Tuesday, 2017-08-08

openstackgerritMerged openstack/keystone master: Move url safe naming docs to admin guide  https://review.openstack.org/48862502:48
openstackgerritRajat Sharma proposed openstack/keystone master: Update URL in README.rst  https://review.openstack.org/49170107:28
openstackgerritzhiguo.li proposed openstack/keystone master: Add two steps in part 'Configure the Apache HTTP server' for Ubuntu and change the related parts for RDO or SUSE  https://review.openstack.org/48958908:06
openstackgerritzhiguo.li proposed openstack/keystone master: Modify the steps in 'Configure the Apache HTTP server' for three OS  https://review.openstack.org/48958908:16
openstackgerritzhiguo.li proposed openstack/keystone master: Modify the steps in 'Configure the Apache HTTP server' for three OS  https://review.openstack.org/48958908:17
openstackgerritzhiguo.li proposed openstack/keystone master: Modify the steps of configuring the Apache server for three OS  https://review.openstack.org/48958908:25
hrybackilbragstad: FYI -- back online but in internal meetings for the week. Back to regular work-work on  Monday12:29
*** zhurong has quit IRC12:30
hrybackilbragstad: looks like I'll be able to attend PTG Wed-Fri. Is there any reason you'd need me there on Tuesday as well?12:30
*** sbezverk has joined #openstack-keystone12:35
openstackgerritDavanum Srinivas (dims) proposed openstack/oslo.policy master: [WIP] Support for SSL based remote checks  https://review.openstack.org/49178312:36
*** dstepanenko has quit IRC12:38
lbragstadhrybacki: welcome back!12:43
lbragstadhrybacki: it looks like the plan is to have cross-project meetings on monday and tuesday12:43
lbragstadand project specific topics will happen wednesday - friday12:43
hrybackilbragstad: Ah, yes. So much of the policy and role discussion will happen early in the week12:46
hrybackilbragstad: thanks :)12:46
*** dstepanenko has joined #openstack-keystone12:46
hrybackirole as in the hopeful default role for OS discussion12:46
lbragstadhrybacki: right - that's how it boiled down at the last PTG, too12:49
lbragstadhrybacki: i was there from Wednesday - Friday and i missed most of the discussions on policy12:49
lbragstadi spent the rest of the week tracking people down to get summaries12:49
hrybackilbragstad: interesting12:50
hrybackiOkay, I'll hit my manager back up and raise the points12:50
lbragstadhrybacki: ok - let me know12:51
*** lwanderley has quit IRC12:52
*** aojea has joined #openstack-keystone12:53
hrybackilbragstad: ack!12:55
lbragstadfwiw - i put when i'll be getting into denver and when i'll be leaving on the etherpad https://etherpad.openstack.org/p/keystone-queens-ptg12:55
prashkrelbragstad: Hi. could you please take a look at latest comment on https://review.openstack.org/#/c/490138/ and give your feedback on it to proceed further.13:03
lbragstadclarkb: i subscribed you to https://bugs.launchpad.net/keystone/+bug/169452513:14
openstackLaunchpad bug 1694525 in OpenStack Identity (keystone) "keystone reports 404 User Not Found during grenade tests" [Medium,Triaged]13:14
lbragstadclarkb: a couple of us have been looking at it - have you noticed that specific issue cropping up recently or do you know if there is a better logstash query for it?13:15
cmurphyo/ yeah "user not found" is too broad a search query and not necessarily an indicator of a problem13:16
lbragstadi agree13:16
ayounghrybacki, lbragstad One addendum to the RBAC in middleware proposal.  Note how Kubernetes does things: https://kubernetes.io/docs/admin/authorization/#determine-the-request-verb13:43
ayoungthey have more verbs than just the HTTP defined set.  I also hear rumors about a "USE" verb but I don't know what that means or how it is defined13:43
lbragstadinteresting13:43
* lbragstad pins tab13:43
openstackgerritLance Bragstad proposed openstack/keystone master: Except forbidden when clearing default project IDs  https://review.openstack.org/49154613:45
lbragstadcmurphy: responded - https://review.openstack.org/#/c/491546/213:45
*** dstepanenko has joined #openstack-keystone13:48
ayounglbragstad, here is one reference to the USE verb https://github.com/kubernetes/kubernetes/issues/1763713:49
ayounglbragstad, and here is the list of verbs from the code https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/create_role.go#L5513:52
cmurphylbragstad: responded back14:01
lbragstadcmurphy: so - just to clarify, you are ok with the try/except?14:02
lbragstadif someone is writing a driver out of tree - is the right thing to raise a 403 in the unset_default_project_id method or is the right thing to return None?14:04
lbragstadI think I prefer avoiding None because it makes you less prone to coding around a special value14:05
lbragstadbetter described by Item 14: Prefer Exceptions to returning None from Effective Python14:07
cmurphylbragstad: i think i prefer the try/except now that i'm considering that other backends might be involved14:10
lbragstadcmurphy: ack - reverting some of the recent changes then14:10
*** jmlowe has joined #openstack-keystone14:11
cmurphylbragstad: but i don't have a very strong opinion :)14:11
cmurphyjust seems like no matter what identity backend you're using it would be pretty confusing to see a 403 when trying to delete a project14:12
openstackgerritLance Bragstad proposed openstack/keystone master: Except forbidden when clearing default project IDs  https://review.openstack.org/49154614:14
lbragstadcmurphy: yeah14:14
lbragstadcmurphy: i think the decoupled nature of all the subsystems is to blame for that14:15
lbragstadthe requirement that the resource API and the identity API have different backends makes situations like this messy14:16
lbragstad(it also leads to us using notifications as a way to enforce constraints that should otherwise be done in the backend)14:16
cmurphyyeah :/14:16
lbragstadand because of that we can't leverage database FK between systems14:17
knikollao/14:32
lbragstado/14:32
openstackgerritLance Bragstad proposed openstack/keystone master: Except forbidden when clearing default project IDs  https://review.openstack.org/49154614:32
lbragstadcmurphy: failed pep814:32
knikollalbragstad: doesn't the mocked _disallow_write not raise Forbidden in your test?14:35
