Thursday, 2016-09-01

rderose	dstanek: saw your comment regarding 362501; there is a follow up patch just in case someone has already migrated 105.	00:07
rderose	dstanek: here is the follow up patch: https://review.openstack.org/#/c/362510/	00:07
rderose	dstanek: I'd also add that we've fixed migrations in the past	00:08
dstanek	rderose: yeah, i saw that. didn't get around to testing the behavior yet	00:10
rderose	dstanek: and I'm trying to think of the risks for operators, I think it would be fine	00:11
openstackgerrit	Adrian Turjak proposed openstack/keystone-specs: Optional MFA via password + TOTP auth plugin https://review.openstack.org/345113	00:11
dstanek	why would you need two commits for this?	00:11
rderose	dstanek: in case someone has migrated to 105 and then upgrades again	00:11
rderose	upgrades from that point	00:11
dstanek	i mean what's the point of the first review? if they don't have it applied then both get applied at the same time. if the have 105 then they just get the second	00:12
rderose	dstanek: yeah, the first patch they get it applied and if applied, the second migration is ignored.	00:13
rderose	And right, if they have 105, the second patch would fix that column	00:13
rderose	dstanek: I recognize this is not ideal, but we need to be able to make adjustments like this in the middle of a release.	00:14
rderose	dstanek: at least that's my opinion :)	00:14
dstanek	rderose: you did in a follow up	00:15
rderose	true	00:15
dstanek	i don't get why you need to change the original if you have a followup migration	00:15
rderose	but thought I would fix the 105 migration	00:15
dstanek	then you have two paths that a user could have use to migrate. makes debugging later harder	00:16
rderose	dstanek: good point, but the fix to the original patch is cleaner and less code	00:16
rderose	dstanek: and like I said, we've fixed migrations in the past	00:16
dstanek	i don't think we can if we want the ability to release close to master	00:17
dstanek	it's a side effect that we'll have to deal with	00:17
rderose	dstanek: yeah	00:17
dstanek	it's only less code if you didn't have to do the followup. since you do it's just more code	00:17
*** rakhmerov has quit IRC		00:18
dstanek	to me this is like fixing a commit in git...you merged so now there is no fixing	00:19
dstanek	only with a new commit	00:19
rderose	dstanek: so no need for the second patch? is that your point	00:20
rderose	dstanek: okay, I see your point. you saying there is no fixing the original migration	00:21
dstanek	i don't see the point	00:23
*** rakhmerov has joined #openstack-keystone		00:23
dstanek	rderose: i'm interested to see other weigh in on that patch	00:24
rderose	dstanek: sounds good	00:25
*** browne has quit IRC		00:32
*** sto has quit IRC		00:46
*** sto has joined #openstack-keystone		00:46
*** gyee has quit IRC		00:51
*** chrichip has quit IRC		00:52
*** chrichip has joined #openstack-keystone		00:53
*** Michaellaneous has quit IRC		01:01
*** spzala has quit IRC		01:02
*** chlong has joined #openstack-keystone		01:18
*** tqtran has quit IRC		01:19
*** wangqun has joined #openstack-keystone		01:27
*** esp has quit IRC		01:32
*** spzala has joined #openstack-keystone		01:38
*** chrichip has quit IRC		01:38
*** EinstCrazy has joined #openstack-keystone		01:39
*** EinstCrazy has quit IRC		01:39
*** EinstCrazy has joined #openstack-keystone		01:39
*** chrichip has joined #openstack-keystone		01:39
*** hockeynut has quit IRC		01:43
*** spzala has quit IRC		01:43
*** ayoung has joined #openstack-keystone		01:43
*** ChanServ sets mode: +v ayoung		01:43
*** spzala has joined #openstack-keystone		01:45
*** davechen has joined #openstack-keystone		01:53
*** esp has joined #openstack-keystone		01:58
*** woodster_ has quit IRC		01:59
*** itisha has quit IRC		02:00
*** EinstCra_ has joined #openstack-keystone		02:04
*** spzala has quit IRC		02:05
*** esp has quit IRC		02:05
*** sdake has quit IRC		02:06
*** EinstCrazy has quit IRC		02:08
*** chrichip has quit IRC		02:16
*** chrichip has joined #openstack-keystone		02:17
*** tqtran has joined #openstack-keystone		02:18
*** tqtran has quit IRC		02:22
*** rreimberg has quit IRC		02:28
*** edtubill has joined #openstack-keystone		02:28
*** EinstCra_ has quit IRC		02:36
*** EinstCrazy has joined #openstack-keystone		02:37
*** jamielennox\|away is now known as jamielennox		02:41
*** su_zhang has joined #openstack-keystone		02:53
*** chrichip has quit IRC		02:54
*** chrichip has joined #openstack-keystone		02:55
*** esp has joined #openstack-keystone		03:03
stevemar	rderose: dstanek wheres that patch at now? i still think there should just be one migration to solve it :\	03:14
stevemar	lbragstad: o/	03:14
rderose	stevemar: fix the original patch? Or, just have the follow up patch?	03:15
stevemar	rderose: have a migration 002 that fixes it, should never alter original migrations	03:15
rderose	stevemar: we've fixed migrations in the past, so that is what I was thinking	03:15
rderose	stevemar: okay, makes sense	03:15
rderose	stevemar: have the solution now, so it will be a piece of cake	03:16
rderose	stevemar: will take care of in the morning	03:16
stevemar	rderose: coolio	03:16
rderose	:)	03:17
stevemar	rderose: that can also go into rc-1, so no worries	03:17
rderose	okay, cool	03:17
rderose	I may way until early next week then (maybe)	03:18
rderose	stevemar: driving back home to phoenix tomorrow afternoon	03:18
rderose	relocating home :)	03:18
stevemar	rderose: oooohhh that's goodness	03:18
rderose	stevemar: yeah, totally excited	03:19
stevemar	rderose: try to post whatever you have, someone else can take over if necessary	03:19
stevemar	we're a team <3	03:19
rderose	cool, will do	03:19
stevemar	feenicks	03:19
stevemar	whoever decided to spell feenicks as phoenix is just cruel	03:19
rderose	yeah	03:19
stevemar	probably the same person who decided to spell it quinoa	03:19
stevemar	keynua, obviously	03:20
rderose	feenicks ;) not my original home, but my home for the past 8 years	03:20
rderose	probably	03:20
stevemar	rderose: so next midcycle there right?	03:20
stevemar	so i can escape the cold	03:20
rderose	yeah, already have approval	03:20
rderose	totally, it will be perfect	03:20
openstackgerrit	Merged openstack/keystone: Add documentation on how to set a user's tenant. https://review.openstack.org/363292	03:21
rderose	big campus in AZ, so there will be plenty of room	03:21
stevemar	see what all the hoopla is about at intel	03:21
rderose	hahaha	03:21
rderose	hey and we've got hoops there	03:21
rderose	have to get you on court	03:21
rderose	big man	03:22
openstackgerrit	Merged openstack/keystone: Update sample uwsgi config for lazy-apps https://review.openstack.org/363929	03:22
stevemar	rderose: i'm great as long as no one else taller than me is playing	03:22
rderose	you Canadian guys do play ball don't you?	03:22
rderose	hahaha	03:23
openstackgerrit	Steve Martinelli proposed openstack/keystone: Relax the requirement for mappings to result in group memberships https://review.openstack.org/358111	03:24
stevemar	rderose: not well :P	03:31
rderose	:) it's all good	03:32
rderose	we have volley ball courts as well, ping pong...	03:32
*** davechen has quit IRC		03:34
*** davechen has joined #openstack-keystone		03:35
stevemar	rderose: you all booked for barcelona?	03:39
rderose	stevemar: just got approval yesterday	03:40
stevemar	rderose: nice	03:40
rderose	stevemar: i'll be there	03:40
rderose	yeah :)	03:40
stevemar	now to submit expense reports :\	03:42
rderose	fun :)	03:43
*** ayoung has quit IRC		03:47
*** dikonoor has joined #openstack-keystone		03:48
*** su_zhang has quit IRC		03:48
*** chrichip has quit IRC		03:48
*** su_zhang has joined #openstack-keystone		03:48
openstackgerrit	Ron De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable https://review.openstack.org/362501	03:53
*** su_zhang has quit IRC		03:53
openstackgerrit	Ron De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable https://review.openstack.org/362501	03:58
rderose	stevemar: ^ this should be ready	04:00
stevemar	rderose: nice	04:02
*** spzala has joined #openstack-keystone		04:05
*** jamielennox is now known as jamielennox\|away		04:05
*** su_zhang has joined #openstack-keystone		04:07
*** spzala has quit IRC		04:10
*** edtubill has quit IRC		04:24
*** su_zhang has quit IRC		04:24
*** su_zhang has joined #openstack-keystone		04:24
*** esp has quit IRC		04:25
openstackgerrit	Ron De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable https://review.openstack.org/362501	04:27
