Friday, 2017-08-04

openstackgerrit	Merged openstack/keystone master: Make federation documentation consistent https://review.openstack.org/472875	00:03
openstackgerrit	Merged openstack/keystone master: Add missing comma to json sample https://review.openstack.org/486780	00:04
*** thorst_afk has joined #openstack-keystone		00:11
*** catintheroof has quit IRC		00:14
*** ducttape_ has joined #openstack-keystone		00:25
*** dstepanenko has joined #openstack-keystone		00:26
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Make revocation token list alwayws return 410 https://review.openstack.org/490685	00:27
morgan	lbragstad: ^	00:27
*** dstepanenko has quit IRC		00:31
*** lwanderley has joined #openstack-keystone		00:33
*** ducttape_ has quit IRC		00:38
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Make revocation token list alwayws return 410 https://review.openstack.org/490685	00:39
*** Shunli has joined #openstack-keystone		00:45
*** zhurong has joined #openstack-keystone		00:52
*** thorst_afk has quit IRC		00:52
*** ducttape_ has joined #openstack-keystone		01:18
*** ducttap__ has joined #openstack-keystone		01:19
*** ducttape_ has quit IRC		01:23
*** dave-mccowan has joined #openstack-keystone		01:27
*** spzala has joined #openstack-keystone		01:29
*** lwanderley has quit IRC		01:31
*** mjax has quit IRC		01:32
*** mjax has joined #openstack-keystone		01:33
*** ducttap__ has quit IRC		01:34
*** lwanderley has joined #openstack-keystone		01:34
*** mjax has quit IRC		01:36
*** edmondsw has joined #openstack-keystone		01:42
*** otleimat has quit IRC		01:42
*** thorst_afk has joined #openstack-keystone		01:42
*** edmondsw has quit IRC		01:46
*** aselius has quit IRC		01:49
*** vint_bra has joined #openstack-keystone		02:06
*** http_GK1wmSU has joined #openstack-keystone		02:12
*** http_GK1wmSU has left #openstack-keystone		02:14
*** dstepanenko has joined #openstack-keystone		02:14
*** gagehugo has quit IRC		02:16
*** spzala has quit IRC		02:17
*** thorst_a_ has joined #openstack-keystone		02:18
*** thorst_a_ has quit IRC		02:18
*** dstepanenko has quit IRC		02:19
*** gagehugo has joined #openstack-keystone		02:20
*** thorst_afk has quit IRC		02:20
*** mjax has joined #openstack-keystone		02:23
*** mjax has quit IRC		02:24
*** mjax has joined #openstack-keystone		02:25
lbragstad	mjax: well - that's part of the reason why you'd do that bit through keystonemiddleware	02:26
lbragstad	since it sits in front of each service	02:26
*** mjax has quit IRC		02:26
*** vint_bra has quit IRC		02:27
*** Shunli has quit IRC		02:28
*** Shunli has joined #openstack-keystone		02:28
*** dave-mccowan has quit IRC		02:29
*** bigjools_ has quit IRC		02:30
*** ducttape_ has joined #openstack-keystone		02:34
*** spzala has joined #openstack-keystone		02:38
*** ducttape_ has quit IRC		02:38
*** spzala has quit IRC		02:43
*** jmlowe has quit IRC		02:48
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Attempt to expose bug in multi region endpoints https://review.openstack.org/490720	02:53
lbragstad	morgan: thanks	02:55
*** spzala has joined #openstack-keystone		03:15
*** spzala has quit IRC		03:20
*** edmondsw has joined #openstack-keystone		03:30
*** edmondsw has quit IRC		03:34
*** ducttape_ has joined #openstack-keystone		03:35
*** ducttape_ has quit IRC		03:40
*** spzala has joined #openstack-keystone		03:49
*** lwanderley has quit IRC		03:50
*** prashkre_ has joined #openstack-keystone		03:51
*** spzala has quit IRC		03:54
*** aselius has joined #openstack-keystone		03:54
*** dstepanenko has joined #openstack-keystone		04:03
*** links has joined #openstack-keystone		04:03
*** dstepanenko has quit IRC		04:07
*** henrynash has quit IRC		04:12
*** prashkre_ has quit IRC		04:15
*** thorst_afk has joined #openstack-keystone		04:19
*** spzala has joined #openstack-keystone		04:30
*** edmondsw has joined #openstack-keystone		04:31
*** thorst_afk has quit IRC		04:33
*** spzala has quit IRC		04:35
*** edmondsw has quit IRC		04:36
*** dstepanenko has joined #openstack-keystone		04:57
*** mjax has joined #openstack-keystone		04:58
*** mjax has quit IRC		04:59
*** dstepanenko has quit IRC		05:02
*** spzala has joined #openstack-keystone		05:12
*** spzala has quit IRC		05:16
*** ducttape_ has joined #openstack-keystone		05:37
*** spzala has joined #openstack-keystone		05:38
*** ducttape_ has quit IRC		05:42
*** spzala has quit IRC		05:43
*** thorst_afk has joined #openstack-keystone		06:01
*** tobberydberg has joined #openstack-keystone		06:05
*** thorst_afk has quit IRC		06:05
*** tobberydberg has quit IRC		06:05
*** tobberydberg has joined #openstack-keystone		06:06
*** markvoelker has quit IRC		06:08
*** oomichi has quit IRC		06:09
*** oomichi has joined #openstack-keystone		06:10
*** spzala has joined #openstack-keystone		06:14
*** spzala has quit IRC		06:19
*** edmondsw has joined #openstack-keystone		06:19
*** edmondsw has quit IRC		06:24
*** rcernin has joined #openstack-keystone		06:30
*** dstepanenko has joined #openstack-keystone		06:45
*** spzala has joined #openstack-keystone		06:47
*** dstepanenko has quit IRC		06:49
*** spzala has quit IRC		06:51
openstackgerrit	zhengliuyang proposed openstack/keystone master: Add role_domain_id_request_body in parameters https://review.openstack.org/490765	07:03
