Monday, 2017-05-01

*** ducttape_ has joined #openstack-keystone00:01
*** aojea has quit IRC00:02
*** ducttape_ has quit IRC00:05
*** edmondsw has joined #openstack-keystone00:10
*** edmondsw has quit IRC00:15
*** ducttape_ has joined #openstack-keystone00:30
*** thorst has joined #openstack-keystone01:14
*** thorst has quit IRC01:19
*** nicolasbock has joined #openstack-keystone01:26
*** thorst has joined #openstack-keystone01:33
*** thorst has quit IRC01:41
*** ducttape_ has quit IRC01:51
*** ducttape_ has joined #openstack-keystone01:56
*** edmondsw has joined #openstack-keystone01:58
*** aojea has joined #openstack-keystone01:58
*** ducttape_ has quit IRC02:01
*** edmondsw has quit IRC02:03
*** aojea has quit IRC02:04
*** ducttape_ has joined #openstack-keystone02:16
*** ducttape_ has quit IRC02:31
*** thorst has joined #openstack-keystone02:38
*** thorst has quit IRC02:56
*** ducttape_ has joined #openstack-keystone03:03
*** ducttape_ has quit IRC03:21
*** dave-mccowan has quit IRC03:22
*** masber has quit IRC03:29
*** nicolasbock has quit IRC03:31
*** aojea has joined #openstack-keystone03:35
*** aojea has quit IRC03:40
*** aojea has joined #openstack-keystone03:45
*** aojea has quit IRC03:46
*** edmondsw has joined #openstack-keystone03:46
*** aojea has joined #openstack-keystone03:46
*** gagehugo has quit IRC03:50
*** edmondsw has quit IRC03:51
*** aojea has quit IRC03:51
*** thorst has joined #openstack-keystone03:53
*** thorst has quit IRC03:58
*** links has joined #openstack-keystone04:12
*** ducttape_ has joined #openstack-keystone04:22
*** ducttape_ has quit IRC04:26
*** lamt has quit IRC04:26
*** afred312 has quit IRC04:40
*** afred312 has joined #openstack-keystone04:41
*** thorst has joined #openstack-keystone04:54
*** thorst has quit IRC04:58
*** lamt has joined #openstack-keystone05:40
*** richm has quit IRC05:43
*** aojea has joined #openstack-keystone05:47
*** aojea has quit IRC05:52
*** thorst has joined #openstack-keystone05:54
*** thorst has quit IRC05:59
*** adriant has quit IRC06:08
*** aojea has joined #openstack-keystone06:19
*** ducttape_ has joined #openstack-keystone06:44
*** ducttape_ has quit IRC06:49
*** thorst has joined #openstack-keystone06:55
*** thorst has quit IRC07:00
*** tesseract has joined #openstack-keystone07:06
*** rcernin has joined #openstack-keystone07:12
*** edmondsw has joined #openstack-keystone07:22
*** edmondsw has quit IRC07:27
*** rcernin has quit IRC07:32
*** masber has joined #openstack-keystone07:46
*** thorst has joined #openstack-keystone07:56
*** zzzeek has quit IRC08:00
*** zzzeek has joined #openstack-keystone08:00
*** d0ugal has quit IRC08:07
*** d0ugal has joined #openstack-keystone08:08
*** thorst has quit IRC08:15
*** aojea has quit IRC08:50
*** aojea has joined #openstack-keystone08:50
*** voelzmo has joined #openstack-keystone08:53
*** aojea has quit IRC08:54
*** thorst has joined #openstack-keystone09:12
*** thorst has quit IRC09:16
*** voelzmo has quit IRC09:30
*** voelzmo has joined #openstack-keystone09:31
*** aojea has joined #openstack-keystone09:32
*** dkushwaha has joined #openstack-keystone09:44
*** voelzmo has quit IRC09:45
dkushwahaHi all, I am from Tacker team. I have deployed new setup today. While executing some test in Tacker service, I am getting this error: keystoneauth1.exceptions.connection.ConnectFailure: Unable to establish connection to http://127.0.0.1:5000/v3/auth/tokens: HTTPConnectionPool(host='127.0.0.1', port=5000): Max retries exceeded with url: /v3/auth/tokens (Caused by NewConnectionError('<requests.packages.urllib3.connection.HTTPConnection obje09:51
dkushwahact at 0x7f5ed3dfc750>: Failed to establish a new connection: [Errno 111] Connection refused',))09:51
dkushwahaany clue on this?09:51
*** nicolasbock has joined #openstack-keystone10:04
*** richm has joined #openstack-keystone10:14
*** ayoung has joined #openstack-keystone10:32
*** edmondsw has joined #openstack-keystone10:58
*** edmondsw has quit IRC11:03
*** chlong has joined #openstack-keystone11:07
*** thorst has joined #openstack-keystone11:14
*** thorst has quit IRC11:18
*** dave-mccowan has joined #openstack-keystone11:22
ayoung"We can't allow Domain scoped tokens to have is_admin_project set!"  "But we can keep using them as admin tokens in the default policy?"  "Oh yeah, sure that is fine."11:30
