Monday, 2017-03-27

*** edmondsw has quit IRC		00:02
*** catintheroof has joined #openstack-keystone		00:06
catintheroof	guys hi, if i have a fernet token in my hands, and of course access to fernet keys on keystone server, whats the best way to know to whom that token belongs and how it is configured ?	00:08
catintheroof	configured i mean, scoped	00:13
*** oomichi has quit IRC		00:39
*** oomichi has joined #openstack-keystone		00:42
breton	make a GET request to /v3/auth/tokens	00:48
breton	with the token in X-Subject-Token header	00:48
*** lucasxu has joined #openstack-keystone		00:56
*** lucasxu has quit IRC		00:57
catintheroof	breton: nice! does this needs to be authenticated ?	00:58
*** jamielennox is now known as jamielennox\|away		01:01
*** markvoelker has joined #openstack-keystone		01:01
*** liujiong has joined #openstack-keystone		01:19
*** jamielennox\|away is now known as jamielennox		01:19
*** tovin07 has joined #openstack-keystone		01:41
*** oomichi has quit IRC		02:08
*** dave-mccowan has quit IRC		02:09
*** oomichi has joined #openstack-keystone		02:12
*** niteshnarayanlal has joined #openstack-keystone		02:44
*** links has joined #openstack-keystone		03:09
*** catintheroof_ has joined #openstack-keystone		03:32
*** edmondsw has joined #openstack-keystone		03:33
*** lamt has joined #openstack-keystone		03:34
*** catintheroof has quit IRC		03:36
*** edmondsw has quit IRC		03:37
*** nicolasbock has quit IRC		03:45
*** prashkre_ has joined #openstack-keystone		04:12
*** jamielennox is now known as jamielennox\|away		04:14
*** jamielennox\|away is now known as jamielennox		04:22
*** lamt has quit IRC		04:28
*** prashkre_ has quit IRC		04:35
*** niteshnarayanlal has quit IRC		05:01
*** rcernin has joined #openstack-keystone		05:26
*** lamt has joined #openstack-keystone		05:34
*** richm has quit IRC		05:43
*** aojea has joined #openstack-keystone		05:54
*** oomichi has quit IRC		05:58
*** oomichi has joined #openstack-keystone		06:01
*** aojea has quit IRC		06:04
*** aojea has joined #openstack-keystone		06:04
*** aojea has quit IRC		06:09
*** jaosorior has joined #openstack-keystone		06:13
*** lamt has quit IRC		06:20
*** prashkre_ has joined #openstack-keystone		06:21
*** lamt has joined #openstack-keystone		06:26
*** oomichi has quit IRC		06:28
*** oomichi has joined #openstack-keystone		06:32
*** oomichi has quit IRC		06:39
*** oomichi has joined #openstack-keystone		06:43
*** lamt has quit IRC		06:53
*** jaosorior has quit IRC		06:58
*** oomichi has quit IRC		06:58
*** oomichi has joined #openstack-keystone		07:03
*** oomichi has quit IRC		07:08
*** edmondsw has joined #openstack-keystone		07:09
*** dikonoor has joined #openstack-keystone		07:09
*** oomichi has joined #openstack-keystone		07:13
*** edmondsw has quit IRC		07:14
*** aojea has joined #openstack-keystone		07:17
*** jaosorior has joined #openstack-keystone		07:18
*** pcaruana has joined #openstack-keystone		07:20
*** oomichi has quit IRC		07:38
*** oomichi has joined #openstack-keystone		07:43
*** tesseract has joined #openstack-keystone		07:44
*** namnh has joined #openstack-keystone		07:49
breton	catintheroof_: yes	07:52
*** prashkre_ has quit IRC		07:58
*** delaf has left #openstack-keystone		07:59
*** zzzeek has quit IRC		08:00
*** zzzeek has joined #openstack-keystone		08:01
*** Aqsa has joined #openstack-keystone		08:10
*** bjornar_ has joined #openstack-keystone		08:24
*** rakhmerov has quit IRC		08:26
*** rakhmerov has joined #openstack-keystone		08:26
*** lxnch has joined #openstack-keystone		08:31
*** prashkre_ has joined #openstack-keystone		08:31
*** prashkre__ has joined #openstack-keystone		08:33
*** openstackgerrit has quit IRC		08:33
*** prashkre_ has quit IRC		08:35
*** namnh has quit IRC		08:54
*** namnh has joined #openstack-keystone		08:55
*** edmondsw has joined #openstack-keystone		08:57
*** edmondsw has quit IRC		09:02
*** nishaYadav has joined #openstack-keystone		09:15
nishaYadav	o/	09:15
*** dikonoor has quit IRC		09:29
*** dikonoor has joined #openstack-keystone		09:29
*** aojea_ has joined #openstack-keystone		09:34
*** aojea has quit IRC		09:37
*** liujiong has quit IRC		10:09
*** richm has joined #openstack-keystone		10:14
*** dikonoor has quit IRC		10:25
*** tovin07 has quit IRC		10:27
*** mvk has quit IRC		10:29
*** ayoung has joined #openstack-keystone		10:36
*** nicolasbock has joined #openstack-keystone		10:42
*** edmondsw has joined #openstack-keystone		10:46
*** edmondsw has quit IRC		10:50
*** raildo has joined #openstack-keystone		10:51
*** dikonoor has joined #openstack-keystone		11:06
*** dikonoor has quit IRC		11:10
*** dikonoor has joined #openstack-keystone		11:12
*** catintheroof_ has quit IRC		11:13
*** nicolasbock has quit IRC		11:16
*** dave-mccowan has joined #openstack-keystone		11:19
*** nicolasbock has joined #openstack-keystone		11:19
*** prashkre__ has quit IRC		11:29
*** zhurong has joined #openstack-keystone		11:30
*** prashkre__ has joined #openstack-keystone		11:30
*** nicolasbock has quit IRC		11:42
*** dikonoor has quit IRC		11:44
*** mvk has joined #openstack-keystone		11:44
*** thorst has joined #openstack-keystone		11:45
*** nicolasbock has joined #openstack-keystone		11:45
*** dikonoor has joined #openstack-keystone		11:50
*** namnh has quit IRC		11:53
*** catintheroof has joined #openstack-keystone		12:08
*** erlon has joined #openstack-keystone		12:11
*** dave-mccowan has quit IRC		12:12
*** zhurong has quit IRC		12:12
*** edmondsw_ has joined #openstack-keystone		12:29
*** openstackgerrit has joined #openstack-keystone		12:30
openstackgerrit	Aqsa Malik proposed openstack/keystone master: Fix mapping_purge failure https://review.openstack.org/408304	12:30
