Tuesday, 2018-11-20

*** hoonetorg has quit IRC 00:35
*** hoonetorg has joined #openstack-keystone 00:37
*** hoonetorg has quit IRC 00:40
*** hoonetorg has joined #openstack-keystone 00:41
*** prashkre has joined #openstack-keystone 01:21
*** prashkre has quit IRC 01:44
*** prashkre has joined #openstack-keystone 01:45
*** Dinesh_Bhor has joined #openstack-keystone 01:49
*** Dinesh_Bhor has quit IRC 01:55
*** prashkre has quit IRC 01:59
*** prashkre has joined #openstack-keystone 01:59
*** Dinesh_Bhor has joined #openstack-keystone 02:04
*** prashkre has quit IRC 02:22
*** prashkre has joined #openstack-keystone 02:22
*** prashkre has quit IRC 02:39
*** Dinesh_Bhor has quit IRC 03:42
*** dklyle has quit IRC 03:45
*** david-lyle has joined #openstack-keystone 03:45
*** Dinesh_Bhor has joined #openstack-keystone 04:01
*** prashkre has joined #openstack-keystone 04:54
*** links has joined #openstack-keystone 05:56
*** sapd1 has joined #openstack-keystone 06:11
*** Dinesh_Bhor has quit IRC 06:25
*** Dinesh_Bhor has joined #openstack-keystone 06:28
*** spsurya has joined #openstack-keystone 06:39
*** sapd1 has quit IRC 06:39
*** sapd1 has joined #openstack-keystone 07:04
*** pcaruana has joined #openstack-keystone 07:20
<openstackgerrit> wangxiyuan proposed openstack/keystone master: Fix py36 CI  https://review.openstack.org/618954 07:23
*** pcaruana has quit IRC 07:34
*** pcaruana has joined #openstack-keystone 07:40
*** artem_vasilyev has joined #openstack-keystone 07:42
*** prashkre has quit IRC 07:50
<openstackgerrit> Merged openstack/keystone master: Add scope documentation for service developers  https://review.openstack.org/554727 07:57
*** prashkre has joined #openstack-keystone 08:37
*** sapd1 has quit IRC 08:37
*** sapd1 has joined #openstack-keystone 08:37
*** amoralej|off is now known as amoralej 08:40
<openstackgerrit> wangxiyuan proposed openstack/keystone master: Fix py36 CI  https://review.openstack.org/618954 08:54
*** lbragstad has joined #openstack-keystone 08:54
*** ChanServ sets mode: +o lbragstad 08:54
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Document user options  https://review.openstack.org/618823 09:00
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Update api-ref to include user options  https://review.openstack.org/603319 09:00
*** sapd1 has quit IRC 09:22
<openstackgerrit> wangxiyuan proposed openstack/keystone master: Fix py36 CI  https://review.openstack.org/618954 09:25
*** links has quit IRC 09:26
*** sapd1 has joined #openstack-keystone 09:49
*** sapd1 has quit IRC 09:54
*** shrasool has joined #openstack-keystone 10:02
<openstackgerrit> wangxiyuan proposed openstack/keystone master: Fix py36 CI  https://review.openstack.org/618954 10:22
*** sapd1 has joined #openstack-keystone 10:26
*** sapd1 has quit IRC 10:31
<wxy-xiyuan> lbragstad: Sorry that I can not attend today's weekly meeting since our community is in power outage. For the patch https://review.openstack.org/618954, feel free to take it over if needed. Thanks. 10:48
<lbragstad> wxy-xiyuan sounds good - thanks for the heads up! 10:49
*** Dinesh_Bhor has quit IRC 10:56
*** Dinesh_Bhor has joined #openstack-keystone 10:58
*** Dinesh_Bhor has quit IRC 10:59
*** shrasool has quit IRC 11:07
*** shrasool has joined #openstack-keystone 11:08
<knikolla> just missed my flight :( 11:24
*** xek_ has joined #openstack-keystone 11:24
*** xek__ has quit IRC 11:27
*** prashkre has quit IRC 11:32
<lbragstad> out of germany?! 11:41
*** prashkre has joined #openstack-keystone 11:53
*** raildo has joined #openstack-keystone 12:04
*** prashkre has quit IRC 12:06
*** xek_ is now known as xek 12:06
*** amoralej is now known as amoralej|lunch 12:08
*** shrasool has quit IRC 12:25
*** prashkre has joined #openstack-keystone 12:30
*** prashkre_ has joined #openstack-keystone 12:35
*** prashkre has quit IRC 12:37
*** prashkre_ has quit IRC 12:47
*** prashkre has joined #openstack-keystone 12:50
*** prashkre has quit IRC 12:57
*** prashkre_ has joined #openstack-keystone 12:57
*** vishakha has quit IRC 13:07
*** jrist has quit IRC 13:11
*** jrist has joined #openstack-keystone 13:13
<knikolla> lbragstad: yes. deutsche bahn messed up. the express train to the airport had a 1hr delay due to a disabled train blocking the way. 13:16
