Wednesday, 2019-09-11

*** jamesmcarthur has joined #openstack-keystone		00:02
*** liushuobj__ has joined #openstack-keystone		00:02
*** liushuo_ has quit IRC		00:05
*** jamesmcarthur has quit IRC		00:06
*** jamesmcarthur has joined #openstack-keystone		00:10
*** jamesmcarthur has quit IRC		00:27
*** liushuo_ has joined #openstack-keystone		00:33
*** liushuobj__ has quit IRC		00:37
*** jamesmcarthur has joined #openstack-keystone		00:39
*** gyee has quit IRC		00:42
*** jamesmcarthur has quit IRC		00:44
*** jamesmcarthur has joined #openstack-keystone		01:02
*** spatel has joined #openstack-keystone		01:24
*** liushuobj__ has joined #openstack-keystone		01:24
*** tkajinam has quit IRC		01:25
*** lbragstad has quit IRC		01:26
*** tkajinam has joined #openstack-keystone		01:26
*** lbragstad has joined #openstack-keystone		01:26
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Remove obsolete grant policies from policy.v3cloudsample.json https://review.opendev.org/667731	01:27
*** liushuo_ has quit IRC		01:28
*** jamesmcarthur has quit IRC		01:59
*** liushuo_ has joined #openstack-keystone		02:02
*** jamesmcarthur has joined #openstack-keystone		02:04
*** liushuobj__ has quit IRC		02:05
*** FlorianFa has quit IRC		02:15
*** liushuobj__ has joined #openstack-keystone		02:28
*** liushuo_ has quit IRC		02:32
*** FlorianFa has joined #openstack-keystone		02:35
*** jamesmcarthur has quit IRC		03:00
*** spatel has quit IRC		03:03
*** jamesmcarthur has joined #openstack-keystone		03:06
openstackgerrit	Merged openstack/keystone master: Implement system reader for implied roles https://review.opendev.org/680795	03:09
*** jamesmcarthur has quit IRC		03:13
*** jamesmcarthur has joined #openstack-keystone		03:25
*** liushuo_ has joined #openstack-keystone		03:35
*** liushuobj__ has quit IRC		03:39
*** knikolla has quit IRC		03:42
*** ildikov has quit IRC		03:42
*** csatari has quit IRC		03:42
*** knikolla has joined #openstack-keystone		03:45
*** ildikov has joined #openstack-keystone		03:45
*** csatari has joined #openstack-keystone		03:45
openstackgerrit	Merged openstack/python-keystoneclient master: Generate pdf documentation https://review.opendev.org/679377	03:49
*** liushuobj__ has joined #openstack-keystone		03:50
*** liushuo_ has quit IRC		03:53
*** jamesmcarthur has quit IRC		03:57
*** etp has joined #openstack-keystone		04:12
*** dave-mccowan has quit IRC		04:29
*** liushuobj__ has quit IRC		04:32
*** liushuobj__ has joined #openstack-keystone		04:33
*** pcaruana has joined #openstack-keystone		04:42
openstackgerrit	Merged openstack/keystone master: Remove system policy and its association from policy.v3cloudsample.json https://review.opendev.org/678475	04:49
openstackgerrit	Merged openstack/keystone master: Generate PDF documentation https://review.opendev.org/669982	04:49
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Implement system scope for domain role management https://review.opendev.org/680844	04:54
*** Luzi has joined #openstack-keystone		05:07
*** pcaruana has quit IRC		05:12
*** rcernin has quit IRC		05:22
*** redrobot has quit IRC		05:25
*** rcernin has joined #openstack-keystone		05:38
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Expose access rules as its own API https://review.opendev.org/668238	05:44
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Add access rules to token validation https://review.opendev.org/631993	05:44
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Update API version for access rules https://review.opendev.org/671374	05:44
*** rcernin has quit IRC		05:51
openstackgerrit	Andreas Jaeger proposed openstack/keystone master: Fix timeout Zuul changes https://review.opendev.org/681380	06:05
