Tuesday, 2019-01-29

[00:00] *** imacdonn has quit IRC
[00:00] *** imacdonn has joined #openstack-keystone
[00:10] *** itlinux has joined #openstack-keystone
[00:10] <openstackgerrit> Merged openstack/keystone master: Add CentOS support in devstack federation plugin  https://review.openstack.org/633374
[00:38] *** edmondsw has quit IRC
[00:42] *** erus1 has quit IRC
[00:42] *** erus1 has joined #openstack-keystone
[00:51] *** gyee has quit IRC
[01:10] *** markvoelker has joined #openstack-keystone
[01:11] *** erus1 has quit IRC
[01:12] *** erus1 has joined #openstack-keystone
[01:13] <kmalloc> lbragstad: there is also a massive slowdown around the holidays. i expect us to be close to rocky or beyond by the end of the cycle
[01:13] <kmalloc> if we're diligent we might surpass pike.
[01:15] *** markvoelker has quit IRC
[01:32] *** Dinesh_Bhor has joined #openstack-keystone
[01:35] *** lbragstad has quit IRC
[02:37] *** whoami-rajat has joined #openstack-keystone
[02:39] *** ileixe has joined #openstack-keystone
[03:12] *** aojea has joined #openstack-keystone
[03:17] *** aojea has quit IRC
[03:43] *** Dinesh_Bhor has quit IRC
[03:47] *** lbragstad has joined #openstack-keystone
[03:47] *** ChanServ sets mode: +o lbragstad
[03:50] *** Dinesh_Bhor has joined #openstack-keystone
[04:20] *** erus1 has quit IRC
[04:41] *** itlinux has quit IRC
[05:05] *** spsurya has joined #openstack-keystone
[05:11] *** shyamb has joined #openstack-keystone
[05:44] *** shyamb has quit IRC
[05:48] *** shyamb has joined #openstack-keystone
[06:19] *** edmondsw has joined #openstack-keystone
[06:20] *** markvoelker has joined #openstack-keystone
[06:24] *** markvoelker has quit IRC
[06:52] *** shyamb has quit IRC
[06:55] *** shyamb has joined #openstack-keystone
[06:57] *** aojea has joined #openstack-keystone
[07:07] *** aojea has quit IRC
[07:38] *** shyamb has quit IRC
[08:12] *** awalende has joined #openstack-keystone
[08:20] <vishakha> lbragstad: The extra parameter "region" was deprecated, which will be removed in queens release https://review.openstack.org/#/c/594921/
[08:20] <vishakha> *train release
[08:20] *** markvoelker has joined #openstack-keystone
[08:29] *** bnemec has joined #openstack-keystone
[08:46] *** yan0s has joined #openstack-keystone
[08:47] *** shyamb has joined #openstack-keystone
[08:48] *** tkajinam has quit IRC
[08:51] *** pcaruana has joined #openstack-keystone
[08:54] *** markvoelker has quit IRC
[09:33] *** mvkr has joined #openstack-keystone
[09:51] *** markvoelker has joined #openstack-keystone
[10:10] *** shyamb has quit IRC
[10:11] *** shyamb has joined #openstack-keystone
[10:24] *** markvoelker has quit IRC
[10:32] <openstackgerrit> Yang Youseok proposed openstack/keystonemiddleware master: Add auth invalidation in auth_token for identity endpoint update  https://review.openstack.org/633695
[10:34] <openstackgerrit> Yang Youseok proposed openstack/keystonemiddleware master: Add auth invalidation in auth_token for identity endpoint update  https://review.openstack.org/633695
[10:35] <lbragstad> vishakha oh - gotcha, i'll take another look at that today
[10:36] <vishakha> lbragstad: sure
[10:38] *** Dinesh_Bhor has quit IRC
[10:38] *** shyamb has quit IRC
[10:40] *** shyamb has joined #openstack-keystone
[10:45] *** shyamb has quit IRC
[10:46] *** mvkr has quit IRC
[11:03] *** mvkr has joined #openstack-keystone
[11:21] *** markvoelker has joined #openstack-keystone
[11:35] *** shyamb has joined #openstack-keystone
[11:53] *** markvoelker has quit IRC
[11:53] *** shyamb has quit IRC
[11:55] *** shyamb has joined #openstack-keystone
[11:59] *** erus has quit IRC
[12:04] *** kukacz has quit IRC
[12:04] *** erus has joined #openstack-keystone
[12:04] *** kukacz has joined #openstack-keystone
[12:23] *** erus has quit IRC
[12:25] *** erus has joined #openstack-keystone
[12:30] *** abhi89 has joined #openstack-keystone
[12:30] *** erus has quit IRC
[12:31] <abhi89> Hi All.. i have a doubt.. while creating image from api we don't mention any project-id, so looks like image is not associated with a project as such.. in the UI, image created in one project cannot be seen when we login via another project (both projects have same compute & storage resources).. but we can deploy a vm in a project where this image doesn't exist using the image-id.. both of them kind of contradict..