ayoungFor fucks sake people.11:30
ayoungIt really feels like people are actively working to make it hard to fix things.11:35
*** mvk has quit IRC11:46
*** thorst has joined #openstack-keystone11:49
*** mvk has joined #openstack-keystone12:04
*** lamt has quit IRC12:07
*** edmondsw has joined #openstack-keystone12:15
*** spilla has joined #openstack-keystone12:44
*** edmondsw_ has joined #openstack-keystone12:45
*** edmondsw_ has quit IRC12:45
*** dklyle has joined #openstack-keystone12:57
*** david-lyle has quit IRC12:57
*** lamt has joined #openstack-keystone12:58
*** hoonetorg has quit IRC13:19
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware master: Updated from global requirements  https://review.openstack.org/45592713:19
*** hoonetorg has joined #openstack-keystone13:20
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient master: Updated from global requirements  https://review.openstack.org/45599513:27
*** links has quit IRC13:29
*** lbragstad_ is now known as lbragstad13:37
*** ChanServ sets mode: +o lbragstad13:37
*** gagehugo has joined #openstack-keystone13:39
*** lucasxu has joined #openstack-keystone14:04
*** phalmos has quit IRC14:05
*** lucasxu has quit IRC14:15
*** lucasxu has joined #openstack-keystone14:16
*** catintheroof has joined #openstack-keystone14:30
*** ducttape_ has joined #openstack-keystone14:34
*** catintheroof has quit IRC14:36
*** catintheroof has joined #openstack-keystone14:40
*** catintheroof has quit IRC14:42
*** phalmos has joined #openstack-keystone14:50
*** markvoelker has joined #openstack-keystone14:54
*** prajeesh-wrs has quit IRC15:04
*** aojea has quit IRC15:11
*** links has joined #openstack-keystone15:14
*** links has quit IRC15:17
*** ducttape_ has quit IRC15:17
*** ducttape_ has joined #openstack-keystone15:18
*** gagehugo has quit IRC15:22
*** gagehugo has joined #openstack-keystone15:26
*** gagehugo has quit IRC15:27
*** prashkre has joined #openstack-keystone15:27
*** gagehugo has joined #openstack-keystone15:30
openstackgerritLance Bragstad proposed openstack/keystone-specs master: Outline policy goals  https://review.openstack.org/46034415:32
*** voelzmo has joined #openstack-keystone15:33
*** dklyle has quit IRC16:00
*** dklyle has joined #openstack-keystone16:00
*** gyee has joined #openstack-keystone16:00
*** aojea has joined #openstack-keystone16:11
*** gagehugo has quit IRC16:11
*** gagehugo has joined #openstack-keystone16:12
*** aojea has quit IRC16:16
*** dklyle is now known as david-lyle16:24
*** prashkre has quit IRC16:26
*** tesseract has quit IRC16:29
*** rderose has joined #openstack-keystone16:30
*** openstack has joined #openstack-keystone16:58
*** openstack has joined #openstack-keystone17:08
*** openstack has joined #openstack-keystone17:11
*** openstack has joined #openstack-keystone17:13
*** openstack has joined #openstack-keystone17:14
*** openstack has joined #openstack-keystone17:21
*** lucasxu has joined #openstack-keystone17:41
*** faiyaz has joined #openstack-keystone17:47
faiyazi have issue with keystone17:47
faiyazits not allowing me to create domain default17:48
edmondswfaiyaz you'll need to give more details than that :)17:49
faiyazsure ill17:50
faiyaz ERROR keystone.common.wsgi OperationalError: (pymysql.err.OperationalError) (1045, u"Access denied for user 'keystone'@'controller' (using password: YES)")17:50
faiyazwhen i using the below command to create default domain17:51
faiyazopenstack project create --domain default --description "Service Project" service17:51
faiyazedmondsw are you there?17:55
*** ducttap__ has joined #openstack-keystone17:58
dstanekfaiyaz: it sounds like your mysql credentials are incorrect or that user has not been granted access to the tables17:59
*** ducttape_ has quit IRC18:00
*** voelzmo has joined #openstack-keystone18:00
*** voelzmo has quit IRC18:01
*** voelzmo has joined #openstack-keystone18:02
*** brad[] has joined #openstack-keystone18:07
edmondswdstanek faiyaz wait, if this is the default domain you're trying to create, have you previously bootstrapped keystone with some other domain?18:08
edmondswif not, that's probably your issue... check out keystone-manage18:08