knikollai'm a bit confused, but may be my lack of coffee yet14:36
openstackgerritLance Bragstad proposed openstack/keystone master: Except forbidden when clearing default project IDs  https://review.openstack.org/49154614:37
lbragstadknikolla: yeah - i missed that14:37
lbragstadthat mock should be better14:37
lbragstadit should be asserting the exception is raised and handled by the manager14:37
knikollalbragstad: doesn't mock.patch.object replace the function with a mock?14:46
knikollain that case the mocked _disallow_write wouldn't raise the exception at all.14:46
lbragstadknikolla: it does - i might need to add a side_effect to that mock14:47
knikollalbragstad: yes.14:47
knikollalbragstad: besides that, patch looks good.14:48
*** gyee has joined #openstack-keystone14:48
*** links has joined #openstack-keystone14:48
openstackgerritLance Bragstad proposed openstack/keystone master: Except forbidden when clearing default project IDs  https://review.openstack.org/49154614:49
lbragstadknikolla: thanks ^14:49
*** links has quit IRC14:49
bretonhttps://specs.openstack.org/openstack/keystone-specs/specs/keystone/ocata/password-totp-plugin.html has this been implemented?14:54
lbragstadbreton: yes14:57
knikollabreton: https://review.openstack.org/#/c/345113/14:57
*** tobberyd_ has joined #openstack-keystone14:57
lbragstadhttps://review.openstack.org/#/c/491478/2 can use another review14:57
lbragstad^ closes an rc bug14:57
bretonare there any docs about it?14:58
bretonhow to use user options?14:58
lbragstadhttps://docs.openstack.org/keystone/latest/advanced-topics/auth-totp.html14:58
knikollabreton: oops, sent the wrong link. sorry14:59
*** tobberydberg has quit IRC15:00
bretonlbragstad: cool, thanks. But that thing says about totp only. How do i enable password+totp15:01
bretonlbragstad: ?15:01
*** gyee_ has joined #openstack-keystone15:01
bretoni am now seeing in the code that it is about resource options15:01
bretonand does something with multi_factor_auth_enabled15:02
bretonbut how do i use it :(15:02
morganlbragstad:15:05
morganuh... erm15:05
lbragstadit was added here - v15:05
lbragstadhttps://github.com/openstack/keystone/commit/ab9237f2c378eb2cf51b492ca9528327fa48b0b615:05
*** jrist has joined #openstack-keystone15:05
morgansomeone needs to add docs about the auth-rules thing15:05
morganso you can *require* totp15:06
lbragstadyeah - looks like the code that added multi-factor to resource options landed without docs15:06
cmurphy-_- lol15:06
morganwell i did a ton of the resource stuff, but no one followed up w/ the docs.15:06
lbragstadmorgan: the basic flow is that an "admin" sets the RO for the users15:06
morganyeah.15:07
morganthat's the basic idea15:07
lbragstadand the information is pulled when the user authenticates15:07
lbragstadand the mfa flow is initiated at that point, right?15:07
lbragstad^ boom - docs15:07
* lbragstad calls it a day15:07
morganthe RO is a set of "[[x,y], [z], [y,z]]" auth modules15:07
morganand if you match any of those combinations (aka, password && totp, token, token && totp [don't do this last one])15:08
morganit works15:08
morganand iirc you can add the RO on user create15:09
lbragstadmorgan: is the fact that ^ isn't documented an rc blocker?15:09
morgansooooo15:09
morganno. not an rc blocker15:09
lbragstadbut a bug15:09
bretonbut15:09
morgani would *never* block an rc for a bug for a feature that is new.15:09
morganit can land doc wise anytime15:09
bretonthe commit was in ocata cycle15:09
morganyep15:09
bretonok.15:09
lbragstadah - yes15:09
lbragstadhttps://review.openstack.org/#/c/418166/15:09
morganso, not gonna block any rc especially for that15:09
lbragstadnevermind - i'm getting my release dates mixed up15:10
morganthe 410 fix *is* an rc blocker15:10
morganhttps://review.openstack.org/#/c/490685/15:10
*** lwanderley has quit IRC15:11
morgancmurphy: thanks for the +2s on the "remove positional"15:11
bretonwhy is it rc blocker? It has been like this for ages.15:11
morgani've updated the library in pypi to inactive and pushed a few doc changes to indicate it is dead.15:11
cmurphymorgan: np15:11
morganoh wait, hold on15:11
morgancrossing bugs in my mind.15:11
morgannvm15:11
morganwas thinking it fixed something else as a side effect15:12
lbragstadmorgan: the 204 -> 403 is a release blocker15:12
lbragstadhttps://bugs.launchpad.net/keystone/+bug/170508115:12
openstackLaunchpad bug 1705081 in OpenStack Identity (keystone) "DELETE project API is failing in forbidden(403) error message" [High,In progress] - Assigned to Lance Bragstad (lbragstad)15:12
morganyeah that one15:13
*** prashkre has quit IRC15:13
* lbragstad sets https://review.openstack.org/#/c/491546/ on the desk next to morgan15:13
morganapproved15:13
morganlbragstad: sorry, i don't have a desk15:13
morganmy coffee is taking up the small amount of space on the arm of the chair i am in15:14
* lbragstad gently sets https://review.openstack.org/#/c/491546/ over morgan's coffee15:14
morganlbragstad: -2, it is in the way of my coffee.15:14
morgan:P15:14
*** dstepanenko has joined #openstack-keystone15:14
cmurphyyou don't get in between morgan and his coffee15:15
lbragstadthat is the correct answer, sir15:15
morgancmurphy: ++15:15
morgancmurphy: this is also awesome home-made cold brew15:15
morgan24-48hrs of brewing = amazing15:15
lbragstadmorgan: what coffee to water ration do you use for code brew?15:15
lbragstadratio*(15:16
morganlbragstad: 1:10 or so, 100g coffee, 1000g water15:16
morgansometimes i go 1:1515:16
morgandepends on the coffee15:16
morganlbragstad: using https://www.kickstarter.com/projects/735135736/you-deserve-better-coffee-make-it-now-with-the-arc15:16
bretonso how do i use the MFA? Do i need to set ro.MFA_RULES_OPT to [['password', 'totp']]?15:16
morganbreton: yes.15:17
morganuser['options'][ro.MFA_RULES_OPT] = [['password', 'totp'], ['token']] (ideally)15:17
morgani think i explicitly exempted token15:18
morganbut it never hurts to be explicit15:18
lbragstadmorgan: breton https://bugs.launchpad.net/keystone/+bug/170934415:18
openstackLaunchpad bug 1709344 in OpenStack Identity (keystone) "Identity resource options for multi-factor are undocumented" [Low,Triaged]15:18
*** dstepanenko has quit IRC15:19
bretoni wonder15:20
bretonis there a way to use something derived from the secret in TOTP15:21
