Monday, 2019-02-04

« Sunday, 2019-02-03 Index Tuesday, 2019-02-05 »
*** markvoelker has joined #openstack-keystone00:15
*** takamatsu has quit IRC00:29
*** markvoelker has quit IRC00:47
*** kukacz has quit IRC01:10
*** kukacz has joined #openstack-keystone01:12
*** whoami-rajat has joined #openstack-keystone01:14
*** vishwanathj has joined #openstack-keystone01:25
*** markvoelker has joined #openstack-keystone01:44
*** erus1 has quit IRC01:44
*** erus1 has joined #openstack-keystone01:45
*** Dinesh_Bhor has joined #openstack-keystone02:10
*** markvoelker has quit IRC02:18
*** shyamb has joined #openstack-keystone03:06
*** shyamb has quit IRC03:43
*** Dinesh_Bhor has quit IRC05:29
*** Dinesh_Bhor has joined #openstack-keystone05:32
*** dklyle has quit IRC06:09
*** david-lyle has joined #openstack-keystone06:09
*** markvoelker has joined #openstack-keystone06:56
*** tkajinam_ has joined #openstack-keystone07:04
*** tkajinam has quit IRC07:06
*** takamatsu has joined #openstack-keystone07:28
*** pcaruana has joined #openstack-keystone07:35
*** pcaruana has quit IRC07:42
*** pcaruana has joined #openstack-keystone07:42
*** nishaYadav has joined #openstack-keystone07:47
nishaYadavo/07:48
*** awalende has joined #openstack-keystone07:49
*** awalende has quit IRC07:52
*** awalende has joined #openstack-keystone07:52
*** awalende has quit IRC08:06
*** erus1 has quit IRC08:06
*** erus1 has joined #openstack-keystone08:06
*** awalende has joined #openstack-keystone08:22
*** tkajinam_ has quit IRC08:24
*** yan0s has joined #openstack-keystone08:31
*** erus1 has quit IRC08:31
*** erus1 has joined #openstack-keystone08:32
*** xek has joined #openstack-keystone08:32
*** Emine has joined #openstack-keystone08:53
*** tobias-urdin has joined #openstack-keystone09:06
*** Dinesh_Bhor has quit IRC10:35
*** jdennis has quit IRC10:38
openstackgerritYang Youseok proposed openstack/keystonemiddleware master: Add auth invalidation in auth_token for identity endpoint update  https://review.openstack.org/63369510:42
*** Dinesh_Bhor has joined #openstack-keystone10:43
openstackgerritArtem Vasilyev proposed openstack/keystone master: Added request_id and global_request_id to cadf notifications  https://review.openstack.org/63466310:50
openstackgerritArtem Vasilyev proposed openstack/keystone master: Added request_id and global_request_id to basic notifications  https://review.openstack.org/63466310:53
*** claudiub has joined #openstack-keystone11:01
*** raildo has joined #openstack-keystone12:13
yan0shas anyone setup apache mellon plugin for keystone federation?12:17
*** nishaYadav has quit IRC12:18
*** Emine has quit IRC12:20
*** Emine has joined #openstack-keystone12:21
yan0sI'm having trouble to use the openstack cli client with "OS_AUTH_TYPE=v3samlpassword"12:24
yan0slogin through the gui works fine12:28
*** vishakha has joined #openstack-keystone12:49
*** raildo has quit IRC13:05
*** Dinesh_Bhor has quit IRC13:05
*** Dinesh_Bhor has joined #openstack-keystone13:11
*** raildo has joined #openstack-keystone13:12
*** Dinesh_Bhor has quit IRC13:12
*** dave-mccowan has joined #openstack-keystone13:20
*** dave-mccowan has quit IRC13:25
*** dave-mccowan has joined #openstack-keystone13:30
*** edmondsw has quit IRC13:40
*** jmlowe has quit IRC14:09
*** edmondsw has joined #openstack-keystone14:10
*** lbragstad has joined #openstack-keystone14:26
*** ChanServ sets mode: +o lbragstad14:26
*** zzzeek has quit IRC14:31
*** erus1 has quit IRC14:32
*** erus1 has joined #openstack-keystone14:32
*** zzzeek has joined #openstack-keystone14:34
*** awalende has quit IRC14:43
*** jenglisch_ is now known as jenglisch14:48
*** zzzeek has quit IRC14:57
*** zzzeek has joined #openstack-keystone14:57
*** erus1 has quit IRC15:02
*** Emine has quit IRC15:11
openstackgerritVishakha Agarwal proposed openstack/keystone master: Replace 'tenant_id' with 'project_id'  https://review.openstack.org/63170615:14
