Thursday, 2017-01-19

*** DinaBelova has joined #openstack-keystone  00:02
*** NikitaKonovalov has joined #openstack-keystone  00:03
*** freerunner has joined #openstack-keystone  00:03
<openstackgerrit> Gage Hugo proposed openstack/keystone: Allow user to change own expired password
*** david-lyle has quit IRC  00:05
*** adrian_otto has quit IRC  00:07
*** lamt has joined #openstack-keystone  00:10
*** adrian_otto has joined #openstack-keystone  00:12
<openstackgerrit> Richard Avelar proposed openstack/keystone: WIP extend users API to add federated object
*** stingaci has joined #openstack-keystone  00:19
*** adrian_otto has quit IRC  00:20
*** browne has quit IRC  00:21
*** adrian_otto has joined #openstack-keystone  00:21
*** stingaci has quit IRC  00:23
*** catintheroof has joined #openstack-keystone  00:23
*** browne has joined #openstack-keystone  00:25
*** adrian_otto has quit IRC  00:34
*** adrian_otto has joined #openstack-keystone  00:36
*** jamielennox|away is now known as jamielennox  00:37
*** thorst has joined #openstack-keystone  00:39
*** thorst has quit IRC  00:42
*** hoangcx has joined #openstack-keystone  00:50
*** lamt has quit IRC  00:51
*** harlowja has joined #openstack-keystone  00:52
*** ravelar has quit IRC  01:07
*** thorst has joined #openstack-keystone  01:11
*** thorst has quit IRC  01:11
*** catintheroof has quit IRC  01:13
*** catintheroof has joined #openstack-keystone  01:14
*** catintheroof has quit IRC  01:14
*** edmondsw has joined #openstack-keystone  01:18
*** edmondsw has quit IRC  01:23
<openstackgerrit> Ron De Rose proposed openstack/keystone: PCI-DSS Force users to immediately change their password upon first use
*** lucas__ has joined #openstack-keystone  01:38
*** browne has quit IRC  01:39
*** tqtran has quit IRC  01:49
*** adrian_otto has quit IRC  01:51
<rderose> is there a way to tell if a user is a service user?  01:56
*** markvoelker has joined #openstack-keystone  01:59
<rderose> I guess if they have the service role...  01:59
<stevemar> rderose: nope  01:59
<rderose> stevemar: darn  01:59
<stevemar> that's a sketchy way of determining  01:59
<stevemar> what's up?  01:59
<rderose> stevemar: yeah... was trying to see if I could automatically ignore service users for PCI  02:00
<rderose> stevemar: domain scoped PCI is the answer. we'll have to do that in pike.  02:02
<stevemar> rderose: i said that in N :P  02:03
<stevemar> per-domain PCI, just like how we have per-domain LDAP  02:04
<stevemar> it's the same code, should be easy to do  02:04
<rderose> stevemar: right  02:04
<rderose> stevemar: don't worry about N, no one really believes PTLs  02:05
<stevemar> rderose: damn whoever was PTL in N  02:06
<stevemar> PTL elections are open!!!!!!!!!!
<stevemar> rderose: yeah, with per-domain PCI we'll be able to remove a lot of the "here are a list of user IDs i don't want things to happen to"  02:08
<rderose> stevemar: yep, exactly  02:09
*** thorst has joined #openstack-keystone  02:15
<stevemar> gagehugo: hmm, looking at
<stevemar> gagehugo: it seems you didn't run the modified code?  02:19
<stevemar>   File "/usr/local/lib/python2.7/dist-packages/osc_lib/", line 457, in prepare_to_run_command  02:19
<stevemar>     self.client_manager.auth_ref  02:19
*** thorst has quit IRC  02:20
<stevemar> if you had set "auth_required = False" in the command class of userSetPassword, then we shouldn't be entering that branch  02:20
<stevemar>         if cmd.auth_required:  02:20
<stevemar>             self.client_manager.setup_auth()  02:20
<stevemar>             if hasattr(cmd, 'required_scope') and cmd.required_scope:  02:20
<stevemar>                 # let the command decide whether we need a scoped token  02:20
<stevemar>                 self.client_manager.validate_scope()  02:20
<stevemar>             # Trigger the Identity client to initialize  02:20
<stevemar>             self.client_manager.auth_ref  02:20
<stevemar>         return  02:20
<stevemar> gagehugo: i'll play around with it  02:21
<stevemar> gagehugo: how did you set your user to be expired?  02:21
<gagehugo> stevemar: I think I did, I can try again  02:25
<gagehugo> stevemar: I have a bunch of users from previous tests and a bunch of them are expired  02:26
<gagehugo> otherwise I just change their database values  02:26
*** links has joined #openstack-keystone  02:33
*** darrenc_ has joined #openstack-keystone  02:35
*** r1chardj0n3s_ has joined #openstack-keystone  02:37
<gagehugo> stevemar: oh, is incorrect, I did required_auth instead of auth_required  02:37
*** hoangcx_ has joined #openstack-keystone  02:38
*** gus__ has joined #openstack-keystone  02:38
*** charz_ has joined #openstack-keystone  02:40
*** BrAsS_mOnKeY has joined #openstack-keystone  02:40
*** rvba` has joined #openstack-keystone  02:41
*** mtreinish_ has joined #openstack-keystone  02:41
*** tlbr_ has joined #openstack-keystone  02:41
*** hoangcx has quit IRC  02:41
*** adriant has quit IRC  02:41
*** briancurtin has quit IRC  02:41
*** wasmum has quit IRC  02:41
*** hyakuhei has quit IRC  02:41
*** rvba has quit IRC  02:41
*** g2 has quit IRC  02:41
*** rm_work has quit IRC  02:41
*** r1chardj0n3s has quit IRC  02:41
*** darrenc has quit IRC  02:41
*** gus has quit IRC  02:41
*** mjb has quit IRC  02:41
*** jamielennox has quit IRC  02:41
*** tlbr has quit IRC  02:41
*** mtreinish has quit IRC  02:41
*** charz has quit IRC  02:41
*** mtreinish_ is now known as mtreinish  02:41
*** mjb has joined #openstack-keystone  02:42
<gagehugo> stevemar: is the modified one  02:42
<stevemar> gagehugo: that's interesting  02:43
<stevemar> it actually fired off the request  02:43
<stevemar>   File "/home/ghugo/python-openstackclient/openstackclient/identity/v3/", line 438, in take_action  02:43
<stevemar>     identity_client.users.update_password(current_password, password)  02:43
*** yarkot has quit IRC  02:44
<stevemar> well, it got to the client anyway, that's good  02:44
<stevemar> it failed to fire off the request  02:44
<stevemar> looks like it failed here:
<stevemar> we need it to get to line 430 :)  02:47
*** BrAsS_mOnKeY is now known as g2  02:47
*** agrebennikov_ has joined #openstack-keystone  02:47
*** yarkot has joined #openstack-keystone  02:50
<stevemar> gagehugo: i guess we could just do a straight requests call  02:50
*** adriant has joined #openstack-keystone  02:51
*** markvoelker has quit IRC  02:56
<stevemar> gagehugo: this is where we bug jamielennox when he's online :P  03:00
*** rm_work has joined #openstack-keystone  03:00
*** wasmum has joined #openstack-keystone  03:01
*** hyakuhei has joined #openstack-keystone  03:01
*** henrynash has joined #openstack-keystone  03:03
*** ChanServ sets mode: +v henrynash  03:03
<gagehugo> stevemar: heh  03:06
<gagehugo> I don't think I found anything else that used auth_require = False  03:06
*** markvoelker has joined #openstack-keystone  03:10
*** diazjf has joined #openstack-keystone  03:11
*** jamielennox|away has joined #openstack-keystone  03:12
*** jamielennox|away is now known as jamielennox  03:12
*** ChanServ sets mode: +v jamielennox  03:12
*** woodster_ has quit IRC  03:15
*** MasterOfBugs has quit IRC  03:18
*** adrian_otto has joined #openstack-keystone  03:19
*** adrian_otto has quit IRC  03:29
*** thorst has joined #openstack-keystone  03:30
<stevemar> gagehugo: just `openstack list commands`  03:34
<stevemar> jamielennox: gagehugo and i have questions for you!  03:34
