Monday, 2017-03-20

[00:04] <jamielennox> notmorgan: if you're here i completely disagree on the api-keys
[00:05] <jamielennox> i have no problem calling them app-specific-passwords, i don't care about calling them secure bloby things
[00:06] <jamielennox> but i think sending the key to the service's api directly is a bad idea, and basically circumvents the token flow we've tried to make services do properly for the last few years
[00:14] *** dave-mccowan has joined #openstack-keystone
[00:20] *** catintheroof has joined #openstack-keystone
[00:26] *** catintheroof has quit IRC
[00:38] *** jamielennox is now known as jamielennox|away
[01:26] *** liujiong has joined #openstack-keystone
[01:40] *** aojea has joined #openstack-keystone
[01:45] *** aojea has quit IRC
[01:45] *** markvoelker has joined #openstack-keystone
[01:49] *** markvoelker has quit IRC
[01:51] *** wangqun has joined #openstack-keystone
[02:12] *** guoshan has joined #openstack-keystone
[03:20] *** dave-mccowan has quit IRC
[03:22] *** jamielennox|away is now known as jamielennox
[03:25] *** zhurong has joined #openstack-keystone
<openstackgerrit> Merged openstack/oslo.policy master: Comment out the rule from generated sample-policy file
[03:42] *** aojea has joined #openstack-keystone
[03:46] *** aojea has quit IRC
[04:00] *** guoshan has quit IRC
[04:08] *** Dinesh_Bhor has joined #openstack-keystone
[04:16] *** zhurong has quit IRC
[04:20] *** links has joined #openstack-keystone
[04:59] *** zhurong has joined #openstack-keystone
[05:14] *** zhurong has quit IRC
[05:42] *** aojea has joined #openstack-keystone
[05:47] *** aojea has quit IRC
[05:53] *** adriant has quit IRC
[06:04] *** jaosorior has joined #openstack-keystone
<openstackgerrit> Dinesh Bhor proposed openstack/python-keystoneclient master: Fix failing PY2 and PY3 gate jobs
[06:25] *** aojea has joined #openstack-keystone
[06:25] *** guoshan_ has joined #openstack-keystone
[06:29] *** guoshan has joined #openstack-keystone
[06:29] *** guoshan_ has quit IRC
[06:45] *** guoshan has quit IRC
[06:45] *** guoshan has joined #openstack-keystone
[06:53] *** jaosorior has quit IRC
[06:55] *** jaosorior has joined #openstack-keystone
[07:14] *** jaosorior has quit IRC
[07:15] *** jaosorior has joined #openstack-keystone
[07:16] *** jaosorior has quit IRC
[07:19] *** jaosorior has joined #openstack-keystone
<openstackgerrit> Maciej Jozefczyk proposed openstack/keystonemiddleware master: Cross-region requests are not blocked by keystonemiddleware
[07:41] *** voelzmo has joined #openstack-keystone
[07:57] *** zhugaoxiao has quit IRC
[07:58] *** zhugaoxiao has joined #openstack-keystone
[07:58] *** tesseract has joined #openstack-keystone
[08:00] *** zzzeek has quit IRC
[08:00] *** zzzeek has joined #openstack-keystone
[08:14] *** pcaruana has joined #openstack-keystone
[08:24] *** rdo has quit IRC
[08:26] *** rdo has joined #openstack-keystone
<openstackgerrit> Maciej Jozefczyk proposed openstack/keystonemiddleware master: Cross-region requests are not blocked by keystonemiddleware
<openstackgerrit> Maciej Jozefczyk proposed openstack/keystonemiddleware master: Cross-region requests are not blocked by keystonemiddleware
[09:02] *** openstackgerrit has quit IRC
[10:06] *** wangqun has quit IRC
[10:09] *** liujiong has quit IRC
[10:12] *** nicolasbock has joined #openstack-keystone
[10:12] *** openstackgerrit has joined #openstack-keystone
<openstackgerrit> Stephen Finucane proposed openstack/oslo.policy master: Use Sphinx 1.5 warning-is-error
[10:21] *** knangia has quit IRC
[10:27] *** guoshan has quit IRC
[10:37] *** dikonoor has joined #openstack-keystone
[10:50] *** rmascena has joined #openstack-keystone
[10:50] *** arturb has joined #openstack-keystone
[10:51] *** dikonoor has quit IRC
[11:05] *** ayoung has joined #openstack-keystone
[11:17] *** zhurong has joined #openstack-keystone
[11:18] *** pnavarro has joined #openstack-keystone
[11:24] *** dikonoor has joined #openstack-keystone
[11:37] *** zhurong has quit IRC
[11:45] *** aojea has quit IRC
[11:46] *** aojea has joined #openstack-keystone
[11:48] *** dikonoor has quit IRC
[11:50] *** aojea has quit IRC
<openstackgerrit> Colleen Murphy proposed openstack/keystone master: Speed up check_user_in_group for LDAP users
[11:58] *** dikonoor has joined #openstack-keystone
[12:00] *** ravelar has joined #openstack-keystone
[12:07] *** dave-mccowan has joined #openstack-keystone
<openstackgerrit> Richard Avelar proposed openstack/keystone master: Add group_members_are_ids to whitelisted options
[12:14] *** edmondsw has joined #openstack-keystone
[12:25] *** spilla has joined #openstack-keystone
[12:43] *** aojea has joined #openstack-keystone
<openstackgerrit> Richard Avelar proposed openstack/keystone master: Validate rolling upgrade is run in order
[12:53] *** yuvalb has quit IRC
[12:54] *** yuvalb has joined #openstack-keystone
[12:57] *** catintheroof has joined #openstack-keystone
[13:01] *** markvoelker has joined #openstack-keystone
[13:04] *** lamt has joined #openstack-keystone
[13:08] *** lamt has quit IRC
[13:11] *** links has quit IRC
[13:12] *** lamt has joined #openstack-keystone
[13:16] *** lamt has quit IRC
[13:20] *** lamt has joined #openstack-keystone
[13:25] *** lamt has quit IRC
<openstackgerrit> Richard Avelar proposed openstack/keystone master: Don't persist revocation events when deleting a role
[13:34] *** erhudy has joined #openstack-keystone
<lbragstad> dstanek jdennis any updates on this one here?
