Wednesday, 2019-02-13

*** markvoelker has quit IRC		00:06
*** jamesmcarthur has joined #openstack-keystone		00:10
*** jamesmcarthur has quit IRC		00:16
*** david-lyle has joined #openstack-keystone		00:18
*** dklyle has quit IRC		00:21
*** openstackgerrit has quit IRC		00:52
*** jamesmcarthur has joined #openstack-keystone		00:53
*** jamesmcarthur has quit IRC		00:54
adriant	lbragstad: having project names bigger than 64 would be nice for some of my use cases... but changing that is too much of a breaking change it seems, so https://blueprints.launchpad.net/keystone/+spec/name-field-consistency is probably dead	01:00
lbragstad	adriant ack - i appreciate the follow up	01:00
adriant	I'll will patiently wait for v4	01:01
adriant	....	01:01
lbragstad	hah	01:01
adriant	bah was rewritting that and hit enter.	01:01
adriant	but yes, v4, the solution to all the problems!	01:01
lbragstad	:)	01:02
adriant	mostly, I need 64+ project names to essentially turn the project name into a sub-tree name path, so subprojects can be 'unique'	01:02
lbragstad	yeah - i remember you were doing something like that	01:02
adriant	but I guess I'll mostly tell people to name things shorts, and use project descriptions	01:02
lbragstad	oh - sure	01:02
lbragstad	i suppose that works	01:02
lbragstad	you don't use traditional project hierarchies?	01:03
lbragstad	like - the actual implementation in keystone?	01:03
*** markvoelker has joined #openstack-keystone		01:03
adriant	names aren't unique for sub projects	01:04
adriant	as in, this includes trees	01:04
adriant	but I enforce a naming convention down the tree	01:04
adriant	so root_project_1/test and root_project_2/test can both exist	01:04
*** jamesmcarthur has joined #openstack-keystone		01:04
adriant	when otherwise they will both make "test" and the second attempt will fail	01:04
lbragstad	but that's because they will both be in the same domain, right?	01:05
adriant	yes	01:05
adriant	single domain issues	01:05
lbragstad	and has less to do with project hierarchy	01:05
adriant	yep	01:05
lbragstad	got it	01:05
adriant	project hierarchy is used for role inheritance and subproject ownership, but we aren't handing a domain to each customer :/	01:06
adriant	mostly because that has it's own set of messes	01:06
*** gyee has quit IRC		01:07
lbragstad	like proper domain support for RBAC?	01:08
*** yankcrime has quit IRC		01:08
*** gyee has joined #openstack-keystone		01:10
adriant	lbragstad: sort of, but also the ability to migrate existing customers into their own domain, and other stuff like billing per domain	01:18
lbragstad	mmm	01:18
adriant	single domain is easier in a weird way	01:19
adriant	and sub-projects and hierarchy mostly make it fine	01:19
adriant	the only issue is names no being unique per sub-project level, which can't be solved without some path_name value to maintain unique namespacing	01:20
adriant	there was specs and such a while back about solving exactly that, but it would break too much	01:20
adriant	so my solution (through Adjutant) was just enforce that path_name in the actual name	01:21
adriant	lbragstad: https://blueprints.launchpad.net/keystone/+spec/hierarchical-project-naming < before my time	01:22
adriant	but essentially I'm trying to mimic that	01:23
lbragstad	interesting	01:23
adriant	adding that to keystone breaks the API, but doing it as a 'naming convention' doesn't :)	01:24
adriant	ah yes, the rabbit hole of rejected specs that is this: https://review.openstack.org/#/c/318605/	01:27
adriant	lbragstad: looks like you even commented on those :)	01:28
lbragstad	it's been a while	01:30
*** jamesmcarthur has quit IRC		01:30
adriant	that's a little before I started playing around a lot more with Keystone, so I missed those discussions until afterwards.	01:31
adriant	and by that point the first spec (which solved my particular use case) was abandoned	01:31
