Friday, 2017-08-18

*** stingaci has joined #openstack-keystone		00:06
*** stingaci has quit IRC		00:11
*** thorst has joined #openstack-keystone		00:11
*** masuberu has joined #openstack-keystone		00:17
*** masber has quit IRC		00:20
*** stingaci has joined #openstack-keystone		00:22
*** stingaci has quit IRC		00:26
*** dave-mccowan has joined #openstack-keystone		00:30
*** mjax has quit IRC		00:32
*** mjax has joined #openstack-keystone		00:32
*** mjax has quit IRC		00:34
*** agrebennikov has joined #openstack-keystone		00:38
*** stingaci has joined #openstack-keystone		00:38
*** stingaci has quit IRC		00:43
*** openstackgerrit has joined #openstack-keystone		00:43
openstackgerrit	Merged openstack/keystoneauth master: Protect against missing interface attribute https://review.openstack.org/488568	00:43
*** edmondsw has joined #openstack-keystone		00:55
*** aojea has joined #openstack-keystone		01:08
*** zhurong has joined #openstack-keystone		01:11
*** otleimat has quit IRC		01:12
*** aojea has quit IRC		01:14
*** zxy has joined #openstack-keystone		01:15
*** lucasxu has joined #openstack-keystone		01:20
*** lucasxu has quit IRC		01:22
*** zzzeek has quit IRC		01:23
*** zzzeek has joined #openstack-keystone		01:24
*** r-daneel has quit IRC		01:24
*** zzzeek has quit IRC		01:25
*** zzzeek has joined #openstack-keystone		01:25
*** guoshan has joined #openstack-keystone		01:29
*** masber has joined #openstack-keystone		01:34
*** masber has quit IRC		01:34
*** masuberu has quit IRC		01:34
*** thorst has quit IRC		01:36
*** edmondsw has quit IRC		01:40
*** markvoelker has joined #openstack-keystone		01:41
*** dave-mccowan has quit IRC		01:56
*** aselius has quit IRC		01:57
*** zxy has quit IRC		01:59
openstackgerrit	zhengliuyang proposed openstack/keystone master: Don't need set ephemeral user's domain when mapping https://review.openstack.org/494405	02:02
*** stingaci has joined #openstack-keystone		02:13
*** markvoelker has quit IRC		02:15
*** stingaci has quit IRC		02:18
*** stingaci has joined #openstack-keystone		02:44
*** stingaci has quit IRC		02:49
*** stingaci has joined #openstack-keystone		03:00
*** stingaci has quit IRC		03:04
*** edmondsw has joined #openstack-keystone		03:05
*** aojea has joined #openstack-keystone		03:10
*** edmondsw has quit IRC		03:11
*** markvoelker has joined #openstack-keystone		03:12
*** aojea has quit IRC		03:15
*** stingaci has joined #openstack-keystone		03:16
*** stingaci has quit IRC		03:20
*** nicolasbock_ has joined #openstack-keystone		03:25
*** stingaci has joined #openstack-keystone		03:32
*** stingaci has quit IRC		03:36
*** thorst has joined #openstack-keystone		03:36
*** thorst has quit IRC		03:40
*** markvoelker has quit IRC		03:46
*** stingaci has joined #openstack-keystone		03:48
*** masber has joined #openstack-keystone		03:49
*** agrebennikov has quit IRC		03:50
*** stingaci has quit IRC		03:52
*** masber has quit IRC		03:53
*** mkrcmari__ has joined #openstack-keystone		04:01
*** stingaci has joined #openstack-keystone		04:03
*** stingaci has quit IRC		04:08
*** aojea has joined #openstack-keystone		04:11
*** aojea has quit IRC		04:16
*** hoonetorg has joined #openstack-keystone		04:18
*** stingaci has joined #openstack-keystone		04:20
*** links has joined #openstack-keystone		04:23
*** stingaci has quit IRC		04:24
*** stingaci has joined #openstack-keystone		04:36
*** stingaci has quit IRC		04:41
*** markvoelker has joined #openstack-keystone		04:43
*** gyee has quit IRC		04:45
*** prashkre has joined #openstack-keystone		04:49
*** stingaci has joined #openstack-keystone		04:51
*** edmondsw has joined #openstack-keystone		04:54
*** stingaci has quit IRC		04:55
*** edmondsw has quit IRC		04:58
*** stingaci has joined #openstack-keystone		05:07
*** masber has joined #openstack-keystone		05:09
*** stingaci has quit IRC		05:11
*** markvoelker has quit IRC		05:16
*** stingaci has joined #openstack-keystone		05:23
*** stingaci has quit IRC		05:27
*** zhurong has quit IRC		05:38
*** stingaci has joined #openstack-keystone		05:38
*** zhurong has joined #openstack-keystone		05:42
*** stingaci has quit IRC		05:43
openstackgerrit	zhengliuyang proposed openstack/keystone master: Update parameters in sp and idp https://review.openstack.org/494449	05:54