morganbreton: explain?15:21
*** sbezverk has joined #openstack-keystone15:23
bretonthere is an existing system with totp. When i create a TOTP credential in keystone, i need to provide a secret for the user in the 'blob' field. I guess administrators will not be happy to give out secrets already used for existing totp tokens.15:23
bretoni wonder what can be done in this situation other than giving out second, openstack-specific tokens15:24
breton(physical tokens)15:24
*** sbezverk_ has joined #openstack-keystone15:24
morganso, in the case of say yubikey you can import a specific secret15:27
*** sbezverk has quit IRC15:28
morganin the case of the other types of hard tokens, you often have to use their hardware appliance15:28
*** lwanderley has joined #openstack-keystone15:28
morgan(RSA)15:28
morganso, if we want to support that, we need a connector to the hardware appliance.15:28
morganand a way to indicate "ask this thing for the current value"15:28
morganwe went with the google-authenticator totp model because it is pretty ubiquitous at this point and works with things such as yubikey15:29
*** lwanderley has quit IRC15:29
bretonwho are "we"?15:29
morgan"we" being the openstack keystone team. in the latter bit (choosing google-auth totp model)15:30
morganand prior "we" would be whomever is connecting to that appliance15:30
morganor the upstream team, if we want to implement support for it15:30
morganif the token is a hard-token (fob) that is part of a specific ecosystem, someone either has to import the secret and make sure the algorithm is the same *or* have a way to connect to the appliance thing that supplies the "good/bad" result.15:31
bretonis there support for totp in openstackclient?15:32
*** jmlowe has quit IRC15:32
*** jmlowe has joined #openstack-keystone15:32
breton*for MFA15:32
morgandepends on if we have the stuff implemented in ksa15:33
morgansince osc leans on ksa's auth plugins15:33
bretonand in ksa?15:33
morgani just don't know off the top of my head15:33
lbragstadyeah - it looks like there is support for totp in ksa15:34
morganlbragstad: i don't think ksa supports multiple auth-plugins atm though15:34
lbragstadhttps://github.com/openstack/keystoneauth/blob/master/keystoneauth1/identity/v3/totp.py15:34
morganwhich was a todo by... uh... who was working on mfa before i re-wrote for the RO code?15:34
morganlbragstad: yes. but can you send both TOTP and password via ksa?15:35
lbragstadnonameentername proposed the original implementation15:35
morgani don't think so15:35
morgannah, was someone else15:35
morgani don't remember who it was though.15:35
bretonlooks like we can't indeed.15:35
morganbreton: so that is something we need to fix.15:36
lbragstadsounds like we need a bug opened against ksa?15:36
*** tobberydberg has joined #openstack-keystone15:38
*** tobberyd_ has joined #openstack-keystone15:41
lbragstadmorgan: breton by multiple auth plugins you mean ksa needs to be able to understand ['password', 'totp'] like flows?15:41
*** tobberydberg has quit IRC15:42
bretonlbragstad: yep15:43
*** tobberyd_ has quit IRC15:45
*** aselius has joined #openstack-keystone15:52
lbragstadbreton: morgan feel free to fill in the context as you see fit - https://bugs.launchpad.net/keystoneauth/+bug/170936215:53
openstackLaunchpad bug 1709362 in keystoneauth "Add support for multiple authentication plugins" [Wishlist,Triaged]15:53
bretonso in case of MFA16:14
bretonif i have 2FA -- password and totp16:15
bretonpassword succeeds, totp fails16:15
bretonhow many notifications will be emitted?16:15
bretonand what notifications? success+fail? just fail?16:15
*** lwanderley has joined #openstack-keystone16:18
*** pcaruana has quit IRC16:27
openstackgerritSamriddhi proposed openstack/keystone master: Fill in content in CLI Documentation  https://review.openstack.org/49066916:29
lbragstadotleimat: o/16:45
lbragstadotleimat: looking to pick up https://bugs.launchpad.net/keystone/+bug/1645568 ?16:45
openstackLaunchpad bug 1645568 in OpenStack Identity (keystone) " keystone-manage mapping_purge fails silently" [Low,Triaged] - Assigned to Omar Tleimat (otleimat)16:45
*** lwanderley has joined #openstack-keystone16:45
otleimatlbragstad after reviewing the comments, is the issue that still remains the ability to have " a combination of --domain-name --public-id --local-id and --type, and now that's not possible anymore since they are all mutually exclusive"? Also, I was going to extend the coverage of the unit tests16:59
samueldmqmorning keystone17:00
gagehugosamueldmq o/17:00
samueldmqgagehugo: o/17:01
openstackgerritDavanum Srinivas (dims) proposed openstack/oslo.policy master: [WIP] Support for SSL based remote checks  https://review.openstack.org/49178317:17
openstackgerritDavanum Srinivas (dims) proposed openstack/oslo.policy master: [WIP] Support for SSL based remote checks  https://review.openstack.org/49178317:44
*** sjain has joined #openstack-keystone17:45
*** ducttape_ has joined #openstack-keystone17:49
lbragstadotleimat: the problem with that specific bug is that the code is attempting to figure out the required argument - when it probably should have been designed to use a library to enforce mutual exclusiveness17:56
lbragstadthe result of hand-rolling the code to do that in keystone is that it's buggy17:57
lbragstadotleimat: based on the latest comments in https://review.openstack.org/#/c/408304/ it sounds like we need to figure out what all the possibilities are and re-center on that17:58
lbragstadit appears the approach ^ is missing a couple cases17:58
lbragstad(which is also a good sign that it's not properly tested17:59
lbragstad)17:59
otleimatlbragstad: thanks for the overview, I'll take a closer look at it this week18:02
lbragstadotleimat: awesome - let me know if you need any help18:03
tellesnobregaayoung, ping18:22
ayoungping tellesnobrega18:22
ayoungping: tellesnobrega: Name or service not known18:22
ayoungtraceroute tellesnobrega18:22
ayoungtellesnobrega: Name or service not known18:22
ayoungCannot handle "host" cmdline arg `tellesnobrega' on position 1 (argc 1)18:22
*** ducttape_ has joined #openstack-keystone18:22
ayoungnslookup tellesnobrega18:22
tellesnobregaayoung, I remember that you told me in Boston that if I needed help with trusts I should ping you18:22
