Sunday, 2017-01-22

openstackgerrit: Ron De Rose proposed openstack/keystone: Set the domain for federated users https://review.openstack.org/423708 [01:15]
openstackgerrit: Ron De Rose proposed openstack/keystone: Set the domain for federated users https://review.openstack.org/423708 [01:21]
morgan: rderose: ping [02:03]
morgan: rderose: when did the ignore expires option land? [02:03]
morgan: rderose: in Ocata? because i'm going to say fix that now instead of saying "oh this already landed" [02:03]
morgan: if it's in newton, i'm still going to hold on my -1, and say "fix this" and make the option deprecated. [02:04]
morgan: it's a very very very bad design choice [02:04]
morgan: and had i seen it in the original patch, i would have complained there too [02:04]
rderose: morgan: hi [02:05]
morgan: rderose: sorry i feel *very* strongly about these types of designs [02:05]
rderose: morgan: understand, np [02:06]
morgan: putting uuids in config files is justification in my book for a -2 [02:06]
rderose: morgan: at the time, it was the easy & quick option [02:06]
rderose: morgan: understand [02:06]
morgan: ftr, i didn't -2 it because i figured we could easily move away from it in either case [02:06]
morgan: and a -2 requires a lot more interactions to get removed :) [02:06]
rderose: right [02:06]
morgan: i mean, i can re-spin this if you want. but i'd rather be able to +2 it ^_^ [02:06]
morgan: did the password expiry stuff land in newton or ocata (pre-3?) [02:07]
rderose: newton [02:07]
morgan: ok then my view is deprecate the option, keep the current functionality and add it as an attribute on the user [02:07]
morgan: knowing the option and functionality around it is going away [02:07]
rderose: morgan: creating another option for ignoring expired passwords seems out-of-scope for what I'm doing [02:08]
morgan: so the end check is (<password_change_on_first_user> and (not in <conf.option>[deprecated] or not <user.ignore_password_expiry>) [02:08]
rderose: morgan: my patch is setting a password to be expired [02:09]
morgan: well like i said, i view this lumping functionality into a -2 category as is. the choice to use that option is bad, that option is bad [02:09]
morgan: i'm happy to spin up a patch to do what i am asking for [02:10]
morgan: and make this one depend on it [02:10]
morgan: this is one of those things i keep having to fight because it is the same design pattern used over and over and it sucks every single time [02:10]
rderose: morgan: so your would be to simply deprecate the current config option and use it? [02:10]
morgan: i would deprecate the current option, add a user-attribute [02:11]
morgan: and use either/both for now [02:11]
morgan: the option drops in Q [02:11]
morgan: like i said, happy to quickly spin a patch for that [02:11]
rderose: morgan: okay, go for it [02:11]
morgan: just tell me where i should set the metadata for the user to ignore that option [02:11]
morgan: user column? [02:12]
morgan: erm user_table column? [02:12]
* morgan sees a design change for P to create a more fluid set of options for user(s) [02:12]
morgan: but for now, what is the best place to stash this option. i'll spin up the patch tonight and rebase your work on it (should be pretty darn quick) [02:13]
rderose: morgan: okay, I think user table [02:13]
morgan: wfm :) [02:13]
morgan: i think that in P we should build a more fluid option table that is a [option][user][value] sql thing [02:14]
rderose: morgan: yeah, that would be cool [02:14]
morgan: and define the values in code, because having a ton of columns on the user table may be bad if they are unused :) [02:14]
morgan: and then we just load up the options for the user. this, and other such magic super-flags can live in that kind of relationship [02:15]
morgan: anyway, that is a PTG discussion [02:15]
morgan: i'll have some code for you shortly [02:15]
morgan: thnx for understanding ^_^ [02:15]
rderose: morgan: alright, sounds good [02:15]
rderose: morgan: and thank you :) [02:15]
morgan: hmm [02:16]
morgan: silly question, should i use the SQL migration (migrate) to populate the column from the config if the values are set? [02:16]
morgan: i feel like that might be weird. [02:17]
rderose: morgan: yeah, you would have to [02:17]
morgan: well don't *have* to [02:17]
rderose: morgan: :) [02:17]
