Tuesday, 2017-05-16

*** hoonetorg has joined #openstack-keystone		00:09
*** thorst_afk has joined #openstack-keystone		00:10
*** gyee has quit IRC		00:22
*** piliman974 has joined #openstack-keystone		00:25
*** dikonoor has joined #openstack-keystone		00:45
*** harlowja has joined #openstack-keystone		00:49
*** Shunli has joined #openstack-keystone		00:56
*** zzzeek has quit IRC		01:03
*** zzzeek has joined #openstack-keystone		01:05
*** gongysh has joined #openstack-keystone		01:07
*** zsli_ has joined #openstack-keystone		01:08
*** Shunli has quit IRC		01:11
*** masuberu has joined #openstack-keystone		01:17
*** thorst_afk has quit IRC		01:19
*** shuyingya has joined #openstack-keystone		01:25
*** shuyingya has quit IRC		01:26
*** shuyingya has joined #openstack-keystone		01:26
*** shuyingya has quit IRC		01:26
*** shuyingya has joined #openstack-keystone		01:28
*** thorst_afk has joined #openstack-keystone		01:28
*** zsli__ has joined #openstack-keystone		01:29
*** zsli_ has quit IRC		01:33
*** shuyingy_ has joined #openstack-keystone		01:33
*** thorst_afk has quit IRC		01:35
*** shuyingya has quit IRC		01:37
*** harlowja has quit IRC		01:42
*** Shunli has joined #openstack-keystone		01:50
*** zsli__ has quit IRC		01:50
openstackgerrit	Merged openstack/keystonemiddleware master: Update driver config parameter from string to list https://review.openstack.org/464732	01:55
*** harlowja has joined #openstack-keystone		01:56
openstackgerrit	Merged openstack/python-keystoneclient master: Updated from global requirements https://review.openstack.org/464469	01:58
*** thorst_afk has joined #openstack-keystone		02:03
*** thorst_afk has quit IRC		02:04
openstackgerrit	Merged openstack/keystoneauth master: Updated from global requirements https://review.openstack.org/464392	02:08
openstackgerrit	Merged openstack/python-keystoneclient master: Stop using oslotest.mockpatch https://review.openstack.org/462038	02:08
*** aojea has joined #openstack-keystone		02:11
adriant	lbragstad, I swear I'm not trying to be a pain, just genuinely confused by the feature. :P	02:12
openstackgerrit	Merged openstack/keystone master: Updated from global requirements https://review.openstack.org/464391	02:12
adriant	It makes sense for cloud providers where users can't talk API, but in openstack, well, it just isn't a problem.	02:12
openstackgerrit	Merged openstack/keystone master: Remove X-Auth-Token from response parameters https://review.openstack.org/462008	02:13
*** aojea has quit IRC		02:16
*** harlowja has quit IRC		02:20
openstackgerrit	Merged openstack/keystoneauth master: Fix V3ADFSPassword retrieval of scoped token https://review.openstack.org/463212	02:31
*** gongysh has quit IRC		02:39
*** ducttape_ has joined #openstack-keystone		02:43
*** piliman974 has quit IRC		02:46
*** ducttape_ has quit IRC		02:48
*** namnh has joined #openstack-keystone		03:01
*** thorst_afk has joined #openstack-keystone		03:04
openstackgerrit	Merged openstack/keystone master: Add filter explain in api ref about parents_as_list and subtree_as_list https://review.openstack.org/458307	03:13
*** zsli_ has joined #openstack-keystone		03:17
*** Shunli has quit IRC		03:18
*** thorst_afk has quit IRC		03:25
*** zsli_ has quit IRC		03:29
*** dikonoor has quit IRC		03:30
*** links has joined #openstack-keystone		03:30
*** Shunli has joined #openstack-keystone		03:33
*** Shunli has quit IRC		03:34
*** nicolasbock has quit IRC		03:35
*** Shunli has joined #openstack-keystone		03:35
*** Shunli has quit IRC		03:42
*** Shunli has joined #openstack-keystone		03:43
*** lamt has joined #openstack-keystone		03:54
*** Shunli has quit IRC		04:02
openstackgerrit	Merged openstack/python-keystoneclient master: Remove log translations in python-keystoneclient https://review.openstack.org/447805	04:11
*** dikonoor has joined #openstack-keystone		04:16
*** faizy_ has joined #openstack-keystone		04:22
*** lamt has quit IRC		04:26
*** faizy has quit IRC		04:26
adriant	cmurphy, you about?	04:34
*** lamt has joined #openstack-keystone		04:37
openstackgerrit	Merged openstack/keystonemiddleware master: Updated from global requirements https://review.openstack.org/455927	04:38
cmurphy	adriant: hi	04:43
adriant	cmurphy, Hey, I totally agree with your point, I just don't think a new user-like model is the right approach :)	04:44
adriant	non-admins need some way of creating users.	04:44
cmurphy	adriant: i think that's valid	04:45
adriant	It's a problem with keystone I've been beating my head against for ages, and just writing other stuff outside of keystone to handle for me with a admin user.	04:45
cmurphy	adriant: i'm currently tracking down all the open specs related to this issue, some of them propose refitting existing models rather than inventing new ones	04:46
adriant	I think we have all the pieces we need in keystone to do this already, just... we need better control and policy over them.	04:47
adriant	cmurphy, do tell me what you find, I sadly haven't been following this particular problem upstream as much as I should have	04:48
cmurphy	adriant: i'll add it to the thread	04:48
*** lamt has quit IRC		04:52
*** lamt has joined #openstack-keystone		04:56
*** lamt has quit IRC		05:01
*** jamielennox is now known as jamielennox\|away		05:10
*** thorst_afk has joined #openstack-keystone		05:22
*** thorst_afk has quit IRC		05:26
*** jamielennox\|away is now known as jamielennox		05:30
*** links has quit IRC		05:33
openstackgerrit	yangweiwei proposed openstack/keystone master: Update utils method in federation https://review.openstack.org/464933	05:33
