Tuesday, 2016-01-26

00:39 <mgagne> notmorgan thinking about not having regional nodes and instead pay the latency tax "once" and also make all keystonemiddleware cache to the same regional memcached server so all services can benefit from it.
00:40 <mgagne> notmorgan removing ping (SELECT 1) and ROLLBACK (I gained ~36% performance) but it's clearly not recommended by the sqlalchemy manual
00:41 <notmorgan> That will break a lot of things if the connection drops
00:41 <mgagne> of course
00:41 <notmorgan> Solvable but we need to rework the whole connection thing.
00:41 <mgagne> was more or less trying to see the actual cost of those requests on the overall process
00:42 <mgagne> I figured that one out =)
00:43 <openstackgerrit> Merged openstack/keystone: Ensure pycadf initiator IDs are UUID  https://review.openstack.org/252182
00:45 <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/269479
01:16 <kk> i am trying to access swift using keystone. It was working just fine.  but now suddenly, when i type keystone tenant-list or user-list or endpoint list, anything.. it shows expecting an endpoint provided by --os-endpoint or env variable
01:16 <kk> how can i resolve this issue. help!
01:23 <notmorgan> kk: first off, the keystone CLI is deprecated and we highly recommend moving to openstackclient (common client)
01:24 <notmorgan> kk: not sure why you're getting that error, did you just update some packages?
01:32 <kk> no. i didn't update any package
01:32 <kk> @notmorgan
01:58 <ayoung> Can someone please just +2A the RoleAPI and we'll deal with bugs if it happens to be wrong?  Please?
01:58 <ayoung> https://review.openstack.org/#/c/242614/
02:08 <ayoung> seriously, it's not that hard
02:14 <ayoung> gyee, jamielennox https://review.openstack.org/#/c/242614/  please.
02:18 <ayoung> BTW, totally going on tour next summer's midcycle http://bostinno.streetwise.co/2016/01/22/new-england-craft-breweries-map-of-every-massachusetts-brewery/
02:19 <ayoung> mgagne, revocations need to go away.
02:19 <mgagne> ayoung could I get more context? :D
02:19 <ayoung> Our system is dumb.  We should not force users to go to Keystone first
02:19 <ayoung> Just go directly to Nova with userid and password
02:20 <ayoung> it is no safer, and maybe a little less safe, to send the password to Keystone then to Nova
02:20 <mgagne> ayoung how is this related to revocation?
02:20 <ayoung> mgagne, because if we did that we would never revoke
02:20 <ayoung> tokens are a mix of authentication and authorization
02:21 <ayoung> as such they are not good at either
02:21 <ayoung> if we authenticated directly to Nova, then nova could look up the roles for the users, we'd know they were current
02:21 <mgagne> ayoung so I remove a role from a user, how is the token invalidated?
02:21 <ayoung> mgagne, in my world, there are no tokens
02:21 <ayoung> you remove a role from a user, next time that user goes to Nova, the operations associated with that role fail
02:22 <mgagne> ayoung is there latency in your world? =)
02:22 <ayoung> mgagne, no more or no less than there is now
02:22 <ayoung> if you cache, you increase latency
02:22 <mgagne> ayoung and how much is there in yours?
02:23 <ayoung> mgagne, the reason we have Keystone is so we don't copy passwords around.  Passwords suck
02:23 <ayoung> so if you really care about security, you use a real crypto authentication mechanism
02:23 <ayoung> the best option there is client certs
02:23 <ayoung> second is Kerberos
02:23 <ayoung> I've been saying this for years
02:23 <ayoung> I'm like the wild hermit in the Life of Brian
02:23 <mgagne> I'm not sure I'm ready to go down that path tonight.
02:24 <ayoung> mgagne, it's better than us continuing to expand the mess that is revocations
02:24 <ayoung> right now, we revoke on too many events
02:24 <mgagne> as an operator, I'm not much interested in the next feature or what could be so much better than now. I'm looking to make stuff work now (like this week)
02:24 <ayoung> mgagne, OK, what kind of tokens are you using?
02:25 <mgagne> we are currently using PKI, trying to move to fernet now
02:25 <ayoung> mgagne, OK,  so with Fernet, we need revocation events, because tokens are not persisted
02:25 <ayoung> if you move to UUID, tokens are persisted, so to revoke a token, you just erase it from the backing store
02:26 <ayoung> most of the revocation stuff was written with PKI in mind.  It was meant to happen out of tree
02:26 <mgagne> we don't have many writes in the keystone database: not many role assignment changes, only creation of new accounts
02:26 <ayoung> but then Fernet happened
02:26 <ayoung> so, we have an effort underway, led by lbragstad, to clean things up:
02:27 <ayoung> the big thing is that, for revocation events, we can drop revoke by, say, project or domain disable
02:27 <ayoung> with fernet, we will verify the domain at token validation time, so we don't need to record that
02:28 <ayoung> but...since we need to make this all work with uuid tokens, we need to make sure the logic is sound not only for fernet but for uud
02:28 <ayoung> uuid
02:29 <ayoung> so, from your perspective as an operator, it means that you should have fewer syncs based on token revocations, but it will be essential to make sure that project disable etc are in sync across geographies
02:29 <mgagne> our plan is to have one centralized database which might be replicated or not.
02:30 <mgagne> challenge is how to make it so 100ms latency doesn't show too much
02:32 <mgagne> our draft of possible solutions which don't imply implementing new code (or little): https://gist.github.com/mgagne/6061dccbb3d2419204b8
02:34 <mgagne> problem is that we don't have time budget for 3) (galera cluster)
02:35 <mgagne> so we might end up with 2) Lots of cache in keystonemiddleware and keep centralized keystone service.
02:35 <ayoung> mgagne, with fernet, the tax will be paid twice minimum
02:35 <mgagne> ayoung which use case?
02:35 <ayoung> once per user getting a token, then once per service validating the token
02:35 <mgagne> ayoung no
02:35 <ayoung> so on an openstack server create
02:35 <mgagne> ayoung the user gets its token at the centralized service
02:35 <ayoung> ok
02:36 <mgagne> which he is already doing anyway
02:36 <ayoung> check
02:36 <ayoung> so are Nova and glance going to share a cache?
02:36 <mgagne> yes
02:36 <mgagne> Glance is per region
02:37 <mgagne> plan is to hook keystonemiddleware to the same memcached server and share the cache
02:38 <mgagne> regional services are all located in the same facility
02:38 <ayoung> mgagne, makes sense.
02:38 <ayoung> so then the question is, how long to let a token stay in cache
02:38 <mgagne> we tried regional keystone nodes with centralized database, we are paying the latency tax for each query and there are a lot so yea =(
02:38 <ayoung> there are 2 use cases
02:38 <ayoung> 1 is CLI, which is, essentially one token per call
02:39 <ayoung> the other is horizon, which is one long lived token for all calls
02:39 <ayoung> and horizon doesn't know if a token has been revoked
02:39 <ayoung> are you even using horizon or a horizon like service?
02:40 <mgagne> it's hooked to the centralized keystone
02:40 <mgagne> we don't have horizon in our regions, it's a global service
02:40 <mgagne> global = in that one central region with more management nodes
02:41 <ayoung> mgagne, so, you probably want horizon validating tokens before sending them out. Otherwise, what I say stands
02:41 <mgagne> how can this be done?
02:41 <ayoung> I don't know.  I don't think it can be done without code changes
02:41 <ayoung> I'm just thinking it through
02:41 <ayoung> mgagne, let's assume that it can't be done easily....
02:41 <ayoung> so a user goes to central horizon, gets a token.  This token has a long life
02:42 <ayoung> we set it to an hour, but many sites had to up that to deal with long running tasks
02:42 <ayoung> so, say 12 hours
02:42 <ayoung> or 8 or whatever
02:42 <ayoung> I think you would want to make the cache timeout match the horizon session cache.
02:42 <mgagne> does ksmiddleware know about token expiration?
02:42 <ayoung> so if your sessions are 10 minutes, make the memcache timeout be 10 minutes
02:43 <mgagne> can't it cache it to no more than expiration time when possible?
02:43 <ayoung> mgagne, nah, it relies on Keystone to validate that, except for PKI
02:43 <ayoung> with fernet, you might want to think about validating locally.
02:44 <mgagne> 1st time, it will validate with keystone, isn't metadata about the token returned? if so, why not use it to adjust TTL related to expiration time?
02:44 <mgagne> how can you validate locally?
02:44 <ayoung> mgagne, usually the TTL is much longer than cache timeout
02:44 <ayoung> would you really want an 8 hour cache timeout?
02:44 <mgagne> "usually" is a synonym of assumption and bugs =)
02:45 <mgagne> ayoung let's say I put 1h. TTL==token lifetime
02:45 <ayoung> mgagne, believe me, if we could make the timeout 4 minutes I'd be ecstatic
02:45 <ayoung> mgagne, why>
02:45 <ayoung> ?
02:45 <ayoung> it means you never want to check that a token is revoked
02:45 <ayoung> tokens never get extended
02:46 <mgagne> the guy runs around, doing nothing with his token. he then comes to our API after 40m and asks stuff. we cache it for 1h. what now? will ksmiddleware cache it for 1h?
02:46 <ayoung> I'd say 10 minutes is the longest I'd recommend, and probably too long at that.  Make it 5
02:46 <ayoung> He has a slightly longer response time on his first call to Nova cuz his token is flushed from cache
02:46 <ayoung> he won't notice it
02:46 <ayoung> 5 minutes
02:47 <ayoung> that is network clock sync slop allowance anyway
02:47 <mgagne> so cache is not aware of revocation events nor token TTL.
02:47 <ayoung> mgagne, that is correct
02:47 <mgagne> I see room for improvement =)
02:48 <ayoung> mgagne, with PKI, revocation list was checked in process. But Fernet or UUID you need to go back to Keystone server to validate
02:49 <mgagne> I see _check_revocations_for_cached. is this what you are referring to?
02:53 <openstackgerrit> fengzhr proposed openstack/keystone: The name can be just white character except project and user  https://review.openstack.org/272358
02:55 <openstackgerrit> fengzhr proposed openstack/keystone: The name can be just white character except project and user  https://review.openstack.org/272358
02:56 <ayoung> mgagne, yeah,  but remember, there are two things: revocation list, designed to be read from a remote process, and revocation events.  These are checked in keystone server only
02:56 <mgagne> list was for PKI which isn't a thing anymore
02:56 <mgagne> right?
02:57 <mgagne> and event is for internal stuff?
03:02 <mgagne> 10pm, I have to go, we can talk more tomorrow, thanks for your help!
03:26 <openstackgerrit> Merged openstack/keystone: Refactor test auth_plugin config into fixture  https://review.openstack.org/266396
03:33 <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/269479
03:41 <notmorgan> ayoung:  hey, sorry just got back can look at the api thing
03:42 <ayoung> notmorgan, thanks, please do.
