Wednesday, 2019-03-27

*** dolphm has quit IRC		00:16
*** dustinc has quit IRC		00:25
*** jamesmcarthur has joined #openstack-keystone		00:49
*** markvoelker has joined #openstack-keystone		00:51
*** ileixe has joined #openstack-keystone		00:54
*** ileixe has quit IRC		00:54
*** ileixe has joined #openstack-keystone		00:55
*** awalende has joined #openstack-keystone		01:02
*** markvoelker has quit IRC		01:03
*** awalende has quit IRC		01:07
*** markvoelker has joined #openstack-keystone		01:18
*** erus has quit IRC		01:23
*** erus has joined #openstack-keystone		01:23
*** rcernin has quit IRC		01:49
*** rcernin has joined #openstack-keystone		01:53
*** whoami-rajat has joined #openstack-keystone		02:08
*** erus has quit IRC		02:08
openstackgerrit	Merged openstack/keystone master: Add keystone's technical vision reflection https://review.openstack.org/641374	02:08
*** erus has joined #openstack-keystone		02:09
*** mgagne has quit IRC		02:15
*** mgagne has joined #openstack-keystone		02:15
*** charz has quit IRC		02:16
*** jamesmcarthur has quit IRC		02:52
*** jamesmcarthur has joined #openstack-keystone		03:36
*** jamesmcarthur has quit IRC		03:44
*** jamesmcarthur has joined #openstack-keystone		03:45
*** jamesmcarthur has quit IRC		03:47
*** jamesmcarthur has joined #openstack-keystone		03:47
*** jamesmcarthur has quit IRC		03:52
*** jamesmcarthur has joined #openstack-keystone		04:00
*** jamesmcarthur has quit IRC		04:01
*** vishakha has joined #openstack-keystone		04:09
*** ileixe has quit IRC		04:11
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: WIP: implement domain reader support for grants https://review.openstack.org/645968	04:44
*** shyam89 has joined #openstack-keystone		04:58
*** shyam89 has quit IRC		05:03
*** ileixe has joined #openstack-keystone		05:08
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: WIP : Make domain admin policies consistent for grants https://review.openstack.org/647999	05:10
*** shyam89 has joined #openstack-keystone		05:15
*** lbragstad has joined #openstack-keystone		05:25
*** ChanServ sets mode: +o lbragstad		05:25
*** lbragstad has quit IRC		05:41
*** markvoelker has quit IRC		06:00
*** jaosorior has quit IRC		06:26
*** jaosorior has joined #openstack-keystone		06:28
*** markvoelker has joined #openstack-keystone		06:31
*** jistr is now known as jistr\|doc		06:33
vishakha	lbragstad: For grants API will the project ( admin or member or reader) will be able to list the grants or the behaviour weill be same as role assignments?	06:37
*** erus has quit IRC		06:43
*** erus has joined #openstack-keystone		06:43
*** shyam89 has quit IRC		07:00
*** shyam89 has joined #openstack-keystone		07:04
*** shyam89 has quit IRC		07:31
*** shyam89 has joined #openstack-keystone		07:48
tonyb	cmurphy: Are you around?	07:55
cmurphy	tonyb: need 5 minutes sorry	07:56
tonyb	cmurphy: It's cool I'll wait	07:56
cmurphy	tonyb: here now, sorry about that - my laptop decided right at the beginning of the meeting that that was a good time to explode spectacularly	08:04
cmurphy	so now i'm at the office	08:04
tonyb	cmurphy: litterally explode?	08:05
cmurphy	no figuratively	08:05
tonyb	'cause that'd be very cool	08:05
tonyb	pffft	08:05
cmurphy	it would be quite messy	08:05
tonyb	True	08:05
tonyb	So rocky	08:05
tonyb	We're kinda a little stuck	08:05
cmurphy	right	08:05
tonyb	can we confirm / test that py2 with 2.1.0 is okay? or do we knwo that's broken also	08:06
cmurphy	ldappool 2.1.0? or you mean 2.0.0 https://review.openstack.org/#/c/613648/4/lower-constraints.txt	08:07
tonyb	cmurphy: 2.0.0 would be better but CentOS has 2.1.0 so that'd do	08:08
cmurphy	i think python2 works fine with 2.0.0 or 2.1.0	08:09
evrardjp	o/	08:10
cmurphy	what's your suggestion? to revert because python2 is okay? it's broken for non-rhel on python3 so that wouldn't make me happy	08:10
tonyb	and the reason for the bump is because py3 needed extra 'handling'	08:10
tonyb	cmurphy: If we can be certain that py2+ldappool(2.0.0 -> 2.3.1) is ok then I'll approve it and ask y'all not to do that thing again	08:11
tonyb	... at least without discussin alternatives with the stable team first	08:12
cmurphy	okay, we did have smcginnis approve that change so i thought it was okay	08:12
cmurphy	py2 should be unaffected by this change	08:13
cmurphy	will be more aware next time	08:13
*** awalende has joined #openstack-keystone		08:16
*** tkajinam has quit IRC		08:16
*** shyam89 has quit IRC		08:16
tonyb	Okay so if you're good to stand by 'py2 is okay with <2.3.1' I'll approve the release tomorrow	08:18