[12:32] <abhi89> visibility of the image was set to private
[12:36] *** erus has joined #openstack-keystone
[12:40] *** pcaruana has quit IRC
[12:43] *** erus has quit IRC
[12:50] *** pcaruana has joined #openstack-keystone
[12:50] *** markvoelker has joined #openstack-keystone
[12:51] *** erus has joined #openstack-keystone
[12:55] *** shyamb has quit IRC
[12:58] *** erus has quit IRC
[13:04] *** yan0s has quit IRC
[13:07] *** erus has joined #openstack-keystone
[13:08] *** ileixe has quit IRC
[13:10] *** aojea_ has joined #openstack-keystone
[13:11] *** xek has joined #openstack-keystone
[13:13] *** erus has quit IRC
[13:14] *** aojea_ has quit IRC
[13:17] *** yan0s has joined #openstack-keystone
[13:20] *** markvoelker has quit IRC
[13:22] *** erus has joined #openstack-keystone
[13:22] *** yan0s has quit IRC
[13:28] *** erus has quit IRC
[13:34] *** yan0s has joined #openstack-keystone
[13:37] *** erus has joined #openstack-keystone
[13:45] *** erus has quit IRC
[13:52] *** erus has joined #openstack-keystone
[13:58] *** erus has quit IRC
[14:06] *** erus has joined #openstack-keystone
[14:12] *** aojea_ has joined #openstack-keystone
[14:12] *** shyamb has joined #openstack-keystone
[14:12] *** erus has quit IRC
[14:16] *** mchlumsky has joined #openstack-keystone
[14:17] *** erus1 has joined #openstack-keystone
[14:20] *** shyamb has quit IRC
[14:30] *** aojea_ has quit IRC
[14:30] *** yan0s has quit IRC
[14:33] *** aojea_ has joined #openstack-keystone
[14:38] *** dave-mccowan has joined #openstack-keystone
[14:45] *** dave-mccowan has quit IRC
[14:45] *** pcaruana has quit IRC
[14:50] *** yan0s has joined #openstack-keystone
[14:53] *** pcaruana has joined #openstack-keystone
[15:06] <openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Drop ephemeral from api-ref  https://review.openstack.org/633757
[15:16] *** aojea_ has quit IRC
[15:16] *** aojea_ has joined #openstack-keystone
[15:20] <knikolla> o/
[15:21] *** aojea_ has quit IRC
[15:28] *** wxy| has joined #openstack-keystone
[15:33] *** awalende has quit IRC
[15:33] *** awalende has joined #openstack-keystone
[15:37] *** awalende has quit IRC
[15:51] *** openstackgerrit has quit IRC
[15:58] <kmalloc> o/
[16:00] <lbragstad> hola
[16:00] *** erus1 has quit IRC
[16:00] *** erus1 has joined #openstack-keystone
[16:10] *** yan0s has quit IRC
[16:36] *** Nel1x has joined #openstack-keystone
[16:40] *** abhi89 has quit IRC
[16:43] *** brtknr has joined #openstack-keystone
[16:43] <brtknr> hello
[16:44] <brtknr> since when did keystone tokens start being scoped by project_name?