*** adrian_otto has joined #openstack-keystone  03:35
<stevemar> jamielennox: check out ping me when you're online  03:35
*** thorst has quit IRC  03:36
* stevemar is trying to decide which patch he should review first  03:37
*** henrynash has quit IRC  03:44
*** henrynash has joined #openstack-keystone  03:44
*** ChanServ sets mode: +v henrynash  03:44
*** liyuenan has joined #openstack-keystone  03:46
<liyuenan> hi everyone!  03:46
<liyuenan> i have a question about openstackclient  03:46
<liyuenan> when i run openstack user list --os-cloud opnfv  03:47
<liyuenan> it failed  03:47
*** MasterOfBugs has joined #openstack-keystone  03:47
<liyuenan> ERROR: Cloud opnfv was not found.  03:47
<liyuenan> But I had created cloud.yaml in ~/.config/openstack  03:48
<openstackgerrit> Ken Johnston proposed openstack/keystone: Fix typo in main docs page
*** diazjf has quit IRC  03:50
*** nicolasbock has quit IRC  03:50
*** henrynash has quit IRC  03:51
*** henrynash has joined #openstack-keystone  03:51
*** ChanServ sets mode: +v henrynash  03:51
*** adrian_otto has quit IRC  03:54
<stevemar> liyuenan: hmm, what does `openstack --version` say?  03:58
*** adrian_otto has joined #openstack-keystone  03:58
<stevemar> liyuenan: the docs for clouds.yaml are here:
*** ayoung has quit IRC  04:03
*** edtubill has joined #openstack-keystone  04:04
*** adrian_otto has quit IRC  04:04
<openstackgerrit> Ken Johnston proposed openstack/keystone: Readability enhancements to architecture doc
*** henrynash has quit IRC  04:07
*** jerrygb has quit IRC  04:10
*** liyuenan has quit IRC  04:17
*** stingaci has joined #openstack-keystone  04:21
*** edtubill has quit IRC  04:21
*** adrian_otto has joined #openstack-keystone  04:22
*** stingaci has quit IRC  04:26
*** agrebennikov_ has quit IRC  04:28
*** briancurtin has joined #openstack-keystone  04:31
*** agrebennikov_ has joined #openstack-keystone  04:33
*** thorst has joined #openstack-keystone  04:33
*** thorst has quit IRC  04:38
*** liyuenan has joined #openstack-keystone  04:38
*** adrian_otto has quit IRC  04:38
<liyuenan> stevemar: openstack version is 3.7.0  04:39
*** adrian_otto has joined #openstack-keystone  04:40
<stevemar> liyuenan: can you paste your clouds.yaml? (but remove the password?)  04:41
*** nkinder has joined #openstack-keystone  04:42
<liyuenan> there is my cloud.yml  04:43
*** henrynash has joined #openstack-keystone  04:46
*** ChanServ sets mode: +v henrynash  04:46
<openstackgerrit> Richard Avelar proposed openstack/keystone: Add queries for federated attributes in list_users
*** lucas__ has quit IRC  04:53
<MasterOfBugs> Hi All  04:59
<MasterOfBugs> I am getting this error while stacking  04:59
<MasterOfBugs> is this normal?  04:59
*** dikonoor has joined #openstack-keystone  04:59
<MasterOfBugs> +lib/keystone:init_keystone:510            rm -rf /etc/keystone/credential-keys/  04:59
<MasterOfBugs> 2017-01-18 21:12:42.028 | +lib/keystone:init_keystone:511            /usr/local/bin/keystone-manage --config-file /etc/keystone/keystone.conf credential_setup  04:59
<MasterOfBugs> 2017-01-18 21:12:42.781 | usage: keystone-manage [bootstrap|db_sync|db_version|domain_config_upload|fernet_rotate|fernet_setup|mapping_purge|mapping_engine|pki_setup|saml_idp_metadata|ssl_setup|token_flush]  04:59
<MasterOfBugs> 2017-01-18 21:12:42.781 | keystone-manage: error: argument command: invalid choice: 'credential_setup' (choose from 'bootstrap', 'db_sync', 'db_version', 'domain_config_upload', 'fernet_rotate', 'fernet_setup', 'mapping_purge', 'mapping_engine', 'pki_setup', 'saml_idp_metadata', 'ssl_setup', 'token_flush')  04:59
<MasterOfBugs> 2017-01-18 21:12:42.822 | +lib/keystone:init_keystone:1              exit_trap  05:00
<MasterOfBugs> 2017-01-18 21:12:42.827 | +./                  local r=2  05:00
<MasterOfBugs> 2017-01-18 21:12:42.832 | ++./                  jobs -p  05:00
<MasterOfBugs> 2017-01-18 21:12:42.836 | +./                  jobs=  05:00
<MasterOfBugs> 2017-01-18 21:12:42.841 | +./                  [[ -n '' ]]  05:00
<MasterOfBugs> 2017-01-18 21:12:42.845 | +./                  kill_spinner  05:00
<MasterOfBugs> 2017-01-18 21:12:42.850 | +./               '[' '!' -z '' ']'  05:00
<MasterOfBugs> 2017-01-18 21:12:42.854 | +./                  [[ 2 -ne 0 ]]  05:00
<MasterOfBugs> 2017-01-18 21:12:42.858 | +./                  echo 'Error on exit'  05:00
<MasterOfBugs> 2017-01-18 21:12:42.858 | Error on exit  05:00
<MasterOfBugs> 2017-01-18 21:12:42.862 | +./                  generate-subunit 1484773774 188 fail  05:00
<MasterOfBugs> 2017-01-18 21:12:43.282 | +./                  [[ -z /opt/stack/logs/stack ]]  05:00
<MasterOfBugs> 2017-01-18 21:12:43.287 | +./                  /home/otc/devstack/tools/ -d /opt/stack/logs/stack  05:00
<MasterOfBugs> 2017-01-18 21:12:43.313 | df: '/var/lib/ureadahead/debugfs/tracing': No such file or directory  05:00
<MasterOfBugs> 2017-01-18 21:12:43.712 | +./                  exit 2  05:00
<stevemar> MasterOfBugs: is your friend :)  05:00
<MasterOfBugs> how can i work around this?  05:00
<liyuenan> stevemar: could you see my cloud.yml?  05:00
<MasterOfBugs> can u please tell me the location?  05:01
*** nkinder has quit IRC  05:02
<liyuenan> MasterOfBugs: it is another question about openstackclient. :)  05:03
<stevemar> MasterOfBugs: looks like you're using a newer version of devstack on an old keystone branch?  05:03
<stevemar> trying to set up mitaka ?  05:03
<stevemar> liyuenan: looking now  05:03
<stevemar> MasterOfBugs: using devstack's master branch i assume?  05:04
<liyuenan> stevemar: thank you!  05:04
*** herdesh has quit IRC  05:04
<MasterOfBugs> i am using master branch with stable/mitaka for keystone  05:04
<MasterOfBugs> my local.conf  05:04
<MasterOfBugs> is it a good idea or shall i change everything to mitaka?  05:05
<stevemar> MasterOfBugs: can't do that, gotta use the same devstack branch as the branch of openstack you want  05:05
<stevemar> MasterOfBugs: so ... something like git clone -b stable/mitaka  05:05
<stevemar> to get the mitaka branch of devstack  05:05
<stevemar> then it'll download and install a mitaka version of OpenStack for you  05:06
<MasterOfBugs> I will give it a shot  05:06
<stevemar> MasterOfBugs: consider getting a new VM, the one you used may be tainted  05:06
<stevemar> liyuenan: alright, now you :)  05:06
<MasterOfBugs> Cool. Will try it in a new VM  05:06
<liyuenan> stevemar: :)  05:06
<MasterOfBugs> Thanks a lot Steve for your help  05:07
<stevemar> MasterOfBugs: np  05:07
<stevemar> liyuenan: can you run a command with --debug and paste it ?  05:08
<liyuenan> OK, wait a minute  05:08
<stevemar> liyuenan: hmm, a simple thing to try? remove the "----" from your clouds.yaml?  05:09
<stevemar> liyuenan: here's what i use:
*** jerrygb has joined #openstack-keystone  05:10
<liyuenan> I think the openstack couldn't find the cloud.yml  05:12
<stevemar> liyuenan: mine is at /etc/openstack/  05:12
<stevemar> called clouds.yaml, not clouds.yml, not sure if that makes a difference  05:12
<liyuenan> i'll move to /etc/openstack and try again  05:12
<stevemar> liyuenan: signing off for the night, but i think it's a small issue with either the directory or file name extension or adding '---' to the top, file a bug at if it's any of those things  05:15
*** jerrygb has quit IRC  05:15
*** adrian_otto1 has joined #openstack-keystone  05:16
*** adrian_otto has quit IRC  05:16
<liyuenan> I had found the problem. I didn't install os-client-conf correctly!  05:23