03:42 <ayoung> notmorgan, I hate to be a noodfe
03:42 <ayoung> noodge
03:42 <ayoung> actually, that is a lie, I really don't mind it
03:42 <notmorgan> ayoung: eh. i've been roped back into server things
03:42 <ayoung> but it is the only way on these more complex patches to make things move
03:42 <notmorgan> unfortunately
03:42 <notmorgan> so meh
03:42 <ayoung> this one is making progress
03:43 <notmorgan> ayoung: you may want to look at https://review.openstack.org/#/c/272007/
03:44 <notmorgan> ayoung: it's that whole "don't ask for things from the backends more than once" thing
03:44 <notmorgan> so for a request we will only ever hit the backend/memcache once for .get_domain(<id>) for example
03:44 <notmorgan> ayoung: looking for general feedback on it
03:45 <ayoung> notmorgan, is this a dogpile replacement?
03:45 <notmorgan> no it hooks into dogpile
03:45 <ayoung> OK...
03:45 <notmorgan> so we stash anything we lookup in the request context effectively
03:45 <notmorgan> it's a 2nd cache tier in process that is request specific
03:45 <openstackgerrit> henry-nash proposed openstack/keystone: Add tests in preparation of projects acting as a domain  https://review.openstack.org/272369
03:45 <notmorgan> so duplicated calls don't have to socket()->memcache()->deserialize()
03:46 <notmorgan> it just does the deserialize step
03:46 <notmorgan> and btw, the hardest part was serializing/deserializing the RevokeTree
03:46 <notmorgan> :P
03:46 <openstackgerrit> henry-nash proposed openstack/keystone: Removes project.domain_id FK  https://review.openstack.org/233274
03:46 <notmorgan> if that goes away i can save ~50 microseconds per deserialize :P ok... not worth it :P
03:47 <notmorgan> ayoung: this one?
03:47 <notmorgan> https://review.openstack.org/#/c/242614/
03:48 <ayoung> notmorgan, that should not have been hard to serialize.  I went through that process way back when.  But thanks
03:48 <ayoung> that tree needs a lumberjack
03:48 <notmorgan> it is. JSON thinks it has circular references
03:48 <ayoung> Joy
03:48 <notmorgan> so i used msgpack
03:48 <ayoung> rapture
03:48 <notmorgan> and created a serializer that just dumps .revoke_map
03:48 <notmorgan> and restores it on a new object when needed
03:48 <notmorgan> for deserialize
03:49 <notmorgan> was easier than trying to figure out how to know it was in-fact a revoketree, msgpack did it all for free
03:49 <notmorgan> and the difference was ~60usec vs ~7usec
03:49 <openstackgerrit> henry-nash proposed openstack/keystone: Projects acting as domains  https://review.openstack.org/231289
03:49 <notmorgan> in a synthetic pure deserialize test
03:49 <notmorgan> which is close to what an event looks like
03:49 <ayoung> notmorgan, can we just chop off all the spurious revoke events?
03:50 <notmorgan> ayoung: more work
03:50 <ayoung> we don't need anything but by userid/time and by token id
03:50 <notmorgan> less work to just serialize the whole thing.
03:50 <notmorgan> once we cut down all the extra revoke event types, i'll push the logic down to SQL
03:50 <openstackgerrit> Dave Chen proposed openstack/keystone: Relax the schema validation to accept empty request body  https://review.openstack.org/237448
03:50 <ayoung> No , I mean kill it in the tree.  now
03:50 <notmorgan> since SQL can do the lookup for us more cheaply at that point
03:51 <ayoung> I should just write that patch
03:51 <notmorgan> out of scope for this change
03:51 <ayoung> I know
03:51 <notmorgan> easy to stack that on next
03:51 <ayoung> it just keeps coming up
03:51 <notmorgan> i was holding off on hacking away on revoke tree
03:51 <notmorgan> since this was a clear and easy test/win
03:51 <notmorgan> and i had to hack on dogpile anyway to make role assignment caching work
03:51 <ayoung> notmorgan, put the move of the model into its own change, I think.
03:52 <ayoung> not important, though...
03:52 <notmorgan> ayoung: notice this is WIP. it's more for "do we like the concept?"
03:52 <notmorgan> before i do cleanup / finalization
03:52 <ayoung> yeah...I do like the idea
03:52 <notmorgan> there is another change that will default caching on in keystone always if we go forward with it
03:52 <ayoung> just all the crud in the revoke distracts from the core
03:52 <notmorgan> and just default to the null (cache nothing) actual dogpile backend
03:53 <ayoung> there is no native caching in the database, is there?
03:53 <notmorgan> no
03:53 <notmorgan> you can hook dogpile onto SQL-A but the invalidates still need to be written
03:53 <ayoung> and we are so stateless that we query every time
03:53 <notmorgan> and we might as well cache at the business logic layer
03:53 <notmorgan> right.
03:54 <notmorgan> this is not that bad a thing tbh
03:54 <notmorgan> and caching higher up saves us driver logic too
03:54 <ayoung> notmorgan, is this the heart of it https://review.openstack.org/#/c/272007/edit/keystone/middleware/auth.py
03:55 <notmorgan> uhm
03:55 <notmorgan> are you editing that?
03:55 <notmorgan> cause... i can't open that page
03:55 <ayoung> ah...I did a minor edit to do a line break
03:55 <ayoung> one sec
03:55 <openstackgerrit> ayoung proposed openstack/keystone: WIP/DNM: Use requst local caching [full cache]  https://review.openstack.org/272007
03:55 <notmorgan> there
03:55 <notmorgan> hehe
03:56 <notmorgan> i can't view your mid-edit changes
03:56 <ayoung> I did a line break and also put in that newline lbragstad asked for
03:56 <ayoung> https://review.openstack.org/#/c/272007/3/keystone/middleware/auth.py  that
03:56 <ayoung> notmorgan, so, where does the cache get read?
03:56 <notmorgan> in the _context_proxy
03:57 <notmorgan> so memoize hits the _context_proxy before hitting the backend
03:57 <ayoung> notmorgan, so, we already have dogpile caching set up, and this extends that?
03:57 <notmorgan> @memoize->dogpile.region->_context_proxy->dogpile_backend
03:57 <notmorgan> i just layered the new context_proxy in
03:57 <notmorgan> in the "dogpile" way
03:57 <notmorgan> you can add proxies [as many as you want] in before the backend
03:57 <notmorgan> and the context proxy stores the data for that request in thread.local
03:57 <ayoung> notmorgan, ok, so the new proxy is in memory, and, local to the request?
03:58 <notmorgan> yep
03:58 <ayoung> so each request will get its own copy
03:58 <notmorgan> yep
03:58 <ayoung> and if that is a miss, it goes to dogpile
03:58 <notmorgan> yep
03:58 <notmorgan> and if an .invalidate() happens it affects both thread.local and dogpile.
03:58 <ayoung> what was configured before...that is also in memory, but shared...
03:58 <notmorgan> before it was default configured off
03:58 <ayoung> now, in mod_wsgi, where does the existing dogpile cache live?
03:58 <notmorgan> for unit tests we had a synthetic dict() based backend that looked like a memcache interface
03:58 <notmorgan> still do.
03:59 <ayoung> what threading model are we running under?
03:59 <notmorgan> in mod_wsgi once my next devstack change lands we will run everything with a real memcache in devstack too
03:59 <notmorgan> uhmm... i think we're worker
03:59 <notmorgan> but WSGIDaemonProcess
03:59 <ayoung> worker means what?
03:59 <notmorgan> not prefork apache
03:59 <notmorgan> but not event apache
03:59 <notmorgan> it's the threaded apache
03:59 <notmorgan> and we run 5 processes, single thread in mod_wsgi
04:00 <ayoung> 5 proc 1 thread...does that mean that, effectively, we are doing pre-fork cuz there is only one thread per process?
04:00 <notmorgan> most deployments run everything worker (threaded) apache unless you *really* need prefork
04:00 <openstackgerrit> henry-nash proposed openstack/keystone: Projects acting as domains  https://review.openstack.org/231289
04:00 <notmorgan> right for the wsgi_workers
04:01 <notmorgan> but not for apache
04:01 <notmorgan> apache will multiplex to the workers, just the workers handle a single thing
04:01 <notmorgan> also, i think a thread in mod_wsgi is different than a python thread
04:01 <notmorgan> it's a C-thread that runs a python interpreter
04:02 <notmorgan> so think of it like a single-threaded python task even if mod_wsgi has many threads
04:03 <notmorgan> fwiw, i've been told you can OOM a machine with 10 keystone workers in mod_wsgi if it's an 8GB node
04:03 <notmorgan> in some folks' dev deployments
04:05 <ayoung> notmorgan, so, IIUC, a thread here will get reused.  Does that mean that the global python objects will be reused in the next request?
04:05 <notmorgan> yeah, i think so.
04:06 <notmorgan> but a thread.local is specific to that request
04:06 <ayoung> initialization only has to be run when the thread is spun up, so once per process
04:06 <notmorgan> yea.
04:06 <notmorgan> or when the thread is torn down
04:06 <ayoung> so this cache you are doing is thread local?
04:06 <notmorgan> yes.
04:06 <notmorgan> it's hooked into oslo.context
04:06 <notmorgan> we use the same thread.local cache, so if we clear it for a request, we clear our request cache too
04:07 <ayoung> whose word am I supposed to take that oslo.context is thread local?
04:07 <notmorgan> ayoung: https://github.com/openstack/oslo.context/blob/master/oslo_context/context.py#L28 https://github.com/openstack/oslo.context/blob/master/oslo_context/context.py#L165 https://github.com/openstack/oslo.context/blob/master/oslo_context/context.py#L70
04:08 <notmorgan> oslo_context's
04:08 <ayoung> this has the potential to be a security hole.  If data from one request can show up in another due to the cache.
04:08 <notmorgan> the data i am storing there is never available outside of the oslo_context direct access
04:08 <ayoung> _request_store = threading.local()
04:08 <ayoung> we better test the fO(&*) out of that
04:09 <notmorgan> threading.local is pretty damn well tested
04:09 <ayoung> ok...
04:09 <ayoung> so, how does your additional cache help us?
04:10 <notmorgan> it means that if a request asks for say .get_domain('default')
04:10 <notmorgan> it is stored in the request's context rather than needing to reach out
04:10 <notmorgan> so no socket() no networking, no waiting on memcache,
04:10 <notmorgan> strict .deserialize()
04:10 <notmorgan> and return
04:11 <notmorgan> if it isn't a cache miss. this means all the duplicated .get_domain for checking user, project, user_project, project_domain, trust.user.domain
04:11 <ayoung> why even serialize?  why not just store python objects?
