Thursday, 2019-03-21

*** lbragstad has quit IRC00:14
*** jamesmcarthur has quit IRC00:27
*** gyee has quit IRC00:48
*** ileixe has joined #openstack-keystone00:56
*** jamesmcarthur has joined #openstack-keystone00:58
wxy-xiyuancmurphy: lbragstad: sorry that I was offline yesterday. Just saw your message.01:11
*** jamesmcarthur has quit IRC01:15
*** jamesmcarthur has joined #openstack-keystone01:16
openstackgerritMerged openstack/keystone master: Implement domain reader functionality for projects  https://review.openstack.org/624218 01:31
openstackgerritMerged openstack/keystone master: Implement domain member functionality for projects  https://review.openstack.org/624219 01:31
*** lbragstad has joined #openstack-keystone01:35
*** ChanServ sets mode: +o lbragstad01:35
*** jamesmcarthur has quit IRC01:39
*** jamesmcarthur has joined #openstack-keystone01:40
*** jamesmcarthur has quit IRC01:44
openstackgerritMerged openstack/keystone master: Make system members the same as system readers for credentials  https://review.openstack.org/641128 01:45
*** jamesmcarthur has joined #openstack-keystone02:35
*** markvoelker has joined #openstack-keystone02:43
*** jamesmcarthur has quit IRC02:59
*** jamesmcarthur has joined #openstack-keystone03:04
*** jamesmcarthur has quit IRC03:18
*** erus has quit IRC03:18
*** erus has joined #openstack-keystone03:19
*** jamesmcarthur has joined #openstack-keystone03:19
*** jamesmcarthur has quit IRC03:49
*** erus has quit IRC03:49
*** erus has joined #openstack-keystone03:49
*** whoami-rajat has joined #openstack-keystone04:10
*** ileixe has quit IRC04:21
*** ileixe has joined #openstack-keystone04:34
*** phasespace has quit IRC05:14
*** lbragstad has quit IRC06:06
*** pcaruana has joined #openstack-keystone06:11
*** phasespace has joined #openstack-keystone07:18
*** rcernin has quit IRC07:24
*** xek_ has joined #openstack-keystone07:41
*** openstackgerrit has quit IRC08:17
*** whoami-rajat has quit IRC09:10
*** whoami-rajat has joined #openstack-keystone09:18
*** pcaruana has quit IRC09:45
*** pcaruana has joined #openstack-keystone09:46
*** openstackgerrit has joined #openstack-keystone10:49
*** erus has quit IRC10:49
openstackgerritColleen Murphy proposed openstack/keystone master: [WIP] Add domain scope support for group policies  https://review.openstack.org/643937 10:49
*** erus has joined #openstack-keystone10:50
*** jaosorior has quit IRC10:53
*** ileixe has quit IRC11:20
*** whoami-rajat has quit IRC11:30
*** whoami-rajat has joined #openstack-keystone11:34
*** dave-mccowan has joined #openstack-keystone11:51
*** jaosorior has joined #openstack-keystone11:51
*** raildo has joined #openstack-keystone11:53
*** dave-mccowan has quit IRC11:53
*** jamesmcarthur has joined #openstack-keystone12:11
*** markvoelker has quit IRC12:22
*** jamesmcarthur has quit IRC12:30
*** jamesmcarthur has joined #openstack-keystone12:31
*** jamesmcarthur has quit IRC12:35
*** lbragstad has joined #openstack-keystone12:54
*** ChanServ sets mode: +o lbragstad12:54
*** irclogbot_3 has quit IRC13:07
*** irclogbot_3 has joined #openstack-keystone13:08
*** jamesmcarthur has joined #openstack-keystone13:10
*** altlogbot_3 has quit IRC13:23
*** altlogbot_1 has joined #openstack-keystone13:24
*** altlogbot_1 has quit IRC13:39
*** whoami-rajat has quit IRC13:40
*** altlogbot_3 has joined #openstack-keystone13:40
bnemeclbragstad: The Bison are still dancing!13:41
lbragstadyessir13:41
bnemecAnd can we just take a moment to appreciate that sports slang allows me to use that phrase with a straight face? :-)13:41
lbragstadwe'll see what happens with Duke ;)13:42
*** irclogbot_3 has quit IRC13:45
bnemecWorst case scenario, you get to watch Zion Williamson for 40 minutes.13:45
bnemecA man that large should not be able to move the way he does.13:46
*** irclogbot_2 has joined #openstack-keystone13:46
lbragstad https://www.inforum.com/sports/basketball/990981-Schnepf-With-Duke-next-NDSU-will-receive-the-most-exposure-the-school-has-ever-seen 13:48
lbragstadthey are expecting *this* game to be the most exposure the university has ever seen13:48
lbragstadwhich is a real bold statement, given NDSU's football program has won 7 national titles in 8 years13:49
