17:01:42 #startmeeting keystone-office-hours 17:01:43 Meeting started Tue Apr 3 17:01:42 2018 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot. 17:01:44 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 17:01:46 The meeting name has been set to 'keystone_office_hours' 17:03:00 just fyi - i have a few meetings to be in the next couple hours, but i'll try and check in here/multitask 17:12:51 for those who are familiar with ldap - i took a shot at documenting some how-tos for ldap backed development environments https://review.openstack.org/#/c/557997/ 17:16:15 looks great lbragstad 17:32:24 * gagehugo steps out for lunch 17:40:46 eandersson: thanks for looking :) 18:36:08 hello 18:36:31 doc/keystone-install-ubuntu.rst says: 18:36:42 "Before the Queens release, keystone needed to be run on two separate ports to 18:36:42 accomodate the Identity v2 API which ran a separate admin-only service 18:36:42 commonly on port 35357. With the removal of the v2 API, keystone can be run 18:36:42 on the same port for all interfaces." 18:37:21 does that mean the glance installation instructions that refer to "auth_url=http://controller:35357" should be modified to refer to :5000? 18:37:42 in other words, there is a discrepancy between the two installation documents 18:57:10 tmcm: yeah - that's likely the case 19:13:14 so, we SHOULD or SHOULD NOT use the admin wsgi in queens? 19:16:26 on ubuntu specifically 20:06:04 using the ldap driver, is there a way to have it fallback to sql for e.g., the service users like glance, neutron, etc? 20:13:23 tmcm: you can have different drivers for different domains 20:13:24 https://docs.openstack.org/keystone/latest/admin/identity-domain-specific-config.html 20:43:32 tmcm: it is also recommended that keystone be run on HTTP[S] instead of port 5000 or 35357. 20:43:51 standard HTTP[S] ports* 20:52:29 kmalloc: another bootstrap question for you 20:52:37 yeah 20:53:09 the argument parser for bootstrap has defaults, but if i want to pull the bootstrap logic out into it's own class so that it's easier to hook into the tests, should the defaults move with it? 20:53:23 i'd say no 20:53:34 so - keep the new object really generic 20:53:37 yeah 20:53:39 and unopinionated 20:53:48 mostly because bootstrap is opinionated to get an install running 20:53:56 tests do not adhere to those concepts 20:54:07 don't do acrobatics to make the test look like you want it to 20:54:53 tests should be explicit - and defaults can be bundled into the same mechanism we use to do the setup vs. encoding "real world standup" defaults into the core object 20:55:08 s/same// 20:55:27 fwiw, i've learned a lot about SR-IOV today 20:55:43 it's cool tech, it's a bit weird how it's implemented. 20:56:38 hmm - ok, i think i can make that work 22:53:25 #endmeeting 12:32:57 lbragstad: so i did a comparison of the tokens issued before and after explicitly adding that federated user into the relevant group 12:33:13 they both contain the right group and project 12:33:24 yankcrime: hmm 12:33:27 however, when it fails i do see: 12:33:29 {"error": {"message": "Could not find token 12:34:00 and 2018-04-04 10:20:54.373 18 DEBUG keystone.token.provider [req-720a8b5d-8686-4b56-89b5-7ab2f5900a8f - - - - -] Unable to validate token: User 4d1c38716d394e6097cf20d050f9d81e has no access to project 90fb2e3278344060a4b29008c30f1bc2 12:34:13 that's basically the first bit in the log where it starts to go awry 12:34:49 hmm 12:35:00 which token provider are you using? 12:35:16 uuid 12:36:00 oh - i have a bug report for you 12:36:32 https://bugs.launchpad.net/keystone/+bug/1758460 12:36:33 Launchpad bug 1758460 in OpenStack Identity (keystone) "UUID (or any persistent) token providers unable to validate federation token" [Low,New] 12:36:58 yankcrime: are you able to switch to fernet and test with that? 12:37:42 damn, that looks exactly like it - i'd started to trawl the various bugs on launchpad but missed that one! 12:38:11 yeah, it needs doing anyway so i'll press on with switching to fernet first 12:38:39 yankcrime: let me know if you have any questions about fernet 12:38:53 i can help 12:39:43 lbragstad: thanks, much appreciated - been banging my head against a brick wall with this one for a couple of days now, good to know it's not me that's directly at fault ;) 12:40:02 yeah.. it was just reported not too long ago 12:40:06 and no worries, i should be ok - i have other deployments already on fernet 12:40:52 but uuid support has been waning 12:41:25 yup, surprised this particular instance was built with uuid tbh - probably an oversight 12:41:45 i was just about ask if there was a particular reason it was being used 12:52:17 this particular instance was deployed via kolla-ansible which still defaults to uuid 12:55:52 ahh - gotcha 13:01:44 https://review.openstack.org/#/c/549861/ fwiw 14:39:40 o/ 15:03:18 o/ 15:07:21 o/ 15:17:05 Gage Hugo proposed openstack/keystone master: Fix mispelling of accommodate in install docs https://review.openstack.org/558849 15:17:15 easy change ^ 15:30:36 Harry Rybacki proposed openstack/keystone master: Update install guides https://review.openstack.org/558079 15:43:57 Harry Rybacki proposed openstack/keystone master: Update install guides https://review.openstack.org/558079 16:31:02 woops, forgot about policy meeting - I don't have rights on that project, looks like that honor belongs to these people https://review.openstack.org/#/admin/groups/1372,members 16:32:21 oh - interesting 16:33:53 there were a bunch of people in the session in dublin 16:34:09 and i remember smcginnis being interested in it from a TC perspective 16:34:34 i might do a drive by in the TC room just to see if it jars anyone's attention 18:10:02 I think this looks better lbragstad https://review.openstack.org/#/c/523973/ 18:10:13 cool - i'll take another pass 18:33:42 Merged openstack/keystone master: Fix mispelling of accommodate in install docs https://review.openstack.org/558849 18:34:27 Merged openstack/keystone master: Update install guides https://review.openstack.org/558079 18:50:34 Gage Hugo proposed openstack/keystone master: Add functional testing gate https://review.openstack.org/531014 19:05:58 Merged openstack/keystonemiddleware master: Remove kwargs_to_fetch_token https://review.openstack.org/513273 19:07:55 Gage Hugo proposed openstack/keystone master: Move fernet doctor checks into tokens checks https://review.openstack.org/527527 19:09:00 Gage Hugo proposed openstack/keystone master: Move fernet doctor checks into tokens checks https://review.openstack.org/527527 19:22:42 Lance Bragstad proposed openstack/keystone master: Decouple bootstrap from cli module https://review.openstack.org/558903 19:22:51 kmalloc: just got done beating my head against ^ 19:23:26 that was a fun scenic detour 19:23:43 i should be able to get a patch up that bases the testing of the new keystone token model on that 19:24:21 lbragstad that rips bootstrap out into it's own thing? 