openstackgerrit	Divya K Konoor proposed openstack/keystoneauth master: Re-use token passed in for v3 Token https://review.openstack.org/464934	05:40
*** links has joined #openstack-keystone		05:41
*** Shunli has joined #openstack-keystone		05:43
*** harlowja has joined #openstack-keystone		05:47
*** arturb has joined #openstack-keystone		06:04
*** ducttape_ has joined #openstack-keystone		06:06
*** ducttape_ has quit IRC		06:11
*** pcaruana has joined #openstack-keystone		06:22
*** gongysh has joined #openstack-keystone		06:27
*** rcernin has joined #openstack-keystone		06:32
*** zsli_ has joined #openstack-keystone		06:34
*** gongysh has quit IRC		06:35
*** zsli_ has quit IRC		06:36
*** Shunli has quit IRC		06:37
*** tobberydberg has joined #openstack-keystone		06:39
*** tobberydberg has quit IRC		06:39
*** tobberydberg has joined #openstack-keystone		06:39
*** davechen has quit IRC		06:40
*** davechen has joined #openstack-keystone		06:41
*** harlowja has quit IRC		06:50
*** edmondsw has joined #openstack-keystone		06:53
*** jaosorior has quit IRC		06:53
*** adriant has quit IRC		06:57
*** edmondsw has quit IRC		06:57
*** belmoreira has joined #openstack-keystone		07:00
*** jamielennox is now known as jamielennox\|away		07:07
*** aojea has joined #openstack-keystone		07:20
openstackgerrit	rocky proposed openstack/keystone master: Migrate render_token_data_response to keystone.common.controller https://review.openstack.org/464956	07:26
*** jamielennox\|away is now known as jamielennox		07:34
*** jaosorior has joined #openstack-keystone		07:43
*** zzzeek has quit IRC		08:00
*** zzzeek has joined #openstack-keystone		08:00
*** ducttape_ has joined #openstack-keystone		08:08
*** faizy_ has quit IRC		08:11
*** ducttape_ has quit IRC		08:15
*** mvk has quit IRC		08:19
*** jaosorior is now known as jaosorior_lunch		08:20
*** thorst_afk has joined #openstack-keystone		08:24
*** thorst_afk has quit IRC		08:29
*** mvk has joined #openstack-keystone		08:51
*** shuyingy_ has quit IRC		08:56
*** shuyingya has joined #openstack-keystone		08:56
*** arturb has quit IRC		08:56
*** belmoreira has quit IRC		09:01
*** aojea has quit IRC		09:03
*** aojea has joined #openstack-keystone		09:04
*** luisnho223 has joined #openstack-keystone		09:04
*** luisnho223 has left #openstack-keystone		09:06
*** jaosorior_lunch is now known as jaosorior		09:15
*** thorst_afk has joined #openstack-keystone		09:25
*** thorst_afk has quit IRC		09:44
openstackgerrit	Divya K Konoor proposed openstack/keystoneauth master: Re-use token passed in for v3 Token https://review.openstack.org/464934	09:48
*** piliman974 has joined #openstack-keystone		09:54
*** nicolasbock has joined #openstack-keystone		10:03
samueldmq	morning keystone	10:06
*** mvk has quit IRC		10:06
*** mvk has joined #openstack-keystone		10:12
*** namnh has quit IRC		10:18
breton	morning	10:26
*** thorst_afk has joined #openstack-keystone		10:41
*** thorst_afk has quit IRC		10:45
*** aojea has quit IRC		10:53
*** raildo has joined #openstack-keystone		11:02
openstackgerrit	rocky proposed openstack/keystone master: Migrate render_token_data_response to keystone.common.controller https://review.openstack.org/464956	11:03
*** thorst_afk has joined #openstack-keystone		11:12
*** asettle_ is now known as asettle		11:13
*** belmoreira has joined #openstack-keystone		11:34
*** jhesketh has quit IRC		11:39
*** tobberyd_ has joined #openstack-keystone		11:41
*** jhesketh has joined #openstack-keystone		11:41
*** shuyingy_ has joined #openstack-keystone		11:42
*** tobberydberg has quit IRC		11:44
*** piliman974 has quit IRC		11:44
*** tobberydberg has joined #openstack-keystone		11:45
*** tobberyd_ has quit IRC		11:45
*** shuyingya has quit IRC		11:45
*** nicolasbock has quit IRC		11:58
*** nicolasbock has joined #openstack-keystone		11:58
*** thorst_afk is now known as thorst		12:05
*** ducttape_ has joined #openstack-keystone		12:06
*** ducttape_ has quit IRC		12:11
*** dave-mccowan has joined #openstack-keystone		12:21
*** raildo has quit IRC		12:34
*** raildo has joined #openstack-keystone		12:34
*** ducttape_ has joined #openstack-keystone		12:34
*** edmondsw has joined #openstack-keystone		12:35
*** ducttape_ has quit IRC		12:35
*** shuyingya has joined #openstack-keystone		12:42
*** shuyingy_ has quit IRC		12:45
*** morgan_ is now known as morgan		12:49
*** lamt has joined #openstack-keystone		12:50
*** lamt has quit IRC		12:51
*** lamt has joined #openstack-keystone		12:55
*** piliman974 has joined #openstack-keystone		13:02
*** iurygregory has joined #openstack-keystone		13:03
*** prashkre has joined #openstack-keystone		13:04
*** edmondsw_ has joined #openstack-keystone		13:08
*** tobberydberg has quit IRC		13:08
*** tobberydberg has joined #openstack-keystone		13:08
*** edmondsw has quit IRC		13:09
*** edmondsw_ has quit IRC		13:09
*** edmondsw has joined #openstack-keystone		13:09
*** shuyingya has quit IRC		13:15
*** admcleod has quit IRC		13:18
*** prashkre_ has joined #openstack-keystone		13:20
*** prashkre has quit IRC		13:20
*** admcleod has joined #openstack-keystone		13:21
*** aojea has joined #openstack-keystone		13:21
*** aojea has quit IRC		13:27
*** jrist has quit IRC		13:43
*** rcernin has quit IRC		13:48
*** lamt has quit IRC		13:49
*** rcernin has joined #openstack-keystone		13:49
*** shuyingya has joined #openstack-keystone		13:51
*** spilla has joined #openstack-keystone		13:52
*** aojea has joined #openstack-keystone		13:52
*** ducttape_ has joined #openstack-keystone		13:52
*** jaosorior is now known as jaosorior_away		14:00
*** shuyingy_ has joined #openstack-keystone		14:04
*** lamt has joined #openstack-keystone		14:06
*** shuyingya has quit IRC		14:08
*** tobberyd_ has joined #openstack-keystone		14:14
*** tobberydberg has quit IRC		14:16
lbragstad	o/	14:17