<lbragstad> bummer - when do you think you'll be able to make it out? 13:16
<knikolla> i booked a different flight which departs in 5hrs and makes it to boston tomorrow afternoon 13:17
*** prashkre_ has quit IRC 13:17
<knikolla> this expense report will be... tricky... to say the least. 13:18
<lbragstad> well - hopefully you'll make it home before heavy holiday travel starts 13:18
*** frickler has joined #openstack-keystone 13:24
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Update api-ref to include user options  https://review.openstack.org/603319 13:25
*** erus has joined #openstack-keystone 13:26
<erus> Hello everyone :) 13:26
<knikolla> hello :) 13:27
<lbragstad> so - PSA 13:27
<lbragstad> the python 3.6 gate is broken in keystone 13:28
<lbragstad> wxy-xiyuan has a patch to get it straightened out https://review.openstack.org/#/c/618954/ 13:28
<lbragstad> if anyone has some time to look, i'll see if i can get it passing lower-constraints 13:29
<lbragstad> but any code changes are going to fail until that's fixed (if you've been wondering why rechecks aren't working) 13:30
*** amoralej|lunch is now known as amoralej 13:32
<frickler> the federation functional jobs are failing on Bionic because some packages aren't installable. I already pinged jamespage from Canonical about it, maybe someone from keystone interested in this topic can help https://bugs.launchpad.net/keystone/+bug/1802901 13:38
<openstack> Launchpad bug 1802901 in OpenStack Identity (keystone) "Federation functional job failing on Bionic" [Undecided,New] 13:38
<lbragstad> interesting - i wonder what's referencing libxmltooling7 13:41
* lbragstad bets on pysaml 13:41
<lbragstad> oh - it's the mod-shib plugin 13:42
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Use pycodestyle in place of pep8  https://review.openstack.org/618954 13:44
<artem_vasilyev> Hi, review would be appreciated: https://review.openstack.org/#/c/618095/ And is it possible to backport this feature to Queens, or only bugs are backported? 13:59
*** erus has quit IRC 13:59
<lbragstad> since that's a borderline feature - i doubt we'll be able to backport it to queens 14:00
<artem_vasilyev> thanks for the clarification 14:01
*** ign0tus has joined #openstack-keystone 14:02
*** erus has joined #openstack-keystone 14:12
*** shrasool has joined #openstack-keystone 14:17
*** ign0tus has quit IRC 14:51
*** artem_vasilyev has quit IRC 14:54
*** prashkre has joined #openstack-keystone 15:08
*** edmondsw has joined #openstack-keystone 15:14
*** prashkre has quit IRC 15:33
*** dave-mccowan has joined #openstack-keystone 15:41
*** prashkre has joined #openstack-keystone 15:43
<kmalloc> lbragstad: yeah that isn't something i'd backport 15:49
* lbragstad refills coffee before the meeting 15:49
<kmalloc> hm. 15:50
*** itlinux has quit IRC 15:57
*** shrasool has quit IRC 15:57
*** prashkre has quit IRC 16:04
*** prashkre has joined #openstack-keystone 16:04
*** prashkre has quit IRC 16:12
*** prashkre has joined #openstack-keystone 16:12
*** shrasool has joined #openstack-keystone 16:13
*** shrasool has quit IRC 16:28
*** ayoung has joined #openstack-keystone 16:38
*** itlinux has joined #openstack-keystone 16:43
*** prashkre has quit IRC 16:50
*** prashkre_ has joined #openstack-keystone 16:50
<tobias-urdin> anybody here that could help me out, not sure if i found a bug in keystoneclient or horizon is doing it wrong 16:54
<tobias-urdin> when changing password this is called https://github.com/openstack/python-keystoneclient/blob/3.17.0/keystoneclient/v3/users.py#L224 16:54
<tobias-urdin> but results in "POST /v3/users/None/password HTTP/1.1" 401 114 "-" "python-keystoneclient" 16:54
<tobias-urdin> which is obviously wrong, this is where horizon calls it https://github.com/openstack/horizon/blob/14.0.0/openstack_dashboard/api/keystone.py#L573 16:54
<tobias-urdin> i logged the "client.user_id" value and it was the correct user id 16:55
<tobias-urdin> i suspect it maybe should be client.client.user_id which also is kind of weird 16:55
<ayoung> tobias-urdin, looks like that "client" is really wrapped here https://github.com/openstack/horizon/blob/14.0.0/openstack_dashboard/api/keystone.py#L137 16:57