[13:39] *** guoshan has joined #openstack-keystone
[13:42] <jdennis> lbragstad: there doesn't appear to have been any activity since my last comment.
[13:43] <lbragstad> jdennis yeah - i was just catching up on the comments
[13:43] *** clenimar has quit IRC
[13:43] <lbragstad> jdennis you didn't have an alternative patch somewhere did you? just curious because I found the snippets in the review helpful
[13:47] <jdennis> lbragstad: If I recall correctly Lance I just threw those snippets together in a little temp script
[13:47] <lbragstad> jdennis aha - cool, just double checking
[13:55] *** lamt has joined #openstack-keystone
[13:58] *** lamt has quit IRC
[13:58] <dstanek> lbragstad: no, waiting to see what we need to do there
[13:58] *** guoshan has quit IRC
[14:00] *** prashkre has joined #openstack-keystone
[14:00] <lbragstad> dstanek gotcha - are we waiting on someone from webob?
[14:01] *** lamt has joined #openstack-keystone
<prashkre> lbragstad: Hi Lance. I have an issue with translation of messages. so while investigating found that
[14:04] <prashkre> lbragstad: is calling on oslo_i18n module to translate messages, but oslo_i18n expecting message of type oslo_i18n._message.Message type to translate.
[14:04] <prashkre> so it is simply bypassing translations.
[14:05] <lbragstad> prashkre o/
[14:05] <dikonoor> lbragstad: Hi..Do we know if keystone translations are working? From the code, it looks like it's getting skipped at the point prashkre has pointed out
[14:05] <lbragstad> dikonoor prashkre checking the code
[14:05] *** knangia has joined #openstack-keystone
[14:05] *** lamt has quit IRC
[14:06] <dstanek> lbragstad: i'll dig up my notes and update that review
[14:06] *** guoshan has joined #openstack-keystone
[14:06] <lbragstad> dstanek i was reading through a few of the comments jdennis made
[14:07] <lbragstad> dstanek i thought about pushing a subsequent patch that addressed them - but I haven't made it that far yet ;)
[14:07] <lbragstad> dikonoor prashkre so this is the implementation of translate you're referencing - ?
[14:07] <prashkre> lbragstad: yes.
[14:08] <dstanek> prashkre: dikonoor: how is it being skipped?
<dikonoor> and this is the check that fails >>
[14:09] <prashkre> lbragstad: error messages we are passing are of unicode type and it is expecting oslo_i18n._message.Message type for translation.
[14:09] <dstanek> prashkre: you're saying that error.arg[0] isn't a message?
[14:09] <lbragstad> prashkre so is never hit?
[14:09] *** lamt has joined #openstack-keystone
[14:10] <lbragstad> if it isn't a message, it should be getting handled by the first if statement?
[14:10] <dikonoor> L45 is hit, L48 is not
[14:10] <lbragstad> _message.Message *
[14:10] <lbragstad> dikonoor what is the type of `error_message` here - ?
[14:11] <dstanek> lbragstad: i would expect that to be a message object based on how we create exceptions
[14:12] <dikonoor> it's of type unicode ..I think that's what L44 does >> # If the object to translate is not already translatable,
[14:12] <dikonoor>         # let's first get its unicode representation
[14:12] <dikonoor>         message = six.text_type(obj)
[14:12] <prashkre> lbragstad: it is unicode type
[14:12] *** lamt has quit IRC
[14:12] <dstanek> dikonoor: is this in production or test?
[14:12] <lbragstad> i don't know if it's just me or not, but those two if/statements are confusing to understand right next to each other like that
[14:12] <dikonoor> test is where we found
[14:13] <lbragstad> because the first one gets a unicode representation of the message if it's not already translated
[14:13] <dstanek> dikonoor: i don't think we translate in debug mode
[14:14] <dikonoor> dstanek: Could you elaborate what's the debug mode that you are referring to..?