cmurphy	let me do a quick unit test run with the constraint lowered just to be extra sure	08:19
tonyb	cmurphy: cool	08:19
* tonyb needs to get the kids to bed		08:19
tonyb	cmurphy: let me know how you go	08:19
cmurphy	o7	08:20
tonyb	:)	08:20
evrardjp	I will vote based on your results cmurphy	08:27
*** pcaruana has joined #openstack-keystone		08:57
*** shyam89 has joined #openstack-keystone		09:12
*** jistr\|doc is now known as jistr		09:15
*** shyam89 has quit IRC		10:08
*** shyam89 has joined #openstack-keystone		10:21
ildikov	cmurphy: hi	10:23
*** mvkr has joined #openstack-keystone		10:51
*** rcernin has quit IRC		10:51
*** shyam89 has quit IRC		10:53
cmurphy	hi ildikov	10:57
cmurphy	what's up?	10:57
*** erus has quit IRC		11:18
*** erus has joined #openstack-keystone		11:18
*** shyam89 has joined #openstack-keystone		11:28
*** zlangi has joined #openstack-keystone		11:48
*** erus has quit IRC		11:48
zlangi	hello everyone, is ther anyone who got some experience with keystone integration with AD? I can't get the groups working. in the corp AD, the cn for the users is the full name of the users, I got to use sAMAccountName for the username. that would be ok, but! the group membership is returned by cname as well. basically when I query the group membership, that comes back like this: CN=Doe John,OU=MyGroups,OU=Somewhere,OU=com	11:48
zlangi	is there anyone here had similar problem? if yes, how did you solve it?	11:49
*** erus has joined #openstack-keystone		11:49
*** markvoelker has quit IRC		12:21
*** mchlumsky has joined #openstack-keystone		12:22
*** jamesmcarthur has joined #openstack-keystone		12:23
*** jamesmcarthur has quit IRC		12:32
*** erus has quit IRC		12:32
*** erus has joined #openstack-keystone		12:33
*** shyam89 has quit IRC		12:34
*** mvkr has quit IRC		12:37
*** pcaruana has quit IRC		12:39
*** erus has quit IRC		12:39
*** erus has joined #openstack-keystone		12:40
*** pcaruana has joined #openstack-keystone		12:42
*** pcaruana has quit IRC		12:42
*** pcaruana has joined #openstack-keystone		12:43
*** shyam89 has joined #openstack-keystone		12:46
*** lbragstad has joined #openstack-keystone		12:46
*** ChanServ sets mode: +o lbragstad		12:46
*** jamesmcarthur has joined #openstack-keystone		12:51
*** jamesmcarthur has quit IRC		12:52
*** jamesmcarthur has joined #openstack-keystone		12:52
ildikov	cmurphy: I wanted to ask you about the hacking days we're organizing with the edge group	12:55
ildikov	cmurphy: one of the potential tasks to do is setting up an environment with Keystone so that we can do testing and with csatari we're somewhat available the week before the Summit to give it the first try	12:56
ildikov	cmurphy: so I wanted to check if you're around that much to dial in if we get brutally stuck to ask a few questions	12:56
cmurphy	ildikov: what are the dates again?	12:56
*** itlinux has quit IRC		12:57
ildikov	cmurphy: tracking it in this poll: https://doodle.com/poll/m7ar8m8zp3izw7t5	12:57
ildikov	cmurphy: so potentially something between April 17 and 24	12:58
cmurphy	ildikov: what would the time zone be?	12:59
ildikov	cmurphy: the idea is to run it all day so people can join when they're available	13:01
cmurphy	ildikov: okay i'd be happy to dial in	13:02
ildikov	cmurphy: I know one or two students in Sweden who would be interested in joining and csatari and I, we're in Hungary so it's all Central European Time, that's why I thought to reach out to you about the environment building idea as we would prolly test the plugin that just got merged and do something for federation testing	13:02
cmurphy	ildikov: so i will actually be in west coast time that week	13:03
ildikov	cmurphy: ah, I see	13:03
ildikov	cmurphy: seemed a bit too good to be true :)	13:04
*** ileixe has quit IRC		13:04
ildikov	cmurphy: if you're around in the morning then we could do a little sync up in case we got somewhere or the opposite and we would need help?	13:04
cmurphy	ildikov: sure	13:07
cmurphy	ildikov: do you have an agenda or brainstorming etherpad or something?	13:07
cmurphy	maybe i could make some notes and pointers	13:07
ildikov	cmurphy: just an overall brainstorming etherpad: https://etherpad.openstack.org/p/osf-edge-hacking-days	13:07
ildikov	there are Keystone related items there, so please drop in any info you think would be useful	13:08
ildikov	thank you!!	13:08
cmurphy	no problem, I'll try to add some context and notes in there	13:08
ildikov	sounds great, thanks again!	13:08
*** jhesketh has quit IRC		13:10
*** mvkr has joined #openstack-keystone		13:12
*** erus has quit IRC		13:12
csatari	cmurphy: there are legends, that you know how to easily reproduce one of the x.509 bugs. Can you add to the etherpad which bug is it and probably some description how to reproduce it?	13:13