19:24:27 yeah 19:24:51 interesting 19:27:33 yeah - i've been in the middle of a couple refactors where i need testing taht just gives me a base model to work from 19:27:45 base model = admin user, project, system role assignments, default domain, etc... 19:27:55 and bootstrap was written to do that for operators 19:28:01 so i figured it might be useful to reuse for testing 19:28:16 but the dependency injection stuff was kind of a pain for figure out 19:32:10 s/for/to/ 19:56:40 hrybacki: took another pass 19:56:52 just a few nits, otherwise i feel comfortable +1'ing it 20:33:17 Gage Hugo proposed openstack/keystone master: Add new config option and setup for token keys https://review.openstack.org/558918 21:37:55 Gage Hugo proposed openstack/keystone master: WIP - Add LDAP-backed functional testing gate https://review.openstack.org/558940 21:39:35 Gage Hugo proposed openstack/keystone master: Add new config option and setup for token keys https://review.openstack.org/558918 22:54:03 Gage Hugo proposed openstack/keystone master: WIP - Add LDAP-backed functional testing gate https://review.openstack.org/558940 04:07:38 Lance Bragstad proposed openstack/keystone master: Decouple bootstrap from cli module https://review.openstack.org/558903 07:41:26 do we have support in keystone to add periodic tasks? like we do have support in nova & other components 11:59:47 o/ 12:58:44 o/ 13:00:21 mornin' 14:01:21 A 14:02:46 hello, is it possible to specity a port when enabling ldap backend? 14:03:07 I have ldap running behind haproxy and is running a different port than the default ones 14:05:54 root_743: i think it should just be part of the url 14:06:07 Merged openstack/keystone master: Expose a bug that list_limit doesn't work correctly https://review.openstack.org/558150 14:06:10 Merged openstack/keystone master: Fix list_limit doesn't work correctly for domain https://review.openstack.org/558151 14:06:26 cmurphy: thanks 14:31:32 thanks lbragstad -- got some really good comments from Mel too! Misconceptions still exist :( system scope == global/god mode 14:31:45 !=* 14:31:46 oh - nice! 14:31:47 hrybacki: Error: "=*" is not a valid command. 14:32:00 heh openstack 14:32:10 I just wanted a kiss, jeez 14:32:29 lol 15:28:29 lbragstad, cmurphy: so - if someone wants to get the complete version discovery picuture for a given cloud, they basically have to do this: http://paste.openstack.org/show/718491 15:28:50 which uses a private method - and is also a bit yuck 15:29:56 I'm going to poke at some options for exposing something a little better ... 15:31:02 oh - sure 15:31:06 that's handy 15:31:46 mordred: fun 15:33:20 I also need to finish the work on getting os-service-types integrated - so fair warning - there may be some keystoneauth patches coming from me :) 15:34:02 my favorite 15:37:56 cmurphy: I know how much you enjoy them 15:38:00 that'd make a good doc contribution 15:40:15 ++ 16:11:59 Colleen Murphy proposed openstack/keystoneauth master: add lower-constraints job https://review.openstack.org/555625 16:12:00 Colleen Murphy proposed openstack/keystoneauth master: Fix lower-constraints dependencies https://review.openstack.org/559118 16:12:14 crap, i only meant to submit one of those 16:14:27 heh 16:38:49 Monty Taylor proposed openstack/keystoneauth master: Expose version status in EndpointData https://review.openstack.org/559125 16:39:03 cmurphy, lbragstad: ^^ there's step one 16:51:08 cmurphy, lbragstad: OOH. I may suck a little bit - it looks like we have a method that may do mostof this already \o/ 16:53:36 Lance Bragstad proposed openstack/keystone master: Introduce new TokenModel object https://review.openstack.org/559129 16:54:03 kmalloc: ^ i'm hitting a couple transients with dependency inject :( but that's what i have so far 17:03:10 lbragstad, cmurphy: http://paste.openstack.org/show/718507/ and http://paste.openstack.org/show/718508/ (with that first ksa patch applied) 17:29:51 mordred: wow - nice 18:10:36 lbragstad: cool, will looks shortly 18:15:33 Colleen Murphy proposed openstack/keystoneauth master: add lower-constraints job https://review.openstack.org/555625 18:19:19 mordred: hey ksa's queens branch is still borked http://logs.openstack.org/84/543684/1/check/openstacksdk-functional-devstack-tips/5c38f3a/job-output.txt.gz#_2018-04-04_16_55_29_473944 do you know why? 19:13:11 cmurphy: the revision_number is different: http://logs.openstack.org/84/543684/1/check/openstacksdk-functional-devstack-tips/5c38f3a/job-output.txt.gz#_2018-04-04_16_55_29_476576 19:14:52 cmurphy: I think that's something we fixed already in master branch of sdk ... https://review.openstack.org/#/c/544995/ 19:15:02 cmurphy: I think we just need to cherry-pick back to queens 19:15:24 cmurphy: https://review.openstack.org/#/c/559150/ 19:15:31 cmurphy: cherry-pick submitted 19:18:54 Monty Taylor proposed openstack/keystoneauth master: Add methods to get all of the version data https://review.openstack.org/559154 19:31:52 lbragstad, kmalloc, cmurphy: ^^ that needs tests, but it works against vexxhost public cloud - I've pushed it up for any initial feedback before I go writing unittests 19:32:10 there's also some scrollback discussing it a little bit in #openstack-sdks 19:32:17 cool - checking 20:53:29 even with the uuid provide and sql driver gone, refactoring the token provider api is going to be difficult 20:53:46 provider* 21:09:04 yeah... 21:11:54 i've tried slicing this refactor up about 3 different ways 21:12:19 and 60% of the time, it's messy 100% of the time 21:43:30 heh 06:07:02 Nguyen Hai proposed openstack/keystone master: Follow the new PTI for document build https://review.openstack.org/555196 08:05:38 Colleen Murphy proposed openstack/keystoneauth master: add lower-constraints job https://review.openstack.org/555625 11:24:43 Monty Taylor proposed openstack/keystoneauth master: Add methods to get all of the version data https://review.openstack.org/559154 11:25:11 cmurphy: ^^ that should be ready for review now - and I even added tests 11:25:52 mordred: fantastic 11:35:01 Doug Hellmann proposed openstack/keystoneauth master: add lower-constraints job https://review.openstack.org/555625 12:21:09 ö/ 12:37:39 fried_rice: Hi 12:37:48 Hello 12:38:10 i want dicuss with you regarding keystoneauth session 12:39:41 pooja_jadhav: Is this in reference to https://review.openstack.org/#/c/505764/ ? 12:40:01 correct 12:40:18 Okay. I remember seeing that go by, but I didn't actually review it. 12:40:32 Let's just heads-up the folks who did, cause they're more likely to be able to help... 12:40:51 kmalloc, cmurphy, mordred, cdent 12:40:59 pooja_jadhav: Okay, proceed with your question please :) 12:41:15 fried_rice: Actually, i want use that split logger parameter in nova while call is going to cinder client.