Monday, 2019-01-07

*** erus has quit IRC		00:35
*** erus has joined #openstack-keystone		00:40
openstackgerrit	Merged openstack/keystone master: Bring SP/IdP URLs closer to style guide guidance https://review.openstack.org/627843	01:35
openstackgerrit	Merged openstack/keystone master: Fix nits in code blocks in federation guide https://review.openstack.org/627844	01:35
openstackgerrit	Merged openstack/keystone master: Use samltest.id as an example sandbox IdP https://review.openstack.org/627845	01:35
openstackgerrit	Merged openstack/keystone master: Update federation SP prerequisites section https://review.openstack.org/627846	01:36
*** ileixe has joined #openstack-keystone		02:14
*** shyamb has joined #openstack-keystone		02:37
*** whoami-rajat has joined #openstack-keystone		02:52
*** mhen has quit IRC		03:01
wxy-xiyuan	lbragstad: I'll take a look. :)	03:01
*** mhen has joined #openstack-keystone		03:02
*** shyamb has quit IRC		03:15
*** shyamb has joined #openstack-keystone		03:16
openstackgerrit	Merged openstack/keystone master: Remove duplicate RBAC logging from enforcer https://review.openstack.org/624799	04:04
openstackgerrit	Merged openstack/keystone master: Add prerequisites section to keystone-to-keystone https://review.openstack.org/627847	04:04
*** shyamb has quit IRC		04:18
*** shyamb has joined #openstack-keystone		04:21
*** shyamb has quit IRC		04:30
*** ileixe has quit IRC		04:57
*** ileixe has joined #openstack-keystone		05:03
*** shyamb has joined #openstack-keystone		05:39
*** shyamb has quit IRC		05:48
*** shyamb has joined #openstack-keystone		06:05
*** rcernin has quit IRC		06:56
*** ileixe has quit IRC		07:31
*** shyamb has quit IRC		07:50
*** ileixe has joined #openstack-keystone		07:51
*** yan0s has joined #openstack-keystone		07:56
*** pcaruana has joined #openstack-keystone		08:14
*** pcaruana has quit IRC		08:24
*** xek has joined #openstack-keystone		08:39
*** pcaruana has joined #openstack-keystone		08:46
*** shyamb has joined #openstack-keystone		08:53
*** shyamb has quit IRC		09:14
*** shyamb has joined #openstack-keystone		09:16
*** shyamb has quit IRC		09:44
*** shyamb has joined #openstack-keystone		09:44
*** jaosorior has joined #openstack-keystone		10:03
*** shyamb has quit IRC		10:48
*** pcaruana has quit IRC		11:11
*** pcaruana has joined #openstack-keystone		11:16
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Add openstack_groups to assertion https://review.openstack.org/588211	11:20
*** ileixe has quit IRC		11:23
*** vishakha has joined #openstack-keystone		11:31
*** tobias-urdin is now known as tobias-urdin_afk		11:34
*** shyamb has joined #openstack-keystone		11:35
*** raildo has joined #openstack-keystone		11:51
*** tobias-urdin_afk is now known as tobias-urdin		11:59
*** zigo has quit IRC		12:31
*** ygk_12345 has joined #openstack-keystone		12:38
ygk_12345	HI all	12:50
ygk_12345	I need some help with AD integration of keystone	12:51
ygk_12345	i have already integrated it as a separate domain apart from the default domain	12:51
ygk_12345	but when I list the users , it is throwing this error	12:51
ygk_12345	Number of User/Group entities returned by LDAP exceeded size limit. Contact your LDAP administrator. (HTTP 500) (Request-ID:	12:51
ygk_12345	how to solve this ?	12:53
ygk_12345	I am using rocky	12:53
*** shyamb has quit IRC		12:59
*** jhesketh has quit IRC		13:05
ygk_12345	is anyone around ?	13:06
*** jhesketh has joined #openstack-keystone		13:06
*** shyamb has joined #openstack-keystone		13:06
cmurphy	ygk_12345: that error is due to the way your ldap server is configured, the number of results it can return is limited so it throws an error instead	13:12
cmurphy	a workaround is to set page_size in keystone.conf so that keystone requests fewer results at a time	13:13
ygk_12345	cmurphy: where to modify ?	13:21
cmurphy	ygk_12345: in keystone.conf in the [ldap] section https://docs.openstack.org/keystone/latest/admin/integrate-with-ldap.html#identity-ldap-server-set-up	13:22
ygk_12345	cmurphy: can I increase the page_size from 0 to how much ?	13:23
cmurphy	ygk_12345: however much you want, something below your AD server's size limit	13:24
ygk_12345	cmurphy: in OSA install, where should I restart the keystone service after makinh changes in the keystone container ?	13:31
cmurphy	ygk_12345: you'd have to ask the OSA people that	13:31
ygk_12345	cmurphy: ok thank you	13:31
cmurphy	you're welcome	13:31
*** dave-mccowan has joined #openstack-keystone		13:32
ygk_12345	cmurphy: when I list the projects using openstack project list from the AD domain, it is returning empty list	13:48
ygk_12345	cmurphy: but it is returning user list well	13:48
cmurphy	ygk_12345: projects are not read from AD, they are always read from keystone's sql database, so if you haven't created any projects in that domain then it won't return any	13:49
ygk_12345	cmurphy: i want to convert the existing AD users into projects in keystone. HOw do I do that ?	13:57