*** niteshnarayanlal has joined #openstack-keystone		12:35
*** links has quit IRC		12:40
*** niteshnarayanlal has quit IRC		12:41
*** markvoelker has quit IRC		12:47
Aqsa	rodrigods : Can you please have a look at the patchset I uploaded.	12:47
rodrigods	Aqsa, sure!	12:47
Aqsa	I actually got this error : "This change or one of its cross-repo dependencies was unable to be automatically merged with the current state of its repository. Please rebase the change and upload a new patchset." should I rebase it?	12:48
breton	Aqsa: yes, please do rebase	12:50
*** chlong has joined #openstack-keystone		12:51
*** niteshnarayanlal has joined #openstack-keystone		12:57
openstackgerrit	Aqsa Malik proposed openstack/keystone master: Fix mapping_purge failure https://review.openstack.org/408304	12:59
Aqsa	Still got the same error.	13:00
rodrigods	Aqsa, locally do: "git checkout master"	13:01
rodrigods	then "git pull origin master"	13:01
rodrigods	then you change again to your branch and do a "git rebase master"	13:01
*** prashkre__ has quit IRC		13:03
*** prashkre__ has joined #openstack-keystone		13:04
dstanek	rodrigods: git pull will merge commit depending on setup	13:06
rodrigods	dstanek, not if working in a separate branch	13:07
rodrigods	i have assumed that	13:07
*** spilla has joined #openstack-keystone		13:07
dstanek	'git review -d ####; git fetch; git rebase origin master' is really what you want to do	13:07
rodrigods	dstanek, if the master code isn't updated, the rebase is useless	13:08
rodrigods	does git fetch do that?	13:08
dstanek	lbragstad: getting closer....bugs need to get trimmed more though	13:08
rodrigods	i thought it would only get the branches, not the commits	13:08
dstanek	'git fetch' pulls changes from the remote and makes them available locally without changing local branches	13:09
dstanek	for instance, your local master branch isn't touched, but the origin/master remotes will have the updated commits locally	13:09
rodrigods	dstanek, hmm good to know	13:11
*** niteshnarayanlal has quit IRC		13:20
nishaYadav	rodrigods, hey	13:24
rodrigods	hi nishaYadav	13:24
nishaYadav	rodrigods, in case you get some time, can you please review a keystone doc patch?	13:25
rodrigods	nishaYadav, sure	13:25
nishaYadav	rodrigods, thanks a lot :) https://review.openstack.org/#/c/450038/	13:25
rodrigods	nishaYadav, looks like you have made pretty nice comments there, will keep this review on my list and circle back when they submit another patch	13:26
rodrigods	sounds good?	13:26
nishaYadav	rodrigods, yeah, that would be really nice :)	13:27
lbragstad	dstanek well - we're down to 91 in keystone	13:34
rodrigods	lbragstad, re: https://review.openstack.org/#/c/445505/ i'm a bit overwhelmed but intend to send another patchset shortly	13:36
rodrigods	i have noticed it currently breaks our functional tests (which include the federation tests - one of them is not passing)	13:36
lbragstad	rodrigods cool - i'll be on the look out for it	13:37
lbragstad	rodrigods what you have locally is breaking functional tests?	13:37
dstanek	lbragstad: i was really hoping for the 80s	13:37
lbragstad	dstanek i think we should be able to get there this week	13:37
lbragstad	dstanek we got a good bit of stuff done last week, i bet after we follow up on a few patches we'll be there	13:38
dstanek	lbragstad: 70s by the end of bug day	13:38
rodrigods	lbragstad, i didn't test :( don't have a proper federated env currently set	13:38
lbragstad	rodrigods gotcha	13:38
dstanek	lbragstad: had some test trouble Friday, but got them working on Sat - https://review.openstack.org/#/c/447864/	13:39
lbragstad	dstanek nice!	13:39
dstanek	lbragstad: i did a bunch of test improvements this weekend. just trying to get them in a state where I can commit them	13:40
lbragstad	dstanek awesome	13:40
lbragstad	dstanek are any of them bug related? or just general improvements?	13:40
dstanek	lbragstad: improvements. things i noticed and some speedups.	13:43
*** gsilvis has quit IRC		13:43
lbragstad	dstanek is the translation patch something we should backport to ocata?	13:46
*** gsilvis has joined #openstack-keystone		13:49
dstanek	lbragstad: no	13:50
dstanek	lbragstad: oh, wait. the bug fix one right? that one yes	13:50
dstanek	the translation link from above no	13:51