edmondswthe command you tried is to create a project in the default domain, not the default domain itself. But of course you need to have bootstrapped before you can do that18:11
edmondswe.g. keystone-manage bootstrap --bootstrap-password ADMIN_PASS --bootstrap-admin-url http://controller:35357/v3/ --bootstrap-internal-url http://controller:35357/v3/ --bootstrap-public-url http://controller:5000/v3/ --bootstrap-region-id RegionOne18:12
*** voelzmo has quit IRC18:12
cmurphyfaiyaz: make sure you've created the mysql grants properly as described in https://docs.openstack.org/ocata/install-guide-ubuntu/keystone-install.html#prerequisites and set up the database connection string with the right password in keystone.conf18:13
*** aojea has joined #openstack-keystone18:13
*** openstackstatus has joined #openstack-keystone18:14
*** ChanServ sets mode: +v openstackstatus18:14
edmondswoh, no, dstanek is right... I read that too fast18:14
dstanekedmondsw: :-P18:18
*** aojea has quit IRC18:18
dstanekcmurphy: getting all professional with the nick?18:18
edmondswdstanek, yeah, I stuck my tongue out at myself too :P18:19
cmurphydstanek: ya, was time to retire crinkle18:19
faiyazwhat about admin token, is it required or we can leave it as optional18:19
cmurphyfaiyaz: what documentation are you following? the admin token should not be used any more18:22
faiyazhttps://docs.openstack.org/ocata/install-guide-rdo/keystone-install.html this one18:22
faiyazocata release on centos 718:23
cmurphyfaiyaz: you should use `keystone-manage bootstrap` as described in that document and not use the admin token18:24
dstanekfaiyaz: admin token was an evil hack that isn't needed anymore18:24
faiyazi have generated it at the time of starting the setup18:25
faiyazonly generated thats it18:26
faiyazthat it wont give any problem right18:26
edmondswlbragstad see question in https://bugs.launchpad.net/keystone/+bug/1662762 ... I'm not sure how to answer that. I don't know that we have further releases on stable...?18:27
openstackLaunchpad bug 1662762 in OpenStack Identity (keystone) ocata "Authentication for LDAP user fails at MFA rule check" [High,Fix committed] - Assigned to Matthew Edmonds (edmondsw)18:27
lbragstadedmondsw afaict that's up to packages18:28
lbragstadpackagers rather18:28
lbragstadwe've merged the change, but it's up to the distribution to roll a new release with the fix18:29
edmondswlbragstad right... and they wouldn't mark bugs like this as released if/when they do that, would they?18:30
lbragstadedmondsw they usually do, i'm not sure i've seen a recent example with a stable branch though18:31
*** rderose has quit IRC18:41
*** ducttap__ has quit IRC18:41
*** ducttape_ has joined #openstack-keystone18:42
dstanekfaiyaz: no. i would suggest that you don't use it and that you remove the middleware from your pipeline if it is in there18:45
*** ducttape_ has quit IRC18:46
*** ducttape_ has joined #openstack-keystone18:58
faiyazmiddleware in the sense configuration file right18:59
*** voelzmo has joined #openstack-keystone19:01
*** aojea has joined #openstack-keystone19:04
*** ducttap__ has joined #openstack-keystone19:11
*** ducttape_ has quit IRC19:12
*** ducttape_ has joined #openstack-keystone19:12
*** ducttap__ has quit IRC19:13
openstackgerritColleen Murphy proposed openstack/keystone master: Update dead API spec links  https://review.openstack.org/46148519:16
*** david-lyle is now known as dklyle19:17
*** dklyle is now known as david-lyle19:17
ayoungedmondsw, question for you.  What was the part of the review that you thought was an Ugly Hack?  Was it the blanket requirement for `is_admin_project` to all the existing calls?19:19
edmondswayoung yes... that line I said "Abolutely not" and then something about how that was a terrible hack19:20
ayoungedmondsw, OK, so I do agree with you that this is not the end state.19:20
ayoungedmondsw, I was trying to think what an appropriate alternative would be19:20
edmondswit shouldn't be any step in the process19:20
ayoungedmondsw, so, here are the things I tripped on, and I think they point the way forward19:21
ayoung1.  there are tempest tests that do domain listing with a domain scoped token19:21
