob/master/keystone/conf/fernet_receipts.py#L22	08:59
adriant	unless....	08:59
adriant	OH	08:59
adriant	sec, lemme check something	08:59
cmurphy	https://centos.logs.rdoproject.org/weirdo-generic-puppet-openstack-scenario004/3372/weirdo-project/logs/etc/keystone/keystone.conf.txt.gz	08:59
cmurphy	they set [fernet_tokens]/key_repository to /etc/keystone/fernet-keys without the /	09:00
adriant	yeah	09:00
adriant	that's what I was thinking	09:00
adriant	hmmm	09:00
adriant	so sort of not entirely my fault... but also a weird one	09:00
*** Dinesh_Bhor has joined #openstack-keystone		09:01
cmurphy	yeah weird corner case, we'll have to make it rstrip the / before the comparison or something	09:01
adriant	maybe i can do some real filepath comparison?	09:02
cmurphy	++	09:02
adriant	we can have it build a real OS path for both and then compare	09:02
openstackgerrit	Merged openstack/keystone master: Use port 5000, keystone-wsgi-public and --http-socket https://review.openstack.org/614734	09:02
adriant	ykarel, amoralej: you two see the above?	09:03
adriant	it's an easy fix to your conf, but I will get it fixed with a patch soon	09:03
amoralej	ykarel, ^ are you building a reproducer?	09:04
* ykarel reading back		09:04
adriant	cmurphy: if only we could be python3 only right now I could use pathlib :(	09:05
ykarel	amoralej, yes i am building	09:05
ykarel	adriant, so should i try ur patch or just that config fix, key_repository?	09:05
adriant	ykarel: my patch will tell you the same thing	09:05
adriant	you're rotating twice each time	09:05
adriant	just change your config	09:06
adriant	or just use the default	09:06
ykarel	adriant, okk so just trying the config change	09:06
adriant	meanwhile I'll get a patch up to compare real paths rather than stirngs	09:06
adriant	so this problem goes away	09:06
ykarel	amoralej, ^^ i will try that in ci itself	09:07
ykarel	with current repo	09:07
amoralej	ack	09:07
adriant	cmurphy: any objections to me adding pathlib2 to keystone requirements? with a note to switch to py3 pathlib when py2 is dropped?	09:15
adriant	it's already in global requirements: https://github.com/openstack/requirements/blob/master/upper-constraints.txt#L282	09:15
adriant	yes I could use other means, but pathlib is just so much cleaner, and come py3 we'll use it anyway	09:15
cmurphy	adriant: seems sort of heavy handed to add a new dependency when the same thing can be accomplished with just rstrip or os.path	09:18
adriant	fair, but I'll leave a note to switch to pathlib when we drop py2	09:19
cmurphy	okay	09:19
adriant	cmurphy: it's just so nice: http://paste.openstack.org/show/734131/	09:20
cmurphy	adriant: i mean http://paste.openstack.org/show/734132/	09:22
* adriant bows to cmurphy		09:23
adriant	done, adding the code now	09:23
cmurphy	;)	09:23
adriant	I think some part of my just loves the idea of a path as an object with its own magical ability to compare against another of its kind rather than a string, but it is very much an irrational one :P	09:26
openstackgerrit	wangxiyuan proposed openstack/oslo.limit master: Add limit check func https://review.openstack.org/596520	09:31
ykarel	adriant, amoralej testing https://review.openstack.org/#/c/614988/	09:31
*** pcaruana has quit IRC		09:31
openstackgerrit	Adrian Turjak proposed openstack/keystone master: Fix an issue with double fernet key rotation https://review.openstack.org/615516	09:32
amoralej	ykarel, iiuc ^ that's the fix	09:32
*** pcaruana has joined #openstack-keystone		09:32
ykarel	amoralej, yes adriant is fixing it in keystone https://review.openstack.org/615516	09:33
adriant	oh wait, missed one	09:33
adriant	sec	09:33
cmurphy	bah i don't think we have unit tests for the fernet_rotate cli	09:33
openstackgerrit	Adrian Turjak proposed openstack/keystone master: Fix an issue with double fernet key rotation https://review.openstack.org/615516	09:34
ykarel	amoralej, and in poi https://review.openstack.org/#/c/615513/ if keystone patch takes time	09:34
adriant	there we go	09:34
adriant	I didn't change both fernet_setup and fernet_rotate ... :/	09:34
amoralej	ok, ok, i see it now	09:34
amoralej	ykarel, Syntax error at 'fernet_max_active_keys' (file: /etc/puppetlabs/code/modules/openstack_integration/manifests/keystone.pp	09:35
ykarel	i think i missed comma	09:35
amoralej	yeap	09:35
ykarel	Fixed	09:36
* adriant is happy this wasn't a huge break		09:36
adriant	apart from this no one should hit anything with auth receipts until they actually add rules, which considering there aren't any docs on how, is not something I expect to happen yet	09:37