[14:15] <dstanek> dikonoor: we don't translate during development - iirc
[14:16] <dikonoor> dstanek : I have keystone running inside httpd ..I see there are .mo files with translated messages generated..So I'd have expected translation to work
[14:17] *** lamt has joined #openstack-keystone
[14:19] <dikonoor> dstanek: Does the translation work for you?
[14:20] <dstanek> i'm also not sure if we translate messages over the API or just for logging
[14:20] <dstanek> dikonoor: looking how
[14:21] *** lamt has quit IRC
[14:23] *** lamt has joined #openstack-keystone
[14:24] *** lamt has quit IRC
[14:25] *** agrebennikov has joined #openstack-keystone
[14:32] <dstanek> lbragstad: dikonoor: prashkre: i'm going to guess that they are not working for exceptions
[14:32] <dikonoor> dstanek: Do you think so because of the unicode type problem that prashkre was talking about?
[14:33] <dstanek> dikonoor: that's what is happening, but the question is why.... i think it is because needs to come before keystone.exception is imported
[14:35] <dstanek> lbragstad: i'm not sure why the default is not set to lazy. you'd think that everyone has similar import time issues
[14:40] <lbragstad> dstanek right - interesting
[14:41] <dstanek> dikonoor: prashkre: try moving that above the keystone imports and see if it works
[14:42] <prashkre> dstanek: sure will try and let you know.
[14:45] *** dikonoor has quit IRC
[14:45] <prashkre> dstanek: yes. it worked.
[14:46] <prashkre> dstanek: able to see translated messages.
[14:46] *** lamt has joined #openstack-keystone
[14:46] <dstanek> prashkre: nice
[14:46] <lbragstad> prashkre dstanek sounds like we need to open a bug then?
<ravelar> lbragstad we still use project_id and domain_id revocation for revoke_by_audit_chain_id right?
<lbragstad> ravelar well - it doesn't look like it's used much -
[14:48] <lbragstad> ravelar revoke_chain defaults to False and is only set to True in tests
[14:49] <lbragstad> ravelar so it could be a behavior that we test for but don't actually expose
[14:49] <prashkre> dstanek: lbragstad: I will open a bug on translate messages issue.
[14:49] <ravelar> sorry I put them together lol
[14:49] <lbragstad> prashkre awesome - thanks
[14:49] <dstanek> prashkre: thanks!
[14:50] <ravelar> lbragstad I see
[14:50] <lbragstad> ravelar another thing that we can do is run coverage on it and see if that's even tested
[14:50] <lbragstad> it looks like it is, but I don't think we can actually hit that branch of code through an API (i.e. a user can't dictate that behavior)
[14:50] <lbragstad> at least from what i can tell
[14:51] <lbragstad> which might be a good thing if we decide we want to prune it
[14:51] <ravelar> lbragstad, so when do we ever even revoke an audit_chain
[14:51] <ravelar> other than the tests
[14:54] *** lamt has quit IRC
<lbragstad> ravelar that's a good question, we also have
[14:55] <lbragstad> ravelar which has some logic that is intertwined with the revocation API
[14:56] *** lamt has joined #openstack-keystone
[14:57] *** aselius has joined #openstack-keystone
[14:57] *** lamt has quit IRC
[15:00] *** jlopezgu has joined #openstack-keystone
[15:01] *** pnavarro has quit IRC
[15:02] *** chris_hultin|AWA is now known as chris_hultin
[15:05] *** lamt has joined #openstack-keystone
<openstackgerrit> Richard Avelar proposed openstack/keystone master: Remove extra duplicate 'be' in description
[15:06] *** rderose has joined #openstack-keystone
[15:06] *** lamt has quit IRC
[15:10] *** phalmos has joined #openstack-keystone
<lbragstad> ravelar here is a list of all revoke_api usage I can see (excluding tests)
[15:16] *** pnavarro has joined #openstack-keystone
[15:17] *** jamielennox has quit IRC
[15:17] <ravelar> lbragstad yeah, I figured the most that is happening has to be in providers so I am looking at the functions that use them and tracing up to the parent ones
<lbragstad> ravelar these might not be needed anymore and
[15:18] <ravelar> lbragstad ahh another one, nice catch ha
[15:20] <lbragstad> ravelar i removed them, running tests now
[15:22] *** richm has joined #openstack-keystone
[15:22] *** lamt has joined #openstack-keystone
[15:23] *** lamt has quit IRC
[15:24] *** guoshan has quit IRC
<openstackgerrit> Richard Avelar proposed openstack/keystone master: Don't persist rev event when deleting access token
[15:29] <lbragstad> dstanek about the py35 things we were talking about over the weekend, is that something we should just open a bug for?