edmondswyou'd go add the is_admin_project:True check to those keystone/common/policies/*.py rules that make sense, and not to those that don't19:21
ayoung2.  there are projects scoped admin calls to create users, but no scope check done in policy19:21
ayoungand same for users19:22
ayoungedmondsw, the problem is that without the scope checks, that is actually just as bad19:22
edmondsw?19:22
ayoungedmondsw, yeah...19:22
edmondsw?19:22
ayoungedmondsw, say I did what you said19:22
edmondswI'm not following you19:22
ayoungand then people enable is_admin project as per suggestion19:22
ayoungthey think things are locked down19:23
ayoungbut it turns out anyone on any project can do admin-level admin operations19:23
ayoungproject operations19:23
ayoungmy way, you make things way too draconian, then you loosen them up19:23
edmondswwhat do you mean by "admin-level admin operations"?19:23
edmondswsounds kinda redundant...19:23
ayoungedmondsw, well, in the Keystone case, it should be only assigning a role to a user in a project, but probably also creating a nested project?19:24
ayoungwe need both19:24
ayoungbut the scope checks are much harder19:24
ayounglook at how complicated the cloudsample file has become19:24
edmondswand I hope you mean any *admin* on any project can do *some* admin operations (those scoped to that project)19:24
ayoungedmondsw, yes, that is what I mean19:24
ayoungnot the is_admin_project limited operations19:25
edmondswthe cloudsample file is such a mess *because* scope checks aren't done in code where they a) belong and b) would be simpler19:25
ayoungedmondsw, ++++19:25
ayoungand then some19:25
ayoungsee, that is what I thought we were doing first19:25
ayoungso...we should probably identify per-resource what we scope should allow19:26
edmondsw++19:26
ayoungthe one funky one is create-project19:26
edmondswand that's very solvable19:26
ayoungthat should be 1. Domain scoped for top level and 2. project-scoped for nested, right?19:26
edmondswyes19:26
ayoungedmondsw, I think so.  Worried a little about backwards compat issues, but should be...19:27
ayounguser and group operations should be domain scoped19:27
edmondswyes19:27
ayoungrole assignments domain or project scoped, but need to match the scope of the assignment provided19:27
edmondswwell, mostly19:27
edmondswshowing the current user should be possible with project-scoped token19:28
ayoungis:  I should be admin on the project if I am assigning an admin role, or admin on the domain if I am assigning a domain role19:28
edmondswjust not showing other users19:28
edmondswas an example19:28
ayoungI think that if we start with the change-of-state operations we'll get the worst offenders19:28
ayoungthe reads are going to be trickier to get right, though, as there are enough different options...19:28
ayoungedmondsw, so, I think that my patch is still the right interim step.19:32
ayoungedmondsw, lock it down, tight, and then open it up one API at a time19:32
ayoungI don't want to have to get it right in a Big Bang.19:33
edmondswayoung but you're not just locking it down, you're closing off things that need to be open, i.e. breaking some cases19:33
ayoungedmondsw, I can start submitting follow on patches for the better RBAC19:33
ayoungedmondsw, let me walk you through it19:34
ayoungassuming we push this patch as is, nothing changes19:34
ayoungpeople with admin on any project still have admin on everything19:35
edmondsw"nothing changes" <- false19:35
ayoungnah, hold on19:35
edmondswnot if they're setting is_admin_project, as I am19:35
ayoungedmondsw, you are using default policy, too?19:35
edmondswno19:35
ayoungYeah, so that is going to be a strange combination19:35
ayoungdefault policy. but setting is_admin_project...19:36
edmondswthat's not what I said19:36
edmondswI said I'm NOT using default policy19:36
ayoungedmondsw, I know, and I am only changing it for default policy19:36
ayoungif you have custom policy, yours will take precedence19:36
edmondswayoung that's what is so nasty about your hack... the way you coded it, mine *won't* take precedence19:37
ayoungthe only people my patch would break things for would be people setting is_admin_project, but using default policy, and not putting all their admins in the admin project19:37
edmondswwrong19:37
edmondswas I remember it... let me go back and take another look19:38
