Thursday, 2025-05-29

*** mhen_ is now known as mhen01:24
opendevreviewTakashi Kajinami proposed openstack/keystone-tempest-plugin master: Remove stable/2023.2 job  https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/95123505:55
andrewbogott_If anyone is feeling helpful, I could use a hand with a keystone regression that's breaking my production cloud:  https://bugs.launchpad.net/keystone/+bug/211211212:10
andrewbogott_I'm digging through the code, lots of validation refactors in there which will take me a while to grasp12:10
andrewbogott_oh, looks like that was already fixed but didn't make it into the debian package...12:12
andrewbogott_Hey zigo, how would you feel about rebuilding the ospo keystone debs from the latest 2025.1 branch? Looks like that might get us out of this mess.12:20
stephenfingtema: Got another one for you https://review.opendev.org/c/openstack/keystoneauth/+/95118312:33
stephenfinandrewbogott_: Just to help zigo, what commit have you identified as the fix? I wasn't able to reproduce it fwiw.12:41
andrewbogott_I'm only 45 minutes into this issue so haven't tested yet, but I think this is the attempted fix: https://review.opendev.org/c/openstack/keystone/+/94550412:41
andrewbogott_Which I think is on the 2025.1 branch already...12:42
stephenfinThat's my change. I didn't think that would affect that.12:42
andrewbogott_oh, hm12:43
andrewbogott_well then I don't know much yet.12:43
andrewbogott_So https://bugs.launchpad.net/keystone/+bug/2104185 is not a duplicate of my bug?12:44
stephenfinI don't think so. If you're using openstackclient you shouldn't be using comparators. I think only Gophercloud was affected by that (since there are tests there for that feature)12:45
stephenfinCan you share the (scrubbed) output from OSC and ideally keystone in the bug?12:46
andrewbogott_here's a stack trace (that i have not actually looked at)12:47
andrewbogott_https://www.irccloud.com/pastebin/ADr3YwNj/12:47
andrewbogott_that's server-side obviously12:48
stephenfinhttps://github.com/openstack/keystone/blob/069fa4566b9c4835554d993780f1010362f4420b/keystone/assignment/schema.py#L31612:50
andrewbogott_does id_string mean a uuid?12:51
stephenfinnot quite. any alphanumeric character plus hyphens12:52
stephenfinhttps://github.com/openstack/keystone/blob/069fa4566b9c4835554d993780f1010362f4420b/keystone/api/validation/parameter_types.py#L11512:52
andrewbogott_ok12:52
stephenfin(keystone doesn't insist on uuids, even though the IDs it uses look like uuids)12:52
stephenfindanny_b is a name though, so why is it hitting ID validation...?12:53
andrewbogott_It's probably his ID too12:53
andrewbogott_this is all coming from ldap, they aren't keystone-generated IDs.12:53
andrewbogott_Was that type changed recently?12:53
* andrewbogott_ goes back to git12:54
stephenfinah, see that's relevant :)12:54
stephenfinyes, this is all new code in Epoxy https://review.opendev.org/c/openstack/keystone/+/94034412:55
andrewbogott_Our cloud is old -- even in places where we don't use ldap we have lots of pre-uuid IDs in our database. It's kind of a running gag, compulsive openstack devs keep adding new uuid validation and I have to push back.12:55
stephenfinpart of the effort to add OpenAPI schemas to various services12:55
stephenfinso what other IDs are coming from LDAP?12:55
* stephenfin is not familiar with keystone with LDAP, or really LDAP (beyond basic usage as an end-user)12:56
andrewbogott_OK. Well, I will say what I always say in these cases: Not every cloud is a 0-day cloud so y'all can't just add new constraints to existing properties :)12:56
andrewbogott_The ldap backend is just for users, not projects or assignments. So it's basically just username and ID (and auth)12:57
andrewbogott_but ldap isn't really the issue here, the issue is that it's an already-existing cloud with already-existing data12:57
stephenfinldap isn't an "issue", but it is relevant since it has different criteria for things like usernames which haven't been considered here13:03
andrewbogott_true!13:03
stephenfinFrom my brief bit of research, it seems like there are no realistic limits on allowed characters or the length of an LDAP uid, right?13:04
andrewbogott_Agreed! But I'm trying to make a more general point (which maybe doesn't matter in this case but might), which is that unless you read the keystone code all the way to day one and check every possible value for /any/ property, we can't impose new constraints on that property. Does that make sense? Because you don't know what might be an existing cloud's database already.13:05
andrewbogott_So I think basically any new validation that's added has to be switchable with a config setting.13:05
andrewbogott_So... hackwise, if I mark out the     @validation.request_query_schema bits will it stop validating?13:05
