Tuesday, 2017-07-11

« Monday, 2017-07-10 Index Wednesday, 2017-07-12 »
*** masber has joined #openstack-keystone00:03
*** jessegler has quit IRC00:04
jamielennoxyea, i'd say deprecate it00:09
jamielennoxhowever there was general approval for a file backed catalog previously00:09
jamielennoxjust one that was more version independant00:09
jamielennoxspecifically because it's really easy to drop with ansible or somethgni00:10
eanderssonWould it be worth fixing the v3 support? or at least for older versions00:16
*** gongysh has quit IRC00:17
eanderssonI have a patch, but no way of saying if my patch will make it worse for other situations00:22
*** liujiong has joined #openstack-keystone00:24
*** aojea has joined #openstack-keystone00:32
*** aojea has quit IRC00:36
openstackgerritErik Olof Gunnar Andersson proposed openstack/keystone master: [WIP] Fixing multi-region support in templated v3 catalog  https://review.openstack.org/48236400:44
*** thorst has quit IRC00:45
*** edmondsw has joined #openstack-keystone00:49
*** edmondsw has quit IRC00:53
*** amyge has quit IRC01:05
eanderssonI am sure the above patch is far from fixing all the issues, but at the very least it behaves better with multi-regions now ^01:05
*** zzzeek_ has quit IRC01:09
*** zzzeek_ has joined #openstack-keystone01:11
*** thorst has joined #openstack-keystone01:28
*** zzzeek_ has quit IRC01:33
*** zzzeek_ has joined #openstack-keystone01:34
*** zzzeek_ has quit IRC01:36
*** Shunli has joined #openstack-keystone01:41
*** iurygregory has quit IRC01:43
*** iurygregory has joined #openstack-keystone01:46
*** zzzeek_ has joined #openstack-keystone01:47
openstackgerritwingwj proposed openstack/keystone master: [install] Clarify the paths of the rc files  https://review.openstack.org/48237301:55
morganmordred: ++02:01
morganmordred: i can spin up a deprecation patch soon02:01
morgani'll also look at a yaml alternative for folks who need it02:01
*** zhurong has joined #openstack-keystone02:03
*** phalmos_ has quit IRC02:23
*** aojea has joined #openstack-keystone02:32
*** aojea has quit IRC02:37
*** edmondsw has joined #openstack-keystone02:37
*** aselius has quit IRC02:38
*** edmondsw has quit IRC02:42
*** ducttape_ has joined #openstack-keystone02:46
*** iurygregory has quit IRC02:49
*** iurygregory has joined #openstack-keystone02:53
*** namnh has joined #openstack-keystone03:07
*** ducttape_ has quit IRC03:20
*** gyee has quit IRC03:23
*** thorst has joined #openstack-keystone03:29
*** thorst has quit IRC03:34
*** links has joined #openstack-keystone03:41
*** jmlowe has joined #openstack-keystone03:58
*** dave-mccowan has quit IRC04:00
*** wasmum has quit IRC04:14
*** edmondsw has joined #openstack-keystone04:25
*** wasmum has joined #openstack-keystone04:28
*** edmondsw has quit IRC04:30
*** jrist has quit IRC04:33
*** d0ugal has joined #openstack-keystone05:22
*** thorst has joined #openstack-keystone05:30
*** aojea has joined #openstack-keystone05:33
*** thorst has quit IRC05:34
*** Shunli has quit IRC05:39
*** Shunli has joined #openstack-keystone05:40
*** rcernin has joined #openstack-keystone05:41
*** d0ugal has quit IRC05:52
*** nicolasbock has joined #openstack-keystone05:55
*** pcaruana has joined #openstack-keystone06:04
*** aojea has quit IRC06:07
*** aojea has joined #openstack-keystone06:07
*** aojea has quit IRC06:12
*** aojea has joined #openstack-keystone06:12
*** edmondsw has joined #openstack-keystone06:14
openstackgerritMerged openstack/keystone master: Move caching docs into admin-guide  https://review.openstack.org/47767806:15
*** aojea has quit IRC06:16
*** edmondsw has quit IRC06:18
openstackgerritMerged openstack/keystone master: Fixing flushing tokens workflow  https://review.openstack.org/48028706:19
*** basilAB has quit IRC06:23
*** vaishali has quit IRC06:24
*** jmlowe has quit IRC06:25
*** basilAB has joined #openstack-keystone06:28
*** vaishali has joined #openstack-keystone06:29
*** zhurong has quit IRC06:40
*** zhurong has joined #openstack-keystone06:44
*** belmoreira has joined #openstack-keystone06:46
*** namnh has quit IRC06:52
*** tobberydberg has joined #openstack-keystone06:53
*** tobberyd_ has joined #openstack-keystone06:55
*** tobberydberg has quit IRC06:58
*** namnh has joined #openstack-keystone07:01
*** tesseract has joined #openstack-keystone07:02
*** aojea has joined #openstack-keystone07:15
*** zhurong has quit IRC07:30
*** thorst has joined #openstack-keystone07:31
*** openstackgerrit has quit IRC07:33
*** thorst has quit IRC07:36
*** toddnni has joined #openstack-keystone07:40
*** toddnni has quit IRC07:40
*** namnh has quit IRC07:45
*** toddnni has joined #openstack-keystone07:45
*** openstackgerrit has joined #openstack-keystone07:46
openstackgerritErik Olof Gunnar Andersson proposed openstack/keystone master: [WIP] Fixing multi-region support in templated v3 catalog  https://review.openstack.org/48236407:46
*** markvoelker_ has quit IRC07:47
*** rajalokan has joined #openstack-keystone07:55
openstackgerritSamriddhi proposed openstack/keystone master: Expanded the best practices subsection in devdocs  https://review.openstack.org/47654107:58