openstackgerrit	Ron De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable https://review.openstack.org/362501	04:28
*** su_zhang has quit IRC		04:28
*** links has joined #openstack-keystone		04:32
openstackgerrit	Merged openstack/keystone: Pre-cache new tokens https://review.openstack.org/309146	04:33
*** Gorian has joined #openstack-keystone		04:35
*** jraim has quit IRC		04:36
*** jraim has joined #openstack-keystone		04:36
*** esp has joined #openstack-keystone		04:37
*** zhiyan has quit IRC		04:38
*** nikhil has quit IRC		04:38
*** samueldmq has quit IRC		04:38
*** nikhil has joined #openstack-keystone		04:40
*** zhiyan has joined #openstack-keystone		04:40
*** samueldmq has joined #openstack-keystone		04:42
*** ChanServ sets mode: +v samueldmq		04:42
*** dtroyer has quit IRC		04:44
*** spedione\|AWAY has quit IRC		04:44
*** dtroyer has joined #openstack-keystone		04:44
*** esp has quit IRC		04:45
*** spedione\|AWAY has joined #openstack-keystone		04:49
*** spedione\|AWAY is now known as spedione		04:49
*** roxanaghe has quit IRC		04:56
*** pcaruana has quit IRC		04:57
*** wangqun_ has joined #openstack-keystone		04:59
*** wangqun has quit IRC		05:00
*** cargonza has quit IRC		05:04
*** jamielennox\|away is now known as jamielennox		05:04
*** cargonza has joined #openstack-keystone		05:05
*** roxanaghe has joined #openstack-keystone		05:11
*** AndyWojo has quit IRC		05:13
*** wolsen has quit IRC		05:13
*** andrewbogott has quit IRC		05:13
*** AndyWojo has joined #openstack-keystone		05:14
*** wolsen has joined #openstack-keystone		05:14
*** andrewbogott has joined #openstack-keystone		05:15
*** sdake has joined #openstack-keystone		05:23
*** roxanaghe has quit IRC		05:26
*** maestropandy has joined #openstack-keystone		05:28
*** roxanaghe has joined #openstack-keystone		05:31
*** roxanaghe has quit IRC		05:38
*** richm has quit IRC		05:39
*** adriant has quit IRC		05:49
*** edmondsw has joined #openstack-keystone		05:59
*** edmondsw has quit IRC		06:00
*** maestropandy has left #openstack-keystone		06:01
*** BharatK_ has joined #openstack-keystone		06:06
*** rcernin has quit IRC		06:08
*** amakarov_away has quit IRC		06:09
*** rakhmerov has quit IRC		06:10
*** tsufiev has quit IRC		06:10
*** amakarov has joined #openstack-keystone		06:12
*** rakhmerov has joined #openstack-keystone		06:13
*** tsufiev has joined #openstack-keystone		06:15
*** divyakkonoor has joined #openstack-keystone		06:18
*** jlk` has joined #openstack-keystone		06:21
*** jlk has quit IRC		06:21
*** dikonoor has quit IRC		06:21
*** pcaruana has joined #openstack-keystone		06:30
*** rcernin has joined #openstack-keystone		06:41
*** tsufiev has quit IRC		06:41
*** amakarov has quit IRC		06:41
*** rakhmerov has quit IRC		06:42
*** rcernin has quit IRC		06:45
*** rcernin has joined #openstack-keystone		06:45
openstackgerrit	Eric Brown proposed openstack/keystone: Correct typo in mapping_populate command's help https://review.openstack.org/364092	06:45
*** rakhmerov has joined #openstack-keystone		06:49
*** tsufiev has joined #openstack-keystone		06:53
*** amakarov has joined #openstack-keystone		06:56
*** tesseract- has joined #openstack-keystone		07:03
*** spzala has joined #openstack-keystone		07:06
*** spzala has quit IRC		07:10
*** jamielennox is now known as jamielennox\|away		07:17
*** jpena\|off is now known as jpena		07:18
*** BharatK_ has quit IRC		07:18
*** nkinder has quit IRC		07:21
*** jlvillal has quit IRC		07:22
*** jlvillal has joined #openstack-keystone		07:23
*** nkinder has joined #openstack-keystone		07:24
openstackgerrit	Merged openstack/keystone: Relax the requirement for mappings to result in group memberships https://review.openstack.org/358111	07:38
*** sdake has quit IRC		07:43
*** sdake has joined #openstack-keystone		07:44
*** zzzeek has quit IRC		08:00
*** zzzeek has joined #openstack-keystone		08:00
*** jaosorior has joined #openstack-keystone		08:04
*** BharatK has joined #openstack-keystone		08:15
*** BharatK has quit IRC		08:16
*** BharatK has joined #openstack-keystone		08:17
breton	o/	08:18
*** BharatK has quit IRC		08:24
*** asettle has joined #openstack-keystone		08:26
*** BharatK has joined #openstack-keystone		08:28
*** joerch has joined #openstack-keystone		08:47
*** dobson` has joined #openstack-keystone		08:53
*** jhesketh_ has joined #openstack-keystone		08:54
*** HenryG_ has joined #openstack-keystone		08:54
*** jlvillal_ has joined #openstack-keystone		08:57
*** jlvillal has quit IRC		08:58
*** afred312 has quit IRC		08:58
*** jhesketh has quit IRC		08:58
*** darrenc has quit IRC		08:58
*** lamt has quit IRC		08:58
*** bapalm has quit IRC		08:58
*** dobson has quit IRC		08:58
*** HenryG has quit IRC		08:58
*** anteaya has quit IRC		08:58
*** brad[] has quit IRC		08:58
*** aloga has quit IRC		08:58
*** Anticimex has quit IRC		08:58
*** jidar has quit IRC		08:58
*** bapalm has joined #openstack-keystone		08:59
*** Anticimex has joined #openstack-keystone		09:00
*** aloga has joined #openstack-keystone		09:00
*** jlvillal_ is now known as jlvillal		09:00
*** jlvillal is now known as Guest77956		09:01
*** afred312 has joined #openstack-keystone		09:03
*** darrenc has joined #openstack-keystone		09:03
*** lamt has joined #openstack-keystone		09:03
*** anteaya has joined #openstack-keystone		09:03
*** brad[] has joined #openstack-keystone		09:03
*** jidar has joined #openstack-keystone		09:03
*** asettle has quit IRC		09:08
*** asettle has joined #openstack-keystone		09:12
*** mvk has joined #openstack-keystone		09:13
*** HenryG_ is now known as HenryG		09:17
*** BharatK has quit IRC		09:20
*** namnh has joined #openstack-keystone		09:21
*** HenryG has quit IRC		09:29
*** HenryG has joined #openstack-keystone		09:29
*** wangqun_ has quit IRC		09:35
joerch	Hey guys, quick question: I tried to use auth type v3unscopedsaml with Keystone as IdP (=Keystone2Keystone-federation), but it does not accept the SP's SAML request @ v3/auth/OS-FEDERATION/saml2/ecp. Is that expected behavior? Is there another way (plugin?) to use K2K-Authentication with the openstack cli client? Thanks in advance!	09:40
*** daemontool has joined #openstack-keystone		09:45
*** davechen has left #openstack-keystone		09:46
*** code-R has joined #openstack-keystone		09:59
*** sdake has quit IRC		10:01
*** asettle has quit IRC		10:05
*** richm has joined #openstack-keystone		10:09
openstackgerrit	Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c https://review.openstack.org/318435	10:10
openstackgerrit	Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c https://review.openstack.org/318435	10:10
*** code-R_ has joined #openstack-keystone		10:13
*** namnh has quit IRC		10:15
*** code-R has quit IRC		10:16
*** asettle has joined #openstack-keystone		10:16
*** jhesketh_ is now known as jhesketh		10:20
*** tqtran has joined #openstack-keystone		10:20
openstackgerrit	Mikhail Nikolaenko proposed openstack/keystone: Block global roles implying domain specific roles https://review.openstack.org/364216	10:22
*** maestropandy1 has joined #openstack-keystone		10:25
*** tqtran has quit IRC		10:25
breton	why don't we emit notifications on login failure/success?	10:35
*** sigmavirus\|awa is now known as sigmavirus		10:37
*** EinstCrazy has quit IRC		10:40
*** asettle has quit IRC		10:48
*** maestropandy1 has quit IRC		10:50
openstackgerrit	Mikhail Nikolaenko proposed openstack/keystone: Add domain check in domain-specific role implication https://review.openstack.org/351264	11:03
*** maestropandy has joined #openstack-keystone		11:30
*** maestropandy has left #openstack-keystone		11:31
*** NishaYadav has joined #openstack-keystone		11:38
*** asettle has joined #openstack-keystone		11:39
NishaYadav	o/	11:40
samueldmq	morning keystone	11:42
amakarov	hi!	11:44
openstackgerrit	Ukesh Kumar proposed openstack/keystone: check for user existence, for role add to user https://review.openstack.org/362606	11:44
marekd	samueldmq: morning.	11:47
marekd	samueldmq: Identity API v2.0 is going to be removed in O or Q release?	11:48