[1]https://github.com/openstack/nova/blob/master/nova/volume/cinder.py#L77 12:42:23 but how to use not getting still 12:42:39 :( 12:44:12 pooja_jadhav: Okay, I'm reading over that patch, stand by... 12:44:34 fried_rice: Sure 12:48:25 pooja_jadhav: Okay, it looks to me like there's no way to do this via ksa loading. 12:49:47 fried_rice: Yeah, but if we want to do.. then how can we do then? 12:50:32 pooja_jadhav: If you want to try it out just to see if it will work the way you want it to, you can add: 12:50:33 _SESSION._split_loggers = True 12:50:33 after https://github.com/openstack/nova/blob/master/nova/volume/cinder.py#L82 12:51:16 ohk.. i will try and let u know 12:52:03 pooja_jadhav: That's not going to be a real solution. But if it does what you want, you could probably submit a patch to openstack/keystone to expose that via a conf option. 12:52:31 pooja_jadhav: Then you wouldn't need to do anything to the nova code - you could just add the option in your conf file and restart the service. 12:56:45 ok 13:02:42 Doug Hellmann proposed openstack/ldappool master: add lower-constraints job https://review.openstack.org/555757 13:20:40 Merged openstack/ldappool master: add lower-constraints job https://review.openstack.org/555757 13:36:40 Merged openstack/keystone master: Removal of deprecated direct driver loading https://review.openstack.org/350815 13:36:55 Nguyen Hai proposed openstack/keystone master: Fix incompatible requirement in lower-constraints https://review.openstack.org/559334 13:38:22 Nguyen Hai proposed openstack/keystone master: Fix incompatible requirement in lower-constraints https://review.openstack.org/559334 13:43:41 Colleen Murphy proposed openstack/keystoneauth master: add lower-constraints job https://review.openstack.org/555625 13:49:14 Merged openstack/keystonemiddleware master: Update links in README https://review.openstack.org/557189 14:23:07 cmurphy: an application credential token can't be used to change a user's password can it? 14:25:53 lbragstad: it could if it has the user's original password https://developer.openstack.org/api-ref/identity/v3/index.html#change-password-for-user 14:26:28 ahh 14:26:32 ok - nevermind 14:26:56 :) 14:27:01 i thought i remember a restriction in there somewhere that might help with https://bugs.launchpad.net/keystone/+bug/1755874/ 14:27:02 Launchpad bug 1755874 in OpenStack Identity (keystone) "Ability to block users from changing passwords is missing in Kesystone v3" [Undecided,In progress] - Assigned to Pavlo Shchelokovskyy (pshchelo) 14:27:27 i just read the use case they described... 14:29:12 yeah we didn't any restrictions on that for app creds 14:29:58 having a policy that users can't change their own passwords seems really weird and anti-security to me but i guess it's a real world use case we should allow 14:30:31 mhmm 14:31:37 unless there is a different workflow we can support somehow that doesn't require us to open that back up 14:32:20 we can enforce password strength 14:32:47 yeah 14:33:02 that seems like the main thing they want 14:33:09 sounds like the layer that sits on top of keystone does that too 14:33:24 but i assume that's been around for a while if they implemented that for v2.0 14:34:14 so - sure... some system creates a new user for some set of operations and a user *could* change the password directly using keystone 14:34:45 but it won't buy them much because keystone can be configured to match the same password strength requirements that the layer on top of keystone requires? 14:35:37 Nguyen Hai proposed openstack/keystone master: Follow the new PTI for document build https://review.openstack.org/555196 14:36:13 auditability i guess, if they're tracking password changes through this other layer and don't want to track them through keystone 14:37:26 that could be true 14:38:41 sounds like they have a system in place and we broke them, so we could either enable the change that unbreaks their system or we could encourage them to use our system 14:38:44 ¯\_(ツ)_/¯ 14:39:27 sure - i'll leave a comment 14:40:02 Monty Taylor proposed openstack/keystoneauth master: Add methods to get all of the version data https://review.openstack.org/559154 14:41:36 lbragstad: fyi i'll be on vacation all next week and hopefully not looking at my computer 14:41:49 cmurphy: ack - thanks for the heads up 14:41:53 cmurphy: i'm jealous ;) 14:42:09 doing anything fun? 14:43:36 meeting up with some friends to go camping in Iceland :D 14:44:08 oh... wow 14:44:25 * lbragstad gives cmurphy his camera 14:44:30 please take some pictures 14:44:38 i plan to 14:44:40 s/some/lots of/ 14:44:45 :) 14:44:47 that's going to be amazing 14:45:12 also - pretty hard to get onto irc while camping 15:03:16 cmurphy: have fun! 15:09:45 Matthew Thode proposed openstack/keystone master: Fix incompatible requirement in lower-constraints https://review.openstack.org/559334 15:09:45 Matthew Thode proposed openstack/keystone master: Use the new pysaml2 constraints https://review.openstack.org/558217 15:23:07 Nguyen Hai proposed openstack/keystone master: Follow the new PTI for document build https://review.openstack.org/555196 15:55:47 o/ 16:24:36 lbragstad, cmurphy: so... there is a minor issue to fix the password-change API blocking bit 16:24:51 and it is because @protected is wonky 16:25:02 * lbragstad dreads that refactor too 16:26:05 the most immediate mechanism to block in that bug is use ninx/apache and put a block rule into http[s]://identity/v3/users/*/password 16:37:58 lbragstad: oh man, i know how to fix the bug w/o code on our end 16:38:05 we have minimum password change times. 16:38:44 oh! 16:38:57 right?! 16:39:06 * lbragstad checks the implementation 16:39:12 yeah i am looking at that now 16:39:39 oh. 16:39:46 maybe we don't have that 16:39:51 we might need to add that. 16:40:48 yeah... 16:41:00 we have unique last pass count 16:41:56 lets just add minimum password change time 16:42:19 rather than implement policy due to issues with @protected 16:42:24 until that refactor lands 16:42:36 what's the status of that refactor? 16:42:43 i haven't had a chance to dig into it yet 16:43:01 ... i don't know what the status is 16:43:18 oh - no worries, i was just curious 16:43:48 i've buried myself in the token provider refactor, but i think i need a break from that for a while 16:44:46 i don't think much yeah 16:44:52 s/don't think much 16:44:57 annnnyway 16:45:05 i don't think much has been done on the refactor 16:45:16 i can try and dig in some, but, it's a beast of a refactor 16:45:29 the issue is that it touches soooooo very much 16:45:40 yeah :( 16:45:57 let me start my NAS [old] -> NAS [new] 16:46:01 transfer 16:46:08 need to move ~4TB today 16:46:14 and i'll start poking at the refactor 16:47:18 sweet 16:47:37 the refactors we have on our plate this release are _massive_ 16:48:08 yeah 16:48:12 i started breaking the "rewrite keystone" patch into a series 16:48:16 but it's all VERY good stuff that makes keystnoe better 16:48:18 i failed, like 4 times 16:48:24 honestly, i want to re-write a ton of keystone. 