dstanek	lbragstad: if you want i can backport it	13:51
lbragstad	dstanek it's already proposed	13:51
lbragstad	dstanek https://review.openstack.org/#/c/450027/1	13:51
dstanek	lbragstad: looking	13:57
*** markvoelker has joined #openstack-keystone		14:00
*** agrebennikov has joined #openstack-keystone		14:01
*** nishaYadav has quit IRC		14:07
*** knangia has joined #openstack-keystone		14:08
*** chlong has quit IRC		14:09
*** zhurong has joined #openstack-keystone		14:11
*** gyee has joined #openstack-keystone		14:13
*** gyee has quit IRC		14:13
*** dave-mccowan has joined #openstack-keystone		14:16
*** bjornar_ has quit IRC		14:18
*** ravelar has joined #openstack-keystone		14:22
openstackgerrit	Richard Avelar proposed openstack/keystone master: Add federated support for get user https://review.openstack.org/448730	14:27
*** niteshnarayanlal has joined #openstack-keystone		14:31
*** dr_dolphm is now known as dolphm		14:37
*** rderose has joined #openstack-keystone		14:40
*** zhurong has quit IRC		14:41
*** phalmos has joined #openstack-keystone		14:43
*** szaher has quit IRC		14:45
*** szaher has joined #openstack-keystone		14:46
*** sjain has joined #openstack-keystone		14:55
*** dikonoor has quit IRC		14:58
*** rcernin has quit IRC		15:07
*** shewless has joined #openstack-keystone		15:12
shewless	Hello. If I know my domain name, and my project name, is there a way to get my project_id?	15:15
lbragstad	shewless https://developer.openstack.org/api-ref/identity/v3/index.html?expanded=list-projects-detail#projects	15:17
*** shewless_ has joined #openstack-keystone		15:17
lbragstad	shewless you can list projects and filter by name	15:17
shewless_	@lbragstad: sorry I got disconnected before completing my question	15:17
lbragstad	GET /v3/projects/?name=foo	15:18
shewless_	I tried exactly that but it seems like by default normal users don't have permissions to do that	15:18
lbragstad	shewless_ the default policy for project operations is admin_required	15:18
shewless_	so I thought maybe there was another way..	15:18
shewless_	@lbragstad: so how would a normal user (non admin) be able to use the API if they don't know their project_id?	15:19
openstackgerrit	Anthony Washington proposed openstack/keystone master: Move trust to DocumentedRuleDefault https://review.openstack.org/449278	15:19
dstanek	shewless_: what exactly are you trying to do?	15:19
*** shewless has quit IRC		15:19
shewless_	dstanek: I'm trying to write a simple script that uses curl to list a users stacks	15:20
shewless_	the user has their environemnt set with a token, a project name, and a domain name	15:20
shewless_	and they can use the openstack cli with this environment	15:20
dstanek	shewless_: that api won't accept a name?	15:21
shewless_	dstanek: hmm. I can try it. Maybe it does. The API says "project_id" so I assumed it would only accept the ID	15:21
shewless_	let me try	15:21
lbragstad	shewless_ the openstack cli will do some stuff based on filtering	15:23
openstackgerrit	Anthony Washington proposed openstack/keystone master: Move group policies to DocumentedRuleDefault https://review.openstack.org/449237	15:25
shewless_	dstanek: I get a 403 error (even as admin) if I try and list stacks using the project_name instead of project_id. 8004/v1/<project_name>/stacks	15:25
*** chlong has joined #openstack-keystone		15:25
shewless_	@lbragstad: any way I can see what the CLI is doing ?	15:26
lbragstad	this is what i can do locally - http://cdn.pasteraw.com/o7r6qzhx9cvoo634a4p7yp1iyv6y71o	15:26
shewless_	I tried --debug	15:26
shewless_	@lbragstad: is the for a normal user?	15:26
lbragstad	that's an admin user	15:27
lbragstad	querying the projects	15:27
shewless_	@lbragstad: right.. but a normal user won't be able to do that right?	15:27
lbragstad	i was just using it to show case the usage of the client	15:27
lbragstad	where you can do `openstack project show {name}`	15:27
shewless_	Okay.	15:27
lbragstad	but you can also do `openstack project show {id}`	15:27
shewless_	right.	15:28
lbragstad	shewless_ can your user do either of those?	15:28
shewless_	@lbragstad specifically form the CLI?	15:28
lbragstad	yes	15:28
*** nishaYadav has joined #openstack-keystone		15:29
*** lucasxu has joined #openstack-keystone		15:29
shewless_	@lbragstad: no they cannot do either of those	15:30
shewless_	BUT	15:31
shewless_	if they do "openstack stack list" it works somehow :)	15:31
shewless_	wait	15:31
shewless_	maybe I lied about that last part	15:31
lbragstad	stack list is a heat API	15:31
lbragstad	right?	15:31
shewless_	@lbragstad: yes but it needs to authenticate first	15:31
lbragstad	sure	15:32
shewless_	let me have a look at this. I think the CLI is just as busted as the API for normal users	15:32
shewless_	(if only token, project_name, and domain name are specified)	15:32
shewless_	maybe project_id is required to be set in the environment for non admin users?	15:32
lbragstad	shewless_ are you able to get a project scoped token?	15:33
lbragstad	shewless_ using you project name and domain name?	15:33