marekd	cause release notes for mitaka claim it will be Q, not sure if typo or not.	11:48
*** jpena is now known as jpena\|lunch		11:56
dstanek	good morning all	12:02
*** jaosorior has quit IRC		12:06
*** jaosorior has joined #openstack-keystone		12:06
marekd	dstanek: hey!	12:08
*** NishaYadav has quit IRC		12:09
*** NishaYadav has joined #openstack-keystone		12:13
*** BharatK has joined #openstack-keystone		12:16
openstackgerrit	Mikhail Nikolaenko proposed openstack/keystone: Block global roles implying domain specific roles https://review.openstack.org/364216	12:20
*** BharatK has quit IRC		12:21
* NishaYadav waves hello \o		12:24
samueldmq	marekd: I am not aware of removing v2.0 API in O or Q	12:29
samueldmq	marekd: dstanek morning	12:29
*** mvk has quit IRC		12:30
*** raildo has joined #openstack-keystone		12:30
odyssey4me	dolphm dstanek lbragstad FYI os_keystone now has nginx/uwsgi configuration options - and they're tested and voting for the role :)	12:32
samueldmq	marekd: looks like some v2.0 APIs will be removed in Q, except for auth and ec2	12:42
samueldmq	marekd: https://review.openstack.org/#/c/251530/13/releasenotes/notes/deprecate-v2-apis-894284c17be881d2.yaml	12:42
*** Kimmo___ is now known as Kimmo_		12:44
openstackgerrit	Alexander Makarov proposed openstack/keystone: Unified delegation trust driver https://review.openstack.org/291871	12:45
NishaYadav	I am really grateful to everyone for helping me complete Outreachy internship. Glad to inform that I got accepted for the Travel Support Program. Also, a pesentation submitted by samueldmq, vkmc and me - "A dice with several faces: Coordinators, mentors and interns on OpenStack Outreachy internships" got accepted for inclusion.	12:46
NishaYadav	A big thanks to samueldmq, vkmc, rodrigods, stevemar, dolphm, henrynash and all other contributors.	12:46
NishaYadav	To share my journey and express gratitude, I recently wrote an article, https://nishayadavsite.wordpress.com/2016/08/31/wrapping-up-openstack-outreachy-internship/	12:47
samueldmq	NishaYadav: nice, congratulations :-)	12:48
dstanek	odyssey4me: nice	12:49
NishaYadav	samueldmq, :D	12:49
*** markvoelker has joined #openstack-keystone		12:50
NishaYadav	dstanek, thanks to you too ^^, sorry looked for your IRC nick using david :/	12:50
*** links has quit IRC		12:51
dstanek	NishaYadav: your welcome and congrats	12:52
dstanek	that's exciting	12:52
NishaYadav	dstanek, thank you :D	12:52
*** jpena\|lunch is now known as jpena		12:55
*** spzala has joined #openstack-keystone		12:59
*** andreykurilin has left #openstack-keystone		13:02
*** jdennis has quit IRC		13:06
*** rreimberg has joined #openstack-keystone		13:07
*** markvoelker has quit IRC		13:07
*** ezpz has joined #openstack-keystone		13:07
*** arunkant has quit IRC		13:08
*** su_zhang has joined #openstack-keystone		13:15
raildo	congrats NishaYadav!	13:18
NishaYadav	thanks raildo for help :D	13:20
*** jdennis has joined #openstack-keystone		13:21
raildo	NishaYadav, np, you're doing an amazing work here, don't go away after your internship :)	13:22
NishaYadav	raildo, sure I want to keep contributing	13:22
raildo	NishaYadav, awesome	13:22
NishaYadav	raildo, thanks :D	13:23
*** markvoelker has joined #openstack-keystone		13:23
*** asettle is now known as asettle-afk		13:26
*** markvoelker has quit IRC		13:28
*** roxanaghe has joined #openstack-keystone		13:33
marekd	samueldmq: exactly - i saw the same thing, was just wodering if this is really Q or just a typo and O should be there.	13:37
marekd	dstanek: have knowledge on that? ^^	13:37
*** roxanaghe has quit IRC		13:37
marekd	dstanek: i was asking samueldmq whether V2 API are going to be removed in O or Q release.	13:38
samueldmq	marekd: I think that's correct, we are giving a 4-release deprecation	13:38
marekd	samueldmq: usually it was only 2 releases, but that's fine.	13:39
samueldmq	we decided that 2 releases was too short for removing a set of APIs	13:39
raildo	marek, samueldmq actually I hope to make the v3-only jobs voting by Otaca	13:41
raildo	at least we can avoid to have new issues related to the v2	13:42
samueldmq	raildo: yeah, but other services use auth	13:42
raildo	so, as we said in the v2-deprecation patch, we will remove on O or Q release	13:42
samueldmq	and we're not removing v2.0 auth and ec2 in Q	13:42
raildo	samueldmq, now on newton, we fixed a lot of issues to make this services use keystoneauth session	13:43
stevemar	o/	13:43
*** ayoung has joined #openstack-keystone		13:43
*** ChanServ sets mode: +v ayoung		13:43
samueldmq	raildo: nice, that's a great step	13:43
*** gordc has joined #openstack-keystone		13:44
raildo	so, the core services doesn't have issues on this direction	13:44
samueldmq	raildo: I am just saying services using v3.0 or v2.0 auth is orthogonal to remove v2.0 deprecated APIs (not auth)	13:44
raildo	and we have this v3-only jobs, to find any problem related to it	13:44
raildo	samueldmq, ++	13:44
marekd	raildo: cool!	13:44
samueldmq	stevemar: morning	13:44
stevemar	NishaYadav: glad to hear you got travel support :)	13:45
raildo	stevemar, do you believe we can make this v3-only jobs voting on Otaca?	13:45
raildo	I think it would be better talk to TC about this, and have an agreement in barcelona	13:45
stevemar	raildo: sure, why not, sounds like a reasonable expectation	13:46
stevemar	raildo: are the v3 only jobs passing or failing today?	13:46
raildo	stevemar, they are passing, I'll generate some graphics with this jobs behavior	13:46
stevemar	raildo: coolio	13:46
*** NishaYadav has quit IRC		13:46
raildo	in the last 2-3 months	13:46
*** asettle-afk has quit IRC		13:47
*** asettle-afk has joined #openstack-keystone		13:48
lbragstad	dstanek for key_hash - if we make it non-nullable	13:48
lbragstad	what would we want it to have for a default value?	13:48
*** openstackgerrit has quit IRC		13:49
*** openstackgerrit has joined #openstack-keystone		13:49
samueldmq	stevemar: raildo: so I think ppl want data to show the v3 jobs are stable	13:50
samueldmq	and will not increase the fail rate of their set of jobs	13:50
stevemar	samueldmq: i would want that :)	13:50
raildo	samueldmq, exactly :)	13:51
samueldmq	:-)	13:51
samueldmq	raildo: so it might be intersting to watch the fail rate very close	13:51
samueldmq	and try to mitigate any issue	13:51
raildo	stevemar, samueldmq I'll get this information and come back to talk about it, asap	13:51
samueldmq	the fail rate of the job must be almost equal to 0	13:51
samueldmq	raildo: nice	13:52
*** asettle-afk has quit IRC		13:52
samueldmq	stevemar: is there anything that needs immediate attention today/tomorrow?	13:53
stevemar	samueldmq: https://review.openstack.org/#/c/362501/ and https://review.openstack.org/#/c/355618/	13:53
raildo	samueldmq, stevemar for example this job on ceilometer http://status.openstack.org/openstack-health/#/job/gate-ceilometer-dsvm-functional-mongodb-identity-v3-only	13:53
raildo	the failure rate is close to 0	13:54
samueldmq	stevemar: okay, so we're holding release on those ?	13:54
stevemar	samueldmq: yes	13:54
samueldmq	stevemar: we go for triggers then?	13:54
stevemar	samueldmq: well thats the choice :)	13:54
samueldmq	stevemar: ok, so we have until tomorrow?	13:54
stevemar	i think i may propose to cut today, was waiting for lbragstad and dolphm to come online	13:54
lbragstad	stevemar i'	13:54
lbragstad	i'm here	13:54
*** Guest77956 is now known as jlvillal		13:55
stevemar	samueldmq: i think it's better to do something about it today...	13:55
stevemar	lbragstad: yo	13:55
samueldmq	stevemar: okay, I am on it now	13:55
*** rodrigods has quit IRC		13:55
*** rodrigods has joined #openstack-keystone		13:55
lbragstad	dolphm are you around?	13:55
stevemar	lbragstad: so i'm thinking about proposing the milestone3 driver based on current master	13:55
samueldmq	stevemar: lbragstad: is there a high risk of merging that in last minute and break things ?	13:55
lbragstad	samueldmq I personally don't think so - but others might feel differently	13:56
samueldmq	lbragstad: do we have tests to make sure the rolling upgrade actually works ?	13:56
samueldmq	making requests during the upgrade process	13:57
lbragstad	samueldmq rolling upgrades or credential encryption?	13:57
lbragstad	or both?	13:57
samueldmq	lbragstad: both	13:57
lbragstad	no	13:57
lbragstad	we don't have a rolling upgrade test framework yet	13:57