stevemar: morgan: this is why we need you in keystone :) [02:17]
stevemar: morgan: you make the right architectural moves :) [02:17]
morgan: because both the value from the option and the flag will be used in Ocata [02:17]
stevemar: some other dumb PTL approved using uuids in a config :( [02:17]
morgan: stevemar: i'm basing the new patch on the MFA table addition [02:17]
morgan: stevemar: FYI because i don't want to do rebase hell atm [02:18]
morgan: [not the whole chain, just the mfa table add] [02:18]
morgan: i can rebase if we punt MFA stuff out, but i should have all the code up tomorrow for that too [02:18]
rderose: morgan: if not in config, how would deployers set the new user attribute? [02:18]
morgan: rderose: .update_user [02:18]
morgan: it's a soft value that is set on the user itself [02:18]
rderose: morgan: ah, extra field? [02:18]
morgan: yep [02:18]
morgan: hence why storing it in the user table makes sense [02:19]
morgan: stevemar: it wasn't a dumb ptl, it was, like most things, where the PTL saw good code but missed things. I never caught everything when I was PTL :P [02:19]
morgan: stevemar: i let things in i shouldn't have :P [02:19]
morgan: stevemar: but i mean, i'm happy to blame said PTL :P [02:20]
morgan: rderose: i'm happy to pull the conf data in, but it feels weird to do so in a migrate. [02:20]
morgan: rderose: i'll comment the patch once i push it so reviewers can make a call on it [02:20]
rderose: morgan: yeah, if you don't, deployers will just have to manually migrate [02:20]
rderose: or do it [02:20]
morgan: rderose: yeah. [02:21]
rderose: morgan: config was always the short-term option, ideally, we'll make PCI domain scoped [02:21]
morgan: then per-user flags make a ton of sense [02:21]
morgan: since the domain-admin may want exceptions as well [02:21]
rderose: good point [02:22]
morgan: woo, since this is new data i don't have to have triggers *yay* [02:23]
rderose: morgan: :) [02:24]
openstackgerrit: Kristi Nikolla proposed openstack/keystone: Remove LDAP write support https://review.openstack.org/423572 [02:32]
stevemar: morgan: :) [02:50]
morgan: knikolla: close to what i suggested, close enough though [02:53]
morgan: knikolla: +2 (i would have preferred to not rename all the methods to _ prefixed and just added the new call to the top of the deprecated methods) [02:53]
morgan: knikolla: this is fine as is. i'll rebase my chain on top of it. [02:53]
morgan: stevemar: we should fix the sheer volume of deprecated warning for the CORS stuff when running unit tests and use .set defaults [02:55]
morgan: stevemar: we should also fix the identifiers in the cadf calls to be uuids [02:56]
knikolla: morgan: i agree, but separating them somehow made a stronger case for their lack of support. at least in my mind when i did it. [02:57]
knikolla: thanks for the reviews morgan and stevemar [02:57]
morgan: knikolla: it's a lot of code shuffle really for not a big change/effect but like i said, it's fine as is and +2 :) [02:57]
morgan: i'll +A it once CI passes it [02:58]
knikolla: morgan: thanks! [03:04]
knikolla: morgan: i like how your per-user-auth-plugin-reqs read like a story. [03:13]
knikolla: first there was the authhandler [03:14]
morgan: lol [03:17]
morgan: i'm trying to merge the stuff that should be in the MFA table add down so i can do the next parts here [03:19]
morgan: it's being... weird. [03:19]
morgan: the ldap bits are so annoying to debug [03:19]
knikolla: i wish my ldap3 driver wouldn't have been dropped [03:22]
stevemar: morgan: file bugs so we don't forget [03:40]
stevemar: morgan: hopefully our RC period is quiet and we can stamp them out [03:41]
morgan: stevemar: these aren't bugs [03:41]
morgan: oh the cors things [03:41]
morgan: yeah [03:41]
morgan: i'll toss bugs up [03:41]
stevemar: morgan: real bugs have been filed for far less :P [03:41]
stevemar: morgan: gonna +W knikolla's work [03:42]
morgan: kk [03:42]
stevemar: thanks knikolla! [03:43]
knikolla: stevemar: anytime. i said i'd do it around november, so i'm pretty late actually. [03:44]
stevemar: knikolla: :) [03:48]
stevemar: knikolla: no worries, it was *really* tangled up [03:48]
stevemar: morgan: i'll look at your stuff now [03:48]
stevemar: morgan: thoughts on the domain id migration for federated users? [03:48]