*** ykarel is now known as ykarel\|lunch		09:41
*** ykarel\|lunch is now known as ykarel		10:05
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Fix uwsgi --http flag https://review.openstack.org/615522	10:15
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Remove deprecated "bind" in token https://review.openstack.org/613891	10:18
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Remove deprecated "bind" in token https://review.openstack.org/613891	10:19
*** nkinder has quit IRC		10:32
*** Dinesh_Bhor has quit IRC		10:34
ykarel	adriant, amoralej cmurphy job passed with trailing slash in [fernet_token]/key_repository: http://logs.openstack.org/88/614988/4/check/puppet-openstack-integration-5-scenario002-tempest-centos-7/372d448/logs/testr_results.html.gz	11:43
amoralej	good	11:44
*** beekneemech has quit IRC		11:53
*** bnemec has joined #openstack-keystone		11:57
*** dave-mccowan has joined #openstack-keystone		12:04
*** raildo has joined #openstack-keystone		12:10
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/oslo.policy master: WIP: Create OPA check https://review.openstack.org/614224	12:21
*** jroll has quit IRC		12:32
*** jroll has joined #openstack-keystone		12:34
*** amoralej is now known as amoralej\|lunch		13:06
*** imus has quit IRC		13:10
*** zul has joined #openstack-keystone		13:15
*** jistr is now known as jistr\|call		13:32
*** aojea has joined #openstack-keystone		13:33
*** aojea has quit IRC		13:40
*** aojea has joined #openstack-keystone		13:40
*** aojea has quit IRC		13:45
*** felipemonteiro has joined #openstack-keystone		13:53
*** amoralej\|lunch is now known as amoralej		14:00
*** aojea has joined #openstack-keystone		14:05
*** jistr\|call is now known as jistr		14:08
*** david-outreachy has joined #openstack-keystone		14:08
*** nelsnelson has joined #openstack-keystone		14:12
*** felipemonteiro has quit IRC		14:21
amoralej	could we get reviews on https://review.openstack.org/#/c/615516/2 ?	14:22
amoralej	it's blocking promotions in RDO	14:22
*** SteelyDan is now known as dansmith		14:37
*** aojea has quit IRC		14:40
*** aojea has joined #openstack-keystone		14:41
*** felipemonteiro has joined #openstack-keystone		14:42
*** felipemonteiro has quit IRC		14:45
*** aojea has quit IRC		14:45
*** mvkr has quit IRC		14:47
*** ekikoh has joined #openstack-keystone		14:48
cmurphy	kmalloc: good morning https://review.openstack.org/615446	14:52
*** imus has joined #openstack-keystone		14:56
*** munimeha1 has joined #openstack-keystone		15:02
*** jistr is now known as jistr\|call		15:04
gagehugo	o/	15:10
*** ekikoh has quit IRC		15:10
*** jistr\|call is now known as jistr		15:10
openstackgerrit	David.O proposed openstack/keystonemiddleware master: Documentation Fix - auth_url Port Number https://review.openstack.org/615582	15:13
*** mvkr has joined #openstack-keystone		15:15
*** d34dh0r53 has quit IRC		15:22
*** cloudnull has quit IRC		15:22
*** eglute has quit IRC		15:22
*** d34dh0r53 has joined #openstack-keystone		15:23
*** eglute has joined #openstack-keystone		15:23
*** chudler has left #openstack-keystone		15:33
*** dklyle has joined #openstack-keystone		16:02
*** pcaruana has quit IRC		16:06
*** nels has joined #openstack-keystone		16:13
*** nelsnelson has quit IRC		16:15
*** imacdonn has quit IRC		16:16
*** imacdonn has joined #openstack-keystone		16:17
openstackgerrit	Merged openstack/keystone master: Fix an issue with double fernet key rotation https://review.openstack.org/615516	16:22
kmalloc	cmurphy: +2/+A there has to be a better way to do that	16:32
kmalloc	but... that fixes the immediate problem	16:33
kmalloc	cmurphy: does that need backporting to rocky too?	16:33
cmurphy	kmalloc: oh probably, i didn't check	16:34
*** nkinder has joined #openstack-keystone		16:34
cmurphy	yeah we don't test that dev env thing really	16:34
kmalloc	yup	16:37
kmalloc	if it isn't tested, it's broken imo	16:37
cmurphy	agreed but it's documented so we should strive for it being unbroken	16:37
kmalloc	yep	16:38
cmurphy	kmalloc: https://review.openstack.org/615598	16:41
openstackgerrit	Merged openstack/keystone master: Fix developer config dir flask aftermath https://review.openstack.org/615446	16:41
kmalloc	cmurphy: +2/+A	16:43
*** nkinder has quit IRC		16:47
*** openstackgerrit has quit IRC		16:48
*** cwright has quit IRC		16:48
*** cwright has joined #openstack-keystone		16:49
*** gyee has joined #openstack-keystone		17:02
*** openstackgerrit has joined #openstack-keystone		17:09
openstackgerrit	Merged openstack/oslo.policy master: Add ability to pass in target data for the oslopolicy-checker https://review.openstack.org/613313	17:09