openstackgerrit	Anthony Washington proposed openstack/keystone master: Move access token to DocumentedRuleDefault https://review.openstack.org/449265	15:33
shewless_	@lbragstad: yes I believe so	15:33
lbragstad	shewless_ look in the auth response	15:34
lbragstad	shewless_ if you have a project scoped token, you should see a project specific section of the token response that has information about the project you're scoped to	15:34
shewless_	@lbragstad: let me have a look. This is how I'm generating the token BTW: http://paste.ubuntu.com/24261432/	15:35
openstackgerrit	Anthony Washington proposed openstack/keystone master: Move revoke events to DocumentedRuleDefault https://review.openstack.org/449346	15:36
lbragstad	shewless_ yeah - if you inspect the entire request, you should be able to find some project information in there, since you're asking for a project-scoped token	15:36
shewless_	@lbragstad: I've set that request to be a one time action. The user subsequently would already have their token	15:37
shewless_	and basically no other information	15:37
shewless_	I'm thinking I might just change the policy to allow users to list projects	15:38
shewless_	since this is a private cloud	15:38
* lbragstad shewless_ you can get the project id from the auth response - http://cdn.pasteraw.com/mqseyda47z5ukjbrra55h313bqvbj2v		15:39
lbragstad	using project name and domain name to scope the token	15:39
lbragstad	shewless_ this is the request I made - http://cdn.pasteraw.com/gnbpqwby7niqbhf3z4yro7o61wblsl1	15:40
shewless_	oooh	15:41
shewless_	@lbragstad: interesting let me try that	15:41
shewless_	..and thank you so far for the help	15:41
lbragstad	shewless_ no problem - i smashed both into a single paste - http://cdn.pasteraw.com/e53indqcd4jxhsoiw43jhmy82ed84aq	15:41
openstackgerrit	Anthony Washington proposed openstack/keystone master: Move region policies to DocumentedRuleDefault https://review.openstack.org/449213	15:41
openstackgerrit	Gage Hugo proposed openstack/keystone-specs master: Add Project tags https://review.openstack.org/431785	15:42
shewless_	@lbragstad: I could make my auth method "token" if I already have a token right?	15:43
lbragstad	shewless_ yep	15:43
lbragstad	shewless_ but are you trying to reauthenticate for a token?	15:44
lbragstad	shewless_ you should be able to get the same information if you validate the token you just got in your first step	15:45
openstackgerrit	Richard Avelar proposed openstack/keystone master: Remove policy file from source and refactor tests https://review.openstack.org/449675	15:46
lbragstad	shewless_ for example - http://cdn.pasteraw.com/lsvigeu3tbgy5y9xmzzhvjr27ysxm8w	15:47
lbragstad	shewless_ so - based on your script (http://paste.ubuntu.com/24261432/)	15:47
lbragstad	you should be able to do `curl -X GET -H "X-Subject-Token: $token" -H "X-Auth-Token: $token" http://localhost:35357/v3/auth/tokens \| python -m json.tool`	15:48
*** aojea has joined #openstack-keystone		15:48
lbragstad	to validate the token you just received using your script	15:48
lbragstad	substituting the auth endpoint for your own	15:49
shewless_	@lbragstad: not trying to get a new token	15:49
shewless_	just want to validate the one I already received	15:50
lbragstad	shewless_ cool - so you should be able to validate the token you already have from authenticating via your script	15:50
*** aojea_ has quit IRC		15:50
lbragstad	you can validate the token you already have (with itself) by passing it as the X-Auth-Token and the X-Subject-Token and perform a GET /v3/auth/token/	15:51
lbragstad	the response from token validation should contain all the information should received about the token when it was created	15:52
lbragstad	s/should/you/	15:52
openstackgerrit	Gage Hugo proposed openstack/keystone-specs master: Remove pbr warnerrors in favor of sphinx check https://review.openstack.org/439914	15:53
shewless_	@lbragstad: thanks. I'll play around with this info and see what I can do	15:53
dolphm	lbragstad: i'd suggest landing this ASAP to avoid endless merge conflict resolution - i assume dstanek would +2 after his revision https://review.openstack.org/#/c/447864/	15:53
lbragstad	shewless_ sounds good	15:53
lbragstad	dolphm ++ good call	15:53
lbragstad	dolphm I saw that this morning - i'll review it before lunch	15:54
dolphm	lbragstad: it's super straight forward, other than the testing changes	15:55
lbragstad	dolphm did you see any follow ups from sdages concerns?	15:55
openstackgerrit	Anthony Washington proposed openstack/keystone master: Move user policies to DocumentedRuleDefault https://review.openstack.org/449240	15:57
lbragstad	dolphm i should clarify - sdague had some comments on a similar patch being made to nova	15:59
*** aojea has quit IRC		15:59
dolphm	lbragstad: on the mailing list?	15:59
lbragstad	dolphm yeah - there was a thread on the mailing list	16:00
lbragstad	dstanek let me see if I can dig it up	16:00
*** aojea has joined #openstack-keystone		16:00
lbragstad	er dolphm ^	16:00