lbragstad	i did it manually	13:58
lbragstad	and documented it	13:58
* lbragstad https://gist.github.com/lbragstad/ddfb10f9f9048414d1f781ba006e95d1#upgrade		13:58
samueldmq	lbragstad: cool	13:58
samueldmq	lbragstad: is it too bad if we don't get that in this release?	13:59
dstanek	lbragstad: why do you need a default? after the contract runs everything will be encrypted right?	13:59
lbragstad	dstanek a bunch of tests fail if you set nullable=False for key_hash	13:59
dstanek	lbragstad: are they valid tests?	14:00
samueldmq	maybe we gotta figure out the cause of the failures	14:00
lbragstad	keystone.tests.unit.test_sql_upgrade.SqlDataMigrationUpgradeTests.test_start_version_db_init_version	14:00
lbragstad	keystone.tests.unit.test_sql_upgrade.PostgreSQLOpportunisticFullMigration.test_migration_002_migrate_unencrypted_credentials	14:00
lbragstad	and a bunch in test_backend_sql	14:00
*** su_zhang has quit IRC		14:01
lbragstad	its probably because we are inserting things without key_hash set in the reference and the backend doesn't allow it to be null	14:01
*** su_zhang has joined #openstack-keystone		14:01
*** ddieterly has joined #openstack-keystone		14:01
dstanek	ok, let me take a deeper look. post migration though there should be no way to get a null in there so those tests bad be broken	14:01
dstanek	i can see why the migration would fail though	14:02
lbragstad	dstanek correct - it should be nullable=False because Newton code would always pass in a key_hash	14:02
lbragstad	dstanek can we do alter tables in contract?	14:02
lbragstad	and switch it to null when we clean up the old rows?	14:03
lbragstad	er - old columns?	14:03
*** michauds has joined #openstack-keystone		14:03
*** asettle-afk has joined #openstack-keystone		14:03
*** jaosorior has quit IRC		14:04
samueldmq	lbragstad: I think that's reasonable, as it won't break any node	14:04
*** asettle-afk is now known as asettle		14:04
openstackgerrit	Lance Bragstad proposed openstack/keystone: Implement encryption of credentials at rest https://review.openstack.org/355618	14:05
*** su_zhang has quit IRC		14:06
lbragstad	dstanek addressed all your other comments ^	14:06
openstackgerrit	Ron De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable https://review.openstack.org/362501	14:06
lbragstad	stevemar what is your thought on the trigger stuff?	14:08
stevemar	lbragstad: its a lose-lose for me :)	14:12
stevemar	lbragstad: i either piss the keystone team off, or the rest of openstack :)	14:12
*** ravelar has joined #openstack-keystone		14:13
stevemar	lbragstad: even with the code to make it optional that dolphm proposed, the bp is still not yet complete, the grenade and devstack work are not merged	14:13
stevemar	and i need to give the release team a hash today	14:13
stevemar	if i cut out the credential encryption work, i push the decision about triggers to whichever poor soul is the ptl after me	14:14
samueldmq	hehe	14:14
stevemar	lbragstad: and that is my summary about the situation	14:15
lbragstad	ok - what about the technical details - how do you feel about it?	14:15
*** itisha has joined #openstack-keystone		14:15
samueldmq	I'd tend to be conservative on merging things in the last minute	14:16
samueldmq	but perhaps fixes could be backported if needed ?	14:16
lbragstad	it's a feature	14:16
lbragstad	it can't be backported	14:16
samueldmq	yes, I mean, if we merge it and we discover bugs	14:16
samueldmq	fixes could be backported	14:17
lbragstad	oh - right	14:17
lbragstad	stevemar the code left to propose to keystone is two change (docs and the implementation), the grenade change isn't going to merge until we merge the docs,	14:20
stevemar	lbragstad: in terms of the technical details, i think for the specific case we're looking at, triggers is fine.	14:21
stevemar	lbragstad: the credentials backend is barely used	14:21
*** tqtran has joined #openstack-keystone		14:22
openstackgerrit	Ron De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable https://review.openstack.org/362501	14:24
dstanek	stevemar: we're tying to make it more useful!	14:25
*** spedione is now known as spedione\|AWAY		14:26
*** tqtran has quit IRC		14:26
stevemar	dstanek: i know :)	14:26
odyssey4me	lbragstad sooo... is the online keystone upgrade thing a go, or is the idea dying in a fire? has code for it actually been implemented yet, and is it ready to build out something to test it out in OSA?	14:28
odyssey4me	I see that the use of triggers is causing quite a conversation on the ML.	14:28
*** spedione\|AWAY is now known as spedione		14:28
lbragstad	odyssey4me we have an implementation that is based on the triggers approach up for review	14:28
lbragstad	odyssey4me the encryption of credentials at rest in keystone was a thing we wanted to land this cycle and i ended up picking up with work after we made the tentative decision to go with triggers	14:29
lbragstad	odyssey4me you can find the implementation here - https://review.openstack.org/#/c/355618/41	14:30
lbragstad	odyssey4me the documentation is here - https://review.openstack.org/#/c/354497/5	14:30
lbragstad	odyssey4me and my informal walk-through of a rolling upgrade is here - https://gist.github.com/lbragstad/ddfb10f9f9048414d1f781ba006e95d1#upgrade	14:30
odyssey4me	lbragstad thanks, I'll be keeping an eye on those	14:31
lbragstad	odyssey4me np	14:31
*** NishaYadav has joined #openstack-keystone		14:33
*** NishaYadav is now known as Guest15743		14:33
*** ddieterly is now known as ddieterly[away]		14:34
*** slberger has joined #openstack-keystone		14:34
*** tonytan4ever has joined #openstack-keystone		14:47
openstackgerrit	Richard Avelar proposed openstack/keystone: POC sql query revoked tokens https://review.openstack.org/359371	14:49
*** erhudy has joined #openstack-keystone		14:49
lbragstad	rderose congrats!!	14:49
raildo	congrats rderose!	14:50
*** haplo37__ has joined #openstack-keystone		14:52
rderose	what?	14:53
lbragstad	rderose checkout the mailing list ;)	14:53
stevemar	:]	14:55
*** ddieterly[away] is now known as ddieterly		14:56
dstanek	rderose: !	14:57
*** edtubill has joined #openstack-keystone		14:58
marekd	stevemar: got a question for ya. So, if nova,cinder, etc talks to keystone over identity api v2.0 and I as a user use v3, is it all going to work correctly?	14:59
dstanek	marekd: yes believe it will be fine. the only thing i remember as being a problem is catalog things created with one version don't show up in the other, but i don't remember specifics there	15:01
bknudson	why are nova, cinder, etc., talking to keystone?	15:01
bknudson	if the auth token middleware is talking v2 then users that aren't in the default domain are going to fail	15:01
marekd	bknudson: say, uuid tokens and auth.	15:01
marekd	bknudson: ok, makes sense.	15:02
marekd	bknudson: thanks	15:02
marekd	dstanek: ty	15:03
*** pcaruana has quit IRC		15:03
stevemar	marekd: what bknudson and dstanek said	15:03
marekd	stevemar: sure	15:03
stevemar	marekd: when setting up auth token middleware, make sure you set it up to use v3	15:03
stevemar	just specify the default domain for service acounts	15:04
dstanek	marekd: can you just turn v2 off? :-D	15:04
samueldmq	rderose: congrats! :)	15:04
bknudson	the version is optional for auth token. it'll do version discovery if you don't set it.	15:04
stevemar	dstanek: "Contrats"	15:05
dstanek	stevemar: did i make a boo boo?	15:06
stevemar	dstanek: a tiny one	15:06
dstanek	stevemar: i've had enough success for the week and i'm ok with that	15:06
*** rcernin has quit IRC		15:06
stevemar	dstanek: :)	15:11
stevemar	dstanek: you can retire now that you've fixed the cache	15:11
dstanek	stevemar: i can't	15:12
stevemar	dstanek: few more years	15:13
dstanek	didn't get a golden parachute	15:13
openstackgerrit	Richard Avelar proposed openstack/keystone: POC sql query revoked tokens https://review.openstack.org/359371	15:16
*** joerch has quit IRC		15:17
ayoung	does keystone-manage fernet_rotate not accept an external key? How are Key synchronizations supposed to be done across multiple keystone servers?	15:17
openstackgerrit	Richard Avelar proposed openstack/keystone: POC sql query revoked tokens https://review.openstack.org/359371	15:18