*** erus has quit IRC13:51
*** adriant has quit IRC13:51
*** adriant has joined #openstack-keystone13:52
*** jistr is now known as jistr|call13:52
bnemecImpressive. Although I'm probably a bit biased because my cousin went to NDSU too, so I pay more attention to it than most people.13:54
bnemecAnd you never know. There's precedent for a 16-1 upset now. :-)13:55
*** phasespace has quit IRC13:58
* lbragstad is glad he went to NDSU before tuition rates increased with every national championship13:58
*** jistr|call is now known as jistr14:00
openstackgerritMerged openstack/keystone master: trivial: correct spelling in test names  https://review.openstack.org/644993 14:01
openstackgerritLance Bragstad proposed openstack/keystone master: Remove assignment policies from policy.v3cloudsample.json  https://review.openstack.org/640943 14:07
lbragstadok - most patches in https://etherpad.openstack.org/p/keystone-stein-rc2-tracking are rechecked and passing zuul14:08
lbragstada lot of them already have +2 if anyone is looking to do reviews14:08
*** jaosorior has quit IRC14:15
*** whoami-rajat has joined #openstack-keystone14:23
gagehugoo/14:28
*** jamesmcarthur has quit IRC14:29
*** jamesmcarthur has joined #openstack-keystone14:35
*** altlogbot_3 has quit IRC14:35
*** altlogbot_3 has joined #openstack-keystone14:36
*** irclogbot_2 has quit IRC14:38
*** irclogbot_0 has joined #openstack-keystone14:39
openstackgerritLance Bragstad proposed openstack/keystone master: Update system grant policies for system reader  https://review.openstack.org/622615 14:44
openstackgerritLance Bragstad proposed openstack/keystone master: Update system grant policies for system member  https://review.openstack.org/645021 14:44
openstackgerritLance Bragstad proposed openstack/keystone master: Update system grant policies for system admin  https://review.openstack.org/645022 14:44
openstackgerritLance Bragstad proposed openstack/keystone master: Test domain users against system assignment API  https://review.openstack.org/645023 14:44
openstackgerritLance Bragstad proposed openstack/keystone master: Test project users against system assignment API  https://review.openstack.org/645024 14:44
lbragstadcmurphy we haven't made mention of the rc tracking etherpad on the mailing list, have we?14:45
cmurphylbragstad: not yet afaik14:45
lbragstadwould you like me to send a note? or were you planning on including it in the newsletter?14:45
cmurphyit's already in my newsletter draft but i wasn't going to send that till tomorrow or saturday so feel free to drop a note now14:46
cmurphyfyi i'm taking tomorrow off mostly14:46
lbragstadack14:50
lbragstaddone14:50
cmurphyty14:51
lbragstadi assume next week is going to be the last opportunity we have to get things in for rc214:51
lbragstadthe week after is the final target14:51
cmurphypretty much14:51
cmurphywe probably have till thursday of that week to actually propose rc214:51
lbragstadcutting RCs close to final target gives me the nervous sweats14:52
cmurphy:)14:52
lbragstadso we're planning on having RC2 by the 28th?14:52
lbragstador 4/1 or 4/2?14:54
cmurphyimo i would say either when all the major rc2 bugs are closed or by 4/2 whichever comes first14:55
* lbragstad nods14:55
*** raildo has quit IRC14:56
openstackgerritOpenStack Release Bot proposed openstack/keystone master: Update master for stable/stein  https://review.openstack.org/645201 14:57
*** raildo has joined #openstack-keystone14:58
* gagehugo watches 50 emails appear about issues fixed in rc115:02
bnemecHeh, +7'd.15:03
bnemecAlso, \o/ for 20% performance improvements!15:03
*** jamesmcarthur has quit IRC15:27
*** jamesmcarthur has joined #openstack-keystone15:45
*** erus has joined #openstack-keystone15:49
*** jamesmcarthur has quit IRC15:50
*** jamesmcarthur has joined #openstack-keystone15:54
*** gyee has joined #openstack-keystone15:57
mordredcmurphy, lbragstad, kmalloc: https://review.openstack.org/#/c/644251/ if you get a sec - it's in service of the stack moving nova away from python-*client16:04
lbragstadcmurphy are we missing a link to release notes https://docs.openstack.org/releasenotes/keystone/  for stein?16:05