*** stingaci has joined #openstack-keystone		05:54
*** stingaci has quit IRC		05:58
*** aojea has joined #openstack-keystone		06:12
*** markvoelker has joined #openstack-keystone		06:13
*** aojea has quit IRC		06:16
*** stingaci has joined #openstack-keystone		06:25
*** stingaci has quit IRC		06:30
*** aojea has joined #openstack-keystone		06:37
*** rcernin has joined #openstack-keystone		06:41
*** stingaci has joined #openstack-keystone		06:42
*** edmondsw has joined #openstack-keystone		06:42
*** jidar has left #openstack-keystone		06:43
*** kukacz has joined #openstack-keystone		06:43
*** kukacz_ has joined #openstack-keystone		06:44
*** markvoelker has quit IRC		06:46
*** stingaci has quit IRC		06:46
*** edmondsw has quit IRC		06:46
*** kukacz has quit IRC		06:48
*** stingaci has joined #openstack-keystone		06:57
*** stingaci_ has joined #openstack-keystone		06:59
*** stingaci has quit IRC		06:59
*** stingaci_ has quit IRC		07:11
*** tesseract has joined #openstack-keystone		07:13
*** namnh has joined #openstack-keystone		07:18
*** namnh has quit IRC		07:18
*** namnh has joined #openstack-keystone		07:19
*** namnh has quit IRC		07:20
*** pcaruana has quit IRC		07:32
*** markvoelker has joined #openstack-keystone		07:43
*** stingaci has joined #openstack-keystone		07:46
*** stingaci has quit IRC		07:47
*** stingaci has joined #openstack-keystone		07:47
*** aojea has quit IRC		07:49
*** pcaruana has joined #openstack-keystone		07:54
*** ioggstream has joined #openstack-keystone		08:01
*** aojea has joined #openstack-keystone		08:03
*** nicolasbock_ has quit IRC		08:14
*** markvoelker has quit IRC		08:16
*** masber has quit IRC		08:26
*** Adri2000 has left #openstack-keystone		08:39
*** markvoelker has joined #openstack-keystone		09:14
*** markvoelker has quit IRC		09:47
*** aojea has quit IRC		09:54
*** pcaruana has quit IRC		10:02
*** edmondsw has joined #openstack-keystone		10:18
*** pcaruana has joined #openstack-keystone		10:22
*** edmondsw has quit IRC		10:22
*** markvoelker has joined #openstack-keystone		10:44
*** guoshan has quit IRC		10:46
*** zhurong has quit IRC		11:01
*** ayoung has quit IRC		11:11
*** ayoung has joined #openstack-keystone		11:17
*** markvoelker has quit IRC		11:17
*** mvk has joined #openstack-keystone		11:32
*** mkrcmari__ has quit IRC		11:35
openstackgerrit	OpenStack Proposal Bot proposed openstack/oslo.policy master: Updated from global requirements https://review.openstack.org/494878	11:40
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient master: Updated from global requirements https://review.openstack.org/494898	11:41
knikolla	o/	11:52
*** thorst has joined #openstack-keystone		11:59
*** raildo has joined #openstack-keystone		12:02
*** edmondsw has joined #openstack-keystone		12:06
*** edmondsw has quit IRC		12:11
*** prashkre has quit IRC		12:13
*** prashkre has joined #openstack-keystone		12:16
*** aojea has joined #openstack-keystone		12:18
*** rcernin has quit IRC		12:21
*** markvoelker has joined #openstack-keystone		12:25
*** edmondsw has joined #openstack-keystone		12:27
openstackgerrit	Samuel Pilla proposed openstack/python-keystoneclient master: Add project tags to keystoneclient https://review.openstack.org/481223	12:27
*** prashkre_ has joined #openstack-keystone		12:30
*** prashkre has quit IRC		12:30
*** dave-mccowan has joined #openstack-keystone		12:31
*** raildo has quit IRC		12:35
*** rcernin has joined #openstack-keystone		12:38
*** raildo has joined #openstack-keystone		12:38
*** Dinesh_Bhor has quit IRC		12:39
*** catintheroof has joined #openstack-keystone		12:40
*** catinthe_ has joined #openstack-keystone		12:41
*** catintheroof has quit IRC		12:41
*** prashkre_ has quit IRC		12:47
*** jaosorior has quit IRC		13:05
*** lucasxu has joined #openstack-keystone		13:08
knikolla	lbragstad: few questions about the global-roles patches when you're here.	13:19
*** gokhan has joined #openstack-keystone		13:34
*** david-lyle has joined #openstack-keystone		13:35
*** dklyle has quit IRC		13:36
*** sjain has joined #openstack-keystone		13:38
lbragstad	knikolla: go for it	14:02
knikolla	lbragstad: any reason to global_token (string) vs is_global (bool) ?	14:02
lbragstad	knikolla: that's a good question	14:03
lbragstad	i went back and forth on that when i original wrote this	14:03
