*** ileixe has joined #openstack-keystone | 00:51 | |
*** Dinesh_Bhor has quit IRC | 02:07 | |
*** shyamb has joined #openstack-keystone | 02:43 | |
*** whoami-rajat has joined #openstack-keystone | 02:43 | |
*** shyamb has quit IRC | 02:57 | |
*** shyamb has joined #openstack-keystone | 02:58 | |
*** elbragstad has joined #openstack-keystone | 03:25 | |
*** ChanServ sets mode: +o elbragstad | 03:25 | |
*** shyamb has quit IRC | 03:28 | |
*** ileixe has quit IRC | 04:25 | |
*** ileixe has joined #openstack-keystone | 04:46 | |
*** shyamb has joined #openstack-keystone | 05:04 | |
*** shyamb has quit IRC | 05:11 | |
*** shyamb has joined #openstack-keystone | 05:21 | |
*** vishakha has joined #openstack-keystone | 05:55 | |
*** jaosorior has joined #openstack-keystone | 06:02 | |
*** shyamb has quit IRC | 06:34 | |
*** shyamb has joined #openstack-keystone | 06:41 | |
*** sapd1 has quit IRC | 06:44 | |
*** elbragstad has quit IRC | 06:45 | |
*** pcaruana has joined #openstack-keystone | 07:07 | |
*** shyamb has quit IRC | 07:17 | |
*** shyamb has joined #openstack-keystone | 07:34 | |
*** ileixe has quit IRC | 07:49 | |
*** shyamb has quit IRC | 08:00 | |
*** awalende has joined #openstack-keystone | 08:07 | |
*** Dinesh_Bhor has joined #openstack-keystone | 08:40 | |
*** tkajinam has quit IRC | 08:42 | |
*** erus has quit IRC | 08:42 | |
*** erus has joined #openstack-keystone | 08:42 | |
*** shyamb has joined #openstack-keystone | 08:44 | |
openstackgerrit | Colleen Murphy proposed openstack/keystone master: Add domain scope support for group policies https://review.openstack.org/643937 | 08:54 |
---|---|---|
*** wxy-xiyuan has joined #openstack-keystone | 09:07 | |
*** xek has joined #openstack-keystone | 09:17 | |
*** admin0 has joined #openstack-keystone | 09:21 | |
admin0 | hi all .. how does applicaton credentials work when the backend is LDAP/AD? | 09:21 |
*** xek has quit IRC | 09:24 | |
cmurphy | admin0: yes | 09:25 |
admin0 | cmurphy, it should work like normal even if the backend is AD ? | 09:25 |
cmurphy | admin0: yes it will work like normal, the application credential gets stored in keystone's sql database | 09:26 |
*** erus has quit IRC | 09:26 | |
*** jonher has quit IRC | 09:26 | |
*** erus has joined #openstack-keystone | 09:27 | |
admin0 | if I get Attempted to authenticate with an unsupported method where should i be looking ? | 09:29 |
admin0 | is it an entry missing in keystone conf ? | 09:29 |
admin0 | or does it have to be enabled in every other service also | 09:29 |
cmurphy | admin0: you need to add application_credential to [auth]/methods in keystone.conf | 09:30 |
admin0 | cmurphy, just adding that will do ? | 09:31 |
cmurphy | admin0: and restarting keystone of course | 09:33 |
*** erus has quit IRC | 09:33 | |
*** erus has joined #openstack-keystone | 09:33 | |
*** xek has joined #openstack-keystone | 09:40 | |
kmalloc | cmurphy: we didn't make that the default? | 10:05 |
kmalloc | We probably should. | 10:06 |
cmurphy | kmalloc: we did | 10:07 |
kmalloc | Ah ok. Phew | 10:07 |
kmalloc | review.openstack.org/#/c/644774 is ready for eyes, | 10:07 |
cmurphy | but if they're upgrading from an older version or using a config management tool that manages it explicitly then they might not have it | 10:07 |
cmurphy | kmalloc: does this mean we won't need a change in ksm/keystone? | 10:07 |
kmalloc | Hm. Nothing in keystone, I'll make the bug invalid | 10:08 |
kmalloc | Ksm, I am mulling over the non-oslo.cache model | 10:09 |
kmalloc | But I don't think we need to, really | 10:09 |
kmalloc | The use of the pool should be done in all cases.. | 10:09 |
kmalloc | It is way better than the non-poolee form, esp. with eventlet | 10:10 |
kmalloc | Also, we can't fix non-pooled easily until I fix dogpile | 10:11 |
kmalloc | Keystone def. Won't need anyfixes in either case.. | 10:12 |
cmurphy | more worried about ksm since it's supposed to be frozen | 10:13 |
kmalloc | Let's just backport fixes | 10:13 |
cmurphy | ++ | 10:13 |