ayoungServer:127.0.0.118:22
ayoungAddress:127.0.0.1#5318:22
ayoung** server can't find tellesnobrega: NXDOMAIN18:22
ayoungI would never have said that.18:23
ayoungI would have said you should ask me....18:23
ayoungping carries no payload18:23
ayoungand it's at the layer 2 level...message would never get tom18:23
ayoungto me18:23
tellesnobregaayoung, true, I might have heard you wrong18:23
ayoungat a minimum use UDP somehow18:23
ayoungHeh18:23
ayounganyway...yes, I can help with trusts18:23
ayoungwhat do you need18:23
tellesnobregawe are hitting an issue on sahara with trusts, related with keystone_authtoken that prevents sahara from creating trusts for the cluster18:25
tellesnobregathis is the bug that was reported18:25
tellesnobregaus18:25
tellesnobregahttps://bugs.launchpad.net/sahara/+bug/170909118:25
openstackLaunchpad bug 1709091 in Sahara ""Failed to create trust" on pike" [Critical,Confirmed]18:25
tellesnobregado you happen to have seen this before?18:29
ayoungtellesnobrega, assume I know nothing about Sahara.  What user is making the call to create the Trust, who is the trustor, and who is the trustee?18:33
tellesnobregaayoung, I would say that the user is sahara and18:35
tellesnobregatrustor = keystone.auth()18:35
tellesnobrega        trustee = keystone.auth_for_admin(project_name=CONF.keystone_authtoken.admin_tenant_name)18:35
jeremyfreudberg(tellesnobrega, i'm back)18:35
ayoungnope try again18:36
ayoungyour answer does not map to the world18:36
ayoungtellesnobrega, let me try asking a different way18:36
tellesnobregaayoung, jeremyfreudberg was the one running the test18:36
tellesnobregahe may know that in more details18:36
ayoungsay I am a human user with the ayoung username in the system18:36
ayoungI go to sahara and something kicks off a trust create, right?18:37
tellesnobregaayoung, correct18:37
*** tobberydberg has quit IRC18:37
ayoungtellesnobrega, so the trustor would be ayoung.  Who is the trustee?18:37
jeremyfreudbergayoung, trustee should be sahara service user18:38
jeremyfreudbergor whatever creds are in [keystone_authtoken] section18:39
ayoungjeremyfreudberg, one service user created on a per-human-user basis?18:39
ayoungoooh18:39
ayoungyuck...but OK18:39
ayoungso, let's say that username is sahara18:39
jeremyfreudbergayoung, sure18:39
jeremyfreudberg(i'm assuming i have trustor trustee in the right order, i always get the who's who of that backwards)18:40
jeremyfreudbergbut the issue is not with creating the trusts themselves18:40
ayoungIf I trust you, I am the trustor, you are the trustee18:40
jeremyfreudbergthe issue is with accessing the private keystone_authtoken configs18:40
ayoungI really worked hard to try and come up with language that was human consumable here18:40
*** markvoelker has joined #openstack-keystone18:40
jeremyfreudbergayoung, that makes sense18:40
ayoungjeremyfreudberg, so, I trust Sahara to do something on my behalf18:41
jeremyfreudbergyes18:41
ayoungtrustor=ayoung, trustee=sahara18:41
jeremyfreudbergyes18:41
ayoungnow, since I sent my token to sahara, that is what sahara is going to use to make the trust.18:41
ayoungNot its own token18:41
jeremyfreudbergsure18:42
tellesnobregaThis delegates a trust from the current user to the Sahara admin user18:42
ayoungThe bug report does not say why the trust create failed.  But my first guess would be that you used the wrong token18:42
jeremyfreudbergmy question (and our issue) is not really about that though, our trust system does work. the issue revolves around simply reading the config18:42
*** tellesnobrega has left #openstack-keystone18:43
jeremyfreudbergsome keystonemiddleware magic and [keystone_authtoken] being private18:43
*** tellesnobrega has joined #openstack-keystone18:43
ayoungum....ok...so this is not a trust question?18:43
jeremyfreudbergayoung, no, not really18:44
ayoungjeremyfreudberg, what values do you need from auth_token?18:45
*** tobberydberg has joined #openstack-keystone18:45
ayoungthe murano code posted there looks semi-sane18:45
jeremyfreudbergayoung, i believe at least username and project_name18:45
jeremyfreudbergayoung, we tried the murano code, as well as https://github.com/openstack/heat/blame/master/heat/common/endpoint_utils.py#L3418:46
jeremyfreudbergbut we still get the error with trying to find those configs18:46
ayoungif you are creating a trust, then you probably only need the service userid18:46
ayoungto create a trust, you need a trustor, a trustee, and a set of roles18:46
ayoungfrom the config, you only get, I think, the username18:46
ayoungwith v3, there is a domain name or id in there.  That is probably what you need18:47
*** markvoelker has quit IRC18:48
jeremyfreudbergayoung, hmm...18:48
*** tobberydberg has quit IRC18:49
ayoungI'm kind of confused about what you are trying to do, but if it is create a trust, and you want to get the trustee information out of the auth_token section, you need keystone_authtoken.username and keystone_authtoken.user_domain_id18:49
jeremyfreudbergayoung, sorry i'm being confusing (knikolla can attest, i sit across from him)... you're right that our entire problem is that we are having issues grabbing the right configs for the trustee18:50
ayoungjeremyfreudberg, then I blame knikolla for the whole thing18:51
jeremyfreudberghttps://github.com/openstack/sahara/blob/master/sahara/service/trusts.py#L89  and https://github.com/openstack/sahara/blob/master/sahara/utils/openstack/keystone.py#L86 is how we do it now, you're saying we don't need all that?18:51
jeremyfreudbergreplace second link with our attempt https://review.openstack.org/#/c/485521/2/sahara/utils/openstack/keystone.py@7718:52
knikollaGimme a sec.18:52
ayoungI'm not familiar with keystone.auth_for_admin(project_name=CONF.keystone_authtoken.admin_tenant_name)18:54
ayoungbut it looks like it should be18:54
jeremyfreudbergayoung, it's our own wrapper that eventually trickles down to v3.Password18:54
ayoungjeremyfreudberg, is that pulling out the service users ID?18:55
jeremyfreudbergayoung, username=CONF.keystone_authtoken.username,18:56
jeremyfreudberg        password=CONF.keystone_authtoken.password, project_name = CONF.keystone_authtoken.project_name (formerly admin_tenant_name) user_domain_name=CONF.keystone_authtoken.user_domain_name,18:56