lbragstad	i suppose the controller and manager layers could using booleans and everything gets converted to a 'global' token when in the backend	14:04
lbragstad	?	14:04
*** lwanderley has joined #openstack-keystone		14:05
knikolla	lbragstad: that would be more clear i think.	14:06
*** efried is now known as fried_rice		14:06
knikolla	i only did a high level pass of the patches though.	14:06
lbragstad	knikolla: that's fine	14:06
knikolla	today should finally have time to do a proper review :)	14:06
*** lucasxu has quit IRC		14:07
lbragstad	knikolla: do you think it's fine that drivers or out-of-tree backends do the conversion of is_global -> global_token then?	14:07
*** kukacz has joined #openstack-keystone		14:07
lbragstad	iirc that was the reason why i passed the global_token directly from the manager	14:07
knikolla	Aren't we killing out of tree assignment?	14:08
knikolla	Or is that for token?	14:09
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Implement manager logic for global roles https://review.openstack.org/494371	14:11
*** kukacz_ has quit IRC		14:11
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Implement global role assignments for users https://review.openstack.org/494374	14:11
lbragstad	knikolla: i think that was out-of-tree resource drivers	14:12
knikolla	lbragstad: true. For domains.	14:12
lbragstad	knikolla: let me rework those patches and see if it helps	14:16
*** david-lyle has quit IRC		14:16
*** dklyle has joined #openstack-keystone		14:16
knikolla	lbragstad: getting coffee and doing a proper review now	14:18
lbragstad	anyone here ever watch Silicon Valley?	14:19
knikolla	lbragstad: i watched half first episode.	14:25
knikolla	doesn't really count	14:25
lbragstad	lol	14:26
lbragstad	we just started watching it last night	14:26
*** dansmith is now known as superdan		14:26
knikolla	heard it's good	14:27
lbragstad	yeah - it's pretty funny	14:28
*** itlinux has joined #openstack-keystone		14:28
lbragstad	i was apprehensive to start it - but so far it's good	14:28
*** aojea has quit IRC		14:28
knikolla	lbragstad: i'll give it another shot.	14:29
knikolla	lbragstad: so in the sql case, global roles are stored with target=global_token	14:32
lbragstad	yeah - the target is 'global' in that case	14:33
lbragstad	instead of being a project or domain id	14:33
*** itlinux has quit IRC		14:36
*** itlinux has joined #openstack-keystone		14:37
knikolla	lbragstad: i think it's better to let drivers decide how to store global roles.	14:37
knikolla	IMO	14:38
lbragstad	knikolla: so converting the boolean to something if they want to?	14:38
*** lwanderley has quit IRC		14:38
lbragstad	and persisting it that way	14:38
knikolla	they can still ignore the string if they want	14:38
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Implement backend logic for global roles https://review.openstack.org/494338	14:38
lbragstad	knikolla: ^ pushing the boolean into the backend	14:39
lbragstad	pushed*	14:39
knikolla	lbragstad: good that you also fixed the `targets = ['global']` to `[GLOBAL_TOKEN]`	14:40
*** lwanderley has joined #openstack-keystone		14:40
lbragstad	knikolla: yeah	14:41
lbragstad	not quite sure why i didn't do that in the first place	14:41
knikolla	lbragstad: when does queens open up for dev?	14:43
lbragstad	knikolla: it's open	14:44
lbragstad	https://review.openstack.org/#/c/494666/	14:44
knikolla	lbragstad: approved ^^	14:45
lbragstad	cool	14:45
lbragstad	i'll repropose the global roles spec to queens today	14:46
knikolla	cool	14:46
knikolla	also lift the -2 from project-tags patches	14:46
*** lwanderley has quit IRC		14:46
openstackgerrit	Merged openstack/keystone-specs master: Create Queens directory for specs https://review.openstack.org/494666	14:49
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Implement manager logic for global roles https://review.openstack.org/494371	14:55
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Implement manager logic for global roles https://review.openstack.org/494371	14:55
*** itlinux has quit IRC		14:56
lbragstad	knikolla: good call - done	14:58