*** nels has quit IRC		17:18
*** nelsnelson has joined #openstack-keystone		17:21
*** ykarel has quit IRC		17:23
*** mriedem has joined #openstack-keystone		17:37
mriedem	lbragstad: are you ok with me removing the lazy translation stuff from keystone? https://github.com/openstack/keystone/blob/e3c1633ea871cac1af5c9515752c3632edfcb476/keystone/server/flask/core.py#L26	17:37
lbragstad	mriedem that's causing issues with the upgrade checker goal, right?	17:37
mriedem	yeah. bnemec has a workaround for that for now https://review.openstack.org/#/c/615610/	17:38
mriedem	but i just didn't realize other projects still had that lazy translation stuff i nthem	17:38
mriedem	pretty sure no one uses it	17:38
*** stewie925 has joined #openstack-keystone		17:38
mriedem	so at best it's just dead code, at worst it's going to break thigns	17:38
mriedem	i can hit up the ops list as well	17:40
lbragstad	the justification in https://bugs.launchpad.net/oslo.i18n/+bug/1801761 makes sense	17:40
openstack	Launchpad bug 1801761 in oslo.upgradecheck "enable_lazy should be deprecated/removed" [High,In progress] - Assigned to Ben Nemec (bnemec)	17:40
lbragstad	i don't have any reason to hold on to it, but confirmation on the ML would be nice	17:41
kmalloc	mriedem: happy to remove the lazy translate stuff if it's not needed	17:48
*** dave-mccowan has quit IRC		17:49
kmalloc	lbragstad: looks like i'm going to need to write a new memcache driver for oslo.cache becasue apparantly we broke redis when we fixed the URL processing in the arguemnt.url thing	17:58
kmalloc	unrelated... someone should really tell ceiliometer not to use redis ever.	17:58
*** erus has joined #openstack-keystone		18:00
gagehugo	kmalloc: I was looking at https://bugs.launchpad.net/oslo.cache/+bug/1578466, could we add that effort in as well?	18:06
openstack	Launchpad bug 1578466 in oslo.cache "cache should offer encryption in a similar manner to keystonemiddleware cache does" [Wishlist,Confirmed]	18:06
kmalloc	gagehugo: that is just a proxy, it's a lot easier to develop	18:07
kmalloc	gagehugo: it's been on a long long long long list of would like to do	18:07
kmalloc	that said, i worry about the CPU cost of both serializing and encrypt/signing the data	18:07
* kmalloc would honestly rather deprecate that functionality in KSM		18:08
*** aojea has joined #openstack-keystone		18:08
gagehugo	hmm	18:09
* kmalloc goes and gets pymemcache out and starts writing a driver.		18:24
kmalloc	if it works i'll override the default in oslo.cache	18:24
* kmalloc also has some oslomiddleware code to drop soon.		18:24
*** aojea has quit IRC		18:29
*** aojea has joined #openstack-keystone		18:29
*** jmlowe has quit IRC		18:30
*** aojea has quit IRC		18:40
*** david-outreachy has quit IRC		18:48
*** david-outreachy has joined #openstack-keystone		18:48
*** aojea has joined #openstack-keystone		18:51
*** aojea has quit IRC		18:51
*** mriedem has left #openstack-keystone		18:51
*** aojea has joined #openstack-keystone		18:52
*** jmlowe has joined #openstack-keystone		18:54
*** mvkr has quit IRC		18:55
*** aojea has quit IRC		18:56
*** david-outreachy has quit IRC		19:02
*** david-outreachy has joined #openstack-keystone		19:03
openstackgerrit	Merged openstack/keystonemiddleware master: Documentation Fix - auth_url Port Number https://review.openstack.org/615582	19:07
*** david-outreachy has quit IRC		19:07
*** xek_ has joined #openstack-keystone		19:09
*** xek has quit IRC		19:12
*** zul has quit IRC		19:24
*** amoralej is now known as amoralej\|of		19:41
*** amoralej\|of is now known as amoralej\|off		19:41
*** jmlowe has quit IRC		20:19
openstackgerrit	Lance Bragstad proposed openstack/oslo.limit master: WIP: Expose enforcement API outside of ctx manager https://review.openstack.org/615643	20:27
*** jmlowe has joined #openstack-keystone		20:39
*** david-outreachy has joined #openstack-keystone		20:49
*** erus has quit IRC		20:54
*** aojea has joined #openstack-keystone		21:07
*** raildo has quit IRC		21:15
*** itlinux has joined #openstack-keystone		21:23
*** david-ou_ has joined #openstack-keystone		21:37
*** david-ou_ has quit IRC		21:38
*** david-outreachy has quit IRC		21:40
*** imus has quit IRC		21:48
*** felipemonteiro has joined #openstack-keystone		22:28
*** munimeha1 has quit IRC		22:42
*** itlinux has quit IRC		22:45
*** mvkr has joined #openstack-keystone		22:51
*** felipemonteiro has quit IRC		23:07
*** lbragstad has quit IRC		23:09
*** lbragstad has joined #openstack-keystone		23:10
*** ChanServ sets mode: +o lbragstad		23:10
*** xek__ has joined #openstack-keystone		23:21
*** xek_ has quit IRC		23:24
*** aojea has quit IRC		23:58

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!