ayoungedmondsw, do you not have a specific rule for admin_required?19:38
ayoungHeh19:38
ayoungSo easy to fool yourself on this stuff.19:39
*** hemna has joined #openstack-keystone19:42
hemnahey guys, I'm trying to install keystone from source from the stable/ocata branch and I'm running into pbr conflicts with oslo packages19:43
hemnafor example, keystone's requirements.txt in stable/ocata says it wants pbr<2.0.0,>=1.8 # Apache-2.019:44
hemnaand also oslo.db>=4.15.0 # Apache-2.019:44
hemnathat installs pbr 1.10.019:44
ayounghemna, where does that conflict?19:45
hemnaand oslo.db 4.21.0, but that wants pbr !=2.1.0>,>=2.0.019:45
hemnaother oslo packages do the same19:46
ayoungneed older oslo19:46
hemnasure, but installing via pip install . gets me oslo.db >= 4.1.5.0  (in keystone/requirements.txt)19:46
hemnaerr 4.15.019:47
hemnasorry19:47
*** ducttape_ has quit IRC19:47
edmondswayoung so your change isn't as bad as I thought... I can still override what you've set19:47
*** ducttape_ has joined #openstack-keystone19:47
hemnasince there is no upper constraint, the conflict is bound to happen.19:47
ayoung:)19:47
ayoungedmondsw, Heh...and now I understand your worry19:48
edmondswayoung but I think it breaks some cases when someone is using default policy if they setup admin_project19:48
ayoungedmondsw, yes, it would.  But either they need better policy, or they need to put their admin users in the admin_project until then19:48
edmondswe.g. why should I have to be is_admin_project:True to list roles?19:48
edmondswan admin on any project should be able to list roles, so that they can see what their options are for assigning roles to the users in their project19:49
edmondswyet with your change, per https://github.com/openstack/keystone/blob/b53640f5ccfc6d55f121a69fc230fb2a3ea96aba/keystone/common/policies/role.py#L23 using the rule you hacked...19:49
ayoungedmondsw, agreed.  But try not to scope creep me too bad on a patch that was supposed to merge 6 months ago?19:50
ayoungedmondsw, instead, let's get a follow on patch written with appropriate policy, and have people review that specifically19:50
ayoungof course, I still need to deal with the damn tempest change...19:50
gagehugohemna pip install oslo.db==4.15.0 should fix the problem, might have to do install older pbr too if 4.21 oslo.db updated it19:51
ayoungedmondsw, this stuff is hard, and I don't have sign off to work on it any more...I'm working on borrowed time as it is19:51
edmondswayoung or... we update this patch to add that is_admin_project:True only where it's needed instead of to all places using RULE_ADMIN_REQUIRED19:51
ayoungedmondsw, ewww19:51
ayoungplease no19:51
edmondswayoung I hear that... I don't have enough time for this either19:51
ayoungI mean...I kindof already did that19:51
edmondswyou did?19:51
ayoungits the scope check that bothers me19:51
ayoungyeah, I faked it on two calls just to get unit tests to pass19:52
ayoungsee the last revision19:52
ayounghttps://review.openstack.org/#/c/257636/23/keystone/common/policies/user.py19:52
ayoungand19:52
edmondswayoung I was just looking at the last revision, and still see RULE_ADMIN_REQUIRED including is_admin_project19:52
ayounghttps://review.openstack.org/#/c/257636/23/keystone/common/policies/project.py19:52
edmondswoh, you are doing essentially the opposite of what I was saying19:53
ayoungedmondsw, that seems to be my norm!19:53
edmondswchanging 2 places to not use RULE_ADMIN_REQUIRED instead of changing all other places that use it to also check is_admin_project19:53
ayoungmost places want the is_admin_check in keystone19:54
ayoungonly a small subset are actually supposed to be scoped19:54
edmondswayoung right... so most places should have a change in this changeset19:54
ayoungI want the damn role check out of the code, too19:54
edmondswayoung it's impossible to review as-is... I have to separately go find all the places that use that rule and see if they should be checking is_admin_project:True or not19:54
ayoungonly the scope check should be in the code...19:54
edmondswand then point out things like list roles that shouldn't, and so are wrong in this patch19:55
ayoungedmondsw, I think you are starting from the wrong assumption19:55