*** aselius has quit IRC		07:04
*** tesseract has joined #openstack-keystone		07:16
*** pcaruana has joined #openstack-keystone		07:38
*** ducttape_ has joined #openstack-keystone		07:38
*** faizy has joined #openstack-keystone		07:39
*** http_GK1wmSU has joined #openstack-keystone		07:42
*** http_GK1wmSU has left #openstack-keystone		07:43
*** ducttape_ has quit IRC		07:43
*** thorst_afk has joined #openstack-keystone		08:02
*** thorst_afk has quit IRC		08:06
*** markvoelker has joined #openstack-keystone		08:09
*** belmoreira has joined #openstack-keystone		08:11
*** oomichi has quit IRC		08:15
*** mdavidson has quit IRC		08:15
*** oomichi has joined #openstack-keystone		08:15
*** aojea has joined #openstack-keystone		08:19
*** aojea_ has joined #openstack-keystone		08:24
*** nicolasbock has joined #openstack-keystone		08:25
*** aojea has quit IRC		08:27
*** aojea has joined #openstack-keystone		08:30
*** aojea_ has quit IRC		08:32
*** dstepanenko has joined #openstack-keystone		08:33
*** aojea_ has joined #openstack-keystone		08:34
*** zhurong has quit IRC		08:36
*** aojea has quit IRC		08:37
*** dstepanenko has quit IRC		08:38
openstackgerrit	Pavlo Shchelokovskyy proposed openstack/keystoneauth master: Fix exception message in adapter loading https://review.openstack.org/489210	08:38
*** aojea has joined #openstack-keystone		08:39
*** aojea_ has quit IRC		08:41
*** markvoelker has quit IRC		08:43
*** zhurong has joined #openstack-keystone		08:44
*** aojea_ has joined #openstack-keystone		08:44
*** aojea has quit IRC		08:47
*** aojea has joined #openstack-keystone		08:49
*** aojea_ has quit IRC		08:52
*** aojea_ has joined #openstack-keystone		08:55
*** aojea has quit IRC		08:57
*** aojea has joined #openstack-keystone		08:59
*** mvpnitesh has joined #openstack-keystone		09:01
*** aojea_ has quit IRC		09:02
*** thorst_afk has joined #openstack-keystone		09:03
*** spzala has joined #openstack-keystone		09:03
*** spzala has quit IRC		09:03
*** spzala has joined #openstack-keystone		09:04
*** spzala has quit IRC		09:04
*** aojea_ has joined #openstack-keystone		09:05
*** thorst_afk has quit IRC		09:07
*** aojea has quit IRC		09:08
*** aojea has joined #openstack-keystone		09:11
*** mdavidson has joined #openstack-keystone		09:12
*** aojea_ has quit IRC		09:13
*** aojea_ has joined #openstack-keystone		09:16
*** aojea has quit IRC		09:20
*** aojea has joined #openstack-keystone		09:22
*** spzala has joined #openstack-keystone		09:24
*** aojea_ has quit IRC		09:25
*** aojea_ has joined #openstack-keystone		09:27
*** dstepanenko has joined #openstack-keystone		09:28
*** aojea has quit IRC		09:29
*** spzala has quit IRC		09:29
*** Shunli has quit IRC		09:32
*** dstepanenko has quit IRC		09:32
*** aojea has joined #openstack-keystone		09:32
*** aojea_ has quit IRC		09:35
*** aojea_ has joined #openstack-keystone		09:37
*** aojea has quit IRC		09:40
*** ducttape_ has joined #openstack-keystone		09:40
*** markvoelker has joined #openstack-keystone		09:41
*** aojea has joined #openstack-keystone		09:41
*** aojea_ has quit IRC		09:44
*** ducttape_ has quit IRC		09:44
*** aojea_ has joined #openstack-keystone		09:47
*** aojea has quit IRC		09:50
*** aojea has joined #openstack-keystone		09:52
*** aojea_ has quit IRC		09:55
*** edmondsw has joined #openstack-keystone		09:55
*** prashkre_ has joined #openstack-keystone		09:56
*** mvpnitesh has quit IRC		09:56
*** aojea_ has joined #openstack-keystone		09:57
*** aojea has quit IRC		10:00
*** edmondsw has quit IRC		10:00
*** aojea_ has quit IRC		10:00
*** dstepanenko has joined #openstack-keystone		10:04
*** spzala has joined #openstack-keystone		10:10
*** spzala has quit IRC		10:14
*** markvoelker has quit IRC		10:14
*** aojea has joined #openstack-keystone		10:16
*** zhurong has quit IRC		10:17
*** openstackgerrit has quit IRC		10:18
*** edmondsw has joined #openstack-keystone		10:36
*** edmondsw has quit IRC		10:40
*** ducttape_ has joined #openstack-keystone		10:41
*** ducttape_ has quit IRC		10:46
*** faizy has quit IRC		10:51
*** thorst_afk has joined #openstack-keystone		11:04
*** thorst_afk has quit IRC		11:08
*** markvoelker has joined #openstack-keystone		11:11
*** spzala has joined #openstack-keystone		11:11
*** spzala has quit IRC		11:16
*** http_GK1wmSU has joined #openstack-keystone		11:37
*** http_GK1wmSU has left #openstack-keystone		11:38
*** markvoelker has quit IRC		11:45
*** edmondsw has joined #openstack-keystone		11:47
*** thorst_afk has joined #openstack-keystone		11:51
*** thorst_afk has quit IRC		11:52
*** edmondsw has quit IRC		11:52
*** aojea has quit IRC		11:53
*** dave-mccowan has joined #openstack-keystone		11:55
*** rmascena has joined #openstack-keystone		12:02
*** erlon has joined #openstack-keystone		12:03
*** thorst has joined #openstack-keystone		12:06
*** openstackgerrit has joined #openstack-keystone		12:13
openstackgerrit	M V P Nitesh proposed openstack/keystone master: Added support for a ``description`` attribute for V3 Identity Roles https://review.openstack.org/484348	12:13
samueldmq	morning keystone	12:22
cmurphy	morning samueldmq	12:23
*** edmondsw has joined #openstack-keystone		12:23
*** spzala has joined #openstack-keystone		12:25
*** spzala has quit IRC		12:30
*** markvoelker has joined #openstack-keystone		12:31
*** dstepanenko has quit IRC		12:44
*** dstepanenko has joined #openstack-keystone		12:49
*** spzala has joined #openstack-keystone		12:49
*** lwanderley has joined #openstack-keystone		12:50
*** spzala has quit IRC		12:54
*** jmlowe has joined #openstack-keystone		13:04
*** spzala has joined #openstack-keystone		13:11
*** catintheroof has joined #openstack-keystone		13:17
*** aojea has joined #openstack-keystone		13:19
lbragstad	o/	13:25
*** aojea_ has joined #openstack-keystone		13:26
*** aojea has quit IRC		13:27
*** aojea has joined #openstack-keystone		13:30
*** mjax has joined #openstack-keystone		13:31
cmurphy	\o	13:32