*** erus has joined #openstack-keystone		13:13
cmurphy	csatari: sure	13:13
csatari	cmurphy: thanks	13:15
*** shyam89 has quit IRC		13:27
*** shyam89 has joined #openstack-keystone		13:27
*** jamesmcarthur has quit IRC		13:28
knikolla	o/	13:31
*** shyam89 has quit IRC		13:31
lbragstad	\o	13:31
vishakha	o/	13:33
cmurphy	~o~	13:33
vishakha	lbragstad: For grants API will the project ( admin or member or reader) will be able to list the grants or the behaviour weill be same as role assignments?	13:33
*** shyam89 has joined #openstack-keystone		13:33
lbragstad	vishakha i don't think so	13:34
lbragstad	actually...	13:34
lbragstad	i think it's going to be complicated :)	13:35
lbragstad	system users should be able to perform any of the grants APIs across any projects or domains	13:36
lbragstad	or the deployment system itself	13:36
lbragstad	domain users should be able to access grants for any projects within the domain they're operating on	13:36
lbragstad	^ those are the two easier cases	13:37
lbragstad	but since keystone supports hierarchical multitenancy - you could also support the ability for project users to have access to grants for all sub-projects in the tree underneath them	13:37
*** erus has quit IRC		13:37
*** erus has joined #openstack-keystone		13:38
lbragstad	but - that is going to be complicated	13:39
lbragstad	because in order to use the grant API effectively, you need to know the ID of the user in the grant	13:39
lbragstad	and users are resources that are owned by domains, which we don't expose to project users at all	13:40
lbragstad	(e.g., a project user can't call GET /v3/users?domain.id=domainA to get a list of all users within domainA and add them to a project they're admin on)	13:41
*** jamesmcarthur has joined #openstack-keystone		13:44
efried	Hi keystoners. Is this correct? https://review.openstack.org/#/c/647972/	13:46
lbragstad	yeah - i think so	13:48
lbragstad	Default is the domain ID and `default` is the ID =/	13:48
lbragstad	er... Default is the domain name	13:48
lbragstad	default is the ID	13:49
efried	Thanks lbragstad. Where are these opts defined?	13:50
lbragstad	only the default domain ID is configurable	13:51
lbragstad	https://docs.openstack.org/keystone/latest/configuration/config-options.html#identity.default_domain_id	13:51
lbragstad	it's default is... default	13:51
lbragstad	i don't know if you can tell, but we're awesome at naming things...	13:51
efried	This is going to reveal how ignorant I am, but...	13:54
efried	how/where does a project (like nova) register the keystone_authtoken opt group?	13:55
erus	o/	13:55
efried	That's the thing it uses to be a "service", right?	13:56
efried	So other pieces can connect to it via e.g. ksa or sdk	13:57
lbragstad	correct	13:57
lbragstad	those options are maintained in keystoneauth	13:57
lbragstad	so you expose/register them like you would any other library you're consuming (think oslo.policy or oslo.messaging)	13:58
efried	so somewhere in my project's conf/ directory I'm looking for a file that imports something from keystoneauth1 and does a register_keystone_authtoken_opts or similar?	13:58
lbragstad	i believe so	13:58
* lbragstad grabs a copy of nova		13:58
efried	the stuff in keystoneauth1.loading is for the client side afaict.	13:59
lbragstad	https://pasted.tech/pastes/ff598f826816b024f4b2cc257c7b8ff14e55e8f6.raw	14:00
*** erus has quit IRC		14:00
lbragstad	nova/conf/utils.py?	14:00
efried	yeah, aren't all of those for when nova wants to be the client? I.e. when nova asks the cinder API for things, or the neutron API, etc.	14:01
*** erus has joined #openstack-keystone		14:01
efried	I know for sure the stuff in conf/utils is that	14:01
efried	cause I wrote it	14:01
*** admin0 has left #openstack-keystone		14:01
* efried <== reasonable amount of experience with the client side		14:01
* efried <== zero experience with the server/service side		14:02
*** jamesmcarthur_ has joined #openstack-keystone		14:02
lbragstad	ah	14:02
lbragstad	sorry - i thought that is what you were asking about?	14:03
efried	sorry if I'm blithering, I'm fuzzy this morning.	14:03
lbragstad	i guess i'm not sure what you mean by "That's the thing it uses to be a service"	14:04
efried	There's two sides to keystone: the service (API) and the client that connects to it.	14:04
efried	sorry, I shouldn't have said "to keystone" probably	14:04