jeremyfreudberg        project_domain_name=CONF.keystone_authtoken.project_domain_name18:56
jeremyfreudbergsorry, very bad paste18:56
ayounghttps://developer.openstack.org/api-ref/identity/v3-ext/#os-trust-api18:57
ayoungthe actual API param is trustor_user_id and trustee_user_id18:57
ayoungnot sure about what python-keystoneclient exposes them as18:58
jeremyfreudbergayoung, we aren't even at that point yet, though18:58
jeremyfreudbergwe're still stuck trying to grab any config value from [keystone_authtoken]...18:58
lbragstad#startmeeting keystone-office-hours19:00
openstackMeeting started Tue Aug  8 19:00:44 2017 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.19:00
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.19:00
openstackThe meeting name has been set to 'keystone_office_hours'19:00
cmurphyo/19:00
mordredcmurphy, morgan, lbragstad: I agree with what I see in the summary - adding a microversion header without actually supporting microversions seems like a very bad idea19:01
knikollao/19:01
lbragstadmordred: ack19:01
lbragstadmordred: we've punted that until we can discuss our approach to microversions at the PTG19:01
mordred++19:02
mordredlbragstad: I think that's a great plan19:02
lbragstadcmurphy: i think https://bugs.launchpad.net/keystone/+bug/1692090 needs more info19:04
openstackLaunchpad bug 1692090 in OpenStack Identity (keystone) "_dn_to_id ignores user_id_attribute" [Low,In progress] - Assigned to Boris Kudryavtsev (bkudryavtsev)19:04
lbragstadcmurphy: based on your comment - i'm inclined to think you agree19:04
cmurphylbragstad: yes i think that might be solveable in config19:05
lbragstadcmurphy: ack - removed from rc1 and marked as Incomplete19:05
cmurphylbragstad: also it seemed like the solution was making another round trip to ldap which is :(19:06
*** tellesnobrega has left #openstack-keystone19:06
lbragstadyeah..19:07
lbragstadmorgan: your 410 gone patch addressed https://bugs.launchpad.net/keystone/+bug/1696308 ?19:07
openstackLaunchpad bug 1696308 in OpenStack Identity (keystone) "list revoked tokens API returns 500 when pki_setup is not run" [Wishlist,Triaged] - Assigned to Nisha Yadav (ynisha11)19:07
morganyeah it does19:08
*** sjain has quit IRC19:09
ayoungjeremyfreudberg, HTTP_X_USER_ID, HTTP_X_SERVICE_USER_ID19:20
*** ducttap__ has joined #openstack-keystone19:26
*** ducttape_ has quit IRC19:29
*** aojea has joined #openstack-keystone19:30
*** ducttape_ has joined #openstack-keystone19:31
*** ducttap__ has quit IRC19:34
*** tobberydberg has joined #openstack-keystone19:38
*** markvoelker has joined #openstack-keystone19:44
*** dstepanenko has joined #openstack-keystone19:45
*** prashkre has quit IRC19:46
*** dstepanenko has quit IRC19:50
*** markvoelker has quit IRC19:51
*** aojea has quit IRC19:51
*** jmlowe has quit IRC19:54
openstackgerritLance Bragstad proposed openstack/keystone master: Attempt caching list_projects_for_user  https://review.openstack.org/48714319:56
*** aojea has joined #openstack-keystone20:09
*** lucasxu has quit IRC20:17
lbragstadcmurphy: ^ that passes tests now20:23
lbragstad(at least locally)20:23
cmurphysweet20:24
lbragstadi have a patch for my other todo from today's meeting20:24
*** aojea has quit IRC20:24
lbragstadrunning tests locally at the moment20:24
openstackgerritEric Fried proposed openstack/keystoneauth master: WIP: Adapter.get_conf_options(deprecated_opts)  https://review.openstack.org/49089520:24
*** jeremyfreudberg has left #openstack-keystone20:24
cmurphylbragstad: why did the hints arg get dropped?20:25
cmurphythat seems not backwards compatible20:25
lbragstadcmurphy: still working through that bit20:26
lbragstadactually20:26
lbragstadour caching decorator doesn't let us cache methods that accept kwargs20:27
lbragstad:-/20:27
*** aojea has joined #openstack-keystone20:28
cmurphyhrm :(20:28
*** jmlowe has joined #openstack-keystone20:28
lbragstadcmurphy: oh!20:29
lbragstadcmurphy: i remember now20:29
lbragstadcmurphy: not only does it cause weird things with caching20:29
lbragstadcmurphy: it's not even used20:30
*** tobberydberg has quit IRC20:30
lbragstadhttps://review.openstack.org/#/c/487143/2/keystone/assignment/core.py20:30
cmurphyoh you're right20:30
*** tobberydberg has joined #openstack-keystone20:30
lbragstadi should pull that out into its own change20:30
cmurphyyes please20:31
openstackgerritLance Bragstad proposed openstack/keystone master: WIP: Unset project ids for all identity backends  https://review.openstack.org/49191620:35
*** tobberydberg has quit IRC20:35
*** ducttape_ has quit IRC20:39
*** ducttape_ has joined #openstack-keystone20:42
*** ducttape_ has quit IRC20:46
*** aojea has quit IRC20:51
*** sbezverk has quit IRC20:53
openstackgerritLance Bragstad proposed openstack/keystone master: Cache GET /v3/users/{user_id}/projects  https://review.openstack.org/48714320:57
openstackgerritLance Bragstad proposed openstack/keystone master: Remove hints from list_user_projects API  https://review.openstack.org/49192120:57
openstackgerritEric Fried proposed openstack/keystoneauth master: Adapter.get_conf_options(deprecated_opts)  https://review.openstack.org/49089520:57
efried^ ready; closes bug https://bugs.launchpad.net/keystoneauth/+bug/170867320:59
openstackLaunchpad bug 1708673 in keystoneauth "Register deprecated opts with Adapter.get_conf_options" [Undecided,In progress] - Assigned to Eric Fried (efried)20:59
openstackgerritMerged openstack/keystone master: Document required `type` mapping attribute  https://review.openstack.org/49147821:01
*** spzala has quit IRC21:02
*** ducttape_ has joined #openstack-keystone21:05
*** gyee has quit IRC21:05
cmurphylbragstad: so with 491921 - do we need to worry about it breaking out-of-tree drivers?21:07
cmurphythis isn't breaking an api contract at all?21:07
lbragstadi don't believe it is? but i'll walk through how i understand it to be sure21:09
lbragstadso before that change - that api will have attempted to extract things from the request and builds a hints object21:09
lbragstadbased on query strings and whatnot21:10
*** aojea has joined #openstack-keystone21:10
lbragstadregardless of what the user passed in - keystone would always return the same list of assignments (which is arguably broken behavior)21:10