andrewbogott_I think you're correct that you can't make any real assumptions about the ldap uid. I don't think all of ours are ascii, for example.13:06
stephenfinI mean we can: that's what API version and database migrations are for. But neither of those have happened here, so that's a bug13:06
andrewbogott_Oh! Yes, if there's a db migration that handles such edge cases then that's fine. But unfortunately keystone can't really do a db migration on an external provider :(13:07
andrewbogott_btw stephenfin I hope I'm not coming across as grumpy with you -- you are being extremely, unnecessarily helpful and I appreciate it! If I'm curt it's mostly because I'm feeling dumb for deploying this in production + also I'm having a plumbing issue in my house at the same time.13:11
andrewbogott_Earlier you asked about client logs -- is that still something that would be useful or do you have all you need from me?13:12
opendevreviewStephen Finucane proposed openstack/keystone master: api: Remove constraints on user IDs  https://review.opendev.org/c/openstack/keystone/+/95128213:15
stephenfinit's all good :)13:15
stephenfinand no, the server log was what was really needed. That should put things right ^13:15
andrewbogott_oh nice, thank you! I will rig up puppet to apply that patch and see what we get.13:16
stephenfinplease take a look and let me/someone know if there are additional resources where LDAP IDs could propagate up. From what you're saying though, it should be just users13:17
andrewbogott_There are other things about users that might show up (email adddress for example?) but it really is just users.13:17
opendevreviewStephen Finucane proposed openstack/keystone master: api: Remove constraints on user IDs  https://review.opendev.org/c/openstack/keystone/+/95128213:20
stephenfinack13:21
stephenfinsmall tweak there too (I missed the query string). Possibly another one coming once unit tests finish running too13:21
andrewbogott_ok13:22
opendevreviewStephen Finucane proposed openstack/keystone master: api: Remove constraints on user IDs  https://review.opendev.org/c/openstack/keystone/+/95128213:23
zigoandrewbogott_: You mean osbpo ?14:08
andrewbogott_zigo: yes! But it turns out that the fix isn't actually merged yet, so I need to apply manually.14:08
andrewbogott_So, we don't actually need any packaging right now. Thank you for appearing though!14:09
zigoandrewbogott_: So, I'd need this patch, right ? https://review.opendev.org/c/openstack/keystone/+/95128214:09
andrewbogott_yep. But packaging that before it's reviewed/merged/passed CI seems premature :)14:10
zigoandrewbogott_: I can always add the patch to the package, even if it's not merged...14:10
zigoPass the CI, of course, I'll wait for that! :)14:10
andrewbogott_I'm ok with applying that locally for now, and then it'll likely show up in F14:10
andrewbogott_But if you really want to backport and package it I'll take it!14:10
zigoOk, thanks for the ping.14:11
zigoFYI, the sooner the better, because Debian 13 is in hard freeze.14:11
andrewbogott_zigo: if it gets backported into 13 then that'd be a good case for repackaging and updating the packages in 13. Assuming 13 is shipping with E.14:14
stephenfingtema: d34dh0r53: I'm seeing some weird behavior. I'm using v3token auth method. On one DevStack environment, I am able to auth with just with token and get a response back with the service catalog and other scope fields included. On the other, I need to also provide a project name and project domain ID14:26
stephenfinSame client and same keystone version on both hosts, practically the same devstack local.conf, same clouds.yaml cloud entry for the user I use to create the token etc. Any idea what might be happening?14:27
stephenfinI have captured tracebacks with mitmproxy too. Nothing different in the requests. It's just the responses that are different14:28
opendevreviewStephen Finucane proposed openstack/keystone master: api: Use explicit ID types  https://review.opendev.org/c/openstack/keystone/+/95129714:29
opendevreviewStephen Finucane proposed openstack/keystoneauth master: Add .git-blame-ignore-revs file  https://review.opendev.org/c/openstack/keystoneauth/+/95131014:43
gtemaStephenfin, I have a public holiday today, thus not responsive. Will have a look tomorrow 15:35
stephenfinack15:47
stephenfinI got to the bottom of it: I had a default project ID set for the user on the first cloud but not the other one.17:09
opendevreviewStephen Finucane proposed openstack/keystone master: api: Add log when creating unscoped token  https://review.opendev.org/c/openstack/keystone/+/95132717:15
opendevreviewStephen Finucane proposed openstack/keystone master: RFC: Do not consider other method types if using token auth  https://review.opendev.org/c/openstack/keystone/+/95133118:02

Generated by irclog2html.py 4.0.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!