<liyuenan> Thank you!  05:24
*** agrebennikov_ has quit IRC  05:31
*** adriant has quit IRC  05:37
*** adrian_otto1 has quit IRC  05:39
*** adrian_otto has joined #openstack-keystone  05:43
*** adrian_otto has quit IRC  05:43
*** Jack_I has joined #openstack-keystone  05:46
*** liyuenan has quit IRC  05:49
*** liyuenan has joined #openstack-keystone  05:51
*** liyuenan has quit IRC  05:52
*** henrynash has quit IRC  05:53
*** lucas__ has joined #openstack-keystone  06:02
<MasterOfBugs> Hi All  06:25
<MasterOfBugs> Can anyone tell me how to update the Babel package  06:26
<MasterOfBugs> ContextualVersionConflict: (Babel 2.2.0 (/usr/local/lib/python2.7/dist-packages), Requirement.parse('Babel>=2.3.4'), set(['castellan']))  06:26
<MasterOfBugs> I am getting this error  06:26
<gagehugo> pip install Babel 2.3.4  06:26
<gagehugo> pip install --upgrade Babel might work too?  06:27
<MasterOfBugs> Cool Gotcha  06:27
<MasterOfBugs> I uninstalled and installed  06:27
<MasterOfBugs> Thanks a lot gage  06:27
*** lucas__ has quit IRC  06:27
*** thorst has joined #openstack-keystone  06:34
*** thorst has quit IRC  06:39
*** richm has quit IRC  06:42
*** hoangcx_ has quit IRC  06:56
*** jerrygb has joined #openstack-keystone  07:00
*** jerrygb has quit IRC  07:05
*** stingaci has joined #openstack-keystone  07:19
*** hoangcx has joined #openstack-keystone  07:22
*** stingaci has quit IRC  07:23
*** masber has quit IRC  07:30
*** voelzmo has joined #openstack-keystone  07:38
*** voelzmo has quit IRC  07:39
*** voelzmo has joined #openstack-keystone  07:43
<breton> oh wow  07:52
*** haplo37_ has quit IRC  08:00
*** hoangcx_ has joined #openstack-keystone  08:01
*** hoangcx has quit IRC  08:03
*** haplo37_ has joined #openstack-keystone  08:03
*** stingaci has joined #openstack-keystone  08:06
*** tesseract has joined #openstack-keystone  08:13
*** openstackgerrit has quit IRC  08:33
*** masber has joined #openstack-keystone  08:34
*** thorst has joined #openstack-keystone  08:35
*** thorst has quit IRC  08:39
*** hoangcx_ is now known as hoangcx  08:45
*** zzzeek has quit IRC  09:00
*** zzzeek has joined #openstack-keystone  09:00
*** pnavarro has joined #openstack-keystone  09:20
*** arunkant has quit IRC  09:29
*** hyakuhei has quit IRC  09:36
*** hyakuhei has joined #openstack-keystone  09:36
*** hyakuhei has quit IRC  09:36
*** hyakuhei has joined #openstack-keystone  09:36
*** mvk has quit IRC  09:54
*** hoangcx has quit IRC  10:07
*** masber has quit IRC  10:26
*** jerrygb has joined #openstack-keystone  10:28
*** mvk has joined #openstack-keystone  10:30
*** jerrygb has quit IRC  10:33
*** thorst has joined #openstack-keystone  10:35
*** thorst has quit IRC  10:40
*** masber has joined #openstack-keystone  10:41
*** r1chardj0n3s_ is now known as r1chardj0n3s  10:43
*** masber has quit IRC  11:06
*** richm has joined #openstack-keystone  11:11
*** zhugaoxiao has joined #openstack-keystone  11:14
*** ayoung has joined #openstack-keystone  11:25
*** ChanServ sets mode: +v ayoung  11:25
*** zhugaoxiao has quit IRC  11:29
*** zhugaoxiao has joined #openstack-keystone  11:29
<stevemar> breton: only ksm/ksa/pycadf for now  11:29
*** nicolasbock has joined #openstack-keystone  11:36
*** ayoung has quit IRC  12:06
*** edmondsw has joined #openstack-keystone  12:07
*** masber has joined #openstack-keystone  12:20
*** jerrygb has joined #openstack-keystone  12:29
*** jerrygb has quit IRC  12:34
*** thorst has joined #openstack-keystone  12:37
*** catintheroof has joined #openstack-keystone  12:43
*** dave-mccowan has joined #openstack-keystone  12:48
*** links has quit IRC  13:11
*** jerrygb has joined #openstack-keystone  13:13
*** ayoung has joined #openstack-keystone  13:14
*** ChanServ sets mode: +v ayoung  13:14
*** AlexOughton has quit IRC  13:20
*** AlexOughton has joined #openstack-keystone  13:21
*** ayoung has quit IRC  13:25
*** ayoung has joined #openstack-keystone  13:27
*** ChanServ sets mode: +v ayoung  13:27
*** Jack_I has quit IRC  13:27
*** agrebennikov_ has joined #openstack-keystone  13:31
*** ayoung has quit IRC  13:38
*** lucas__ has joined #openstack-keystone  13:38
*** ayoung has joined #openstack-keystone  13:38
*** ChanServ sets mode: +v ayoung  13:38
*** ayoung has quit IRC  13:39
<dstanek> stevemar: morning  13:40
*** ayoung has joined #openstack-keystone  13:43
*** ChanServ sets mode: +v ayoung  13:43
*** agrebennikov_ has quit IRC  13:47
<stevemar> dstanek: ahoy  13:48
<dstanek> stevemar: ha, i just commented on the review  13:55
<dstanek> stevemar: for webob i was going to submit a second patch, but ran out of time  13:55
<stevemar> dstanek: don't forget to review the stuff here: :)  13:56
*** markvoelker has quit IRC  13:57
<dstanek> stevemar: already on it :-) tests for auto provisioning are running now  13:57
*** markvoelker has joined #openstack-keystone  14:01
*** lamt has joined #openstack-keystone  14:02
*** lamt has quit IRC  14:04
*** openstackgerrit has joined #openstack-keystone  14:13
<openstackgerrit> Merged openstack/keystone: switch @hybrid_property to @property
*** agrebennikov_ has joined #openstack-keystone  14:14
*** ayoung has quit IRC  14:16
<openstackgerrit> Merged openstack/keystone: Fix typo in main docs page
*** dikonoor has quit IRC  14:36
<openstackgerrit> Lance Bragstad proposed openstack/keystone: Add documentation for auto-provisioning
*** nkinder has joined #openstack-keystone  14:53
*** edmondsw_ has joined #openstack-keystone  14:55
*** edmondsw has quit IRC  14:56
*** v1k0d3n has joined #openstack-keystone  15:00
<openstackgerrit> Ron De Rose proposed openstack/keystone: Add domain_id to the user table
<openstackgerrit> Ron De Rose proposed openstack/keystone: Set the domain for federated users
<openstackgerrit> Ken Johnston proposed openstack/keystone: Readability enhancements to architecture doc
*** adrian_otto has joined #openstack-keystone  15:14
<openstackgerrit> Lance Bragstad proposed openstack/keystone: Implement federated auto-provisioning
<openstackgerrit> Lance Bragstad proposed openstack/keystone: Add documentation for auto-provisioning
*** edtubill has joined #openstack-keystone  15:19
*** lucas__ has quit IRC  15:20
*** lucas__ has joined #openstack-keystone  15:21
*** jaugustine has joined #openstack-keystone  15:23
*** MasterOfBugs has quit IRC  15:23
*** sheel has quit IRC  15:27
*** markvoelker_ has joined #openstack-keystone  15:28
<openstackgerrit> Ron De Rose proposed openstack/keystone: Add domain_id to the user table
*** markvoelker has quit IRC  15:29
*** markvoelker has joined #openstack-keystone  15:31
*** jaosorior has joined #openstack-keystone  15:31
*** ayoung has joined #openstack-keystone  15:31
*** ChanServ sets mode: +v ayoung  15:31
*** adrian_otto has quit IRC  15:31
*** lucas__ has quit IRC  15:32
*** markvoelker_ has quit IRC  15:33
<openstackgerrit> Ron De Rose proposed openstack/keystone: Set the domain for federated users
*** ravelar has joined #openstack-keystone  15:34
*** lamt has joined #openstack-keystone  15:40
*** dikonoor has joined #openstack-keystone  15:42
*** chris_hultin|AWA is now known as chris_hultin  15:45
*** chris_hultin is now known as chris_hultin|AWA  15:45
<stevemar> rderose: i guess you still need to do a migration for federated users even if you just add the domain_id to the federated_users table?  15:46
<stevemar> rderose: mucking around with FKs of the user table makes my ears perk up  15:46