*** david-lyle has joined #openstack-keystone		15:04
*** dklyle has quit IRC		15:04
*** davechen has quit IRC		15:08
*** links has quit IRC		15:10
*** otleimat has joined #openstack-keystone		15:14
*** aselius has joined #openstack-keystone		15:15
*** john89 has joined #openstack-keystone		15:16
*** spilla has joined #openstack-keystone		15:23
lbragstad	ayoung: curious if you have a follow up to https://review.openstack.org/#/c/492529/ ?	15:24
lbragstad	or know if the author hangs out in IRC?	15:24
ayoung	lbragstad, I sent Jose an email but have not heard back from him. I can p[ing Tim Bell on Twitter, though...that is always effective?	15:24
lbragstad	when in doubt - always twiiter	15:25
lbragstad	twitter*	15:25
ayoung	Done	15:26
lbragstad	ayoung: thank you	15:26
openstackgerrit	Gage Hugo proposed openstack/keystone master: Add new tags attribute to project https://review.openstack.org/470317	15:26
* lbragstad goes to refills coffee		15:27
lbragstad	knikolla: i'll repropose the controller bits when i get back	15:27
knikolla	lbragstad: sounds good.	15:27
lbragstad	knikolla: a more critical eye on the testing of that layer would be good	15:27
knikolla	lbragstad: coffee makes for very critical eyes	15:28
knikolla	and i've had a lot of it	15:28
*** gyee has joined #openstack-keystone		15:28
knikolla	lbragstad: what was the consensus on list dedups? https://review.openstack.org/#/c/491574/2/keystone/common/utils.py	15:36
*** david-lyle has quit IRC		15:37
*** dklyle has joined #openstack-keystone		15:37
*** dklyle has quit IRC		15:44
*** david-lyle has joined #openstack-keystone		15:46
*** swain has joined #openstack-keystone		15:48
lbragstad	knikolla: i tested a few different implementations that dedup lists of dictionaries and timed them	15:55
lbragstad	knikolla: https://gist.github.com/lbragstad/a81776e2c679f728c19cad7f3a35703f	15:55
*** sapd has quit IRC		15:55
knikolla	lbragstad: have the results handy?	15:56
lbragstad	knikolla: sure - let me run them quick	15:57
lbragstad	knikolla: http://paste.openstack.org/show/618785/	15:58
knikolla	lbragstad: cool. let me rerun that with larger lists and see if that changes anything.	16:00
knikolla	lbragstad: while we don't expect anyone to have more than a few roles on the same project. people might have a lot of projects where they have roles.	16:00
knikolla	so the scenario changes a bit	16:00
lbragstad	right	16:00
lbragstad	knikolla: feel free to elaborate on the gist	16:00
lbragstad	or add more test cases to it	16:00
*** prashkre has joined #openstack-keystone		16:05
*** spilla has quit IRC		16:08
*** pcaruana has quit IRC		16:12
*** tesseract has quit IRC		16:12
*** rcernin has quit IRC		16:12
knikolla	lbragstad: the dict method starts becoming faster at n=5	16:14
lbragstad	knikolla: nice	16:14
knikolla	http://paste.openstack.org/show/618786/	16:14
openstackgerrit	Octave Orgeron proposed openstack/keystone master: Enables MySQL Cluster support for Keystone https://review.openstack.org/431229	16:15
knikolla	modify the range loop	16:15
*** markvoelker has quit IRC		16:16
lbragstad	knikolla: i left a note on gagehugo's review	16:22
openstackgerrit	Octave Orgeron proposed openstack/keystone master: Enables MySQL Cluster support for Keystone https://review.openstack.org/431229	16:22
lbragstad	knikolla: you're results would be helpful, too	16:22
*** aojea has joined #openstack-keystone		16:24
*** stingaci has quit IRC		16:25
*** itlinux has joined #openstack-keystone		16:29
knikolla	lbragstad: http://paste.openstack.org/show/618787/	16:30
*** itlinux has quit IRC		16:31
*** aojea has quit IRC		16:31
lbragstad	knikolla: nice	16:31
*** ioggstream has quit IRC		16:32
knikolla	lbragstad: since projects for dedup will be in the range of tens, it makes sense to optimize.	16:33
lbragstad	knikolla: yeah - i'm good with that	16:33
gagehugo	knikolla lbragstad nice!	16:35
*** mvk_ has joined #openstack-keystone		16:36
*** Guest75213 is now known as med_		16:37
*** med_ has quit IRC		16:37
*** med_ has joined #openstack-keystone		16:37
*** mjax has joined #openstack-keystone		16:38
*** itlinux has joined #openstack-keystone		16:38
*** mvk_ has quit IRC		16:38
*** prashkre has quit IRC		16:39
*** mvk has quit IRC		16:39
*** mvk has joined #openstack-keystone		16:40
*** mvk_ has joined #openstack-keystone		16:43
*** catinthe_ has quit IRC		16:43
*** catintheroof has joined #openstack-keystone		16:45
*** mvk has quit IRC		16:46
*** sjain has quit IRC		16:50
gagehugo	lbragstad knikolla we would have to use dedup_by_dict_values for projects since a list cannot be hashed so list_comprehension won't work and the list is not guaranteed to be in order so "project in unique_projects" won't work either if the tags are the same but out of order	16:51