*** NishaYadav has joined #openstack-keystone		15:18
*** NishaYadav is now known as Guest67103		15:18
*** mvk has joined #openstack-keystone		15:19
*** Guest15743 has quit IRC		15:19
bknudson	golden parachute means you get paid when you're fired	15:19
*** nisha_ has joined #openstack-keystone		15:19
*** browne has joined #openstack-keystone		15:20
lbragstad	ayoung key sync is current done by an external process	15:21
lbragstad	usually using configuration management	15:21
*** Guest67103 has quit IRC		15:23
ayoung	lbragstad, yeah, but we should have a tool it calls to import/export keys	15:23
*** sdake has joined #openstack-keystone		15:23
ayoung	lbragstad, thinking along these lines https://etherpad.openstack.org/p/keystone-fernet-token-cms	15:23
dstanek	ayoung: the expectation is that your existing configuration management tools would push out the key	15:26
dstanek	ayoung: i think you can generate your own key, assuming it's valid	15:26
dstanek	push that out and run the migration step....but lbragstad would have to confirm	15:26
*** esp has joined #openstack-keystone		15:26
ayoung	dstanek, we provide the init and the rotate functions, but they assume the keys never leave the container. If their is a CMS component, either the CMS generates the keys and distributes, or we rotate on one server and sync. Either way, we should provide a contract for the CMS	15:27
lbragstad	yeah - rotation can be approached a number of ways	15:28
ayoung	lbragstad, I	15:28
lbragstad	rotation on a single node and syncing from that node is how osa approached the problem	15:28
ayoung	lbragstad, I'd like to see it like this:	15:28
ayoung	cms gets a new key to the server and puts it in a staging location, ideally, still encrypted. then meystone-manage fernet-rotate-external reads that file, decrypts it, and puts it into rotation	15:29
dstanek	ayoung: so encrypt the encryption key?	15:30
ayoung	maybe keystone-manage fernet-import and keystone-manage fernet-export	15:30
ayoung	dstanek, for transport? Absoluetely	15:30
dstanek	ayoung: you can already make your CMS create and distribute a key if you want	15:30
ayoung	using asymmetric crypto.	15:30
lbragstad	ayoung your key repository could be encrypted source control	15:30
*** rcernin has joined #openstack-keystone		15:31
lbragstad	or even ansible-vault	15:31
*** BharatK has joined #openstack-keystone		15:34
odyssey4me	oh by the way, could barbican be used for fernet key distribution/storage?	15:36
* redrobot pokes head in at the mention of barbican		15:37
stevemar	odyssey4me: i think someone had a topic about that for the summit	15:37
bknudson	redrobot: keystone has all sorts of keys, for tokens and for credentials	15:40
bknudson	ayoung: the fernet keys are stored in a certain directory on disk. Users just get them from there and put them there.	15:41
*** roxanaghe has joined #openstack-keystone		15:44
lbragstad	odyssey4me we have a spec proposed to keystone's backlog to make the fernet backend pluggable	15:44
lbragstad	odyssey4me one option once that is implemented is to introduce a driver for barbican	15:45
*** nisha_ has quit IRC		15:45
dstanek	lbragstad: odyssey4me: and someone has already posted an implementation https://review.openstack.org/#/c/356499/	15:45
*** nisha_ has joined #openstack-keystone		15:46
*** BharatK_ has joined #openstack-keystone		15:47
*** BharatK has quit IRC		15:47
*** BjoernT has joined #openstack-keystone		15:49
*** markvoelker has joined #openstack-keystone		15:51
*** chrisshattuck has joined #openstack-keystone		15:53
*** gyee has joined #openstack-keystone		15:58
*** roxanaghe has quit IRC		15:58
odyssey4me	oh neat!	16:01
* odyssey4me adds this to his watch list		16:01
*** andrewbogott has quit IRC		16:05
*** andrewbogott has joined #openstack-keystone		16:05
*** jlk` is now known as jlk		16:06
*** jlk has quit IRC		16:06
*** jlk has joined #openstack-keystone		16:06
*** rreimberg has quit IRC		16:07
*** GB21 has joined #openstack-keystone		16:11
*** ezpz has quit IRC		16:11
*** BharatK_ has quit IRC		16:21
*** ezpz has joined #openstack-keystone		16:22
*** BharatK has joined #openstack-keystone		16:23
*** NishaYadav has joined #openstack-keystone		16:27
*** NishaYadav is now known as Guest27157		16:27
*** nisha_ has quit IRC		16:30
*** BharatK has quit IRC		16:31
stevemar	lbragstad: can you bring in dolphm's changes into your encryption patch?	16:33
stevemar	lbragstad: i'd rather have it as one thing	16:33
*** su_zhang has joined #openstack-keystone		16:36
*** daemontool has quit IRC		16:40
*** su_zhang has quit IRC		16:41
*** su_zhang has joined #openstack-keystone		16:41
*** woodster_ has joined #openstack-keystone		16:42
openstackgerrit	Dolph Mathews proposed openstack/keystone: Only create triggers during a rolling upgrade https://review.openstack.org/360723	16:45
*** asettle has quit IRC		16:49
*** asettle has joined #openstack-keystone		16:49
*** asettle has quit IRC		16:54
*** nisha_ has joined #openstack-keystone		16:55
*** su_zhang has quit IRC		16:57
*** markvoelker has quit IRC		16:58
*** su_zhang has joined #openstack-keystone		16:58
*** Guest27157 has quit IRC		16:58
*** su_zhang has quit IRC		16:58
*** tesseract- has quit IRC		17:01
openstackgerrit	Ron De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable https://review.openstack.org/362501	17:05
*** edtubill has quit IRC		17:06
*** mvk has quit IRC		17:07
*** tqtran has joined #openstack-keystone		17:07
*** amakarov is now known as amakarov_away		17:09
*** tqtran has quit IRC		17:12
openstackgerrit	David Stanek proposed openstack/keystone: Fixes migration where password created_at is nullable https://review.openstack.org/362501	17:15
*** tonytan4ever has quit IRC		17:16
*** code-R_ has quit IRC		17:17
*** pauloewerton has joined #openstack-keystone		17:20
stevemar	dtroyer: any chance you can take another look at https://review.openstack.org/362450	17:24
*** dobson` has quit IRC		17:26
*** snecklifter has joined #openstack-keystone		17:27
*** ddieterly is now known as ddieterly[away]		17:27
dtroyer	stevemar: sure...	17:28
dtroyer	+A	17:28
snecklifter	ayoung: hello, can I ask you about fermet tokens on tripleo HA?	17:29
snecklifter	store keys on shared storage and run keystone-manage fermet_setup on one controller?	17:30
*** rakhmerov has quit IRC		17:30
snecklifter	good way forward or there be dragons? :)	17:30
*** snecklifter is now known as snecklifter\|brb		17:31
*** tsufiev has quit IRC		17:31
stevemar	thanks dtroyer	17:32
stevemar	heading out for 2 hours, dolphm don't let the house burn down	17:32
*** tsufiev has joined #openstack-keystone		17:32
*** rakhmerov has joined #openstack-keystone		17:35
ayoung	snecklifter\|brb, was just having that conversation	17:40
ayoung	I think the general approach is to do that, but on the undercloud, and then publish the keystone-fernet-keys from undercloud to overcloud	17:40
lbragstad	stevemar yeah - i can do that working on addressing a couple final comments and I'll push a new revision	17:41
openstackgerrit	Mikhail Nikolaenko proposed openstack/keystone: [WIP] Move fernet utils to backend https://review.openstack.org/356499	17:42
*** chrisshattuck has quit IRC		17:42
*** jpena is now known as jpena\|away		17:46
*** mvk has joined #openstack-keystone		17:53
openstackgerrit	Merged openstack/keystone: Correct typo in mapping_populate command's help https://review.openstack.org/364092	17:55
*** dobson has joined #openstack-keystone		17:56
*** chrisshattuck has joined #openstack-keystone		17:56
*** phalmos has joined #openstack-keystone		17:57
*** harlowja_ has joined #openstack-keystone		17:58
openstackgerrit	Merged openstack/keystone: Document credential encryption https://review.openstack.org/354497	17:58
*** joerch has joined #openstack-keystone		17:59
*** harlowja has quit IRC		18:00
*** phalmos_ has joined #openstack-keystone		18:00
*** ravelar has quit IRC		18:01
*** ravelar has joined #openstack-keystone		18:02
*** amakarov_away has quit IRC		18:02
*** phalmos has quit IRC		18:03
openstackgerrit	Lance Bragstad proposed openstack/keystone: Implement encryption of credentials at rest https://review.openstack.org/355618	18:05
*** ravelar1 has joined #openstack-keystone		18:06
*** ravelar has quit IRC		18:06
lbragstad	I'll rebase ^ once the other migration merges	18:07
lbragstad	cc dstanek dolphm stevemar	18:07
*** tqtran has joined #openstack-keystone		18:09
dolphm	lbragstad: is henry's gating?	18:09