04:11 <notmorgan> becomes cached in-process
04:11 <notmorgan> well it has to be isolated
04:11 <ayoung> from what
04:11 <notmorgan> you can't return a dict, dicts are mutable
04:11 <notmorgan> if someone did .get_domain('default') then dom_ref['id'] = 'HAI'
04:12 <notmorgan> now .get_domain('default') would return bogus data
04:12 <notmorgan> the options are copy.deepcopy(), serialize(), or custom copy() code
04:12 <notmorgan> deepcopy has bizarre performance implications
04:12 <notmorgan> since it has a TON of sanity checking
04:12 <notmorgan> i would use json, but revoke tree needs to die first
04:12 <notmorgan> msgpack was super easy
04:13 <notmorgan> and already available (and really isn't slow) and no "security" concerns like pickle has
04:14 <notmorgan> order of speed: json 7usec, deepcopy (simple objects) 13usec, pickle 30usec, msgpack 60usec, deepcopy (complex) unknown
04:14 <notmorgan> s/unkown/variable
04:14 <notmorgan> but a lot of extra code is needed to use json, and deepcopy is highly variable
04:14 <notmorgan> pickle raises security concerns always, even if it shouldn't because it's never exposed in a way to the user.
04:15 <notmorgan> so until revoke tree is gone msgpack, but honestly an avg of 50usec per deserialize doesn't seem like much to fret over
04:15 <notmorgan> we're well within CPU slices
04:15 <notmorgan> on any modern proc
04:16 <ayoung> notmorgan, but this cache is only in a single process, why worry about mutability?
04:16 <notmorgan> because if something in the request changes the id, then we break the rest of the request that relies on that object
04:17 <notmorgan> get_project_domain, change ref, get user_domain (same as project_domain), now the data is wrong
04:17 <ayoung> notmorgan, and that is why I coded the models with the immutable switch all those years ago...
04:17 <notmorgan> except we can't make it immutable
04:17 <ayoung> but tree should be immutable
04:17 <ayoung> or, really, should not need to be serialized.
04:17 <ayoung> but, I think your approach is solid
04:18 <ayoung> it's on the conservative side, which I can't fault
04:18 <notmorgan> we often do want it to be mutable (domain_ref for example) since we pass that into update_domain at times w/o copy
04:18 <ayoung> might make our memory overhead a bit higher...
04:18 <ayoung> right
04:18 <notmorgan> not really
04:18 <notmorgan> minimally so for the serialized content
04:18 <notmorgan> because each time we call .get_domain, we do all the SQL object book keeping
04:18 <notmorgan> and spin up a new ORM object then .to_dict it
04:19 <ayoung> tree could be painful.  I'd think long and hard if we could skip serializing the tree.
04:19 <notmorgan> we might actually have lower overhead since no ORM overhead
04:19 <notmorgan> ayoung: tree serializes just fine if i only serialize .revoke_map, and i expect to kill most of the tree before mitaka closes
04:19 <ayoung> works for me
04:19 <ayoung> https://review.openstack.org/#/c/242614/  awaits
04:19 <notmorgan> so we will be able to drop down to json. but this all works for now as is
04:20 <notmorgan> and reduces runtime (4core i7 5660u) laptop by 20sec for our unit tests
04:20 <notmorgan> and in gate (depending on node/ssd/non-ssd/etc) up to 100s
04:20 <notmorgan> and i've seen between 5 and 20m improvement in some dsvm runs
04:20 <notmorgan> so non-trivial benefits even on top of memcache :)
04:21 <notmorgan> ooh i just realized something
04:22 <notmorgan> need to fix something in the context thing hehe, your point on "does threading.local work". it does.. but you have to be smart about it
04:24 <notmorgan> oh we're good
04:24 <notmorgan> nvm
04:24 <notmorgan> my explicit .update_store() does exactly what is needed
04:25 <ayoung> you had me at :  reduces runtime (4core i7 5660u) laptop by 20sec for our unit tests
04:25 <notmorgan> ;)
04:25 <notmorgan> well 2core + SMT
04:25 <notmorgan> but effectively 4core
04:26 <ayoung> notmorgan, BTW, we are making progress on getting Keystone Eventlet out of Tripleo. I think that is the last place in the tent that still requires it
04:26 <notmorgan> cool
04:26 <ayoung> the undercloud change went through, but overcloud is more complex
04:29 <notmorgan> good stuff
04:36 <hugokuo> Hi all
04:37 <hugokuo> I got a couple of questions for Keystone and Keystone middleware.
04:38 <hugokuo> Q1. Does Keystone allow an operator to set up a prefix for tokens? eg. AUTH_1234567 or COOL_1234567
04:39 <hugokuo> Q2. In a case where there are 3 Keystone servers, non-federated, what's the best way to deal with a user's request in a service?
04:39 <hugokuo> thx
04:40 <stevemar> hugokuo: q1: nope, no prefix for tokens
04:40 <hugokuo> stevemar: copy.
04:44 <ayoung> hugokuo, to answer q1: no
04:44 <hugokuo> neat
04:46 <hugokuo> Then my original plan would not be able to be implemented. If there were a token prefix for different keystones, I could probably have a new middleware to select which Keystone server validates the incoming token in the Swift proxy server
04:46 <openstackgerrit> fengzhr proposed openstack/keystone: The name can be just white character except project and user  https://review.openstack.org/272358
04:51 <notmorgan> ayoung: uhm
04:52 <hugokuo> hmm... perhaps I can return a different hostname of the same service in each Keystone server. And then write another middleware to parse the incoming request's hostname header. To extract the keystone server index from the hostname header
04:52 <notmorgan> i am clearly not understanding the implied roles? is it a one-to-one relationship atm?
04:52 <notmorgan> it looks like you get exactly 1 implied role for a previous role?
04:52 <notmorgan> and also do we really want "admin or cloud_admin"?
04:52 <notmorgan> to be able to make them?
04:53  * notmorgan is looking at code.
04:53 <notmorgan> not at the docs fwiw
04:53 <notmorgan> oh nvm was looking at .get_implied_role not list_role_inference_rules
04:53 <notmorgan> and list_implied_roles
04:54 <ayoung> notmorgan, it is a many to many relationship
04:54 <notmorgan> right
04:54 <ayoung> so one prior role can imply many implied roles
04:54 <ayoung> and one role can be implied by multiple prior
04:55 <ayoung> we deal with cycles in a few patches that are already in
04:55 <notmorgan> right
04:55 <ayoung> basically, allow them, but test
04:55 <notmorgan> so..
04:55 <notmorgan> admin, vs cloud_admin
04:55 <ayoung> right
04:55 <ayoung> you could now say admin implied cloud_admin,
04:55 <notmorgan> there doesn't seem to be any protection that the user has the prior/implied/whatever role
04:56 <ayoung> ?
04:56 <ayoung> what user?
04:56 <notmorgan> the user creating the implied role
04:56 <notmorgan> you've said in the v3 policy file "admin or cloud admin"
04:56 <notmorgan> so domain admins can create implied roles?
04:56 <ayoung> notmorgan, is that too trusting for now?
04:57 <ayoung> hmmm
notmorganand there seems to be no protection to prevent a domain admin from creating an implied role04:57
ayoungyou may be right04:57
notmorganthat she doesn't have04:57
notmorganand escalate perms04:57
notmorgani want the cloud admin role, so create an implied role that will cascade it onto me04:57
ayoungis_admin would protect against that, but we can't count on that yet04:57
openstackgerritMerged openstack/keystone: Adds a base class for functional tests  https://review.openstack.org/20314204:57
notmorganright.04:57
ayoungso we should change the policy to be admin only for now04:57
notmorgancloud_admin only for v3 iirc04:57
ayoungnotmorgan, so only need to change v3cloudsample?04:59
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/26947904:59
*** topol_ has joined #openstack-keystone04:59
notmorganstill lookin04:59
notmorganbut that one is the first thing that stands out04:59
openstackgerritfengzhr proposed openstack/keystone: The name can be just white character except project and user  https://review.openstack.org/27235805:00
*** topol_ is now known as topol05:01
*** ayoung is now known as ayoung_ZZZzzzz05:01
*** ChanServ sets mode: +v topol05:01
openstackgerritfengzhr proposed openstack/keystone: The name can be just white character except project and user  https://review.openstack.org/27235805:03
notmorganayoung_ZZZzzzz: ok -1 on the security concern. but otherwise (didn't look at the tests too closely) looks reasonable05:04
*** shoutm_ has joined #openstack-keystone05:10
*** shoutm has quit IRC05:12
*** zqfan has quit IRC05:21
*** vivekd has joined #openstack-keystone05:23
*** EinstCrazy has joined #openstack-keystone05:41
*** shoutm_ has quit IRC05:52
*** spandhe has joined #openstack-keystone05:54
*** shoutm has joined #openstack-keystone05:56
*** su_zhang has joined #openstack-keystone05:57
openstackgerritDolph Mathews proposed openstack/keystone-specs: PCI-DSS v3.1  https://review.openstack.org/27239605:59
dolphmsorry ^05:59
*** EinstCrazy has quit IRC06:04
*** lhcheng has joined #openstack-keystone06:06
*** ChanServ sets mode: +v lhcheng06:06
*** shoutm_ has joined #openstack-keystone06:07
*** shoutm has quit IRC06:08
openstackgerritfengzhr proposed openstack/keystone: The name can be just white character except project and user  https://review.openstack.org/27235806:09
jamielennoxugh06:10
*** fawadkhaliq has quit IRC06:13
openstackgerritfengzhr proposed openstack/keystone: The name can be just white character except project and user  https://review.openstack.org/27235806:14
openstackgerritDolph Mathews proposed openstack/keystone-specs: PCI-DSS v3.1  https://review.openstack.org/27239606:16
openstackgerritDave Chen proposed openstack/keystone: Relax the schema validation to accept empty request body  https://review.openstack.org/23744806:20
openstackgerritDave Chen proposed openstack/keystone: Remove the duplicated testcase  https://review.openstack.org/27240106:20
*** shoutm_ has quit IRC06:22
*** shoutm has joined #openstack-keystone06:23
*** redrobot has left #openstack-keystone06:26
*** EinstCrazy has joined #openstack-keystone06:26
*** redrobot has joined #openstack-keystone06:27
*** lhcheng has quit IRC06:29
*** zqfan has joined #openstack-keystone06:31
*** su_zhang has quit IRC06:36
openstackgerritfengzhr proposed openstack/keystone: The name can be just white character except project and user  https://review.openstack.org/27235806:37