16:48:41 once we break @protected, the flask re-write will be easy 16:49:06 yesterday i pulled the entire new model into a separate change, which is cool.. but then i attempted to remove the KeystoneToken model 16:49:22 so s/KeystoneToken/TokenModel/ everywhere in keystone 16:50:01 and then went over like a kicking a hornets nest 16:50:35 the problem is that we need to validate the token, then we pass it to the KeystoneTOken model to get an object 16:50:44 but with the new model, we use composition 16:50:47 right 16:51:09 so - we validate the token and then handpick values to build a token model using TokenModel? 16:51:22 which just defeats the purpose 16:51:31 well, we know what the values from the fernet payload mean 16:51:42 and we should be able to do composition with a "hey this is issued" 16:51:55 vs "this is new" 16:52:01 composition should work the same 16:52:05 oh - yeah.. that'd mean building the model generation into the validation path right? 16:52:06 it's a big change to the internals 16:52:08 yeah 16:52:14 right.. i didn't do that 16:52:19 but that is the way to do it and how we discussed it 16:52:39 all i did was introduce the new model and attempt to replace all usage of the old model with the new one 16:52:42 which kinda backfired 16:52:44 yeah 16:52:47 and it got really messy 16:52:57 i think we need to wait until validate_token returns an instance of TokenModel 16:53:00 if anything do it inverse, compose validation 1st 16:53:04 THEN everything else 16:53:15 instead of making all the different places in keystone do composition on blank token models 16:53:23 ++ 16:53:24 yeah 16:53:30 i think that's what i learned yesterday 16:53:35 and maybe just make a wrapper interface for the tokenmodel (new) 16:53:43 so we can interface the token the same way elsewhere 16:53:46 then drop the interface 16:54:15 it's transitional code, but it would make it easy 16:54:29 ok - so what if i do this 16:54:32 and we can just drop the magic methods to see what all still references the old style 16:54:36 1.) propose the new token model 16:54:54 2.) rework the authentication API to construct token models and whatnot 16:55:07 3.) rework the validation path to construct token models 16:55:11 1a. implement interface for tokenmodel to work like current dict-model. 16:55:23 how do you do that? 16:55:27 basically some magic __getitem__ __setitem__ 16:55:34 one model accepts a dictionary and the other doesn't accept anything? 16:55:44 s/?// 16:56:06 just implement __getitem__ __setitem__ that knows the token dict format 16:56:09 kt = token_model.KeystoneToken(token_data=token_data) 16:56:09 and sets the values 16:56:22 mmm 16:56:23 then you can just use the KeystoneToken directly 16:56:29 everywhere 16:56:33 simple search/replace 16:56:36 then rework bits to compose 16:56:39 and direct access 16:56:47 so - under the hood KeystoneToken proxies to TokenModel? 16:56:51 no 16:57:08 implement on KeystoneToken __getitem__ that knows what the format should be 16:57:15 its the dict magic get method 16:57:52 so KeystoneToken()['user'] etc returns dicts of the keystonetoken values 16:58:07 and KeystoneToken()['user']['id' 16:58:11 and KeystoneToken()['user']['id'] = XXXXX 16:58:15 would set the ritght thin 16:58:26 now that i think about it 16:58:31 might be a massive amount of work 16:58:35 yeah 16:58:39 that's how i have things now 16:58:40 maybe just a .to_dict() 16:58:42 with the new model 16:58:49 or _to_dict() 16:58:56 it all @property methods 16:59:05 and just render a token from the @propertys 16:59:24 so keystonetoken.to_dict()[ since we already need the code to render the dicts 16:59:49 for controller bits 17:00:01 for exmple - https://review.openstack.org/#/c/555931/1/keystone/models/token_model.py@869 17:00:35 eh, i think your proposed steps work fine 17:00:44 so 17:00:47 1.) introduce new model 17:00:56 2.) make authentication path use new model 17:01:03 3.) make validation path use new model 17:01:15 yep 17:01:36 4.) convert instances of KeystoneToken to use TokenModel (which is returned from PROVIDERS.token_provider_api.validate_token(token_id)) 17:01:55 5.) remove duplicate model 17:02:04 yep 17:02:13 6.) profit 17:02:29 because everyone loves a good refactor, amiright? 17:12:42 ok - i'm going to step away for lunch quick 17:18:21 Matthew Thode proposed openstack/keystone master: Fix incompatible requirement in lower-constraints https://review.openstack.org/559334 17:18:22 Matthew Thode proposed openstack/keystone master: Use the new pysaml2 constraints https://review.openstack.org/558217 17:22:43 lbragstad: i'll propose the "minimum password change time" thing shortly 17:23:08 lbragstad: and make it so -1 is a "never allowed", 18:10:52 Lance Bragstad proposed openstack/keystone master: Introduce new TokenModel object https://review.openstack.org/559129 18:21:08 #openstack-security 19:20:38 lbragstad: almost have the password opt override added for min_password_age 19:21:14 lbragstad: i am also implementing the case where if min_password_age is -1 in config, it makes password changes impossible. 19:21:39 cool 19:22:07 so, you will now have a useropt "min_password_age" which overrides the global conf only if it is greater than the global conf 19:22:15 (basically, we only take the highest of the two values) 19:22:21 EXCEPT if the value is -1 for either 19:22:32 which means passwords may not be changed via the change_password API 19:24:54 that makes se 19:24:56 sense* 19:25:24 knikolla: did you have the patch to replace non-existant users with @ while listing role assignments? 19:25:56 * lbragstad thinks something in our ldap implementation regressed 19:26:28 i'm noticing something pretty strange 19:26:54 if i have a user in ldap, i can create a role assignment for them, and everything is fine and dandy 19:27:16 if i remove the user from ldap directly, i still see the role assignment 19:27:46 if i attempt to remove the role assignment, i get an error saying the user can't be found, which makes sense 19:27:55 but the role assignment doesn't go away 19:28:13 and then after some period of time... the user name in the assignment list switches to @? 19:28:44 lbragstad: that was a long time ago, yeah i think i did a patch for smth like that. 19:29:03 Changed names with empty string though 19:29:14 Not sure about the @ 19:29:35 http://paste.openstack.org/show/718621/ 19:30:10 i had a developers@Users group 19:30:16 Oh, because @ divides the username and domain 19:30:16 and an lbragstad@Users user 19:30:23 Which both are empty strings 19:30:28 yeah 19:31:31 if i do `openstack role assignment list` i see the stale records 19:31:34 with the IDs 19:31:43 I think my patch was only for listing, not deleting. 