*** Dinesh_Bhor has joined #openstack-keystone		01:32
*** jamesmcarthur has joined #openstack-keystone		01:33
*** markvoelker has quit IRC		01:35
lbragstad	cmurphy vishakha - i started an etherpad in case either of you find it useful to see what i'm doing with blueprint https://etherpad.openstack.org/p/keystone-blueprint-cleanup	01:46
*** openstackgerrit has joined #openstack-keystone		01:46
openstackgerrit	Merged openstack/keystonemiddleware master: Add auth invalidation in auth_token for identity endpoint update https://review.openstack.org/633695	01:46
lbragstad	also - i'm open to feedback if you have an alternative way of doing things	01:46
*** gyee has quit IRC		01:47
* lbragstad signs off for a bit		01:48
*** jamesmcarthur has quit IRC		01:53
*** jamesmcarthur has joined #openstack-keystone		01:54
*** yankcrime has joined #openstack-keystone		02:01
*** jamesmcarthur has quit IRC		02:05
*** jamesmcarthur has joined #openstack-keystone		02:16
*** jamesmcarthur has quit IRC		02:28
*** penguinepimple has left #openstack-keystone		02:41
*** Dinesh_Bhor has quit IRC		02:44
*** Dinesh_Bhor has joined #openstack-keystone		02:48
*** vishakha has joined #openstack-keystone		02:58
*** jamesmcarthur has joined #openstack-keystone		02:59
*** jamesmcarthur has quit IRC		03:06
*** jamesmcarthur has joined #openstack-keystone		03:26
*** jamesmcarthur has quit IRC		03:30
*** opetrenko_ has quit IRC		03:49
*** spsurya has joined #openstack-keystone		03:55
*** lbragstad has quit IRC		04:32
*** shyamb has joined #openstack-keystone		05:03
*** shyamb has quit IRC		05:53
*** shyamb has joined #openstack-keystone		05:55
*** markvoelker has joined #openstack-keystone		06:00
*** markvoelker has quit IRC		06:04
*** imacdonn has quit IRC		06:13
*** Dinesh_Bhor has quit IRC		06:30
openstackgerrit	weizj proposed openstack/oslo.policy master: Update hacking version https://review.openstack.org/627651	06:33
*** Dinesh_Bhor has joined #openstack-keystone		06:39
*** markvoelker has joined #openstack-keystone		07:00
*** ileixe has joined #openstack-keystone		07:07
*** adriant has quit IRC		07:11
*** adriant has joined #openstack-keystone		07:11
*** josecastroleon has joined #openstack-keystone		07:15
openstackgerrit	weizj proposed openstack/oslo.limit master: Update hacking version https://review.openstack.org/627656	07:15
*** jamesmcarthur has joined #openstack-keystone		07:26
*** jamesmcarthur has quit IRC		07:31
*** markvoelker has quit IRC		07:34
*** shyamb has quit IRC		07:41
*** yan0s has joined #openstack-keystone		08:07
vishakha	lbragstad, cmurphy : I am updating the same etherpad https://etherpad.openstack.org/p/keystone-blueprint-cleanup with blueprints on which I commented.	08:12
*** markvoelker has joined #openstack-keystone		08:31
*** liumk_ has joined #openstack-keystone		08:36
*** tkajinam has quit IRC		08:36
*** liumk_ has quit IRC		08:50
*** shyamb has joined #openstack-keystone		08:53
*** xek has joined #openstack-keystone		08:54
*** markvoelker has quit IRC		09:04
*** liumk2233 has joined #openstack-keystone		09:08
*** liumk2233 has quit IRC		09:14
*** liumk_ has joined #openstack-keystone		09:15
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Correcting tests with project_id https://review.openstack.org/634394	09:32
*** liumk_ has quit IRC		09:35
*** markvoelker has joined #openstack-keystone		10:02
*** markvoelker has quit IRC		10:34
*** shyamb has quit IRC		10:58
*** ileixe has quit IRC		11:20
*** Dinesh_Bhor has quit IRC		11:21
*** markvoelker has joined #openstack-keystone		11:30
*** shyamb has joined #openstack-keystone		11:32
*** raildo has joined #openstack-keystone		11:42
*** raildo_ has joined #openstack-keystone		11:58
*** raildo has quit IRC		12:01
*** markvoelker has quit IRC		12:04
*** rmascena__ has joined #openstack-keystone		12:27
*** raildo_ has quit IRC		12:30
*** erus has joined #openstack-keystone		12:58
*** markvoelker