dolphm	lbragstad: i read through several posts - the only concerns i recall from sdague were about the reversal of policy and removing supporting testing infrastructure, etc, from nova	16:01
lbragstad	dolphm i must have stumbled across it in review	16:01
dolphm	lbragstad: i basically only read as far as to understand the i18n team's position - which make sense to me (although i might have suggested simply appending the translated log messages to the english ones, if they're available)	16:01
lbragstad	dolphm oh - instead of removing the translated ones altogether, just supply both?	16:02
dolphm	i trust that they know their audience better than we do	16:02
dolphm	lbragstad: right; keep the _LI() calls, but have the translation engine simply append the translation in oslo.i18n	16:03
lbragstad	that's not a bad suggestion	16:03
dolphm	that way you get the english thing that's google-able, and the translated thing that's localized for you	16:03
dolphm	lbragstad: if it's worth suggesting, i could revive the november thread	16:04
antwash	lbragstad : thanks for taking the time to comment on the policies patches	16:04
*** aojea has quit IRC		16:04
lbragstad	antwash no problem - that's for proposing them	16:04
lbragstad	antwash still working through a bunch of them	16:04
lbragstad	dolphm the testing/maintenance concern is still tricky though	16:05
dstanek	dolphm: that's my favorite patch	16:05
dolphm	dstanek: lol	16:05
dolphm	lbragstad: on our end, my suggestion wouldn't change anything in terms of testing or maintenance	16:05
lbragstad	dolphm right - it's more of a maintenance thing for the i18n team	16:06
*** prashkre__ has quit IRC		16:06
dstanek	in another channel someone was saying that the expectation is that operators understand English already	16:06
lbragstad	i remember that being an argument like 4 years ago when I worked on an openstack product	16:07
Aqsa	dstanek : Thanks it worked.	16:08
dstanek	i don't remeber all of the cited sources, but config, code, etc. are in English	16:08
lbragstad	i specifically remember operators wanting to keep the english version of the logs because it was easier to find tracebacks	16:08
lbragstad	and more google-able	16:08
dstanek	Aqsa: the git stuff?	16:18
openstackgerrit	Richard Avelar proposed openstack/keystone master: Validate rolling upgrade is run in order https://review.openstack.org/437441	16:18
Aqsa	dstanek: yes	16:18
dstanek	Aqsa: awesome. i fetch and rebase a lot in my workflow	16:19
openstackgerrit	Richard Avelar proposed openstack/keystone master: Validate rolling upgrade is run in order https://review.openstack.org/437441	16:20
Aqsa	dstanek: is it possible to change the ownership of the bug to yourself if you are just an author?	16:21
*** MasterOfBugs has joined #openstack-keystone		16:28
dstanek	Aqsa: you want it assigned to you, you mean?	16:29
dstanek	or to someone else?	16:29
*** mvk has quit IRC		16:29
Aqsa	I mean i am submitting patches to the bug that is owned by someone else, i want to change the ownership to myself too.	16:30
dstanek	Aqsa: you can do it manually by just assigning it to yourself. i believe there is still automation that will do that for you, but i'm not entirely sure.	16:31
dstanek	honsestly, i usually don't explicitly assign things to me although i probably should	16:31
lbragstad	if you propose a patch with 'closes-bug #{bug_number}	16:33
lbragstad	in the message, there is some infrastructure that will go through and automatically assign the bug to the person who committed the patch set	16:34
Aqsa	Oh alright!	16:36
Aqsa	thanks	16:36
lbragstad	Aqsa no problem	16:37
*** rcernin has joined #openstack-keystone		16:37
*** adrian_otto has joined #openstack-keystone		16:38
*** Aqsa has quit IRC		16:41
*** jaosorior has quit IRC		16:41
*** nishaYadav has quit IRC		16:43
*** sjain has quit IRC		16:47
*** gyee has joined #openstack-keystone		16:54
*** tesseract has quit IRC		16:59
dolphm	antwash: i'm definitely not going to leave this comment on all your patches, but before i continue reviewing: https://review.openstack.org/#/c/449346/2/keystone/common/policies/revoke_event.py	17:02
dolphm	antwash: will operations ever include anything other than method/path pairs in dictionaries?	17:04
dolphm	antwash: i.e. are there any other keys that might appear in an operation?	17:04
dolphm	antwash: like a header, or something?	17:04
*** rcernin has quit IRC		17:08
*** mvk has joined #openstack-keystone		17:12
*** pcaruana has quit IRC		17:12
*** nishaYadav has joined #openstack-keystone		17:15
*** harlowja has quit IRC		17:18
*** nishaYadav has quit IRC		17:20
*** chlong has quit IRC		17:22
*** markvoelker has quit IRC		17:23
*** harlowja has joined #openstack-keystone		17:24
*** bjornar_ has joined #openstack-keystone		17:25
lbragstad	dolphm will operators ever include anything other than method/path or will developers even include anything other than method/path?	17:28