19:32:09 * knikolla is on the subway. Will be home in 10 mins or so. 19:32:55 ok - no worries 19:50:08 lbragstad: just finishing tests and then docs 19:53:10 lbragstad: and we should really implement domain-specific overrides for all the DSS stuff. 19:53:46 for PCI? 19:55:07 https://www.irccloud.com/pastebin/c8D2uU2Y/ 19:55:11 lbragstad: yeah. 19:55:14 pci-dss* 19:55:41 lbragstad: once tests pass locally i'll toss in docs 19:55:44 and a reno 19:55:55 and we can tag that bug as closed 19:56:22 the user resource options stuff is nice to work with. 19:57:32 lbragstad: i'm pleased with the code just because adding a resource is straightforward 19:57:44 s/resource/option 19:57:53 right 19:57:57 yeah - that is nice 19:58:54 lbragstad: next challene, i need to standup keycloak or freeipa locally on my network so i can get my NAS to have consistent uids 19:59:26 ayoung: i am frightened, i am actually thinking of standing up keycloak locally for my home network... just had to share (krb5 and all that) 20:00:02 lbragstad: and i need to stand up some ansible for all my stuff *eek* this is like I am actually an engineer or something. 20:00:31 lbragstad: annnd, i'm actually developing python on windows (gonna see if subsystem for linux will work for unit tests) 20:06:25 0.o 20:06:30 python on windows? 20:07:07 yep 20:07:11 i know it's possible, but i always found it to be a pain sharing source between the development environment and the environment the project actually runs in 20:07:52 oh, i just symlink: /home/notmorgan/userprofile -> /mnt/c/User//Documents/ and have stuff under there 20:08:03 i even have proper ssh-agent and all that running 20:08:05 in bash 20:08:28 i expect this will explode in my face 20:08:59 lol 20:18:02 why is it still snowing in april... 20:25:37 i just did something with ldap + keystone that technically shouldn't be possible 20:25:50 ldap blows my mind some days 20:30:37 knikolla right?! 20:39:45 lbragstad: what did you do? 20:40:16 this - https://bugs.launchpad.net/keystone/+bug/1751045 20:40:18 Launchpad bug 1751045 in OpenStack Identity (keystone) "The removal of a role on a non existing group throws an error" [Undecided,In progress] - Assigned to Jose Castro Leon (jose-castro-leon) 20:40:23 ^ i couldn't recreate it 20:40:29 but i have no idea how not 20:40:53 hmm 20:41:03 what version of keystone is he using 20:41:11 because shadow stuff might have 100% mitigated that 20:42:39 we used to have a fix for getting that to work with users... 20:42:51 well - we still have that fix 20:42:53 right 20:43:26 technically - it should blow up here https://github.com/openstack/keystone/blob/master/keystone/assignment/controllers.py#L403-L413 20:44:16 but it doesnt? 20:44:45 check to see if it's hitting shadow user stuff 20:44:56 because the api.get would work if the group is shadowed 20:44:58 right? 20:45:21 lbragstad: also, it's funny, but unit tests are running. 20:45:23 but man it's slow 20:46:13 lbragstad: what was the invocation to run unit tests with the pretty output? 20:46:56 added so logging to figure out what in the world is going on 20:47:07 that's a good question, i'm not quite sure? 20:49:56 kmalloc, there is a reason all this technology exists, you know. 20:50:21 ayoung: do you rtememebr the magic subunit-trace invocation w/ tox 20:50:32 ayoung: this is driving me batty, i want to see the tests running 20:50:54 kmalloc, so I remeber enable the venv and run the command tox runs 20:51:15 there was something needed piping to like subunit-trace 20:52:16 oslo_debug_helper {posargs} 20:52:16 What is that? 20:52:38 no idea 20:52:49 https://docs.openstack.org/os-testr/latest/user/subunit_trace.html 20:53:09 stestr run 20:53:33 something like that? 20:56:46 ayoung: yeah, but i can't seem to get it to work. 20:57:42 bah! caching bites me again 21:00:47 once i disabled caching i was able to recreate it 21:00:53 ayoung: it's working now 21:01:09 lbragstad: AHA 21:01:12 lbragstad: yeaaaah 21:01:19 that group was being cached... 21:01:25 lbragstad: rememebr, only 2 hard things in computer science 21:01:41 lbragstad: naming things, caching, off-by-one-errors 21:01:49 lol 21:01:51 exactly 21:02:02 i also like the async data version of that too 21:02:27 holy crap. i'm... running 32 python test runners under windows subsystem for linux 21:02:30 it's... working 21:02:58 heh, load: 0.52 21:03:49 lbragstad: i... i want another threadripper now. 21:04:43 ... obligatory: COULD YOU IMAGINE A BEOWULF CLUSTER OF THOSE!?! *sigh* I'm ... making it clear how long i've lurked on the intertubes now 21:06:36 ayoung: yeah, well i guess I'm back to having a far more complex home lab than expected ;) 21:07:47 lbragstad: our tests are stupid chatty about debug things like scope-check failures 21:07:56 lbragstad: we should make sure we aren't emitting that cruft unlessw e care 21:10:29 yeah - i need to fix that 21:10:36 not the chattyness 21:10:39 the actual tests 21:10:47 to do things properly with scope 21:12:25 I actually built Beowulf clusters for a living. I cannot imagine a Beowulf cluster of those. 21:19:27 ayoung: lol 21:19:46 ayoung: i really do want to setup a few compute nodes that are all 1950x processors 21:19:51 ayoung: it would be fantastic. 21:19:58 but i don't have that kind of money 21:20:05 Running Windows? 21:20:17 i run it locally for reasons of lazyness 21:20:29 but i would run those nodes under linux 21:20:57 https://adam.younglogic.com/2012/03/shared-nothing-diskless-boot/ 21:21:06 yeah i've done that before 21:21:11 it's fantastic. 21:21:29 Kinda want to do that for an OpenStack cluster 21:21:45 that is how we managed all of our nodes at myspace [largely my design] 21:21:48 and how we did it at blizzard 21:24:09 ayoung: it wouldn't be too hard to do that for some of openstack, but parts need stateful storage [but i guess that could be outside of the root] 21:24:17 notably libvirt is a culprit. 21:24:21 and some cinder things 21:24:27 iSCSI for that 21:25:05 sure. 21:25:52 you'd have some wonky 21:25:56 for some things 21:26:06 but generally it would be doable for the API nodes themselves. 21:39:31 Lance Bragstad proposed openstack/keystone master: Allow to remove a group deleted out-of-band from LDAP https://review.openstack.org/546969 21:39:32 Lance Bragstad proposed openstack/keystone master: Add a test for cleaning up stale group assignments https://review.openstack.org/559435 21:43:31 Lance Bragstad proposed openstack/keystone master: Add a test for cleaning up stale group assignments https://review.openstack.org/559435 21:43:53 Lance Bragstad proposed openstack/keystone master: Add a test for cleaning up stale group assignments https://review.openstack.org/559435 22:13:59 Morgan Fainberg proposed openstack/keystone master: Allow blockin users from self-service password change https://review.openstack.org/559438 22:15:08 Morgan Fainberg proposed openstack/keystone master: Allow blocking users from self-service password change https://review.openstack.org/559438 22:15:59 Morgan Fainberg proposed openstack/keystone master: Allow blocking users from self-service password change https://review.openstack.org/559438 22:16:32 lbragstad: ^ there ya go 22:19:31 nice 22:19:36 kmalloc: awesome - thanks for picking that up 22:35:00 Merged openstack/keystone master: Fix incompatible requirement in lower-constraints https://review.openstack.org/559334 22:57:53 Morgan Fainberg proposed openstack/keystone master: Allow blocking users from self-service password change https://review.openstack.org/559438 01:41:37 anyone around for a second review? 