*** rcernin has joined #openstack-keystone		06:09
*** pcaruana has joined #openstack-keystone		06:21
*** etp has quit IRC		06:32
*** etp has joined #openstack-keystone		06:33
*** liushuo_ has joined #openstack-keystone		06:38
*** liushuobj__ has quit IRC		06:42
*** dancn has joined #openstack-keystone		06:42
*** liushuobj__ has joined #openstack-keystone		07:06
*** awalende has joined #openstack-keystone		07:08
*** trident has quit IRC		07:08
*** ivve has joined #openstack-keystone		07:09
*** liushuo_ has quit IRC		07:10
*** tesseract has joined #openstack-keystone		07:11
*** trident has joined #openstack-keystone		07:17
*** liushuo_ has joined #openstack-keystone		07:18
*** liushuobj__ has quit IRC		07:22
*** trident has quit IRC		07:22
*** liushuobj__ has joined #openstack-keystone		07:28
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Implement scope type checking for EC2 credentials https://review.opendev.org/607820	07:29
*** trident has joined #openstack-keystone		07:31
*** liushuo_ has quit IRC		07:32
*** rcernin has quit IRC		07:38
*** liushuo_ has joined #openstack-keystone		08:17
*** asettle has joined #openstack-keystone		08:19
*** liushuobj__ has quit IRC		08:20
asettle	Hey keystoners - I'm hoping to get some help getting through three patches for master, stein, and rocky just to get some broken links fixed https://review.opendev.org/676906, https://review.opendev.org/676908, and https://review.opendev.org/676955	08:20
asettle	They have three separate changes, so they're not backports.	08:20
asettle	Well, one is a backport of a completely different change	08:20
*** tkajinam has quit IRC		08:27
*** jawad_axd has joined #openstack-keystone		08:29
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Remove system EC2 credentials from policy.v3cloudsample.json https://review.opendev.org/681162	08:40
openstackgerrit	zhouguowei proposed openstack/keystoneauth master: Add blueprints for the document https://review.opendev.org/681407	08:41
*** liushuobj__ has joined #openstack-keystone		08:43
*** liushuo_ has quit IRC		08:47
*** rcernin has joined #openstack-keystone		09:10
*** rcernin has quit IRC		09:41
*** liushuo_ has joined #openstack-keystone		09:44
*** dancn has quit IRC		09:45
*** liushuobj__ has quit IRC		09:47
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Implement system reader & member for domain config API https://review.opendev.org/679623	10:17
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Implement system admin for domain config API https://review.opendev.org/679750	10:17
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Add Domain User for security compliance domain config API https://review.opendev.org/679966	10:17
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Add Project User coverage for domain config API https://review.opendev.org/680341	10:17
openstackgerrit	Vishakha Agarwal proposed openstack/keystone master: Remove system Domain Config from policy.v3cloudsample.json https://review.opendev.org/680357	10:17
*** liushuobj__ has joined #openstack-keystone		11:05
*** liushuo_ has quit IRC		11:08
openstackgerrit	Merged openstack/keystone master: Fix timeout Zuul changes https://review.opendev.org/681380	11:29
*** raildo has joined #openstack-keystone		11:44
*** spsurya has joined #openstack-keystone		11:58
*** dave-mccowan has joined #openstack-keystone		12:05
*** awalende has quit IRC		12:22
*** awalende has joined #openstack-keystone		12:23
*** jamesmcarthur has joined #openstack-keystone		12:25
*** awalende has quit IRC		12:27
*** jamesmcarthur has quit IRC		12:30
*** etp has quit IRC		12:31
*** awalende has joined #openstack-keystone		12:34
*** awalende has quit IRC		12:38
*** jmlowe has quit IRC		12:42
*** dancn has joined #openstack-keystone		12:45
*** jmlowe has joined #openstack-keystone		12:59
*** jmlowe has quit IRC		12:59
*** jmlowe has joined #openstack-keystone		13:00
*** vishakha has quit IRC		13:10
*** jaosorior has quit IRC		13:26
lbragstad	https://pasted.tech/pastes/b45c6b015b97c865018c4b3290f60e0456fe304a.raw is blowing my mind	13:45
lbragstad	for some reason i get ^ locally with https://review.opendev.org/#/c/667730/	13:45
lbragstad	but zuul doesn't seem to have issues with it	13:45