knikolla	check your emails for talk approval notifications for sydney	16:51
knikolla	gagehugo: yeah, we should use the dict method.	16:51
gagehugo	will do, thanks for putting that example together	16:52
lbragstad	gagehugo: a containment check does a deep copy comparison though	16:54
lbragstad	so order shouldn't matter	16:54
lbragstad	i think?	16:54
lbragstad	but dedup_by_dict_values is more performant	16:55
gagehugo	http://paste.openstack.org/show/618789/	16:56
gagehugo	lbragstad idk, the test originally was failing even though it was the same project, but the tags were returned out of order	16:57
lbragstad	weird, i figured a deep copy comparison would catch that!	16:57
lbragstad	oh - wait.. it is	16:58
lbragstad	it doesn't consider the lists to be the same if they are ordered differently	16:58
gagehugo	yeah	16:58
gagehugo	the list messes it all up	16:58
gagehugo	for anything else in the object, it works fine	16:59
*** itlinux has quit IRC		17:03
*** lucasxu has joined #openstack-keystone		17:06
*** stingaci has joined #openstack-keystone		17:18
lbragstad	knikolla: double checking here - but global roles don't make any sense with inheritance do they?	17:18
lbragstad	global role assignment should only be direct role assignments	17:19
knikolla	lbragstad: yes	17:19
knikolla	lbragstad: or implied?	17:19
lbragstad	inheritance - specifically	17:21
lbragstad	i can kinda think of cases where implied roles make sense globally	17:21
*** stingaci has quit IRC		17:22
knikolla	i agree about inheritance. i was thinking ahead.	17:25
knikolla	lbragstad: so in terms of implication. "project/domain -> global", "global -> global" kinda make sense	17:28
lbragstad	knikolla: for implied roles or inherited roles	17:29
lbragstad	implied right?	17:29
knikolla	implied yes. i'm thinking out loud.	17:29
lbragstad	i was more thinking 'admin' implies 'member' which implies 'observer'	17:30
knikolla	hmmm.. let me refresh my implied roles.	17:31
lbragstad	and assigning Jane 'admin' globally means that her effective assignments would include 'admin, 'member', and 'observer' through expanding the implied roles	17:31
knikolla	lbragstad: yes. global -> global. right?	17:32
lbragstad	right	17:32
lbragstad	but i'm not sure i completely understand what you mean by global -> global	17:32
lbragstad	or are you saying the following should be possible:	17:33
knikolla	lbragstad: i was thinking if there was any use case where we want to be able to imply a global role from a non global role.	17:33
lbragstad	'admin' implies 'member' on Project A	17:33
lbragstad	or 'admin' on Project A implies 'observer' globally	17:33
knikolla	the second	17:34
lbragstad	hmm	17:34
*** itlinux has joined #openstack-keystone		17:34
lbragstad	my knee jerk reaction is to say that's dangerous	17:34
knikolla	agree.	17:34
lbragstad	is there a use case floating around from something like that?	17:35
knikolla	except for making the transition smoother	17:35
knikolla	nothing pops into my mind	17:35
lbragstad	yeah - so for the transition they can either do something like ^ with implied roles	17:36
lbragstad	or grant the users who need global rights a role globally	17:36
knikolla	let's only allow global implies global then. unless someone brings a plausible use case.	17:37
lbragstad	i agree	17:38
lbragstad	iirc we have similar constraints on global roles and domain roles	17:39
lbragstad	where you can't have one imply the other	17:39
knikolla	s/global/project/?	17:40
lbragstad	knikolla: well - we technically have global roles	17:42
lbragstad	today	17:42
lbragstad	but you just can't assign them globally	17:42
lbragstad	when you create a role, it's available for use by any project or domain	17:42
lbragstad	but we also have domain role which are only available for assignment within that domain	17:42
lbragstad	domain roles*	17:42
knikolla	lbragstad: oh right.	17:42
lbragstad	i want to say we have a restriction somewhere in the implied roles API that prevents you from having a domain role imply a "global" role or vice versa	17:43