01:41:56 https://review.openstack.org/558217 02:18:16 Nguyen Hai proposed openstack/keystone master: Follow the new PTI for document build https://review.openstack.org/555196 02:41:32 wangxiyuan proposed openstack/keystone master: Fix 500 error when deleting domain https://review.openstack.org/558489 01:52:24 wangxiyuan proposed openstack/keystone master: Fix 500 error when deleting domain https://review.openstack.org/558489 03:10:57 wangxiyuan proposed openstack/keystone-specs master: Hierarchical Unified Limits https://review.openstack.org/540803 03:37:14 wangxiyuan proposed openstack/keystone master: Fix 500 error when deleting domain https://review.openstack.org/558489 06:32:07 wangxiyuan proposed openstack/keystone master: Delete project limits when deleting project https://review.openstack.org/538371 07:05:44 wangxiyuan proposed openstack/keystone master: Do not return all the limits for GET request. https://review.openstack.org/550736 08:07:47 wangxiyuan proposed openstack/keystone master: Do not return all the limits for GET request. https://review.openstack.org/550736 08:07:47 wangxiyuan proposed openstack/keystone master: [WIP] Update limit Refactor https://review.openstack.org/559552 16:14:13 Nguyen Hai proposed openstack/keystone master: Follow the new PTI for document build https://review.openstack.org/555196 02:38:28 wangxiyuan proposed openstack/keystone master: Unified limit update APIs Refactor https://review.openstack.org/559552 09:06:30 Hi Team, 09:07:08 While making a request to Swift, there's a header in the response WWW-Authenticate: Keystone uri='http://192.168.56.25:500/v2.0' ` 09:07:21 Is this returned by keystonemiddleware? 09:11:00 hugokuo: yeah. https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/__init__.py#L681-L683 09:11:55 I'm reading RFC https://tools.ietf.org/html/rfc7235#section-2.1 and https://tools.ietf.org/html/rfc7230#section-3.2.6 . It looks like the string should be quoted by double quote instead of single quote? 09:22:36 hugokuo: indeed. The RFC said that. 09:27:33 kk 09:27:39 I'll file a bug in LP 09:33:59 Should it be in keystone's LP or some other place? https://launchpad.net/keystone 09:34:34 https://launchpad.net/keystonemiddleware I think. 09:34:41 thx man 09:35:24 wangxiyuan proposed openstack/keystone master: Mark the idp's domain_id unique https://review.openstack.org/559676 09:59:24 hi all 09:59:57 I am unable to delete other users' stacks as admin user 10:00:18 can someone help me what exactly to modify in the heat policy.json file 10:16:04 can anyone help me please 14:18:41 Doug Hellmann proposed openstack/keystonemiddleware master: add lower-constraints job https://review.openstack.org/555626 14:21:12 Doug Hellmann proposed openstack/keystoneauth master: add lower-constraints job https://review.openstack.org/555625 14:26:17 Doug Hellmann proposed openstack/python-keystoneclient master: add lower-constraints job https://review.openstack.org/556142 14:37:23 Wxy, hugokuo : that may be python library representation. Remember ' and " are both acceptable. Is that actually the header on the wire or what ksm passes down via request. If it is the latter, the rfc doesn't matter, we're in Python and ' is the default. 14:38:50 o/ 14:58:07 kmalloc: It's not the later one as I know. 14:59:18 relatively easy review here - https://review.openstack.org/#/c/558217/7 15:11:48 knikolla: ty 15:11:54 lbragstad: that's a long != list. 15:13:05 lbragstad: this should be failing right? https://review.openstack.org/#/c/559435/ 15:13:25 oh you rebased on top of the fix. 15:13:29 nice 15:14:37 yeah - i was thinking about just merging those two patches together and writing a release note 15:15:06 that'd be a pretty easy thing to propose and have ready for tomorrow 15:17:28 lbragstad: release note with the test or in a separate patch? 15:18:06 knikolla: i was going to squash https://review.openstack.org/#/c/546969/4 and https://review.openstack.org/#/c/559435/3 and write a release note 15:18:11 so it would all be in one pathc 15:18:13 patch* 15:18:50 lbragstad: sounds good. ping me when you get that up so i can review, both look good. 15:19:35 ++ i should be able to get to that after lunch for sure 15:19:40 doing a bunch of bug triage now 15:19:57 knikolla: i did see that new bug you opened about federated login after deleting a shadow user 15:20:13 i wonder it that is cache related? 15:20:23 lbragstad: have 15 mins to chat default role spec at like 1PM your time? 15:20:35 hrybacki: sure 15:20:39 lbragstad: ++ 15:21:05 my schedule is open today, so just ping me whenever 15:22:04 lbragstad: disabling caching and checking real quick. 15:23:37 lbragstad: yup, disabling caching fixed that. 15:23:50 interesting 15:24:06 so the shadow user api doesn't clear the cache when a shadow user is deleted? 15:24:15 looks like it. 15:24:21 hmm 15:26:47 had some students discover it when playing around with mappings. 15:40:34 kmalloc: hugokuo so is https://bugs.launchpad.net/keystonemiddleware/+bug/1762362 confirmed? 15:40:35 Launchpad bug 1762362 in keystonemiddleware "[RFC] HTTP header field values should be quoted by double quote rather than single-quote" [Undecided,New] 15:59:44 lbragstad: I filed it. That's confirmed the ksm returned single quote. But if it should follow the RFC will be determined by upstream core team. 16:04:00 lbragstad: that might not be ksm, it might be an underlying liv 16:04:05 Library 16:04:07 * 16:04:39 yeah - keystone doesn't use ksm? 16:04:58 Not directly, afair 16:05:14 I can check when o get home. 16:05:31 But my guess is it isn't keystone or ksm. 16:06:20 This line in ksm header_val = 'Keystone uri=\'%s\'' % self._auth_uri 16:06:49 I tested it by change the code to have double quote and it works as expected. 