*** zzzeek has quit IRC08:00
*** zzzeek has joined #openstack-keystone08:00
*** namnh has joined #openstack-keystone08:01
*** openstackgerrit has quit IRC08:03
*** gengchc has joined #openstack-keystone08:11
*** gengchc has quit IRC08:11
*** mvk has quit IRC08:26
*** zhurong has joined #openstack-keystone08:27
*** mvk has joined #openstack-keystone08:55
odyssey4melbragstad I think that the rolling-upgrade job can be vastly more simply configured: https://review.openstack.org/48247409:18
*** openstackgerrit has joined #openstack-keystone09:26
openstackgerritTommyLike proposed openstack/oslo.policy master: Fix parsing bug when config file is empty.  https://review.openstack.org/48247709:26
*** zhurong has quit IRC09:27
*** Shunli has quit IRC09:29
openstackgerritTommyLike proposed openstack/oslo.policy master: Fix parsing bug when config file is empty  https://review.openstack.org/48247709:32
*** thorst has joined #openstack-keystone09:32
*** mvk has quit IRC09:37
*** links has quit IRC09:37
*** thorst has quit IRC09:37
*** links has joined #openstack-keystone09:39
*** links has quit IRC09:44
*** markvoelker has joined #openstack-keystone09:48
*** links has joined #openstack-keystone09:49
*** edmondsw has joined #openstack-keystone09:50
*** mvk has joined #openstack-keystone09:51
*** d0ugal has joined #openstack-keystone09:53
*** edmondsw has quit IRC09:54
*** d0ugal has quit IRC09:59
*** namnh has quit IRC10:08
*** links has quit IRC10:13
*** liujiong has quit IRC10:20
*** ducttape_ has joined #openstack-keystone10:22
*** markvoelker has quit IRC10:22
*** stingaci has joined #openstack-keystone10:26
*** ducttape_ has quit IRC10:26
samueldmqmorning10:29
*** thorst has joined #openstack-keystone10:50
*** stingaci has quit IRC10:54
*** dave-mccowan has joined #openstack-keystone11:09
*** markvoelker has joined #openstack-keystone11:20
knikollao/11:24
*** edmondsw has joined #openstack-keystone11:38
*** edmondsw has quit IRC11:42
*** links has joined #openstack-keystone11:46
*** markvoelker has quit IRC11:53
*** links has quit IRC11:59
*** raildo has joined #openstack-keystone12:16
*** markvoelker has joined #openstack-keystone12:19
*** rajalokan has quit IRC12:45
*** edmondsw has joined #openstack-keystone12:46
*** openstackgerrit has quit IRC12:47
*** spilla has joined #openstack-keystone12:59
*** rajalokan has joined #openstack-keystone13:13
lbragstado/13:15
bhagyashrissamueldmq, mordred, jamielennox: Hi, thanks for your opinion. Sorry I am not able to reply yesterday because i am working in IST time zone. Actually i am not fully clear about suggestion so can you please explain me little bit in detail?13:27
bhagyashrissamueldmq, mordred, jamielennox: Regarding the topic log request-id at INFO level in keystoneauth.13:31
*** openstackgerrit has joined #openstack-keystone13:35
openstackgerritMerged openstack/keystone master: Move upgrade documentation to admin-guide  https://review.openstack.org/48138113:35
*** bknudson has joined #openstack-keystone13:42
hrybackilbragstad: question regarding backports -- is it generally acceptable to backport via the cherrypick -> <stable branch> in gerrit web UI or do folks do it manually and then submit via gerrit-review?13:48
lbragstadhrybacki: i typically do it manually13:48
lbragstadsomething like:13:49
lbragstad$ git checkout stable/ocata~0; git review -x <change-id>13:50
hrybackiack. Thanks lbragstad. Adam's old work is now falling on my shoulders :)13:51
lbragstad:)13:51
*** d0ugal has joined #openstack-keystone13:54
*** dklyle has quit IRC13:55
*** david-lyle has joined #openstack-keystone13:55
*** ducttape_ has joined #openstack-keystone13:57
*** jistr is now known as jistr|call13:58
*** d0ugal has quit IRC14:00
mordredbhagyashris: no worries- the suggestion is to define a new named logger just for request-id logging14:01
*** ducttape_ has quit IRC14:01
mordredbhagyashris: so - currently logger is defined as: _logger = utils.get_logger(__name__)14:01
mordredbhagyashris: which defined a logger named "keystoneauth.session"14:01
mordredbhagyashris: an aditional one could be made like "_request_id_logger = utils.get_logger("keystoneauth.request-ids")14:02
mordredlogger names can be completely arbitrary14:02
mordredbhagyashris: then at the call side, use the request_id logger intead of the normal logger14:02
mordredbhagyashris: this way a person consuming the library can say that they want to see messages for keystoneauth1.request-ids at DEBUG level but everything else at info level14:03
mordredbhagyashris: (also, it's keystoneauth1.session and keystoneauth1.request-ids fwiw)14:03
mordredbhagyashris: it will need to be plumbed through in the request, _http_log_request and _http_log_response methods so that a person can pass in their own request_ids logger .. and also so that a person who is today passing in a single logger to the logger option will have that logger used for both logger and request_ids_logger14:05
mordred(since that would be backwards compatible)14:05
bhagyashrismordred: ok. now I got point and border view.14:11
bhagyashrismordred: Thanks for whole explanation. :)14:12
*** lwanderley has joined #openstack-keystone14:12
openstackgerritMonty Taylor proposed openstack/keystoneauth master: Use a specific logger for logging request ids  https://review.openstack.org/48257714:12
mordredbhagyashris: sure! there is a not-tested half-patch ^^14:12