gagehugoo/15:15
lbragstad\o15:16
cmurphyo/15:16
openstackgerritColleen Murphy proposed openstack/keystone master: Replace 'tenant_id' with 'project_id'  https://review.openstack.org/63170615:18
*** Emine has joined #openstack-keystone15:19
*** jmlowe has joined #openstack-keystone15:43
*** jistr is now known as jistr|biab15:52
openstackgerritVishakha Agarwal proposed openstack/keystone master: Correcting tests with project_id  https://review.openstack.org/63439415:53
*** erus1 has joined #openstack-keystone16:00
*** erus1 has quit IRC16:07
*** zzzeek has quit IRC16:23
*** gyee has joined #openstack-keystone16:23
*** jistr|biab is now known as jistr16:24
*** zzzeek has joined #openstack-keystone16:25
*** erus1 has joined #openstack-keystone16:34
gyeelbragstad, looks like we'll need to update x.509 tokenless to support system-scope as well16:40
lbragstad++16:41
lbragstadthat rings a bell16:41
gyeeshould I file another bug for that?16:41
lbragstadyeah - i think so16:41
lbragstadi remember seeing the exception when i was filing the scope bug and it was specific to project/domain support only16:41
gyeeI finally get around to update my vagrant dev environment to get it working, to some extend16:41
lbragstadnice16:41
lbragstadhave you posted your vagrant file somewhere?16:42
gyeenot yet, I can put it in my github account16:42
lbragstadawesome16:42
lbragstadi wouldn't mind an automated way of setting all that up ;)16:42
gyeebasically, vagrant with ansible provisioner16:42
lbragstaddoes it use devstack?16:43
gyeeyes16:43
lbragstadcool16:43
gyeeit patches default devstack16:43
lbragstadwith new libraries or just the tls-proxy service/16:43
gyeeno tls-proxy, just vanilla devstack16:44
lbragstadah16:44
gyeeI am working off the Rocky branch right now. Devstack master branch seem broken, at least as of last Friday. :-)16:45
lbragstadhuh16:47
lbragstadi haven't ran it recently16:47
lbragstadat least since last friday16:47
gyeeit was giving me a bunch of packaging errors, let me try again today16:47
*** erus1 has quit IRC16:56
gyeelbragstad, also, not sure if this is a known bug, but keystone-admin uwsgi process failed to come up in stable/rocky17:03
gyeeonly keystone-public seem to be working17:04
lbragstadhm17:04
lbragstadi haven't heard of anything like that happening yet, but i bet it went unnoticed because we no longer have v2.0 up17:04
gyeeyeah, also, apache2 is not enabled in systemd, so it does not come up on system reboot17:05
gyeenot sure if that's by design or a bug17:05
gagehugodo you need the keystone-admin uwsgi process after v2.0 is gone?17:06
lbragstadno - it's optional at this point17:06
gyeeno, but we are still creating it in apache2 vhosts.d17:06
gagehugoah17:06
gyeemaybe we need to remove it?17:06
lbragstadwell...17:06
lbragstadwe might have to check with the tempest folks17:07
gagehugoI've only every setup with the public one since queens17:07
gagehugoever*17:07
gyeeif its needed, its broken :-)17:07
lbragstadpike is still supported17:07
lbragstadwhich has v2.017:07
*** dmellado has quit IRC17:07
gyeeI am using stable/rocky17:07
lbragstadwe might need to keep the infrastructure for deploying the admin app until that is unmaintained since tempest is branchless17:08
*** dmellado has joined #openstack-keystone17:08
* lbragstad shrugs17:08
*** dmellado has quit IRC17:08
lbragstadbut it's only supported for another month17:08
lbragstadhttps://releases.openstack.org/17:08
gyeenice17:09
*** dmellado has joined #openstack-keystone17:09
lbragstadhttps://docs.openstack.org/releasenotes/keystone/queens.html#other-notes17:11
lbragstadyeah - it was removed in queens17:11
lbragstadso pike will still have reminants of the v2.0 api17:11