*** tobberyd_ has quit IRC		14:19
*** tobberydberg has joined #openstack-keystone		14:20
gagehugo	o/	14:20
*** tobberydberg has quit IRC		14:22
*** tobberydberg has joined #openstack-keystone		14:22
*** tobberydberg has quit IRC		14:27
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs master: Specification for global roles https://review.openstack.org/464763	14:48
lbragstad	cmurphy: ^ addressed your comments, thanks for the review!~	14:48
knikolla	o/	14:51
*** kfarr has joined #openstack-keystone		14:56
*** edtubill has joined #openstack-keystone		14:56
*** links has quit IRC		14:58
kfarr	Hi Keystone team! I am working on getting a gate running with only Keystone and Barbican, but devstack seems to be failing when it attempts to start Keystone	15:01
kfarr	http://logs.openstack.org/58/344458/5/experimental/gate-barbican-kmip-dsvm-functional-ubuntu-xenial-nv/06240aa/logs/devstacklog.txt.gz	15:01
kfarr	The enabled services are as follows: ENABLED_SERVICES=barbican-pykmip,pykmip-server,tempest,keystone	15:01
kfarr	(the pykmip services are barbican-related)	15:01
kfarr	so I suspect I need the mysql service enabled as well?	15:02
kfarr	Just wondering if someone could please confirm which services are needed to run a standalone keystone devstack	15:03
lbragstad	kfarr: whenever I use devstack to stand up a stand along keystone service - I enable mysql	15:03
kfarr	lbragstad ok thanks, do I also need rabbit?	15:04
lbragstad	kfarr: this is what i use - ENABLED_SERVICES=rabbit,mysql,key	15:04
breton	why does nova client require auth_url? Why can't it just use the session?	15:05
lbragstad	kfarr: i'd start by adding your barbican services to that and see if that helps	15:05
breton	oh, ok, it doesn't require.	15:06
openstackgerrit	Blake Covarrubias proposed openstack/keystoneauth master: Allow setting EndpointReference in ADFSPassword https://review.openstack.org/463432	15:07
*** piliman974 has quit IRC		15:10
*** prashkre_ has quit IRC		15:18
*** prashkre_ has joined #openstack-keystone		15:18
kfarr	lbragstad ok thank you! I will try it out	15:18
*** dikonoor has quit IRC		15:23
lbragstad	kfarr: cool - let me know how it works out	15:29
*** arunkant_ has joined #openstack-keystone		15:29
*** tobberydberg has joined #openstack-keystone		15:31
*** arunkant has quit IRC		15:33
openstackgerrit	Gage Hugo proposed openstack/keystone master: is_admin_project check for non scoped operations https://review.openstack.org/257636	15:33
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs master: Specification for global roles https://review.openstack.org/464763	15:35
*** prashkre_ has quit IRC		15:39
*** prashkre_ has joined #openstack-keystone		15:39
*** prashkre_ has quit IRC		15:42
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs master: Outline policy goals https://review.openstack.org/460344	15:49
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs master: Specification for global roles https://review.openstack.org/464763	15:49
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs master: Add policy roadmap for security https://review.openstack.org/462733	15:49
*** bkudryavtsev has joined #openstack-keystone		15:49
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs master: Outline policy goals https://review.openstack.org/460344	15:52
*** aojea has quit IRC		15:52
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs master: Add policy roadmap for security https://review.openstack.org/462733	15:52
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs master: Specification for global roles https://review.openstack.org/464763	15:52
*** shuyingy_ has quit IRC		15:55
*** tobberydberg has quit IRC		15:55
*** tobberydberg has joined #openstack-keystone		15:56
*** tobberydberg has quit IRC		15:57
*** tobberydberg has joined #openstack-keystone		15:57
lbragstad	the keystone-specs gate appears to be broken	16:00
gagehugo	I think it's Jenkins, the openstack-helm docs gate is borked too	16:01
gagehugo	same error	16:01
lbragstad	gagehugo: i was able to recreate it locally	16:02
*** tobberydberg has quit IRC		16:02
lbragstad	http://paste.openstack.org/show/609693/	16:03
gagehugo	https://bugs.launchpad.net/pbr/+bug/1691129	16:03
openstack	Launchpad bug 1691129 in PBR "sphinx 1.6.1 introduces an attribute error" [Undecided,New]	16:03
lbragstad	aha - yeah that looks about right	16:04
lbragstad	sphinx 1.5.6 works for me locally	16:06
bkudryavtsev	Morning :-) Trying to setup keystone with LDAP backend here. Confused on how id's are created. Should they be generated by hand when creating ldap entries, or am I missing something?	16:06
*** rderose has joined #openstack-keystone		16:09
bkudryavtsev	e.g cn=a14dc9d9926ae250fb8a8313bf554be7,ou=Users,dc=openstack,dc=org	16:09