mordredbhagyashris: but might be a good basis to start from - feel free to take that over and modify it or whatnot - I figured tossing up a few lines of code might be the clearest :)14:13
bhagyashrismordred: yeah, sure I will try my best and will check and will also ask  in case of any doubt. thanks. :)14:16
*** ducttape_ has joined #openstack-keystone14:17
*** zzzeek_ has quit IRC14:18
*** zzzeek_ has joined #openstack-keystone14:21
*** d0ugal has joined #openstack-keystone14:25
*** spzala has joined #openstack-keystone14:27
*** lwanderley has quit IRC14:27
*** gyee has joined #openstack-keystone14:27
*** d0ugal has quit IRC14:31
*** rcernin has quit IRC14:38
*** rcernin has joined #openstack-keystone14:40
*** openstackgerrit has quit IRC14:48
*** openstackgerrit has joined #openstack-keystone14:50
openstackgerritYaguang Tang proposed openstack/keystonemiddleware master: Remove PKI/PKIZ auth support and tests  https://review.openstack.org/48189514:50
*** jmlowe has joined #openstack-keystone14:56
hrybackilbragstad: are we still accepting backports to Newton? The timeline for stable branches accepting backports reads a bit loose and fast14:59
*** chandankumar has left #openstack-keystone15:00
*** phalmos has joined #openstack-keystone15:05
*** dklyle has joined #openstack-keystone15:11
*** david-lyle has quit IRC15:11
*** zzzeek_ has quit IRC15:12
*** dklyle is now known as david-lyle15:15
*** aselius_ has joined #openstack-keystone15:15
openstackgerritOmar Tleimat proposed openstack/keystone master: WIP: Add project tags  https://review.openstack.org/47031715:16
*** rcernin has quit IRC15:18
*** jistr|call is now known as jistr15:22
*** rajalokan has quit IRC15:26
*** catintheroof has joined #openstack-keystone15:28
*** rderose has joined #openstack-keystone15:29
*** zzzeek_ has joined #openstack-keystone15:30
*** tobberydberg has joined #openstack-keystone15:35
*** tobberyd_ has quit IRC15:38
*** belmoreira has quit IRC15:38
raildolbragstad, backports for ocata and newton for the flushing tokens: https://review.openstack.org/#/c/482606/ https://review.openstack.org/#/c/482601/15:39
*** tobberydberg has quit IRC15:39
lbragstadraildo: nice - thank you15:40
lbragstadraildo: looks like the original patch for stable/newton will have to be rebased once https://review.openstack.org/#/c/482606/1 merges?15:40
raildolbragstad, hum, I'm not sure, since there are in different branches...15:48
*** tobberydberg has joined #openstack-keystone15:56
*** jmlowe has quit IRC15:57
*** tobberydberg has quit IRC16:00
*** jmlowe has joined #openstack-keystone16:00
*** aojea has quit IRC16:03
*** sjain has joined #openstack-keystone16:10
*** edmondsw has quit IRC16:17
*** edmondsw_ has joined #openstack-keystone16:19
*** lwanderley has joined #openstack-keystone16:20
*** jmlowe has quit IRC16:22
*** phalmos has quit IRC16:23
*** edmondsw_ has quit IRC16:23
*** spzala has quit IRC16:37
*** spilla has quit IRC16:43
*** toddnni has quit IRC16:43
morganwould someone be kind enough to re-spin this and fix comments:https://review.openstack.org/#/c/477566/4 (mordred) I'd like to get this landed so we can release KSA with lots of discovery goodness16:46
openstackgerritEric Fried proposed openstack/keystoneauth master: Miscellaneous cleanup in discover.py  https://review.openstack.org/48227116:47
*** sjain_ has joined #openstack-keystone16:54
*** sjain has quit IRC16:57
*** spzala has joined #openstack-keystone17:02
*** spzala has quit IRC17:03
*** spzala has joined #openstack-keystone17:03
*** lwanderley has quit IRC17:07
*** lwanderley has joined #openstack-keystone17:07
*** lwanderley has quit IRC17:14
openstackgerritNicolas Helgeson proposed openstack/keystone master: WIP: Add project tags  https://review.openstack.org/47031717:19
*** lwanderley has joined #openstack-keystone17:22
*** feefifofum has joined #openstack-keystone17:23
feefifofumhi17:24
feefifofumis there a set of default roles that are created for domains?17:24
*** sjain_ has quit IRC17:31
*** edmondsw has joined #openstack-keystone17:35
openstackgerritErik Olof Gunnar Andersson proposed openstack/keystone master: Fixing multi-region support in templated v3 catalog  https://review.openstack.org/48236417:37
openstackgerritErik Olof Gunnar Andersson proposed openstack/keystone master: Fixing multi-region support in templated v3 catalog  https://review.openstack.org/48236417:38
lbragstadfeefifofum: unfortunately no17:39
lbragstadfeefifofum: that's certainly something we'd like to work towards though17:40
*** lwanderley has quit IRC17:41
*** leticiawanderley has joined #openstack-keystone17:41
*** leticiawanderley is now known as lwanderley17:41
feefifofumlbragstad: darn.. ok17:42
*** toddnni has joined #openstack-keystone17:44
*** aojea has joined #openstack-keystone17:44
*** zzzeek_ has quit IRC17:46
openstackgerritMerged openstack/keystoneauth master: Nix EndpointData.get_versioned_data(authenticated)  https://review.openstack.org/48226017:47
openstackgerritNicolas Helgeson proposed openstack/keystone master: WIP: Add project tags  https://review.openstack.org/47031717:48
*** zzzeek_ has joined #openstack-keystone17:49
*** aojea has quit IRC17:49
*** spilla_ has joined #openstack-keystone17:53
*** sjain has joined #openstack-keystone17:57
lbragstadreminder that the keystone meeting is about to start in #openstack-meeting17:58