edmondswand I think you are :)19:55
ayoungyou are assuming that people with admin on a non-admin project should have the ability to do things seamlessly19:55
ayoungI don't think it works like that19:55
ayoungthey are going to be confused when this hits no matter what19:56
edmondswdefine "do things seamlessly"?19:56
ayoungthere are things they can do now that they won't be able to do once it hits, like edit endpoints19:56
ayoungetc...19:56
*** prashkre has quit IRC19:56
edmondswunless you're advocating that we force people to customize policy to get things working again...19:56
ayounggetting this change in allows us to get the appropriate changes in to Tempest, and the other projects19:56
ayoungedmondsw, I'm assuming that default policy + is_admin_project is not the norm19:57
edmondswif one of us spent the time we are spending talking about this instead just fixing the patch to do it properly, we'd be done by now19:57
ayoungI am assuming that people won't sit on changes for a year, either19:57
ayoungwhich has proven to be a bad assumption19:57
ayoungI am assuming that people actually want to make progress on this, and not live with it broken19:58
edmondswdefault policy + is_admin_project isn't the norm today... it will be, though19:58
ayoungbut instead, people have ignored instead of actively worked on it19:58
ayoungedmondsw, there are steps we need to go through to get there19:58
ayoungwe need a comparable change to this one into Nova, Glance, etc19:59
ayoungand then into Tempest19:59
ayoungand then, we can write new policy19:59
ayoungso, please, instead of holding this up, help me move it forward19:59
ayoungedmondsw, we've had people committing "fixes" that keep making it hard to fix this20:00
ayounganyone touching is_admin_project based code right now probably does not understand the scope of the problem20:01
ayoungonly a handful of people did, probably: you, me and Jamie.20:01
*** ducttap__ has joined #openstack-keystone20:04
*** ducttape_ has quit IRC20:04
edmondswayoung let me pull down your patch and try to make a couple changes hopefully we can both agree on20:09
ayoungedmondsw, I would love that20:09
ayoungedmondsw, think we need to loosen up list_domains in order for tempest to pass, but that should actually be OK20:10
ayoungno reason a domain admin can't list domains, right....20:10
ayoungHeaddesk...20:11
faiyazedmondsw still i am getting error https://pastebin.com/xLBga6T020:11
lbragstadedmondsw not sure you were around when i originally proposed this - https://review.openstack.org/#/c/460344/420:15
edmondswlbragstad just saw it today, added it to my list20:15
edmondswfaiyaz sorry, but I don't use mysql so I'm probably not the best person to help you fix that20:16
faiyazhow to remove the admin token from middleware20:17
dstanekfaiyaz: that means that your database credentials are incorrect20:17
faiyazi have give correct database password its not accepting i guess20:19
dstanekfaiyaz: can you login from the command line with it?20:19
faiyazi am trying in command line itself20:20
ayounglbragstad, there is probably a point we should make, maybe in that document, that also addresses a point dstanek brought up a few times:20:20
ayoungwe tend to think of roles like "Member" and "Admin" and policy rules as compute:create_server20:20
dstanekfaiyaz: make sure you try from the controller host20:21
faiyazyes i am trying from controller host20:21
dstanekfaiyaz: i would guess that you granted access to 'keystone'@'localhost' instead of 'keystone'@'controller'20:21
ayoungand when people ask "why can't we manage on compute:create_server instead of the URL" the reason is the mapping you discuss in that doc:20:21
ayoungThe mapping of policies to operations should be easy to maintain.20:22
faiyazyes20:22
faiyazlocalhost i have given20:22
ayounglbragstad, I'm pretty sure that is what you mean, but people are going to keep asking it until we find a way to make it clear:  if we have a URL, we need a way to automate mapping that to the policy in effect20:23
lbragstadayoung it is - my goal for that document is to use it as we review proposed solutions20:24
lbragstadayoung we always get hung up trying to explain this stuff, and people don't really have any sort of reference for what we want to do long-term20:24