*** cmurphy has quit IRC		16:14
lbragstad	bkudryavtsev: are you following a guide?	16:18
*** kfarr has quit IRC		16:18
bkudryavtsev	Not quite. There is no direct guide that I could find, so I'm experimenting. Here's what my initial ldap directory looks like: http://paste.openstack.org/show/609702/	16:21
bkudryavtsev	The admin id (CN) is the one generated by bootstrap for sql initially	16:22
*** ducttape_ has quit IRC		16:24
*** ducttape_ has joined #openstack-keystone		16:25
*** tobberydberg has joined #openstack-keystone		16:27
*** belmoreira has quit IRC		16:30
*** tobberydberg has quit IRC		16:31
bkudryavtsev	It works, but id's need to be generated by hand. Doesn't seem to be right.	16:38
lbragstad	bkudryavtsev: when you say "by hand" do you mean manually in LDAP?	16:38
bkudryavtsev	Yes. I am generating the shasum and manually adding it to ldap	16:39
bkudryavtsev	Creating users through the openstack client does not work as well, but as I understand, that's how it should be with LDAP. Or am I wrong?	16:41
lbragstad	bkudryavtsev: got it - keystone doesn't support writing to ldap	16:41
lbragstad	for identity backends	16:41
lbragstad	that functionality was deprecated in mitaka	16:41
bkudryavtsev	Makes sense	16:41
lbragstad	https://docs.openstack.org/releasenotes/keystone/mitaka.html	16:41
bkudryavtsev	But if users are created manually in LDAP, how should ID's be generated?	16:42
lbragstad	bkudryavtsev: that's a good question - keystone doesn't have an opinion on that as far as I know	16:43
lbragstad	a safe assumption might be to use uuid4 since that's how we generate the ids when using sql backends	16:43
ayoung	we meet in an hour 15, right?	16:44
lbragstad	ayoung: yep	16:44
ayoung	TY	16:44
lbragstad	bkudryavtsev: otherwise something that ensures global uniqueness	16:44
*** piliman974 has joined #openstack-keystone		16:46
*** jdennis1 has joined #openstack-keystone		16:46
*** jdennis has quit IRC		16:47
*** jdennis1 has quit IRC		16:48
*** jdennis has joined #openstack-keystone		16:50
*** jdennis has quit IRC		16:51
*** jdennis has joined #openstack-keystone		16:52
*** pcaruana has quit IRC		16:53
*** rcernin has quit IRC		16:53
*** cmurphy has joined #openstack-keystone		16:54
lbragstad	morgan: o/	17:03
*** ducttap__ has joined #openstack-keystone		17:04
bkudryavtsev	Is there a specific reason that CN is the default attribute for uuid's? It seems much more convenient to use CN for names instead (and have SN or OU be the id)	17:05
*** ducttape_ has quit IRC		17:05
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Update sample configuration file for Pike https://review.openstack.org/465121	17:06
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Update sample configuration file for Pike https://review.openstack.org/465121	17:07
*** sjain has joined #openstack-keystone		17:11
*** ducttap__ has quit IRC		17:16
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystoneauth master: Allow setting EndpointReference in ADFSPassword https://review.openstack.org/463432	17:21
openstackgerrit	Kristi Nikolla proposed openstack/keystone master: Handle NotFound when listing role assignments for deleted users https://review.openstack.org/458954	17:21
*** tobberydberg has joined #openstack-keystone		17:28
samueldmq	knikolla: couple of comments on the tests, otherwise looks great! ^	17:28
*** tobberydberg has quit IRC		17:32
*** raildo has quit IRC		17:34
*** prashkre has joined #openstack-keystone		17:35
*** harlowja has joined #openstack-keystone		17:50
*** raildo has joined #openstack-keystone		17:52
lbragstad	morgan: did you happen to have an idea of what constitutes a highly-threaded server versus a low-threaded server in this comment? https://github.com/openstack/oslo.cache/blob/master/oslo_cache/_opts.py#L32-L45	17:53
*** tobberydberg has joined #openstack-keystone		17:56
*** edtubill has quit IRC		17:57
*** ducttape_ has joined #openstack-keystone		17:58
*** ducttap__ has joined #openstack-keystone		17:59
knikolla	samueldmq: thanks for the quick review. :)	17:59
*** henrynash has joined #openstack-keystone		18:00
*** tobberydberg has quit IRC		18:00
lbragstad	morgan: i'm specifically asking about https://bugs.launchpad.net/keystone/+bug/1690756	18:01
openstack	Launchpad bug 1690756 in oslo.cache "cache 'backend' argument description is ambiguous" [Undecided,New]	18:01
knikolla	lbragstad: meeting time?	18:01
*** mvk has quit IRC		18:01
*** ducttape_ has quit IRC		18:03
*** gyee has joined #openstack-keystone		18:06
*** openstackgerrit has quit IRC		18:17
*** henrynash has quit IRC		18:22
*** rmascena has joined #openstack-keystone		18:22
*** henrynash has joined #openstack-keystone		18:22
*** raildo has quit IRC		18:24
*** rmascena is now known as raildo		18:24
*** jose-phillips has quit IRC		18:27
*** jose-phillips has joined #openstack-keystone		18:27
*** henrynash has quit IRC		18:29
samueldmq	sjain: hi	18:39
*** spilla has quit IRC		18:39
asettle	lbragstad: yo I missed your pings :)	18:47
lbragstad	asettle: you going to be around in 15 minutes?	18:47
asettle	Uhhhh	18:48
asettle	In theory?	18:48
asettle	I'll be cooking dinner I hope :P	18:48
lbragstad	aha :)	18:48
lbragstad	asettle: couple questions on docs liaison things	18:48
asettle	lbragstad: shoot them my way and I'll answer intermittently? :D	18:48