<ayoung> tobias-urdin, feels like a bug in Horizon, but client should also not do the None thing 16:58
<tobias-urdin> ah thx, i'll dig some more 16:58
<kmalloc> ayoung: ++ 16:59
<ayoung> tobias-urdin, it might be pulled out of the cache, but if not, it is created here: https://github.com/openstack/horizon/blob/14.0.0/openstack_dashboard/api/keystone.py#L199 16:59
<ayoung> tobias-urdin, if you hack it to be client.client.user_id does it work? 17:01
<ayoung> kmalloc, is that at all safe?  Seems like a race condition waiting to happen?  Pulling the client out of cache? I guess there is one per user-session? 17:02
<kmalloc> hmm 17:02
<tobias-urdin> client.client.user_id raised exception with "Unknown Attribute: client" 17:02
<kmalloc> it should be one per user-session 17:02
<ayoung> we should not be updating it post creation whatever 17:02
<kmalloc> if it is anything else, i'd worry. 17:03
<ayoung> tobias-urdin, OK, and you said you logged it and it was the right value?  Seems like maybe setting it on the client is a hack, not the right approach. 17:03
<kmalloc> i am just not 100% sure on the django-isms. 17:03
<tobias-urdin> i logged client.user_id which is set by that request.user.id and that was the correct user id 17:04
*** amoralej is now known as amoralej|off 17:04
<ayoung> still, that is old code 17:05
<ayoung> e027878791 openstack_dashboard/api/keystone.py (Zhenguo Niu          2013-12-04 16:03:56 +0800  569)     client.user_id = request.user.id 17:05
<ayoung> interesting...that was not the original code.  The update of the user_id happened only for V2, but was moved to support V3 17:06
*** shrasool has joined #openstack-keystone 17:07
<ayoung> tobias-urdin, try commenting out that explicit set.  It might be messing with the client 17:07
<ayoung> and, we should not be setting the user_id on the client post creation. 17:07
<tobias-urdin> "POST /v3/users/None/password HTTP/1.1" 401 114 "-" "python-keystoneclient" 17:10
<tobias-urdin> no luck 17:10
<tobias-urdin> here is the trace: http://paste.openstack.org/show/735822/ 17:12
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Use pycodestyle in place of pep8  https://review.openstack.org/618954 17:16
<lbragstad> ^ that should get the py36 gate passing 17:16
*** shrasool has quit IRC 17:20
<tobias-urdin> ayoung: kmalloc thanks for helping out, got words from the #openstack-horizon channel that it was fixed in https://review.openstack.org/#/q/Idb296d1b10fa02a0b4852e96fe8cb2bdd70380e0 17:20
<tobias-urdin> it just isn't released yet... :| sorry for wasting some time 17:21
<ayoung> tobias-urdin, no problem.  And that is the wrong place to put the fix IMNSHO 17:21
<ayoung> it should be back on the client creation code...let's see why it wasn't 17:22
<ayoung> client.users.client.session.auth.user_id = request.user.id 17:22
<tobias-urdin> seems like they were aware it was a bad solution though 17:23
<ayoung> client.users.client.session.auth.user_id = request.user.id 17:24
<ayoung> um 17:24
<ayoung>         keystone_session = session.Session(auth=token_auth, 17:24
<ayoung>                                            original_ip=remote_addr, 17:24
<ayoung>                                            verify=verify) 17:24
<ayoung>         conn = client_version['client'].Client(session=keystone_session, 17:24
<ayoung>                                                debug=settings.DEBUG) 17:24
<ayoung> auth should have the user_id in it, as it is token_auth 17:24
<ayoung> they are doing token_auth... 17:27
*** tobias-urdin is now known as tobias-urdin_afk 17:27
<ayoung> kmalloc, ^^ they are using token-endpoint from KSA.  the comment there says "This is really only useful for testing and in certain CLI cases where you 17:30
<ayoung>     have a known endpoint and admin token that you want to use." 17:30
<ayoung> but we are not using an admin_token to change password, we are using the users token, which is why they are setting the user_id 17:30
*** sapd1 has joined #openstack-keystone 17:31
<ayoung> should they be using a different auth plugin, like v3/token instead? 17:31
<ayoung> or...calling get_auth_ref off that? 17:32