*** redrobot has joined #openstack-keystone		13:50
*** jawad_axd has quit IRC		13:55
*** Luzi has quit IRC		13:59
*** dancn has quit IRC		14:18
lbragstad	bah	14:33
lbragstad	https://opendev.org/openstack/keystone/src/branch/master/keystone/api/groups.py#L84 leads to https://opendev.org/openstack/keystone/src/branch/master/keystone/server/flask/common.py#L917-L943	14:35
lbragstad	and by default we short circuit	14:35
lbragstad	https://opendev.org/openstack/keystone/src/branch/master/keystone/server/flask/common.py#L924-L926	14:35
lbragstad	but i have a local config that enabled domain_specific_drivers_enabled = True	14:35
lbragstad	so - if you set that option and then run those tests, they'll fail	14:36
lbragstad	documented all of ^ in https://review.opendev.org/#/c/645968/	14:48
*** vishakha has joined #openstack-keystone		14:59
*** spatel has joined #openstack-keystone		15:01
*** jmlowe has quit IRC		15:04
*** ayoung has quit IRC		15:07
*** jamesmcarthur has joined #openstack-keystone		15:08
*** jmlowe has joined #openstack-keystone		15:09
cmurphy	lbragstad: aha	15:10
cmurphy	so the system role tests break when domain specific drivers are enabled because there's no domain in the token?	15:10
*** ayoung has joined #openstack-keystone		15:10
evrardjp	o/	15:11
lbragstad	cmurphy i believe so	15:12
lbragstad	i just stumbled across it	15:12
cmurphy	lbragstad: i think we should address that separately	15:12
cmurphy	and open a new bug for it	15:12
lbragstad	but i think that method blows up with tokens that it can't find domains for (which makes sense because system doesn't belong under a domain)	15:12
lbragstad	ok	15:12
lbragstad	so continue merging that series?	15:13
cmurphy	lbragstad: i think so - it seems like domain specific drivers being broken with system scope is a separate issue?	15:13
cmurphy	or are we introducing a regression if we merge this?	15:13
lbragstad	well - arguable the regression already existsed	15:14
lbragstad	your work just highlighted the regression	15:14
lbragstad	IMO	15:14
cmurphy	okay	15:14
lbragstad	i would assume it was introduced when the system-scope work happened	15:15
lbragstad	or was merged	15:15
lbragstad	we could backport this	15:15
vishakha	o/	15:16
cmurphy	++	15:16
cmurphy	o/	15:16
lbragstad	(but that's probably a low priority since system-scoped tokens aren't used for anything in keystone's api)	15:16
lbragstad	prior to stein	15:16
cmurphy	oh i still need to address the duplicate test though	15:18
cmurphy	the matrix of tests needed for the grants api is ridiculously huge	15:22
*** gyee has joined #openstack-keystone		15:23
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Implement domain reader support for grants https://review.opendev.org/645968	15:24
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Implement domain admin support for grants https://review.opendev.org/667730	15:24
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Remove obsolete grant policies from policy.v3cloudsample.json https://review.opendev.org/667731	15:24
vishakha	cmurphy: For EC2 credentials link# https://review.opendev.org/#/c/607820/ my project test cases are failing. I am trying to find the root cause. Could it be possible to merge only for system users and update about the project users in the commit message ?	15:24
cmurphy	vishakha: hrm it seems kind of important to me that things like test_user_cannot_create_ec2_credentials_for_others works, if this test is causing project users to be able to delete other users' credentials that is a regression	15:27
vishakha	cmurphy: ok. Thanks.	15:29
*** ivve has quit IRC		15:29
*** ayoung has quit IRC		15:43
*** jaosorior has joined #openstack-keystone		15:44
kmalloc	o/	15:45
cmurphy	o/	15:45
*** ayoung has joined #openstack-keystone		15:45
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Implement system admin for implied roles https://review.opendev.org/680796	15:47