lbragstadso - as far as what keystone returns, it should be the same before and after the patch21:11
lbragstadfrom a driver perspective - the hints object was never passed to a driver so I don't think it should affect folks maintaining their own assignment backend21:11
cmurphyokay21:12
*** mjax has joined #openstack-keystone21:12
lbragstadcmurphy: call me out on it if that doesn't seem right though21:13
cmurphylbragstad: no that makes sense21:14
cmurphylbragstad: minor comment on the patch21:14
lbragstadcmurphy: reading21:14
lbragstadthis might be worth investigating though? https://github.com/openstack/keystone/blob/de5efb234809c1af43f8d98c29759588c0333f29/keystone/assignment/controllers.py#L27321:15
lbragstadjust to see if wrap_collection does anything with hints in the response21:15
lbragstad(which would mean it would be inconsistent with the actual response body since it was never passed to the backend)21:16
openstackgerritLance Bragstad proposed openstack/keystone master: WIP: Unset project ids for all identity backends  https://review.openstack.org/49191621:17
cmurphyhmm iirc it does do things, like imposing list limits21:17
lbragstadcmurphy: right21:17
lbragstad^21:17
openstackgerritLance Bragstad proposed openstack/keystone master: WIP: Unset project ids for all identity backends  https://review.openstack.org/49191621:19
clarkblbragstad: I think I have time now to look at that grenade thing again. Looks like the logs for the case I found have already been expired and deleted :/21:21
lbragstadclarkb: yeah - cmurphy and i noticed that earlier21:22
clarkbmy memory of the original case was that tests were failing due to the bug so it wasn't just a warning. IIRC nova couldn't boot instances because some system user apparently did not exist21:22
*** sbezverk has joined #openstack-keystone21:22
*** StefanPaetowJisc has joined #openstack-keystone21:22
clarkbthat said all of the hits for your logstash query are failed jobs21:22
clarkbso I don't think its "normal" at least not during tempest runs21:23
clarkboh except those are all for the midonet job which likely is just broken21:24
clarkboh and that was only last 15 minutes derp21:24
*** StefanPaetowJisc has quit IRC21:24
openstackgerritLance Bragstad proposed openstack/keystone master: Remove hints when listing domains and project for users  https://review.openstack.org/49192121:25
*** StefanPaetowJisc has joined #openstack-keystone21:25
openstackgerritGage Hugo proposed openstack/keystone master: WIP - Add description for relationship links in api-ref  https://review.openstack.org/49193421:28
gagehugolbragstad: ^ WIP but let me know if that would be a good approach to take for describing the relationship links21:28
*** StefanPaetowJi-1 has joined #openstack-keystone21:28
clarkblbragstad: I noticed http://logs.openstack.org/17/479517/20/check/gate-grenade-dsvm-neutron-ubuntu-xenial/94d3489/logs/apache/keystone.txt?level=WARNING#_2017-08-08_21_10_44_518 while digging into logs for the earlier issue, not sure if this is expected (maybe just a bad patch?)21:29
lbragstadgagehugo: thanks21:30
lbragstadclarkb: interesting - that seems consistent with our direction21:30
*** StefanPaetowJisc has quit IRC21:30
*** StefanPaetowJi-1 is now known as StefanPaetowJisc21:31
lbragstadclarkb: https://github.com/openstack/keystone/blob/de5efb234809c1af43f8d98c29759588c0333f29/keystone/middleware/core.py#L51-L7121:31
lbragstadmight need to update the paste file for that service?21:31
openstackgerritEric Fried proposed openstack/keystoneauth master: Protect against missing interface attribute  https://review.openstack.org/48856821:32
efried^ ready; closes bug https://bugs.launchpad.net/keystoneauth/+bug/170727321:32
openstackLaunchpad bug 1707273 in keystoneauth "get_adapter_conf_options(include_deprecated=False) results in NoSuchOptError" [Undecided,In progress] - Assigned to Eric Fried (efried)21:32
clarkbinteresting that you chose to log that as an error... should be warning imo. Errors should be for fatal actions21:32
*** raildo has quit IRC21:32
clarkblbragstad: its probably because in grenade we don't update the configs between versions so we write the old version then update install and start new version with old config21:32
clarkb(but thats totally not an error)21:33
*** dstepanenko has joined #openstack-keystone21:33
lbragstadclarkb: here's the change https://review.openstack.org/#/c/427878/21:33
lbragstaddigging into it to see if there is history behind the reasoning21:34
clarkblbragstad: I've tried searching logstash tempest.txt on grenade jobs for timeouts based on the original bugs info, and I'm not finding anything so guessing this bug can be ignored/closed and we'll just have to debug it if it shows up again21:34
lbragstadmorgan: do you remember the context of why that ^ was an error instead of a warning?21:35
clarkblbragstad: cmurphy so ya I think I'd just mark that as incomplete or invalid until we have more infos21:35
morganuhm....21:36
cmurphyclarkb: \o/ best kind of bug21:36
morganyes21:36
morganthat is supposed to be an error21:36
morgandon't have that in your paste-ini21:36
clarkbbut it isn't an error if the service is perfectly capable of functioning...21:36
*** markvoelker has joined #openstack-keystone21:37
morganit is going away as in it *will* break your cloud when it's deleted21:37
clarkbsure definitely log it21:37
morganit's logged as an error because of that21:37
clarkbwarning would be appropriate21:37
morgani disagree.21:37
*** dstepanenko has quit IRC21:37
morganwe did warning before and it wasn't high enough21:37
morganthings broke people horribly21:37
clarkbthe problem with error is anytime I see an error in my logs I think fire21:37
*** thorst has quit IRC21:37
clarkband the problem is lots of software doesn't actually log errors for fires and it leads to people ignoring errors21:38
clarkbthen you miss real fires21:38
morganthis is a fire, if we remove it it errors and breaks the cloud in non-easy to diagnose ways21:38
* clarkb looks at gerrit's logs and has a sad21:38
morganthis *must* be removed this release.21:38
clarkbmorgan: thats not what grenade says21:38
*** edmondsw has quit IRC21:38
lbragstadmorgan: you mean in Queens?21:38