[15:29] <lbragstad> dstanek if it only needs a couple testing bits, a spec might be a little heavy handed
<openstackgerrit> Anthony Washington proposed openstack/oslo.policy master: oslopolicy-sample-generator description support
[15:30] *** phalmos has quit IRC
[15:32] <notmorgan> lbragstad: audit_chain revokes were explicitly for the case of needing to kill all tokens that were subject to rescopes. It wasn't widely used except, perhaps, in a password change case?
[15:32] <notmorgan> or initially
[15:32] <lbragstad> cc ravelar ^
[15:33] *** chlong has joined #openstack-keystone
[15:33] <lbragstad> notmorgan and that revokes based on the token's audit_id attribute, correct?
[15:33] <lbragstad> at least that's how i think it worked the last i checked
<openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Support new hashing algorithms for securely storing password hashes
[15:34] <notmorgan> it is intended to
[15:35] <notmorgan> so audit id is (audit_id, chain_audit_id)
[15:35] *** lamt has joined #openstack-keystone
[15:35] <ravelar> notmorgan lbragstad ahh thanks! I was looking for what the history behind it was since now it looks like it isn't really used anywhere
[15:35] <notmorgan> if you revoke the chain, we look at the chain id, and if it doesn't exist we look at audit_id
[15:35] <notmorgan> the reason for audit_id to include a chain is so you can see the rescopes
[15:35] <notmorgan> and track a token to a specific auth
[15:36] <notmorgan> it doesn't show the direct parent, just the original auth's token_id
[15:36] <notmorgan> the idea is we should be able to revoke any/all tokens for a given auth
[15:36] <notmorgan> we shouldn't remove that functionality unless we're really dropping all revoke(s).
[15:43] <lbragstad> notmorgan i don't think we're going to do that
[15:43] <lbragstad> notmorgan i think we should start by pruning the unused revocation events from the implementation the best we can
[15:43] <lbragstad> for example
[15:43] <lbragstad> ^ passes tests for me locally
[15:43] <lbragstad> cc ravelar
[15:44] <ravelar> lbragstad nice
[15:44] <ravelar> lbragstad that is on top of right?
[15:44] *** lamt has quit IRC
[15:45] <lbragstad> ravelar no - i just did that one off of master
[15:45] *** jaosorior has quit IRC
[15:46] <ravelar> lbragstad ahh right, I saw assignment and role and thought we were talking about that patch
[15:47] <ravelar> cool, looks like your patch from a while back does a lot of this already now
[15:47] <lbragstad> ravelar nope - just started looking at places in keystone where we use the revocation API
[15:47] *** lamt has joined #openstack-keystone
<openstackgerrit> Gage Hugo proposed openstack/keystone-specs master: Add Project tags
[15:50] *** lamt has quit IRC
[15:51] *** links has joined #openstack-keystone
[15:51] <ravelar> lbragstad the best part is most of the revocation unit tests already cover the change by testing that the API returns the expected information or by checking the token no longer contains revoked info
[15:52] *** lamt has joined #openstack-keystone
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Remove unnecessary revocation events
[15:54] <lbragstad> ravelar ^
[15:54] <lbragstad> ravelar feel free to steal that
[15:55] *** links has quit IRC
[15:56] *** links has joined #openstack-keystone
[15:56] *** voelzmo has quit IRC
[15:57] <Tahvok> Can you run the bootstrap commands multiple times? Is it idempotent?
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Remove revocation API dependency from resource API
[15:57] <lbragstad> Tahvok yes - it should be
<lbragstad> Tahvok we had a bug opened that we fixed in ocata and backported to both newton and mitaka
[15:59] <openstack> Launchpad bug 1647800 in OpenStack Identity (keystone) newton "keystone-manage bootstrap isn't completely idempotent" [High,Fix released] - Assigned to Lance Bragstad (lbragstad)
[15:59] *** jaosorior has joined #openstack-keystone
[16:00] <Tahvok> Wait.. It was available in Mitaka as well?
[16:00] <Tahvok> Funny as it was not mentioned in ubuntu install guide
[16:01] <Tahvok> Doesn't matter as we're moving to Ocata now..
[16:02] *** Aqsa has joined #openstack-keystone
[16:02] <lbragstad> Tahvok was bootstrap not idempotent for you?
[16:03] <lbragstad> Tahvok or did you notice an unexpected behavior?
[16:03] *** voelzmo has joined #openstack-keystone
[16:05] <Tahvok> lbragstad: I didn't try. I just asked..
[16:05] *** links has quit IRC
[16:06] <ravelar> lbragstad will do!
[16:06] <lbragstad> Tahvok sounds good
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Remove revocation API dependency from identity API
[16:07] <lbragstad> ravelar steal ^ that one, too
[16:09] *** phalmos has joined #openstack-keystone
<lbragstad> ravelar here is my updated list of places that use the revoke_api -
[16:13] *** lamt has quit IRC
[16:14] *** lamt has joined #openstack-keystone
[16:15] *** tesseract has quit IRC
[16:16] *** Aqsa has quit IRC
[16:19] *** jamielennox has joined #openstack-keystone
[16:19] *** lamt has quit IRC
[16:21] *** jamielennox is now known as jamielennox|away
<openstackgerrit> Richard Avelar proposed openstack/keystone master: Don't persist rev event when deleting access token
[16:27] *** pcaruana has quit IRC
[16:29] *** lamt has joined #openstack-keystone
[16:34] *** ravelar has quit IRC
[16:40] *** lamt has quit IRC
[16:41] *** lamt has joined #openstack-keystone
[16:43] *** lamt has quit IRC
[16:46] <prashkre> lbragstad: dstanek: created bug for translation of messages.