mordredhttps://review.openstack.org/#/c/643601/ is an example using it16:05
cmurphylbragstad: I assume that will appear when stein is released?16:05
kmallocmordred: +2. i'll let lbragstad or cmurphy +A16:06
cmurphyoh the current series is empty16:06
kmallocmordred: it looks sane to me.16:06
cmurphyhmm16:06
lbragstad http://lists.openstack.org/pipermail/openstack-discuss/2019-March/004093.html 16:06
kmallocbnemec: I should have a local test of oslo.cache today16:06
cmurphylbragstad: maybe we should check with release team16:06
kmallocbnemec: if you really think we can't release an oslo.cache update i'll do dirty things in keystone16:06
lbragstad++16:07
kmallocbnemec: but really it won't be good because i'll need to specifically introspect oslo.cache options16:07
openstackgerritMerged openstack/keystone master: Implement domain reader functionality for user API  https://review.openstack.org/623319 16:07
gagehugouh16:07
openstackgerritMerged openstack/keystone master: Implement domain member functionality for user API  https://review.openstack.org/623320 16:07
kmallocand we try not to do "read/modify options from other source" where possible16:07
bnemeckmalloc: I'm fine with releasing oslo.cache to fix this. We'll need to convince the release/requirements teams too though. :-)16:08
bnemecYeah, that would be grosser than my eventlet pool fix.16:08
kmallocbnemec: the other option is defer the fix till post Stein release, and backport the fix16:09
*** erus has quit IRC16:09
kmalloci have a patch for KSM i'm spinning up for the non-oslo-cache path(s)16:09
bnemecSeems silly to wait when we have a fix.16:09
*** erus has joined #openstack-keystone16:09
bnemecIt's not like we aren't going to fix this, it's just a question of timing.16:09
bnemecI'd rather have it available in the initial release of Stein that people will start testing.16:09
cmurphyeither way we'd have to convince them, keystonemiddleware is just as frozen as oslo.cache16:10
kmalloci agree.16:10
kmallocbut it is a lower barrier to just backport16:10
kmallocif people get grumpy this late in16:10
kmallocwe've lived with this issue since the inception of caching in keystone / keystonemiddleware16:10
bnemecTrue. I guess if we can't convince the R teams that we need this then we just wait.16:10
kmallocso... since ... uhm... havana?16:11
kmallocpartly back then we couldn't use flush-on-reconnect because memcache was used to store the token data16:11
kmallocrather than just a cache16:11
mordredkmalloc: \o/ - and also \o/ to less python-*client in life16:11
bnemecIn any case, we need to get the patch merged on master.16:12
bnemecThen we can start arguing about when the backport gets released.16:12
* cmurphy needs to be away for a couple of hours, will look at 644251 later if someone else doesn't get to it first16:12
kmallocmordred: i still want to move OSC to SDK for keystone... and then deprecate keystoneclient :)16:12
mordredkmalloc: yes. I want to start working on that16:13
kmallocbnemec: yep, so, do you want me to do a VERY mocked up test that checks flush is called on reconnect?16:13
kmallocbnemec: or are you really ok with just local confirmation and test-less (letting functional/tempest) confirm we aren't breaking things in the non-reconnect model16:14
bnemeckmalloc: If you can add a basic unit test that would make it more obvious if someone tries to remove this in the future.16:14
kmallocwfm.16:15
bnemecBut we can't meaningfully test this in unit tests, so meh.16:15
kmallocwill do i think i can just mock the heck out of the client.16:15
kmalloci might spin up a functional test for oslo-cache (suite) that installs memcached and runs a suite of "did this do a thing"16:15
kmallocthe hard part is forcing a disconnect... but i think i know how to do that too16:15
kmallocthat latter part can come in Train.16:16
kmallocthe functional tests that is.16:16
bnemec+116:16
*** mriedem has joined #openstack-keystone16:16
openstackgerritMatt Riedemann proposed openstack/keystone master: Fix typo in docs section header  https://review.openstack.org/645224 16:16
mriedemATC accomplishment unlocked!16:19
bnemecmriedem: Hasn't merged yet. :-P16:20