<stevemar> that's why i was asking to isolate it to federated_users table, far fewer deployments have things in there  15:47
*** chris_hultin|AWA is now known as chris_hultin  15:47
<rderose> stevemar: yeah, totally understand  15:48
<rderose> stevemar: tried really hard to make it simple, but eventually came to this design  15:49
<rderose> stevemar: the domain_id is needed in the user table, as all users (including federated) should belong to a domain  15:50
<rderose> stevemar: and it's needed in the local_user table to enforce domain_id/name uniqueness  15:50
*** mvk has quit IRC  15:50
<rderose> stevemar:, user.domain_id -> local_user.user_id, local_user.domain_id (composite fk) solves both of these  15:51
*** Jack_I has joined #openstack-keystone  15:53
*** spzala has joined #openstack-keystone  16:01
*** lamt has quit IRC  16:02
*** adrian_otto has joined #openstack-keystone  16:03
*** voelzmo has quit IRC  16:04
*** david-lyle has joined #openstack-keystone  16:06
*** lamt has joined #openstack-keystone  16:13
*** thorst is now known as thorst_afk  16:19
*** lucas__ has joined #openstack-keystone  16:22
*** lamt has quit IRC  16:25
*** lamt has joined #openstack-keystone  16:30
*** hrybacki is now known as hrybacki|afkish  16:32
*** links has joined #openstack-keystone  16:37
*** thorst_afk is now known as thorst_  16:37
*** lucas__ has quit IRC  16:44
*** edtubill has quit IRC  16:51
*** david-lyle has quit IRC  16:55
*** spzala has quit IRC  16:56
*** jistr is now known as jistr|afk  16:57
<openstackgerrit> Lance Bragstad proposed openstack/keystone: Add documentation for auto-provisioning
<openstackgerrit> Lance Bragstad proposed openstack/keystone: Implement federated auto-provisioning
*** edtubill has joined #openstack-keystone  17:01
*** diazjf has joined #openstack-keystone  17:03
*** pnavarro has quit IRC  17:04
*** lamt has quit IRC  17:05
*** lamt has joined #openstack-keystone  17:06
*** links has quit IRC  17:11
*** ravelar has quit IRC  17:12
*** dikonoor has quit IRC  17:14
<lbragstad> stevemar what specifically did you want added here - ?  17:15
<lbragstad> just things to talk about during the PTG?  17:15
*** ravelar has joined #openstack-keystone  17:18
*** david-lyle has joined #openstack-keystone  17:18
*** david-lyle has quit IRC  17:18
*** pnavarro has joined #openstack-keystone  17:19
*** mvk has joined #openstack-keystone  17:19
<openstackgerrit> David Stanek proposed openstack/keystone: Small fixes for WebOb 1.7 compatibiltity
<openstackgerrit> David Stanek proposed openstack/keystone: *DO NOT MERGE* test of webob 1.7.1
<openstackgerrit> Samuel Pilla proposed openstack/keystone: Add password expiration queries for PCI-DSS
<morgan> dstanek: but I WANT TO MERGE IT. *presses button* :P  17:23
*** david-lyle has joined #openstack-keystone  17:28
*** stingaci has quit IRC  17:28
<dstanek> morgan: i won't get in your way  17:29
*** browne has joined #openstack-keystone  17:37
*** stingaci has joined #openstack-keystone  17:39
*** stingaci has quit IRC  17:39
*** stingaci has joined #openstack-keystone  17:39
<stevemar> lbragstad: yes, i'm not sure how the PTG will go :P  17:39
<stevemar> lbragstad: treat it like a midcycle maybe?  17:40
<stevemar> list of big topics to talk about ?  17:40
<lbragstad> stevemar i'm assuming you just want people to dump ideas in there?  17:40
<lbragstad> and then we'll sort them into buckets?  17:40
<stevemar> lbragstad: well, i won't be PTL at the PTG, so it's not my problem :D  17:40
<stevemar> ok ok, not problem, but the structure is not for me to decide :D  17:41
<lbragstad> stevemar you seem *way* too excited about those two statements  17:41
*** stingaci has quit IRC  17:42
<dstanek> lbragstad: ++  17:42
<stevemar> lbragstad: you have no idea  17:43
*** adrian_otto has quit IRC  17:46
*** diazjf has quit IRC  17:54
*** lucas has joined #openstack-keystone  17:56
*** jistr|afk is now known as jistr  18:01
*** jdennis has quit IRC  18:03
*** lucas has quit IRC  18:04
*** jdennis has joined #openstack-keystone  18:07
*** stingaci has joined #openstack-keystone  18:08
<stevemar> rderose: yeah, the code is just hard to read and test  18:08
<rderose> stevemar: I know and the triggers just make it 10x worse  18:09
<rderose> stevemar: appreciate the review  18:09
<stevemar> rderose: i'll muster up the energy to review it again today  18:10
<openstackgerrit> Richard Avelar proposed openstack/keystone: Add queries for federated attributes in list_users
<rderose> stevemar: cool, thx  18:15
*** adrian_otto has joined #openstack-keystone  18:17
*** david-lyle has quit IRC  18:18
*** catinthe_ has joined #openstack-keystone  18:18
*** catintheroof has quit IRC  18:18
<morgan> stevemar: i don't know how this previously even worked.  18:25
<morgan> stevemar: the methods [] in the token body seems.... wonky as hell  18:25
<morgan> oooh i see it now  18:26
<morgan> *rolls eyes*  18:26
<kfox1111> is anyone using cephfs for fernet key storage?  18:32
<lbragstad> kfox1111 not that I am aware of  18:33
<kfox1111> k. just curious. :)  18:33
<lbragstad> kfox1111 sounds interesting though  18:33
<kfox1111> yeah. looking at ways to implement it in kolla-kubernetes.  18:35
<kfox1111> could do it as a read only cephfs mount on all the keystone containers,  18:36
<lbragstad> kfox1111 ah - then do the rotation using ceph  18:36
<kfox1111> and a scheduledjob container that does the rolling with rw access to cephfs.  18:36
*** spilla has joined #openstack-keystone  18:37
*** hrybacki|afkish is now known as hrybacki|sick  18:40
<morgan> kfox1111: is cephfs stable?  18:40
<morgan> kfox1111: i haven't used it in ages, but it wasn't really before, only rbd was  18:40
*** stingaci has quit IRC  18:41
<openstackgerrit> Samuel Pilla proposed openstack/keystone: Add password expiration queries for PCI-DSS
<openstackgerrit> Morgan Fainberg proposed openstack/keystone: Add user_mfa_rules table
<openstackgerrit> Morgan Fainberg proposed openstack/keystone: Auth Method Handlers now return a response object always
*** Jack_V has joined #openstack-keystone  18:54
*** lucas has joined #openstack-keystone  18:55
<kfox1111> morgan: it became stable in jewel.  18:57
<kfox1111> been using it for about a year though without issue on a fairly large storage system.  18:58
*** Jack_I has quit IRC  18:58
<openstackgerrit> Morgan Fainberg proposed openstack/keystone: Add SQL Upgrade Tests for MFA rules
*** lucas has quit IRC  19:02
*** voelzmo has joined #openstack-keystone  19:05
*** voelzmo has quit IRC  19:05
*** lucas has joined #openstack-keystone  19:06
<openstackgerrit> Rodrigo Duarte proposed openstack/keystone: WIP: Test cross domain implied roles
<dstanek> samueldmq: you around?  19:08
<dstanek> samueldmq: lbragstad has forced my hand and i need to finish the federation mapping documentation revisions i started. was hoping you could take a peek and see if it helps clear things up?  19:09
<dstanek> i just need to rebase on top of lbragstad's new stuff  19:09
*** voelzmo has joined #openstack-keystone  19:10
*** MasterOfBugs has joined #openstack-keystone  19:12
*** jose-phillips has joined #openstack-keystone  19:14
*** diazjf has joined #openstack-keystone  19:15
<catinthe_> guys, quick question, should a domain admin (not a cloud admin) be able to modify project quotas ?  19:19
<lbragstad> dstanek sure  19:19
<lbragstad> dstanek do you have a link?  19:19