[16:46] <openstack> Launchpad bug 1674415 in OpenStack Identity (keystone) "keystone exception messages are not translating when locale is set" [Undecided,New]
[16:47] *** voelzmo has quit IRC
[16:47] *** voelzmo has joined #openstack-keystone
[16:48] *** lamt has joined #openstack-keystone
[16:49] *** MasterOfBugs has joined #openstack-keystone
[16:49] *** ravelar has joined #openstack-keystone
<Tahvok> According to the Ocata doc:
[16:49] *** lamt has quit IRC
[16:50] *** jaosorior has quit IRC
[16:50] <Tahvok> It says to remove the admin_token_auth from the keystone-paste.ini file. However, as I'm using the bootstrap mechanism, I don't need it in the first place (am I right?). So why is it in the config in the first place?
[16:52] <notmorgan> Tahvok: to prevent breaking people
[16:52] <Tahvok> You mean people who upgrade to Ocata? But they would use their old config anyway.
[16:52] <notmorgan> Tahvok: it comes down to folks who do upgrades, we need to telegraph the removals waaaay in advance, especially what is a "default" configuration that many folks do minor changes to (such as the paste-ini)
[16:52] *** jaosorior has joined #openstack-keystone
[16:53] <notmorgan> we're removing the actual class that the paste-ini would load. some people deploy paste-ini with config management (i.e. ansible)
[16:53] <notmorgan> so we throw a warning to ensure they know to remove it from the paste-ini.
[16:53] <notmorgan> you don't need it if you use bootstrap
[16:53] <notmorgan> but if we were to just drop the class, and the same paste-ini is used, keystone breaks and can't load at all
[16:54] <Tahvok> I'm not asking to remove the class
[16:54] <Tahvok> I'm asking to remove the configuration
[16:54] <notmorgan> right, but we're telling people we are removing the class
[16:54] <notmorgan> you are 100% a-ok removing it in the config
[16:55] <Tahvok> And it's completely fine if it won't be in the config, for people who upgrade - as they will use their working configuration anyway..
[16:55] <notmorgan> it is in the config because people break when we change things there, unless we do it sloooooowly
[16:56] <Tahvok> Currently, as I see it, it only confuses new users. This config that comes from the Ocata package doesn't help anyone - not new users, as they need to remove it, not upgrading users, as they don't use it at all.
[16:56] <notmorgan> we don't do packaging
<Tahvok> notmorgan: it's part of Ocata's branch:
[16:58] <notmorgan> we could not change ocata's paste-ini realistically
[16:58] <notmorgan> the mechanism ubuntu is saying to use for setup is an old old old one
[16:58] <notmorgan> in pike we have removed it
[16:58] <notmorgan> it's one of those lag behind the times.
[16:58] <Tahvok> not for Ocata
[16:59] <notmorgan> ok, let's back up
<Tahvok> Ubuntu is using bootstrap in ocata:
[16:59] <notmorgan> 1) it's out of pike
[16:59] <notmorgan> 2) we can't change ocata
[16:59] <Tahvok> I see it's been removed for future release, so maybe less important now..
[16:59] <notmorgan> 3) people didn't actually remove and still rely on the non-bootstrap form for setup so we're taking more aggressive action, it just takes time to do
[17:00] <notmorgan> it was something we couldn't "fix" for ocata, i see what you're asking now
[17:00] <Tahvok> I just brought up my thought that it was confusing new users..
[17:00] <notmorgan> but past ocata we can :)
[17:00] <notmorgan> and we have
[17:00] <notmorgan> in Pike it isn't in paste-ini by default, and i think it is Q where we remove it completely
[17:00] <Tahvok> Yes, and thanks for that!
[17:00] <notmorgan> and no longer even keep the class
[17:01] *** voelzmo has quit IRC
[17:01] <notmorgan> the functionality is still there, which we will remove, but we can't until some deployment tools are fixed (triple-o being the big one)
[17:01] <notmorgan> we've specifically been asked to maintain the admin-token-thing until they are fixed (it's actively being worked on)
[17:01] <Tahvok> I just ansible modules will keep up with the changes.. Currently you can't really authenticate normally with them to keystone api v3
[17:02] <Tahvok> I just hope*
[17:02] <notmorgan> you can't? aren't ansible modules based on shade?
[17:02] <notmorgan> if so, shade absolutely can auth and work with v3.
[17:02] <notmorgan> mordred: ^ cc
[17:02] <Tahvok> notmorgan: they are. But apparently there are bugs in shade
[17:02] * notmorgan blinks.