efried	The latter, the client side, is what ksa is for. I'm familiar with that. I can construct an Adapter which allows me, the client, to talk to a service that's listening on the other end at a nicely formed endpoint.	14:05
lbragstad	sure	14:05
*** jamesmcarthur has quit IRC		14:05
efried	So what I'm asking is, how does the other end get to be there and listen for that Adapter to come knocking?	14:05
efried	I thought it was by setting itself up with... something keystoney, which includes exposing conf options in the keystone_authtoken group	14:05
efried	...so if my service has username/password foo/bar in keystone_athtoken, then my client would construct an Adapter by passing in username/password foo/bar as authentication creds	14:06
efried	am I just waay off?	14:06
efried	I'm sure there's a lovely doc that explains this. I would call it "How to set up my service to use Keystone". But I suck at naming things.	14:07
lbragstad	no - the last part sounds accurate because you build a ksa object that you can re-use across clients, right?	14:07
efried	re-use across clients... not sure about that bit. I just know I create a ksa adapter by loading the conf options whose defs I registered via those ksa/loading modules	14:08
*** erus has quit IRC		14:08
efried	so yeah, I guess multiple clients using the same conf file could all access the same service the same way.	14:09
*** erus has joined #openstack-keystone		14:09
lbragstad	or you could build multiple clients from the same ksa adapter?	14:10
efried	you're talking client like an instance, I thought you meant a client like a process.	14:10
*** adriant has quit IRC		14:10
efried	(python instance of a class, not instance in the nova sense)	14:11
efried	anyway, so I know how my client code registers those client-side conf options - they come out of ksa/loading	14:11
*** adriant has joined #openstack-keystone		14:11
*** shyam89 has quit IRC		14:12
efried	What I'm trying to get at is, how does the service come up knowing that those values are the right ones and it should allow the traffic?	14:12
efried	And I thought the admin set this ^ up by filling in the [keystone_authtoken] section of the service's conf file.	14:12
lbragstad	yeah - sorry, i was referring to python objects	14:12
lbragstad	iiuc, it's completely up to operators to set that up correctly	14:13
lbragstad	the service assumes that the auth token values are correct and available (e.g., an identity API is on the other end of the wire)	14:13
efried	Right, it's up to the operator to set up the service with the correct values - in the [keystone_authtoken] section of the service's conf, right?	14:15
lbragstad	and the connection information (username and password) are correct and correspond to a user account created in keystone	14:15
lbragstad	yes	14:15
efried	cool - so: how/where does the service (the code itself) register that conf group and those options?	14:16
efried	looks like it may come from keystonemiddleware....	14:23
lbragstad	yeah	14:23
lbragstad	sorry - i was just looking at https://git.openstack.org/cgit/openstack/keystoneauth/tree/keystoneauth1/loading/conf.py#n66	14:24
efried	yeah - those are the client side options	14:24
lbragstad	http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/auth_token/_opts.py#n202	14:24
lbragstad	http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/auth_token/_base.py#n13	14:26
efried	So my service implicitly registers the opts by somehow importing auth_token/_opts.py, which must happen through some other (public) import chain	14:26
*** itlinux has joined #openstack-keystone		14:27
lbragstad	well - nova runs keystonemiddleware in front of the service	14:27
lbragstad	http://git.openstack.org/cgit/openstack/nova/tree/etc/nova/api-paste.ini#n83	14:27
efried	via some paste-ini magic... yeha	14:28
efried	and that, somewhere under the covers, imports keystonemiddleware.auth_token, which imports _opts, which registers the conf options.	14:28
efried	gadzooks	14:28
lbragstad	correct - http://git.openstack.org/cgit/openstack/nova/tree/etc/nova/api-paste.ini#n32 is defined in the pipeline	14:28
* efried doesn't know what a pipeline is		14:29
efried	but that's okay.	14:29
efried	at some point here there will probably be several groups wanting to set up their fringe projects to use keystone	14:29
lbragstad	specifically - http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/auth_token/__init__.py#n955	14:30
efried	so they'll need to know how to do this magic.	14:30
lbragstad	a paste pipeline is way to say what the order of request processing should be	14:30
lbragstad	so, looking at http://git.openstack.org/cgit/openstack/nova/tree/etc/nova/api-paste.ini#n32	14:31