kmalloc | Un-rc block it, and save the headache | 10:14 |
kmalloc | Marked as invalid for keystone, ksm will get a patch/backports soon | 10:18 |
cmurphy | thanks kmalloc | 10:18 |
*** shyamb has quit IRC | 10:19 | |
*** jonher has joined #openstack-keystone | 10:37 | |
*** trident has quit IRC | 10:43 | |
*** shyamb has joined #openstack-keystone | 11:01 | |
*** trident has joined #openstack-keystone | 11:08 | |
*** shyamb has quit IRC | 11:30 | |
*** rcernin has quit IRC | 11:31 | |
*** shyamb has joined #openstack-keystone | 11:44 | |
*** xek_ has joined #openstack-keystone | 11:47 | |
*** xek has quit IRC | 11:49 | |
*** xek has joined #openstack-keystone | 11:58 | |
*** xek_ has quit IRC | 11:59 | |
*** xek_ has joined #openstack-keystone | 12:01 | |
*** xek has quit IRC | 12:03 | |
*** xek_ has quit IRC | 12:03 | |
*** xek has joined #openstack-keystone | 12:04 | |
*** xek has quit IRC | 12:08 | |
*** erus has quit IRC | 12:08 | |
*** xek has joined #openstack-keystone | 12:08 | |
*** erus has joined #openstack-keystone | 12:08 | |
*** raildo has joined #openstack-keystone | 12:11 | |
*** jroll has quit IRC | 12:14 | |
*** erus has quit IRC | 12:14 | |
*** erus has joined #openstack-keystone | 12:15 | |
*** jroll has joined #openstack-keystone | 12:15 | |
*** vishakha has quit IRC | 12:17 | |
*** whoami-rajat has quit IRC | 12:24 | |
*** markvoelker has quit IRC | 12:26 | |
*** cfey has joined #openstack-keystone | 12:34 | |
*** jamesmcarthur has joined #openstack-keystone | 12:50 | |
*** jmlowe has quit IRC | 13:04 | |
*** dklyle has joined #openstack-keystone | 13:04 | |
*** shyamb has quit IRC | 13:13 | |
*** zaneb has joined #openstack-keystone | 13:17 | |
*** mvkr has quit IRC | 13:20 | |
*** elbragstad has joined #openstack-keystone | 13:24 | |
*** ChanServ sets mode: +o elbragstad | 13:24 | |
*** elbragstad is now known as lbragstad | 13:25 | |
*** trident has quit IRC | 13:27 | |
*** irclogbot_3 has joined #openstack-keystone | 13:28 | |
*** trident has joined #openstack-keystone | 13:29 | |
*** zaneb has quit IRC | 13:29 | |
*** zaneb has joined #openstack-keystone | 13:29 | |
*** altlogbot_2 has quit IRC | 13:31 | |
*** altlogbot_0 has joined #openstack-keystone | 13:32 | |
*** jamesmcarthur has quit IRC | 13:36 | |
*** mchlumsky has joined #openstack-keystone | 13:37 | |
*** dklyle has quit IRC | 13:37 | |
*** irclogbot_3 has quit IRC | 13:38 | |
*** irclogbot_1 has joined #openstack-keystone | 13:39 | |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Add role assignment testing for project users https://review.openstack.org/639718 | 13:41 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Remove assignment policies from policy.v3cloudsample.json https://review.openstack.org/640943 | 13:41 |
*** mchlumsky has quit IRC | 13:45 | |
*** mvkr has joined #openstack-keystone | 13:47 | |
*** erus has quit IRC | 13:47 | |
*** erus has joined #openstack-keystone | 13:47 | |
*** mchlumsky has joined #openstack-keystone | 13:48 | |
*** jmlowe has joined #openstack-keystone | 14:01 | |
*** erus has quit IRC | 14:23 | |
*** erus has joined #openstack-keystone | 14:24 | |
* lbragstad wonders if https://review.openstack.org/#/c/645968/ support should wait for Train... | 14:25 | |
cmurphy | lbragstad: you mean just that patch or the whole series? | 14:28 |
lbragstad | up to that patch | 14:28 |
lbragstad | everything is pretty straight-forward up to that patch | 14:29 |
lbragstad | but that patch is where domain support begins for the grant API... | 14:29 |
*** jamesmcarthur has joined #openstack-keystone | 14:29 | |
lbragstad | i spent a couple hours on friday laying out the protection tests, and it's going to be a significant amount of work | 14:30 |
gagehugo | o/ | 14:33 |
cmurphy | if it's not feasible in time then i guess let's not worry about it, there are others we'll have to finish up next cycle too | 14:33 |
lbragstad | part of me feels better leaving full domain user support for grant management alone because we do have domain support for the role assignment API done | 14:34 |