<ayoung> tobias-urdin_afk, I know you want to be done with this, but I would ask that, since you have a cluster set up, could you try one more thing: 17:33
<ayoung> in the keystoneclient function, instead of  token_auth = token_endpoint.Token(endpoint=endpoint, 17:34
<ayoung>                                           token=token_id) 17:34
<ayoung> do 17:34
<ayoung>                                           token=token_id).auth_ref 17:34
<ayoung> meh forget it 17:34
<ayoung> it should do that implicitly, I think 17:34
*** sapd1 has quit IRC 17:35
<ayoung> oh...and that gives "None" anyway 17:35
*** prashkre_ has quit IRC 17:35
*** lbragstad has quit IRC 17:38
*** lbragstad has joined #openstack-keystone 17:41
*** ChanServ sets mode: +o lbragstad 17:41
<lbragstad> i have a few oslo reviews if people are interested 17:46
<lbragstad> https://review.openstack.org/#/c/613635/ 17:46
<lbragstad> and https://review.openstack.org/#/c/611443/ 17:47
<lbragstad> which should help us get back on track with the policy changes 17:47
<kmalloc> ayoung: probably 17:48
<ayoung> kmalloc, we need a jamielennox clone 17:49
<kmalloc> except even with jamielennox a lot of this didn't happen 17:49
<ayoung> lbragstad, um  I think that needs to be project_domain_id 17:49
<ayoung> lbragstad, correction 17:50
<ayoung> I think that needs to be mutually exclusive with project_domain_id as well as project_name 17:50
<lbragstad> domain_id is for domain scoped tokens 17:50
<ayoung> lbragstad, right 17:50
<lbragstad> project_domain_id is only present for project-scoped tokens 17:51
<ayoung> and it should only be set either/or 17:51
<lbragstad> you can't get a token scoped to both a project and domain 17:51
<lbragstad> so aren't they already mutually exclusive? 17:51
<ayoung> But we set both there....I'm wondering if there is a problem, 17:51
<ayoung> maybe not 17:51
<lbragstad> well - those are populated based on the env 17:52
*** shrasool has joined #openstack-keystone 17:52
<ayoung> god I hate domains 17:52
<lbragstad> which should be done by ksm 17:52
<ayoung> and we need this only for Keystone, right? 17:52
<ayoung> right now, no one can enforce policy on domain scoped tokens because it is not in context 17:52
<ayoung> I kinda like that 17:53
<lbragstad> well - it'll set the context.domain_id attribute for anyone that is passing a domain-scoped token to a service using oslo.context 17:53
<ayoung> lbragstad, you are making this change explicitly for Keystone, right? So it can use these from middleware in our policy? 17:54
<kmalloc> ayoung: you uploading the slides for our talk? 17:54
<ayoung> kmalloc, done 17:54
<kmalloc> k thnx 17:54
<kmalloc> :) 17:54
<lbragstad> i'm going to be using it in keystone, yes 17:54
<ayoung> I just linked to google slides 17:54
<ayoung> AH, CRUD... 17:55
<ayoung> No one can access, and I don't think I can open it up 17:55
<lbragstad> https://review.openstack.org/#/c/611179/9 uses it 17:56
<lbragstad> (that patch is only failing because we need new versions of oslo.context and oslo.policy) 17:56
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Pass context objects to policy enforcement  https://review.openstack.org/605539 17:57
<ayoung> lbragstad, I get it, And I like what you are doing, and I approve.  And I think we are going to pay for this.  No good deed goes unpunished.  Someone out there will start using domain scoped tokens.  But, so be it 17:57
<lbragstad> damned if you do and damned if you don't 17:58
<ayoung> lbragstad, I can only +1 context.  But I did 17:58
<lbragstad> appreciate it 17:58
<ayoung> I think moguimar, can +2 17:59
<ayoung> bug jamielennox tonight, too, I think 17:59
*** sapd1 has joined #openstack-keystone 18:01
*** sapd1 has quit IRC 18:06
*** jrist has quit IRC 18:22
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement system reader role in domains API  https://review.openstack.org/605485 18:33
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement system member role in domains API  https://review.openstack.org/605849 18:33
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Implement system admin role in domains API  https://review.openstack.org/605850 18:33
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Allow domain users to access the GET domain API  https://review.openstack.org/605851 18:33