lbragstad	FYI for everyone - there is a spec proposed for keystone to accept the storage of limits to improve the hierarchical quotas story https://review.openstack.org/#/c/440815/4	17:30
lbragstad	we should be sure to review that ^ document well since it will have quite a bit of keystone related work	17:30
*** prashkre__ has joined #openstack-keystone		17:30
dolphm	lbragstad: both? i'm moreso asking what the API supports	17:33
dolphm	lbragstad: [('METHOD'	17:33
dolphm	lbragstad: whoops, [('METHOD', '/path/'), ... ] would have been easier to maintain if that's the case	17:34
openstackgerrit	Merged openstack/keystone master: Remove log translations in keystone https://review.openstack.org/447864	17:35
*** chlong has joined #openstack-keystone		17:38
*** prashkre has joined #openstack-keystone		17:39
openstackgerrit	Ron De Rose proposed openstack/keystone-specs master: API keys https://review.openstack.org/438761	17:40
*** lucasxu has quit IRC		17:40
*** prashkre__ has quit IRC		17:42
*** dave-mccowan has quit IRC		17:46
openstackgerrit	Richard Avelar proposed openstack/keystone master: Validate rolling upgrade is run in order https://review.openstack.org/437441	17:48
*** nishaYadav has joined #openstack-keystone		17:50
*** nishaYadav is now known as Guest47169		17:51
*** Guest47169 is now known as nishaYadav_		17:51
*** nishaYadav_ has quit IRC		17:51
notmorgan	samueldmq: FYI, I just cancelled my boston lodging, wont be able to make it	17:55
notmorgan	too much personal stuff going on right around that time	17:55
samueldmq	notmorgan: oh	17:56
samueldmq	notmorgan: sure, I am glad you take care of your personal life too! :)	17:56
samueldmq	notmorgan: thanks for letting me know	17:56
*** adrian_otto has quit IRC		17:57
notmorgan	yeah	17:57
notmorgan	you'll kill it for that presentation though	17:57
samueldmq	notmorgan: that's my hope. I won't leave space for demo gods.	17:59
samueldmq	;)	17:59
lbragstad	dolphm oh - sure, i see what you mean	18:01
*** dave-mccowan has joined #openstack-keystone		18:01
lbragstad	dolphm afaik - only developers will be using the API	18:01
lbragstad	dolphm well - to be more specific, project developers looking to supply more details for policy	18:02
antwash	dolphm : sorry I was zoned out, but when the policy in generated it shows in the format "method" : "path"	18:04
lbragstad	ravelar did you have a similar patch to https://review.openstack.org/#/c/437388/ somewhere?	18:04
antwash	s/in/is	18:05
*** aojea has joined #openstack-keystone		18:05
openstackgerrit	Richard Avelar proposed openstack/keystone master: Remove policy file from source and refactor tests https://review.openstack.org/449675	18:05
ravelar	lbragstad ^	18:06
* notmorgan zones out again.		18:08
openstackgerrit	Anthony Washington proposed openstack/keystone master: Move user policies to DocumentedRuleDefault https://review.openstack.org/449240	18:09
ravelar	lbragstad I have Implements: blueprint policy-in-code in https://review.openstack.org/#/c/448826/	18:10
*** aojea has quit IRC		18:10
hlo323	rodrigods: hi, I have set up a devstack environment. what should be my next step?	18:10
ravelar	lbragstad not sure if it matters if I put it in both or just one of the patches and implements in the other	18:10
*** lucasxu has joined #openstack-keystone		18:11
lbragstad	ravelar technically i don't think it matters, i think it's just an un-enforced formality?	18:11
dstanek	rderose: lbragstad: i'll going to call the current though of an api keys implementation 'restricted passwords' because i don't have a better name	18:12
lbragstad	dstanek did you have a path for making api keys replace tokens?	18:12
lbragstad	dstanek via signed requests?	18:12
dstanek	lbragstad: that is definitely a path forward	18:12
dstanek	could we/will we? no idea, but true api keys are a step in that direction	18:13
openstackgerrit	Richard Avelar proposed openstack/keystone master: Remove policy file from source and refactor tests https://review.openstack.org/449675	18:13
lbragstad	dstanek was that documented/eluded to in your proposal?	18:14
*** catintheroof has quit IRC		18:15
lbragstad	dstanek i believe https://review.openstack.org/#/c/440593/ was the one?	18:16
dstanek	lbragstad: don't remember, but i don't think so. that's what we were discussing at PTG	18:16
dstanek	lbragstad: yep, that was my brain dump of how api keys would work, since the other api key spec was describing restricted passwords	18:17
lbragstad	dstanek right	18:17
lbragstad	dstanek we should take a stab at laying out the path to removing bearer tokens with api keys	18:18
*** MasterOfBugs has quit IRC		18:18
lbragstad	dstanek what was the gist of it?	18:18
*** lamt has joined #openstack-keystone		18:23
lbragstad	ravelar FYI - i abandon https://review.openstack.org/#/c/437388/ in favor of your approach	18:24
*** Aqsa has joined #openstack-keystone		18:26
*** ravelar has quit IRC		18:26
lbragstad	rderose do you have anything regarding the API key spec that you want to discuss tomorrow during the keystone meeting	18:27
lbragstad	rderose i'm filling out the agenda and I have some time carved off for spec discussion	18:27