*** sjain_ has joined #openstack-keystone18:00
*** sjain_ has quit IRC18:00
*** tobberydberg has joined #openstack-keystone18:04
*** ducttape_ has quit IRC18:12
*** ducttape_ has joined #openstack-keystone18:13
*** spzala has quit IRC18:14
*** spzala has joined #openstack-keystone18:16
*** ducttape_ has quit IRC18:17
*** sjain__ has joined #openstack-keystone18:18
*** sjain has quit IRC18:20
*** spzala has quit IRC18:21
*** edmondsw_ has joined #openstack-keystone18:23
*** ducttape_ has joined #openstack-keystone18:23
*** spzala has joined #openstack-keystone18:24
*** tesseract has quit IRC18:25
*** edmondsw has quit IRC18:25
*** spzala_ has joined #openstack-keystone18:26
*** spzala has quit IRC18:27
*** ducttape_ has quit IRC18:27
*** ducttape_ has joined #openstack-keystone18:32
*** switch_aesch has joined #openstack-keystone18:36
*** switch_aesch has quit IRC18:37
*** aojea has joined #openstack-keystone18:45
*** dtroyer has quit IRC18:47
*** dtroyer has joined #openstack-keystone18:49
*** nicolasbock has quit IRC18:50
gagehugobrb, then can do office hours18:57
lbragstad#startmeeting office-hours19:00
openstackMeeting started Tue Jul 11 19:00:06 2017 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.19:00
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.19:00
openstackThe meeting name has been set to 'office_hours'19:00
morgano/19:00
lbragstado/19:01
morganok everyone, office hours! turn on the music, order pizza, party time :P19:01
*** tobberydberg has quit IRC19:02
*** tobberydberg has joined #openstack-keystone19:02
*** aojea has quit IRC19:04
*** tobberydberg has quit IRC19:06
*** tobberydberg has joined #openstack-keystone19:06
*** spzala_ has quit IRC19:06
*** sjain__ has quit IRC19:07
*** tobberydberg has quit IRC19:10
*** mvk has quit IRC19:11
openstackgerritMatthew Edmonds proposed openstack/keystone master: fix assert_admin  https://review.openstack.org/48235919:13
openstackgerritEric Fried proposed openstack/keystoneauth master: Make Discover.version_data accept null max_version  https://review.openstack.org/48225019:14
lbragstadmorgan: i agree!19:15
eanderssonlbragstad, https://bugs.launchpad.net/keystone/+bug/170366619:18
openstackLaunchpad bug 1703666 in OpenStack Identity (keystone) "Templated catalog does not handle multi-regions properly" [Undecided,New]19:18
eanderssonI failed a bit at the markup :D19:18
*** tobberydberg has joined #openstack-keystone19:18
eanderssonWish you could preview before you posted a bug19:19
morgango ahead and edit it :)19:19
lbragstadeandersson: you should be able to edit the description19:19
eanderssonOh lol19:20
eanderssonIs there markup for code?19:21
lbragstadeandersson: unfortunately no19:21
*** rajalokan has joined #openstack-keystone19:23
*** rajalokan has quit IRC19:23
*** ducttape_ has quit IRC19:23
*** ducttape_ has joined #openstack-keystone19:23
gagehugoo/19:25
gagehugoI was looking at https://bugs.launchpad.net/keystone/+bug/1702211 yesterday, it's an odd bug19:25
openstackLaunchpad bug 1702211 in OpenStack Identity (keystone) "test_password_history_not_enforced_in_admin_reset failed in tempest test" [Undecided,Confirmed]19:25
openstackgerritMerged openstack/keystoneauth master: Fix _run_discovery caching  https://review.openstack.org/48175419:27
cmurphycatching up on meeting logs19:29
openstackgerritErik Olof Gunnar Andersson proposed openstack/keystone master: Fixing multi-region support in templated v3 catalog  https://review.openstack.org/48236419:29
cmurphysamueldmq: lbragstad the sample dsta script was useful for having data to work with without having to set up a devstac19:29
cmurphybut i don't feel strongly about getting rid of it19:30
cmurphyi always devstack now19:30
lbragstadgagehugo: interesting - was that a timing issue?19:31
lbragstadcmurphy: yeah - i'm in the same boat for the most part :-/19:31
*** aojea has joined #openstack-keystone19:31
gagehugolbragstad, no idea. either that or maybe some weird race condition19:32
gagehugofrom the frequency log that mriedem posted it looks like it started failing on 07/0119:32
openstackgerritLance Bragstad proposed openstack/keystone master: WIP: Implement global role assignments  https://review.openstack.org/48178119:34
*** aojea has quit IRC19:39
*** tobberydberg has quit IRC19:44
*** tobberydberg has joined #openstack-keystone19:44
*** tobberydberg has quit IRC19:46
*** tobberydberg has joined #openstack-keystone19:46
openstackgerritMatthew Edmonds proposed openstack/keystone master: don't validate trust in policy  https://review.openstack.org/48219019:47
*** lwanderley has quit IRC19:48
lbragstadhere's a patch that closes a bug https://review.openstack.org/#/c/470425/1619:51
* cmurphy is home and ready to officehours19:54
lbragstad\o/19:54
cmurphylbragstad: did you see my comments on that one?19:54
cmurphyit doesn't fix the bug19:54
lbragstadcmurphy: https://review.openstack.org/#/c/470425/16 ?19:54
cmurphylbragstad: ya19:55
lbragstadcmurphy: checking19:55
bknudsonwhy is it only the token header gets trimmed? seems like all headers should get the same treatment19:56
bknudsonalso, you'd expect the web server would handle fixing up the request.19:57