lbragstad	asettle: we had a session at the forum about the future of the docs team, are we still going to need docs liaison?	18:49
lbragstad	asettle: we have a couple folks who are interested in helping out, but might not be able to commit to the entire role	18:55
*** openstackgerrit has joined #openstack-keystone		18:58
openstackgerrit	ayoung proposed openstack/keystone-specs master: Commit to RBAC in middleware in Pike release https://review.openstack.org/452198	18:58
*** hrybacki has joined #openstack-keystone		19:01
openstackgerrit	ayoung proposed openstack/keystone-specs master: Role Check on Body Key https://review.openstack.org/456974	19:01
edmondsw	ayoung there are things that are only readable by admin today... adding middleware is not going to change that	19:01
ayoung	edmondsw, yes it will, and I am going to make you walk me through it	19:02
asettle	lbragstad: A docs liaison would definitely be helpful :) just someone we can reach out to on an intermittent basis (you know, questions, concerns - a point of contact, really)	19:02
edmondsw	ayoung middleware can make things more restrictive... not less	19:02
ayoung	edmondsw, I know. But I am not saying "never shall an operator edit a policy file ever again"	19:02
ayoung	edmondsw, I am saying we can't have people edit a policy file to manage RBAC.	19:03
ayoung	What I can do is post a sample policy file that lets them, then, manage RBAC via this API for APIS that are too restrictive	19:03
*** aojea has joined #openstack-keystone		19:04
edmondsw	ayoung and if the admin role restriction is in code rather than policy?	19:04
ayoung	edmondsw, then file a bug and fix it.	19:04
lbragstad	asettle: cool - so hrybacki knikolla and cmurphy were all curious about the responsibilities	19:04
edmondsw	ayoung that's the kind of thing I'm trying to get fixed	19:05
ayoung	edmondsw, a lot of stupid has been done. Mostly because the tools required to fix it were not in place.	19:05
edmondsw	I'd give different reasons, but I agree that there's a lot of stupid	19:05
asettle	lbragstad (cc hrybacki knikolla and cmurphy ) - the responsibilities vary. We mostly just require that hte individual is able to be contacted for doc related questions. Occasionally this will mean verifying a patch for us on the docs gerrit page, helping us triage bugs related to keystone, and other random activities.	19:06
asettle	We do have a docs meeting, butw e're probably going to change that, so, hoepfully we'll have it at a better time slot for everyone	19:06
lbragstad	asettle: nice	19:07
hrybacki	asettle: is the next meeting this or next Thursday?	19:07
openstackgerrit	Kristi Nikolla proposed openstack/keystone master: Handle NotFound when listing role assignments for deleted users https://review.openstack.org/458954	19:07
asettle	hyakuhei: this thursday, 2100 UTC #openstack-meeting-alt	19:10
asettle	Normally hosted by me, unless I forget, and keep watching television as per last time :P	19:10
asettle	It's fortnightly :)	19:10
ayoung	edmondsw, I'm hearing a lot of "No because something else is broken." And I am saying "without a replacement we cannot fix what is broken." We don't need new spacs for the 968696 work, we need current patches to be reviewed, improved, and merged. We have a slew of people that are going to take on that work, and it is laid out in the agenda for the policy meeting tomorrow.	19:10
ayoung	But if the RBAC middleware stuff gets blocked, that is it. We are saying we can't fix it. We have people actively working on it.	19:12
ayoung	All I want is the guaranteee from keystone core that it is going to be accepted.	19:12
ayoung	The majority of the concerns I've heard have been covered by the default rules.	19:12
ayoung	Upgrades that add a new API will be covered by a default rule like this:	19:13
ayoung	VERB: * path: * role: Member	19:13
ayoung	And, unless they make a new API that should only be done by Admin, that will work just fine for the first rotation	19:13
ayoung	if the API should be Admin only, they continue to enforce that in policy for now	19:14
*** slberger has joined #openstack-keystone		19:14
ayoung	once we have a good sense of the actual library of APIs, we switch the default rule to	19:14
ayoung	VERB: * path: * role: admin	19:14
ayoung	and now all new APIs are opt-in by default	19:14
ayoung	something new comes up that should be member or lower, needs a new, explicit route	19:14
*** slberger has left #openstack-keystone		19:15
ayoung	lbragstad, ^^ is the upgrade story. I'm going to add that and more details to the spec	19:15
openstackgerrit	Kristi Nikolla proposed openstack/keystone master: Handle NotFound when listing role assignments for deleted users https://review.openstack.org/458954	19:16
knikolla	samueldmq: would appreciate another review :) ^^	19:16
*** harlowja has quit IRC		19:17
samueldmq	knikolla: reviewed	19:18
samueldmq	knikolla: let me know if that makes sense to you	19:18
knikolla	samueldmq: it does make sense. since i was debugging the test i know it's not empty, but i'll add a check anyway. thanks	19:18
samueldmq	knikolla: nice	19:20
*** prashkre has quit IRC		19:21
lbragstad	ayoung: that would probably work for most upgrade cases - but there is a disconnect with the defaults provided by the policy in code at the service	19:23
ayoung	lbragstad, I'm aware. But to date those are Admin only with few exceptions	19:23