<dstanek> lbragstad: i will in just a few. making a few doc changes that i mentioned in your review. and then i'll cherry pick mine on top  19:20
<lbragstad> dstanek cool  19:20
<openstackgerrit> Rodrigo Duarte proposed openstack/keystone: Expose bug for cross domain implied roles
<rodrigods> hey ^ we need eyes on this (and in the related bug)  19:22
<catinthe_> rodrigods: quick question, should a domain admin (not a cloud admin) be able to modify project quotas ?  19:24
<rodrigods> catinthe_, i'd say yes  19:24
<catinthe_> rodrigods: you'd say yes ? or is yes ?  19:25
<rodrigods> catinthe_, i would say yes  19:25
<catinthe_> rodrigods: sorry but i need to confirm to check if it's a horizon bug  19:26
*** ravelar has quit IRC  19:26
<rodrigods> the tricky part is because other services aren't aware of domains  19:26
<catinthe_> or a feature not supported by keystone  19:26
<rodrigods> catinthe_, this is missing  19:26
<catinthe_> rodrigods: sure, but cloud admin on a domain enabled is able to modify them using keystone as proxy  19:26
<catinthe_> rodrigods: so, isn't that possible from a domain admin perspective ?  19:27
<rodrigods> catinthe_, this is something that should be enforced via policy  19:27
<rodrigods> since other services aren't "domain aware"  19:27
<rodrigods> they can't  19:27
*** adrian_otto has quit IRC  19:28
*** tesseract has quit IRC  19:29
* stevemar will be in a metal tube tomorrow  19:31
<dstanek> lbragstad: uggg... i have to word-smith for projects  19:31
*** voelzmo has quit IRC  19:33
*** openstackgerrit has quit IRC  19:33
*** adrian_otto has joined #openstack-keystone  19:33
*** voelzmo has joined #openstack-keystone  19:34
*** nkinder has quit IRC19:39
*** jamiec has joined #openstack-keystone19:40
*** ravelar has joined #openstack-keystone19:42
lbragstadstevemar we don't have tracked in your handy-dandy spreadsheet do we?19:45
lbragstadstevemar aha - nevermind...19:46
*** lucas has quit IRC19:46
lbragstadstevemar I see you have that pushed into Pike19:47
*** lucas has joined #openstack-keystone19:47
*** david-lyle has joined #openstack-keystone19:48
stevemarlbragstad: its on the fence19:48
stevemarlbragstad: review it, if it makes it, all good. but i assume its going to be multiple releases19:48
lbragstadstevemar it is - i was perusing the stuff in the etherpad and I didn't see it there, but I didn't look at the pike one19:48
lbragstads/etherpad/spreadsheet/ (same thing, right?)19:49
stevemarlbragstad: more or less :P19:49
stevemarlbragstad: i'm reviewing it, if it lands i'm OK with it19:49
stevemarif it doesn't meh19:49
lbragstadstevemar cool - i think ravelar has another patch set coming sometime today19:49
knikollalbragstad nice to see you run :)19:50
lbragstadknikolla thanks!19:51
morganstevemar: sql tests posted. about to start on the next small batch of auth path19:54
stevemarmorgan: can i get your take on from a security PoV ?19:54
morganstevemar: sure19:55
morganfwiw, the concept is def something we talked about so yay19:55
morganreviewing code now19:55
stevemarmorgan: so if PCI is enabled, and a user has an expired password, how can he/she reset it on their own19:56
morganftr: I am against more config options19:56
stevemarbasically it involves removing the auth decorator which makes me nervous19:56
morganuse policy19:56
morgannot more config options19:56
morganreading code things19:56
*** openstackgerrit has joined #openstack-keystone19:59
openstackgerritGage Hugo proposed openstack/keystone: Allow user to change own expired password
*** spilla has quit IRC20:00
*** lucas has quit IRC20:01
dstaneklbragstad: stevemar: keystone-horizon meeting?20:02
lbragstaddstanek i'm assuming it's still on... I haven't seen a cancellation notice of any kind.20:03
dstanekisn't it supposed to be now or is my calendar fubar?20:03
*** spilla has joined #openstack-keystone20:03
lbragstaddstanek nope - your calendar != fubar20:04
knikollayeah, i have it on calendar for now too20:05
*** dave-mccowan has quit IRC20:08
*** dave-mccowan has joined #openstack-keystone20:09
morgangagehugo: bah you just pushed another patch while i was reviewing20:11
morgangagehugo: FYI I'm going to -1 the new one and say "see comments on #19"20:11
samueldmqdstanek: hi, I am around now20:11
samueldmqSure a may have a look. Is it up for review yet?20:11
samueldmqlbragstad: has shadow mappings merged yet?20:12
gagehugomorgan: sure20:12
lbragstadsamueldmq not yet20:12
lbragstadsamueldmq i believe it has been approved though20:12
morgangagehugo: in short, don't add another config option20:13
samueldmqKk, if not I will take a final look and approve it.20:13
samueldmqSorry it has been a long week in LCA, timezones, etc20:14
samueldmqlbragstad: ^20:14
morgangagehugo: or at the very least do not add a whole extra @protected decorator20:14
morganyou can check directly in the controller change password method20:14
morgangagehugo: i am unsure if we would allow the changing of passwords at all if you can't change an expired password self-service wise20:14
lbragstadsamueldmq awesome - thanks!20:15
morganstevemar: ^ cc question re password change20:15
*** darrenc_ is now known as darrenc20:15
stevemarmorgan: include gagehugo too20:15
morganstevemar: i was talking to gagehugo ;)20:15
gagehugomorgan: so would reverting to how it was done in #16 be better?20:15
morganbefore we do that, asking steve's opinion20:15
gagehugomorgan: I added the config because I've seen this handled both ways before20:15
morganwe have a TON of knobs in keystone and a lot will never be set20:16
morganor used20:16
morganthis feels like one of them. my guess is you either can't change your password or you can20:16
morganexpired or not20:16
morganbut i'm open to the current impl if we think it is super important to have the knob20:16
gagehugoah ok I see what you mean20:16
morganthe only hard requirement i have is default it to true20:16
lbragstadsamueldmq both of my patches have been approved -
stevemarmorgan: gagehugo we can have the knob, but set it to true!20:16
samueldmqlbragstad: cool. And I assume the docs dstanek was referring to were "Add documentation for auto-provisioning"20:16
lbragstadsamueldmq but dstanek has another one on the way to improve the docs20:17
morgansane defaults :)20:17
stevemarmorgan: gagehugo its still going to depend on someone setting the PCI expires knob20:17
morganalso the @protected decorator should be sufficient20:17
stevemarand i can't imagine someone wants all their users to expire but NOT have this ability20:17
morganyou shouldn't need *another* decorator20:17
samueldmqlbragstad: ah okay, so another one based on your docs ^ ?20:17
morgani'm re-looking at that part20:17
morganbut i really, really, don't want to add more of these @protected decorators20:18
gagehugodstanek: ^^20:18
lbragstadsamueldmq yeah - i think he is in the process of working on it now, and cherry-picking it on top of my docs patch20:18
morganit makes security maintenance a nightmare (it already is)20:18
morganbut more and more places to manage where things are gated on is not helping us20:18
samueldmqlbragstad: Sweet, thanks! I will review it20:18
stevemargagehugo: hehe, did dstanek tell you to add one and morgan tell you not to? :)20:19
gagehugostevemar: heh20:20
gagehugoI'm fine either way20:20
morgani want to kill the decorators20:20
morganthey are stupidly complex and hard to debug20:20
gagehugoI did have to ask him for help, double decorators is a bit tricky20:20