*** gyee has quit IRC06:37
*** belmoreira has joined #openstack-keystone06:37
*** EinstCrazy has quit IRC06:40
*** zqfan has quit IRC06:40
*** EinstCrazy has joined #openstack-keystone06:41
*** rcernin has joined #openstack-keystone06:53
*** vivekd has quit IRC06:58
*** mkoshiya_ has joined #openstack-keystone07:02
*** GB21 has joined #openstack-keystone07:05
*** su_zhang has joined #openstack-keystone07:12
openstackgerritfengzhr proposed openstack/keystone: The name can be just white character except project and user  https://review.openstack.org/27235807:13
*** spandhe has quit IRC07:14
*** shoutm has quit IRC07:17
*** vgridnev has joined #openstack-keystone07:17
*** shoutm has joined #openstack-keystone07:20
*** fawadkhaliq has joined #openstack-keystone07:20
*** EinstCrazy has quit IRC07:26
mkoshiya_Hi, all. could you please review bp/return-request-id-to-caller ? #link https://review.openstack.org/#/c/261188/ and Related Changes.07:27
mkoshiya_Thank you07:27
*** simondodsley has quit IRC07:28
*** mkoshiya_ has left #openstack-keystone07:35
openstackgerritfengzhr proposed openstack/keystone: The name can be just white character except project and user  https://review.openstack.org/27235807:41
*** fawadkhaliq has quit IRC07:49
*** fawadkhaliq has joined #openstack-keystone07:50
*** GB21 has quit IRC07:59
*** EinstCrazy has joined #openstack-keystone08:00
*** EinstCra_ has joined #openstack-keystone08:13
*** EinstCrazy has quit IRC08:14
*** su_zhang has quit IRC08:21
*** pnavarro has joined #openstack-keystone08:23
*** GB21 has joined #openstack-keystone08:27
*** shoutm_ has joined #openstack-keystone08:38
*** jaosorior has joined #openstack-keystone08:40
*** shoutm has quit IRC08:41
*** fhubik has joined #openstack-keystone08:47
openstackgerritDave Chen proposed openstack/keystone: Relax the schema validation to accept empty request body  https://review.openstack.org/23744808:47
*** fawadkhaliq has quit IRC08:57
*** fawadkhaliq has joined #openstack-keystone08:57
openstackgerritfengzhr proposed openstack/keystone: The name can be just white character except project and user  https://review.openstack.org/27235809:07
*** browne has quit IRC09:14
*** jistr has joined #openstack-keystone09:19
*** markvoelker has quit IRC09:23
*** mhickey has joined #openstack-keystone09:32
*** fawadkhaliq has quit IRC09:39
*** fawadkhaliq has joined #openstack-keystone09:39
*** fhubik has quit IRC09:40
*** EinstCra_ has quit IRC09:48
openstackgerritDina Belova proposed openstack/keystone: Integrate OSprofiler in Keystone  https://review.openstack.org/10336809:48
*** vivekd has joined #openstack-keystone09:54
*** davechen has quit IRC09:56
*** shoutm has joined #openstack-keystone09:57
*** shoutm_ has quit IRC10:00
*** vivekd has quit IRC10:10
*** jamielennox is now known as jamielennox|away10:15
*** vivekd has joined #openstack-keystone10:22
*** jaosorior has quit IRC10:23
*** markvoelker has joined #openstack-keystone10:23
*** jaosorior has joined #openstack-keystone10:24
*** jamielennox|away is now known as jamielennox10:25
*** iurygregory has quit IRC10:27
*** markvoelker has quit IRC10:28
*** iurygregory has joined #openstack-keystone10:30
*** aix_ has quit IRC10:32
*** EinstCrazy has joined #openstack-keystone10:38
*** shoutm has quit IRC10:39
*** fhubik has joined #openstack-keystone10:40
*** alexpro has joined #openstack-keystone10:40
*** iurygregory has quit IRC10:41
*** iurygregory has joined #openstack-keystone10:42
*** fhubik is now known as fhubik_brb10:47
*** fhubik_brb is now known as fhubik10:48
*** iurygregory has quit IRC11:00
*** vivekd has quit IRC11:01
*** iurygregory has joined #openstack-keystone11:02
*** davechen has joined #openstack-keystone11:02
*** fhubik has quit IRC11:03
*** chlong has quit IRC11:05
*** chlong has joined #openstack-keystone11:10
*** aix_ has joined #openstack-keystone11:13
*** davechen1 has joined #openstack-keystone11:16
*** davechen has quit IRC11:18
*** shoutm has joined #openstack-keystone11:26
*** shoutm has quit IRC11:31
*** shoutm has joined #openstack-keystone11:33
*** fawadkhaliq has quit IRC11:34
*** vgridnev has quit IRC11:45
*** gildub has quit IRC11:56
*** pauloewerton has joined #openstack-keystone12:07
openstackgerritPaulo Ewerton Gomes Fragoso proposed openstack/keystone: Add backend support for deleting a projects list  https://review.openstack.org/24591612:08
*** jaosorior has quit IRC12:12
*** jaosorior has joined #openstack-keystone12:13
*** daemontool has joined #openstack-keystone12:14
openstackgerritPaulo Ewerton Gomes Fragoso proposed openstack/keystone: Manager support for project cascade delete  https://review.openstack.org/24414912:14
*** iurygregory has quit IRC12:16
*** iurygregory has joined #openstack-keystone12:17
*** doug-fish has joined #openstack-keystone12:21
*** vgridnev has joined #openstack-keystone12:22
*** doug-fish has quit IRC12:23
*** doug-fish has joined #openstack-keystone12:24
*** markvoelker has joined #openstack-keystone12:25
*** dims has joined #openstack-keystone12:28
*** doug-fish has quit IRC12:28
*** markvoelker has quit IRC12:29
*** iurygregory has quit IRC12:30
*** iurygregory has joined #openstack-keystone12:30
*** doug-fish has joined #openstack-keystone12:31
*** doug-fish has quit IRC12:35
*** vgridnev has quit IRC12:41
*** vgridnev has joined #openstack-keystone12:42
*** dims has quit IRC12:45
*** pauloewerton has quit IRC12:48
*** iurygregory has quit IRC12:49
*** shoutm_ has joined #openstack-keystone12:50
*** iurygregory has joined #openstack-keystone12:52
*** pauloewerton has joined #openstack-keystone12:52
*** shoutm has quit IRC12:52
*** iurygregory has quit IRC12:54
*** daemontool has quit IRC12:55
*** shoutm has joined #openstack-keystone12:58
*** shoutm_ has quit IRC12:58
*** raildo-afk is now known as raildo12:59
*** fawadkhaliq has joined #openstack-keystone13:02
*** bill_az has joined #openstack-keystone13:02
*** shoutm has quit IRC13:08
*** shoutm has joined #openstack-keystone13:09
*** topol has quit IRC13:11
*** raildo is now known as raildo-afk13:13
*** raildo-afk is now known as raildo13:14
*** topol_ has joined #openstack-keystone13:15
*** jsavak has joined #openstack-keystone13:18
*** gordc has joined #openstack-keystone13:18
*** edmondsw has joined #openstack-keystone13:18
*** davechen1 has left #openstack-keystone13:19
*** davechen1 has joined #openstack-keystone13:24
openstackgerritfengzhr proposed openstack/keystone: The name can be just white character except project and user  https://review.openstack.org/27235813:24
*** fawadkhaliq has quit IRC13:25
davechen1dstanek: hi sir,13:25
davechen1dstanek: so, how about just remove 'test_calling_create_with_empty_entity_arg_fails' instead?13:25
*** markvoelker has joined #openstack-keystone13:25
*** davechen1 is now known as davechen13:26
*** markvoelker has quit IRC13:28
*** markvoelker has joined #openstack-keystone13:28
*** doug-fish has joined #openstack-keystone13:30
*** shoutm has quit IRC13:30
*** spzala has joined #openstack-keystone13:33
*** doug-fish has quit IRC13:37
*** doug-fish has joined #openstack-keystone13:38
*** topol_ has quit IRC13:39
*** ninag has joined #openstack-keystone13:42
*** topol_ has joined #openstack-keystone13:42
*** doug-fish has quit IRC13:43
*** aix_ has quit IRC14:00
*** aix has joined #openstack-keystone14:02
*** shoutm has joined #openstack-keystone14:06
*** richm has joined #openstack-keystone14:10
*** su_zhang has joined #openstack-keystone14:13
*** dslevin1 has quit IRC14:20
*** daemontool has joined #openstack-keystone14:24
*** doug-fish has joined #openstack-keystone14:26
*** clenimar has joined #openstack-keystone14:26
*** doug-fish has quit IRC14:26
*** dims has joined #openstack-keystone14:27
*** clenimar has quit IRC14:27
*** doug-fish has joined #openstack-keystone14:27
*** clenimar has joined #openstack-keystone14:28
*** clenimar has quit IRC14:28
*** dims has quit IRC14:29
*** clenimar has joined #openstack-keystone14:29
*** shoutm has quit IRC14:31
*** dims has joined #openstack-keystone14:32
*** iurygregory has joined #openstack-keystone14:33
*** boris-42 has quit IRC14:34
*** bill_az has quit IRC14:34
*** yarkot has quit IRC14:35
*** boris-42 has joined #openstack-keystone14:35
*** clenimar has quit IRC14:35
*** clenimar has joined #openstack-keystone14:35
notmorganZzzzzzzzzzzz14:41
*** davechen has left #openstack-keystone14:42
*** daemontool has quit IRC14:43
*** daemontool has joined #openstack-keystone14:47
*** fawadkhaliq has joined #openstack-keystone14:49
*** pushkaru has joined #openstack-keystone14:54
*** mhickey has quit IRC15:01
*** mhickey has joined #openstack-keystone15:07
*** sigmavirus24_awa is now known as sigmavirus2415:11
*** aix has quit IRC15:12
*** aix has joined #openstack-keystone15:13
openstackgerritLance Bragstad proposed openstack/keystone-specs: Add spec for multifactor authentication  https://review.openstack.org/27228715:22
*** david-lyle_ has joined #openstack-keystone15:26
*** timcline has joined #openstack-keystone15:26
*** ChanServ sets mode: +v topol_15:26
*** topol_ is now known as topol15:26
*** simondodsley has joined #openstack-keystone15:26
*** tonytan4ever has joined #openstack-keystone15:28
lbragstadi suppose everyone is going to be traveling today huh15:46
*** slberger has joined #openstack-keystone15:50
*** gokrokve has joined #openstack-keystone15:50
*** GB21 has quit IRC15:54
raildolbragstad: are you going for the midcycle?15:54
lbragstadraildo yep15:55
raildolbragstad: nice :)15:55
lbragstadraildo are you?15:55
*** genunix has left #openstack-keystone15:56
raildolbragstad: no, it's really expensive for me :(15:56
lbragstadraildo that's understandable15:57
lbragstadraildo did you have any more luck with the fernet trust things?15:57
openstackgerritLance Bragstad proposed openstack/keystone: Reuse project scoped token check for trusts  https://review.openstack.org/25367215:58
openstackgerritLance Bragstad proposed openstack/keystone: Add checks for domain scoped data creep  https://review.openstack.org/25367115:58
openstackgerritLance Bragstad proposed openstack/keystone: Add checks for project scoped data creep to tests  https://review.openstack.org/25367015:58
raildolbragstad: I'm debugging the code, and I think there is some problem when we create a token v2 with trust... I was waiting to see you and ayoung_ZZZzzzz online to talk about it15:59
lbragstadraildo ah - gotcha15:59
lbragstadraildo also - another thing we are trying to do related to our conversation from yesterday is this https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:consolidate-fernet-provider16:00