openstackgerrit | Merged openstack/keystone master: Implement domain reader for role_assignments https://review.openstack.org/638587 | 14:34 |
openstackgerrit | Merged openstack/keystone master: Add role assignment test coverage for domain members https://review.openstack.org/638593 | 14:34 |
openstackgerrit | Merged openstack/keystone master: Add role assignment test coverage for domain admins https://review.openstack.org/638597 | 14:34 |
lbragstad | so - at least domain users can query keystone for role assignment information | 14:34 |
lbragstad | speaking of ^ | 14:34 |
cmurphy | heh | 14:34 |
cmurphy | lbragstad: i'm wondering how to handle this https://review.openstack.org/643937 - where we've already deprecated the policy once and we're changing it again right away | 14:35 |
lbragstad | oh - you mean going from base.SYSTEM_READER to SYSTEM_READER_OR_DOMAIN_READER? | 14:36 |
cmurphy | yeah, but just before that it was RULE_ADMIN_REQUIRED | 14:36 |
lbragstad | right | 14:37 |
lbragstad | are you thinking we need to formally handle the move from SYSTEM_READER to SYSTEM_READER_OR_DOMAIN_READER? | 14:37 |
cmurphy | i'm not sure | 14:38 |
*** erus has quit IRC | 14:38 | |
cmurphy | in case someone has already updated their policies it's going to be out of date already | 14:38 |
lbragstad | i would say we should, iff we claim to support deploying keystone off of master | 14:39 |
cmurphy | also we already have release notes for the old-new policies that are now in stable/stein i think | 14:39 |
*** erus has joined #openstack-keystone | 14:39 | |
cmurphy | they are | 14:39 |
cmurphy | so those release notes will now be wrong, though i think we can handle that | 14:40 |
cmurphy | s/handle that/fix that | 14:40 |
lbragstad | we'd have to backport adjustments to them i suppose | 14:40 |
lbragstad | hmmm | 14:41 |
cmurphy | yeah and then there's a trick we have to do on master so that the change only appears on stein and not the unrelease notes | 14:41 |
lbragstad | i guess the only other way to prevent this from happening, is to have all code and tests to go from base.RULE_ADMIN_REQUIRED to SYSTEM_READER_OR_DOMAIN_READER all in one go | 14:41 |
cmurphy | we've already changed a bunch to SYSTEM_READER already | 14:43 |
lbragstad | right | 14:43 |
lbragstad | so, everything we've merged in https://etherpad.openstack.org/p/keystone-stein-rc2-tracking will need release notes backported to stable/stein? | 14:44 |
cmurphy | pretty much | 14:44 |
lbragstad | oof | 14:45 |
lbragstad | just release notes? | 14:45 |
* lbragstad struggles to remember the shenanigans we had to do for release notes before in this situation | 14:46 | |
cmurphy | i think for rc2 it's probably fine to just fixup the release notes, when we open train for development i'm not sure how we'll handle the deprecations since i think oslo.policy can only handle one deprecation? | 14:46 |
cmurphy | there's a trick with adding an ignored note to a file somewhere | 14:46 |
lbragstad | yeah - only one deprecation at a time, afaik | 14:47 |
cmurphy | maybe we need to augment oslo.policy to handle multiple deprecations before we keep working on these :/ | 14:49 |
lbragstad | maybe... | 14:50 |
lbragstad | i guess the way i envisioned it was... | 14:50 |
lbragstad | land patches the deprecate policies, and update the deprecations up to the point where we release so they are in their final "state" | 14:51 |
lbragstad | but I can see how that didn't necessarily pan out with some of these more complicated policy changes and APIs | 14:51 |
lbragstad | s/patches the deprecate/patches that deprecate/ | 14:51 |
openstackgerrit | Colleen Murphy proposed openstack/keystone master: Delete shadow users when domain is deleted https://review.openstack.org/647498 | 14:58 |
cmurphy | just if an operator has upgraded to stein, sees all these deprecation warnings, overrides their policies to use the new recommended/default policy, then we change it again in train, i think they won't see deprecation warnings and won't be prompted to change them again? all they have to go on is the release notes | 14:59 |