*** mjax has quit IRC		13:33
*** aojea_ has quit IRC		13:33
*** dstepanenko has quit IRC		13:33
*** lucasxu has joined #openstack-keystone		13:34
*** aojea_ has joined #openstack-keystone		13:35
*** vint_bra has joined #openstack-keystone		13:35
samueldmq	\o/	13:36
*** aojea has quit IRC		13:37
*** aojea has joined #openstack-keystone		13:40
*** aojea_ has quit IRC		13:42
*** aojea_ has joined #openstack-keystone		13:45
*** vint_bra has quit IRC		13:46
*** jistr is now known as jistr\|mtg		13:46
*** jmlowe has quit IRC		13:47
*** dansmith is now known as superdan		13:47
*** Dinesh_Bhor has quit IRC		13:47
*** aojea has quit IRC		13:48
*** efried_zzz is now known as fried_rice		13:49
*** aojea has joined #openstack-keystone		13:50
*** aojea_ has quit IRC		13:53
*** bhagyashris has quit IRC		13:54
*** aojea_ has joined #openstack-keystone		13:55
prashkre_	lbragstad: Hi. Gud morning!	13:55
prashkre_	lbragstad: could you please take a look at latest comment on https://review.openstack.org/#/c/490138/.	13:56
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove policy for self-service password changes https://review.openstack.org/485818	13:57
*** ducttape_ has joined #openstack-keystone		13:57
*** aojea has quit IRC		13:58
*** sjain has joined #openstack-keystone		13:59
*** aojea has joined #openstack-keystone		14:00
*** dstepanenko has joined #openstack-keystone		14:01
*** aojea_ has quit IRC		14:04
*** aojea_ has joined #openstack-keystone		14:05
*** dstepanenko has quit IRC		14:05
*** aojea has quit IRC		14:08
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Remove duplicate sample files https://review.openstack.org/488609	14:08
*** ducttape_ has quit IRC		14:08
*** jmlowe has joined #openstack-keystone		14:09
*** aojea has joined #openstack-keystone		14:11
*** links has quit IRC		14:12
*** aojea_ has quit IRC		14:13
*** aojea_ has joined #openstack-keystone		14:16
lbragstad	we'll need to kick https://review.openstack.org/#/c/485818/ back through the door once it passes	14:19
*** aojea has quit IRC		14:19
*** aojea has joined #openstack-keystone		14:22
lbragstad	also - quick update	14:23
lbragstad	we're down to 14 bugs that are targeted to rc1	14:23
lbragstad	https://goo.gl/Uiqz8Z	14:23
cmurphy	\o/	14:23
lbragstad	we started the week with about 22	14:23
*** lwanderley has quit IRC		14:24
lbragstad	a couple are suspect to configuration or transients - i'm not convinced they will require patches to keystone to fix, but something we should look into regardless	14:24
cmurphy	i'm pretty sure https://bugs.launchpad.net/keystone/+bug/1689468 can be closed, then we're down to 13	14:24
openstack	Launchpad bug 1689468 in OpenStack Identity (keystone) "odd keystone behavior when X-Auth-Token ends with carriage return" [Low,In progress] - Assigned to Gage Hugo (gagehugo)	14:24
samueldmq	lbragstad: I am not really getting what that change is doing	14:24
samueldmq	https://review.openstack.org/#/c/485818	14:24
samueldmq	lbragstad: why doesn't it make sense anymore to have a separate policy to protect the self-service api?	14:25
*** aojea_ has quit IRC		14:25
lbragstad	the policy for checking the self-service password api was pulled into code (e.g. the api is no longer wrapped with @controller.protected	14:25
lbragstad	)	14:25
lbragstad	cmurphy: oh - good call - that whole fix lives within middleware now, right?	14:26
lbragstad	i think i left a comment on that yesterday?	14:26
samueldmq	lbragstad: so it checks the owner thing inside the upadte_user method?	14:26
cmurphy	lbragstad: ya i think so	14:26
*** lwanderley has joined #openstack-keystone		14:26
lbragstad	samueldmq: it check that the password matches	14:26
*** lwanderley has quit IRC		14:26
lbragstad	samueldmq: gagehugo explains it a bit here - https://review.openstack.org/#/c/404022/	14:26
*** aojea_ has joined #openstack-keystone		14:27
lbragstad	cmurphy: cool - thanks for pointing that one out	14:27
*** aojea_ has quit IRC		14:28
samueldmq	lbragstad: I am getting it ... but wouldn't that user (trying to update their own passowrd)	14:28
samueldmq	need to match the rule for update_user too? (in which case might be admin)	14:28
samueldmq	s/admin/admin protected/	14:28
lbragstad	samueldmq: it's a separate entry point - we expose a self-service password api in the controller	14:29
*** aojea has quit IRC		14:29
lbragstad	which eventually calls into self.identity_api.update_user in the maanger	14:29
samueldmq	lbragstad: ah so policy file is not checked at all	14:29
lbragstad	which isn't protected (since controller.update_user) is protected in the manager	14:29
lbragstad	right	14:29
*** josecastroleon has quit IRC		14:30
samueldmq	lbragstad: re-approved that one. assuming jenkins will be happy	14:30
*** ducttape_ has joined #openstack-keystone		14:31
lbragstad	i hope so	14:31
lbragstad	i need to look into some transients today	14:31
lbragstad	or monday	14:31
lbragstad	these three are problematic	14:32
lbragstad	https://bugs.launchpad.net/keystone/+bug/1694525	14:32
openstack	Launchpad bug 1694525 in OpenStack Identity (keystone) "keystone reports 404 User Not Found during grenade tests" [Medium,Triaged]	14:32
lbragstad	https://bugs.launchpad.net/keystone/+bug/1702211	14:32
openstack	Launchpad bug 1702211 in OpenStack Identity (keystone) "test_password_history_not_enforced_in_admin_reset failed in tempest test" [Medium,Confirmed]	14:32
lbragstad	https://bugs.launchpad.net/keystone/+bug/1703917	14:32
openstack	Launchpad bug 1703917 in OpenStack Identity (keystone) "Sometimes test_update_user_password fails with Unauthorized" [Medium,Triaged]	14:32
*** dstepanenko has joined #openstack-keystone		14:33
lbragstad	those ^ all seem like transients of some kind	14:34