[16:44] <brtknr> i do not seem to be able to do this in queens
[16:44] <brtknr> is this a rocky+ feature?
[16:45] <brtknr> i seem to be able to use tokens generated under one project scope in another project scope
[16:45] *** mchlumsky has quit IRC
[16:45] <lbragstad> brtknr do you have an example?
[16:48] *** mchlumsky has joined #openstack-keystone
[16:56] <ayoung> cmurphy, let's talk service ID and app creds.
[16:56] <ayoung> I wanted to hold off during the meeting, but I tripped over that particular one before
[16:57] <cmurphy> ayoung: i'm still halfway in another meeting, let's talk in ~30 minutes?
[16:57] <ayoung> Primo!
[16:59] *** wxy| has quit IRC
[17:01] *** pcaruana has quit IRC
[17:03] *** gyee has joined #openstack-keystone
[17:19] <cmurphy> ayoung: okay i'm here
[17:19] <cmurphy> do you have suggestions for how to solve this issue?
[17:19] <cmurphy> the problem i was struggling with is that the service might be behind a proxy and so has no idea what host and especially what path the client was requesting
[17:20] <cmurphy> it can find the host in the x-forwarded-host headers but not the original path, which is a problem with devstack which has eg glance in /image
[17:23] <cmurphy> which means it can't use that data to compare the requested host to a catalog endpoint
[17:27] <kmalloc> brtknr: tokens should always be scoped to the project id. project name may be used to authenticate if domain(s) are also used to identify the project uniquely
[17:27] *** bnemec has quit IRC
[17:28] <kmalloc> brtknr: if you can use a token from one project in another (and the role isn't admin + performing admin-actions) there is a concern. It might be broken policy (if you've done custom policy work) or a real concern with upstream keystone's defaults (it happens)
[17:28] <kmalloc> brtknr: if you can provide us with more examples/reproduction steps we can help you narrow it down.
[17:32] * cmurphy runs home to eat food
[17:32] <cmurphy> bbiab
[17:36] *** erus1 has quit IRC
[17:38] <ayoung> cmurphy, so, yeah
[17:39] <ayoung> I think we do need a parameter in the config files.  The question is can we automate it, and what does it mean to be overridden
[17:40] <ayoung> kmalloc, is there something in oslo-config where we could say "If this fragment is imported into Nova, set the service name to compute?"
[17:41] <kmalloc> ayoung: there is a "set default" that nova could use for options imported
[17:42] <kmalloc> ksm defines an option, nova sets the default
[17:42] <kmalloc> it could be overridden by the operator, but it would default to something set by nova.
[17:42] <kmalloc> we use the mechanism for osprofiler
[17:42] <kmalloc> to ensure it is off by default
[17:42] <ayoung> so if there is no default set, is there some way we could automate finding that default just by including it in middleware?
[17:42] <kmalloc> not easily
[17:43] <kmalloc> i mean we could look at the package details, but that is not guaranteed to be super useful
[17:43] <kmalloc> i'd recommend explicit default set in service
[17:43] <kmalloc> (patch per service)
[17:43] <ayoung> so....by default we would get something like "not specified"
[17:43] <kmalloc> yeah
[17:43] <kmalloc> or ""
[17:43] <kmalloc> whatever ksm sets as the explicit default
[17:44] <ayoung> could we look up a nova specific value?
[17:44] <kmalloc> the reason i would rather do an explicit default set is that it is then encoded as an explicit set
[17:44] <ayoung> yep
[17:44] <kmalloc> vs "something nova provided but could change because it wasn't intended for this"
[17:45] <ayoung> So...
[17:45] <ayoung> what if the unset value was just required for ambiguous situations
[17:45] <ayoung> like, say both nova and neutron had a /net suburl
[17:46] <kmalloc> Ksm runs in the process space
[17:46] <ayoung> we only check "service" if the suburl could potentially match in multiple services
[17:46] <kmalloc> So if you use service type url doesn't matter
[17:47] <ayoung> right...but for the vast majority of cases, we don't need to know service type
[17:47] <ayoung> or is that dangerous
[17:47] <kmalloc> Sure... You could do that but realistically, url matching across deployments will be harder/more work/slower than service type.