raildolbragstad: but since you probably will be travelling, maybe we can talk about it later....16:00
lbragstadraildo i'm not traveling until tomorrow16:00
lbragstadso I'll be available all day today16:00
*** GB21 has joined #openstack-keystone16:01
raildolbragstad: great, so I'll dig into this problem a little more and come back with some more information :)16:01
*** jsavak has quit IRC16:01
*** phalmos has joined #openstack-keystone16:01
lbragstadraildo awesome - a big piece of getting fernet to be default is consolidating those code paths16:01
raildolbragstad: got it :)16:03
raildolbragstad: i saw that this method doesn't return the auth_response: https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_auth.py#L104416:04
*** jsavak has joined #openstack-keystone16:05
raildolbragstad: now I'm trying to understand the reason16:06
*** vgridnev has quit IRC16:08
*** vgridnev has joined #openstack-keystone16:09
*** r-daneel has joined #openstack-keystone16:10
*** mylu has joined #openstack-keystone16:15
*** belmoreira has quit IRC16:16
*** david-lyle_ has quit IRC16:18
*** fawadkhaliq has quit IRC16:20
*** avarner has quit IRC16:20
*** GB21 has quit IRC16:23
*** dims has quit IRC16:24
*** chlong is now known as chlong_zzz16:28
*** avarner has joined #openstack-keystone16:28
*** phalmos has quit IRC16:29
*** phalmos has joined #openstack-keystone16:29
*** avarner_ has joined #openstack-keystone16:34
*** woodster_ has joined #openstack-keystone16:36
*** avarner__ has joined #openstack-keystone16:36
*** mhickey has quit IRC16:36
*** avarner has quit IRC16:36
*** e0ne has joined #openstack-keystone16:37
*** mylu has quit IRC16:37
*** stevemar_znc is now known as stevemar16:38
*** avarner_ has quit IRC16:39
*** mylu has joined #openstack-keystone16:40
*** avarner has joined #openstack-keystone16:41
*** spandhe has joined #openstack-keystone16:42
*** avarner__ has quit IRC16:43
*** diazjf has joined #openstack-keystone16:44
*** browne has joined #openstack-keystone16:44
*** _cjones_ has joined #openstack-keystone16:46
htrutahey henrynash: maybe you can add this to your review list: https://review.openstack.org/#/q/topic:bp/project-tree-deletion16:47
htrutaHMT stuff16:47
henrynashhtruta: sure16:47
*** roxanaghe has joined #openstack-keystone16:47
*** mylu has quit IRC16:48
henrynashhtruta: project tree delete…neat!16:48
*** _cjones_ has quit IRC16:48
*** mhickey has joined #openstack-keystone16:48
*** _cjones_ has joined #openstack-keystone16:48
*** mylu has joined #openstack-keystone16:49
*** dims has joined #openstack-keystone16:50
*** vgridnev has quit IRC16:51
*** gokrokve has quit IRC16:52
*** gokrokve has joined #openstack-keystone16:54
*** su_zhang has quit IRC16:54
htrutahenrynash: thanks16:55
*** dims has quit IRC16:56
*** fawadkhaliq has joined #openstack-keystone16:57
*** jbell8 has joined #openstack-keystone16:58
*** erhudy has quit IRC17:00
*** mylu has quit IRC17:02
*** rbak has joined #openstack-keystone17:03
*** fawadk has joined #openstack-keystone17:03
*** diazjf has quit IRC17:03
*** diazjf1 has joined #openstack-keystone17:03
*** gokrokve has quit IRC17:03
*** mylu has joined #openstack-keystone17:04
*** EinstCra_ has joined #openstack-keystone17:04
*** pauloegf has joined #openstack-keystone17:05
*** fhubik has joined #openstack-keystone17:05
*** fhubik has quit IRC17:06
*** EinstCrazy has quit IRC17:07
*** pauloewerton has quit IRC17:07
*** stevemar has quit IRC17:07
*** fawadkhaliq has quit IRC17:07
*** stevemar_znc has joined #openstack-keystone17:08
*** mylu has quit IRC17:09
openstackgerritSteve Martinelli proposed openstack/keystone: Enhance manager list_role_assignments to support group listing  https://review.openstack.org/26565017:15
*** openstackgerrit has quit IRC17:17
*** openstackgerrit has joined #openstack-keystone17:17
*** gokrokve has joined #openstack-keystone17:18
*** e0ne_ has joined #openstack-keystone17:18
*** spzala_ has joined #openstack-keystone17:20
*** e0ne has quit IRC17:20
*** spzala has quit IRC17:20
*** clenimar has quit IRC17:22
*** jsavak has quit IRC17:23
*** vgridnev has joined #openstack-keystone17:24
*** jsavak has joined #openstack-keystone17:27
*** timcline has quit IRC17:27
*** jsavak has quit IRC17:27
htrutahenrynash: are you still around?17:29
htrutalooks like we don't need to update this you suggested here: https://review.openstack.org/#/c/248295/7/keystone/resource/backends/sql.py17:29
henrynashhtruta: for a short while, yes17:29
*** stevemar_znc has quit IRC17:30
*** rvba has quit IRC17:30
henrynashhtruta: because….17:30
htrutahenrynash: I don't know why, but manager already calls it like this: https://review.openstack.org/#/c/248295/7/keystone/resource/core.py@82017:30
htrutait has "project" on the signature17:30
*** EmilienM has quit IRC17:30
*** aix has quit IRC17:30
*** e0ne_ has quit IRC17:31
*** jsavak has joined #openstack-keystone17:33
henrynashhtruta: interesting….I’m not quite sure if that is enough, however - I agree “morally” this should be enough, but I think if manager code wrote a call like: get_project(project_id=xyz) would that fail to work against a V8 driver?17:33
*** dgonzalez has quit IRC17:34
htrutahenrynash: good question. Will test it here17:34
*** mylu has joined #openstack-keystone17:34
*** stevemar_znc has joined #openstack-keystone17:34
*** EmilienM has joined #openstack-keystone17:34
*** dgonzalez has joined #openstack-keystone17:34
*** rvba has joined #openstack-keystone17:34
*** rvba has quit IRC17:34
*** rvba has joined #openstack-keystone17:34
*** ayoung_ZZZzzzz is now known as ayoung17:35
*** ayoung has quit IRC17:36
*** jsavak has quit IRC17:37
*** tonytan4ever has quit IRC17:37
henrynashhtruta: actually I *think* we are OK - since the wrapper code should satisfy the positional parameter call, and will just call the V8 driver get_project() method in non-positional fashion17:37
htrutahenrynash: that's what I think too17:37
*** mylu has quit IRC17:38
*** mylu has joined #openstack-keystone17:40
*** ayoung has joined #openstack-keystone17:41
*** ChanServ sets mode: +v ayoung17:41
*** vgridnev has quit IRC17:43
*** jsavak has joined #openstack-keystone17:45
*** vgridnev has joined #openstack-keystone17:46
*** raildo is now known as raildo-afk17:47
openstackgerritPaulo Ewerton Gomes Fragoso proposed openstack/keystone: Add backend support for deleting a projects list  https://review.openstack.org/24591617:47
*** raildo-afk is now known as raildo17:49
openstackgerritPaulo Ewerton Gomes Fragoso proposed openstack/keystone: Manager support for project cascade delete  https://review.openstack.org/24414917:49
*** jsavak has quit IRC17:50
*** hockeynut is now known as hockeynut_otr17:51
*** diazjf1 has quit IRC17:52
*** hockeynut_otr is now known as hockeynut17:52
*** tonytan4ever has joined #openstack-keystone17:52
*** jsavak has joined #openstack-keystone17:53
*** dgonzalez has quit IRC17:53
*** henrynash has quit IRC17:54
*** spzala_ has quit IRC17:54
*** jaosorior has quit IRC17:55
*** spzala has joined #openstack-keystone17:55
*** dgonzalez has joined #openstack-keystone17:55
*** spzala has quit IRC17:56
*** spzala has joined #openstack-keystone17:56
*** jsavak has quit IRC17:57
*** rderose has joined #openstack-keystone17:58
*** sigmavirus24 is now known as sigmavirus24_awa17:59
*** timcline has joined #openstack-keystone18:00
*** hockeynut_afk has joined #openstack-keystone18:00
*** sigmavirus24_awa is now known as sigmavirus2418:03
*** sigmavirus24 is now known as sigmavirus24_awa18:04
*** hockeynut_afk has quit IRC18:05
*** hockeynut_otr has joined #openstack-keystone18:06
*** jsavak has joined #openstack-keystone18:08
*** raildo is now known as raildo-afk18:10
*** su_zhang has joined #openstack-keystone18:10
*** jistr has quit IRC18:11
*** raildo-afk is now known as raildo18:13
*** rderose has quit IRC18:13
*** mylu has quit IRC18:13
*** gokrokve has quit IRC18:17
*** harlowja has joined #openstack-keystone18:18
*** mgarza has joined #openstack-keystone18:19
*** stevemar_znc is now known as stevemar18:20
*** ChanServ sets mode: +o stevemar18:20
*** e0ne has joined #openstack-keystone18:21
pauloegflbragstad, hi, you around?18:22
*** fawadk has quit IRC18:24
*** jsavak has quit IRC18:25
*** mhickey has quit IRC18:27
*** hockeynut_otr has quit IRC18:28
*** timcline has quit IRC18:31
*** jsavak has joined #openstack-keystone18:35
*** jsavak has quit IRC18:36
*** jsavak has joined #openstack-keystone18:36
*** gokrokve has joined #openstack-keystone18:37
*** jsavak has quit IRC18:41
*** gokrokve has quit IRC18:42
*** jsavak has joined #openstack-keystone18:42
lbragstadraildo why is that?18:43
lbragstadpauloegf o/18:43
lbragstadpauloegf what can I help you with?18:43
ayounglbragstad, you the only person not in transit right now?18:44
lbragstadayoung pretty much18:44
openstackgerritHenrique Truta proposed openstack/keystone: Replace tenant for project in resource files  https://review.openstack.org/24829518:45
lbragstadayoung i'll be in transit tomorrow morning early18:45
ayounglbragstad, I'll be available On IRC.  Let me know what tech I should try to use for remote presence. OK18:45
raildolbragstad: I've come back to investigate this now, I had some problems with my pc here18:45
*** vgridnev has quit IRC18:45
lbragstadraildo sounds good..18:46
lbragstadayoung have you heard if we are going to use anything in particular?18:46
ayounglbragstad, nope18:46
lbragstadayoung ok - me either, I'll be sure to ask tomorrow18:47
raildoplease, create a hangouts for the mere mortals here \o18:47
ayoungstevemar, what does IBM tend to use for remote presence?18:48
ayoungraildo, is Hangout the best option for you guys?  At Red Hat we use Bluejeans and the results have been pretty good18:48
pauloegflbragstad, about your comment in https://review.openstack.org/#/c/244248/11/keystone/resource/controllers.py18:48
*** avarner has quit IRC18:49
pauloegflbragstad, do you have any idea on how to do the mapping of the cascade parameter in routers.py?18:49
raildoayoung: any simple stream option work for us, I've never used bluejeans but sounds good to me18:50
pauloegfwe've already tried to put a new parameter in json_home but it didn't work well =\18:50
lbragstadpauloegf I think you'd just have to point the operation to a different method18:50
*** browne has quit IRC18:50
ayoungraildo, only problem is, none of the people on site know it.  I was on site last time, and samueldmq gave his presentation using it.  Maybe you are right to go with a hangout18:51