*** ducttape_ has quit IRC		14:36
*** nicolasbock has quit IRC		14:39
fried_rice	mordred https://bugs.launchpad.net/keystoneauth/+bug/1708673 FYI.	14:41
openstack	Launchpad bug 1708673 in keystoneauth "Register deprecated opts with Adapter.get_conf_options" [Undecided,New]	14:41
fried_rice	mordred (This is to your suggestion of deprecating [ironic]api_endpoint, which I'm gonna hack on the nova side in the meantime.)	14:42
*** sjain has quit IRC		14:43
openstackgerrit	Eric Fried proposed openstack/keystoneauth master: WIP: Adapter.get_conf_options(deprecated_opts) https://review.openstack.org/490895	14:55
fried_rice	mordred ^^ for same	14:56
*** dstepanenko has quit IRC		14:57
*** jistr\|mtg is now known as jistr		15:01
*** aselius has joined #openstack-keystone		15:06
openstackgerrit	Rohan Arora proposed openstack/keystone master: Added versions to keystone headers https://review.openstack.org/468189	15:10
openstackgerrit	Eric Fried proposed openstack/keystoneauth master: WIP: Adapter.get_conf_options(deprecated_opts) https://review.openstack.org/490895	15:11
lbragstad	prashkre_: did you have anything for this locally? https://bugs.launchpad.net/keystone/+bug/1705081	15:13
openstack	Launchpad bug 1705081 in OpenStack Identity (keystone) "DELETE project API is failing in forbidden(403) error message" [High,Triaged] - Assigned to prashkre (prashkre)	15:13
*** rcernin has quit IRC		15:14
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Clarify SELinux note in LDAP documentation https://review.openstack.org/490902	15:14
*** lucasxu has quit IRC		15:15
*** ducttape_ has joined #openstack-keystone		15:16
*** dstepanenko has joined #openstack-keystone		15:17
prashkre_	lbragstad: I don't have. It is dependent on https://bugs.launchpad.net/keystone/+bug/1705072.	15:17
openstack	Launchpad bug 1705072 in OpenStack Identity (keystone) "clearing default project_id from users using wrong driver implementation" [Medium,Triaged]	15:17
*** ayoung has quit IRC		15:17
lbragstad	prashkre_: there isn't a patch up that addresses ^ is there?	15:18
lbragstad	I'm just going through what we've targeted for rc1	15:19
knikolla	o/	15:22
*** jaosorior has quit IRC		15:23
lbragstad	knikolla: o/	15:24
prashkre_	lbragstad: I don't think we have a patch for it as well.	15:26
lbragstad	prashkre_: ok - just checking	15:26
prashkre_	lbragstad: patch for https://bugs.launchpad.net/keystone/+bug/1705081 is simple but as it is dependent on other but I was waiting for it.	15:28
openstack	Launchpad bug 1705081 in OpenStack Identity (keystone) "DELETE project API is failing in forbidden(403) error message" [High,Triaged] - Assigned to prashkre (prashkre)	15:28
*** spzala has quit IRC		15:28
lbragstad	prashkre_: got it	15:28
*** ducttape_ has quit IRC		15:29
*** spzala has joined #openstack-keystone		15:33
openstackgerrit	Merged openstack/keystoneauth master: Fix exception message in adapter loading https://review.openstack.org/489210	15:37
*** spzala has quit IRC		15:38
*** belmoreira has quit IRC		15:44
*** otleimat has joined #openstack-keystone		15:46
*** dstepanenko has quit IRC		15:53
*** sjain has joined #openstack-keystone		15:53
*** dstepanenko has joined #openstack-keystone		15:59
knikolla	lbragstad: unfortunately tuesdays haven't worked too well for me for office hours in the past weeks	15:59
*** lucasxu has joined #openstack-keystone		16:00
*** sjain has quit IRC		16:06
*** pcaruana has quit IRC		16:10
*** jmlowe has quit IRC		16:19
*** dstepanenko has quit IRC		16:22
*** prashkre_ has quit IRC		16:23
*** ayoung has joined #openstack-keystone		16:30
*** spzala has joined #openstack-keystone		16:35
cmurphy	I'm confused about https://bugs.launchpad.net/keystone/+bug/1705081, how does an ldap user get a default project in the first place?	16:37
openstack	Launchpad bug 1705081 in OpenStack Identity (keystone) "DELETE project API is failing in forbidden(403) error message" [High,Triaged] - Assigned to prashkre (prashkre)	16:37
cmurphy	in my env they don't have a default and trying to assign them one 403's	16:38
*** spzala has quit IRC		16:41
openstackgerrit	Merged openstack/keystone master: Add role_domain_id_request_body in parameters https://review.openstack.org/490765	16:41
openstackgerrit	Merged openstack/keystone-tempest-plugin master: Removes unnecessary utf-8 encoding https://review.openstack.org/485199	16:42
samueldmq	cmurphy: I think I am getting your point	16:45
*** spzala has joined #openstack-keystone		16:45
samueldmq	as LDAP users don't have default project ID, that _unset_default_project thing should not even be triggered to LDAP users	16:45
samueldmq	oh no. actually, the driver should just bypass and not throw 403	16:46
samueldmq	if I am getting the bug correctly, you should not be able to delete any project when ldap identity backend is used	16:47
morgan	samueldmq: ++	16:47
samueldmq	morgan: o/	16:48
*** spilla has joined #openstack-keystone		16:49
openstackgerrit	Merged openstack/keystone master: Remove policy for self-service password changes https://review.openstack.org/485818	16:54
*** dstepanenko has joined #openstack-keystone		16:55
*** dstepanenko has quit IRC		17:00
*** dstepanenko has joined #openstack-keystone		17:02
*** eandersson has quit IRC		17:03
stevemar	holy wall-o-text mordred	17:03
*** sjain has joined #openstack-keystone		17:07
*** mjax has joined #openstack-keystone		17:15
cmurphy	samueldmq: well now i'm more confused	17:21
samueldmq	cmurphy: :-)	17:21
*** edmondsw_ has joined #openstack-keystone		17:23
*** prashkre_ has joined #openstack-keystone		17:24
lbragstad	cmurphy: yeah - the issue is that if a project is deleted, the callback will try and call into the ldap backend if configured to do so	17:25