efried	The only thing I know about paste is that I used to have to like uninstall and reinstall it in different ways (apt/pip) at various versions to get my devstack working.	14:31
lbragstad	a request object hits cors first, then http_proxy_to_wsgi	14:31
lbragstad	etc...	14:31
lbragstad	so when you setup a pipeline you have the ability to specify the order of software that gets run	14:32
lbragstad	the contract uses generic request objects and an interface between middleware so you can string them together	14:32
lbragstad	the same pattern happens on the way out for response objects	14:32
efried	Okay.	14:33
lbragstad	for example; each piece in the pipeline has a process_request() method	14:33
lbragstad	so, this is what's actually getting run each time someone calls the nova API http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/auth_token/__init__.py#n598	14:33
lbragstad	which is what's responsible for validating the users token and setting headers that nova pulls off (in the next piece of middleware) to build request context objects using oslo.context	14:34
lbragstad	all that happens before the request actually hits the nova API	14:35
lbragstad	because that's defined last in the pipeline (osapi_compute_app_v21)	14:35
efried	So reminding myself what I was looking for when I started down this path...	14:36
efried	I then expected to find project_domain_name and user_domain_name defined in keystonemiddleware.auth_token._opts	14:36
efried	but they aren't there	14:37
*** erus has quit IRC		14:40
*** erus has joined #openstack-keystone		14:40
efried	or anywhere in those three projects (keystone, keystoneauth, keystonemiddleware)	14:41
lbragstad	looking	14:45
efried	I'm going to go with +2 because it matches the example in the ksm documentation	14:45
lbragstad	they're loaded dynamically	14:49
lbragstad	middleware invokes http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/auth_token/__init__.py#n261 right?	14:49
lbragstad	and we get into ksa here - http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/auth_token/__init__.py#n257	14:49
lbragstad	which calls this - https://git.openstack.org/cgit/openstack/keystoneauth/tree/keystoneauth1/loading/conf.py#n30	14:50
lbragstad	https://git.openstack.org/cgit/openstack/keystoneauth/tree/keystoneauth1/loading/conf.py#n37	14:51
vishakha	lbragstad: ohh ok. Let me come back to you for any doubts on project for grant api	14:51
*** erus has quit IRC		14:53
*** erus has joined #openstack-keystone		14:54
lbragstad	efried keystoneauth can't have dependencies on oslo, which is why you're not seeing the options defined and registered like you normally work	14:58
lbragstad	would*	14:58
lbragstad	i didn't remember that earlier - i was looking for definitions with oslo.config, too	14:59
efried	but where are user_domain_name and project_domain_name defined?	14:59
efried	it's okay, you don't have to kill yourself explaining this to me, at this point it's just stubborn intellectual curiosity, but I can let it go.	15:00
lbragstad	https://review.openstack.org/#/c/647972/1/doc/source/install/compute-install-obs.rst@79	15:00
lbragstad	^ right there	15:00
lbragstad	you see auth_type = plugin?	15:00
lbragstad	er - auth_type = password?	15:01
efried	yes	15:01
efried	Yeah, I found where auth_type came from	15:01
* efried wonders if project_domain_name and user_domain_name are actually obsolete/unused and nobody noticed		15:02
*** erus has quit IRC		15:02
efried	cause I only see them loaded from conf in tests	15:02
*** erus has joined #openstack-keystone		15:02
lbragstad	well - it'll load the password auth plugin	15:03
lbragstad	and it resolves the attributes of that plugin as configuration options https://git.openstack.org/cgit/openstack/keystoneauth/tree/keystoneauth1/identity/v3/password.py	15:04
efried	okay. I still don't see how that guy is loading anything from the conf. But seriously, we can stop beating this horse.	15:08
lbragstad	hopefully it at least cleared some things up	15:10
lbragstad	sorry it took me a while to grok this	15:10
*** awalende has quit IRC		15:11
*** erus has quit IRC		15:11
*** erus has joined #openstack-keystone		15:12
*** awalende has joined #openstack-keystone		15:12
bnemec	lbragstad: Hmm, is that why the config validator doesn't find things like keystone_authtoken/password?	15:12
lbragstad	bnemec probably	15:13
lbragstad	ksa has isn't own Opt object	15:14
lbragstad	its own*	15:14
bnemec	Okay, and there's probably no way for those opts to show up in the sample config data?	15:14
* bnemec has been trying to clean up false failures in the config validator		15:15