morgan: stevemar: i'll look at that once i post my rebase of the MFA table add on knikolla's ldap patch [03:50]
stevemar: morgan: coolio [03:51]
morgan: stevemar: then i need to drive home and run an errand and i'll get back to the fix for rderose and expire_password_ignore [03:51]
morgan: and *then* I'll write the api stuff(s) for MFA [03:51]
stevemar: morgan: alright, i'll probably be asleep by then :P [03:51]
morgan: i figured as much [03:51]
openstackgerrit: Morgan Fainberg proposed openstack/keystone: Add user_mfa_rules table https://review.openstack.org/418166 [03:52]
morgan: ^ rebase on knikolla's patch [03:53]
openstackgerrit: Morgan Fainberg proposed openstack/keystone: Auth Method Handlers now return a response object always https://review.openstack.org/420955 [03:53]
openstackgerrit: Morgan Fainberg proposed openstack/keystone: Auth Plugins pass data back via AuthHandlerResponse https://review.openstack.org/422912 [03:53]
stevemar: awesome sauce [03:56]
openstackgerrit: Morgan Fainberg proposed openstack/keystone: Add user_mfa_rules table https://review.openstack.org/418166 [04:44]
openstackgerrit: Morgan Fainberg proposed openstack/keystone: Auth Method Handlers now return a response object always https://review.openstack.org/420955 [04:44]
openstackgerrit: Morgan Fainberg proposed openstack/keystone: Auth Plugins pass data back via AuthHandlerResponse https://review.openstack.org/422912 [04:44]
openstackgerrit: Morgan Fainberg proposed openstack/keystone: Process and validate auth methods against MFA rules https://review.openstack.org/423548 [04:49]
morgan: phew. now that is correctly rebased [04:49]
openstackgerrit: Morgan Fainberg proposed openstack/keystone: Process and validate auth methods against MFA rules https://review.openstack.org/423548 [04:50]
openstackgerrit: Merged openstack/keystone: Remove LDAP write support https://review.openstack.org/423572 [05:23]
stevemar: dims: is there a specific version of py35 that we'll be using? 3.5.2 / 3.5.3? [05:45]
openstackgerrit: Steve Martinelli proposed openstack/keystone: update entry points related to paste middleware https://review.openstack.org/423753 [06:11]
openstackgerrit: Ron De Rose proposed openstack/keystone: Refactor shadow users tests https://review.openstack.org/423705 [13:13]
openstackgerrit: Ron De Rose proposed openstack/keystone: Set the domain for federated users https://review.openstack.org/423708 [13:14]
rderose: morgan stevemar: I added a comment to the PCI patch, thinking about this some more, I think we should wait on taking the ignore lists out of configuration. Too big of a change at this late hour. [13:37]
rderose: morgan stevemar: And while I know morgan feels strongly about the design, it is out-of-scope for this patch and can be addressed later on. [13:38]
knikolla: o/ [14:28]
morgan: rderose: well I'm maintaining my -1 [16:01]
morgan: and I'll have the change posted today as promised. [16:01]
morgan: I am very against lumping more on that config [16:02]
morgan: as said, I view those things as -2 worthy. [16:02]
openstackgerrit: Ron De Rose proposed openstack/keystone: Refactor shadow users tests https://review.openstack.org/423705 [16:45]
rderose: morgan: understand, I'll look for your patch. and as I said in my comments, there is also the lockout ignores list. [17:32]
openstackgerrit: Ron De Rose proposed openstack/keystone: Add domain_id to the user table https://review.openstack.org/409874 [18:28]
openstackgerrit: Ron De Rose proposed openstack/keystone: Add domain_id to the user table https://review.openstack.org/409874 [18:30]
openstackgerrit: Ron De Rose proposed openstack/keystone: Refactor shadow users tests https://review.openstack.org/423705 [18:41]
openstackgerrit: Ron De Rose proposed openstack/keystone: Set the domain for federated users https://review.openstack.org/423708 [18:42]
openstackgerrit: Ron De Rose proposed openstack/keystone: Add domain_id to the user table https://review.openstack.org/409874 [18:46]
openstackgerrit: Ron De Rose proposed openstack/keystone: Add domain_id to the user table https://review.openstack.org/409874 [18:48]
openstackgerrit: Ron De Rose proposed openstack/keystone: Refactor shadow users tests https://review.openstack.org/423705 [18:50]
openstackgerrit: Ron De Rose proposed openstack/keystone: Set the domain for federated users https://review.openstack.org/423708 [18:50]