[17:03] <notmorgan> i've used shade with v3, fwiw
[17:03] <Tahvok> I know that. I'm speaking of the old mechanism, with admin token
[17:03] <notmorgan> oh yeah, admin token can't work with v3
[17:03] <Tahvok> It can.. You just need to work around it
[17:03] <notmorgan> it basically wasn't useful for anything except setting up a user
[17:04] <Tahvok> You need to specify env variable to use v3: OS_IDENTITY_API_VERSION: "3"
[17:04] <notmorgan> "can" and "work correctly and in a usable way" are two different things ;)
[17:04] <notmorgan> admin-token barely worked with v2 :P
[17:04] <Tahvok> Well, it was usable..
[17:04] <Tahvok> I'm just glad that admin token is finally gone..
[17:04] <notmorgan> well, it isn't "gone gone" but it is definitely not the way we test/run/do much of anything
[17:05] <notmorgan> and the default behavior is it is disabled.
[17:05] <Tahvok> And hooorrayy to that
[17:06] <Tahvok> Bootstrap is working really great for me
[17:06] <notmorgan> good to hear!
[17:06] <Tahvok> lbragstad: and it appears to be actually idempotent
[17:06] <notmorgan> yeah we had some bugs on bootstrap for that
[17:06] <notmorgan> but it was a goal to make it idempotent
[17:08] <lbragstad> Tahvok awesome!
<openstackgerrit> Anthony Washington proposed openstack/keystone master: Minor cleanup for 435609
<openstackgerrit> Anthony Washington proposed openstack/keystone master: Minor clean up for 435751
[17:16] *** rmascena_ has joined #openstack-keystone
[17:17] *** rmascena has quit IRC
[17:23] *** agrebennikov has quit IRC
[17:25] *** rmascena_ is now known as rmascena
[17:31] *** agrebennikov has joined #openstack-keystone
[17:35] *** jaosorior has quit IRC
[17:42] *** chlong has quit IRC
[17:43] *** masber has quit IRC
[17:46] *** masber has joined #openstack-keystone
[17:50] *** ravelar has quit IRC
[18:01] *** ravelar has joined #openstack-keystone
[18:05] *** masber has quit IRC
[18:07] *** chris_hultin is now known as chris_hultin|AWA
[18:08] *** catintheroof has quit IRC
[18:08] *** catintheroof has joined #openstack-keystone
<openstackgerrit> Richard Avelar proposed openstack/keystone master: Policy in code
[18:14] *** prashkre has quit IRC
[18:17] *** adrian_otto has joined #openstack-keystone
[18:21] *** browne has joined #openstack-keystone
[18:24] *** jamielennox|away is now known as jamielennox
<lbragstad> gagehugo couple last questions/comments about my tags discussion with edleafe
[18:37] <lbragstad> cc notmorgan rodrigods ^
[18:41] <rodrigods> lbragstad, cool, will take a look later today
[18:41] *** gus has quit IRC
[18:45] *** gus has joined #openstack-keystone
[18:49] <gagehugo> lbragstad: got a meeting in a few but I'll take a look
[18:52] *** david-lyle_ has joined #openstack-keystone
[18:52] *** david-lyle has quit IRC
[18:53] *** david-lyle_ is now known as david-lyle
[18:55] *** lamt has joined #openstack-keystone
[18:58] *** masber has joined #openstack-keystone
[18:59] *** lamt has quit IRC
[19:03] *** lamt has joined #openstack-keystone
[19:03] *** Aqsa has joined #openstack-keystone
[19:11] *** lamt has quit IRC
[19:12] <notmorgan> lbragstad: i just replied to one of your comments/question
[19:13] <lbragstad> notmorgan cool - thanks
[19:17] *** chris_hultin|AWA is now known as chris_hultin
[19:17] *** masber has quit IRC
[19:20] *** gyee has joined #openstack-keystone
<openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Support new hashing algorithms for securely storing password hashes
[19:22] *** aojea has quit IRC
[19:22] *** aojea has joined #openstack-keystone
[19:24] *** lamt has joined #openstack-keystone
[19:27] *** aojea has quit IRC
[19:33] *** lamt has quit IRC
[19:34] *** adrian_otto has quit IRC
<openstackgerrit> Rob Crittenden proposed openstack/keystone master: Include the requested URL in authentication errors
[19:50] *** masber has joined #openstack-keystone
[19:51] *** voelzmo has joined #openstack-keystone
[19:56] *** voelzmo has quit IRC
[20:00] *** lamt has joined #openstack-keystone
[20:04] *** lamt has quit IRC
[20:13] *** masber has quit IRC
[20:14] <gagehugo> lbragstad: interesting, thanks for clarifying with edleafe
[20:15] *** dave-mcc_ has joined #openstack-keystone
[20:15] <gagehugo> lbragstad: so is the consensus that we should focus on limiting via # per request rather than # per project? (as like you said, maintaining a large list almost limits itself)
[20:15] *** rakhmerov has quit IRC
[20:15] *** rakhmerov__ has joined #openstack-keystone
[20:15] *** kencjohnston_ has joined #openstack-keystone
[20:15] *** knangia_ has joined #openstack-keystone
[20:16] <gagehugo> you can change the entire list by the # limit, but add more if you wish?