has joined #openstack-keystone		13:01
*** shyamb has quit IRC		13:13
*** jamesmcarthur has joined #openstack-keystone		13:14
*** jamesmcarthur has quit IRC		13:29
*** Dinesh_Bhor has joined #openstack-keystone		13:34
*** markvoelker has quit IRC		13:34
*** vishakha has quit IRC		13:35
*** lbragstad has joined #openstack-keystone		13:41
*** ChanServ sets mode: +o lbragstad		13:41
*** Dinesh_Bhor has quit IRC		13:44
*** jamesmcarthur has joined #openstack-keystone		13:50
*** jmlowe has quit IRC		13:54
*** Dinesh_Bhor has joined #openstack-keystone		14:22
*** jamesmcarthur has quit IRC		14:26
lbragstad	cmurphy do you see a use case for https://blueprints.launchpad.net/keystone/+spec/domain-specific-mapping ?	14:31
*** markvoelker has joined #openstack-keystone		14:31
lbragstad	that blueprint does seem to fall in line with the self-service aspect of the keystone vision and openstack vision	14:37
lbragstad	by allowing domain users access to mappings	14:37
cmurphy	lbragstad: did that get covered by http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ocata/shadow-mapping.html ? i can't quite tell at a quick skim	14:38
lbragstad	cmurphy i double checked	14:38
lbragstad	cmurphy shadow mappings need to be created by system administrators, right?	14:38
cmurphy	lbragstad: yeah	14:38
cmurphy	i definitely see a use for domain specific mappings, it goes along with native saml and self service domain admins	14:39
lbragstad	i think what henry was trying to get at with that blueprint, is the ability for domain administrators to modify mappings for the domain+idp they are using with federation	14:39
cmurphy	makes sense to me, i think native saml is a prereq for that though	14:40
lbragstad	iiuc - the mapping logic in keystone is all api driven, do we need native saml for it?	14:40
lbragstad	we need native saml for full domain admin federation support for sure	14:41
lbragstad	but if i'm a domain admin and you're a system admin, you setup the shib mappings and trust my identity provider, then i get the keys and i can update mappings based on assertions issued by my idp?	14:42
lbragstad	e.g., i don't have to ask you to setup a mapping specific to my assertions	14:44
* cmurphy thinks...the mapping would take input from the saml assertion which means it's useful to have direct control over the identity provider and the service provider configuration settings, i guess not required if you're able to get that information from your admin		14:44
lbragstad	i should clarify - i'm thinking about the keystone mapping, not the shib mapping	14:45
cmurphy	yeah but it's still looking into the saml assertion to get the values in the "remote" section of the mapping	14:46
lbragstad	yeah - because those come from the shib mapping output	14:46
lbragstad	hmm	14:46
cmurphy	so you're right not 100% required, just more useful if paired with domain admin control of the idp	14:46
lbragstad	yeah - absolutely	14:46
cmurphy	in any case i would unmark that as invalid and we should revisit the spec	14:47
lbragstad	i think so, too	14:47
lbragstad	for blueprints like this, I'll just mark them as "discussion"	14:48
cmurphy	i marked a couple others in the etherpad that i think should be revisited	14:48
cmurphy	i didn't make it through the whole list	14:48
lbragstad	well - it's a long list	14:48
cmurphy	ya	14:48
cmurphy	who knew	14:48
lbragstad	it hasn't been cleaned up in years...	14:49
lbragstad	because i've never done it - and i can't remember if steve ever did? i just see updates from 2016-02-02 to the whiteboard	14:49
cmurphy	not sure if we can block the blueprints feature in lp but maybe after this cleanup is done we should add a note to use bugs and specs instead	14:50
lbragstad	yeah - we need something that describes the process	14:51
lbragstad	i came up dry trying to find any documentation on "how to write specs"	14:51
lbragstad	i think the best we have is the template	14:51