*** vishakha has quit IRC		13:58
cmurphy	ygk_12345: you can't do that, users are not projects	14:00
cmurphy	ygk_12345: https://docs.openstack.org/keystone/latest/admin/identity-concepts.html	14:00
cmurphy	ygk_12345: you can manually create the projects you want with `openstack project create`	14:01
ygk_12345	cmurphy: ok	14:01
*** whoami-rajat has quit IRC		14:01
*** irclogbot_1 has quit IRC		14:14
lbragstad	o/	14:16
cmurphy	\o	14:16
openstackgerrit	Colleen Murphy proposed openstack/keystone master: [WIP] Add API for /v3/allowed-requests https://review.openstack.org/628524	14:16
openstackgerrit	Colleen Murphy proposed openstack/keystone master: [WIP] Add manager support for app cred capabilities https://review.openstack.org/628193	14:16
openstackgerrit	Colleen Murphy proposed openstack/keystone master: [WIP] Add API changes for app cred capabilities https://review.openstack.org/628168	14:16
*** xek has quit IRC		14:27
*** xek has joined #openstack-keystone		14:28
*** shyamb has quit IRC		14:28
*** needsleep is now known as TheJulia		14:36
bnemec	lbragstad: Go Bison!	14:39
*** irclogbot_1 has joined #openstack-keystone		14:39
lbragstad	inoright?	14:40
lbragstad	7 national championships in 8 years	14:40
*** ygk_12345 has quit IRC		14:41
*** jdennis has joined #openstack-keystone		14:42
bnemec	I'm sad I missed the game. Family Christmas this weekend and my brother is a cord cutter.	14:43
bnemec	And I have an adorable two year old niece who gets all my attention when I'm there. :-)	14:44
lbragstad	well - that's understandable ;)	14:46
*** irclogbot_1 has quit IRC		15:01
*** irclogbot_1 has joined #openstack-keystone		15:10
*** sapd1_ has joined #openstack-keystone		15:14
*** evrardjp has joined #openstack-keystone		15:15
*** sapd1 has quit IRC		15:16
evrardjp	hello... I saw an email on the ML that was not tagged keystone but is more or less linked to keystone: An issue in openstack CLI... Just saying :) http://lists.openstack.org/pipermail/openstack-discuss/2019-January/001409.html	15:17
*** openstackgerrit has quit IRC		15:22
*** mchlumsky has joined #openstack-keystone		15:23
*** mchlumsky has quit IRC		15:35
*** mchlumsky has joined #openstack-keystone		15:36
lbragstad	evrardjp interesting - thanks for the ping	15:54
*** openstackgerrit has joined #openstack-keystone		15:57
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Enhance authn sections in federation guide https://review.openstack.org/627966	15:57
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Clean up keystone-to-keystone section https://review.openstack.org/627968	15:57
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Reorganize guide on configuring a keystone SP https://review.openstack.org/627972	15:57
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Add section on configuring protected auth paths https://review.openstack.org/627975	15:57
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Consolidate WebSSO guide into SP instructions https://review.openstack.org/627976	15:57
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Enhance the shibboleth guide https://review.openstack.org/627982	15:57
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Enhance the mellon guide https://review.openstack.org/627993	15:57
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Enhance the openidc guide https://review.openstack.org/628037	15:57
bnemec	Colleen is going to annexed by the docs team if she spends any more time there. :-)	15:59
* cmurphy hides		16:00
*** mchlumsky has quit IRC		16:01
bnemec	*get annexed	16:02
bnemec	Per Muphry's Law, there would naturally be a typo in any comment about writing.	16:02
cmurphy	;)	16:02
*** bnemec is now known as stackymcstackfac		16:04
*** stackymcstackfac is now known as bnemec		16:05
evrardjp	bnemec: you ddi good there	16:07
bnemec	evrardjp: :-)	16:08
bnemec	I'm also giving myself points for not making the really obvious joke based on someone's last name.	16:09
bnemec	I expect she's already heard them all. ;-)	16:09
evrardjp	bnemec: I thought it was included in the sentence too. I took it as part of the joke at least:p	16:09
cmurphy	i generally assume every time murphy's law comes up it's a joke at my expense :P	16:10
evrardjp	cmurphy: isn't that proving the law in itself?	16:10
bnemec	There _are_ other names for that law that I could have used, it's true.	16:10
bnemec	Although this one might have been more applicable here: 'Umhoefer's or Umhöfer's rule: "Articles on writing are themselves badly written."'	16:13
bnemec	Since I wasn't actually grammar nitpicking for a change. :-)	16:13
* bnemec carefully sidesteps the wikipedia rabbit hole and closes the window		16:14
cmurphy	that's a healthy choice	16:15
evrardjp	:)	16:16
*** pcaruana has quit IRC		16:21
*** erus has quit IRC		16:24
*** erus has joined #openstack-keystone		16:25
*** whoami-rajat has joined #openstack-keystone		16:28
*** imacdonn has joined #openstack-keystone		16:51
*** yan0s has quit IRC		17:15
*** markvoelker has joined #openstack-keystone		17:33
*** markvoelker has quit IRC		17:34
openstackgerrit	Merged openstack/keystone master: correct the description on domain re-enable https://review.openstack.org/628705	17:35