rderose	lbragstad: yeah, you could add me at the end	18:28
rderose	I'm working on the spec now	18:28
lbragstad	rderose sounds good	18:28
dstanek	lbragstad: if you had api keys then you implement request signing. that's it for support. i don't know what would have to happen to move all of openstack to use it. i think there would be some deployment complexities	18:30
*** d0ugal has quit IRC		18:31
*** aojea has joined #openstack-keystone		18:32
*** ravelar has joined #openstack-keystone		18:34
*** aojea has quit IRC		18:37
openstackgerrit	Ron De Rose proposed openstack/keystone-specs master: Access Keys https://review.openstack.org/450415	18:40
dstanek	rderose: what made you choose the name access keys?	18:41
rderose	dstanek: I think the 'key' part makes sense	18:45
rderose	dstanek: and decided on 'access' since this version of the spec requires requesting a scoped token	18:45
dstanek	rderose: that's what aws calls their api keys	18:45
dstanek	https://aws.amazon.com/developers/access-keys/	18:45
openstackgerrit	Anthony Washington proposed openstack/keystone master: Move trust to DocumentedRuleDefault https://review.openstack.org/449278	18:45
*** d0ugal has joined #openstack-keystone		18:47
antwash	lbragstad : https://review.openstack.org/#/c/449240/3/keystone/common/policies/user.py -- I don't see any problem with it. We could easily add "Deprecated" to the description	18:48
rderose	dstanek: I also wanted a name that would allow us to move towards a more standard API key.	18:48
openstackgerrit	Anthony Washington proposed openstack/keystone master: Move user policies to DocumentedRuleDefault https://review.openstack.org/449240	18:48
rderose	dstanek: So maybe we start with requiring you to request a scoped token, but later we rework it so that you don't have to	18:48
dstanek	rderose: what do you mean?	18:48
lbragstad	antwash true - dstanek dolphm rderose do you have a preference?	18:49
dstanek	rderose: i don't think we want to call it access keys since that's not really what it is	18:49
rderose	dstanek: it's not AWS's access key	18:50
lbragstad	antwash also - we should have some sort of convention for punctuation in descriptions	18:50
dstanek	rderose: exactly	18:50
lbragstad	antwash i'm seeing some patches that have it proposed in the description, and others that don't	18:50
dstanek	lbragstad: ?	18:50
antwash	Yeah I was seeing that missing the "."	18:50
rderose	dstanek: but again, it could be more like AWS access key in the future. to me this would just be a start; improves security today.	18:51
rderose	biting off a small chunk now	18:51
antwash	dstanek: adding "deprecated" to the policy description	18:51
lbragstad	antwash i suppose our help text for configuration options is complete with periods, we could be consistent with that	18:52
dstanek	rderose: what take an intermediate step? if we add a real api-key concept then we'd have to some up with another name right?	18:52
antwash	List projects for user (deprecated)	18:52
antwash	^ example	18:52
dstanek	antwash: what's the question? do i like that?	18:52
lbragstad	`GET /v3/OS-FEDERATION/projects List projects for federated user (deprecated).`	18:52
antwash	dstanek : yeah how do you all feel about adding that "deprecated" portion mainly	18:53
dstanek	rderose: i think what we really need to have in that spec the rationale, usecases and future vision. i don't think i'd waste time on an implementation until we have that	18:53
lbragstad	dstanek in the descriptions for policies, should we advertise deprecated policies as such?	18:53
rderose	dstanek: we have the use case (at least the one I'm trying to address); still working on this spec	18:54
dstanek	antwash: if it's deprecated then we should add it. deprecating policies seems really, really hard to me	18:54
lbragstad	er - a better question would be, should we advertise deprecated API as such in policy descriptions?	18:54
rderose	dstanek: I'll add future vision as well	18:54
dstanek	rderose: i think the reason you keep changing the implementation is that we don't have that part solid yet	18:54
rderose	dstanek: true	18:55
dstanek	antwash: for example if we remvove a policy entry or remove a label then we are potentially making someone's cloud really insecure	18:55
lbragstad	dstanek i don't think we're that far yet - right now we're just trying to figure out if we use the policy file as another thing to advertise deprecated APIs	18:56
dstanek	rderose: your best bet is just stick with an architecture design process. collect input from stakeholders and come up with a vision from there	18:56
lbragstad	not deprecating policies	18:56
dstanek	lbragstad: oh, then no. i wouldn't document API deprecations there. people will be confused like I just was.	18:57
lbragstad	ok	18:57
lbragstad	cc antwash	18:57
lbragstad	dstanek that's a valid point	18:57
antwash	cool, I'll remove it :) thanks guys	18:57
lbragstad	antwash no problem - thank you	18:58