[17:47] <kmalloc> Not dangerous, just more prone to error
[17:47] <ayoung> what if the client sent the service type in the request?
[17:48] <ayoung> "we think we are going to Nova"
[17:48] <kmalloc> I don't trust clients for security
[17:48] <kmalloc> This is security.
ayoungthe default is to deny17:48
ayoungso..yeah, in the ambiguous case, there would be a problem17:48
kmallocYou are expecting to gate access on service type in ksm based upon token values.17:48
kmallocKsm still needs to know what service type it really is. Clients cannot provide that sanely to ksm.17:49
cmurphyo/17:49
ayoungok...so I think we'll need to get a patch into each of the services specifying service type17:49
ayoungIt can be any string./17:50
ayoungWe come up with a set of defaults that match the current service catalog17:50
ayoungbut nothing prevents a deployment for coming up with their own17:50
ayoungso compute could become gold-compute to only allow in gold customers17:50
kmallocYeah. Use os-service-types values, eventually we will integrate with that.17:51
kmallocFor defaults*17:51
cmurphywe have a set of standards already, projects can't come up with their own https://service-types.openstack.org/service-types.json17:51
ayoungcmurphy, right.17:51
kmallocAlso.we can expand the same.mechanism to endpoints (not just services) for the gold-compute example.17:52
ayoungcmurphy, one use case I was tripped up on a while back was how to do per-endpoing access, as opposed to per service.  Like, two different Nova servers with different pay structures17:52
kmallocBut start with just os-service-types for the service type itself.17:52
ayoungit puts some complexity on the4 Keystone side, but the enforcement is fairly simple17:53
ayoungso long as the config value is a string, we can provide a sane default in each of the services, but let the deployers override the value17:53
ayoungcmurphy, I assume you cam to roughly the same conclusion?17:58
clarkbas a heads up keystone changes are failing pep8 jobs due to a new release of pycodestyle. I don't know what the requirements team intends to do to address that, but one option is for keystone to fix the issues if it hasn't arleady17:59
cmurphyayoung: I came to the conclusion that we needed a config value, i wasn't aware of how we could provide a sane default so that's good to know17:59
cmurphyclarkb: thanks for the headsup18:00
clarkbrequirements team points out that the linters are managed per project. So you'll want to pin or fix the errors locally18:04
ayounglooking nopw18:07
ayoungnow18:07
kmallocclarkb: we'll fix this on our end.18:09
kmallocthanks18:09
ayoungclarkb, kmalloc, just git rebase then tox -re pep8  right18:10
clarkbayoung: yup the -r being the important flag to pull in latest pycodestyle18:10
kmallocayoung: yeah that should rebuild the environment for you.18:10
ayoungrunning now18:10
*** aojea has joined #openstack-keystone18:10
kmallocayoung: we just need to exempt E117 for now18:11
kmallocayoung: should fix us and we can circle back later18:11
kmalloci'll get a patch spun up here in a second.18:11
ayounglet me see what the errors look like18:12
kmallochttp://logs.openstack.org/78/633378/4/gate/openstack-tox-pep8/1b8b41a/job-output.txt.gz#_2019-01-29_17_42_47_90123818:12
ayoungits only 5 lines18:12
ayoungkmalloc, I got it18:12
*** aojea has quit IRC18:15
*** aojea has joined #openstack-keystone18:29
*** jdennis has quit IRC18:32
*** awalende has joined #openstack-keystone18:45
*** jdennis has joined #openstack-keystone18:48
*** openstackgerrit has joined #openstack-keystone18:49
openstackgerritayoung proposed openstack/keystone master: Adjust Indents to meet PEP8 E117  https://review.openstack.org/63380018:49
*** awalende has quit IRC18:49
*** aojea has quit IRC18:52
*** aojea has joined #openstack-keystone18:53
ayoungkmalloc, ^^18:56
*** aojea has quit IRC18:57
*** mvkr has quit IRC19:06
*** whoami-rajat has quit IRC19:07
openstackgerritLance Bragstad proposed openstack/keystone master: Add configuration options for JWS provider  https://review.openstack.org/62867619:08