morganfrom a pure security and maintenance standpoint, that is sufficient for me to advocate not having more.20:20
dstanekadd what?20:20
lbragstadmorgan i feel like you've had this discussion with dstanek before20:20
morgandstanek: @protected_optional20:20
dstanekoh, right20:20
morgandstanek: *another* @protected decorator20:21
dstanekyou don't what a second decorator?20:21
morgani don't want a 3rd... or is this a 4th?20:21
dstaneki didn't like the idea of "softening" the one we have20:21
morganwe already did that with callback=<callback>20:21
lbragstadsounds like we need a sixth20:21
morganyou could write a callback that does exactly what the new one does if wanted.20:21
*** jaugustine has quit IRC20:21
morganbut i would make that API unprotected20:21
lbragstadmoar decorators please!20:22
morganor make it so it can be blocked but doesn't do the whole other protected logic20:22
morganvia policy.json20:22
morganit really needs to be an "open" not token-required API20:22
morganor simply a 403 if it is disabled20:22
morganiirc that is what we discussed last time20:23
morganmaking it an open API, most of the time you need it you won't be able to get a token20:23
dstanekmorgan: a callback is a good idea; i just don't like the 'protected' optionally protecting20:23
morganlike i said, I'd go a step further and not do @protected at all20:24
morganit really shouldn't be locked behind a token20:24
gagehugomorgan: that was the original design20:24
morganbut if we *need* to lock it optionally, roll the current new decorator into a callback.20:24
morganand pass it as @protected(callback=<callback>)20:24
morgandstanek: is there a reason you want it behind @protected?20:25
morganbesides "it was already there"?20:25
dstanekmorgan: not in particular. that is what the original review was doing to apply policy.20:26
morganyay lbragstad is running for PTL, means I don't have to :P20:26
morgani'm inclined to say the API should be open20:26
morgannot under @protected20:26
morganat all20:26
*** stingaci has joined #openstack-keystone20:26
morgangagehugo: so here are the 2 "fixes" needed for me to lift the -1:20:27
morgangagehugo: Default the option to True (if you keep the option)20:27
gagehugomorgan: sure20:28
morgangagehugo: either drop @protected from the API *or* roll the new functionality into the callback=<>20:28
gagehugomorgan: dropping it seems easier :)20:28
morganit does.20:28
morganbut if we need it, i'll not make dropping it a hard requirement20:28
morgansince we already have the option to modify @protected with a callback, we might as well use it.20:29
openstackgerritDavid Stanek proposed openstack/keystone: Updates to project mapping documentation
openstackgerritDavid Stanek proposed openstack/keystone: WIP for federated mapping doc improvements
gagehugoI almost feel like if we drop the @protected it may not be really worth it to keep the config20:30
dstaneklbragstad: samueldmq: ^20:30
lbragstaddstanek sweet - thanks!20:30
dstaneklbragstad: samueldmq: i'm not done, but i wanted to give samueldmq a preview20:30
morgangagehugo: i have added comments to patchset #20 to the effect of what we discussed here :)20:30
gagehugomorgan: thanks20:31
*** voelzmo has quit IRC20:31
morgangagehugo: so the config option is orthogonal to @protected20:31
*** stingaci has quit IRC20:31
morgangagehugo: either you want to allow disabling of changing expired passwords or not20:31
morgani personally don't think that option will ever be toggled20:31
morgansince you can disable a user with disabled=True20:31
morganrather than locking them due to an expired password20:31
gagehugomorgan: yeah. I like giving people choices, but you're probably right that it will probably never be changed if default is true20:32
gagehugoand yeah the disabled thing is true too20:32
morganbut if you and others think that level of control is needed, i'm not blocking on it20:32
morgani like giving options, i don't like giving options that control every single detail and providing a non-opinionated service. it leads to wildly different experiences depending on many elements in a matrix depending on deployment20:33
morganIMO configs should never affect the end user experience to the core APIs20:33
morgan(exception being such as the auth workflow being different for SSO/SAML/OIDC/etc)20:33
samueldmqdstanek: cool, looking at it now20:34
morganbut the core APIs and how they respond, how they interact, etc should be baseline regardless of the deployment.20:34
gagehugomorgan: agreed20:34
samueldmqlbragstad: BTW, awesome candidacy email.20:34
lbragstadsamueldmq thanks :)20:34
morganlbragstad: you know what you're walking into right?20:35
morganlbragstad: just make sure you're aware of it.20:35
stevemarmorgan: a blast!20:35
lbragstadmorgan not a clue20:35
morganstevemar: you're just loopy from doing it 3 cycles in a row. admit it20:35
stevemargagehugo: do you have any questions about morgan's comments?20:35
*** lucas has joined #openstack-keystone20:35
morganstevemar:  ;)20:35
* lbragstad wonders what all these buttons do! 20:35
stevemarmorgan: delirious20:35
gagehugostevemar: not yet, I'll take a look at them after I get out of this meeting20:37
morgangagehugo: you can ignore the comments on #1920:37
morgangagehugo: just the new one on #20 and that will be sufficient imo20:37
gagehugomorgan: ok, thanks for looking it over20:37
morganfrom a pure security standpoint. it's no worse/better than anything else in keystone20:38
morgani don't see it introducing anything new/questionable20:38
stevemarthanks morgan20:38
morganor exposing anything weird. we still require old password20:38
morganit's just modifying how we allow changing of passwords20:39
*** adrian_otto has quit IRC20:39
morganonce the auth occurs20:39
dstaneksamueldmq:  i see why you were confused about local and remote being rules. we actually defined those as rules in our documentation20:39
morgan(old password that is)20:39
morganit would be an issue if we didn't have an explicit passwordexpired exception20:40
morganbut since we do, nbd20:40
morganstevemar: i want to point out authenticate_for_token is a TERRIBLE method name20:40
stevemarno one has changed it since G?20:41
samueldmqdstanek: :-)20:41
samueldmqdstanek: so, on those docs. If the target there is deployers, I am not sure it's worth it to add all those implementation details.20:43
*** nicodemus_ has joined #openstack-keystone20:43
samueldmqI mean, that can be a long doc for those who just want to know the principle behind it and an example.20:44
morganstevemar: yep.20:44
morganstevemar: it's bad =/20:44
openstackgerritMerged openstack/keystone: Implement federated auto-provisioning
morganbut meh20:44
samueldmqOn the other hand the details are very useful for those who want to know the impl details, like me (not a deployer)20:45
dstaneksamueldmq: what implementation details?20:45
dstaneksamueldmq: i only added things you need to know in order to write a mapping20:45
samueldmqdstanek: this part: the mapping is entered in a loop and we stop after the first match, this JSON becomes this one internally but with lists instead20:46
*** pnavarro has quit IRC20:46
*** voelzmo has joined #openstack-keystone20:46
dstaneksamueldmq: as an operator writing a mapping don't you need to know that?20:46
dstanekhi nicodemus_20:46
*** browne has quit IRC20:47
*** diazjf has quit IRC20:47
nicodemus_what would be the correct way to get the domain-id in an API if I receive a project-scoped token?20:47