ayoung	and, the exceptions I know of are actually non functional in the deploys I've seen, as they depend on roles that are not created	19:24
ayoung	advsvc	19:24
openstackgerrit	Kristi Nikolla proposed openstack/keystone master: Handle NotFound when listing role assignments for deleted users https://review.openstack.org/458954	19:30
knikolla	samueldmq: all done	19:30
lbragstad	ayoung: do we have a plan in place for mitigating that in the future?	19:31
openstackgerrit	Kristi Nikolla proposed openstack/keystone master: Handle NotFound when listing role assignments for deleted users https://review.openstack.org/458954	19:31
ayoung	lbragstad, yeah. Here is what I just put in the spec	19:31
ayoung	http://paste.openstack.org/show/609714/	19:32
ayoung	lbragstad, we should have a pretty good inventory of the APIs from the API docs today. Just assuming it won't be 100% out the door	19:33
ayoung	another alternative would be to not do a catch all, or do a catch all with a role that you never assign, and then find out what APIs you just can't call....	19:34
samueldmq	knikolla: thanks well done	19:34
knikolla	samueldmq: thanks	19:35
knikolla	easy fix	19:35
knikolla	i'm getting a lot of failures when i run the test locally on master	19:37
samueldmq	knikolla: ++ one bug less yay	19:37
knikolla	i predict a broken gate	19:37
knikolla	or wait, i hadn't pulled. will report back soon.	19:41
knikolla	all appears good. i didn't have the fixes for the oslo.config changes	19:43
*** sjain has quit IRC		19:50
openstackgerrit	Felipe Monteiro proposed openstack/keystone-specs master: Patrole (RBAC) Keystone Gating https://review.openstack.org/464678	19:59
*** slberger has joined #openstack-keystone		20:03
ayoung	knikolla, +2A. Not sticky if it fails CI, of course.	20:04
*** harlowja has joined #openstack-keystone		20:04
*** slberger has left #openstack-keystone		20:05
knikolla	ayoung: thanks.	20:05
openstackgerrit	ayoung proposed openstack/keystone-specs master: Commit to RBAC in middleware in Pike release https://review.openstack.org/452198	20:06
lbragstad	breton: edmondsw is https://bugs.launchpad.net/keystone/+bug/1684994 invalid now that https://bugs.launchpad.net/keystone/+bug/1687115 is opened?	20:07
openstack	Launchpad bug 1684994 in OpenStack Identity (keystone) "POST v3/auth/tokens API is returning unexpected 500 error when ldap credentials are incorrect" [Undecided,New]	20:07
openstack	Launchpad bug 1687115 in OpenStack Identity (keystone) "LDAPServerConnectionError gives out too much info" [Low,In progress] - Assigned to xuhaigang (rocky0722)	20:07
lbragstad	I wouldn't mind closing the first one, but i'm also not sure why we didn't just reuse the original bug report	20:08
edmondsw	lbragstad I think they're different, and the first one's fix would rely on the changes made under the second	20:08
edmondsw	but add to them	20:08
jose-phillips	hey someone	20:09
jose-phillips	can help me with something really quick	20:09
jose-phillips	im trying to connect to keystone	20:09
jose-phillips	externally	20:09
jose-phillips	but when i tried i got this error	20:09
jose-phillips	Unable to establish connection to http://10.1.20.2:35357/v2.0/projects:	20:09
jose-phillips	this ip address is wrong	20:10
jose-phillips	is the internal ip of the server	20:10
*** dave-mccowan has quit IRC		20:10
ayoung	jose-phillips, config options	20:10
knikolla	jose-phillips: is this devstack?	20:10
jose-phillips	no im running on my computer to a productive fuel openstack	20:10
jose-phillips	using python-keystoneclient	20:10
jose-phillips	with nova works great	20:10
*** markvoelker has joined #openstack-keystone		20:11
ayoung	jose-phillips, look at the keystone.conf file for the values public_endpoint and admin_endpoint	20:11
lbragstad	edmondsw: what's the fix for https://bugs.launchpad.net/keystone/+bug/1684994 then if https://bugs.launchpad.net/keystone/+bug/1687115 fixes subclassing?	20:11
openstack	Launchpad bug 1684994 in OpenStack Identity (keystone) "POST v3/auth/tokens API is returning unexpected 500 error when ldap credentials are incorrect" [Undecided,New]	20:11
openstack	Launchpad bug 1687115 in OpenStack Identity (keystone) "LDAPServerConnectionError gives out too much info" [Low,In progress] - Assigned to xuhaigang (rocky0722)	20:11
knikolla	jose-phillips: 10...* are private ip addresses	20:11
ayoung	if you are using discovery, those values might be messing you up. They should be explicitly unset (I think)	20:11
jose-phillips	oh	20:11
jose-phillips	i saw the values on ocnfig	20:11
jose-phillips	admin have the internal ip	20:12
jose-phillips	i should set public_endpoint?	20:12
ayoung	No	20:12
ayoung	do not explicitly set them	20:12
ayoung	and if they are set, unset them	20:12
edmondsw	lbragstad start raising LDAPServerConnectionError when LDAP credentials are invalid	20:12
jose-phillips	just admin endpoint is set	20:12
ayoung	config options there are used for the discovery page, and if set to the internal values, will mess up the clients	20:12
jose-phillips	exist a way to force on the keystoneclient connection	20:12
ayoung	jose-phillips, what is it set to? The internal value?	20:12
jose-phillips	i mean on python-keystone client	20:13
edmondsw	lbragstad, under 1687115, change LDAPServerConnectionError to use a more generic error message and HTTP 500 instead of 504	20:13
ayoung	look in keystone.conf	20:13