cmurphyi have no idea19:58
*** aojea has joined #openstack-keystone19:58
cmurphyi could be totally wrong, maybe edmondsw_ could test it to see if it actually solves his problem19:59
edmondsw_cmurphy I'll try to do that20:00
*** lwanderley has joined #openstack-keystone20:00
edmondsw_I've got 4 policy-related bug fixes out for review if anyone wants me to give pointers to them20:01
lbragstadbknudson: yeah - that's a good point20:03
lbragstadedmondsw_: i just started reviewing https://review.openstack.org/#/c/482142/20:03
edmondsw_lbragstad tx. The really bad one is https://review.openstack.org/48235920:05
*** edmondsw_ is now known as edmondsw20:07
*** lwanderley has quit IRC20:08
openstackgerritMatthew Edmonds proposed openstack/keystone master: remove default rule  https://review.openstack.org/48216420:11
morganlbragstad: i'm going to propose a deprecation of the template catalog and (hopefully) a YAML-based one to replace that is actually tested...20:11
morganlbragstad: that is based upon convos yesterday20:11
lbragstadmorgan: it sounds like eandersson is using the templated catalog20:12
morganright, hence the yaml replacement20:13
lbragstadmorgan: so what exactly would we be deprecating?20:14
morganthe current templated one20:14
morganthere would be a new one, that is named something else20:14
lbragstadwhat format is that in?20:14
lbragstader - does it have a format?20:14
morganthe current one is basically write out a json doc and we replace some stuff in it20:14
morganit's not formatted really.20:14
lbragstadah20:14
morganit is terrible20:15
lbragstadthat makes sense20:15
bknudsonI think we still need to support replacement since swift puts the project in the URL?20:16
morganthat is the plan20:16
lbragstadmorgan: since eandersson is currently relying on it - i want to make sure that coordination happens20:16
morganjust going to make the input enforced.20:16
morganexpect regions, etc all in a yaml format that would be similar to the current in-db model20:17
*** rderose has quit IRC20:17
lbragstadmorgan: does eandersson on board with the deprecation of the existing templated catalog?20:20
morgandunno20:20
lbragstads/does/is/20:20
morganhe was part of the convo esterday20:20
morganit will be much better with something that is actually using the same mechanisms as the DB to render20:21
morganthe current templated catalog is ... frightening.20:21
lbragstadthere is also https://github.com/openstack/keystone/blob/0731dab01a5d2da9650b67ebe8b91e825795c0ba/keystone/catalog/backends/templated.py#L244-L29720:22
morganthose will mostly be the same20:22
morganthis is a FS based catalog20:22
morganno writes allowed, CMS is there to do that job20:22
lbragstadthat makes sense20:23
morgani mean... we *could* support writes... but lets not do that silly thing20:23
eanderssonyes - for sure we should deprecate it20:29
eanderssonand if needed replace it with a better alternative20:30
*** feefifofum has quit IRC20:30
eanderssonlbragstad, can't we just remove those overrides, as they are already implemented in the base class?20:30
eanderssone.g. https://github.com/openstack/keystone/blob/0731dab01a5d2da9650b67ebe8b91e825795c0ba/keystone/catalog/backends/base.py#L37820:31
lbragstadeandersson: i don't see a problem with that20:32
lbragstadwe take that approach elsewhere in keystone20:32
morganyou can't remove with them being abstract20:32
morganyou must redefine abstract methods on the subclass20:32
edmondswlbragstad cmurphy was right, https://review.openstack.org/#/c/470425/16 doesn't fix the bug20:32
morganedmondsw: that code looked suspect20:32
openstackgerritEric Fried proposed openstack/keystoneauth master: Update docs and add a release note  https://review.openstack.org/47756620:33
eanderssonlbragstad, Yea I agree, but not all of them are implemented at the moment20:33
eandersson(sorry defined, obviously not implemented)20:33
morganbasically... don't send the /r /n etc in headers... you will be sad20:33
cmurphyya...found a few sources saying just don't do that20:33
morgancmurphy: ++20:33
edmondswmorgan yeah, but when a customer does that...20:33
morganedmondsw: you point them at the docs in curl saying "yeah don't"20:34
lbragstadedmondsw: removed my +1 accordingly20:34
edmondswmorgan it was odd that neutron worked fine and keystone didn't20:34
morganedmondsw: apache makes a difference20:34
gagehugois it a bug then?20:34
morganunlikely20:34
*** thorst has quit IRC20:35
edmondswmorgan :) sure but it was a really hard to pin down issue... wasn't obvious they had the /r in the header unless you're an awk god20:35
morganheh20:35
*** ducttape_ has quit IRC20:36
edmondswmorgan I don't think it's an apache thing, actually... the neutron curl command was targeted at an apache reverse proxy20:37
morganah20:37
lbragstadeandersson: are you using the templated catalog backend?20:37
lbragstads/are/aren't/20:37
cmurphyedmondsw: morgan my test reproduced it with just uwsgi20:37
morganah20:38
morgan*shrug*20:38
edmondswcmurphy yeah, I'm not sure why the author of this test isn't just reproducing the problem and then testing their fix against it until it actually fixes it20:38
edmondsws/test/fix/20:38
eanderssonI am yes20:38
cmurphyedmondsw: yeah :/20:38