*** jamesmcarthur has joined #openstack-keystone		14:55
openstackgerrit	Jose Castro Leon proposed openstack/keystone master: Adds caching of credentials https://review.openstack.org/636645	14:58
*** jmlowe has joined #openstack-keystone		14:59
*** markvoelker has quit IRC		15:04
kmalloc	lbragstad: I have a fix proposed to the template to indicate use of bugs over BPs	15:15
lbragstad	sounds good	15:15
kmalloc	I'd just close all blueprints after period x with prejudice.	15:15
lbragstad	launchpad does have a toggle for blueprints, so i would guess that we don't have to use them	15:16
kmalloc	https://review.openstack.org/#/c/625282/	15:16
*** Dinesh_Bhor has quit IRC		15:16
lbragstad	what i mean by that is if we are going to move to RFE bugs, then i'd like to completely shutoff the ability for people to open blueprints at all	15:17
kmalloc	Yes	15:17
lbragstad	but i do want the archive	15:17
lbragstad	i want the cake and i want to eat it, too!	15:17
kmalloc	Turning off in LP I think turns off the archive	15:18
*** jmlowe has quit IRC		15:18
lbragstad	of course it would	15:18
kmalloc	Not delete though iirc	15:18
cmurphy	we can copy the ones we want to keep into bugs	15:18
kmalloc	I think it is fine to lose the archive at this point. Copy to bug.. what cmurphy said	15:18
lbragstad	like - pending blueprints cmurphy? or all blueprints?	15:18
kmalloc	All pending	15:19
lbragstad	oh - right	15:19
cmurphy	lbragstad: whatever we dont' want to get rid of	15:19
kmalloc	Old bps are going away with the move to sb anyway.	15:19
kmalloc	So shrug	15:19
kmalloc	It's really ok, BPs provide not a ton of info these days that isn't in reno	15:19
lbragstad	what i don't want to lose it stuff like this - http://specs.openstack.org/openstack/keystone-specs/specs/keystone/juno/non-persistent-tokens.html	15:20
lbragstad	which points to all the patches in https://blueprints.launchpad.net/keystone/+spec/non-persistent-tokens	15:20
kmalloc	Honestly, we could write a bit that just closes BPs if you want.	15:21
kmalloc	Personally I am ok with losing that, perhaps we just do a mass update of those specs and copy the content into them.and drop the links.	15:21
kmalloc	They are archive only, not active.	15:22
kmalloc	As part of the shut down BPs bit.	15:22
*** jmlowe has joined #openstack-keystone		15:23
lbragstad	well - let's see if that's even necessary	15:25
kmalloc	You know, I think copy/paste the BP content into a <pre> block in the archived specs and drop the link is the best bet the more I think about it if we lose the archive access.	15:25
lbragstad	let's go through all the existing ones, mark invalid ones as obsolete, move interesting ones to formal specs or bugs, and then at that point i'll try disabling them in launchpad for keystone	15:26
lbragstad	then we can test if the links still work	15:26
kmalloc	Wfm	15:26
*** shyamb has joined #openstack-keystone		15:28
*** jmlowe has quit IRC		15:54
*** jmlowe has joined #openstack-keystone		15:58
*** markvoelker has joined #openstack-keystone		16:01
*** shyam89 has joined #openstack-keystone		16:14
*** shyamb has quit IRC		16:16
*** shyamb has joined #openstack-keystone		16:17
*** rafaelweingartne has joined #openstack-keystone		16:18
rafaelweingartne	Hello guys, what is the status of the endpoint filtering feature in Keystone?	16:18
rafaelweingartne	I mean, I am having some odd issues	16:18
*** ayoung has quit IRC		16:19
rafaelweingartne	When I read, endpoing groups, I was expecting to be able to create rules such as : { "service_id": "<service1>", "service_id": "<service2>"}	16:20
rafaelweingartne	however, that does not seem to work	16:20
rafaelweingartne	I tried to read some docs and blueprints, but they did not give me much on what is implemented there	16:20
rafaelweingartne	Is it fully implemented?	16:20
rafaelweingartne	for instance, I tried: { "interface": "public" }	16:21