*** raildo has quit IRC		20:13
edmondsw	lbragstad then once it's more generic you're free to use it for other things like invalid credentials	20:13
openstackgerrit	Merged openstack/keystoneauth master: Allow setting EndpointReference in ADFSPassword https://review.openstack.org/463432	20:14
jose-phillips	o should set	20:15
jose-phillips	public_bind_host?	20:16
lbragstad	edmondsw: oh - like in valid LDAP credentials when a user authenticates?	20:16
edmondsw	lbragstad I'm not super invested in that... if we like returning 504 for the current case that raises that exception, we could just cleanup the corresponding error message and invalidate 1684994	20:16
edmondsw	lbragstad invalid LDAP credentials as in the credentials that are in keystone's conf that allow it to authenticate itself to the LDAP server	20:17
edmondsw	not the user's credentials	20:17
edmondsw	we opened this because I got a bug saying that when those LDAP credentials expire, the error that is returned to the user doesn't give them any clue as to what's wrong	20:17
edmondsw	I don't want it to says the LDAP credentials are invalid, which is giving away too much information to your end user	20:18
edmondsw	but I thought maybe it could give a more generic message	20:18
lbragstad	edmondsw: oh - sure	20:18
ayoung	jose-phillips, that is Deprecate. Set none of it	20:18
lbragstad	edmondsw: and when those expire anything that uses that connection will emit that error	20:18
edmondsw	yeah	20:18
lbragstad	got it	20:19
ayoung	jose-phillips, it might also be that the values are coming out of the service catalog, in which case, your installer put private values in there	20:19
ayoung	35357 is needed for admin ops, but the client gets the values from the service catalog.	20:19
edmondsw	lbragstad today it says "An unexpected error prevented the server from fulfilling your request", and it seemed like we could give a message with a little more detail than that without saying your configured creds are bad	20:20
edmondsw	lbragstad but at the end of the day, it's already an HTTP 500, which is the right code, and when a user sees that they should talk to the operator, and when they look at the logs the problem is pretty clear, so... improving the error message here is almost a nit	20:22
lbragstad	edmondsw: yeah - it seems the majority of that fix lies in https://bugs.launchpad.net/keystone/+bug/1687115	20:24
openstack	Launchpad bug 1687115 in OpenStack Identity (keystone) "LDAPServerConnectionError gives out too much info" [Low,In progress] - Assigned to xuhaigang (rocky0722)	20:24
lbragstad	which is fixing the actual security bits	20:24
*** nkinder has quit IRC		20:27
openstackgerrit	Merged openstack/keystone master: Role name is unique within the owning domain https://review.openstack.org/464290	20:29
openstackgerrit	Merged openstack/keystone master: Update sample configuration file for Pike https://review.openstack.org/465121	20:30
*** thorst has quit IRC		20:31
bkudryavtsev	Unrelated: when user_id_attribute is set to sn in keystone.conf, group users (members) are not listed upon `openstack user list --domain mydomain --group mygroup`. After digging through the code, it seems that group users are searched by dn only. Considering that my ldap directory is setup correctly (http://paste.openstack.org/show/609719/), could this be a bug? A plain `openstack user list` works OK and lists all the users.	20:32
edmondsw	lbragstad yeah, https://bugs.launchpad.net/keystone/+bug/1684994 would probably just be a one-line fix to start raising the exception in a new case, once the fix goes in for the other bug	20:33
openstack	Launchpad bug 1684994 in OpenStack Identity (keystone) "POST v3/auth/tokens API is returning unexpected 500 error when ldap credentials are incorrect" [Low,New]	20:33
lbragstad	edmondsw: ack	20:37
*** nkinder has joined #openstack-keystone		20:39
*** ducttap__ has quit IRC		20:50
*** thorst has joined #openstack-keystone		20:51
edmondsw	lbragstad did you mean to mark ocata fix released on https://bugs.launchpad.net/keystone/+bug/1662762 ?	20:54
openstack	Launchpad bug 1662762 in OpenStack Identity (keystone) ocata "Authentication for LDAP user fails at MFA rule check" [High,Fix committed] - Assigned to Matthew Edmonds (edmondsw)	20:54
edmondsw	you added the comment, but didn't mark it	20:54
*** thorst has quit IRC		20:55
*** thorst has joined #openstack-keystone		20:59
*** thorst has quit IRC		21:02
*** DavidPurcellATT has joined #openstack-keystone		21:05
lbragstad	edmondsw: no - i just wanted to leave the comment so that folks subscribed to the bug knew it was released	21:08
*** raildo has joined #openstack-keystone		21:08
edmondsw	lbragstad so why not mark it released at the top?	21:08
*** slberger has joined #openstack-keystone		21:08
*** slberger has left #openstack-keystone		21:09
lbragstad	edmondsw: I suppose I could do that - i was looking at the milestones	21:09
lbragstad	edmondsw: dione	21:09
lbragstad	done*	21:09
edmondsw	lbragstad cool... I was wondering if there was something I was missing	21:09
knikolla	this is probably why keystone-specs gate is failing http://lists.openstack.org/pipermail/openstack-dev/2017-May/116821.html	21:10
knikolla	the first bug linked is exactly the error by which keystone-specs fails	21:10
*** thorst has joined #openstack-keystone		21:11
knikolla	lbragstad: i see you posted in that bug already. guess i'm too slow, haha.	21:11