ayounglbragstad, we should also probably have a big caveat in that document about not breaking things, specifically the scope check20:25
lbragstadayoung i think that fits/is covered with point #2 https://review.openstack.org/#/c/460344/4/specs/keystone/ongoing/policy-goals.rst20:25
dstanekfaiyaz: since you are connecting from controller you have to grant access to 'keystone'@'controller'20:25
faiyazok ill do that now20:26
ayounglbragstad, Heh.  What is clear to you and me is not clear to people coming to this for the first time.  "easy to maintain" implies "don't break it" but I don't think people realize how easy it is to break it.20:26
lbragstadayoung agree - but i also want this document to be something like a "5 minute read"20:27
*** voelzmo has quit IRC20:27
lbragstadlike - this is what we want our policy story to look like20:27
lbragstadayoung I should elaborate on something else though, too20:28
lbragstadayoung ideally - we should be able to break each goal into specs/solutions20:28
lbragstadand i imagine that is where we're going to get more detail defined20:28
dstaneklbragstad: we need an "identity on the toilet" series20:29
lbragstaddstanek right - i agree20:29
lbragstaddstanek something that gets the point across without losing people in the details20:29
faiyazno luck..!! same error20:31
faiyazAn unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-e88ebf11-b1a0-44d3-b3b0-3fadac96a88c)20:31
dstanekfaiyaz: what's the actual error now? same perms issue?20:34
dstanekfaiyaz: what do your grant statements look like?20:34
faiyaz MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'controller' \     -> IDENTIFIED BY 'keystonedb'; Query OK, 0 rows affected (0.01 sec)20:35
faiyaz ERROR keystone.common.wsgi ProgrammingError: (pymysql.err.ProgrammingError) (1146, u"Table 'keystone.project' doesn't exist") [SQL:  u'SELECT project.id AS project_id, project.name AS project_name, project.domain_id AS project_domain_id, project.description AS project_description, project.enabled AS project_enabled, project.extra AS project_extra, project.parent_id AS project_parent_id, project.is_domain AS project_i20:40
*** ducttap__ has quit IRC20:45
*** ducttape_ has joined #openstack-keystone20:45
*** ducttap__ has joined #openstack-keystone20:48
*** ducttape_ has quit IRC20:48
openstackgerritayoung proposed openstack/keystone master: Add is_admin_project check to policy  https://review.openstack.org/25763620:50
*** thorst has quit IRC20:56
dstanekfaiyaz: did you sync the db?20:59
faiyazyes..21:00
faiyazmy error code got changed21:05
faiyazThe request you have made requires authentication. (HTTP 401) (Request-ID: req-c776a2b5-baf7-42bd-93e4-e2be54413626)21:05
faiyaznow it is http 40121:05
*** markvoelker has quit IRC21:06
faiyazdo i need to get auth url as https or http21:08
*** thorst has joined #openstack-keystone21:15
*** aojea has quit IRC21:18
*** spilla has quit IRC21:19
*** thorst has quit IRC21:20
*** edmondsw has quit IRC21:24
*** adriant has joined #openstack-keystone21:37
*** faiyaz has quit IRC21:38
*** ducttap__ has quit IRC21:40
*** ducttape_ has joined #openstack-keystone21:41
*** lucasxu has quit IRC21:42
*** catintheroof has joined #openstack-keystone21:50
*** markvoelker has joined #openstack-keystone21:57
*** rderose has joined #openstack-keystone22:11
*** thorst has joined #openstack-keystone22:11
*** thorst has quit IRC22:16
openstackgerritEric Fried proposed openstack/keystoneauth master: Introduce keystoneauth1.loading.adapter  https://review.openstack.org/46033722:21
efriedjamielennox mordred ^^22:21
efriedUT done.22:21
*** browne has joined #openstack-keystone22:32
*** catintheroof has quit IRC22:39
*** lamt has quit IRC22:39
*** browne has quit IRC22:43
*** thorst has joined #openstack-keystone22:46
*** browne has joined #openstack-keystone22:54
*** thorst has quit IRC22:59
*** thorst has joined #openstack-keystone22:59
*** edmondsw has joined #openstack-keystone23:02
*** ducttape_ has quit IRC23:23
*** ducttape_ has joined #openstack-keystone23:24
*** phalmos has quit IRC23:28
*** rderose has quit IRC23:32
mordredefried: ++23:48
*** jamielennox is now known as jamielennox|away23:56
*** edmondsw has quit IRC23:56
*** jamielennox|away is now known as jamielennox23:58