lbragstadremnants*17:11
gagehugoyeah17:11
lbragstadthat could be why the admin api still still exists in devstack17:12
lbragstadstuff still*17:12
gyeemaybe time to update devstack to not creating that vhost file17:12
lbragstadman.. monday's are _terrible_ for typing17:12
lbragstadi agree17:12
lbragstadas soon as pike is unsupported, we should be safe to simplify all of that17:12
gyeethis is the error I am encounter when running devstack master branch17:13
gyee"Complete output from command /opt/stack/requirements/.venv/bin/python -m pip config list:", "ERROR: unknown command \"config\"", "----------------------------------------",17:13
*** Emine has quit IRC17:18
*** awalende has joined #openstack-keystone17:20
lbragstadinteresting17:21
*** awalende has quit IRC17:24
*** yan0s has quit IRC17:25
gyeelooks like its using a very old version of pip, 9.0.317:30
*** Emine has joined #openstack-keystone17:30
kmallocoh man, seattle has a couple inches of snow :P18:00
kmallocthis is hilarious18:00
kmallocgyee: yeah use a modern pip, first order18:00
*** pcaruana has quit IRC18:00
gyeekmalloc, looks like devstack cap it to an older version18:07
gyeebut I think the problem is maybe somewhere else, virtualenv perhaps18:08
gyeebut I am still troubleshooting it18:08
kmalloclbragstad: https://review.openstack.org/#/c/605485/17 maintain the 40418:09
kmallocadd a note that it should be a 403, but changing is pending versioning (either microversions *or* v4)18:09
kmalloclbragstad: easy.18:09
kmallocgyee: hm.18:09
kmallocweird.18:09
lbragstadi think we're going to have if/else statements in the api code then18:09
lbragstadwhich will be fine, it'll just be messy i thin18:10
lbragstadthink*18:10
kmallocyep. or you maintain a 404 in all cases with a FIXME IN VERSIONING18:21
kmalloc*shrug*18:21
openstackgerritLance Bragstad proposed openstack/keystone master: Implement JWS token provider  https://review.openstack.org/61454918:25
openstackgerritLance Bragstad proposed openstack/keystone master: Add JWS token provider documentation  https://review.openstack.org/63383118:25
gyeelbragstad, kmalloc, so this is the exact problem I am having. https://superuser.com/questions/1400430/python-virtualenv-error-unknown-command-config18:37
gyeeI am surprised no one else ran into this with devstack18:37
kmallocgyee: huh. i really always use a newer pip *even* if devstack dictates other versions18:39
kmallocgyee: so, i don't see it.18:39
gyeehow do I tell devstack to use a newer version of pip18:42
gyeehttps://github.com/openstack-dev/devstack/blob/master/tools/cap-pip.txt18:43
gyeemanually fudge that file?18:43
*** zzzeek has quit IRC18:44
cmurphykmalloc: lbragstad commented on 60548518:44
lbragstadcmurphy thanks - i just saw that roll through my email18:45
lbragstadcmurphy what makes https://review.openstack.org/#/c/634193/1/keystone/tests/unit/mapping_fixtures.py,unified invalid?18:45
*** claudiub has quit IRC18:45
cmurphylbragstad: try it and see18:46
* cmurphy not really here, back in a few hours18:47
*** zzzeek has joined #openstack-keystone18:48
kmalloccmurphy: thnx18:50
kmalloccmurphy: we can do that18:50
kmalloccmurphy: I dont feel like it would block the change either way.18:51
kmallocthe safest bet is 404 maintain18:51
kmallocbut if we're not maintainign the 404, then we release note it and go with 40318:51
lbragstadaha - got it18:53
*** zzzeek has quit IRC18:54
*** zzzeek has joined #openstack-keystone18:57
lbragstadkmalloc since you're migration savvy https://review.openstack.org/#/c/621497/719:06
kmallocoh noes!19:08
kmallocok looking19:08
kmallocwait... wut.. *blink*19:10
kmallocok let me try and get context from the commit message19:10
kmallocso wait, we mis-recreated the tables?19:12
kmalloclbragstad: why are we creating the column in the contract phase?19:14