bnemec	So this is relevant to my interests. :-)	15:15
*** awalende has quit IRC		15:16
lbragstad	i'm not sure what you mean by show up in the sample config data?	15:19
lbragstad	in this specific case, ksm loads the opts for ksa by calling https://git.openstack.org/cgit/openstack/keystoneauth/tree/keystoneauth1/loading/conf.py#n30	15:21
lbragstad	which eventually(?) resolves auth_type to a plugin instance and populates the rest of the configuration opts based on the attributes of the plugin	15:22
lbragstad	which is where we get user_domain_name and project_domain_name	15:23
lbragstad	https://git.openstack.org/cgit/openstack/keystoneauth/tree/keystoneauth1/identity/v3/base.py#n47	15:24
*** erus has quit IRC		15:24
*** adriant has quit IRC		15:25
*** erus has joined #openstack-keystone		15:25
*** adriant has joined #openstack-keystone		15:26
efried	bnemec: ah, good point, keystonemiddleware.auth_token._opts is registering opts, and the genconfig conf.py for $project is calling out keystonemiddleware.auth_token so we include the opts in the documentation, and these mysterious options are showing up there. I just (still) can't figure out where they're registered.	15:29
lbragstad	^ that code is eluding me, too	15:29
lbragstad	i see the doc string that describes the behavior	15:30
lbragstad	and i assume it works, because how else would it?	15:30
lbragstad	but... where is the thing that grabs an instance of the plugin and iterates its attributes to register them as options?	15:31
lbragstad	cc kmalloc ^	15:31
*** erus has quit IRC		15:32
*** erus has joined #openstack-keystone		15:33
bnemec	My concern is that when I run tox -e genconfig in a project, the resulting keystone_authtoken section doesn't have a password option (or any of the other options from that plugin).	15:33
bnemec	It sounds like that's because the options are generated dynamically at runtime?	15:33
kmalloc	Possibly at runtime. Also because you can use different plugins.	15:34
lbragstad	right...	15:34
bnemec	I'm wondering if there's any way to include those options in the sample config or if I just need to disable validation of the keystone_authtoken opt group because there's no way to know which options are valid ahead of time.	15:34
kmalloc	But can't use more than one at a time.	15:34
lbragstad	i just can't find that code	15:34
kmalloc	I'd disable validatiob	15:35
kmalloc	You need to know the plugin to know opts.	15:35
bnemec	kmalloc: Okay, thanks. That's simple enough.	15:36
lbragstad	right - where were is the code that resolves the auth_type value to register its opts?	15:36
bnemec	Maybe I can dump out an info level message when we ignore a keystone_authtoken opt.	15:36
kmalloc	lbragstad: in ksa I think	15:36
lbragstad	ksm calls https://git.openstack.org/cgit/openstack/keystoneauth/tree/keystoneauth1/loading/conf.py#n30	15:37
lbragstad	but idk how that resolves things?	15:37
kmalloc	Magic	15:37
lbragstad	outside of the docstring saying it does	15:37
kmalloc	Ksa doesn't create oslo opts	15:38
kmalloc	It converts on demand to them	15:38
*** zlangi has quit IRC		15:38
kmalloc	So, it does some work behind the scenes.	15:38
lbragstad	right - i assume that's what in keystoneauth1/loading/_opts.py	15:38
kmalloc	Yeah, but you see in config the .to_oslo opt, you load the plugin and then get the opts cast from.obj	15:39
kmalloc	Really, this is KSA magic.	15:40
kmalloc	this is opaque also because ksm did weird things to begin with and we carry a lot of legacy	15:41
kmalloc	and on top of it all, ksa can't lean directly on oslo_config.	15:41
lbragstad	yeah - i remember that part	15:41
kmalloc	honestly, i dislike oslo_config massively, it, imo, does not meaninfully add anything to config parsing	15:42
kmalloc	outside of the fixtures, and that could have been done independantly	15:42
kmalloc	but that aside	15:43
kmalloc	this really is related to oslo_config not being something ksa directly imports.	15:43
lbragstad	omg...	15:45
lbragstad	http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/auth_token/__init__.py#n863	15:46
*** erus has quit IRC		15:46
lbragstad	http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/auth_token/__init__.py#n884	15:46
*** erus has joined #openstack-keystone		15:47
lbragstad	which calls - https://git.openstack.org/cgit/openstack/keystoneauth/tree/keystoneauth1/loading/conf.py#n45	15:48
kmalloc	yep	15:48
* lbragstad checks to see if it's 1700 yet		15:48
lbragstad	there's your answer efried ^	15:48
kmalloc	it's 1700 somewhere	15:48
bnemec	Somewhere, I'm sure. ;-)	15:48
lbragstad	my brain hurts	15:48
kmalloc	lbragstad: 1550 UTC, so ... 70 more minutes.	15:49