clarkbgrenade says keystone is working fine despite the error21:38
morganbefore queens21:38
clarkbnext release then21:39
morganif it is not removed in queens you break. and break badly. paste-ini is many times CMS managed (sigh)21:39
clarkbnot this release21:39
morganit must be removed in this release, not there by next21:39
clarkb(so grenade is doing the right thing)21:39
morganif it is still there next release, you are 100% broken and it is not a clear error21:39
morganpaste errors are really unclear/unfun21:39
morganand confusing21:40
morganthis is an error case. it is an operator must make a change.21:40
clarkbanyways my point is it works fine in pike as evidenced by grenade21:40
lbragstadthis says it was deprecated *this* release and staged for removal in Queens https://github.com/openstack/keystone/blob/de5efb234809c1af43f8d98c29759588c0333f29/keystone/middleware/core.py#L55-L5821:40
clarkband there are better ways to address that (like the work to make paste data not config)21:40
morganlbragstad: correct21:40
morganclarkb: i tried, i lost that battle21:40
clarkbif it was actually an error grenade should fail imo21:40
morganthe way to do that is delete paste from our deps21:40
morganyou can't make it not config otherwise21:41
morganlbragstad: when the code is deleted, paste fails if it's still there21:41
clarkbas is you have a honeypot for people debugging real errors that will only cause confusion21:41
morganclarkb: i wanted to remove paste and make everything a simple wsgi app, i was told in no uncertain terms by other cores that that was a -2 because people use it as config and add elements to the pipeline21:41
morganwell, then i guess we'll just disagree. in my experience, when a change is needed within the cycle that will totally hork your cloud next upgrade, it is worthy of an error21:42
*** markvoelker has quit IRC21:44
* morgan stands by the decision that it is an error.21:44
morganif the ptl wants to change it, he may. i'm not going to block a change like that.21:45
morganor ptl supporting a change for it.21:45
clarkbI'm just giving my opinion as a person that operates a ton of different software and reads a lot of openstack logs21:45
clarkbusing error too much leads to people ignoring it and also creates confusion when looking for causes of real failures21:45
morganthe error log did exactly what it was supposed to do btw21:45
morganthen21:45
morganit brought your attention to the paste-ini21:45
clarkbyup, but if I'm debugging why nova can't boot an instance that isn't useful21:46
morganas an operator you'd see that and fix your config, no?21:46
morganearly on. but it doesn't break your cloud *today*21:46
clarkbyes, but not while I am firefighting21:46
clarkbits just noise and not helpful21:46
morgananyway, i simply disagree here.21:47
morganthis is telegraphing a "will break your cloud" [it's not critical, it is an error in the config] change21:48
openstackgerritEric Fried proposed openstack/keystoneauth master: Protect against missing interface attribute  https://review.openstack.org/48856821:48
openstackgerritEric Fried proposed openstack/keystoneauth master: Adapter.get_conf_options(deprecated_opts)  https://review.openstack.org/49089521:48
efriedokay NOW they're ready.21:49
clarkbmorgan: you might want to link to docs/release notes in that case21:49
morganclarkb: if it is a huge deal, propose a fix that downgrades it and have lbragstad approve it. i stand by this choice.21:49
clarkbmorgan: so that it is clear where the delineation is and why things aren't on fire now21:50
clarkbas is the message says "you are broken cloud on fire"21:50
lbragstadit doesn't look like it's in the cinder paste.ini21:53
morganthis is only in the keystone paste-ini21:53
openstackgerritMorgan Fainberg proposed openstack/keystone master: Make an error state message more explicit  https://review.openstack.org/49193821:56
lbragstadweird - so where is that getting set?21:56
lbragstadoh...21:56
morgangrenade doesn't update the paste-ini21:56
morganor use the new one21:56
morganso the code says "oh hey this is a bad config. this will break your cloud in the next release'21:56
morgan'fix your config'21:57
morganif the operator was using the default paste-ini from pike, no issue would occur21:57
morganbut if they manage paste-ini as config (which they shouldn't, but i lost that argument as said before)21:57
morganthey would need to fix it to prevent a future "omg totally broken"21:58
lbragstad#endmeeting22:01
openstackMeeting ended Tue Aug  8 22:01:50 2017 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)22:01
openstackMinutes:        http://eavesdrop.openstack.org/meetings/keystone_office_hours/2017/keystone_office_hours.2017-08-08-19.00.html22:01
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/keystone_office_hours/2017/keystone_office_hours.2017-08-08-19.00.txt22:01
openstackLog:            http://eavesdrop.openstack.org/meetings/keystone_office_hours/2017/keystone_office_hours.2017-08-08-19.00.log.html22:01
*** markvoelker has joined #openstack-keystone22:04
*** StefanPaetowJisc has quit IRC22:04
*** markvoelker_ has joined #openstack-keystone22:05
*** markvoelker has quit IRC22:09
efriedmordred If I specify an endpoint_override to my Adapter, and I say adap.get_endpoint_data(discover_versions=False, skip_discovery=True), do I expect that ksa will NOT try to GET at whatever I specified as my endpoint_override?22:25
efried(never mind that Adapter.get_endpoint_data doesn't take those kwargs today - in my sandbox it does, and passes them down to auth.get_endpoint_data)22:26
mordredefried: so - that's a really weird call to make - what's the intent?22:27
efriedmordred Well, ultimately I'm trying to "fix" the thing where I specify an endpoint_override, but get_endpoint_data().url gives me back something that ain't that.22:27
*** dstepanenko has joined #openstack-keystone22:27
mordredyah. that's a thing I totally agree with :)22:28
efriedSo I'm playing around in a sandbox and noticing that when I say adapter_with_endpoint_override.get_endpoint_data(), it takes a sec - longer if my endpoint_override is e.g. external and/or not a real service.22:28
mordredefried: so - yeah, I'd expect get_endpoint_data(discover_versions=False, skip_discovery=True) to not do a fetch - although honestly I'm not 100% sure we should expose that on the adapter call22:29