*** awalende has quit IRC | 15:00 | |
beekneemech | In oslo.config you can have multiple deprecated names for whatever the current name is. Something similar might be good for policy. | 15:00 |
*** beekneemech is now known as bnemec | 15:00 | |
*** awalende has joined #openstack-keystone | 15:00 | |
cmurphy | yeah | 15:00 |
* bnemec -> oslo meeting | 15:01 | |
*** whoami-rajat has joined #openstack-keystone | 15:01 | |
* lbragstad thinks through the oslo.policy deprecation logging | 15:02 | |
*** awalende has quit IRC | 15:04 | |
lbragstad | looks like this is the case we handle in oslo.policy http://git.openstack.org/cgit/openstack/oslo.policy/tree/oslo_policy/policy.py?id=5d2b7a8634c0a1b7c75a71953e37b671e996a9ca#n678 | 15:05 |
lbragstad | if we deprecate identity:create_foo to use SYSTEM_READER instead of RULE_ADMIN_REQUIRED | 15:06 |
lbragstad | a warning will be logged | 15:06 |
lbragstad | if the operator *doesn't* override identity:create_foo and we change the deprecation from SYSTEM_READER to SYSTEM_READER_OR_DOMAIN_READER - then another warning will be logged | 15:07 |
lbragstad | however, if they do decide to override identity:create_foo with something else, or the new default, they won't see a log warning encouraging them to use SYSTEM_READER_OR_DOMAIN_READER | 15:08 |
cmurphy | right | 15:09 |
knikolla | o/ | 15:10 |
cmurphy | \o | 15:10 |
lbragstad | so - we might need something like https://pasted.tech/pastes/7bf6d68ded0481914abb50dd6a80599c20a8fde3.raw | 15:17 |
lbragstad | in oslo.policy | 15:17 |
lbragstad | which logs a warning if the operator is overriding the policy | 15:19 |
erus | o/ | 15:19 |
*** dklyle has joined #openstack-keystone | 15:20 | |
lbragstad | that might be missing an edge case or two... | 15:20 |
cmurphy | btw i send out the meeting time doodle poll on the mailing list but never linked it here, here it is https://doodle.com/poll/zxv6d2mxngmhb3vc | 15:28 |
*** erus has quit IRC | 15:28 | |
*** erus has joined #openstack-keystone | 15:28 | |
*** shyamb has joined #openstack-keystone | 15:36 | |
*** itlinux has quit IRC | 15:37 | |
bnemec | lbragstad: Are we simply missing functionality to check for deprecated targets in the policy rules? | 16:02 |
*** xek has quit IRC | 16:02 | |
bnemec | I'm not sure we should be warning every time someone overrides a rule whose default changed at some point. | 16:02 |
* bnemec may be misunderstanding what is going on here too | 16:03 | |
lbragstad | well - we do have functionality for deprecation warnings | 16:06 |
lbragstad | in all currently handled cases, we issue a warning | 16:06 |
lbragstad | http://git.openstack.org/cgit/openstack/oslo.policy/tree/oslo_policy/policy.py?id=5d2b7a8634c0a1b7c75a71953e37b671e996a9ca#n633 | 16:06 |
*** xek has joined #openstack-keystone | 16:08 | |
bnemec | Right, but that only handles rule renames and default changes. | 16:09 |
bnemec | It doesn't handle the case where the thing you're referring to in the rule changes. | 16:09 |
bnemec | Even setting aside the double-deprecation problem, if I had overridden a rule that previously used RULE_ADMIN_REQUIRED I wouldn't get a warning, would I? | 16:10 |
cmurphy | right | 16:11 |
*** erus has quit IRC | 16:11 | |
*** erus has joined #openstack-keystone | 16:12 | |
bnemec | That seems less than ideal. | 16:13 |
bnemec | With the disclaimer that I don't currently know how/if we can fix it. | 16:13 |
cmurphy | yeah, it means the only means we have to let those people know that things are changing is through release notes | 16:13 |
cmurphy | but in the case that they had already overridden a policy then likely it's because they really wanted something different and wouldn't want to switch to the new defaults anyways | 16:14 |
cmurphy | but in the case they were just overriding the policy to get rid of deprecation warnings then they won't see deprecation warnings telling them to override again | 16:15 |