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Allow project users to retrieve domains  https://review.openstack.org/605871 18:33
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Remove domain policies from policy.v3cloudsample.json  https://review.openstack.org/605876 18:33
*** tobias-urdin_afk is now known as tobias-urdin 18:38
*** pcaruana has quit IRC 18:47
<lbragstad> question 18:50
*** sapd1 has joined #openstack-keystone 18:50
<lbragstad> if we're removing https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L13-L17 18:51
<lbragstad> s/if// 18:51
<lbragstad> thoughts on requiring a bug for that? 18:51
<lbragstad> i mean, someone *could* be using that for policies 18:51
*** sapd1 has quit IRC 18:56
*** jrist has joined #openstack-keystone 19:10
*** amoralej|off is now known as amoralej 19:18
*** jrist has quit IRC 19:27
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add region protection tests for system readers  https://review.openstack.org/619085 20:02
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Update region support for system member scopes  https://review.openstack.org/619086 20:02
<lbragstad> https://review.openstack.org/#/c/618954/6 is passing 20:05
*** sapd1 has joined #openstack-keystone 20:13
<gagehugo> lbragstad: lgtm 20:17
*** sapd1 has quit IRC 20:18
*** jrist has joined #openstack-keystone 20:23
<lbragstad> thanks gagehugo 20:25
<lbragstad> wrapping it up for today, i might be on later tonight though 20:25
*** sapd1 has joined #openstack-keystone 20:34
*** sapd1 has quit IRC 20:38
*** itlinux has quit IRC 20:39
<kmalloc> lbragstad: we should plan to remove it 20:45
<kmalloc> lbragstad: i don't think we can for now 20:46
<kmalloc> lbragstad: we didn't communicate it was going away/will no longer be maintained 20:46
*** david-lyle is now known as dklyle 20:46
*** raildo has quit IRC 20:48
*** AJaeger has joined #openstack-keystone 20:54
<AJaeger> keystone team, could you import your rocky translations, please? https://review.openstack.org/617231 20:54
*** shrasool has quit IRC 21:00
<kmalloc> AJaeger: done 21:08
<AJaeger> thanks, kmalloc 21:09
*** AJaeger has left #openstack-keystone 21:10
*** itlinux has joined #openstack-keystone 21:13
*** dave-mccowan has quit IRC 21:28
*** erus has quit IRC 21:34
<openstackgerrit> Shuayb Popoola proposed openstack/keystone master: --bootstrap-password's default changed from 'none' to 'password'  https://review.openstack.org/619101 21:34
*** rcernin has joined #openstack-keystone 21:38
*** rafaelweingartne has joined #openstack-keystone 21:55
<rafaelweingartne> Hello folks 21:55
<rafaelweingartne> oes OpenStack (Keystone) have an URL such as "/auth/realms/master/protocol/saml/descriptor" in Keycloak where we can retrieve the metadata of the provider? 21:55
<rafaelweingartne> Does* 21:56
*** mchlumsky has quit IRC 22:00
<rafaelweingartne> Does OpenStack (Keystone) have an URL such as "/auth/realms/master/protocol/saml/descriptor" in Keycloak where we can retrieve the metadata of the provider? 22:05
*** mchlumsky has joined #openstack-keystone 22:11
<rafaelweingartne> Does OpenStack (Keystone) have an URL such as "/auth/realms/master/protocol/saml/descriptor" in Keycloak where we can retrieve the metadata of the provider? 22:18
*** erus has joined #openstack-keystone 22:26
<openstackgerrit> Shuayb Popoola proposed openstack/keystone master: Fix --bootstrap-password's default password error  https://review.openstack.org/619101 22:32
<rafaelweingartne> Does OpenStack (Keystone) have an URL such as "/auth/realms/master/protocol/saml/descriptor" in Keycloak where we can retrieve the metadata of the provider? 22:38
*** imacdonn has quit IRC 22:42
*** imacdonn has joined #openstack-keystone 22:42
*** itlinux has quit IRC 22:44
<openstackgerrit> Merged openstack/keystone master: Use pycodestyle in place of pep8  https://review.openstack.org/618954 22:45
<jamielennox> ayoung a jamielennox clone is a lot of matter - maybe start with someone smaller? 23:02
*** mugsie has quit IRC 23:06
<rafaelweingartne> Does OpenStack (Keystone) have an URL such as "/auth/realms/master/protocol/saml/descriptor" in Keycloak where we can retrieve the metadata of the provider? 23:16