openstackgerrit	Samriddhi proposed openstack/keystone master: Fill in content in User Documentation https://review.openstack.org/490667	17:26
*** edmondsw has quit IRC		17:26
*** openstackstatus has quit IRC		17:27
*** openstack has joined #openstack-keystone		17:28
*** openstackstatus has joined #openstack-keystone		17:29
*** ChanServ sets mode: +v openstackstatus		17:29
samueldmq	cmurphy: and you would get a 403 on project delete, even if the project was successfully deleted?	17:32
samueldmq	not sure what state the project ends in, maybe it was actually deleted	17:33
*** spzala has quit IRC		17:35
*** Guest46292 is now known as amrith		17:35
lbragstad	i think in this case the resource backend is configured to use LDAP	17:37
cmurphy	o.0	17:38
lbragstad	prashkre_: right? ^	17:38
lbragstad	also - can't you set a default_project_id attribute on a user in LDAP and have it pass through keystone?	17:39
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Make revocation token list alwayws return 410 https://review.openstack.org/490685	17:40
prashkre_	cmurphy:samueldmq: first thing is because of bug https://bugs.launchpad.net/keystone/+bug/1705072, call back never goes to ldap. so one the bug 1705072 is fixed, all the delete project requests will end up in 403, even though project is deleted successfully	17:40
openstack	Launchpad bug 1705072 in OpenStack Identity (keystone) "clearing default project_id from users using wrong driver implementation" [Medium,Triaged]	17:40
lbragstad	knikolla: do you think that will be the pattern moving forward?	17:40
morgan	lbragstad: ok there we go that should pass tests now	17:40
prashkre_	so once*	17:41
cmurphy	lbragstad: there is a user_default_project_id_attribute but i don't think it does anything, looking at the code	17:41
morgan	cmurphy: it did something in the past, mostly when we were dealing with r/w ldap backends	17:41
morgan	but since we don't do read/write anymore...	17:41
cmurphy	morgan: yeah, if you look at it now it's pretty much just registered with osloconfig and then never used again	17:42
morgan	it shouldn't even call to the ldap server (it should simply skip any read-only backend) when iterating	17:42
morgan	cmurphy: sounds about right	17:42
* lbragstad shudders		17:42
prashkre_	cmurphy: since ldap is readonly, we can't have user_default_project_id attribute set, but for sql backends I hope it can have..	17:42
lbragstad	prashkre_: when you ran into that issue - you configured the identity and resource backends to use LDAP, right?	17:42
morgan	prashkre_: any/all read-write backends should get called	17:43
prashkre_	lbragstad: I have configured identity backend as ldap. sorry, what do you meant by resource backend?	17:46
lbragstad	prashkre_: https://github.com/openstack/keystone/blob/4e986235713758f2df5ae12e66ca3e5e93edd551/keystone/conf/resource.py#L18-L25	17:46
lbragstad	the default is sql which supports read/write	17:46
lbragstad	prashkre_: the bug you filed describes a 403 when cleaning up the project	17:47
lbragstad	prashkre_: so - it would appear something except LDAP is configured for the resource backend?	17:47
prashkre_	lbragstad: resource backend is default, i.e. sql.	17:48
lbragstad	so [resource] driver = sql and [identity] driver = ldap in order to recreate that bug	17:50
*** dstepanenko has quit IRC		17:51
lbragstad	and when you DELETE /v3/project/{project_id} it's failing because it's attempting to cleanup that project ID from the default project ID of the users stored in the identity backend	17:51
lbragstad	aha - that makes sense	17:51
prashkre_	lbragstad: until we fix the issue in https://bugs.launchpad.net/keystone/+bug/1705072, you can't reproduce 403 error with delete project.	17:52
openstack	Launchpad bug 1705072 in OpenStack Identity (keystone) "clearing default project_id from users using wrong driver implementation" [Medium,Triaged]	17:52
lbragstad	well - that's with multiple domain support with LDAP configured - specifically	17:53
lbragstad	you should be able to recreate https://bugs.launchpad.net/keystone/+bug/1705081 with a single domain and a single ldap identity backend, right?	17:54
openstack	Launchpad bug 1705081 in OpenStack Identity (keystone) "DELETE project API is failing in forbidden(403) error message" [High,Triaged] - Assigned to prashkre (prashkre)	17:54
prashkre_	yes, you are right.	17:55
lbragstad	so it sounds like https://bugs.launchpad.net/keystone/+bug/1705072 doesn't have to be fixed before https://bugs.launchpad.net/keystone/+bug/1705081	17:56
openstack	Launchpad bug 1705072 in OpenStack Identity (keystone) "clearing default project_id from users using wrong driver implementation" [Medium,Triaged]	17:56
openstack	Launchpad bug 1705081 in OpenStack Identity (keystone) "DELETE project API is failing in forbidden(403) error message" [High,Triaged] - Assigned to prashkre (prashkre)	17:56
lbragstad	we should be able to work fixes in parallel?	17:57
prashkre_	lbargstad: I assume bypassing this https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py#L92 by setting it to pass will fix the issue.	17:58
prashkre_	since ldap is readonly we don't need to worry about unsetting the attribute	17:59
lbragstad	prashkre_: it would - but we need to make sure that method is only invoked by the callback	17:59
*** prashkre_ has quit IRC		17:59
lbragstad	otherwise will have a regression on our hands because we were raising an exception but now we won't be	17:59
*** prashkre_ has joined #openstack-keystone		17:59
lbragstad	prashkre_: we do need make sure that we raise an exception if someone is trying to unset that attribute manually via the api (which should result in a 403(	18:00