lbragstad	knikolla: yep - we have some patches up for the fix - https://review.openstack.org/#/q/topic:bug/1691224	21:12
knikolla	lbragstad: :) capping is not exactly a fix, but nevertheless it should unblock things	21:15
lbragstad	knikolla: true - i mis-typed	21:21
lbragstad	it should get us around the issue while a real fix is committed upstream	21:21
*** eandersson has joined #openstack-keystone		21:23
*** ducttape_ has joined #openstack-keystone		21:23
knikolla	ayoung: i saw a spec you had up 1 year and a half ago about token constraints. i received a similar proposal by one of our researchers who is doing a security study on openstack asking me for feedback. what was the reasoning behind dropping that spec?	21:26
knikolla	ayoung: I'm curious about your "I think we are headed this way by other means" comment.	21:26
*** mvk has joined #openstack-keystone		21:29
*** lamt has quit IRC		21:31
ayoung	knikolla, the RBAC spec is the primary one	21:31
*** rderose has quit IRC		21:32
ayoung	knikolla, there was a lot of pushback against using the service catalog as a way to say "this token is valid for this service"	21:32
ayoung	and so doing anything like that would require additional data, essentially duplicating the service catalog	21:32
ayoung	the RBAC stuff, plus the ability to request a token with a single role in it is the only thing that I could see actually making it through the review process, but obviously people here are too hard headed to even make progress on that.	21:33
ayoung	I'm really sick of it	21:33
*** raildo has quit IRC		21:35
knikolla	ayoung: i see. with enough role granularity, having a token with a single role is like having a token constrained to an operation. makes sense.	21:36
ayoung	knikolla, right	21:36
ayoung	knikolla, I think that we will eventually need better ways to specify sets of roles, so that "list roles" doesn't return everything in the system	21:37
ayoung	hence the 3 tiered approach from the talk	21:37
knikolla	ayoung: agree.	21:38
ayoung	I could see the domain specific roles as the org roles. Member and admin get broken into workflow roles. Specirfic operations get role names that match the current policy rules. So compute:create_server would become a role, but you only see it if you add the --operational flag	21:38
knikolla	ayoung: it makes much more sense to me than what we currently have, and i hope we get there.	21:40
ayoung	knikolla, we will. Tomorrow at the policy meeting I have on the agenda the set of tasks with names next to them	21:42
ayoung	my challenge to people will be "lead, follow, or get out of the way"	21:43
ayoung	We need to hit the 968696 stuff, and having people dedicated to that should make people a little more comfortable with taking following steps	21:43
*** thorst has quit IRC		21:51
*** aojea has quit IRC		21:55
*** blake has joined #openstack-keystone		21:56
*** henrynash has joined #openstack-keystone		21:59
*** edmondsw has quit IRC		21:59
*** edmondsw has joined #openstack-keystone		22:00
blake	jamielennox or samueldmq: Would either of you mind looking at this? https://bugs.launchpad.net/keystoneauth/+bug/1687314	22:03
openstack	Launchpad bug 1687314 in keystoneauth "ADFSPassword plugin not registered in entrypoints" [Undecided,In progress] - Assigned to Blake Covarrubias (blakegc)	22:03
blake	Final change to wrap up my ADFSPassword related changes	22:04
*** edmondsw has quit IRC		22:04
*** DavidPurcellATT has quit IRC		22:15
blake	samueldmq: Thank you!	22:15
*** henrynash has quit IRC		22:35
*** dave-mccowan has joined #openstack-keystone		22:36
rm_work	hey, does keystone support setting a "default region"?	22:38
rm_work	I've read some stuff that indicates to me that the concept of a default region exists, but I can't find proof of this, or how to get/set it	22:38
breton	rm_work: what's "default region"?	22:40
rm_work	I don't even know	22:40
rm_work	I mean like	22:40
rm_work	I guess if you asked the catalog for an endpoint, and didn't specify a region, would it just 400? or would it select one from a "default" region (maybe hardcoded in config?)	22:41
rm_work	like I found this: https://github.com/rackerlabs/mimic/issues/657 which is for some rackspace thing	22:42
rm_work	so is it only a Rackspace Identity concept?	22:42
rm_work	lbragstad: ^^	22:43
openstackgerrit	Merged openstack/keystone master: Handle NotFound when listing role assignments for deleted users https://review.openstack.org/458954	22:46
rm_work	also, is there a reason there isn't a way to "list roles for a user for ALL projects"?	22:47
rm_work	not seeing anything in docs	22:47
*** adriant has joined #openstack-keystone		22:56
*** piliman974 has quit IRC		23:10
*** blake has quit IRC		23:15
*** portdirect has joined #openstack-keystone		23:19
*** ducttape_ has quit IRC		23:29
*** jmccrory is now known as jmccrory_awaythi		23:30
*** jmccrory_awaythi is now known as jmccrory_away		23:30
openstackgerrit	Merged openstack/keystoneauth master: Add ADFSPassword to keystoneauth1 entry points https://review.openstack.org/463234	23:33
*** Aurelgadjo has quit IRC		23:36
*** piliman974 has joined #openstack-keystone		23:39
*** Aurelgadjo has joined #openstack-keystone		23:43
*** thorst has joined #openstack-keystone		23:51
*** thorst has quit IRC		23:56

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!