knikolla	lbragstad: in my mind they're just "normal" roles, haha.	17:43
lbragstad	knikolla: right	17:43
lbragstad	knikolla: "well, you see, they're global roles, but they're not..."	17:43
knikolla	lbragstad: "the good, the bad and the ugly: the three types of keystone roles"	17:44
knikolla	(after we add global global)	17:44
lbragstad	one global to rule them all	17:44
* lbragstad is now officially confused		17:45
lbragstad	the inherited + implied + global stuff is going to take a lot of testing	17:48
*** lucasxu has quit IRC		17:48
knikolla	lbragstad: hmmm... the thing i said about three types of roles is actually wrong.	17:48
knikolla	as we're allowing global role assignment with "normal" roles. right?	17:48
knikolla	normal as in non-domain roles.	17:49
lbragstad	knikolla: correct	17:49
lbragstad	knikolla: keystone doesn't have the ability to create per project roles	17:49
knikolla	lbragstad: yep. it's just that they need to have a project/domain target.	17:50
knikolla	when assigned	17:50
*** juliandemille has joined #openstack-keystone		17:51
lbragstad	knikolla: you mean global roles today?	17:51
lbragstad	right?	17:51
knikolla	yes	17:51
juliandemille	Hello everyone, I've been having some issues with Keystone on a CentOS 7 system and would like to know how to troubleshoot it	17:53
knikolla	lbragstad: i think i have a pretty clear idea now.	17:53
*** itlinux has quit IRC		17:54
knikolla	lbragstad: got myself confused mostly by repeatedly reading bp/global-roles and assuming that they'd be a different type rather than just a different assignment.	17:55
lbragstad	knikolla: ideally, we could go through and attempt to apply a consistent pattern to the assignment API	17:55
lbragstad	when creating a role you can specific a domain, a project, or None	17:55
lbragstad	which denotes where that role can be used	17:56
lbragstad	None means that it can be used by all projects and all domains (hence being global)	17:56
lbragstad	when creating a role assignment - you can grant a role to three scopes, a domain, a project, or None	17:56
lbragstad	None is effectively global	17:56
lbragstad	then its all a matter of validation	17:56
lbragstad	if the role is project-specific, make sure it matches the project in the assignment	17:57
juliandemille	The error log is at this pastebin: https://pastebin.com/raw/4sbrFsCH	17:57
lbragstad	juliandemille: looks like you need to install memcached	17:57
lbragstad	or python-memcached	17:57
lbragstad	knikolla: the same thing would apply for domain roles and domain role assignments	17:58
juliandemille	@lbragstad Pip claims python-memcached is installed, and Yum claims memcached is installed	17:58
knikolla	lbragstad: hmmm.. that would require a lot of work on the policy side.	17:58
lbragstad	knikolla: it would	17:59
lbragstad	knikolla: the nice part would be that if you build the API to accept generalized targets (regardless of global, domain, or project) you can reuse all of it to implement global roles, global role assignments, domain roles, domain role assignments, project roles, and project role assignments	17:59
knikolla	lbragstad: that is true. #v4	18:00
lbragstad	juliandemille: actually - it looks like it's tripping over a backend import	18:02
juliandemille	lbragstad: How can I debug that?	18:02
lbragstad	juliandemille: are you specifying anything in particular in your config?	18:02
lbragstad	or are you relying on default?	18:03
lbragstad	defaults*?	18:03
juliandemille	lbragstad: I just configured the SQL options	18:03
lbragstad	juliandemille: which release are you using?	18:03
juliandemille	lbragstad: Ocata	18:04
lbragstad	juliandemille: and you're specifying your backends like `driver = sql`?	18:04
juliandemille	Yes	18:04
*** stingaci has joined #openstack-keystone		18:04
*** itlinux has joined #openstack-keystone		18:05
lbragstad	juliandemille: what are you using for a token driver?	18:06
juliandemille	Let me check	18:06
juliandemille	sql	18:08
lbragstad	what about provider?	18:08
lbragstad	`keystone.conf [token] provider`	18:08
juliandemille	That line is commented out	18:09
*** stingaci has quit IRC		18:09
*** mvk_ has quit IRC		18:10
lbragstad	juliandemille: it seems to be complaining about:	18:13
lbragstad	super(PersistenceManager, self).__init__(CONF.token.driver)	18:13