dolphm	lbragstad: what other migration?	18:09
lbragstad	dolphm https://review.openstack.org/#/c/362501/	18:09
dolphm	lbragstad: ah, so we need to abandon henry's then	18:10
*** ravelar1 has quit IRC		18:10
*** ravelar has joined #openstack-keystone		18:10
openstackgerrit	Lance Bragstad proposed openstack/keystone: Implement encryption of credentials at rest https://review.openstack.org/355618	18:10
lbragstad	dolphm modified the primary_key_hash() method ^ too	18:10
*** hoonetorg has quit IRC		18:11
dolphm	lbragstad: gotcha	18:11
dolphm	lbragstad: L742? self.	18:12
dolphm	lbragstad: err https://review.openstack.org/#/c/355618/43/keystone/cmd/cli.py	18:12
lbragstad	dolphm line 49 - 50 here - https://review.openstack.org/#/c/355618/43/keystone/credential/providers/fernet/core.py	18:13
*** su_zhang has joined #openstack-keystone		18:13
henrynash	dolpm: yes, we don't need mine, i"ll kill iy	18:13
henrynash	iy	18:13
henrynash	it	18:13
henrynash	!	18:13
dolphm	henrynash: d	18:13
dolphm	o	18:13
dolphm	ne	18:13
dolphm	henrynash:	18:14
dolphm	!	18:14
henrynash	o	18:14
henrynash	k	18:14
*** phalmos_ has quit IRC		18:14
dolphm	henrynash: i thought you'd be gone by now :)	18:14
henrynash	rderose: hey, one question on the infamous 105 re-make, this means that sqlite DBs are left with the created_at column nullable, yes?	18:15
*** hoonetorg has joined #openstack-keystone		18:16
*** tonytan4ever has joined #openstack-keystone		18:16
*** ntpttr has joined #openstack-keystone		18:16
*** awayne has quit IRC		18:17
*** tonytan4ever has quit IRC		18:17
dolphm	henrynash: i believe he's gone for the weekend	18:17
henrynash	rderose: I am not at all worried that we don't support rolling updated with sqlite, but a but worried that even if you do a standard new install with sqlite, the column is still nullable..whereas the otehr DBS would have it non-nullable..	18:17
henrynash	dolphm: ah	18:18
dolphm	henrynash: that sounds like something we should fix though... dstanek ^	18:18
*** openstackgerrit has quit IRC		18:18
*** openstackgerrit has joined #openstack-keystone		18:18
lbragstad	dolphm i'm just going to rebase on rderose's commit so that I can do the rename now	18:19
lbragstad	from 002 to 003	18:19
dolphm	lbragstad: ++	18:19
lbragstad	running tests now	18:19
dolphm	lbragstad: i meant to say - go ahead and do it now	18:19
lbragstad	should have a new patch up shortly	18:20
henrynash	dolphm: I'm not sure why in https://review.openstack.org/#/c/362501/27/keystone/common/sql/contract_repo/versions/002_password_created_at_not_nullable.py we set the column nullable for sqlite...since we know there only new code running in the contract phase	18:20
*** GB21 has quit IRC		18:21
dolphm	henrynash: rderose: dstanek: that had to be a mistake, right?	18:22
dstanek	dolphm: henrynash: no, it's because the default doesn't work there and since we have code that depends on the default being automatic he left it nullable	18:24
dolphm	dstanek: isn't the only code that depends on it being automatic in the data migration?	18:24
dstanek	we talked about this before, but I don't remember the deets	18:24
henrynash	dstanek: ah, but now...the new code does not rely on the default....it always puts a value in there, the need for the default was becasue while there is old code running it doesn't know to put in a value for this column	18:25
dstanek	i'd have to look, but i thought no. otherwise we wouldn't need a default	18:25
dolphm	henrynash: dstanek: i proposed a change to switch it to non-nullable, but only running tests now https://review.openstack.org/#/c/364491/	18:26
henrynash	dstanek: actually, I think the sql model in code has the default in there....but I was pretty sure the code always set the value...	18:27
dstanek	the tests fails	18:28
dstanek	http://paste.openstack.org/show/565766/	18:28
dstanek	this is a case where sqlite sucks	18:28
openstackgerrit	Lance Bragstad proposed openstack/keystone: Implement encryption of credentials at rest https://review.openstack.org/355618	18:28
henrynash	dstanek: damn!	18:29
dstanek	henrynash: ?	18:29
*** harlowja_ has quit IRC		18:31
*** harlowja has joined #openstack-keystone		18:32
dolphm	dstanek: sqlite.	18:32
dstanek	failed us again	18:33
samueldmq	lbragstad: does 355618 now have the changes from 360723 added to it ?	18:33
*** ddieterly[away] is now known as ddieterly		18:34
dolphm	dstanek: actually, the sqlite error makes sense to me... but mysql and postgres would allow this schema and reject non-compliant inserts?	18:36
*** phalmos has joined #openstack-keystone		18:37
henrynash	dstanek: which test failed...sql_upgrade?...since our actual driver code always puts a value in there....	18:37
dolphm	lbragstad: woo, dtroyer +2/+A'd the grenade patch (thanks!)	18:38
dstanek	keystone.tests.unit.test_sql_upgrade.SqlContractSchemaUpgradeTests.test_start_version_db_init_version for sure and i think there was one more	18:38
dstanek	henrynash: actually 5 tests failed	18:39
lbragstad	samueldmq yep	18:39
dolphm	dstanek: i had 4 tests fail	18:39
dstanek	lots of keystone.tests.unit.test_sql_upgrade stuff	18:39
samueldmq	lbragstad: are all the existing credentials migrated upon migration ?	18:39
dolphm	keystone.tests.unit.test_sql_upgrade.SqlDataMigrationUpgradeTests.test_start_version_db_init_version	18:39
dolphm	keystone.tests.unit.test_sql_upgrade.SqlContractSchemaUpgradeTests.test_start_version_db_init_version	18:39
samueldmq	lbragstad: or are they migrated on-demand?	18:39
dolphm	keystone.tests.unit.test_sql_banned_operations.TestKeystoneContractSchemaMigrationsSQLite.test_walk_versions	18:39
dolphm	keystone.tests.unit.test_sql_upgrade.FullMigration.test_migration_002_password_created_at_not_nullable	18:40
dolphm	dstanek: do you have a transient? ^	18:40
dstanek	dolphm: oh, it looks like i also failes because of a version conflict with oslo.context	18:40
dolphm	dstanek: sounds like a personal problem	18:40
dstanek	maybe they released today? wasn't seeing this earlier today	18:40
lbragstad	samueldmq they are migrated during the data migration	18:40
lbragstad	then they are migrated at will by the operator	18:41
henrynash	dolphm: 002 contract failure is expected since that explicit tests to see if we set the column nullable not	18:41
dolphm	dstanek: nope	18:41
dolphm	dstanek: https://pypi.python.org/pypi/oslo.context	18:41
dstanek	weird	18:41
samueldmq	lbragstad: but after running 003 all credentials will be encrypted	18:41
henrynash	dolphm: ah, sorry, ignore that comment !	18:41
samueldmq	lbragstad: is that right?	18:41
lbragstad	samueldmq yes	18:41
henrynash	dolphm: I'll see if I can play with that later	18:41
dstanek	got one of these: pkg_resources.ContextualVersionConflict: (oslo.context 2.8.0 (/opt/stack/keystone/.tox/py27/lib/python2.7/site-packages), Requirement.parse('oslo.context>=2.9.0'), set(['keystone']))	18:41
lbragstad	if this goes into Newton - you have to encrypt credentials if you're going to put them in keystone	18:42
samueldmq	lbragstad: operator run expand and can stay how long they want there	18:42
dolphm	dstanek: oh, maybe something else suddenly required >=2.9	18:42
samueldmq	lbragstad: but once migrate is run, everything will be encrypted	18:42
dstanek	i'll have to -r my next test run	18:42
dolphm	samueldmq: after the --migrate, you can still run both the previous and the next release	18:43
dstanek	samueldmq: that's a good thing	18:43
dolphm	samueldmq: after --migrate, the data exists in the database as both plaintext and ciphertext	18:43
samueldmq	yes	18:43
dolphm	--contract drops the plaintext, so it's only encrypted	18:43
dstanek	dolphm: i thought we were just not allowing writes	18:43
dolphm	dstanek: from the app	18:44
lbragstad	samueldmq after you run expand you won't be able to create any more credentials	18:44
lbragstad	until you run the contract	18:44
samueldmq	what happens if the operator run `keystone-manage credential_migrate` when there is a mix of encrypted and plain text credentials in the database?	18:44
lbragstad	samueldmq that won't work	18:45
lbragstad	because credential_migrate is designed to re-encrypt credentials, not migrate plaintext ones	18:45
lbragstad	that what the data_migration piece of the migration does	18:45
samueldmq	lbragstad: ok, I am reading https://review.openstack.org/#/c/355618/45/keystone/cmd/cli.py	18:46
