*** mhen_ is now known as mhen | 01:22 |
zigo | andrewbogott_: stephenfin: I've uploaded Keystone 27.0.0-2 to unstable with https://review.opendev.org/c/openstack/keystone/+/951282 hopefully it will make it to Debian 13 (and yes, Trixie will come with Epoxy). | 08:28 |
---|---|---|
stephenfin | ack | 08:28 |
opendevreview | Stephen Finucane proposed openstack/keystone master: zuul: Rename, reorder tempest jobs https://review.opendev.org/c/openstack/keystone/+/951380 | 08:40 |
opendevreview | Stephen Finucane proposed openstack/keystone master: zuul: Remove keystone-tox-patch_cover job https://review.opendev.org/c/openstack/keystone/+/951381 | 08:40 |
opendevreview | Stephen Finucane proposed openstack/keystone master: zuul: Bump fips jobs to CentOS Stream 10, Ubuntu 24.04 (Noble) https://review.opendev.org/c/openstack/keystone/+/951382 | 08:40 |
opendevreview | Stephen Finucane proposed openstack/keystone master: zuul: Rename, reorder tempest jobs https://review.opendev.org/c/openstack/keystone/+/951380 | 08:46 |
opendevreview | Stephen Finucane proposed openstack/keystone master: zuul: Remove keystone-tox-patch_cover job https://review.opendev.org/c/openstack/keystone/+/951381 | 08:46 |
opendevreview | Stephen Finucane proposed openstack/keystone master: zuul: Bump fips jobs to CentOS Stream 10, Ubuntu 24.04 (Noble) https://review.opendev.org/c/openstack/keystone/+/951382 | 08:46 |
opendevreview | Stephen Finucane proposed openstack/keystone master: zuul: Remove deprecated job aliases https://review.opendev.org/c/openstack/keystone/+/951383 | 08:46 |
opendevreview | Stephen Finucane proposed openstack/keystone-tempest-plugin master: zuul: Migrate to new job names https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/951384 | 08:49 |
opendevreview | Stephen Finucane proposed openstack/keystone master: zuul: Rename, reorder tempest jobs https://review.opendev.org/c/openstack/keystone/+/951380 | 08:55 |
opendevreview | Stephen Finucane proposed openstack/keystone master: zuul: Remove keystone-tox-patch_cover job https://review.opendev.org/c/openstack/keystone/+/951381 | 08:55 |
opendevreview | Stephen Finucane proposed openstack/keystone master: zuul: Remove deprecated job aliases https://review.opendev.org/c/openstack/keystone/+/951383 | 08:55 |
opendevreview | Stephen Finucane proposed openstack/keystone master: zuul: Bump fips jobs to CentOS Stream 10, Ubuntu 24.04 (Noble) https://review.opendev.org/c/openstack/keystone/+/951382 | 08:55 |
opendevreview | Stephen Finucane proposed openstack/keystone-tempest-plugin master: zuul: Migrate to new job names https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/951384 | 08:57 |
gtema | stephenfin - your bug from yesterday with appcred token reauth is indeed very interesting. I was even first not able to reproduce it until I (cough-cough) - restarted. Since then I see it and can't figure out what has changed. I see where things go wrong but I can't explain how this was never seen before (or what the heck has changed so that it started happening) | 09:31 |
stephenfin | gtema: I traced it down to here https://review.opendev.org/c/openstack/keystone/+/951331 | 09:43 |
gtema | Yeah, I know. But that is definitely not a solution | 09:43 |
stephenfin | we seem to expand the set of methods when we unpack the tokens. idk why we do that, but it seems like the wrong thing to do when using token auth | 09:43 |
stephenfin | I figured it might not be :) | 09:43 |
gtema | nope, it is not. Otherwise the user is able to escape app cred constraints | 09:44 |
gtema | sadly the same seems to be valid also for other auth things, so I am now very confused | 09:44 |
stephenfin | I was under the impression most of the relevant context was encoded in the fernet token | 09:45 |
gtema | yes, and in the case of app_cred it is its id | 09:45 |
stephenfin | I notice, for example, that the tokens are noticeably longer when created with application credential credentials | 09:45 |
gtema | so I know where to get it from, just wondering why the heck it went unnoticed | 09:45 |
stephenfin | it's probably a very uncommon path | 09:46 |
stephenfin | I mean, if you are already using the v3applicationcredential auth method, you probably don't need to use the v3token auth method | 09:46 |
gtema | and that is what confuses me most. On my rust cli/tui I am exactly going this way and always trying to extend auth using the token | 09:47 |
stephenfin | (The reason I even noticed it is that I am testing token auth in various k8s/OpenShift components and our internal cloud does not allow v3password auth) | 09:47 |
gtema | i.e. if you auth with pwd you can't rely on that for re-auth since it may require MFA and then it sucks | 09:47 |
gtema | the same for oauth | 09:47 |
gtema | that's all reasons why I reimplement it now all in rust from scratch | 09:48 |
gtema | I mean keystone part | 09:48 |
opendevreview | Artem Goncharov proposed openstack/keystone master: Fix getting token from application credentials token https://review.opendev.org/c/openstack/keystone/+/951392 | 10:50 |