bnemec | Yeah, but they still need to know to s/RULE_ADMIN_REQUIRED/SYSTEM_READER/ in their custom policy. | 16:15 |
bnemec | Oh, I hadn't considered that second case. | 16:16 |
bnemec | That they're basically saying "Yeah, I know it's changing. I'm ready for it." | 16:17 |
bnemec | I guess that's the double-deprecation problem you were originally talking about. | 16:19 |
* bnemec seems to have a talent for derailing keystone conversations | 16:19 | |
cmurphy | it's a good point though, i guess you'd have the same problem in oslo.config if you tried to do a 'this default is changing' advance warning deprecation notice and then double-changed it within two cycles | 16:22 |
bnemec | Yeah, I'm not actually sure oslo.config handles default value changes at all. You can't just append the values in that case like we can in oslo.policy. | 16:24 |
bnemec | I think the way it's been handled in the past is to set the default to a sentinel value and if the application sees the sentinel then it logs the warning itself. Then it overrides with whatever the default should actually be. | 16:25 |
cmurphy | hmm yeah | 16:29 |
*** shyamb has quit IRC | 16:35 | |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Consolidate user protection tests https://review.openstack.org/623323 | 16:49 |
lbragstad | cmurphy thoughts on https://etherpad.openstack.org/p/keystone-stein-rc2-tracking ? | 16:50 |
lbragstad | i marked stopping points | 16:50 |
*** gyee has joined #openstack-keystone | 16:50 | |
vkmc | hey, I'd need some guidance for https://review.openstack.org/#/c/647538/, I'm trying to remove keystoneclient and use keystoneauth instead for manilaclient, I'm wondering if these changes are good enough (from a functional perspective) | 16:59 |
vkmc | any pointer is appreciated | 16:59 |
*** dustinc has joined #openstack-keystone | 17:15 | |
*** jamesmcarthur has quit IRC | 17:26 | |
lbragstad | cmurphy started proposing some of what's landed in master to stable stein https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:stable/stein | 17:30 |
*** jamesmcarthur has joined #openstack-keystone | 17:31 | |
*** KeithMnemonic has joined #openstack-keystone | 17:32 | |
*** erus has quit IRC | 17:32 | |
*** erus has joined #openstack-keystone | 17:32 | |
*** mvkr has quit IRC | 17:37 | |
cmurphy | vkmc: left a comment | 17:43 |
vkmc | cmurphy, thanks! | 17:43 |
cmurphy | lbragstad: looks like we're in good shape wrt https://etherpad.openstack.org/p/keystone-stein-rc2-tracking ? | 17:52 |
lbragstad | i think so - trying to clean things up now | 17:52 |
lbragstad | cmurphy gagehugo do you have +2/+W on stable/stein? | 17:53 |
cmurphy | nope :'( | 17:53 |
lbragstad | really?! | 17:53 |
openstackgerrit | Merged openstack/keystone master: Update system grant policies for system member https://review.openstack.org/645021 | 17:53 |
gagehugo | nope.jpg | 17:53 |
cmurphy | might be more efficient if i propose the backports so you and kmalloc can approve | 17:53 |
lbragstad | hmmm | 17:53 |
lbragstad | i remember having stable core on stable/pike before it was officially released even though i didn't have keystone-stable-core power yet | 17:54 |
lbragstad | i wonder if something changed there | 17:54 |
cmurphy | hmm | 17:54 |
gagehugo | no idea | 17:57 |
lbragstad | apparently that process changed... | 17:57 |
*** jamesmcarthur has quit IRC | 17:59 | |
cmurphy | lbragstad: one more thing on https://review.openstack.org/639718 | 18:00 |
*** jamesmcarthur has joined #openstack-keystone | 18:01 | |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Add role assignment testing for project users https://review.openstack.org/639718 | 18:02 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Remove assignment policies from policy.v3cloudsample.json https://review.openstack.org/640943 | 18:02 |
lbragstad | cmurphy thanks | 18:02 |
* lbragstad takes lunch quick | 18:08 | |