ayoungraildo, can we set up one now that is good for the week?18:51
*** EinstCra_ has quit IRC18:51
lbragstadpauloegf could the cascade flag be a query string? (does that make sense from a REST perspective)?18:52
ayoungraildo, Sent an invite.. we can set it up now and make it easy for tomorrow18:52
raildoayoung: bluejeans is not free? :(18:52
htrutalbragstad: I'm working with pauloegf on this18:52
lbragstadlike DELETE /v3/projects/{project_id}?cascade versus DELETE /v3/projects/{project_id}/cascade18:52
ayoungraildo, THE CLIENT is free.  RH has a subscription18:53
lbragstadhtruta o/18:53
raildoayoung: oh, great :)18:53
ayoungraildo, are any of you guys on team Brazil co-located anymore?18:53
htrutawe did it as a new route to specifically enforce a new policy rule18:53
ayoungor are you scattered to the winds now?18:53
raildome, htruta and pauloegf are in the same room, right now :)18:54
lbragstadhtruta ah - I was thinking you could consolidate the methods in the controller with a query string. The existing delete_project method would just pull out the cascade query string and apply the policy accordingly?18:54
*** lhcheng has joined #openstack-keystone18:54
*** ChanServ sets mode: +v lhcheng18:54
ayoungraildo, you don't need to answer, but are you getting the ping from hangouts?18:55
htrutalbragstad: I think so..18:55
raildoayoung: ops, sorry18:55
raildolbragstad: are you suggesting making the policy check in the code, like we did for parent_id?18:56
lbragstadraildo i'm not sure... i think so?18:57
raildolet me find the code...18:57
lbragstadnot sure if that is the best way to do it but I wouldn't mind seeing the difference in implementation with what is already proposed18:57
*** sigmavirus24_awa is now known as sigmavirus2418:57
*** RichardRaseley has joined #openstack-keystone18:57
ayoungraildo, No problem, this is the commo check, not the actual operation18:57
lbragstadayoung what do you think about the DELETE /v3/projects/{project_id}/cascade API call?18:57
raildolbragstad:  something like that https://github.com/openstack/keystone/blob/master/keystone/resource/controllers.py#L234-L24018:58
*** jaosorior_ has joined #openstack-keystone18:58
lbragstadfrom a rest perspective - should the cascade thing be a query string?18:58
htrutalbragstad, pauloegf: https://review.openstack.org/#/c/148730/20/specs/liberty/recursive-deletion.rst@77 makes sense?18:58
*** diazjf has joined #openstack-keystone18:58
RichardRaseleyHow would one delete a role assignment with python-keystoneclient? When attempting a client.role_assignments.delete I get an "MethodNotImplemented: Delete not supported for role assignments" error.18:58
ayounglbragstad, it feels like it should be query string, because there might be multiple modifiers and you end up with API explosion18:58
ayoungbut I can't think what else you would add18:58
htrutaayoung: take a look at the link I've just pasted18:59
pauloegfhtruta, checking18:59
*** ninag has quit IRC18:59
lbragstadhtruta so - henry is making the point that we need a separate policy for the cascade behavior?18:59
*** gokrokve has joined #openstack-keystone18:59
raildoRichardRaseley: I think that you should use openstack client for this operation19:00
ayounghtruta, I think you are on the right track.   Let me ask you this;  if we do /cascade, how will we have limited ourselves, and is that a deliberate choice?19:00
htrutalbragstad: yes19:01
ayoungif, otoh, we made it a query parameter, could we do, say, wildcard matching in the future, or some other traverse the tree operation, and in a non-surprising way?19:01
htrutaayoung: what do you mean by limiting?19:01
ayounghtruta, say I want to delete all projects in a tree that start with demo_19:02
lbragstadhtruta so in that case - i would say do it as a query string and then check for the presence of the query string in the current delete_project method - https://github.com/openstack/keystone/blob/200e7f3dff763087b99df8748d50dd4d2cfc32b8/keystone/resource/core.py#L336-L36219:02
ayoungor all projects in a tree where the owner is htruta19:02
RichardRaseleyraildo: No, I was recommended (in this channel) to use python-keystoneclient directly when developing against Keystone. I am not going to change it at this point. Am interested only in how to delete a role assignment using python-keystoneclient 2.0.019:02
ayoungor any other operation performed over the whole tree19:02
*** jasonsb has quit IRC19:02
ayoungnot just delete19:02
*** ninag has joined #openstack-keystone19:02
*** jsavak has quit IRC19:02
ayoungmaybe I want to disable all of the lbragstad projects but not delete them because there are some htruta owned projects underneath, and I want them to stay around19:03
ayoungstay19:03
RichardRaseleyIt looks like there is a delete method for role_assignments, but it doesn't seem to work in the way that I expected.19:03
ayoungI think query params are the right mechanism.  And then the question is how to enforce policy on them...I will think about that,19:03
*** jsavak has joined #openstack-keystone19:03
lbragstadI have a feeling if query strings are used the policy is going to be in code19:04
notmorganlbragstad: so, the reason things had to be moved in the cache patch was otherwise circular imports19:04
htrutaayoung: I see your problem, but do not see how query string will solve that19:04
raildoRichardRaseley: yeap https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v3/role_assignments.py#L12419:04
*** gokrokve has quit IRC19:04
notmorganlbragstad: revoke.core -> imports common.cache and common.cache._context_proxy can't import revoke.model (since revoke.core is imported from __init__19:05
RichardRaseleyraildo: So how does one 'remove' or 'unset' or 'delete' a role assignment?19:05
RichardRaseleyWhat is the proper nomenclature?19:05
htrutaayoung, lbragstad: I see a query string as a filter of something... In this case, we are kind of doing a different operation19:05
openstackgerritMerged openstack/keystone: Add testcases to check cache invalidation  https://review.openstack.org/25878519:06
htrutalbragstad, ayoung: see this rodrigods comment: https://review.openstack.org/#/c/148730/3/specs/kilo/recursive-deletion.rst@6619:06
lbragstadnotmorgan ah - makes sense19:07
notmorganlbragstad: answering the comment can't be done via phone :(19:07
notmorganlbragstad: because new gerrit ui is broken on mobile devices19:07
notmorgan(massive downside)19:07
*** henrynash has joined #openstack-keystone19:07
*** ChanServ sets mode: +v henrynash19:07
lbragstadnotmorgan no that makes sense... i'll update the review19:07
raildoRichardRaseley: I just know you can do that on openstackclient doing "openstack role remove --user USER_NAME (or group) --project TENANT_ID ROLE_NAME(or domain)"19:07
notmorganoooh look it's snowing19:07
openstackgerritMerged openstack/keystone: Fix trust redelegation and associated test  https://review.openstack.org/26982419:07
openstackgerritMerged openstack/keystone: Online schema migration documentation  https://review.openstack.org/26525219:08
raildoRichardRaseley: but there should be a way to do that on keystoneclient, I just don't know how...19:08
ayounghtruta, so, I am not saying that we should do the wildcard approach here.  I am saying that the query parameter approach supports it better19:08
openstackgerritMerged openstack/keystone: Unit test for checking cross-version migrations compatibility  https://review.openstack.org/24160319:08
RichardRaseleyraildo: OK, thank you for trying to help. =]19:08
ayoungnotmorgan, what do you think of a hardcoded check that admin can never be an implied role?19:08
raildoRichardRaseley: np :)19:09
htrutaRichardRaseley: if you're using the python API, this is the method you should call: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v3/roles.py#L17919:10
notmorganayoung: are we making admin a "special" hard coded role then?19:10
notmorganayoung: i'm not sure what the best solution to the security escalation concern is tbh19:10
ayoungnotmorgan, yes, based on the same logic as is_admin, I think19:10
RichardRaseleyhtruta: That looks like it, thank you!19:10
notmorgantime to board... be back in a bit19:10
ayoungnotmorgan, right now, admin is the root of the tree.  Implying admin by todays standards would be wrong19:10
ayoungits supposed to be a DAG, and admin is the root node19:11
ayoungheh19:11
notmorganftr i'm not apposed to it19:11
ayoungnotmorgan, I'll propose it.  thanks19:11
notmorganjust not sure what the "best" / "correct for now" / "whatever" option is19:11
*** timcline has joined #openstack-keystone19:12
htrutaayoung: but do you agree that the query parameter just seems conceptually wrong:19:12
RichardRaseleyhtruta: Hmm... I don't seem to have access to that method...19:12
RichardRaseley'revoke'19:12
*** dims has joined #openstack-keystone19:13
*** r-daneel has quit IRC19:18
*** ninag has quit IRC19:21
htrutalbragstad: who's the rest guru here? I'm looking for some guideline that says that "we only have query params for GET and HEAD calls in REST APIs" as in the spec19:21
*** ninag has joined #openstack-keystone19:21
*** ninag has quit IRC19:22
*** ninag has joined #openstack-keystone19:22
notmorganAnd get must mirror head except no body returned.19:22
19:23 <openstackgerrit> henry-nash proposed openstack/keystone: Verify project unique constraints for projects acting as domains  https://review.openstack.org/158372
19:24 *** dims has quit IRC
19:27 <openstackgerrit> henry-nash proposed openstack/keystone: Add tests in preparation of projects acting as a domain  https://review.openstack.org/272369
19:27 *** browne has joined #openstack-keystone
19:28 <lbragstad> htruta i'm not sure - notmorgan do you have any advice on that?
19:28 <notmorgan> What is the question?
19:28 *** simondodsley has quit IRC
19:28 <lbragstad> notmorgan what makes more sense...
19:29 <lbragstad> notmorgan DELETE /v3/projects/{project_id}/cascade or DELETE /v3/projects/{project_id}?cascade
19:30 <notmorgan> Uhmm not the query string
19:30 <notmorgan> Cascade is an action
19:32 <lbragstad> ok
19:34 <notmorgan> OK reading a bit more
19:35 <notmorgan> Often query strings are used in this context
19:35 <notmorgan> E.g. ?wipeData=true
19:35 <notmorgan> So, no "wrong" way to do it
19:36 <notmorgan> And the more I think the more the query string is correct because this isn't a resource called "cascade"
19:36 <notmorgan> Sorry for backtracking.