*** shyam89 has quit IRC		16:21
rafaelweingartne	and this rules works, it lists only public enpoints	16:21
rafaelweingartne	on the other hand, this rule : { "service_id": "serviceID"}	16:21
rafaelweingartne	does not work	16:21
rafaelweingartne	it continues listing all services endpoints	16:21
*** markvoelker has quit IRC		16:34
*** jmlowe has quit IRC		16:38
*** jmlowe has joined #openstack-keystone		16:44
lbragstad	rafaelweingartne i haven't looked at that feature in a while, but you might need to build an association between a group of endpoints and a project	16:49
lbragstad	users with a token scoped to that project should get a filtered catalog in the response	16:50
rafaelweingartne	that is what I am doing	16:50
rafaelweingartne	but, it gets even more strange	16:51
*** jamesmcarthur has quit IRC		16:51
rafaelweingartne	I have these two configurations rafael-EP-filtering-group-restrict-public.json and rafael-EP-filtering-group-restrict-internal.json	16:51
rafaelweingartne	these a basic filters, the first one filters interfaces by public, and the second by internal	16:51
*** shyamb has quit IRC		16:51
rafaelweingartne	the content of each one of them is the following: { "interface": "public" } and { "interface": "internal" }	16:52
rafaelweingartne	Then,	16:52
rafaelweingartne	I issue the commands:	16:52
rafaelweingartne	openstack endpoint group create rafael-test1-ep-filter rafael-EP-filtering-group-restrict-public.json	16:52
rafaelweingartne	openstack endpoint group create rafael-test3-ep-filter rafael-EP-filtering-group-restrict-internal.json	16:52
rafaelweingartne	afterwards, if I issue: openstack endpoint group list	16:53
rafaelweingartne	I can see both of them	16:53
rafaelweingartne	however, if I issue: openstack endpoint group show rafael-test1-ep-filter More than one endpointgroup exists with the name 'rafael-test1-ep-filter'.	16:53
rafaelweingartne	I get an error saying that there are more than one with the same name	16:54
rafaelweingartne	I then, proceeed and use the show command with a uuid	16:54
rafaelweingartne	openstack endpoint group show 0dcfa90ff2c84510a04d1c32fdad7e07	16:54
rafaelweingartne	and I get this: +-------------+----------------------------------+ \| Field \| Value \| +-------------+----------------------------------+ \| description \| None \| \| filters \| {u'interface': u'internal'} \| \| id \| 0dcfa90ff2c84510a04d1c32fdad7e07 \| \| name \| rafael-test3-ep-filter \| +-------------+----------------------------	16:54
*** gyee has joined #openstack-keystone		16:55
lbragstad	for pastes - you can use paste.openstack.org if that helps	16:55
*** jamesmcarthur has joined #openstack-keystone		17:00
*** rmascena__ has quit IRC		17:04
*** rmascena__ has joined #openstack-keystone		17:05
*** itlinux has joined #openstack-keystone		17:05
lbragstad	https://blueprints.launchpad.net/keystone/+spec/keystone-lib is an interesting idea	17:07
*** itlinux has quit IRC		17:09
*** itlinux_ has joined #openstack-keystone		17:09
*** itlinux_ has quit IRC		17:14
*** itlinux has joined #openstack-keystone		17:15
*** jamesmcarthur has quit IRC		17:22
*** jmlowe has quit IRC		17:23
lbragstad	https://blueprints.launchpad.net/keystone should be relatively clean now	17:27
lbragstad	these are the changes we made	17:27
lbragstad	https://etherpad.openstack.org/p/keystone-blueprint-cleanup	17:27
lbragstad	i think our next steps are to figure out the migration away from blueprints so i can disable them in launchpad	17:28
lbragstad	and formally documenting out RFE bug process in the template ( kmalloc has a patch up already) and in the contributor guide (still needs to be done)	17:28
lbragstad	s/out/our/	17:28
lbragstad	then - we need to migrate applicable blueprints to RFE bugs and copy the context	17:29
lbragstad	unless anyone has objections, we'll plan on stein being the last release we use blueprints for	17:29