lbragstad	403)	18:00
prashkre_	lbragstad: what are the other api	18:02
prashkre_	?	18:02
prashkre_	which user can manually trigger to unset that attribute.	18:02
lbragstad	http://paste.openstack.org/show/617561/	18:02
*** tobberydberg has quit IRC		18:02
lbragstad	looks like its limited to only being called from keystone/identity/core.py	18:02
lbragstad	which is good	18:03
*** spzala has joined #openstack-keystone		18:03
lbragstad	but this is also changing a 403 -> 204 http://specs.openstack.org/openstack/api-wg/guidelines/api_interoperability.html	18:04
lbragstad	cc cmurphy morgan samueldmq ^	18:05
samueldmq	lbragstad: and that requires a version change, correct?	18:06
morgan	which is a behavior break and requires a change	18:06
* lbragstad sigh		18:06
morgan	now... if it was a 5xx -> 204 it would be different	18:06
morgan	this is a case where you might get TC buy-in though	18:06
morgan	you'll want to raise this up to the TC level	18:06
morgan	nooooowwww	18:06
morgan	you could also do something wonky	18:06
morgan	you could make it raise a 403 even if it works.	18:07
lbragstad	since it makes using the default resource backend with ldap identity unusable in a way	18:07
morgan	so behavior is the same but the underlying actions are done	18:07
morgan	so basically, hold the 403, and keep iterating (when it occurs) and then re-raise it	18:07
prashkre_	lbragstad: it is being called only with event from delete project API.	18:07
lbragstad	right	18:07
morgan	also this is inconsistent, some backends are 403ing some are 204ing, some configs are doing other things	18:07
morgan	this case might be ok to just fix	18:08
lbragstad	if you have the resource backend configured to use mysql and the identity backend to use ldap - you're going to see this error everytime do try to delete a project	18:08
morgan	because it is different based upon how openstack is configured	18:08
morgan	so... ask the TC	18:08
morgan	if they say "no don't fix"	18:08
lbragstad	ack	18:08
lbragstad	i'll head over to -tc and poke around	18:08
morgan	then hold the 403 when it happens, and then re-raise when things are finished being cleaned up	18:08
morgan	then behavior is the same	18:08
morgan	so try: except 403: 403_caught=True. and in the for loop, for/finally: if 403, raise 403	18:09
* cmurphy -> off to do friday things, bbl		18:15
lbragstad	cmurphy: o/	18:16
*** sjain has quit IRC		18:19
knikolla	friday things are nice	18:19
* morgan is hiding in a/c filled office		18:20
morgan	it's a bit toasty here in the PNW	18:20
clarkb	the smoke is worse than the heat though. My eyes and throat hate me rightn ow	18:20
*** dstepanenko has joined #openstack-keystone		18:22
morgan	clarkb: and i'm in Seattle, the smoke is so bad	18:23
*** dstepanenko has quit IRC		18:26
*** openstackstatus has quit IRC		18:26
*** openstack has joined #openstack-keystone		18:27
*** openstackstatus has joined #openstack-keystone		18:28
*** ChanServ sets mode: +v openstackstatus		18:28
*** prashkre_ has quit IRC		18:47
*** lwanderley has joined #openstack-keystone		18:55
*** lwanderley has quit IRC		18:57
*** lwanderley has joined #openstack-keystone		18:58
mjax	lbragstad: is there a unit test for provider issuing tokens? I didn't see one looking through the folder, but maybe I missed it	19:00
lbragstad	mjax: yeah - that should be in keystone/tests/unit/test_v3_auth.py and keystone/tests/unit/test_auth.py	19:01
lbragstad	^ those are API tests	19:01
lbragstad	the unit tests are in keystone/tests/unit/token/*	19:01
*** thorst has quit IRC		19:03
*** sjain has joined #openstack-keystone		19:05
*** thorst has joined #openstack-keystone		19:06
*** thorst has quit IRC		19:10
*** thorst has joined #openstack-keystone		19:18
openstackgerrit	Gage Hugo proposed openstack/keystone-specs master: Update project-tags spec https://review.openstack.org/484529	19:20
*** thorst has quit IRC		19:20
*** thorst has joined #openstack-keystone		19:20
openstackgerrit	Gage Hugo proposed openstack/keystone master: Add project tags api-ref documentation and reno https://review.openstack.org/472396	19:25
*** lwanderley has quit IRC		19:30
mjax	lbragstad: Sorry to trouble you again, but could you tell me about how a request to keystone to issue a token works? I see the authenticate user methods in controllers.py https://github.com/openstack/keystone/blob/fffc84db79fabb2bb35367387dd4b19e9dafb6d1/keystone/auth/controllers.py#L107, but I'having trouble following it	19:36
edmondsw_	lbragstad replied on the ML... I think you missed a line in the API guidelines	19:36
*** spilla has quit IRC		19:46
edmondsw_	mjax something in particular that's tripping you up there?	19:47
*** ducttape_ has joined #openstack-keystone		19:55
openstackgerrit	Merged openstack/keystone master: Remove duplicate sample files https://review.openstack.org/488609	19:58
*** ducttape_ has quit IRC		20:00
openstackgerrit	Gage Hugo proposed openstack/keystone master: Shift to check_policy for resource creation https://review.openstack.org/462670	20:05
*** dstepanenko has joined #openstack-keystone		20:10
*** dstepanenko has quit IRC		20:14
mjax	edmondsw_: yea, I'm not that used to the loosely typed style of python, so I'm having some trouble connecting what each of the variables are and what they do	20:17
edmondsw_	mjax you mean the input parameters, or in general?	20:18
edmondsw_	one in particular?	20:19
lbragstad	edmondsw_: mtrienish responded	20:20
edmondsw_	lbragstad yeah, I saw :(	20:20
mjax	yup, a lot of them, for starters: auth, request, method_names,	20:20
lbragstad	unfortunately "broken handling" can't be classified for 4XX =/	20:20