19:36 <lbragstad> notmorgan no - that makes sense
19:37 <lbragstad> notmorgan that's the big reason why I wasn't sure about DELETE /projects/{project_id}/cascade
19:37 <lbragstad> because it would seem like something owned by a project
19:37 <lbragstad> notmorgan so maybe a better example would be DELETE /project/{project_id}?cascade=true
19:39 <htruta> lbragstad, notmorgan: I see the cascade here as another operation, not a subset of the original
19:39 *** daemontool_ has joined #openstack-keystone
19:40 <notmorgan> lbragstad: ++
19:40 <notmorgan> Or delete projects is the cascade
19:40 *** clenimar has joined #openstack-keystone
19:41 <htruta> henrynash: any thoughts on the discussion DELETE /v3/projects/{project_id}/cascade or DELETE /v3/projects/{project_id}?cascade ?
19:41 <htruta> henrynash: since you were active at the spec
19:43 *** daemontool has quit IRC
19:43 <henrynash> htruta: so one thing to consider is that you will likely want a separate policy rule for cascade operations
19:43 <henrynash> htruta: I know that doesn't clinch the argument, since you can ensure a separate policy rule for either proposed API
19:44 *** ninag has quit IRC
19:45 *** ninag has joined #openstack-keystone
19:45 <lbragstad> can our current routers.py route API calls to a specific controller method if a particular query string is present?
19:45 <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/269479
19:45 <htruta> lbragstad: I don't think so... that's why I couldn't make it in a single method too
19:46 <lbragstad> htruta ah - so *if* we able to do that we'd be able to enforce policy like we normally do
19:46 <lbragstad> we were*
19:46 <henrynash> htruta: for better, for worse we do support GET /role_assignments?project_id=XYZ&include_subtree=true
19:46 <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/269479
19:48 <htruta> lbragstad: I guess we can make the enforcement of it using the context
19:48 <henrynash> lbragstad, htruta: you can make a separate route work - see role_assignment list methods
19:48 <lbragstad> henrynash with a query string?
19:48 <henrynash> lbragstad: you have to be sneaky!
19:49 <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/269479
19:49 <henrynash> lbragstad: basically you have an (unprotected) wrapper method that then calls the different (protected) methods for different variants of the API
19:49 <lbragstad> henrynash huh - interesting...
19:49 <lbragstad> htruta ^ that might be an option?
19:50 <henrynash> lbragstad: see list_role_assignments_wrapper() in assignment/controller.py
19:50 <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updating sample configuration file  https://review.openstack.org/269479
19:51 <henrynash> lbragstad, htruta: which is doing exactly what you would need to do...for a very similar reason
19:51 <htruta> lbragstad: sure it is an option for the enforcement stuff
19:52 *** henrynash has quit IRC
19:52 <htruta> henrynash, lbragstad: I'm just thinking if it conceptually makes sense (looks like it does) and a little bit concerned that we go against the spec
19:52 *** gokrokve has joined #openstack-keystone
19:53 *** edmondsw has quit IRC
19:54 *** ninag has quit IRC
19:55 *** ninag has joined #openstack-keystone
19:55 *** henrynash has joined #openstack-keystone
19:55 *** ChanServ sets mode: +v henrynash
19:56 *** gokrokve has quit IRC
19:57 *** avarner has joined #openstack-keystone
19:58 *** ninag has quit IRC
19:58 *** rcernin has quit IRC
19:59 *** ninag has joined #openstack-keystone
19:59 *** pgbridge_ has quit IRC
20:01 *** ninag_ has joined #openstack-keystone
20:02 *** gokrokve has joined #openstack-keystone
20:02 *** henrynash has quit IRC
20:02 *** jsavak has quit IRC
20:02 *** ninag_ has quit IRC
20:02 *** ninag_ has joined #openstack-keystone
20:03 *** jsavak has joined #openstack-keystone
20:03 *** ninag has quit IRC
20:06 *** vgridnev has joined #openstack-keystone
20:11 *** diazjf has quit IRC
20:15 <ayoung> GAH
20:15 <ayoung> htruta, I am not happy
20:16 <htruta> ayoung: why is that? open your heart
20:16 <ayoung> htruta, DID YOU JUST IGNORE ME!
20:16 *** pgbridge_ has joined #openstack-keystone
20:16 <ayoung> htruta, I did not press submit fast enough and the review went through
20:16 <raildo> lol
20:16 <ayoung> htruta, it should not be a separate path
20:16 <htruta> ayoung: lol
20:16 <ayoung> henry nash should have known better, too
20:17 <ayoung> laugh all you want, I'm not happy
20:17 <ayoung> you asked my opinion
20:17 <ayoung> and I made it clear
20:17 <ayoung> I don't have infinite bandwidth
20:17 <ayoung> it should not be a separate policy rule
20:17 <ayoung> it should not be a separate URL
20:18 <ayoung> see my responses on the last revision
20:18 <htruta> ayoung: sorry. I just got convinced that, as notmorgan said, it'd make sense to have this as a filter
20:18 <htruta> ayoung: will look at your review
20:18 *** lhcheng_ has joined #openstack-keystone
20:18 <ayoung> as a filter or not as a filter?
20:19 <ayoung> htruta, they are wrong
20:19 <ayoung> I know it is a pain getting things in to Keystone, but when I make a point, please take it to heart
20:20 <ayoung> and neither of the others are here to argue with now...
20:20 <ayoung> gah
20:20 <ayoung> htruta, ok...I'm assigning you homework
20:20 <htruta> ayoung: we decided to do it as a filter enforcing a new rule
20:20 <ayoung> htruta, https://en.wikipedia.org/wiki/Visitor_pattern
20:20 <htruta> ayoung: looks like we're not doing a new rule
20:21 *** jbell8 has quit IRC
20:21 <ayoung> so, no. it is not a new route,  it should be a query param, and we should be able to mix in multiple
20:21 *** jbell8 has joined #openstack-keystone
20:21 <ayoung> hmmmm
20:21 *** lhcheng has quit IRC
20:21 <ayoung> OK...I think I can work with this.
20:22 *** gildub has joined #openstack-keystone
20:22 <ayoung> we can say that /cascade implies it should be done on all below, regardless of the operation, and additional query params can determine if it applies etc
20:22 <ayoung> but the policy needs to be the policy for the child node
20:22 *** timcline has quit IRC
20:22 <ayoung> now a new policy rule...
20:22 <ayoung> that should be
20:22 <htruta> ayoung: now, I'm officially confused
20:23 <ayoung> *not* a new policy rule...
20:24 *** mhickey has joined #openstack-keystone
20:24 <ayoung> htruta, if you do DELETE projects/<project_id>  it is just that project, and fails if there are children.  If you do DELETE projects/<project_id>/cascade  it should fail if it would fail on any of the child nodes
20:24 <ayoung> not a new policy rule
20:24 <ayoung> got me so far?
20:25 <htruta> ayoung: yes
20:25 <ayoung> OK,  so what I am saying that I *can* work with is that /cascade implies "apply this operation to child nodes" and you could add additional filters on top of that
20:25 <ayoung> it's kind of dumb
20:26 <ayoung> it should be ?cascade&filter1  but hey
20:26 <ayoung> because some of the filters would probably imply recurse anyway
20:27 <ayoung> it's just frustrating when you pull me into a discussion, I make a point, go to submit it on the code review, and see the review has merged
20:27 <htruta> ayoung: that shouldn't be a problem, because we don't allow any filter on delete/update projects so far
20:27 <htruta> we'd only allow the ?cascade param
20:28 <ayoung> htruta, I suspect we are doing a one off here.  We really need to think about all the operations across a tree. Doing that in a consistent manner
20:28 <ayoung> adding a ?cascade parameter to, say, assign role to user in project (explicit, as opposed to inherited) for example
20:28 <ayoung> or anything else we want to do across the tree.
20:29 <ayoung> we really don't want to have to create a new URL for everything
20:29 <ayoung> applying policy check across the tree should not be too hard.
20:29 <ayoung> We probably want something like :
20:30 <ayoung> check_policy_for_tree(rule, root_project, context)
20:30 *** mylu has joined #openstack-keystone
20:30 <ayoung> that we could use for whenever the cascade parameter is allowed
20:31 <ayoung> htruta, meh, whatever..I'm headed back to implied roles
20:31 *** diazjf has joined #openstack-keystone
20:31 <raildo> lbragstad: I think that I have found an error... when we are using fernet tokens with trust on the authenticate method, the trust will be consumed: https://github.com/openstack/keystone/blob/master/keystone/token/controllers.py#L148-L149
20:32 <htruta> ayoung: I see
20:33 *** rcernin has joined #openstack-keystone
20:33 <raildo> lbragstad: but here: https://github.com/openstack/keystone/blob/master/keystone/trust/backends/sql.py#L91-L93 this query_result is none, but we have a trust_id...
20:33 <ayoung> htruta, your homework is to explain to me how the visitor pattern applies here, and for HTM in general.
20:33 <ayoung> https://en.wikipedia.org/wiki/Visitor_pattern
20:33 *** flwang has left #openstack-keystone
20:33 <htruta> ayoung: ok :)
20:33 *** jsavak has quit IRC
20:34 *** roxanaghe has quit IRC
20:34 *** jsavak has joined #openstack-keystone
20:34 <openstackgerrit> Paulo Ewerton Gomes Fragoso proposed openstack/keystone: Manager support for project cascade delete  https://review.openstack.org/244149
20:34 *** gokrokve has quit IRC
20:36 <raildo> lbragstad: I'll try to verify where on the code we should be using this TrustModel table
20:36 *** harlowja_ has joined #openstack-keystone
20:36 *** gokrokve has joined #openstack-keystone
20:37 *** harlowja has quit IRC
20:38 *** jbell8 has quit IRC
20:38 *** jbell8_ has joined #openstack-keystone
20:38 <raildo> lbragstad: btw this is one of the tests that are broken on this behavior: https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_auth.py#L1135
20:42 *** mylu has quit IRC
20:43 <ayoung> htruta, raildo I have been laughing at myself for the past 5 minutes....didn't realize that spec had merged last summer
20:43 <ayoung> sorry for overreaction.  I need to pay attention to details
20:44 <raildo> ayoung: np :)
20:44 *** mylu has joined #openstack-keystone
20:44 <ayoung> where is the corresponding code review raildo ?
20:44 <htruta> ayoung: here it is: https://review.openstack.org/#/c/244248/11/doc/source/policy_mapping.rst
20:45 *** harlowja has joined #openstack-keystone
20:45 *** harlowja_ has quit IRC
20:45 <raildo> ayoung: for the fernet error?
20:46 *** AJaeger has joined #openstack-keystone
20:46 <AJaeger> hi keystone cores, could I get another +2 on a keystoneauth patch to remove argparse, please? https://review.openstack.org/270370
20:47 *** mylu has quit IRC
20:47 <ayoung> raildo, I won't -2, but please consider that comment sticky until addressed or you get me to retract it
20:47 <ayoung> raildo, no, on cascade
20:48 <htruta> ayoung: that's on me and pauloegf
20:48 <ayoung> htruta, deal.