opendevreview | Artem Goncharov proposed openstack/keystone master: Split role assignment request/response schemas https://review.opendev.org/c/openstack/keystone/+/951397 | 12:09 |
stephenfin | gtema: Any chance of a +w on https://review.opendev.org/c/openstack/keystoneauth/+/951183 so I can cut a new patch release? https://review.opendev.org/c/openstack/keystoneauth/+/951310 is nice-to-have too | 12:31 |
gtema | stephenfin, yes, will do this today. We have reviewathon in 1.5 hours for Keystone and we definitely will look at those | 12:32 |
stephenfin | Sweet. Those CI fixes should be on the reviewathon list too, in that case | 12:32 |
stephenfin | there are jobs currently broken due to use of Jammy + CentOS 9. I suspect there will be more work needed to get them working on Noble and CentOS 10 | 12:33 |
gtema | you start keeping me away from other topics now also in keystone. Are you chasing me ;-) ? | 12:33 |
stephenfin | Not yet. But if those patches don't get reviewed... 😈 | 12:35 |
stephenfin | (kidding :)) | 12:35 |
gtema | ah poor me | 12:35 |
opendevreview | Artem Goncharov proposed openstack/keystone master: Prevent MFA bypass https://review.opendev.org/c/openstack/keystone/+/945429 | 12:59 |
gtema | stephenfin - would you mind joining our openapi meeting today so that we can perhaps discuss using voice different approaches dealing with responses? | 13:01 |
stephenfin | gtema: I was planning to finish earlier today as I've had a few very long evenings this week. I will set a reminder though and try to join for 15-20 mins. | 13:02 |
gtema | more is not required for sure. If not - enjoy your evening | 13:03 |
stephenfin | d34dh0r53: Thanks for the reviews. There's just one more needed here for now https://review.opendev.org/c/openstack/keystone-tempest-plugin/+/951384 | 15:11 |
andrewbogott_ | thank you zigo! | 15:25 |
opendevreview | Merged openstack/keystoneauth master: typing: Correct type (redux) https://review.opendev.org/c/openstack/keystoneauth/+/951183 | 15:40 |
opendevreview | Merged openstack/keystone master: zuul: Rename, reorder tempest jobs https://review.opendev.org/c/openstack/keystone/+/951380 | 15:58 |
opendevreview | Merged openstack/keystone master: zuul: Remove keystone-tox-patch_cover job https://review.opendev.org/c/openstack/keystone/+/951381 | 15:58 |
opendevreview | Merged openstack/keystone master: api: Add log when creating unscoped token https://review.opendev.org/c/openstack/keystone/+/951327 | 16:08 |
opendevreview | Merged openstack/keystone master: docs: identity service now use https https://review.opendev.org/c/openstack/keystone/+/947861 | 16:08 |
opendevreview | Merged openstack/keystone master: Fix getting token from application credentials token https://review.opendev.org/c/openstack/keystone/+/951392 | 16:15 |
opendevreview | Artem Goncharov proposed openstack/keystone master: Split role assignment request/response schemas https://review.opendev.org/c/openstack/keystone/+/951397 | 16:20 |
opendevreview | Artem Goncharov proposed openstack/keystone master: Separate user response and request schema https://review.opendev.org/c/openstack/keystone/+/950647 | 16:20 |
opendevreview | Artem Goncharov proposed openstack/keystone master: Separate user response and request schema https://review.opendev.org/c/openstack/keystone/+/950647 | 16:24 |
opendevreview | Merged openstack/keystoneauth master: Drop support for Python 3.9 https://review.opendev.org/c/openstack/keystoneauth/+/949008 | 16:56 |
opendevreview | Merged openstack/keystoneauth master: Add .git-blame-ignore-revs file https://review.opendev.org/c/openstack/keystoneauth/+/951310 | 16:56 |
opendevreview | Merged openstack/keystoneauth master: Bump Python version used for linters to 3.9 https://review.opendev.org/c/openstack/keystoneauth/+/949009 | 16:56 |
opendevreview | Stephen Finucane proposed openstack/keystone stable/2025.1: api: Add log when creating unscoped token https://review.opendev.org/c/openstack/keystone/+/951428 | 17:21 |
opendevreview | Stephen Finucane proposed openstack/keystoneauth master: Bump Python version used for linters to 3.10 https://review.opendev.org/c/openstack/keystoneauth/+/949010 | 17:23 |
opendevreview | Merged openstack/keystone master: Update pre-commit hook versions https://review.opendev.org/c/openstack/keystone/+/950157 | 18:11 |
opendevreview | Artem Goncharov proposed openstack/keystone master: Split role assignment request/response schemas https://review.opendev.org/c/openstack/keystone/+/951397 | 18:24 |
opendevreview | Artem Goncharov proposed openstack/keystone master: Separate user response and request schema https://review.opendev.org/c/openstack/keystone/+/950647 | 18:24 |
opendevreview | Ivan Anfimov proposed openstack/keystone master: wip https://review.opendev.org/c/openstack/keystone/+/951439 | 19:39 |
opendevreview | Ivan Anfimov proposed openstack/keystone master: wip https://review.opendev.org/c/openstack/keystone/+/951439 | 19:49 |
opendevreview | Merged openstack/keystoneauth master: Bump Python version used for linters to 3.10 https://review.opendev.org/c/openstack/keystoneauth/+/949010 | 20:56 |
*** darmach9 is now known as darmach | 21:05 |