kmalloclbragstad: really i need more context on waht this is fixing.19:14
*** opetrenko_mob has joined #openstack-keystone19:14
*** opetrenko_mob has quit IRC19:19
*** Emine has quit IRC19:22
*** vishakha has quit IRC19:25
gyeelbragstad, kmalloc, just want to confirm, system-scope is not something we can facilitate via federation mapping right19:26
gyeein other words, once can't get a system-scoped token via federation19:26
gyees/once/one/19:26
kmalloci don't see why a mapping couldn't do it ... eventually19:26
kmallocbut i don't think we have wired up system scope on the mapping side.19:26
kmallocyet19:26
gyeek, just want to confirm it doesn't exist right now19:28
gyeethanks19:28
kmalloci am fairly certain it does not.19:28
kmallocbut i can only keep so much info in my head at once, i might be wrong19:29
lbragstadkmalloc it was a sqlite but19:31
lbragstadbug*19:31
kmallocright.19:31
kmallocand my question is why not just fix the migration instead of wedging it into the contract phase19:32
kmallocthis feels like the wrong place for it19:32
lbragstadi think i asked a similar question19:32
lbragstadand i think it's because of the order the migrations are run across the repositories19:32
kmalloci'm -1 without more clarity because SQLite is used for testing.19:32
kmallocand we can just retrofit the create to the end of the upgrade/update migration instead of wedging a create into a contract19:33
lbragstadbecause sqlite?19:33
kmallocif someone is using sqlite in production and it breaks them i'm going to just say "uh... no. so nope, not supporting that"19:33
kmallocif we could remove sqlite support, i would.19:34
kmallocbut it is really needed for testing.19:34
lbragstaddstanek was close to doing that a couple years ago19:34
*** xek_ has joined #openstack-keystone19:34
kmallocyeh19:35
gyeestupid question: why would you testing something that is not intended for production? :-)19:35
kmallocgyee: sqlite provides a very close analogue in memory only for unit tests19:35
kmallocinstead of needing a full MySQL instance (which is very slow in comparison) for our testing19:35
kmallocgyee: it is more convenience to ensure quick unit tests that automatically drop the data when the connection to the in-memory allocated schema is closed.19:36
kmallocgyee: ideally, we wouldn't  use SQLite at all19:36
kmallocbut even a snap .create_all in SQLA based upon the models and then a drop in MySQL is much much much slower.19:37
*** xek has quit IRC19:37
kmallocwe could fix the unit tests to not db_sync / stand up a clean schema every time. or we can use SQLite until we have another alternative19:38
gyeeyeah, I wouldn't waste time on sqlite19:39
gyeewhy not just move that stuff to functional test or something19:39
kmallocagain, the unit tests need to have a backend.19:46
kmalloceven the non-functional versions.19:46
kmallocso, what are we to do, we need to stand up something for ensuring the logic is working19:47
kmallocso, since it provides a reasonable analoge for now, we keep it19:47
lbragstadiirc - if you wire up the unit tests to run again sql, the performance is really bad19:48
kmallocwe could do it19:48
kmallocreally we could do an in-memory mysql [ndb] or any number of other options19:49
kmallocbut SQLite works fine for now19:49
kmallocwe have bigger fish / oceans to boil before we get to "remove SQLite from testing"19:49
*** jaosorior has quit IRC19:58
openstackgerritMerged openstack/keystone master: Add endpoint tests for system member role  https://review.openstack.org/61933020:03
*** jmlowe has quit IRC20:31
openstackgerritLance Bragstad proposed openstack/keystone master: Implement system reader role for users  https://review.openstack.org/60548520:38