lbragstadeandersson: i'm just wondering why you wouldn't be opposed to deprecating and removing it then20:39
lbragstadunless i'm missing something obvious20:39
eanderssonI'll rather move over to sql20:40
eanderssonand we are not going to pike anytime soon20:40
eanderssonSo we would have to stick with the semi-functional templated implementation for too long20:40
gagehugomorgan cmurphy edmondsw: I'll ping kaerie about it20:41
edmondswgagehugo tx20:41
eanderssonMoving to a yaml based variant would be an alternative, but we couldn't really go there unless we backported that to Mitaka, or maybe Newton/Ocata.20:41
gagehugoI can mess around with it too after I take a look at this random failing tempest test20:42
morganeandersson: right, but you might be able to backport the code yourself.20:42
morganfor your install20:42
morganuntil you move to pike20:42
eanderssonYep - that is for sure an alternative20:43
*** ducttape_ has joined #openstack-keystone20:46
eanderssonIt just makes more sense for us to go move to the production ready alternative.20:46
lbragstadeandersson: morgan so - let's recap the options for the templated catalog backend20:47
lbragstad1.) formally deprecate it for removal20:47
lbragstad2.) support it in a well known format (like yaml)20:47
morganyep20:49
*** zzzeek_ has quit IRC20:49
lbragstadis that it?20:49
lbragstadi guess there would be a 3rd option20:50
lbragstad3.) perform option 1, deprecating all existing templated catalog stuff and start fresh with option 2 introducing a new backend for YAML officially20:51
lbragstadso - maybe option 3 is actually option 2 just spelled out20:51
eanderssonNr 3 is what I would recommend as well20:52
*** spilla_ has quit IRC20:56
*** tobberydberg has quit IRC20:57
morganoption 3 was what i was planning20:57
lbragstadi certainly wouldn't be opposed to #3 if someone is willing to do the work20:57
*** tobberydberg has joined #openstack-keystone20:57
morganit isn't a ton of work20:58
morgani have to grab my laptop, ... anyway20:58
lbragstadit sounds like we're in agreement that deprecation of the existing templated catalog is in order20:59
*** tobberydberg has quit IRC21:01
eanderssonhaving fun writing tests for the multi-region patch21:04
*** catintheroof has quit IRC21:04
*** jmlowe has joined #openstack-keystone21:05
eanderssonnot sure how to handle attributes21:05
eandersson> v3_catalog[service_type][attr] = value21:06
eanderssonguessing the endpoint should have the id?21:07
lbragstadit should be consistent with what the sql implementation does with the exception of write operations21:08
lbragstadedmondsw: i'm missing the bit here at line 202 - https://review.openstack.org/#/c/482359/2/keystone/common/authorization.py21:08
lbragstadedmondsw: the patch ends up doing the same thing as before, right?21:09
lbragstadthe action ends up being `identity:<operation>` right?21:09
edmondswlbragstad if you call check_protection, yes... but if you call assert_admin, no21:10
edmondswlbragstad the places that use check_protection expect that to be added... the places that call assert_admin don't21:10
*** zzzeek_ has joined #openstack-keystone21:11
lbragstadoh - line 13021:11
edmondswyep, 12921:11
edmondswoh, right, 130 on the new file21:11
lbragstadedmondsw: how'd you stumble across this?21:15
lbragstadedmondsw: testing a custom policy?21:15
edmondswlbragstad digging into why tests failed for https://review.openstack.org/#/c/482164/21:16
*** raildo has quit IRC21:16
edmondswwhich I had proposed after digging into and proposing https://review.openstack.org/48214221:17
edmondswwhich was a result of reviewing our customized policy changes for pike and noticing that didn't look right21:17
edmondswhttps://review.openstack.org/482190 also came out of that as well21:18
edmondswlbragstad so it was quite a chain of events21:18
edmondswI'm quite happy to be fixing a 4 year old defect with that last one...21:18
lbragstadso - correct me if i'm wrong21:19
lbragstadbut https://review.openstack.org/#/c/482359/2 will be tested by default once https://review.openstack.org/#/c/482164/2 merges?21:20
edmondswlbragstad yes... once there's no default rule, that can't hide issues like this21:22
lbragstadbecause identity:admin_required didn't exist and was getting caught by the default - which ended up having the same result21:22
edmondswlbragstad exactly21:23
lbragstadhmmm tricky21:23
*** pcaruana has quit IRC21:23
edmondswyep21:23
edmondswI think we may also need to merge https://review.openstack.org/482142 before the default rule is removed21:23
edmondsws/may //21:23
edmondswbut I can't base https://review.openstack.org/482164 on multiple changes21:24
lbragstadedmondsw: yeah - that one looks good21:24
eanderssonSo there is a second bug with templated - the endpoint id is used as the id for the service21:24
eanderssonwhich is an expected bug21:24
lbragstadedmondsw: since a policy is changing, a release note would make sense i think, would you agree?21:24
edmondswlbragstad I'm adding a rel note21:24
edmondswlbragstad do you think it should be a security or fixes note?21:25
lbragstadwell - the default is still in place and that's true for all previous releases, right?21:25
openstackgerritMonty Taylor proposed openstack/keystoneauth master: Add paragraph clarifying major and micro versions  https://review.openstack.org/48271021:26