dstaneksamueldmq: i actually thought people would ding me on the opposite. the docs are written from an operator point of view and don't exactly translate to the implementation directly. logically, but not directly20:48
*** ravelar has quit IRC20:49
samueldmqdstanek: yeah, I thought logically could be enough. Like it was before but applying your comments.20:49
dstaneksamueldmq: ?20:49
*** diazjf has joined #openstack-keystone20:49
samueldmqdstanek: I am not an operator, that's useful to me though20:49
lbragstadstevemar where was your etherpad on the things that needed to merge?20:49
*** browne has joined #openstack-keystone20:49
dstaneklbragstad: this one ?20:50
lbragstaddstanek yep20:50
samueldmqdstanek: what I was considering to be too detailed is in "how mappings work", one may just skip that if found not useful.20:51
*** voelzmo has quit IRC20:51
samueldmqdstanek: and it is still there for those who want more details. So that makes sense to me20:51
stevemargagehugo: you're getting close!20:51
gagehugostevemar: \o/20:51
dstaneksamueldmq: if you don't know how they are processed you can't write one20:52
gagehugostevemar: this patch set was definitely interesting to work on20:52
dstanekthat's why i get asked the same questions all of the time. "Why isn't my last rule being used?" or "Why isn't this in the direct maps? The conditional matches!"20:53
samueldmqdstanek: hmm you're right. We stop after the first match, correct?20:53
samueldmqdstanek: yes, that's correct. Thanks for clarifying20:53
dstaneksamueldmq: yep. before i submit for real i'll double check everything. this was just my brain dump after our conversation last week20:54
dstaneki still need to go through and make sure everything is consistent20:54
*** ravelar has joined #openstack-keystone20:54
samueldmqdstanek: nice!20:54
dstaneknicodemus_: v2 or v3?20:54
nicodemus_dstanek, v320:55
samueldmqBTW well done lbragstad and dstanek on getting that auto-provisioning done!20:55
dstaneknicodemus_: doesn't the token response contain the domain id?20:55
lbragstadsamueldmq not a problem - thanks for reviewing20:55
dstaneksamueldmq: that was all lbragstad.20:55
samueldmqMy pleasure reviewing :)20:56
dstaneksamueldmq: the only thing i did was a small change to the mapping engine20:56
samueldmqCool. lbragstad has been doing awesome, especially this cycle.20:56
samueldmqWell, gotta run, brb20:57
lbragstadsamueldmq later20:57
nicodemus_dstanek, to elaborate: I added some domain support to an API, and just now realize that horizon can make a call with a project-scoped token. So, what I need to do now (since a project can belong to a single domain) is to ask keystone about the domain ID of the token's project ID20:57
*** pablo|500| has quit IRC20:57
nicodemus_dstanek, and before starting to code aimlessly... perhaps you could guide me about the recommended way20:57
stevemarspilla: your patch is up next!21:00
*** lucas has quit IRC21:01
*** lucas has joined #openstack-keystone21:01
*** Jack_V has quit IRC21:03
*** jaugustine has joined #openstack-keystone21:04
spillastevermar: :D21:05
*** ravelar has quit IRC21:07
*** ravelar has joined #openstack-keystone21:08
*** v1k0d3n has quit IRC21:09
dstanekstevemar: you guys are approving too fast for me. i think i need to start at the bottom of the list21:11
dstaneknicodemus_: i think you'll get back user information if you validate the token21:12
dstaneknicodemus_: what do you need the domain for?21:12
nicodemus_dstanek, because I have several resources that contain the domain-id metadata, and need to filter those resources to show only the ones that belong to the same domain as the token (even if the token doesn't contain the domain-id)21:14
dstaneknicodemus_: gotcha21:15
nicodemus_I was thinking issuing a keystone project show with the project ID to get the domain ID, would that be better or worse than validating the token?21:15
nicodemus_^^^ meaning importing keystone-client in the code and so on21:16
openstackgerritRichard Avelar proposed openstack/keystone: Add queries for federated attributes in list_users
dstaneknicodemus_: well, do you want to know the domain of the user or the project, since they can be different21:18
nicodemus_the domain of the project21:18
dstaneknicodemus_: then you21:19
dstanekyou'll need to query the project21:19
dstaneknicodemus_: because the user can scope to a project in a given domain they have access to other resources in that same domain?21:20
nicodemus_dstanek, that is correct21:22
*** slunkad has quit IRC21:22
dstaneknicodemus_: that seems like a strange assumption. what is the service you are working on?21:23
morganstevemar: almost done with the base changes for the MFA ruleset21:24
morganstevemar: woo, this is going pretty well.21:24
stevemarmorgan: nice!21:24
*** henrynash has joined #openstack-keystone21:24
*** ChanServ sets mode: +v henrynash21:24
stevemarwe might just have an MFA story for this cycle ;)21:24
nicodemus_dstanek, I'm altering gnocchi, but it is a custom modification that we are trying out21:24
*** slunkad has joined #openstack-keystone21:25
dstaneknicodemus_: cool, i would just not expect to have access to one project because i have access to another in the same domain, for instance21:26
morganstevemar: this opens the doors for much needed simplification but this is basic restructuring. in about ~2 more patches the "load rules" and make sure the methods match at least one rule. The nice thing is if you re-scope, your MFA rules will still match because the methods for the tokens are [token + all previous methods]21:26
morganstevemar: so we will know if an original auth had, say totp, or password + totp, etc21:26
dstaneki don't know anything about the gnocchi architecture though so i don't know how its resources are organized21:26
stevemarmorgan: thats awesome21:27
morganstevemar: in theory we could *require* some APIs to have TOTP this way21:27
morgansuch as administrative things by adding a value to policy saying methods must be MFA or some such21:27
nicodemus_dstanek, the idea is that if the gnocchi API receives a project scoped token, I need to get the domain ID in order to know what resources to show21:27
morganstevemar: meaning a user could disable MFA rules but not act until they re-enabled it21:28
nicodemus_dstanek, do you know if querying for the project details is something that keystone would cache?21:28
morgannicodemus_: keystone tries to cache many things if possible for both a given request and if you enable memcache caching21:29
*** voelzmo has joined #openstack-keystone21:29
*** woodster_ has joined #openstack-keystone21:30
dstaneknicodemus_: yep, enable memcache caching and make sure you specifically cache resources21:30
nicodemus_morgan, we do have memcache enabled, just wanted to double-check before seeing my keystone suffering under the load :)21:30
morgannicodemus_: it should cache requests for project reference21:30
morgannicodemus_: there are few things (credential backend) and some other stuff we don't cache21:31
morganwe also do not cache list operations21:31
morganbut if you do get-project(id) basically, it should be cached21:31
nicodemus_dstanek, morgan, awesome. Thanks a lot!! :D21:31
nicodemus_appreciate it21:31
morganhappy to help :)21:31
* morgan taps foot waiting for unit tests...21:32
dstanekthis adding domain_id is giving me headaches trying to think about the consequences21:32
morgandstanek: to what are you adding domain_id?21:32
*** voelzmo has quit IRC21:33
dstanekmorgan: no i...