*** itlinux has quit IRC		17:30
*** markvoelker has joined #openstack-keystone		17:32
lbragstad	documented the next steps on line 79 here - https://etherpad.openstack.org/p/keystone-blueprint-cleanup	17:33
*** jamesmcarthur has joined #openstack-keystone		17:34
*** itlinux has joined #openstack-keystone		17:36
*** itlinux_ has joined #openstack-keystone		17:39
*** itlinux has quit IRC		17:41
*** erus has quit IRC		17:42
*** erus has joined #openstack-keystone		17:42
*** erus has quit IRC		17:49
*** awalende has joined #openstack-keystone		17:58
*** erus has joined #openstack-keystone		17:59
*** markvoelker has quit IRC		18:04
*** jmlowe has joined #openstack-keystone		18:08
*** itlinux_ has quit IRC		18:08
*** awalende has quit IRC		18:19
*** awalende has joined #openstack-keystone		18:21
*** erus has quit IRC		18:25
*** erus has joined #openstack-keystone		18:27
*** awalende has quit IRC		18:35
*** awalende has joined #openstack-keystone		18:38
*** erus has quit IRC		18:43
*** erus has joined #openstack-keystone		18:45
*** markvoelker has joined #openstack-keystone		19:01
*** raildo has joined #openstack-keystone		19:12
*** rmascena__ has quit IRC		19:13
*** rafaelweingartne has quit IRC		19:19
*** markvoelker has quit IRC		19:34
openstackgerrit	Merged openstack/keystone master: Fix wrong example for direct_maps https://review.openstack.org/635444	19:37
openstackgerrit	Merged openstack/keystone master: Seperated CADF notifications tests for request_id https://review.openstack.org/635101	19:37
*** awalende has quit IRC		19:39
*** irclogbot_1 has quit IRC		19:47
*** jamesmcarthur has quit IRC		19:55
*** irclogbot_1 has joined #openstack-keystone		20:00
*** jamesmcarthur has joined #openstack-keystone		20:07
*** jamesmcarthur has quit IRC		20:12
*** jamesmcarthur has joined #openstack-keystone		20:16
*** jmlowe has quit IRC		20:28
*** markvoelker has joined #openstack-keystone		20:31
*** jamesmcarthur has quit IRC		20:35
*** itlinux has joined #openstack-keystone		21:04
*** markvoelker has quit IRC		21:05
*** raildo has quit IRC		21:06
*** xek has quit IRC		21:07
*** jmlowe has joined #openstack-keystone		21:15
gagehugo	our unit tests sure do create a lot of deprecated policy spam :(	21:21
lbragstad	yep - sorry about that	21:23
*** erus has quit IRC		21:25
*** jamesmcarthur has joined #openstack-keystone		21:25
*** erus has joined #openstack-keystone		21:25
*** jamesmcarthur has quit IRC		21:30
*** whoami-rajat has quit IRC		21:32
lbragstad	wxy-xiyuan http://lists.openstack.org/pipermail/openstack-discuss/2019-February/002674.html	21:35
*** itlinux has quit IRC		21:58
*** markvoelker has joined #openstack-keystone		22:02
*** erus has quit IRC		22:20
*** erus has joined #openstack-keystone		22:20
*** openstackgerrit has quit IRC		22:22
*** erus has quit IRC		22:26
*** eandersson has quit IRC		22:33
*** erus has joined #openstack-keystone		22:33
*** markvoelker has quit IRC		22:34
*** cburgess has quit IRC		22:36
*** cburgess has joined #openstack-keystone		22:38
*** erus has quit IRC		22:40
*** jamesmcarthur has joined #openstack-keystone		22:43
*** jamesmcarthur has quit IRC		22:48
*** erus has joined #openstack-keystone		22:50
*** erus has quit IRC		22:50
*** jamesmcarthur has joined #openstack-keystone		22:51
*** eandersson has joined #openstack-keystone		22:59
*** david-lyle has quit IRC		23:02
*** dklyle has joined #openstack-keystone		23:02
*** tkajinam has joined #openstack-keystone		23:05
*** jamesmcarthur has quit IRC		23:07
*** jamesmcarthur has joined #openstack-keystone		23:27
*** markvoelker has joined #openstack-keystone		23:31
*** jamesmcarthur has quit IRC		23:33
*** jamesmcarthur has joined #openstack-keystone		23:49
*** lbragstad has quit IRC		23:52
*** jamesmcarthur has quit IRC		23:53
*** jamesmcarthur has joined #openstack-keystone		23:56

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!