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Remove implied roles policies from v3cloudsample https://review.opendev.org/680797	15:47
kmalloc	lbragstad: immutable/resource options bits are all passing and needing some eyes (cc gagehugo, gyee) starting here https://review.opendev.org/#/c/678322/	15:48
gagehugo	o/	15:48
gyee	yes sir	15:52
lbragstad	cmurphy done https://bugs.launchpad.net/keystone/+bug/1843609	16:01
openstack	Launchpad bug 1843609 in OpenStack Identity (keystone) "Domain-specific domain ID resolution breaks with system-scoped tokens" [High,Triaged]	16:01
cmurphy	thanks lbragstad	16:01
cmurphy	we can try to address it before RC	16:01
lbragstad	++	16:01
*** spatel has quit IRC		16:01
*** spatel has joined #openstack-keystone		16:02
*** spatel has quit IRC		16:07
kmalloc	cmurphy: +2 on the doc changes except the one that needed commit cleanup (stable branches)	16:09
cmurphy	asettle: ^	16:09
asettle	Thank you cmurphy :D	16:10
asettle	Just left it as a plain commit message	16:11
cmurphy	thanks asettle	16:12
*** jmlowe has quit IRC		16:13
kmalloc	cmurphy: +2/+A (overrode your -1, commit message is fine now)	16:16
cmurphy	asettle: not to nitpick but you still could have mentioned in the commit message why it's not being cherry-picked, my comment was only about the reference to comments on the gerrit review	16:17
cmurphy	kmalloc: that's fine	16:17
asettle	cmurphy, can do :)	16:17
cmurphy	asettle: not important at this point	16:17
kmalloc	asettle: I'll re-+2/+A if you feel like updating again	16:17
asettle	cmurphy, I admittedly left it because of the comment history. But will keep in mind for future.	16:17
kmalloc	but it's really ok as is	16:17
asettle	If you're both okay with it, I'm okay. I'll just be sure to remmeber it for future. In fairness, I just want these done... and in the way the projects want them done. So, i'm easy :)	16:18
kmalloc	asettle: :)	16:18
kmalloc	yeah don't worry about it	16:18
*** liushuobj__ has quit IRC		16:24
zaneb	hey folks! In Heat we're planning to allow users to specify domains for stuff we previously didn't have a way to specify the domain on by using syntax like <user>@<domain> https://review.opendev.org/663404	16:28
zaneb	does that sound basically sane, or are there potential gotchas?	16:29
cmurphy	zaneb: one potential issue is that @ is a valid character for both a username or a domain name	16:29
zaneb	is there another syntax that would be recommended instead?	16:30
cmurphy	not really, it would be better if you had some way to keep the fields separate	16:31
cmurphy	we had the same issue with puppet resources	16:31
cmurphy	let me look up what delimiter we ended up using	16:31
zaneb	we looked at adding properties to everything, but it was kind of intrusive and would behave weirdly in the case where you specified a UUID for the user	16:32
zaneb	and still failed on stuff like parameter constraints	16:32
zaneb	I think an @ in the domain shouldn't actually be an issue, because the patch splits on the first @	16:33
zaneb	an @ in the username would be a big problem though	16:33
cmurphy	what if you're using an email address as a username?	16:33
cmurphy	looks like we chose :: as the delimeter https://opendev.org/openstack/puppet-keystone/src/branch/master/examples/user_project_user_role_composite_namevar.pp#L11-L25	16:35
zaneb	I guess we could try looking up the domain first, and if that fails fall back to just treating it as a username	16:35
zaneb	cmurphy: thanks. that seems very... puppety... but it's worth considering	16:36
cmurphy	lol	16:36
cmurphy	trying to look up the domain first seems like a good idea	16:36
cmurphy	any way to treat the fields as separate would be safest	16:37
zaneb	cmurphy: do you have a convenient reference on which characters are and are not allowed? or does anything go and you just tried to pick something unlikely for puppet?	16:37
cmurphy	zaneb: there are no disallowed characters, we just chose :: in puppet because it seemed less likely to cause problems than @	16:38