edmondsw_	that could be clearer in the guidelines. Then again, the guidelines in general could be a lot clearer	20:20
edmondsw_	that whole topic is still a mess	20:21
lbragstad	sounds like a ptg discussion	20:21
edmondsw_	yeah... I'm frustrated that we're saying we have to follow API guidelines without having the ability (microversions) to follow API guidelines... so we can't fix things	20:21
edmondsw_	maddening	20:22
edmondsw_	mjax it can be difficult sometimes... I generally end up using a lot of greps to find where things are called and see what they're passing	20:23
mjax	mmm was hoping for a bit of a high levelish explanation of what's going on to speed things up. Do you know of a resource that can let me know what each dict variable is expected to hold? Like I see an auth_context['project_id'] but idk what else is in there	20:26
knikolla	lbragstad: when was the unset default_project_id function added? i see no unset_default_project_id in newton/ocata	20:27
lbragstad	knikolla: it's relatively new	20:28
lbragstad	knikolla: gagehugo wrote the fix	20:28
knikolla	if it's not in newton on ocata, means it's only in master. so it's not like we're changing something from a release	20:29
knikolla	or*	20:29
lbragstad	knikolla: actually - sorry, i think someone else wrote the fix	20:29
lbragstad	i'm getting my wires crossed	20:29
* gagehugo is confused		20:29
knikolla	https://github.com/openstack/keystone/commit/51d5597df729158d15b71e2ba80ab103df5d55f8	20:29
lbragstad	https://github.com/openstack/keystone/commit/51d5597df729158d15b71e2ba80ab103df5d55f8	20:29
lbragstad	yep	20:29
lbragstad	gagehugo: sorry - i'm saying you did stuff you didn't do	20:30
lbragstad	gagehugo: ignorem e	20:30
gagehugo	heh	20:30
knikolla	my point is. if we haven't released a release with this yet we should be able to change the api	20:30
lbragstad	knikolla: good point	20:31
lbragstad	knikolla: do you want to raise that as a point on the thread/	20:31
lbragstad	we've only released the behavior in milestones	20:32
lbragstad	(i'm not sure how that affects things though)	20:32
lbragstad	cc morgan ^	20:32
morgan	lbragstad: technically we should be fine	20:35
lbragstad	if we haven't released it yet	20:36
-openstackstatus- NOTICE: Gerrit is being restarted to pick up CSS changes and should be back momentarily		20:36
edmondsw_	mjax I believe auth is the body of the auth request	20:36
lbragstad	and since the callback coupling only existed in pike - this call would have been successful on previous releases, too	20:36
edmondsw_	mjax and method_names would be the method info from the body, parsed out by AuthInfo	20:37
edmondsw_	mjax does that help?	20:37
*** sjain has quit IRC		20:38
mjax	I'm reading through AuthInfo now	20:38
edmondsw_	mjax one suggestion for you would be to add "import rpdb; rpdb.set_trace()" as a breakpoint somewhere, and then do something to trigger this code running (call the API to request a token) and then telnet to port 4444	20:39
edmondsw_	that will get you into the debugger, and you can walk through and see what things are doing and what other vars are available with what contents	20:40
*** rmascena has quit IRC		20:40
mjax	edmondsw_: thanks i'll try that	20:41
knikolla	lbragstad: answering the email now.	20:41
*** ducttape_ has joined #openstack-keystone		20:42
lbragstad	knikolla: awesome - thank you	20:44
knikolla	lbragstad: replied. :)	20:45
*** ducttape_ has quit IRC		20:47
*** lucasxu has quit IRC		20:51
lbragstad	knikolla: i was going to suggest that we log something in the fix	20:51
lbragstad	knikolla: but since we're in string freeze - that can wait	20:51
knikolla	lbragstad: i'm unsure how ldap would ever come to have default projects in their users.	20:54
knikolla	lbragstad: https://github.com/openstack/keystone/blob/fa63f893d487d54fe932e42ad9b53eea7a24932f/keystone/conf/ldap.py#L206	20:54
knikolla	it's not the default behavior.	20:55
knikolla	also the concept of a default project store into the user information seems wrong in general, since makes the identity backend have to know about the assignment backend	20:57
morgan	lbragstad: it is wrong...	20:57
morgan	but we have a history	20:57
morgan	and can't change it =/	20:57
morgan	that is long long long ago history\	20:57
knikolla	maybe deprecate it and introduce a "default role assignment"	20:58
*** spzala has quit IRC		20:58
lbragstad	knikolla: it was a v2.0 ism that crept into v3 in a weird way	21:00
lbragstad	in v2.0, if you created a user that had a `default_project_id` attribute set, the user would automatically get a role on the project specified in the user reference	21:01
lbragstad	knikolla: historical context can be found here https://bugs.launchpad.net/keystone/+bug/1662911	21:03
openstack	Launchpad bug 1662911 in Designate "v3 API create_user does not use default_project_id" [Critical,Triaged] - Assigned to Graham Hayes (grahamhayes)	21:03
knikolla	lbragstad: hard to fix it now without breaking expected behavior.	21:03
lbragstad	knikolla: right - we either pull the odd v2.0 behavior into v3 or remove the default_project_id attribute from v3	21:03
lbragstad	the later breaks api compatibility	21:04
lbragstad	so - i guess we we do v4 we make it better by completely isolating assignment from identity	21:04
lbragstad	and leave nothing to assumption when creating users	21:04
knikolla	lbragstad: not necessarily. we can have it pull the "default project" from something else. like the assignment table and the concept of a default role assignment	21:04
knikolla	on the surface we can preserve api compat. but on the place it's stored is different	21:05
lbragstad	well - part of the issue is that in v2.0 setting the default_project_id on a user meant something, in v3 it means less	21:06