[20:16] <lbragstad> gagehugo i tend to lean that way - because it's less validation for us to do and it provides a faster implementation without having to calculate existing tags
[20:16] <lbragstad> but i am still waiting to hear what others say about that specific approach
[20:16] *** waj334_ has joined #openstack-keystone
[20:17] <lbragstad> gagehugo if you do PUT /v3/projects/{project_id}/tags and supply a list ['foo', 'bar', 'baz'] those will be the tags for that project
[20:17] *** adrian_otto has joined #openstack-keystone
[20:17] <gagehugo> lbragstad: if we follow the WG spec, yes
[20:17] <gagehugo> also I am fine with that implementation, it would be nice to avoid having to validate every single call multiple times
[20:18] <gagehugo> for tags
[20:18] <lbragstad> gagehugo if you make a subsequent call with PUT /v3/projects/{project_id}/tags ['foo', 'bar', 'baz', 'qux'] then the entire list is rewritten
[20:18] <lbragstad> but I can also do PUT /v3/projects/{project_id}/tags/foo, PUT /v3/projects/{project_id}/tags/bar, PUT /v3/projects/{project_id}/tags/baz, PUT /v3/projects/{project_id}/tags/qux
[20:19] *** Aurelgad1o has joined #openstack-keystone
[20:21] *** aloga_ has joined #openstack-keystone
[20:22] *** DuncanT_ has joined #openstack-keystone
[20:22] *** jmccrory_ has joined #openstack-keystone
[20:22] <lbragstad> so - the possibility for things to get out of hand is there
[20:22] *** John341_ has joined #openstack-keystone
[20:22] <lbragstad> if a user exceeds the total number of tags we allow to be modified in a single PUT request
[20:23] *** Tahvok_ has joined #openstack-keystone
[20:23] *** aojea has joined #openstack-keystone
[20:24] *** bauruine_ has joined #openstack-keystone
[20:24] *** lunarlamp has joined #openstack-keystone
[20:24] <gagehugo> for that case, looking at nova they return a 403 for instance tags, but neutron returns a 400 for network tags
[20:26] *** markd_ has joined #openstack-keystone
[20:27] <gagehugo> if it exceeds the total number allowed in a single request when doing a PUT request
[20:28] *** aojea has quit IRC
[20:29] *** knangia has quit IRC
[20:29] *** dave-mccowan has quit IRC
[20:29] *** mvk has quit IRC
[20:29] *** bauruine has quit IRC
[20:29] *** DuncanT has quit IRC
[20:29] *** Aurelgadjo has quit IRC
[20:29] *** waj334 has quit IRC
[20:29] *** aloga has quit IRC
[20:29] *** mdavidson has quit IRC
[20:29] *** jmccrory has quit IRC
[20:29] *** John341 has quit IRC
[20:29] *** kencjohnston has quit IRC
[20:29] *** mariusv has quit IRC
[20:29] *** Tahvok has quit IRC
[20:29] *** Tahvok_ is now known as Tahvok
[20:29] *** jmccrory_ is now known as jmccrory
[20:29] *** lunarlamp is now known as mariusv
[20:29] *** knangia_ is now known as knangia
[20:29] *** waj334_ is now known as waj334
[20:29] *** mvk has joined #openstack-keystone
[20:30] <lbragstad> gagehugo the guidelines say that we should return a 400 Bad Request if the number of tags in the request exceeds the limit, right?
[20:31] <gagehugo> lbragstad yeah
[20:31] <gagehugo> which seems right imo
[20:32] *** DuncanT_ is now known as DuncanT
[20:33] *** dave-mcc_ is now known as dave-mccowan
<lbragstad> jamielennox does this make sense?
[20:37] <openstack> Launchpad bug 1672696 in keystonemiddleware "Cross-region requests are not blocked by keystonemiddleware" [Undecided,New] - Assigned to Maciej Jozefczyk (maciej.jozefczyk)
[20:40] *** ravelar has quit IRC
[20:41] <jamielennox> lbragstad: umm, IMO not really
[20:42] *** pnavarro has quit IRC
[20:42] <lbragstad> jamielennox you can setup services to be per region,
[20:42] <jamielennox> there's no way for keystonemiddleware to know what region it's in, and what region it was contacted in
[20:42] <jamielennox> it's just receiving requests
[20:42] <lbragstad> jamielennox yeah - we also don't scope tokens to regions in any way
[20:43] <jamielennox> there's things like keystone is looked up in catalog, and we should probably have a region config for that
[20:43] <jamielennox> but no-one's ever cared
[20:43] <jamielennox> but there's no real way to say that this token should only be available in this region
[20:44] *** adriant has joined #openstack-keystone
[20:46] <knikolla> does any service so far make use of x-service-token to restrict api calls?