*** gyee has joined #openstack-keystone		17:45
openstackgerrit	Merged openstack/keystone master: Enhance authn sections in federation guide https://review.openstack.org/627966	17:55
openstackgerrit	Merged openstack/keystone master: Clean up keystone-to-keystone section https://review.openstack.org/627968	17:55
openstackgerrit	Brian Rosmaita proposed openstack/oslo.policy master: Fix sample config value when set_defaults is used https://review.openstack.org/623292	18:11
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Implement system reader role for projects https://review.openstack.org/624215	18:11
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Implement system member role project test coverage https://review.openstack.org/624216	18:11
lbragstad	biab	18:13
*** jmlowe has quit IRC		18:32
gyee	lbragstad, so looks like for users, unlike domains and projects, disabling a user will permanently invalid the token. Doesn't matter whether the user is re-enable immediately.	18:34
*** jmlowe has joined #openstack-keystone		18:50
*** jmlowe has quit IRC		18:58
*** jmlowe has joined #openstack-keystone		18:59
*** itlinux has joined #openstack-keystone		19:15
lbragstad	gyee ack	19:16
lbragstad	gyee do you think that behavior with users should be the same as with domains and projects?	19:16
gyee	lbragstad: from consistency perspective, yes	19:34
gyee	but the notion of "user" has always been different from other resources	19:37
*** whoami-rajat has quit IRC		19:58
*** jmlowe has quit IRC		20:01
*** jmlowe has joined #openstack-keystone		20:03
lbragstad	gyee right	20:05
lbragstad	i guess right now we expect re-enabled users to reauthenticate	20:06
lbragstad	but that same expectation is optional for projects and domains	20:07
gyee	lbragstad, yeah, I don't have a strong argument for one way or the other. So as long as we are properly doc the expected behavior I guess we're fine.	20:12
lbragstad	yeah - that works for me	20:12
lbragstad	nice find though	20:13
lbragstad	depending on what stance you have, we could one of two things	20:13
lbragstad	1.) open a bug saying that we should remove the revocation event that is persisted when a user is disabled	20:13
lbragstad	2.) doc the behavior that re-authentication is required when a user is re-enabled	20:14
gyee	I'd go for 2) for now	20:16
gyee	I've got a feeling that 1) may open up a can of worms :-)	20:16
gyee	not sure if this behavior was by design as part of PCI DSS	20:17
gyee	though I can't seem to find anything on it	20:18
lbragstad	i have a feeling it is left over cruft from revocation events	20:21
gyee	yeah could be	20:30
lbragstad	that's an area of code that could probably be simplified	20:31
gyee	lbragstad: how about lets do 2) in short term, and 1) in longer term?	20:37
*** jmlowe has quit IRC		20:42
lbragstad	gyee works for me	20:59
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Implement system admin role in project API https://review.openstack.org/624217	20:59
cmurphy	I didn't think users could be disabled?	20:59
lbragstad	they can be	21:00
lbragstad	https://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/core.py#n968	21:00
lbragstad	groups can't be though	21:01
gyee	we can do 'openstack user set --disable user'	21:01
*** raildo has quit IRC		21:03
*** xek has quit IRC		21:11
*** jmlowe has joined #openstack-keystone		21:27
lbragstad	i don't think there is an actual reason why groups can't be disabled though...	21:39
*** bnemec has quit IRC		21:58
*** bnemec has joined #openstack-keystone		22:02
*** erus has quit IRC		22:10
*** erus has joined #openstack-keystone		22:16
*** ianw_pto is now known as ianw		22:26
openstackgerrit	Merged openstack/keystone master: Reorganize guide on configuring a keystone SP https://review.openstack.org/627972	22:26
openstackgerrit	Merged openstack/keystone master: Add section on configuring protected auth paths https://review.openstack.org/627975	22:26
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Implement domain reader functionality for projects https://review.openstack.org/624218	22:35
*** itlinux has quit IRC		22:37
*** erus has quit IRC		22:43
*** erus has joined #openstack-keystone		22:44
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Implement domain reader functionality for projects https://review.openstack.org/624218	22:44
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Implement domain member functionality for projects https://review.openstack.org/624219	22:44
*** rcernin has joined #openstack-keystone		22:45
-openstackstatus- NOTICE: The Etherpad service at https://etherpad.openstack.org/ has been offline since 23:22 UTC due to a hypervisor issue in our service provider, but should hopefully return to service shortly.		23:49
*** dave-mccowan has quit IRC		23:56
*** erus is now known as eRus		23:59

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!