lbragstadedmondsw: can you walk me through the case where it *should* be considered a security issue?21:26
*** aojea has quit IRC21:26
edmondswlbragston see breton's comments in the bug21:27
edmondswlbragstad ^21:27
edmondswnot sure what my fingers were doing there :)21:27
lbragstadoh - so it would be considered a security issue if the deployer relaxed the default21:28
lbragstadbut didn't realize they were also relaxing get_identity_providers21:29
lbragstadhmm21:29
*** aojea has joined #openstack-keystone21:33
*** aojea has quit IRC21:33
edmondswlbragstad yeah... I'm inclined to put it in the security section of the rel notes, but not backport anything21:34
edmondswlbragstad I should probably also add a rel note to the change removing the default rule21:35
lbragstadso - policy in code has only been effective for pike21:35
*** aojea has joined #openstack-keystone21:35
edmondswlbragstad yes, but the typo for identity:get_identity_providers goes back to the default policy.json file we shipped in past releases21:35
lbragstadso - if someone wanted to "backport" the fix it would consist of correcting their policy operation21:35
*** thorst has joined #openstack-keystone21:35
morganlbragstad: deprecation patch about to be posted (catalog)21:36
edmondswlbragstad right, the backport would be to update the default policy.json file and/or to change the code to look for the typo version... neither of which I like21:36
morgani should have a yaml-loading catalog in a couple hours as well.21:36
lbragstadmorgan: awesome - thank you21:36
lbragstadcc eandersson ^21:36
edmondswtaht's really an or, not an and/or21:36
lbragstadedmondsw: so the options are21:36
lbragstad1.) backport the default that corrects the type21:37
lbragstadtypo*21:37
lbragstad2.) correct the code to look for get_identity_providers (which breaks conventions)21:37
lbragstadi agree in that option 2 seems like the wrong approach21:37
lbragstadbut what's wrong with option 1?21:37
eanderssonYou'll probably have that done before I get working unit tests working for this lol21:38
edmondswlbragstad I don't know that #1 really helps anyone21:38
edmondswlbragstad if you've already customized policy, you're not going to take a new default policy.json file and apply it21:38
lbragstadis there a negative side-effect outside of that?21:38
edmondswif you're not customizing policy, then things are already working ok21:38
lbragstadwhat about consuming a new release note proposed to stable/ocata and stable/newton?21:39
edmondswlbragstad probably not...21:39
edmondswlbragstad we could certainly propose patches to the stable releases that a) updates the policy.json to fix the typo and b) adds a rel note warning about the issue21:40
lbragstadedmondsw: that would at least flag things to deployers that read release notes21:40
openstackgerritMorgan Fainberg proposed openstack/keystone master: Deprecate the templated catalog  https://review.openstack.org/48271421:40
edmondswlbragstad that read release notes long after the release :)21:40
lbragstadhow they apply that change is obviously up to them - but at least they'd know21:40
morganlbragstad: ^ very simple patch.21:40
lbragstadedmondsw: true - it's more or less only for following procedure ;)21:41
openstackgerritMatthew Edmonds proposed openstack/keystone master: fix identity:get_identity_providers typo  https://review.openstack.org/48214221:41
edmondswlbragstad I'm fine with it21:41
*** ducttape_ has quit IRC21:41
lbragstadedmondsw: ok - i'll update the bug report then21:41
edmondswlbragstad ^ that adds a rel note21:41
*** thorst has quit IRC21:42
eanderssonWriting tests for this is going to require a lot more fixes than what I did :p21:46
eanderssonsince this is being back-ported from the v2 catalog, IDs are not at all implemented properly21:47
openstackgerritMatthew Edmonds proposed openstack/keystone master: remove default rule  https://review.openstack.org/48216421:48
lbragstadedmondsw: looks good - one minor nit inline21:49
lbragstads/inline/in the release note/21:50
eanderssondo we even care about ids for this? they are not in the example config https://github.com/openstack/keystone/blob/master/etc/default_catalog.templates21:51
lbragstadeandersson: i would imagine that would get rewritten to yaml - based on morgan's work21:51
edmondswlbragstad fixed21:52
eanderssonsure - but do we want to backport the yaml work as well?21:52
openstackgerritMatthew Edmonds proposed openstack/keystone master: fix identity:get_identity_providers typo  https://review.openstack.org/48214221:52
eanderssonor do we want to fix the current implementation pre-pike?21:52
openstackgerritMerged openstack/keystoneauth master: Make Discover.version_data accept null max_version  https://review.openstack.org/48225021:52
lbragstadeandersson: we won't be able to fix stable/ocata without landing something in pike first21:57
*** jmlowe has quit IRC21:57
lbragstadbut i doubt we'd backport fixes for the templated catalog to ocata anyway21:57
eanderssonYep - so do we want to just skip my patch and go straight to yaml?21:57
*** ducttape_ has joined #openstack-keystone21:58
lbragstadeandersson: yeah - that would seem reasonable21:58
eanderssonIt's just weird to have a feature so broken :D21:58