*** david-lyle has quit IRC21:35
dstanekrderose: i don't understand the new constraints in your domain_id patch21:35
*** nicodemus_ has quit IRC21:35
*** adrian_otto has joined #openstack-keystone21:36
rderosedstanek: the new unique constraint21:37
dstanekrderose: our data model is uber screwy. do we need a unique constraint on the user table for (id, domain)?21:39
*** david-lyle has joined #openstack-keystone21:39
dstanekrderose: is that how you are keeping the local_user values in sync?21:39
*** david-lyle has quit IRC21:39
rderosedstanek: yes, in order to have a composite fk constraint in the child tables, we need a unique constraint in the user table21:39
*** david-lyle has joined #openstack-keystone21:39
rderosedstanek: the fk constraint will keep the domain_id (and user_id for that matter) in sync21:40
rderosedstanek: having the composite fk (user_id, domain_id) allows us to set the domain_id for all users in the user table21:41
rderosedstanek: but also keeps an entry in the local_user table to enforce domain_id + name unique constraint21:42
*** henrynash has quit IRC21:45
*** thorst_ has quit IRC21:45
rderosedstanek: I know it appears complex, but all we're really doing is creating a composite foreign key between user and local_user, such that:21:47
rderoseuser (id, domain_id) => local_user fk(user_id, domain_id)21:47
dstanekdo we test upgrades against supported DBs in the gate21:49
*** bandrus has left #openstack-keystone21:50
lbragstaddstanek we have the opportunistic tests, but that's it21:50
dstaneklbragstad: that's unfortunate. i don't know if the triggers work :-)21:51
dstanekrderose: is there any reason why the triggers handle the user.domain_id differently?21:53
rderosedstanek: are you referring to postgresql and mysql?21:54
dstanekmysql checks that domain_id is null where pg doesn't21:54
rderoseyeah, for pg, I'm just blindly updating the domain_id21:55
rderosepg does triggers differently where you define a function21:55
*** arunkant has joined #openstack-keystone21:55
rderosedstanek: really, for inserts you only need to set the domain_id if it is null21:56
rderosedstanek: old code running at that point21:56
dstanekany reason why you don't nuke the domain_id in mysql/sqlite the same way?21:56
rderosedstanek: I could have, but if new code is running, it's being set21:56
*** diazjf has quit IRC21:57
openstackgerritSamuel Pilla proposed openstack/keystone: Add password expiration queries for PCI-DSS
rderosedstanek: the inconsistency is really because I created the mysql and sqlite triggers first, got them working21:58
rderoseand much later worked on the pg21:58
*** lucas has quit IRC22:00
dstanekok, it's doubtful they make a difference anyway since i don't think there is a way to change domain_id via the api, is there?22:00
dstaneki'd have to check update_user, but i didn't think it would do that22:01
*** dave-mccowan has quit IRC22:08
*** thorst_ has joined #openstack-keystone22:11
*** adriant has joined #openstack-keystone22:12
rderosedstanek: correct22:15
*** thorst_ has quit IRC22:15
rderosedstanek: actually, sorry, I believe you can update the domain_id for a user22:16
rderosethrough update_user22:16
lbragstadhave folks here played with story board much?22:19
*** ravelar has quit IRC22:24
stevemarlbragstad: nope22:25
openstackgerritGage Hugo proposed openstack/keystone: Allow user to change own expired password
*** spilla has quit IRC22:28
lbragstadstevemar I haven't played with it in a while22:28
lbragstadlooks a lot different than what I remember!22:28
*** spilla has joined #openstack-keystone22:35
*** chris_hultin is now known as chris_hultin|AWA22:35
knikollaarghh, anybody has a minute for git help?22:35
stevemargagehugo: quick release note clean up and you get a +222:36
stevemarknikolla: just state your problem :)22:36
knikollastevemar: i rebased on top of a review, and when i do git-review it's telling me that i will publish both commits (mine and the one i rebased on top of)22:37
knikollamaybe rebasing changed the changeid of the previous one22:37
lbragstadknikolla it could have22:38
lbragstadknikolla if you `git review -d <change-you-want-to-base-off-of>` you should get placed at that exact point in time of the latest ps22:38
openstackgerritGage Hugo proposed openstack/keystone: Allow user to change own expired password
gagehugostevemar: thanks!22:38
lbragstadknikolla then you can do `git review -x <your-change>` to cherry pick on top of it22:39
lbragstadknikolla that should only change the patch you cherry picked22:39
knikollalbragstad: will try that! thanks!22:39
lbragstadknikolla so you should be able to do `git review --yes --no-rebase` and it shouldn't push a new version of the patch you based your change on22:40
*** thorst_ has joined #openstack-keystone22:40
*** thorst_ has quit IRC22:43
lbragstadknikolla yeah - that looks good22:47
rderosedstanek: saw your pagination comment22:48
lbragstadknikolla if you double check - you'll see that rodrigods's commit sha is 9005858a0, which is the same as the latest commit sha here
lbragstadknikolla so there shouldn't be anything you have locally that is different from what rodrigods has in patch set 2 ^22:48
rderosedstanek: originally was executing an update from select statement on the entire table, but ran into table locking22:49
*** spilla has quit IRC22:49
rderosedstanek: have we done pagination before with sqlalchemy? looking for an example...22:49
knikollalbragstad: alright, thanks!22:49
openstackgerritKristi Nikolla proposed openstack/keystone: Forbid creation of cross-domain implied roles
lbragstadknikolla does that make sense?22:49
lbragstadknikolla hah - yep! so your change will be based on rodrigods' now22:50
knikollalbragstad: yes, it makes sense. thanks!22:50
lbragstadknikolla no problem!22:50
knikollahad somehow avoided basing my work on unmerged patches till now.22:51
morganstevemar: can you taste being not PTL anymore? :)22:51
morgandstanek: i think i removed the "side effect" bit of the plugins mucking around in auth_context22:53
morgandstanek: woo.22:53
morgandstanek: way more work than expected22:54
morganbut it's passing now.22:54
*** adrian_otto has quit IRC22:56
*** lamt has quit IRC23:00
*** lamt has joined #openstack-keystone23:01
stevemarmorgan: it tastes so good!23:01
openstackgerritKristi Nikolla proposed openstack/keystone: Forbid creation of cross-domain implied roles
*** david-lyle has quit IRC23:03
openstackgerritRon De Rose proposed openstack/keystone: Add domain_id to the user table
morganstevemar: our unit tests have gotten really slow again23:04
openstackgerritKristi Nikolla proposed openstack/keystone: Forbid creation of cross-domain implied roles
*** lamt has quit IRC23:06
morganrderose: ugh, the shadow stuff that landed in the mapped auth plugin just made for a really ugly rebase23:15
rderose:) sorry23:16
rderosemorgan: ^23:16
morganok now i need to remember --theirs vs --ours23:17
morganif i am rebasing...23:17
morganrderose: do you know if i need --theirs or --ours if i want to get the upstream copy in rebase?23:18
rderosemorgan: hmm... I don't23:20
rderosemorgan: haven't done that before23:21
*** chris_hultin|AWA is now known as chris_hultin23:21
*** edtubill has quit IRC23:22
*** gyee has joined #openstack-keystone23:22
*** ChanServ sets mode: +v gyee23:22
*** jaugustine has quit IRC23:24
morganrderose: it is 'ours'23:25
morganrderose: since "ours" is master, and "theirs" is the feature branch i am on23:25
morgan*never remembers these things*23:25
openstackgerritMorgan Fainberg proposed openstack/keystone: Add user_mfa_rules table
openstackgerritMorgan Fainberg proposed openstack/keystone: Auth Method Handlers now return a response object always
openstackgerritMorgan Fainberg proposed openstack/keystone: Auth Plugins pass data back via AuthHandlerResponse
openstackgerritMorgan Fainberg proposed openstack/keystone: Add SQL Upgrade Tests for MFA rules
rderosemorgan: ah, gotcha23:27
morganrderose: can you tell me what is wrong with my migration in 422817?23:33
morgani'm not seeing where i screwed up23:33
morganbut the table isn't being created?23:33
rderosehmm... looking23:35
openstackgerritMorgan Fainberg proposed openstack/keystone: Auth Plugins pass data back via AuthHandlerResponse
*** gyee has quit IRC23:36
morganrderose: or it is an issue with the test23:36
rderosemorgan: I don't think it's an issue with the test23:38
*** jaosorior has quit IRC23:38
rderosemorgan: btw you don't need this line I think: session = self.sessionmaker()23:38
morganthat is the pep8 fail23:39
morganbut that doesn't tell me why the py35 test failed23:39
rderosemorgan: where is migration 14?23:39
rderosemorgan: I only see the test23:39
*** gyee has joined #openstack-keystone23:39
*** ChanServ sets mode: +v gyee23:39
*** furface has joined #openstack-keystone23:39
rderosemorgan: ah, got it23:40
morgansorry, prev patch23:40
*** thorst_ has joined #openstack-keystone23:44
dstanekrderose: i'm actually curious to know what would happen if all the users were modified at once. table locking for some period of time?23:45
rderosedstanek: yep, table locking23:46
rderosethat's why I switched to doing row by row23:46
rderosedstanek: I first took that approach, updating all at once, but ran into table locking in my migration tests23:47
*** thorst_ has quit IRC23:48
dstanekrderose: is it doing it row-by-row now?23:51
dstanekso autocommitting i mean23:52
rderosedstanek: I'm pulling all local_users and then updating the user table row-by-row23:53
*** MasterOfBugs has quit IRC23:53
rderosedstanek: so the update statement is getting executed within the for loop for each record23:53
dstanekis it autocommitting?23:54
rderosedstanek: if it does that by default, yes23:54
rderosedstanek: checking23:54
rderosedstanek: yeah, it looks like sqlalchemy will issue a commit automatically:23:56
rderosedstanek: hmm...23:57
rderosedstanek: it will issue a commit automatically, sorry had to read that twice23:59