*** jamesmcarthur has quit IRC | 18:09 | |
*** xek_ has joined #openstack-keystone | 18:11 | |
*** xek has quit IRC | 18:14 | |
*** itlinux has joined #openstack-keystone | 18:26 | |
*** xek_ has quit IRC | 18:27 | |
*** xek has joined #openstack-keystone | 18:27 | |
*** xek has quit IRC | 18:32 | |
*** dustinc is now known as dustinc|away | 18:44 | |
cmurphy | lbragstad: so i think what we need to do is add all the notes that we're backporting to stein to http://git.openstack.org/cgit/openstack/keystone/tree/releasenotes/source/unreleased.rst | 19:03 |
cmurphy | i think we should do that as one lump to master when we're done with all of them | 19:03 |
*** jmlowe has quit IRC | 19:03 | |
lbragstad | ++ | 19:04 |
lbragstad | yeah - i think that's a good idea | 19:04 |
*** mailingsam_ has joined #openstack-keystone | 19:05 | |
mailingsam_ | when does id_mapping table get populated? during deployment of keystone first time or on each ldap user login? | 19:05 |
cmurphy | mailingsam_: when the user logs in, or you an pregenerate it with `keystone-manage mapping_populate` | 19:07 |
mailingsam_ | @cmurphy do you know how heat keystone user constraint works? resource_getter_name = 'get_user_id' entity = 'KeystoneUser' . For ldap user I get user not found | 19:12 |
cmurphy | mailingsam_: i know almost nothing about how heat works :( but at a guess i would suggest making sure the domain for the ldap users is specified and correct | 19:13 |
cmurphy | lbragstad: if we don't want to go for https://review.openstack.org/645968 we'll still need a release note for the rest of that series | 19:14 |
mailingsam_ | Heat keystone constrain seems to just do crud operation on user table but I'm confused how it does crud operation when we have user, local_user, nonlocal_user tables does it do union or searches only user table | 19:14 |
lbragstad | cmurphy agreed - want me to tack it onto https://review.openstack.org/#/c/645890/2 or another patch? | 19:14 |
cmurphy | mailingsam_: the user table has foreign keys to local_user and nonlocal_user so it should be enough to just query the user table | 19:15 |
cmurphy | lbragstad: either way | 19:15 |
mailingsam_ | when I check one of my env, the user table has few users compared to id_mapping, i.e not all users in ldap are reflected in user table so trying to see how to update user/nonlocal_user table to reflect all users in ldap | 19:20 |
*** jamesmcarthur has joined #openstack-keystone | 19:21 | |
openstackgerrit | Colleen Murphy proposed openstack/keystone master: Add domain scope support for group policies https://review.openstack.org/643937 | 19:22 |
openstackgerrit | Gage Hugo proposed openstack/keystone master: WIP - Add flask hook for authentication timings https://review.openstack.org/634826 | 19:24 |
cmurphy | mailingsam_: keystone waits until the user logs in before creating it in the user table, but the id_mapping can be created with the mapping_populate command or when you list/show the user or when they log in | 19:27 |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Make system admin policies consistent for grants https://review.openstack.org/645890 | 19:30 |
mailingsam_ | Thanks @cmurphy let me check if user table populates on user login | 19:31 |
*** jamesmcarthur has quit IRC | 19:34 | |
openstackgerrit | Lance Bragstad proposed openstack/keystone master: Consolidate user protection tests https://review.openstack.org/623323 | 19:38 |
openstackgerrit | Colleen Murphy proposed openstack/keystone master: Remove redundant policies from v3cloudsample https://review.openstack.org/647586 | 19:41 |
openstackgerrit | Colleen Murphy proposed openstack/keystone master: Remove redundant policies from v3cloudsample https://review.openstack.org/647586 | 19:45 |
*** jamesmcarthur has joined #openstack-keystone | 19:49 | |
gagehugo | lbragstad cmurphy looks like ksm is failing on lower-constraints, I'm getting the same error as zuul locally | 19:54 |
lbragstad | gagehugo link? | 19:54 |
gagehugo | https://review.openstack.org/#/c/643997/ and https://review.openstack.org/#/c/643998/ | 19:54 |