lbragstad	antwash and if i made that comment on other patch sets, feel free to disregard	18:58
antwash	++	18:58
lbragstad	antwash if you update, just say we talked about it in IRC :)	18:58
* lbragstad meanders away to find a cup of coffee		18:59
antwash	lbragstad: also if that's the case they should be removed from here to : https://review.openstack.org/#/c/448826/	19:01
*** phalmos has quit IRC		19:02
openstackgerrit	Anthony Washington proposed openstack/keystone master: Move user policies to DocumentedRuleDefault https://review.openstack.org/449240	19:04
antwash	awe never mind I had it confused lol you're referring to the method	19:05
antwash	s/method/path	19:06
openstackgerrit	Anthony Washington proposed openstack/keystone master: Move user policies to DocumentedRuleDefault https://review.openstack.org/449240	19:07
*** aojea has joined #openstack-keystone		19:09
*** adrian_otto has joined #openstack-keystone		19:12
lbragstad	ravelar https://review.openstack.org/#/c/449675/ passes for me locally	19:13
antwash	To answer your question here: https://review.openstack.org/#/c/449255/ -- I was using (https://github.com/openstack/keystone/blob/master/doc/source/policy_mapping.rst) to figure out some of the mapping	19:13
lbragstad	but it might require a patch to tempest	19:13
*** erlon has quit IRC		19:15
notmorgan	lbragstad: if you didn't see, skipping boston	19:15
notmorgan	lbragstad: sorry =/	19:15
lbragstad	notmorgan i saw :(	19:16
lbragstad	antwash it looks like all your DocumentedDefaultRule patches are in a single string based on one another?	19:19
antwash	lbragstad, yeah I did them all on the same branch -- is that bad?	19:19
antwash	locally	19:20
lbragstad	antwash no - that's not necessarily bad	19:20
lbragstad	antwash we just might be able to move through them faster if they are all based on master individually?	19:21
lbragstad	s/?//	19:21
lbragstad	since i don't think there is a reason they all can't be based directly on master, right?	19:21
*** samueldmq has quit IRC		19:23
*** samueldmq has joined #openstack-keystone		19:24
*** lamt has quit IRC		19:56
*** antwash_ has quit IRC		19:57
*** lamt has joined #openstack-keystone		19:58
*** niteshnarayanlal has quit IRC		20:08
*** markvoelker has joined #openstack-keystone		20:09
*** jamielennox is now known as jamielennox\|away		20:13
*** markvoelker has quit IRC		20:22
*** catintheroof has joined #openstack-keystone		20:23
*** jamielennox\|away is now known as jamielennox		20:24
*** catintheroof has quit IRC		20:39
*** shewless_ has quit IRC		20:42
antwash	lbragstad: well I really made the first change parent to the Policy 5 implementation and the rest just followed right after. That's really why they're like that	20:49
lbragstad	antwash ah - so once https://review.openstack.org/#/c/448826/ merges we should be able to rebase all of those on master	20:51
lbragstad	that should make reviewing them go much faster	20:51
lbragstad	s/reviewing/merging/	20:51
antwash	lbragstad: yeah that makes sense, then theres no conflicts	20:54
*** aojea has quit IRC		20:57
*** aojea has joined #openstack-keystone		20:57
lbragstad	antwash well - for the most part conflicts will be minimal from what i can tell, but it makes it so that we can approve several of them in parallel	20:57
lbragstad	antwash instead of only sending one through the gate at a time.	20:57
*** aojea has quit IRC		21:02
*** aojea has joined #openstack-keystone		21:02
*** edmondsw_ has quit IRC		21:03
*** edmondsw_ has joined #openstack-keystone		21:05
*** prashkre has quit IRC		21:07
*** edmondsw_ has quit IRC		21:09
*** bjornar_ has quit IRC		21:12
*** prashkre has joined #openstack-keystone		21:18
*** prashkre has quit IRC		21:20
*** dave-mccowan has quit IRC		21:27
*** lucasxu has quit IRC		21:34
*** Aqsa has quit IRC		21:37
*** lucasxu has joined #openstack-keystone		21:41
*** lxnch has quit IRC		21:41
*** spilla has quit IRC		21:42
antwash	lbragstad: awe I see what you're saying now. good to know for the future	21:42
*** raildo has quit IRC		21:44
openstackgerrit	Richard Avelar proposed openstack/keystone master: Validate rolling upgrade is run in order https://review.openstack.org/437441	21:54
*** thorst has quit IRC		22:02
*** thorst has joined #openstack-keystone		22:03
*** chlong has quit IRC		22:03
*** david-lyle has quit IRC		22:04
*** david-lyle has joined #openstack-keystone		22:05
*** thorst has quit IRC		22:07
*** aojea has quit IRC		22:13
*** aojea has joined #openstack-keystone		22:13
*** aojea has quit IRC		22:18
*** amrith has left #openstack-keystone		22:20
*** lamt has quit IRC		22:36
*** edmondsw has joined #openstack-keystone		22:47
*** thorst has joined #openstack-keystone		22:50
*** lucasxu has quit IRC		22:51
*** edmondsw has quit IRC		22:52
*** markvoelker has joined #openstack-keystone		22:52
*** thorst has quit IRC		22:53
*** agrebennikov has quit IRC		22:53
*** thorst has joined #openstack-keystone		23:24
*** nkinder has quit IRC		23:36
*** thorst has quit IRC		23:39

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!