efried	lbragstad: https://git.openstack.org/cgit/openstack/keystoneauth/tree/keystoneauth1/loading/_plugins/identity/generic.py#n69 ffs, it's because it was spelled with hyphens I never found it.	15:54
* lbragstad pours efried a guinness		15:54
efried	thanks, I needed that.	15:55
lbragstad	i think we reached the last layer of the onion though	15:55
efried	(it's not quite 1100 here)	15:55
efried	lbragstad: Back to the original point, I don't see a default value in that opt :P	15:56
efried	so it is still unclear whether that doc edit patch is right	15:56
efried	but I'm standing by my decision	15:56
efried	to match the ksm documentation	15:56
lbragstad	i don't think they have can default values for user_domain_name and project_domain_name?	15:57
lbragstad	but yeah - i agree that matching the ksm reference is a good idea	15:58
cmurphy	it's 1700 here :P	16:00
*** KeithMnemonic has quit IRC		16:01
cmurphy	ksm/ksa don't set a default value for the domain name or id, those come from the keystone database, that's why they need to be spelled out explicitly in the config	16:01
* cmurphy partially paying attention		16:02
*** efried is now known as efried_rollin		16:02
lbragstad	yeah - i was going to say, in the best case you'd be assuming a user has authorization on something in order for it to work	16:04
* bnemec is jealous of cmurphy's time zone		16:07
*** gyee has joined #openstack-keystone		16:17
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Add domain scope support for group policies https://review.openstack.org/643937	16:22
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Remove redundant policies from v3cloudsample https://review.openstack.org/647586	16:22
*** shyamb has joined #openstack-keystone		16:30
*** jamesmcarthur_ has quit IRC		16:42
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Remove redundant policies from v3cloudsample https://review.openstack.org/647586	16:48
*** erus has quit IRC		16:48
*** erus has joined #openstack-keystone		16:48
*** dustinc has joined #openstack-keystone		16:52
cmurphy	heads up, if you haven't filled out the poll for the new meeting time please do so https://doodle.com/poll/zxv6d2mxngmhb3vc	16:55
*** shyamb has quit IRC		16:58
kmalloc	cmurphy: are those times supposed to convert to my timezone, or is incorrectly showing Pacific time?	17:13
cmurphy	kmalloc: i created it using pacific time, if the times don't make sense for pacific time then i screwed up	17:13
kmalloc	col	17:14
kmalloc	cool*	17:14
kmalloc	second, is it intending to push the time to earlier in the day?	17:14
kmalloc	i'm not sure what the timing issue is at the moment	17:14
cmurphy	the issue is that pretty soon we won't have anyone who attends from europe, and the current time is really inconvenient for wxy-xiyuan and vishakha so i thought revisiting it would be a good idea	17:16
kmalloc	ah	17:17
kmalloc	unfortunately, the tuesday 8am, 9am (depending on DST) works the best for me. but as long as we aren't pushing it super early I can probably make it work (regardless of doodle responses)	17:18
*** erus has quit IRC		17:18
*** erus has joined #openstack-keystone		17:19
cmurphy	if we can't find something more agreeable for everyone then we can stick with the current slot	17:19
kmalloc	just letting you know I responded to doodle with preferred times	17:20
kmalloc	but pretty much anything tuesday/wed/thurs will work	17:20
cmurphy	thanks kmalloc	17:20
kmalloc	now i need to get that RBAC fix rolled	17:29
kmalloc	i figured out what needs to happen	17:29
kmalloc	it needs a new resource object	17:29
kmalloc	should be straightforward	17:29
kmalloc	i'll submit another fix (not backporting) to fix the typo in the log line	17:30
lbragstad	oh - i automatically assumed it was converted to my tz	17:39
lbragstad	oh nevermind...	17:39
cmurphy	maybe double check	17:39
lbragstad	all times displayed in America/Chicago	17:40
lbragstad	sweet	17:40
kmalloc	ah nice	17:40
cmurphy	my other motivation is all my other meetings are always scheduled at exactly that time	17:43
*** mvkr has quit IRC		17:44
lbragstad	kmalloc we have a few laggard patches to stable/stein that need some reviews	17:45
lbragstad	https://etherpad.openstack.org/p/keystone-stein-rc2-tracking	17:45
* kmalloc nods.		17:45
kmalloc	i'll get to those once i have the RBAC thing proposed so we can backport	17:45
lbragstad	fantastic	17:46
lbragstad	kmalloc do you run your 4k monitors off usb-c?	17:46
kmalloc	display-port	17:47
lbragstad	to mini display port?	17:47
kmalloc	on my laptop? uhm i think i just use HDMI	17:47
kmalloc	i mostly use my desktops these days with 4k monitor(s)	17:47