zaneb	ok, makes sense	16:38
zaneb	it does indeed seem very likely that there are people using email addresses as usernames in the wild since that's allowed	16:38
cmurphy	yep	16:38
zaneb	I assume the same applies to group/role/project?	16:39
cmurphy	yes	16:39
*** Ben78 has joined #openstack-keystone		16:39
zaneb	cmurphy: cool, thanks for your help	16:41
cmurphy	np	16:41
* zaneb will try to find a way to avoid disaster		16:41
*** ivve has joined #openstack-keystone		16:42
*** jaosorior has quit IRC		16:46
*** ayoung has quit IRC		16:51
*** ayoung has joined #openstack-keystone		16:53
*** tesseract has quit IRC		16:57
kmalloc	if there is more than one @, rsplit vs lsplit	17:00
kmalloc	but only if you explicitly define domain as required.	17:01
kmalloc	but because we weren't more opinionated...we are stuck	17:02
kmalloc	yeah, don't assume @ is safe at all	17:02
*** awalende has joined #openstack-keystone		17:03
*** awalende has quit IRC		17:07
*** ayoung has quit IRC		17:14
zaneb	kmalloc: yeah, we're retrofitting it into existing properties so we can't require the domain either	17:15
zaneb	I currently thinking of something like "user{domain}"	17:16
zaneb	that should be extraordinarily unlikely to occur by accident	17:16
*** ayoung has joined #openstack-keystone		17:17
kmalloc	sorry i can't be more help	17:18
kmalloc	yeah {} is probably fine	17:18
kmalloc	alternative options that are unlikely to occur normally are probably <>	17:19
*** Ben78 has quit IRC		17:32
*** spsurya has quit IRC		17:32
*** jmlowe has joined #openstack-keystone		17:36
*** ayoung has quit IRC		17:39
*** ayoung has joined #openstack-keystone		17:42
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Add immutable roles status check https://review.opendev.org/675509	18:04
cmurphy	gyee: ^	18:04
*** jamesmcarthur has quit IRC		18:06
*** jamesmcarthur has joined #openstack-keystone		18:07
*** jamesmcarthur has quit IRC		18:11
gyee	looking	18:28
*** vishakha has quit IRC		18:28
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Implement scope type checking for EC2 credentials https://review.opendev.org/607820	18:59
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Remove system EC2 credentials from policy.v3cloudsample.json https://review.opendev.org/681162	19:00
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Implement scope type checking for EC2 credentials https://review.opendev.org/607820	19:01
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Remove system EC2 credentials from policy.v3cloudsample.json https://review.opendev.org/681162	19:01
*** vishalmanchanda has quit IRC		19:48
*** jamesmcarthur has joined #openstack-keystone		20:06
*** ayoung has quit IRC		20:24
*** ayoung has joined #openstack-keystone		20:24
*** mvkr has quit IRC		20:27
*** markvoelker has quit IRC		20:27
*** mvkr has joined #openstack-keystone		20:32
*** ayoung has quit IRC		20:35
*** markvoelker has joined #openstack-keystone		20:36
*** ayoung has joined #openstack-keystone		20:38
*** markvoelker has quit IRC		20:41
*** ivve has quit IRC		21:05
*** ivve has joined #openstack-keystone		21:05
*** Ben78 has joined #openstack-keystone		21:13
*** rcernin has joined #openstack-keystone		21:15
*** jamesmcarthur has quit IRC		21:20
*** markvoelker has joined #openstack-keystone		21:59
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Increase tox job timeouts to 90 minutes https://review.opendev.org/681621	22:25
cmurphy	sadness ^	22:25
*** threestrands has joined #openstack-keystone		22:37
gagehugo	:(	22:44
*** raildo has quit IRC		22:49
*** Ben78 has quit IRC		22:50
*** dtruong has quit IRC		22:55
*** dtruong has joined #openstack-keystone		22:55
*** tkajinam has joined #openstack-keystone		23:04
*** jamesmcarthur has joined #openstack-keystone		23:32
*** jamesmcarthur has quit IRC		23:46
*** jamesmcarthur has joined #openstack-keystone		23:46
*** jamesmcarthur has quit IRC		23:51

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!