lbragstad	and fails in importutils because it can't load that backend	18:13
juliandemille	Should I uncomment it? 'provider = fernet'	18:14
lbragstad	juliandemille: well - fernet is the default token provider and sql is the default token driver (which isn't used if fernet is in place)	18:14
lbragstad	https://github.com/openstack/keystone/blob/stable/ocata/keystone/conf/token.py#L76	18:14
lbragstad	https://github.com/openstack/keystone/blob/stable/ocata/keystone/conf/token.py#L62	18:14
lbragstad	so you could try commenting those out and see what happens using the defaults that are registered in code	18:15
*** itlinux has quit IRC		18:16
juliandemille	That throws this error in mod_wsgi: https://pastebin.com/raw/JiXm7M4q	18:17
*** swain has quit IRC		18:18
lbragstad	juliandemille: oh - run `keystone-manage fernet_setup`	18:19
*** lucasxu has joined #openstack-keystone		18:20
lbragstad	juliandemille: can you paste a copy of your config with sensitive stuff redacted?	18:20
juliandemille	lbragstad: In a minute, yes	18:20
*** stingaci has joined #openstack-keystone		18:20
juliandemille	After running fernet_setup, I got a 401 Unauthorized	18:21
lbragstad	juliandemille: you got a 401 when doing what?	18:21
lbragstad	just authenticating or validating a token?	18:21
juliandemille	Trying the `openstack service create` command	18:21
lbragstad	well - we might be past the module issue	18:22
lbragstad	what was the error specifically?	18:22
lbragstad	the logs might have more info	18:22
juliandemille	2017-08-18 14:20:58.594 21745 WARNING keystone.common.wsgi [req-ca081ac6-97ed-4dcb-9375-b2726b163790 - - - - -] Authorization failed. The request you have made requires authentication. from ::1	18:23
lbragstad	that could be caused by a number of things	18:23
lbragstad	you could check to make sure you have the right role to make that request	18:24
lbragstad	can you do an `openstack token issue`?	18:24
juliandemille	I'm currently using the admin token. How can I make sure it's configured correctly?	18:24
*** stingaci has quit IRC		18:24
lbragstad	juliandemille: the admin token as in the configuration file?	18:25
juliandemille	lbragstad: Yes	18:25
lbragstad	ohhh	18:25
lbragstad	juliandemille: you're bootstrapping your deployment, right?	18:25
juliandemille	lbragstad: Bootstrapping it?	18:25
lbragstad	juliandemille: does your keystone deployment consist of any information outside of a user?	18:25
lbragstad	does it contain service or endpoints for other things yet?	18:26
juliandemille	lbragstad: No, it's brand new	18:26
lbragstad	cool	18:26
lbragstad	juliandemille: we built a utility to help with that and it doesn't require the ADMIN token	18:26
lbragstad	juliandemille: https://docs.openstack.org/keystone/latest/admin/identity-bootstrap.html	18:26
openstackgerrit	Gage Hugo proposed openstack/keystone master: Refactor removal of duplicate projects/domains https://review.openstack.org/491574	18:26
lbragstad	juliandemille: see the note here - https://docs.openstack.org/keystone/latest/admin/identity-bootstrap.html#using-a-shared-secret	18:27
*** user1911 has joined #openstack-keystone		18:28
lbragstad	juliandemille: it essentially boils down to the fact there are two different ways to bootstrap a new keystone deployment	18:28
lbragstad	the first, and original, way was to use the ADMIN token and special middleware that would allow you to make any request to keystone so long as you knew the shared secret	18:28
lbragstad	but... that is a large security vulnerability	18:29
lbragstad	so we introduced a second way, which is `keystone-manage bootstrap`	18:29
lbragstad	and it must be done from a keystone-node (not via the API)	18:29
juliandemille	Okay, I ran the bootstrap, but I'm still getting a 401 when using the new credentials	18:30
lbragstad	juliandemille: are you using an rcfile to source your envs?	18:30
lbragstad	or passing them on the commandline?	18:30
juliandemille	Command line	18:30
lbragstad	juliandemille: here is an example of the vars that i use - http://paste.openstack.org/show/618795/	18:32
user1911	@juliandemille: if you set insecure_debug = true in keystone.conf it will tell you why it's failing	18:32
lbragstad	can you double check that the vars you're passing on the command line match what bootstrap just created?	18:32