efriedmordred Wellll...22:29
mordredbut - ignoring that for a sec - I do think we should make sure it's possible to get the URL that's been given and avoid additional calls22:29
*** spzala has joined #openstack-keystone22:30
mordredthe reason I say I'm not sure we should expose it is that get_endpoint is there for if you just want a URL - and get_endpoint should pass skip_discovery=True already, right?22:30
efriedOkay, so yeah, if I just have an adapter with an endpoint override and I say get_endpoint(), it skips everything and regurgitates my endpoint_override.  That's fine.22:30
mordredget_endpoint_data ultimately needs to make the call because the point of it is mostly to get you the metainfo about the endpoint in question22:31
mordredand it can't fetch that data without doing a GET22:31
efriedShit, I guess the only reason I really care to go through get_endpoint_data at all in this case is because nova's _ContextAuthPlugin is busted.22:31
mordredHOWEVER - we need to make sure that if we give an endpoint_override and call get_endpoint_data that we don't wind up returning a different URL from the discovery dict22:32
efriedyuh, that's the subject of https://bugs.launchpad.net/keystoneauth/+bug/170799322:32
openstackLaunchpad bug 1707993 in keystoneauth "EndpointData.url should regurgitate my endpoint_override" [Low,Triaged]22:32
mordredif you give endpoint_override you should ALWAYS get it back22:32
*** dstepanenko has quit IRC22:32
efried...which I can fix with the suggested solution - though I'm still unsure how to test it.22:32
efriedWhich is what I was trying to figure out when I got into this rabbit hole.22:33
mordrednod22:34
mordredunderstand22:34
efriedCause of course I started off putting endpoint_override = http://foo.com:1234 into my conf.22:34
efriedexpecting to get that back.22:34
efriedwhich... kinda happens after a long time if I let it go.22:34
mordredefried: well - you can put in some requests_mock things into the unittest and make sure nothing hits that url22:34
efriedmordred I don't think that's what I want to test.22:35
efriedI actually want to test the fix for https://bugs.launchpad.net/keystoneauth/+bug/170799322:35
openstackLaunchpad bug 1707993 in keystoneauth "EndpointData.url should regurgitate my endpoint_override" [Low,Triaged]22:35
efriedand mebbe forget about that other thing :)22:35
efriedright now if I do that - set the service_url to the endpoint_override - all the existing tests pass.22:36
efriedWhat I actually need is a test that fails without that fix, of course.22:36
mordredyah- well, we do want to make sure we're not causing an additional GET - but that should be covered by skip_discovery (which even mentions endpoint_override in its docs :) )22:36
*** markvoelker has joined #openstack-keystone22:36
mordredefried: so - I think two things:22:37
efriedmordred Not causing an additional GET - additional because we're setting both service_url and catalog_url?  Or because we're using an endpoint_override?22:37
mordredefried: you need a test that sets up a version discovery doc that has a different url than what you're using for endpoint_override22:37
*** markvoel_ has joined #openstack-keystone22:37
mordredso that you can see it fail because it'll return the url it finds from that - and then that setting service_url = endpoint_override makes it not fail in that way22:38
*** thorst has joined #openstack-keystone22:38
mordredefried: the additional GET should be covered by skip_discovery ... if we call get_endpoint_data and skip_discovery is false, we should expect it to grab the version document for the endpoint in question22:39
mordredefried: which is my way of saying I think your issue has 2 heads - the functional/important one is your suggestion of setting service_url=endpoint_override - which I think is the right fix and you should do it22:40
*** gyee has joined #openstack-keystone22:40
*** markvoelker_ has quit IRC22:40
openstackgerritDavanum Srinivas (dims) proposed openstack/oslo.policy master: [WIP] Support for SSL based remote checks  https://review.openstack.org/49178322:40
*** markvoelker has quit IRC22:41
efriedmordred Okay, so if I put that up, could I talk you into doing the UT (or at least getting me started)?22:42
openstackgerritEric Fried proposed openstack/keystoneauth master: WIP: Return the endpoint_override from EndpointData  https://review.openstack.org/49194722:43
*** thorst has quit IRC22:43
efried^22:43
mordredefried: yes - although it'll be tomorrow morning before I can22:44
efriedmordred Sure, no problem.  TIA.22:44
efriedmordred In case a mutual-back-scratch helps my case, https://review.openstack.org/#/c/488568/6/keystoneauth1/tests/unit/loading/test_adapter.py  :)22:46
openstackgerritMerged openstack/keystone master: Except forbidden when clearing default project IDs  https://review.openstack.org/49154623:00
*** markvoelker has joined #openstack-keystone23:01
*** markvoel_ has quit IRC23:03
*** spzala has quit IRC23:05
*** spzala has joined #openstack-keystone23:05
*** spzala has quit IRC23:05
*** spzala has joined #openstack-keystone23:06
*** spzala has quit IRC23:06
*** spzala has joined #openstack-keystone23:07
*** spzala has quit IRC23:07
*** spzala has joined #openstack-keystone23:07
*** spzala has quit IRC23:07
*** spzala has joined #openstack-keystone23:08
*** spzala has quit IRC23:08
openstackgerritMerged openstack/keystone master: Fill in content in CLI Documentation  https://review.openstack.org/49066923:08
*** aojea has quit IRC23:12
*** markvoelker has quit IRC23:18
*** markvoelker has joined #openstack-keystone23:18
*** ducttape_ has quit IRC23:19
*** markvoelker has quit IRC23:23
*** ducttape_ has joined #openstack-keystone23:25
*** catintheroof has quit IRC23:29
otleimatFor parsing arguments in the command line in python, does anyone know a good way to require at least one option but not limit it to one? All solutions I've seen require you to add logic. I was wondering if there are any builtin options for this. A mutually exclusive group solves the requiring at least one option but limits it to at most one. Would appreciate any feedback23:46
morganNot that I am aware of23:59
morganIt would be custom logic.23:59