lbragstadeandersson: yeah - the templated stuff is a mess21:58
eanderssonCould we maybe update our documentation for newton/ocata?21:58
lbragstadeandersson: saying what exactly?21:59
eanderssonDon't try to use with multiple regions!21:59
openstackgerritGage Hugo proposed openstack/keystone master: WIP - Trims whitespace from request headers  https://review.openstack.org/47042521:59
eanderssonor not intended for production :D21:59
eanderssonbasically just slap a warning lable on it21:59
*** jmlowe has joined #openstack-keystone22:01
openstackgerritEric Fried proposed openstack/keystoneauth master: Update docs and add a release note  https://review.openstack.org/47756622:03
openstackgerritMerged openstack/keystoneauth master: Expand some discover.py docstrings  https://review.openstack.org/48220722:03
lbragstadeandersson: we document a few of the warts with it already https://docs.openstack.org/keystone/latest/configuration.html#service-catalog22:04
lbragstad#endmeeting22:04
openstackMeeting ended Tue Jul 11 22:04:40 2017 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)22:04
openstackMinutes:        http://eavesdrop.openstack.org/meetings/office_hours/2017/office_hours.2017-07-11-19.00.html22:04
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/office_hours/2017/office_hours.2017-07-11-19.00.txt22:04
openstackLog:            http://eavesdrop.openstack.org/meetings/office_hours/2017/office_hours.2017-07-11-19.00.log.html22:04
openstackgerritMonty Taylor proposed openstack/keystoneauth master: Add paragraph clarifying major and micro versions  https://review.openstack.org/48271022:05
lbragstadthanks for coming to office hours - i'll be sending a recap tonight22:08
lbragstadstepping away for a bit22:08
*** jmlowe has quit IRC22:09
*** aojea has quit IRC22:12
*** dave-mccowan has quit IRC22:14
openstackgerritColleen Murphy proposed openstack/keystoneauth master: Add paragraph clarifying major and micro versions  https://review.openstack.org/48271022:16
*** markvoelker has quit IRC22:16
*** markvoelker has joined #openstack-keystone22:17
openstackgerritMerged openstack/keystoneauth master: normalize_version_number([1]) => (1, 0) and docs  https://review.openstack.org/48130922:20
*** edmondsw has quit IRC22:26
*** bknudson has quit IRC22:28
morganlbragstad, eandersson: see this as an example yaml config22:33
morganhttps://www.irccloud.com/pastebin/oqFD3CG0/22:33
morganmordred: ^ cc22:33
morganthe in-memory data structure looks like:22:34
morganhttps://www.irccloud.com/pastebin/eu1cyeK2/22:34
lbragstadaha - nice22:34
morganhmm. something is wonky there22:37
morgananyway, something like that22:37
mordredmorgan: neat!22:40
morganthe yaml is a bit off, working it out22:40
mordredmorgan, cmurphy: btw- efried found another thing that we need to fix beore release22:40
morganbut it's close22:40
mordredwith ksa22:40
* mordred is working on patch now22:41
mordredit's almost like reviewing the docs pointed out places where there was a problem :)22:41
morganoh hah. re-serializing it did the back-refs weirdly22:42
morganthat explains it22:42
*** brad[] has quit IRC22:46
*** brad[] has joined #openstack-keystone22:49
morganmordred:  ok here we go22:50
morganhttps://www.irccloud.com/pastebin/CHcq8KLI/22:50
morganThat is the expected input yaml22:50
morganor so22:50
morgannot sure if i like that or if I would prefer to not do the back-ref stuff22:51
mordredmorgan: wow - fun22:52
mordredmorgan: I mean- the back-refs are 0_o - otoh - they totally work22:52
morganyeah22:53
morganif we support the backrefs a non-backref version would be really explicit22:53
morganif we just verify region in "regions"22:53
morganfor endpoints, its simpler to read22:53
morganthoughts?22:55
*** ducttape_ has quit IRC22:55
* mordred staring22:55
morganif we do something without backrefs (meaning no full data struct) it would be like:22:56
mordredmorgan: I think the backrefs are easy enough to copy-pasta for folks - I think most folks dont' actually understand yaml backreferences - but it's easy enough to read for the endpoint section22:57
morganhttps://www.irccloud.com/pastebin/C5EpG4Tz/22:57
morgan^ that is no back-refs.22:57
mordredmorgan: that's also pretty readable - assuming region is validated22:57
morganand a version of the original one without backrefs, (aka expanded)22:57
morganhttps://www.irccloud.com/pastebin/P7oLSZoi/22:58
morganif we support backrefs, this last one is the non-backref expanded version22:58
morganwe could just validate region/service22:58
morganin the no-backref-supported version22:58
* morgan leans towards not supporting backrefs22:59
mordredyah. I think it's less for people to mess up23:00
morganok. i'll go with that but i'm going to supply examples that are more json-y23:00
openstackgerritGage Hugo proposed openstack/keystone master: Trim invalid characters from token authentication  https://review.openstack.org/47042523:31
openstackgerritGage Hugo proposed openstack/keystone master: Trim invalid characters from token authentication  https://review.openstack.org/47042523:33
*** d0ugal has joined #openstack-keystone23:36
*** thorst has joined #openstack-keystone23:47
« Monday, 2017-07-10 Index Wednesday, 2017-07-12 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!