knikolla	lbragstad: i understand that.	21:07
lbragstad	ohhh	21:08
lbragstad	i think i see what you're getting at	21:08
knikolla	lbragstad: our contract is our api though,	21:08
knikolla	not our representation of objects.	21:08
lbragstad	sure	21:08
lbragstad	i agree	21:08
lbragstad	well - kind of, because the default_project_id is represented in the API with users	21:09
lbragstad	so - we could remove it in the backend and introduce a hybrid property to the identity sql backend to pull the default project id from the assignment table or something like that - but the default_project_id is expected to be in the user reference	21:09
knikolla	lbragstad: yes	21:10
lbragstad	it would make the identity backend implementation for sql not care as much about a table that has default_project_id in the schema - but we still have to emit the property through the API	21:10
lbragstad	my suggestion is that when we do v4 - we don't allow project ids to be associated with users in that way	21:11
lbragstad	all user assignment relationships should be explicit through the assignment api	21:11
knikolla	lbragstad: i agree.	21:11
knikolla	lbragstad: it will still be ugly though, since we will need to support v3 at the same time.	21:12
lbragstad	then we don't have to do weird stuff like this - https://github.com/openstack/keystone/blob/master/keystone/auth/controllers.py#L174-L219	21:12
lbragstad	true	21:12
knikolla	lbragstad: ewww	21:12
lbragstad	knikolla: yeah...	21:12
knikolla	lbragstad: let's just kill the concept of a "default project" in v4.	21:14
lbragstad	agreed	21:14
lbragstad	the plan was to do that in v3	21:14
lbragstad	but the attribute bled over from the v2.0 implementation	21:14
knikolla	understood.	21:15
lbragstad	which is the confusing part - because default_project_id means something in v2.0 but not quite the same thing in v3 =/	21:15
knikolla	i think i'm lucky i came on board in the v3 era.	21:15
knikolla	rather than v2.0 era.	21:15
knikolla	or i'm unlucky that i came on board in the, both versions era.	21:16
knikolla	still unsure on that, haha.	21:16
knikolla	lbragstad: so in v2.0 it auto scopes the auth if you don't specify a project, right?	21:16
knikolla	lbragstad: what does it do in v3?	21:17
lbragstad	knikolla: the auto-scoping logic also applies to v3 :(	21:17
lbragstad	i spent a day pulling my hair out once trying to figure out why i couldn't get an unscoped token	21:17
lbragstad	from v3 when i didn't specify scope	21:18
knikolla	lbragstad: ooooo… i never knew about this auto-scoping since i've never assigned a default project to anything.	21:18
lbragstad	yeah - if you're user has a default_project_id, you'll by default get a token scoped to that project even if you omit scope from your request	21:19
lbragstad	the big difference between v2.0 and v3 is that with v2.0 if you created a user with `default_project_id` set, keystone would automatically create the assignment for you	21:20
lbragstad	if you do that in v3 - it doesn't really do anything besides just shove the project id in the user reference before persisting it to the backend	21:21
lbragstad	someone still has to come along and manually give that user an assignment on their "default project":	21:21
lbragstad	^ causes much confusion	21:21
*** thorst has quit IRC		21:21
knikolla	that's ugly.	21:21
*** thorst has joined #openstack-keystone		21:22
lbragstad	yeah - there be dragons	21:22
*** spzala has joined #openstack-keystone		21:22
knikolla	i'll make my voice heard during the v4 design when/if it happens.	21:24
lbragstad	knikolla: if we separate auth from v4 - v4 can happen sooner	21:25
lbragstad	v2.0 -> v3 auth was the biggest hurdle we faced moving to v3	21:25
*** thorst has quit IRC		21:26
knikolla	lbragstad: agree.	21:26
*** spzala has quit IRC		21:26
knikolla	time for me to do friday things too. have a good weekend o/	21:28
lbragstad	knikolla: have a good weekend!	21:33
*** dave-mccowan has quit IRC		21:38
openstackgerrit	Gage Hugo proposed openstack/keystone master: Shift to check_policy for resource creation https://review.openstack.org/462670	21:40
*** agrebennikov has joined #openstack-keystone		21:43
*** agrebennikov has quit IRC		21:43
*** agrebennikov has joined #openstack-keystone		21:43
*** agrebennikov has quit IRC		21:43
*** agrebennikov has joined #openstack-keystone		21:44
*** ducttape_ has joined #openstack-keystone		21:44
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Make revocation token list alwayws return 410 https://review.openstack.org/490685	21:46
*** edmondsw_ has quit IRC		21:47
*** ducttape_ has quit IRC		21:48
* lbragstad heads out to go sit in a kayak for two days		21:51
*** dstepanenko has joined #openstack-keystone		21:58
*** dstepanenko has quit IRC		22:04
*** fried_rice is now known as efried_WEEKEND		22:16
*** thorst has joined #openstack-keystone		22:22
*** thorst has quit IRC		22:28
*** spzala has joined #openstack-keystone		22:34
*** spzala has quit IRC		22:45
*** efried_WEEKEND has quit IRC		22:48
*** spzala has joined #openstack-keystone		22:51
*** spzala has quit IRC		22:52
*** superdan is now known as dansmith		22:52
*** spzala has joined #openstack-keystone		22:54
*** catintheroof has quit IRC		22:56
*** efried_WEEKEND has joined #openstack-keystone		22:58
*** ducttape_ has joined #openstack-keystone		23:03
*** ducttape_ has quit IRC		23:07
*** lbragstad has quit IRC		23:22
*** edmondsw has joined #openstack-keystone		23:36
*** edmondsw has quit IRC		23:40
*** dstepanenko has joined #openstack-keystone		23:46
*** agrebennikov has quit IRC		23:50
*** dstepanenko has quit IRC		23:51

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!