20:48 <htruta> raildo is kind of innocent in that
20:48 <raildo> ayoung: htruta this is open source, I can fix it ¬¬
20:48 <raildo> (i'm kidding)
20:49 <ayoung> htruta, tree operations should, in general, follow the pattern you would see using a file system, but better to be more transactional
20:49 <ayoung> so check permissions on each node of the tree, then execute on each
20:49 *** mylu has joined #openstack-keystone
20:50 <htruta> ayoung: got it
20:54 *** raildo is now known as raildo-afk
20:54 *** diazjf has quit IRC
20:55 *** bknudson has joined #openstack-keystone
20:55 *** ChanServ sets mode: +v bknudson
20:57 *** clenimar has quit IRC
21:00 *** daemontool has joined #openstack-keystone
21:03 *** daemontool_ has quit IRC
21:04 *** AJaeger has left #openstack-keystone
21:05 *** pauloegf has quit IRC
21:06 *** diazjf has joined #openstack-keystone
21:07 *** daemontool_ has joined #openstack-keystone
21:09 *** jsavak has quit IRC
21:10 *** jsavak has joined #openstack-keystone
21:10 *** daemontool has quit IRC
21:11 <mfisch> hey keystoners (who are not flying): you ever seen a case where the catalog is okay but endpoint-list is blank?
21:11 <mfisch> the db is also ok
21:23 *** timcline has joined #openstack-keystone
21:23 <mfisch> nm
21:23 <mfisch> v3 vs v2 issue
21:23 *** boris-42 has quit IRC
21:25 *** richm has quit IRC
21:28 *** timcline has quit IRC
21:28 *** rcernin has quit IRC
21:30 *** timcline has joined #openstack-keystone
21:30 *** avarner_ has joined #openstack-keystone
21:31 *** lhcheng_ has quit IRC
21:32 *** lhcheng has joined #openstack-keystone
21:32 *** ChanServ sets mode: +v lhcheng
21:32 *** EinstCrazy has joined #openstack-keystone
21:33 *** vgridnev has quit IRC
21:34 *** avarner has quit IRC
21:35 *** timcline has quit IRC
21:38 *** avarner_ has quit IRC
21:39 *** jaosorior_ has quit IRC
21:41 *** mylu has quit IRC
21:49 *** timcline has joined #openstack-keystone
21:51 *** ayoung has quit IRC
21:51 <lbragstad> mfisch got it figured out?
21:54 *** richm has joined #openstack-keystone
21:57 *** e0ne has quit IRC
21:58 <mfisch> lbragstad: yeah puppet is using v3 to make endpoints and the v2 api call can't figure it out
21:58 <mfisch> so keystone endpoint-list won't work
21:58 <mfisch> I'm going to start dropping a v3 API openrc file into place too
21:58 *** ayoung has joined #openstack-keystone
21:58 *** ChanServ sets mode: +v ayoung
21:59 *** avarner has joined #openstack-keystone
21:59 <openstackgerrit> ayoung proposed openstack/keystone: Implied Roles API  https://review.openstack.org/242614
22:00 <lbragstad> mfisch ah - ok makes sense
22:01 <mfisch> I told the team WWAYD v3!!!
22:05 *** tonytan4ever has quit IRC
22:06 *** gokrokve has quit IRC
22:06 *** mylu has joined #openstack-keystone
22:07 *** diazjf has quit IRC
22:08 *** su_zhang has quit IRC
22:10 *** diazjf has joined #openstack-keystone
22:14 *** alexvictorchan has joined #openstack-keystone
22:14 *** mylu has quit IRC
22:15 *** mhickey has quit IRC
22:16 *** mylu has joined #openstack-keystone
22:16 <bknudson> openrc should set OS_CLOUD
22:17 *** jsavak has quit IRC
22:18 *** jsavak has joined #openstack-keystone
22:21 <jamielennox> mfisch, bknudson: agreed, don't worry too much about a v3 openrc, switch to using OS_CLOUD
22:23 *** daemontool has joined #openstack-keystone
22:25 *** jbell8_ has quit IRC
22:27 *** daemontool_ has quit IRC
22:31 *** timcline has quit IRC
22:31 *** gokrokve has joined #openstack-keystone
22:35 <openstackgerrit> Brant Knudson proposed openstack/keystone: Update bandit.yaml  https://review.openstack.org/267044
22:35 <openstackgerrit> Brant Knudson proposed openstack/keystone: Enable bandit tests  https://review.openstack.org/267051
22:35 *** jsavak has quit IRC
22:36 *** gokrokve has quit IRC
22:36 *** jsavak has joined #openstack-keystone
22:38 <tjcocozz> Tom Cocozzello proposed openstack/python-openstackclient: Return names in list role assignments https://review.openstack.org/#/c/255363 :-)
22:39 *** e0ne has joined #openstack-keystone
22:39 *** daemontool_ has joined #openstack-keystone
22:41 *** su_zhang has joined #openstack-keystone
22:42 *** daemontool has quit IRC
22:47 *** tonytan4ever has joined #openstack-keystone
22:48 *** ninag_ has quit IRC
22:48 *** ninag has joined #openstack-keystone
22:52 *** mylu has quit IRC
22:52 *** henrynash has joined #openstack-keystone
22:52 *** ChanServ sets mode: +v henrynash
22:52 *** ninag has quit IRC
22:54 *** pnavarro has quit IRC
22:54 *** boris-42 has joined #openstack-keystone
22:55 *** dims has joined #openstack-keystone
22:55 *** alexvictorchan has quit IRC
22:55 *** mylu has joined #openstack-keystone
22:55 <openstackgerrit> Ron De Rose proposed openstack/keystone: Shadow users: unified identity - Separate user identities  https://review.openstack.org/262045
22:56 <openstackgerrit> Ron De Rose proposed openstack/keystone: Shadow users: unified identity - Separate user identities  https://review.openstack.org/262045
22:59 *** tonytan4ever has quit IRC
23:00 *** doug-fish has quit IRC
23:02 *** e0ne has quit IRC
23:06 *** ebalduf has joined #openstack-keystone
23:19 *** jsavak has quit IRC
23:21 *** avarner has quit IRC
23:22 *** diazjf has quit IRC
23:24 <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/272790
23:24 <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/272791
23:24 <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/272792
23:26 *** mylu has quit IRC
23:28 <openstackgerrit> OpenStack Proposal Bot proposed openstack/oslo.policy: Updated from global requirements  https://review.openstack.org/272817
23:28 *** gokrokve has joined #openstack-keystone
23:28 *** sigmavirus24 is now known as sigmavirus24_awa
23:28 <openstackgerrit> OpenStack Proposal Bot proposed openstack/pycadf: Updated from global requirements  https://review.openstack.org/272824
23:28 *** roxanaghe has joined #openstack-keystone
23:28 *** darrenc is now known as darrenc_afk
23:28 *** ebalduf has quit IRC
23:28 <openstackgerrit> OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/272825
23:28 *** spzala has quit IRC
23:29 *** spzala has joined #openstack-keystone
23:29 *** spzala has quit IRC
23:29 *** spzala has joined #openstack-keystone
23:31 *** ebalduf has joined #openstack-keystone
23:32 *** ebalduf has quit IRC
23:33 *** gokrokve has quit IRC
23:33 *** alexvictorchan has joined #openstack-keystone
23:36 *** pushkaru has quit IRC
23:36 *** darrenc_afk is now known as darrenc
23:36 *** pushkaru has joined #openstack-keystone
23:36 <navidp> jamielennox,
23:38 *** mylu has joined #openstack-keystone
23:38 <navidp> jamielennox, hi, I have a question: where is this options.url getting its value or being initialized? https://github.com/openstack/python-openstackclient/blob/master/openstackclient/shell.py#L211-L215
23:39 <jamielennox> navidp: oh, bah, that's kinda stupid
23:39 <jamielennox> ok
23:39 *** mylu has quit IRC
23:41 <navidp> jamielennox, looking at tests in openstack client, I put a traceback in the use service token part and it never gets called
23:42 <jamielennox> navidp: so here OSC is looping through every plugin in the system and installing every possible option into the --help text
23:42 <jamielennox> https://github.com/openstack/python-openstackclient/blob/master/openstackclient/api/auth.py#L52
23:42 <jamielennox> this is terrible and has been discussed a few times
23:43 <jamielennox> OSC registers its own plugin https://github.com/openstack/python-openstackclient/blob/master/openstackclient/api/auth_plugin.py#L53 that has url and token options
23:43 *** pushkaru has quit IRC
23:43 <jamielennox> so basically it's saying if the users have set url and token but not auth_type == token_endpoint then set it for them
23:44 <jamielennox> and that's a compatibility thing because of how OSC worked prior to plugins
23:44 <jamielennox> navidp: if you can kill off that loop through all plugins that would be great
23:46 <navidp> jamielennox, i would definitely wanna do that, so is it getting used with current plugins?
23:47 <navidp> jamielennox, shouldn't it get the default domain from conf instead of hard coding it? https://github.com/openstack/python-openstackclient/blob/master/openstackclient/shell.py#L41
23:47 <jamielennox> navidp: so yea, by setting auth_type = token_endpoint L213 it means that it's going to use the OSC specific plugin
23:48 *** mylu has joined #openstack-keystone
23:48 <navidp> jamielennox, are there any tests in osc that test this L213?
23:48 <jamielennox> in ksa we 'compromised' and now the admin_token plugin access URL/TOKEN https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/loading/_plugins/admin_token.py#L26
23:48 <jamielennox> navidp: i'm not sure
23:49 <jamielennox> delete it and check
23:49 <navidp> jamielennox, put a traceback, didn't get caught
23:49 <openstackgerrit> henry-nash proposed openstack/keystone: Projects acting as domains  https://review.openstack.org/231289
23:49 <jamielennox> navidp: not good - but not surprising
23:50 <navidp> jamielennox, thanks, i think this was the part that i was looking for :)
23:52 <jamielennox> navidp: so you can tell from the ksa register function whether a plugin is chosen, but i don't know if you can tell from os-client-config
23:52 *** lhcheng has quit IRC
23:53 <jamielennox> https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/loading/cli.py#L46
23:53 <jamielennox> so from a pure KSA perspective the way i'd do that is
23:53 <jamielennox> if not loading.register_argparse_arguments(..):
23:54 <jamielennox>     parser.add_argument('--os-url', default=env.get('OS_URL'))
23:55 <navidp> jamielennox, i will try this and see what i get, thanks for your help
23:55 <jamielennox> same for token and that way when load_from_argparse_arguments failed you would be able to check the value of options.os_url and options.os_token without relying on the plugins being registered
23:55 *** shoutm has joined #openstack-keystone
23:56 <jamielennox> i'm not familiar enough with how os-c-c handles argparse to know if that would work the same way
23:56 *** pushkaru has joined #openstack-keystone
23:57 <navidp> jamielennox, do you know who I should contact for it?
23:58 <jamielennox> for os-c-c? mordred and maybe greghaynes
23:58 <navidp> jamielennox, ok will do
23:59 <jamielennox> it's likely you're pushing the boundaries of it, so generally figure out what you need and he'll readily take patches

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!