[20:47] <notmorgan> lbragstad: I am against leveraging the catalog to block access
[20:48] <jamielennox> knikolla: not really as yet, there is some needed work on oslo.policy and such to make some rules that can make this possible
[20:48] <jamielennox> which i would love some help with as i don't have much time to be in it atm
[20:50] <knikolla> jamielennox: yep, i ran a codesearch and the only thing i found is a nova patch to make nova start using it when nova makes the calls.
[20:50] <knikolla> that broke some things i'm doing with k2k
[20:51] <jamielennox> knikolla: they do that for the token expiration stuff, which is good, but we need some things in for example nova's policy that say this function can only be called with a service token
[20:51] <jamielennox> knikolla: broke k2k? how?
[20:51] <knikolla> jamielennox: i maintain a proxy that routes calls between openstack services in separate deployments using k2k for auth.
[20:51] <lbragstad> notmorgan that makes sense - if they wanted to limit the exposure of services in specific regions that would have to be done by associating a region to the service, no?
[20:52] <notmorgan> not sure how that would work either, but... I mean, sure?
[20:52] <jamielennox> lbragstad: right, it's not a problem to use a token across regions, it just means you need to have things configured correctly
[20:53] <knikolla> jamielennox: and i only have mappings for users, as i don't want services to be admins in different clouds. so service token doesn't validate.
[20:53] <notmorgan> jamielennox: they want the opposite, to filter out things and not have it auth, I think?
[20:53] <lbragstad> jamielennox notmorgan i think that's how i understood it?
[20:54] *** aojea has joined #openstack-keystone
[20:54] <jamielennox> yea, i'm not sure what that would mean, we'd need to basically do endpoint filtering to make sure the endpoint that ksm thinks it is is somewhere in the catalog
[20:54] <jamielennox> and we rejected that concept when gyee wanted it
[20:55] <jamielennox> knikolla: you're doing k2k for service users?
[20:55] <jamielennox> service-token is really only something that is going to be relevant to the cloud that it's on
[20:56] <jamielennox> i don't see (atm) nova talking to a glance in a different cloud
[20:56] <knikolla> jamielennox: no, i don't need to for now. services use the user's token for communication between them.
[20:57] <knikolla> jamielennox: with a proxy it can. it can even boot from images and attach volumes in ceph from stuff in other clouds.
[20:58] <knikolla> but if the attaching a volume flow requires a service token, i'll have to figure something out.
[21:00] *** david_cu has joined #openstack-keystone
[21:06] *** sebie01 has joined #openstack-keystone
[21:11] *** chris_hultin is now known as chris_hultin|AWA
[21:11] *** aojea has quit IRC
[21:12] *** aojea has joined #openstack-keystone
[21:16] *** aojea has quit IRC
<openstackgerrit> Anthony Washington proposed openstack/oslo.policy master: oslopolicy-sample-generator description support
[21:23] <mordred> Tahvok: if you hit shade bugs that block you from getting things done, please let me know (or feel free to spam the #openstack-shade channel) - there's always a billion things to balance on any given day, but we try to respond to user problems as quickly as we can
[21:25] *** aojea has joined #openstack-keystone
[21:26] * lbragstad dangles in front of everyone to go review
[21:30] * mordred hands lbragstad a pie
[21:31] *** spilla has quit IRC
[21:32] <lbragstad> antwash one final comment on that we can address separately - but if you tack it onto the existing review that'd be fine, too
[21:33] <antwash> awe yeah, cool -- I add a release note about the DocumentedDefaultRule
[21:34] <antwash> s/I/I will
[21:52] *** sebie01 has quit IRC
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: define Response charset
[22:12] *** dave-mccowan has quit IRC
[22:19] *** aojea has quit IRC
[22:20] *** aojea has joined #openstack-keystone
[22:24] *** aojea has quit IRC
[22:26] *** edmondsw has quit IRC
<openstackgerrit> Merged openstack/keystone master: Remove extra duplicate 'be' in description
[22:28] *** ravelar has joined #openstack-keystone
[22:45] *** masber has joined #openstack-keystone
[22:55] *** donu7 has joined #openstack-keystone
[22:55] <donu7> Hello, is this channel appropriate for keystone related troubleshooting ?
[22:58] *** phalmos has quit IRC
[23:00] *** aselius has quit IRC
[23:04] *** rmascena has quit IRC
[23:07] *** lespaul has joined #openstack-keystone
<lespaul> Hello. I'm using Keystone with Swift. When reloading the Proxy server, I'm getting a Keystone plugin password not found. Any ideas what could be causing this?
[23:13] *** catintheroof has quit IRC
[23:32] *** masber has quit IRC
[23:36] *** jamielennox is now known as jamielennox|away
[23:40] *** jamielennox|away is now known as jamielennox
[23:41] *** gyee_ has joined #openstack-keystone
[23:43] *** gyee has quit IRC
[23:44] *** dave-mccowan has joined #openstack-keystone