openstackgerritLance Bragstad proposed openstack/keystone master: Implement system member role user test coverage  https://review.openstack.org/62331720:38
openstackgerritLance Bragstad proposed openstack/keystone master: Implement system admin role in users API  https://review.openstack.org/62331820:38
openstackgerritLance Bragstad proposed openstack/keystone master: Implement domain reader functionality for user API  https://review.openstack.org/62331920:38
openstackgerritLance Bragstad proposed openstack/keystone master: Implement domain member functionality for user API  https://review.openstack.org/62332020:38
openstackgerritLance Bragstad proposed openstack/keystone master: Implement domain admin functionality for user API  https://review.openstack.org/62332120:38
openstackgerritLance Bragstad proposed openstack/keystone master: Add explicit testing for project users and the user API  https://review.openstack.org/62332220:38
openstackgerritLance Bragstad proposed openstack/keystone master: Remove user policies from policy.v3cloudsample.json  https://review.openstack.org/62332320:38
lbragstadfor ^ that series, we'll have to figure out how we want to approach getting the domain user tempest test to pass20:43
lbragstadhttps://review.openstack.org/#/c/624794/ should show the issue20:43
*** whoami-rajat has quit IRC20:44
*** opetrenko_and has joined #openstack-keystone20:47
*** opetrenko_and has quit IRC20:53
*** raildo has quit IRC20:59
gyeefound another bug with x.509 tokenless, ephemeral user mapping is also broken21:02
*** xek__ has joined #openstack-keystone21:12
kmallocthat would make sense.21:14
kmalloctokenless was never meant to map to ephemeral21:14
kmallocas i recall21:14
*** xek_ has quit IRC21:14
kmallocit was meant to map to concrete user(s)21:15
gyeekmalloc, we also support ephemeral21:20
gyeebut yeah, it was primarily meant for local users21:21
kmallocyep, hence not surprised it is broken21:21
kmallochappy to take patches (and testing, please testing!!!) to make it work21:21
gyeeit's a one line fix, let me finish up the testing21:21
kmalloccool21:24
openstackgerritIslam Musleh proposed openstack/keystone master: Converting the API tests to use flask's test_client  https://review.openstack.org/63030121:34
*** xek__ has quit IRC21:35
*** rm_work_ has joined #openstack-keystone21:36
*** opetrenko__ has joined #openstack-keystone21:39
openstackgerritguang-yee proposed openstack/keystone master: Fixes incorrect params passing  https://review.openstack.org/63481621:40
opetrenko__hey, does somebody know how to contact Adam Young?21:42
*** rm_work has quit IRC21:49
*** rm_work_ is now known as rm_work21:49
*** Nel1x has joined #openstack-keystone21:50
larsksopetrenko__: he usually hangs out here.  you can probably find his email address in the keystone commit log.22:00
*** jmlowe has joined #openstack-keystone22:05
kmallocopetrenko__: best bet is to email him if you can't find him here in the channel. Most days he shows up for a tleast a bit.22:31
opetrenko__thx22:32
openstackgerritGage Hugo proposed openstack/keystone master: WIP - Add flask hook for authentication timings  https://review.openstack.org/63482622:43
*** tkajinam has joined #openstack-keystone22:56
openstackgerritMerged openstack/keystone master: Test case for bad type user in assertion  https://review.openstack.org/63419323:27
*** markvoelker has quit IRC23:31
brtknrAnyone here can tell me why I am able to create a heat stack only as a trustor, not as the trustee but then able to make changes and delete a stack even as a trustee as expected23:34
brtknr?23:34
*** imacdonn has joined #openstack-keystone23:48
lbragstadbrtknr i know heat has some custom policy in place that only allows the stack owner to do things23:59
« Sunday, 2019-02-03 Index Tuesday, 2019-02-05 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!