openstackgerritLance Bragstad proposed openstack/keystone master: Add keystone-manage jws_setup functionality  https://review.openstack.org/61531519:08
openstackgerritLance Bragstad proposed openstack/keystone master: Add test fixture for the JWS key repository  https://review.openstack.org/61454719:08
openstackgerritLance Bragstad proposed openstack/keystone master: Add PyJWT as a requirement  https://review.openstack.org/61454819:08
openstackgerritLance Bragstad proposed openstack/keystone master: Implement JWS token provider  https://review.openstack.org/61454919:08
lbragstadhit an issue with lower-constraints ^19:08
[19:08] <lbragstad> should be fixed
[19:19] <kmalloc> ayoung: i actually dislike the readability of that log.warning change more than the original
[19:19] <ayoung> let me look
[19:20] <kmalloc> ayoung: it's correct (the new one)
[19:20] <ayoung> kmalloc, yeah..I kinda went back and forth on it
[19:20] <kmalloc> but it is less readable, indent lines up with the second line of the if
[19:20] <kmalloc> whatever
[19:20] <kmalloc> +2/+A
[19:20] <ayoung> heh
[19:21] <kmalloc> not worth quibbling over. i disagree with a number of the pep8 things we lean on
[19:21] <kmalloc> most of all, at this point the 80-line one
[19:21] <kmalloc> i'd support moving to a 120column setup, would make a number of our lines of code easier to read
[19:21] <ayoung> I wonder if I could do something with that log on
[19:21] <kmalloc> s/80-line/80-column
[19:21] <ayoung> e
[19:21] <kmalloc> ayoung: nah, just let it be.
[19:22] <ayoung> R
[19:22] <kmalloc> not worth extra time on it, this is unbreak the gate
[20:00] <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Remove domain policies from policy.v3cloudsample.json  https://review.openstack.org/605876
[20:05] *** blake has joined #openstack-keystone
[20:25] *** blake has quit IRC
[20:29] *** aojea has joined #openstack-keystone
[20:30] *** aojea has quit IRC
[20:30] *** aojea_ has joined #openstack-keystone
[20:54] *** xek has quit IRC
[21:36] <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add JWS token provider documentation  https://review.openstack.org/633831
[21:47] * lbragstad steps away to take a late lunch
[22:00] *** mchlumsky has quit IRC
[22:16] *** erus1 has joined #openstack-keystone
[22:17] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: [WIP] Add API for /v3/access_rules  https://review.openstack.org/628524
[22:17] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: [WIP] Add SQL migrations for app cred capabilities  https://review.openstack.org/631936
[22:17] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: [WIP] Add driver support for app cred capabilities  https://review.openstack.org/631937
[22:17] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: [WIP] Add manager support for app cred capabilities  https://review.openstack.org/628193
[22:17] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: [WIP] Add API changes for app cred capabilities  https://review.openstack.org/628168
[22:17] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: [WIP] Add capabilities to token validation  https://review.openstack.org/631993
[22:33] *** aojea_ has quit IRC
[22:35] *** gyee has quit IRC
[22:55] *** tkajinam has joined #openstack-keystone
[23:13] -openstackstatus- NOTICE: http://zuul.openstack.org is not working. https://zuul.openstack.org does work. Please use that while we investigate.
[23:40] <kmalloc> lbragstad: re https://review.openstack.org/#/c/628676/4 if we add jwe support we really want to have a new config group?
[23:53] *** rcernin has quit IRC
[23:54] <lbragstad> i think so
[23:55] <lbragstad> because we would be signing with a private key, then encrypting with it
[23:55] <lbragstad> and vice versa
[23:57] <lbragstad> i was thinking if we keep the repositories separate we mitigate the possibility of someone using a signed token and ciphertext from the same private key

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!