16:08:43 Lance Bragstad proposed openstack/keystone master: Allow cleaning up non-existant group assignments https://review.openstack.org/546969 16:14:48 knikolla: ^ 16:17:36 * lbragstad breaks for lunch 16:23:02 lbragstad: some good news for your return - switching keystone's token provider out from uuid to fernet solved my federation-related woes 16:23:09 thanks again for the help! 16:25:57 Johannes Grassler proposed openstack/keystone-specs master: Add capabilities to application credentials https://review.openstack.org/396331 16:59:02 yankcrime: i am glad to hear that. 16:59:20 yankcrime: i figured that would work for you, but good for confirmation 17:01:11 wow, we screwed that up: Www-Authenticate: Keystone uri='http://192.168.56.25:5000/' 17:01:19 that looks... wrong somehow 17:01:23 not just in the ' vs " 17:04:28 hugokuo: if you want to propose a fix for ' vs " (and tests) we'll happily take / review it 17:08:49 yankcrime: awesome! let us know if you run into any other snags :) 17:09:07 lbragstad: yeah fixing the quotes is the corrective action in ksm 17:10:16 kmalloc: nice 17:10:42 i confirmed the bug 17:10:56 lbragstad: https://review.openstack.org/#/c/559438/ is ready for eyes/merging 17:26:36 kmalloc: oh - sweet 17:26:40 that was on my list today 17:31:27 Doug Hellmann proposed openstack/keystoneauth master: add lower-constraints job https://review.openstack.org/555625 17:32:51 jgrassler: o/ need a minor fix for the capabilities 17:33:00 jgrassler: but... it can be a follow up 17:57:25 i need to review that today, too 18:05:20 lbragstad: still free? :) 18:24:03 Merged openstack/keystone master: Use the new pysaml2 constraints https://review.openstack.org/558217 19:32:55 lbragstad, hrybacki kmalloc so as prep for my talk at summit...I wrote a second article on Istio and Keystone, this time looking into RBAC. https://adam.younglogic.com/2018/04/comparing-keystone-and-istio-rbac/ this is on top of what I wrote before https://adam.younglogic.com/2018/04/comparing-istio-and-keystone-middleware/ 19:44:14 and knikolla and cmurphy of course...just didn't see you actively posting. But Everyone.... 19:48:20 ayoung: i'll have a look. never found the time to dive into istio though i've heard it mentioned to me multiple times. 19:48:49 knikolla, pretty sure it is "keystone middleware for Kubernetes based services" 19:49:34 ayoung: not limited to that though 19:49:34 plus a few other things, like a mutual Cert validation layer, but its the RBAC part that interests me 19:55:04 and it is the other part that interests me :) 19:55:39 ldap developer docs available https://docs.openstack.org/devstack/latest/guides/devstack-with-ldap.html 20:15:07 ayoung: domain scope was pulled from the spec -- look back in the comments for more detail about that 20:15:17 tl;dr there is no 'real' domain scope (yet) 20:15:18 hrybacki, it is in the examples 20:15:54 hanging chad, needs to be pulled as well. Good catch 20:16:04 hrybacki, no 20:16:21 hrybacki, domain scope needs to be put back in there, or domains themselves need to go away 20:16:43 ayoung: domain scope will come, and we will add it then. This was discussed in length 20:16:49 Horizon now has support for domain scoped tokens 20:16:54 it is a real thing 20:17:29 I'll let cmurphy weigh in here. We can emulate domain scope but it's not actually domain scope 20:17:29 I'm more concerned about the Implied Roles comment 20:17:46 hrybacki, cloudsamplev2 is in wide usage 20:17:56 domain scope is real, its just not in default policy 20:18:28 http://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json 20:19:45 hrybacki, so I'd recommend putting domain scoped back in, and you can caveat it that way 20:20:51 ayoung: that was my literal approach but I was dissuaded by cmurphy and the team agreed 20:21:14 hrybacki, you were right and they were wrong. 20:21:19 :) 20:21:28 ayoung: I disagree with you know and past Harry :P 20:22:00 hrybacki, so, if the goal is to make Domain scoping go away, I would be in full support 20:22:23 however, users and groups are not owned by projects, and I absolutetly should not need a System scoped token to create either 20:23:04 I mean, I know domains were a mistake 20:23:11 but they are not one was can sweep under the rug now 20:23:15 All arguments I raised, the team discussed, and rejected 20:23:38 I agree with them now (to be clear) 20:23:47 domain scoping can be sidelines 20:23:52 we cannot remove it/make it go away 20:23:56 because it is part of the v3 api 20:24:16 sidelined* and/or suggested to "not be used" 20:24:45 WRT implied roles. Our aim (at the project level) is make these alterations by way of policy file changes that move into policy-in-code after being vetted 20:25:57 simple, quick, and easily modifiable. Customers will /really/ start to flip if we don't offer these things soon 20:26:14 implied roles were also discussed in length (during one of the office hours sessions IIRC) 20:28:03 hrybacki, it was a tool built explicitly to aid in this problem 20:29:12 ayoung: that doesn't mean it's right for right now 20:29:35 we really need to keep this as simple as possible right now 20:30:58 maybe I misunderstand how you are advising we use them here. But minor mods to policy files is acceptable other projects and the team after a lot of discussion at PTG 20:31:17 hrybacki, simple: 20:31:22 create 2 rules 20:31:27 admin implies memember 20:31:33 member implies reader 20:31:39 or auditor whatever it is called 20:31:48 tag the API with the Lowest level role 20:31:54 no need for the OR statements 20:32:15 for project scoped apis, you still need the right system scoped role to get at it 20:32:28 I see what you are suggesting now. Create the implications during the bootstrap process and keep the policy files clean as possible? 20:32:35 so you could give someone system:auditor and they can read all of the auditor roles 20:32:39 yep 20:32:50 okay, I have to run to an appt. I'm gonna reflect on this while I walk 20:33:12 cool 20:35:32 lbragstad: responded to your comments 20:35:39 need some more feedback before I post an updated patch 20:39:08 kmalloc: ack - 20:39:14 thoughts on https://bugs.launchpad.net/keystone/+bug/1729933 ? 20:39:15 Launchpad bug 1729933 in OpenStack Identity (keystone) "region update doesn't update extras" [Undecided,In progress] - Assigned to David Lyle (david-lyle) 20:39:56 kmalloc, do you honestly thinkg there is an alternative to doing domain scoped for users and groups? DO we honestly want to make people system admins in order to add new users? Adding users should be cheap...its role assignements that are dangerous. 20:51:25 ayoung: no, i am not advocating for anything it was just a comment 20:51:32 cool 20:51:40 ayoung: we can sideline we can say don't do this, we cannot remove the functionality from keystone 20:51:55 lbragstad: ugh, extras 20:52:00 lbragstad: sigh 20:52:11 =/ yeah... 20:52:18 kmalloc, lbragstad one topic I want to discuss at the summit is multi-site OpenStack deployements where the different regions/sites are on different versions of OpenStack. 