kmallocmriedem: oh no, you're going to use that to run for PTL next cycle aren't you? :P16:21
bnemeclol16:23
*** njohnston has joined #openstack-keystone16:23
* bnemec makes a note to run for PTL in all the projects where he has ATC16:24
njohnstonHi!  I have a question about oslo.policy, specifically vis-a-vis its application in Neutron - bnemec suggested I post it here.  When creating a port, a user can supply an option to enable or disable port security, which in the default policy is only permitted for "rule:context_is_advsvc or rule:admin_or_network_owner".16:24
njohnstonIf a normal non-admin user tries to create a port without supplying a port security option it works, with the default "port_security: True".  If that same user supplies the option to enable port security it fails the policy check, even though it means no change in the resulting port.  Is there a way to bypass the policy check when the thing being checked would result in a no-op?16:24
kmallocnjohnston: depends on how neutron manages enforcement16:26
kmallocnjohnston: the easiest mechanism is just to not call 'enforce()' in cases you don't want to.16:27
kmallocnjohnston: it is totally fine to call enforce() conditionally or even multiple times in a given call16:27
*** jaosorior has joined #openstack-keystone16:27
kmallocso, enforce() can be called to see if the user has access to create a port, and then enforce() can be called again in the case when port_security is checked16:28
mriedemkmalloc: oh god no16:28
kmallocthe default rule would need to be split into 2 cases for that16:28
kmallocif you're doing enforcement as a decorator, you've backed yourself into a corner16:28
*** jamesmcarthur has quit IRC16:29
kmallocyou could also strip data out of the target_dict/enforcement data to make it conform before you call enforce()16:29
kmallocwe do a mix of both within keystone.16:29
*** mriedem has left #openstack-keystone16:29
kmallocwe specifically moved away from decorator based because of headaches.16:30
*** erus has quit IRC16:30
*** erus has joined #openstack-keystone16:30
njohnstonkmalloc: No, we don't do a decorator, we do it in the API base as pretty much the first thing out of the gate.  That tells me that in order to do this we'd need to put that check-defaults code right at the start of request processing.  https://opendev.org/openstack/neutron/src/branch/master/neutron/api/v2/base.py#L468 16:32
kmallocright16:33
kmallocand that is exactly why you should enforce in the API like you do :)16:33
kmallocso you can move bits up and pre-process the request as needed16:33
njohnstonkmalloc: Thanks for the help, that really clarifies the task!16:33
kmallocsure thing!16:34
*** mvkr has quit IRC16:48
*** jamesmcarthur has joined #openstack-keystone16:55
*** jamesmcarthur has quit IRC17:01
*** mvkr has joined #openstack-keystone17:16
*** gmann is now known as gmann_afk17:43
*** mvkr has quit IRC17:46
*** cfey has joined #openstack-keystone18:05
cfeyHi all, can someone maybe help me with keystone auth methods to implement an openidc config?18:07
cfeyFollowing tutorial https://cloud.denbi.de/wiki/cloud_admin/elixir_OIDC/ (and others also) create a method called "oidc" defined as "oidc = keystone.auth.plugins.mapped.Mapped" but it looks like this does not work since ocata. At the moment I'm a bit lost..tried with "openid" and "mapped" but always get the following error "Authorization failed. Attempted to authenticate with an unsupported method."18:10
*** whoami-rajat has quit IRC18:23
openstackgerritMerged openstack/keystone master: Implement domain admin functionality for projects  https://review.openstack.org/624220 18:29
openstackgerritMerged openstack/keystone master: Remove project policies from policy.v3cloudsample.json  https://review.openstack.org/624222 18:29
*** gmann_afk is now known as gmann18:40
openstackgerritLance Bragstad proposed openstack/keystone master: Add explicit testing for project users and the user API  https://review.openstack.org/623322 18:44
openstackgerritLance Bragstad proposed openstack/keystone master: Remove user policies from policy.v3cloudsample.json  https://review.openstack.org/623323 18:44