lbragstad	do you get throttled at 30 Hz refresh rates?	17:47
kmalloc	i'd need to check the hdmi port version, but probably	17:48
* lbragstad nods		17:48
kmalloc	with my desktop(s) I am using displayport for 1440p 144hz	17:48
lbragstad	i know my x1c has HDMI 1.4 but i think you have a newer version	17:48
kmalloc	and my other desktop i'm doing HD-BaseT (HDMI over Cat7) and getting 4k@60hz 4:4:4	17:49
lbragstad	nice	17:49
*** erus has quit IRC		17:49
kmalloc	if i was to connect the laptop, if the laptop has tb3, i'd go usb-c/tb3->displayport	17:50
*** erus has joined #openstack-keystone		17:50
lbragstad	ok - that's what i was curious about	17:50
lbragstad	i just ordered a displayport -> usb-c adapter	17:50
lbragstad	https://www.amazon.com/gp/product/B01NBX352B	17:51
lbragstad	it should take care of the issue	17:51
lbragstad	(i had to update BIOS firmware last night)	17:51
kmalloc	lbragstad: what laptop did you replace yours with? or something else?	17:54
lbragstad	i got the x1c back up and running	17:55
kmalloc	ah nice	17:55
kmalloc	another option would be to get one of the apple-certified 5k tb3 monitors	17:55
lbragstad	baby steps ;)	17:55
kmalloc	then you don't need an adapter	17:55
kmalloc	:P	17:55
lbragstad	yeah - that would be nice	17:55
*** jamesmcarthur has joined #openstack-keystone		18:05
*** jamesmcarthur has quit IRC		18:53
*** jamesmcarthur has joined #openstack-keystone		19:16
*** vishakha has quit IRC		19:26
*** efried_rollin is now known as efried		19:45
*** pcaruana has quit IRC		19:53
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Remove redundant policies from v3cloudsample https://review.openstack.org/647586	20:02
*** lbragstad has quit IRC		20:05
*** erus has quit IRC		20:17
*** erus has joined #openstack-keystone		20:17
kmalloc	huh	20:20
kmalloc	this rbac one is weird.	20:21
*** erus has quit IRC		20:35
*** erus has joined #openstack-keystone		20:36
*** lbragstad has joined #openstack-keystone		20:43
*** ChanServ sets mode: +o lbragstad		20:43
*** itlinux has quit IRC		20:46
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Raise METHOD NOT ALLOWED instead of 500 error on protocol create https://review.openstack.org/648241	20:50
kmalloc	cmurphy: ^ lets see what zuul has to say about that.	20:50
cmurphy	sweet	20:51
cmurphy	kmalloc: method not allowed is 405 though	20:52
kmalloc	did I typo?	20:52
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Raise METHOD NOT ALLOWED instead of 500 error on protocol create https://review.openstack.org/648241	20:53
cmurphy	typo'd in the comment plus i thought in the bug it was agreed it should be a 404	20:53
kmalloc	looking further it should be a 405	20:53
kmalloc	because it is basically hitting where the list endpoint is... afaict	20:54
kmalloc	this api sucks btw. we require the protocol id on the url, which is silly	20:54
cmurphy	is 405 what would have happened before flask?	20:54
kmalloc	no, before flask it would have been an unrouted 404	20:54
kmalloc	which with flask became 405	20:54
cmurphy	and changing that isn't an api break?	20:55
kmalloc	not really.	20:55
kmalloc	we opted to make it a 405 so we can say "no a put here isn't allowed" for example, or a POST	20:56
kmalloc	it never hit our app before	20:56
kmalloc	it fell through and apache said 404	20:56
cmurphy	ah okay	20:57
kmalloc	yeah. it's a weird edge case.	20:57
kmalloc	that patch is probably going to fail.	20:58
kmalloc	my local environment exploded so i can't run tox atm.	20:58
*** mchlumsky has quit IRC		21:01
*** jmlowe has quit IRC		21:20
*** whoami-rajat has quit IRC		21:28
*** erus has quit IRC		21:35
*** erus has joined #openstack-keystone		21:36
*** erus has quit IRC		22:01
*** erus has joined #openstack-keystone		22:01
bnemec	\o/ 1700. And I just spent 15 seconds staring at a Horizon page trying to remember the word "flavor", so it's clearly time to stop. ;-)	22:05
*** itlinux has joined #openstack-keystone		22:14
*** raildo has quit IRC		22:18
*** jmlowe has joined #openstack-keystone		22:20
*** rcernin has joined #openstack-keystone		22:31
*** jamesmcarthur has quit IRC		22:33
*** jamesmcarthur has joined #openstack-keystone		22:33
*** jamesmcarthur has quit IRC		22:44
*** jamesmcarthur has joined #openstack-keystone		22:48
*** jamesmcarthur has quit IRC		22:51
*** jamesmcarthur has joined #openstack-keystone		22:52
*** jamesmcarthur has quit IRC		22:55
*** erus has quit IRC		22:55
*** erus has joined #openstack-keystone		22:56
*** tkajinam has joined #openstack-keystone		23:00
*** lbragstad has quit IRC		23:48

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!