lbragstad	samueldmq the gist i have walks through everything step by step	18:46
lbragstad	doing a rolling upgrade while encrypting credentials	18:46
samueldmq	lbragstad: and L677-679 the operator is advised to run credential_migrate there, as credential_rotate just failed	18:47
dolphm	lbragstad: it'll work - because there can't be a mix :)	18:47
dolphm	it was a trick question :P	18:47
lbragstad	true	18:47
lbragstad	samueldmq yes - we have to keep rotation and migration lock step in order to protect against over-rotation	18:47
dolphm	samueldmq: the triggers reject writes to the new column, so you won't go into the migration with anything but plaintext	18:47
lbragstad	the way we do that is by checking the key_hash attribute of each credential	18:47
lbragstad	against the key_hash of the current primary key	18:48
samueldmq	ah okay, so there is no way to have a mix of them (plaintext and encrypted)	18:48
lbragstad	if any of them don't match - we know that there are credentials that need to be re-encrypted	18:48
lbragstad	so we should abort the rotation until we can be 100% sure we're not going to over-rotate	18:48
*** david-lyle has quit IRC		18:49
samueldmq	lbragstad: yes, I was asking that because if we allowed it when there is a mix of plaintext and encrypted	18:50
*** su_zhang has quit IRC		18:50
samueldmq	the encrypted ones would be re-encrypted	18:50
lbragstad	yeah - credential_migrate will only re-encrypt existing credentials	18:50
*** david-lyle has joined #openstack-keystone		18:50
dstanek	to that end. it is possible that the migration fails and gets restarted and thing are encrypted twice?	18:51
openstackgerrit	Lance Bragstad proposed openstack/keystone: Implement encryption of credentials at rest https://review.openstack.org/355618	18:54
*** ddieterly has quit IRC		18:55
*** phalmos has quit IRC		18:55
*** asettle has joined #openstack-keystone		18:56
*** divyakkonoor has quit IRC		18:56
*** dikonoor has joined #openstack-keystone		18:57
*** dikonoo has joined #openstack-keystone		18:57
dolphm	dstanek: yeah, that's possible with the current implementation, because it's a blind select	18:58
dolphm	dstanek: ideally, it'd be like select .. where not_encrypted limit 10; or whatever	18:59
samueldmq	lbragstad: dolphm : if during the migration the credential API will be read-only, why do we need triggers copying the data back and forth ?	18:59
dolphm	samueldmq: the triggers are not copying data	18:59
dolphm	samueldmq: read the triggers :)	18:59
samueldmq	dolphm: will do, I am starting with lbragstad's gist :-)	19:00
*** nisha_ is now known as nishaYadav		19:02
*** ddieterly has joined #openstack-keystone		19:05
samueldmq	lbragstad: dolphm: if newton code verified that if can create credentials only when the 'blob' column does not exist	19:06
samueldmq	we wouldn't need triggers	19:06
samueldmq	and the mitaka node could keep adding credentials through the proccess	19:06
samueldmq	I don't really see the value of triggers in this case if we are only using them to block writes	19:10
*** jdennis has quit IRC		19:10
samueldmq	maybe I am missing something	19:10
*** jdennis has joined #openstack-keystone		19:10
*** phalmos has joined #openstack-keystone		19:12
*** gyee has quit IRC		19:13
dstanek	dolphm: ++	19:13
*** harlowja_ has joined #openstack-keystone		19:13
*** tonytan4ever has joined #openstack-keystone		19:16
*** tonytan4ever has quit IRC		19:16
*** harlowja has quit IRC		19:17
*** arunkant has joined #openstack-keystone		19:18
dolphm	samueldmq: then the application would - forever - have to inspect the state of the schema before operating on it	19:18
dolphm	samueldmq: in this case, i think that'd be safe, but that can also lead to race conditions during a rolling upgrade	19:19
*** nishaYadav has quit IRC		19:20
samueldmq	dolphm: well, not forever, but until next release when we remove the check	19:20
*** su_zhang has joined #openstack-keystone		19:20
dolphm	samueldmq: unless your schema checking statements are in a transaction with your inserts, for example	19:20
*** arunkant_web has joined #openstack-keystone		19:20
samueldmq	dolphm: ++	19:21
dolphm	samueldmq: right - that's a lot of time to be constantly querying the schema though :)	19:21
dolphm	samueldmq: this is certainly not the best example of using triggers during a rolling upgrade	19:21
samueldmq	dolphm: yeah, if that could be done within the insert query it'd be ideal	19:21
samueldmq	dolphm: maybe, but if we didn't use it we would postpone our decision on triggers to the summit	19:22
samueldmq	at the same time we get this feature in	19:22
samueldmq	if that makes sense..	19:22
dolphm	samueldmq: if we land this now, we'll have some feedback to discuss at the summit	19:22
dolphm	samueldmq: if we don't ship triggers, we won't learn anything new between now and the summit	19:22
dolphm	samueldmq: we'll just have the same "omg triggers" feedback that we've already heard	19:23
samueldmq	dolphm: and if we decide to not go with triggers anymore	19:23
samueldmq	dolphm: we just adapt those migration scripts ?	19:24
dolphm	by shipping them in newton as part of rolling upgrades, the operators that are super interested in rolling upgrades will be able to evaluate them as part of a real release, and we'll get real feedback. if they don't work for some deployers for some reason, we'll learn why and evolve from there	19:24
dolphm	and for those deployers where triggers are either objectionable or actually don't work for some reason (db2!), offline upgrades with db_sync is still an option that doesn't involve any triggers	19:25
*** dikonoo has quit IRC		19:25
*** dikonoor has quit IRC		19:25
*** spzala has quit IRC		19:25
dolphm	if we decide not to go with triggers, we'll just stop adding new ones. i wouldn't want to go back and drop code like that or anything	19:25
*** chrichip has joined #openstack-keystone		19:25
*** su_zhang has quit IRC		19:25
*** spzala has joined #openstack-keystone		19:26
dolphm	samueldmq: so, if you consider rolling upgrades to be an experimental feature, then you're also opting into our experimental trigger-based approach. if you don't want to go the experimental route, db_sync still behaves the same old way	19:27
openstackgerrit	Lance Bragstad proposed openstack/keystone: Implement encryption of credentials at rest https://review.openstack.org/355618	19:27
lbragstad	dstanek fixed the key_hash nullable problem ^	19:27
samueldmq	dolphm: ah okay, so rolling upgrade is experimental	19:27
dolphm	fundamentally, we'll need the --expand, --migrate, --contract options of db_sync no matter our rolling upgrade implementation, it's just that the order of operations around those commands will be different (i.e. when you can bring the next release online, how long things take, etc)	19:28
samueldmq	dolphm: I agree with you with trying and see what operators think about it	19:28
samueldmq	dolphm: ++	19:28
dolphm	samueldmq: i'm happy to call it experimental myself. more importantly, i don't want to break deployers that want to continue with upgrading with downtime and vanilla db_sync	19:28
samueldmq	dolphm: ++	19:28
samueldmq	dolphm: adding it and gathering feedback is a good idea	19:29
samueldmq	tahnks for clarifying on the plans	19:29
samueldmq	:-)	19:29
dolphm	samueldmq: happily	19:29
dstanek	lbragstad: in case i haven't said it recently...you rock!	19:33
* lbragstad blushes		19:34
*** ddieterly is now known as ddieterly[away]		19:41
openstackgerrit	David Stanek proposed openstack/keystone: Fixes spelling mistakes https://review.openstack.org/364527	19:42
*** snecklifter\|brb is now known as snecklifter		19:43
snecklifter	ayoung: ok, thanks, that makes more sense	19:44
*** asettle has quit IRC		19:46
*** asettle has joined #openstack-keystone		19:47
*** asettle has quit IRC		19:48
*** su_zhang has joined #openstack-keystone		19:54
ayoung	snecklifter, I wrote this:	19:56
ayoung	https://etherpad.openstack.org/p/keystone-fernet-token-cms	19:56
*** asettle has joined #openstack-keystone		19:59
snecklifter	ayoung: sure, i see where you're going with that	20:00
ayoung	snecklifter, so, assuming Tripleo is using swift artifacts to do the deployment, we would need to have the secrest encruypted in the tarball copied over to the controller nodes...otherwise, they are posted for all the world to see	20:01