gagehugolbragstad: one question on https://review.openstack.org/#/c/638587/ 18:46
gagehugos/question/comment18:46
openstackgerritLance Bragstad proposed openstack/keystone master: Implement domain reader for role_assignments  https://review.openstack.org/638587 18:49
openstackgerritLance Bragstad proposed openstack/keystone master: Add role assignment test coverage for domain members  https://review.openstack.org/638593 18:49
openstackgerritLance Bragstad proposed openstack/keystone master: Add role assignment test coverage for domain admins  https://review.openstack.org/638597 18:49
openstackgerritLance Bragstad proposed openstack/keystone master: Add role assignment testing for project users  https://review.openstack.org/639718 18:49
openstackgerritLance Bragstad proposed openstack/keystone master: Remove assignment policies from policy.v3cloudsample.json  https://review.openstack.org/640943 18:50
lbragstadgagehugo nice - thanks18:50
lbragstadfixed ^18:50
*** itlinux has quit IRC18:55
*** awalende has joined #openstack-keystone19:11
*** mvkr has joined #openstack-keystone19:13
*** phluger has joined #openstack-keystone19:23
*** whoami-rajat has joined #openstack-keystone19:25
openstackgerritLance Bragstad proposed openstack/keystone master: Update system group assignment policies for reader and member  https://review.openstack.org/645309 19:29
openstackgerritLance Bragstad proposed openstack/keystone master: Update group system grant policies for admins  https://review.openstack.org/645310 19:29
openstackgerritLance Bragstad proposed openstack/keystone master: Test domain and project users against group system assignment API  https://review.openstack.org/645311 19:29
openstackgerritLance Bragstad proposed openstack/keystone master: Remove system assignment policies from policy.v3cloudsample.json  https://review.openstack.org/645312 19:29
*** vkmc has joined #openstack-keystone20:07
vkmco/20:08
vkmcI'm working on removing the dependency for keystoneclient in the manilaclient, and I have a few questions wrt keystoneauth20:08
vkmcI see some projects got rid of their httpclients in favour of a sessionclient, extending the adapter.jsonlegacyadapter class20:09
vkmcis this the recommended way to proceed?20:10
vkmcjamielennox, I saw you worked on this on cinder side, so maybe you can give me a few pointers20:10
*** phluger has quit IRC20:45
*** raildo has quit IRC21:12
*** cfey has quit IRC21:30
*** pcaruana has quit IRC21:33
openstackgerritMerged openstack/keystone master: Only validate tokens once per request  https://review.openstack.org/641499 21:38
openstackgerritMerged openstack/keystone master: Update master for stable/stein  https://review.openstack.org/645201 21:38
openstackgerritMerged openstack/keystone master: Fix typo in docs section header  https://review.openstack.org/645224 21:38
*** whoami-rajat has quit IRC21:45
*** xek_ has quit IRC21:55
*** njohnston_ has joined #openstack-keystone21:59
*** njohnston has quit IRC21:59
*** irclogbot_0 has quit IRC22:05
kmallocbnemec: oh joy. this fix doesn't work... digging deep into trying to make this work22:07
bnemec:-(22:10
*** rcernin has joined #openstack-keystone22:19
kmalloctrying to figure out how things get passed to the client constructor22:23
kmallocok the issue is a fault in dogpile.cache22:25
kmallocwe *can't* pass this value down.22:25
kmallocbnemec:         return memcache.Client(self.url)22:26
kmallocbnemec: you just can't pass other arguments to the constructor :(22:26
kmallocthis is pretty bad.22:28
*** cwright_ has quit IRC22:29
*** cwright has joined #openstack-keystone22:32
*** phasespace has joined #openstack-keystone22:39
kmallocbnemec: i can fix the KSM bits that don't use oslo_cache.22:40
kmallocbut fixing oslo_cache and keystone may be impossible.22:40
kmalloclet me check, memcache pool might be doable22:41
kmallocok i can fix memcache_pool and ksm22:42
kmalloci can't fix the non-pooled memcache client due to limitations in dogpile.22:42
*** timothyb89 has quit IRC22:46
*** tkajinam has joined #openstack-keystone22:56
*** awalende has quit IRC23:30
*** lbragstad has quit IRC23:46
*** jamesmcarthur has joined #openstack-keystone23:58