gagehugo | http://logs.openstack.org/98/643998/1/check/openstack-tox-lower-constraints/48b165a/testr_results.html.gz | 19:55 |
openstackgerrit | Colleen Murphy proposed openstack/keystone master: Delete shadow users when domain is deleted https://review.openstack.org/647498 | 19:57 |
lbragstad | openssl related it looks like | 19:57 |
gagehugo | yeah | 19:57 |
cmurphy | fun | 19:58 |
cmurphy | https://review.openstack.org/647498 would be good to get into rc2, not sure if we've fully resolved the foreign key issue that makes testing that hard | 19:59 |
*** jmlowe has joined #openstack-keystone | 20:00 | |
lbragstad | didn't we just do something with keystoneclient on stable? | 20:09 |
lbragstad | er - for stein? | 20:09 |
lbragstad | ksm is failing in ksc cms module | 20:10 |
cmurphy | i don't think we've changed keystoneclient since before the client freeze | 20:10 |
*** whoami-rajat has quit IRC | 20:11 | |
*** cfey has quit IRC | 20:13 | |
lbragstad | last merged change to ksm was on the 6th | 20:16 |
lbragstad | i assume lower-constraints worked then | 20:16 |
gagehugo | I would assume so too | 20:19 |
*** itlinux has quit IRC | 20:20 | |
*** pcaruana has quit IRC | 20:23 | |
*** itlinux has joined #openstack-keystone | 20:27 | |
*** itlinux has quit IRC | 20:27 | |
*** xek has joined #openstack-keystone | 20:33 | |
lbragstad | gagehugo i added some more logging, looks like it's failing to find files https://pasted.tech/pastes/210d3d081942347ba2c21aef5cb5671508ee9ff0.raw | 20:48 |
gagehugo | interesting | 20:50 |
lbragstad | lower constraints is installing python-keystonclient 3.8.0 | 20:58 |
lbragstad | but py37 is using 3.18.0 | 20:58 |
openstackgerrit | Lance Bragstad proposed openstack/keystonemiddleware master: Bump lower constraint for python-keystoneclient to 3.18.0 https://review.openstack.org/647604 | 20:59 |
lbragstad | ^ works for me locally | 20:59 |
lbragstad | no sure why 3.18.0 works and 3.8.0 doesn't | 21:00 |
gagehugo | nice | 21:00 |
lbragstad | not sure* | 21:00 |
gagehugo | yeah it works for me locally too | 21:00 |
lbragstad | commit message is unhelpful, but if that passes and doesn't have other issues, i can update it | 21:01 |
openstackgerrit | Lance Bragstad proposed openstack/keystonemiddleware master: Bump lower constraint for python-keystoneclient to 3.18.0 https://review.openstack.org/647604 | 21:02 |
gagehugo | lgtm | 21:04 |
openstackgerrit | Edgar Magana proposed openstack/keystone master: Replace URL name to the correct one in Keystone Docs https://review.openstack.org/647606 | 21:04 |
*** jamesmcarthur_ has joined #openstack-keystone | 21:22 | |
*** jamesmcarthur_ has quit IRC | 21:23 | |
*** jamesmcarthur_ has joined #openstack-keystone | 21:23 | |
*** jamesmcarthur_ has quit IRC | 21:23 | |
*** jamesmcarthur has quit IRC | 21:24 | |
*** jamesmcarthur has joined #openstack-keystone | 21:24 | |
*** jamesmcarthur_ has joined #openstack-keystone | 21:25 | |
*** jamesmcarthur has quit IRC | 21:29 | |
*** xek_ has joined #openstack-keystone | 21:46 | |
*** xek__ has joined #openstack-keystone | 21:47 | |
*** xek has quit IRC | 21:49 | |
*** xek_ has quit IRC | 21:50 | |
*** itlinux has joined #openstack-keystone | 21:54 | |
*** mchlumsky has quit IRC | 22:02 | |
*** jamesmcarthur_ has quit IRC | 22:06 | |
*** rcernin has joined #openstack-keystone | 22:14 | |
*** jamesmcarthur has joined #openstack-keystone | 22:32 | |
*** jamesmcarthur has quit IRC | 22:56 | |
*** jamesmcarthur has joined #openstack-keystone | 22:56 | |
*** jamesmcarthur has quit IRC | 22:59 | |
*** tkajinam has joined #openstack-keystone | 23:01 | |
*** tkajinam has quit IRC | 23:01 | |
*** jamesmcarthur has joined #openstack-keystone | 23:01 | |
*** tkajinam has joined #openstack-keystone | 23:02 | |
*** jamesmcarthur has quit IRC | 23:40 | |
*** erus has quit IRC | 23:40 | |
*** erus has joined #openstack-keystone | 23:40 | |
*** xek__ has quit IRC | 23:54 |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!