openstackgerrit	Lance Bragstad proposed openstack/keystone: Implement encryption of credentials at rest https://review.openstack.org/355618	20:01
snecklifter	ayoung: yes exactly	20:01
ayoung	alternatively, with OSP10 and later, we have mistral, so we could do something where we do a direct communication with the node to push any new keys down	20:01
snecklifter	this is testing with OSP9	20:02
ayoung	snecklifter, so no Mistral?	20:02
snecklifter	ayoung: correct	20:03
ayoung	snecklifter, is Ansible an option?	20:04
snecklifter	it is	20:04
snecklifter	in fact we're doing a lot of post install customization with it like ELK	20:04
*** ddieterly[away] is now known as ddieterly		20:04
snecklifter	so if the keys are being copied over ssh then no problem?	20:05
ayoung	snecklifter, I had something that would generate an ansible inventory from the undercloud openstack server list	20:07
ayoung	let me see...	20:07
snecklifter	oh thats not too much of a problem, we are using custom hostnames	20:08
snecklifter	and predictable IPs	20:08
snecklifter	ayoung: actually ignore that, i see what you mean i think	20:09
*** tonytan4ever has joined #openstack-keystone		20:11
*** phalmos has quit IRC		20:11
*** gyee has joined #openstack-keystone		20:13
*** ChanServ sets mode: +v gyee		20:13
ayoung	snecklifter, https://paste.fedoraproject.org/419316/14727608/	20:13
snecklifter	ayoung: cool, thanks, i'm stuck in the bash scripting era	20:15
ayoung	snecklifter, Python is the new bash	20:15
snecklifter	ayoung: so i'm told... <sigh>	20:15
*** tonytan_brb has joined #openstack-keystone		20:16
ayoung	snecklifter, I just like using the python-keystone API and python-nova APIs from time to time to make sure I can remember how	20:16
*** tonytan4ever has quit IRC		20:17
snecklifter	ayoung: ok, thanks for help, so all three controllers reading same fernet keys from shared storage seems sane to you?	20:18
ayoung	snecklifter, yeah, they have to be in sync.	20:19
snecklifter	ayoung: sure	20:19
ayoung	snecklifter, there is no advantage to keeping the keys distinct, as they are all symmetric	20:19
ayoung	thus, if you have the key, you can sign things	20:19
ayoung	so, what really matters is who can read that shared storage	20:19
*** spzala has quit IRC		20:19
ayoung	and I think the answer is keystone only	20:19
ayoung	Overcloud process should probably be only able to write to it	20:20
snecklifter	ayoung: sure but keystone is running as apache	20:21
snecklifter	but still lock down to keystone uid/gid	20:21
ayoung	snecklifter, no it is not	20:21
ayoung	keystone is running as Keystone	20:21
ayoung	apache is running as apache	20:21
ayoung	$ ps -ef \| grep keystone	20:22
ayoung	stack 2901 26815 0 20:21 pts/0 00:00:00 grep --color=auto keystone	20:22
ayoung	keystone 18605 18604 0 18:08 ? 00:01:04 keystone-admin -DFOREGROUND	20:22
ayoung	keystone 18606 18604 1 18:08 ? 00:01:30 keystone-main -DFOREGROUND	20:22
ayoung	keystone is a wsgi process kicked off by apache, but it is a separate user	20:22
snecklifter	ah ok, had not delved into this	20:22
ayoung	snecklifter, list is my life	20:22
snecklifter	prviously all eventlet	20:22
ayoung	such as it is	20:22
ayoung	https://adam.younglogic.com/2012/03/keystone-should-move-to-apache-httpd/ snecklifter look at the date.	20:23
snecklifter	ayoung: wow	20:23
snecklifter	ayoung: i read your blog but not the dates	20:23
snecklifter	ayoung: let me guess, it happened but took 3 times longer than you expected, right?	20:24
ayoung	3 is probably a low estimate	20:24
snecklifter	ayoung: well, the good news is that you can now explain process ownership to newbs like me :)	20:25
snecklifter	on channels like this	20:25
snecklifter	ayoung: ok, thanks very much for help, much appreciated	20:26
snecklifter	on UK time so signing off	20:26
ayoung	same here...kid duty	20:27
*** ddieterly is now known as ddieterly[away]		20:28
*** gordc has quit IRC		20:30
*** ddieterly[away] is now known as ddieterly		20:30
*** itisha has quit IRC		20:30
*** jpena\|away is now known as jpena\|off		20:35
stevemar	lbragstad: dolphm back	20:45
*** ayoung has quit IRC		20:46
openstackgerrit	Merged openstack/keystone: Fixes migration where password created_at is nullable https://review.openstack.org/362501	20:50
*** phalmos has joined #openstack-keystone		20:51
*** chrichip has quit IRC		20:53
*** chrichip has joined #openstack-keystone		20:54
*** browne has quit IRC		20:59
*** arunkant_web has quit IRC		21:00
*** ddieterly is now known as ddieterly[away]		21:01
*** raildo has quit IRC		21:01
*** ddieterly[away] is now known as ddieterly		21:03
*** phalmos has quit IRC		21:03
*** ezpz has quit IRC		21:12
*** pauloewerton has quit IRC		21:16
openstackgerrit	David Stanek proposed openstack/keystone: Fixes credential key rotation https://review.openstack.org/364557	21:20
*** rcernin has quit IRC		21:24
samueldmq	lbragstad: just left a few comments in the credential change	21:26
openstackgerrit	David Stanek proposed openstack/keystone: Only cache callables in the base manager https://review.openstack.org/364562	21:29
openstackgerrit	Steve Martinelli proposed openstack/keystone: Fixes spelling mistakes https://review.openstack.org/364527	21:31
*** ddieterly has quit IRC		21:31
*** chrisshattuck has quit IRC		21:36
samueldmq	dolphm: lbragstad: dstanek: btw, related to credentials, but in client side, see https://review.openstack.org/#/c/352567/	21:41
*** adriant has joined #openstack-keystone		21:42
*** adriant has quit IRC		21:45
*** spedione is now known as spedione\|AWAY		21:47
*** su_zhang has quit IRC		21:51
*** chrisshattuck has joined #openstack-keystone		21:52
*** su_zhang has joined #openstack-keystone		21:53
*** ddieterly has joined #openstack-keystone		21:53
*** haplo37__ has quit IRC		21:59
*** adriant has joined #openstack-keystone		21:59
*** ravelar has quit IRC		22:02
*** michauds has quit IRC		22:04
*** chrisshattuck has quit IRC		22:14
*** krotscheck has quit IRC		22:15
*** krotscheck has joined #openstack-keystone		22:15
*** ddieterly is now known as ddieterly[away]		22:17
*** spzala has joined #openstack-keystone		22:20
*** browne has joined #openstack-keystone		22:20
*** erhudy has quit IRC		22:22
*** spzala has quit IRC		22:24
*** adriant has quit IRC		22:25
*** phalmos has joined #openstack-keystone		22:25
*** ayoung has joined #openstack-keystone		22:30
*** ChanServ sets mode: +v ayoung		22:30
*** ntpttr has quit IRC		22:31
openstackgerrit	Lance Bragstad proposed openstack/keystone: Implement encryption of credentials at rest https://review.openstack.org/355618	22:31
lbragstad	dolphm new patch ^	22:31
*** ntpttr has joined #openstack-keystone		22:31
*** ddieterly[away] is now known as ddieterly		22:38
*** ddieterly is now known as ddieterly[away]		22:42
*** tonytan_brb has quit IRC		22:43
stevemar	dolphm: lbragstad: i'll review that after dinner	22:45
stevemar	dolphm: we have til eod to merge it ;)	22:45
lbragstad	stevemar cool - thanks	22:45
stevemar	team code review on hangouts!	22:45
*** adriant has joined #openstack-keystone		22:45
lbragstad	stevemar sounds good - ping me on google hangouts (so i get it on my phone) when you're ready?	22:48
lbragstad	i'm gonna try and step away for a bit	22:48
*** BjoernT has quit IRC		22:50
*** su_zhang has quit IRC		22:50
*** su_zhang has joined #openstack-keystone		22:52
*** ayoung has quit IRC		23:05
*** ddieterly[away] has quit IRC		23:05
*** markvoelker has joined #openstack-keystone		23:11
*** slberger has left #openstack-keystone		23:16
*** su_zhang has quit IRC		23:16
*** chlong has quit IRC		23:33
*** arunkant has quit IRC		23:41
*** Guest99973 has quit IRC		23:43
*** ravelar has joined #openstack-keystone		23:48
*** markvoelker has quit IRC		23:51
openstackgerrit	Eric Brown proposed openstack/oslo.policy: Update reno for stable/newton https://review.openstack.org/362375	23:51
*** ravelar has quit IRC		23:53
*** markvoelker has joined #openstack-keystone		23:56
openstackgerrit	Eric Brown proposed openstack/keystoneauth: Update reno for stable/newton https://review.openstack.org/362412	23:57
openstackgerrit	Eric Brown proposed openstack/keystonemiddleware: Update reno for stable/newton https://review.openstack.org/362414	23:57

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!