20:52:45 lbragstad: if it never worked for region, even if the table exists, i'll -2 any added extras support 20:52:48 Something like the hub-and-spoke model, where a central keystone just forwards to another keystone 20:53:09 ayoung: theoretically possible with federation 20:53:17 realistically... unknown 20:53:43 i think the domain scope thing with users and group can still happen, i don't expect it to be system-scope for ever 20:53:56 if you're referencing the default roles specification 21:03:13 lbragstad: just commented on the bug 21:03:27 lbragstad: basically if we can show regions EVER supported "Extras" we need to add it back in 21:03:38 else, nope, nope, not doing it, no, nope, no thanks 21:03:53 though I am not opposed to a Region['VendorData'] like thing 21:04:05 that is explicitly outlined as deployment specific 21:04:22 [AND is a little smarter, like Resource-Opts is, where a "None" clears the value] 21:07:14 kmalloc, I think there is a little bit more to it than just Federation. I'll try to write up a decent agenda. 21:07:30 lbragstad, are we going to have breakout rooms for design, or has all of that been conceded to the PTGs? 21:17:59 ayoung: i don't think so 21:18:08 i think the rooms we get are for large discussions 21:18:15 like cross-project things 21:18:21 or feedback sessions 21:18:34 e.g. i don't think we'd get a room to work on keystone-specific things 21:18:46 they're also time-boxed to 40 minutes or so 21:21:23 lbragstad, OK, so multi-site is a cross project topic. 21:21:53 lbragstad, what I am realizing now is that even if there are multiple openstacks in a single org, they need to be only loosly-unified. If that makes sense 21:22:04 like, maybe you only upgrade one at a time 21:22:16 but you still want a unified Keystone scheme for them 21:22:31 there is no reason you can't use a bleeding edge keystone with an ancient 21:22:36 and thus having a database sync 21:22:39 and regions can be other deploys. 21:22:48 kmalloc, heh yes there is. and it has n othing to do with Keystone 21:22:50 i think that is how most orgs end up doing it 21:22:54 and everything to do with our deployment tool 21:23:13 this sounds like an inflexible deployment tool :P 21:23:25 but yeah, that is how i've seen folks crack that nut 21:23:30 it's still not pretty 21:23:34 but I think having DB sync between version of Keystone is a reasonable design discussion 21:23:46 i.. well 21:24:01 i think this sounds kindof awful 21:24:05 like, how to make a deployment work when one part is on Q and one is on R and one is on S 21:24:19 nAH 21:24:24 everyone use "S" keystone *shiftyeyes* 21:24:39 THey named it for Brian? 21:24:57 https://www.linkedin.com/in/brian-stein-7b659b/ 21:24:59 in all honesty, i would refrain from referencing "db" anywhere in it. 21:25:22 simply so as to circumvent the convo around db-replication :P 21:25:45 kmalloc yep 21:25:57 so, what I *think* you're looking for is something we sortof proposed in the past. 21:26:03 kmalloc, the other convo I want to have is "how do I delete a project without orphaning the majority of my resources" 21:26:15 ah...pause on mine...go on 21:26:27 something that may intercept a keystone call and replicate it [public interface] to other keystones via rest. 21:26:37 and some mechanism to "replay"/"catchup" 21:28:10 thing is, our REST Apis are not create firendly, as they tend to allocate new IDs 21:28:14 but- it wont scale out. 21:28:29 we'd want to make sure that a new Create is done with the ID from the server that has the right to create that record 21:28:36 i was actually thinking of something that would be a dogpile proxy, and it would talk to other dogpile proxies 21:28:44 originally 21:29:24 but it has a lot of potential issues. 21:29:34 My original view was that, in a multi-keystone deployment, each keystone server would be canonical for a subset of domains, and could write data for those, but only read data for other domains 21:29:47 I'm not wedded to that impl, but I think the bones is 21:29:54 so you'd capture at just below the manager layer, and replicate that out to the other keystones 21:30:00 "what data can I write locally, and what do I need to sync" 21:30:41 I'm not sure where capture would happen. I think I'd be pretty flexible on the impl 21:31:05 it would need to be below the manager i think.. 21:31:31 but there are a lot of issues with "what if someone did an update for some new data that R dodens't know about via the S keystone and that is forwarded" 21:31:42 i think it's kindof going to be full of awful pitfalls/ 21:33:13 kmalloc, right. But on the other hand, we can map it out, and at least start sketching out a solution 21:33:30 We couild even say "it starts with K2K 21:33:44 "but we need to keep data in sync" 21:34:50 i'd need to talk more, but honestly, i think k2k still solves 95-99% of what you're asking for 21:35:04 and really only has a lower bound of minimum supportable keystone 21:46:48 kmalloc, I'm OK with K2K as the basis. Just want to map out the full use cases, including how to automate project creation and mapping. 07:00:26 wangxiyuan proposed openstack/keystonemiddleware master: Double quote www_authenticate_uri https://review.openstack.org/559925 12:29:24 Johannes Grassler proposed openstack/keystone-specs master: Add capabilities to application credentials https://review.openstack.org/396331 14:38:58 o/ 14:47:03 o/ 15:12:28 o/ 15:35:27 o/ 15:43:32 lbragstad: FYI I'm gonna be in-and-out all afternoon (tons of meetings I'm getting pulled into today) 15:44:01 hrybacki: thanks for the heads up 15:45:00 ack. I'll be in the weekly meeting though 15:45:48 cool 15:59:33 reminder that the keystone team meeting is starting in a minute in #openstack-meeting-alt 15:59:38 this might be an olso.log question.. but im noticing when running keystone behind uwsgi that when it spits out the DEBUG running config the name of application is 'uwsgi' in logging 15:59:48 on glance, it is 'glance.common.config' 16:00:16 so i have to filter for (^keystone|^uwsgi) on keystone, but only (^glance) for glance 16:00:45 is there anything i can do to get the module to report something a bit more 'keystone' named 16:01:45 SamYaple: it is likely uwsgi is configurable 16:01:49 SamYaple: i haven't looked though 16:02:49 kmalloc: my knowledge of uwsgi as relates to python logging approaches zero, do you have a param or option for me to start searching for in uwsgi to control the name? 16:03:00 im running glance behind uwsgi as well, same configuration 16:03:16 ah 16:03:35 you might need to supply a keystone-specific uwsgi with logging prefix or some such 16:03:46 i'll look post meeting/lunch 16:04:08 and see if i can help you. FWIW, I'm setting up an openstack for my home network today, so I'll specifically poke at that 16:04:57 ok yea, this is really a non-critical issue 16:05:05 im just working on openstack logging right now for my company 16:05:15 appreciate the comments 16:16:09 Merged openstack/keystone-specs master: Add capabilities to application credentials https://review.openstack.org/396331 16:31:35 I should be back after awhile, may not make the rest of the meeting though 17:01:20 lbragstad: Error: Can't start another meeting, one is in progress. Use #endmeeting first. 17:01:30 #endmeeting