*** catinthe_ has joined #openstack-keystone		18:33
lbragstad	`keystone-manage bootstrap` should have left you with an admin user, admin project, ensured the default domain is in place, and optionally an identity service with endpoints	18:33
*** catinth__ has joined #openstack-keystone		18:33
juliandemille	__init__() got an unexpected keyword argument project_name	18:33
lbragstad	trace?	18:34
juliandemille	No trace is appearing	18:34
lbragstad	you're getting that when you do an `openstack token issue`?	18:34
juliandemille	Yes	18:35
*** catintheroof has quit IRC		18:35
lbragstad	juliandemille: sounds like an issue with openstackclient	18:35
user1911	did you set the identity api version to 3?	18:35
user1911	--os-identity-api-version 3	18:36
lbragstad	or that ^	18:36
juliandemille	Yes	18:36
*** catinthe_ has quit IRC		18:37
lbragstad	what version of python-openstackclient are you using?	18:38
juliandemille	3.8.1-1.el7.noarch	18:39
lbragstad	juliandemille: can you authenticate via curl and see if that works?	18:40
juliandemille	lbragstad: How can I do that?	18:41
lbragstad	https://developer.openstack.org/api-ref/identity/v3/#authentication-and-token-management	18:41
clarkb	you can also pass the debug flag to osc which should show you the curl equivalent requests	18:41
lbragstad	clarkb: ++	18:41
lbragstad	i always forget about that	18:41
user1911	@lbragstad: could i ask you some qq's?	18:42
lbragstad	user1911: sure	18:42
lbragstad	clarkb: we got that race condition with password updates fixed	18:42
user1911	so i was looking at this line on the keystone policy file: https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L3	18:42
user1911	"cloud_admin": "role:admin and (is_admin_project:True or domain_id:admin_domain_id)	18:42
clarkb	lbragstad: oh nice, have a link to the patch? curious what the problem was	18:42
lbragstad	clarkb: https://review.openstack.org/#/c/493259/	18:43
user1911	where it says domain_id:admin_domain_id... isn't the only way to get the domain_id from the domain token?	18:43
user1911	since project tokens don't seem to have a domain_id associated with them	18:43
*** john89 has quit IRC		18:44
lbragstad	user1911: yeah - that seems specific to domain_scoped tokens	18:44
lbragstad	projects belong to domains though, too	18:44
user1911	ok that seems unusual to me, since i can't seem to do much with domain tokens	18:44
user1911	since i assume they don't have a service catalog associated with them	18:45
lbragstad	user1911: they do	18:45
lbragstad	user1911: you can get a domain scoped token that has a service catalog	18:45
user1911	oh really?	18:45
lbragstad	but - most of openstack doesn't really understand domain scoped tokens yet	18:45
lbragstad	we have a lot of policy work to get that realized consistently across the rest of the projects	18:45
user1911	does that include the openstack client as well?	18:46
*** prashkre has joined #openstack-keystone		18:46
user1911	i'll usually get an error like "service catalog was empty"	18:46
user1911	if I try to run keystone stuff with a domain token	18:46
lbragstad	(e.g. listing instances with a project scoped token means something different from listing instances with a domain scoped token)	18:46
user1911	ok understand that	18:47
juliandemille	ArgsAlreadyParsedError (HTTP 500) from wsgi	18:47
lbragstad	user1911: the openstackclient might omit the service catalog when asking for domain-scoped tokens	18:47
user1911	ahh that would make sense	18:47
lbragstad	the token api has a ?nocatalog query parameter	18:48
*** itlinux has joined #openstack-keystone		18:49
user1911	I see	18:49
lbragstad	also - there have been issues with that specific policy file	18:49
lbragstad	and i don't think it's a drop in replacement for the default policy file	18:49
lbragstad	cc edmondsw knows more about that though	18:50
user1911	yes we've been trying to test it as a replacement to our current policy file	18:50
juliandemille	lbragstad: HTTP 500: ArgsAlreadyParsedError from mod_wsgi	18:50
edmondsw	lbragstad what's the question?	18:51
lbragstad	juliandemille: https://bugs.launchpad.net/keystone/+bug/1466485	18:51
openstack	Launchpad bug 1466485 in OpenStack Identity (keystone) "keystone fails with: ArgsAlreadyParsedError: arguments already parsed: cannot register CLI option" [Critical,Expired]	18:51
lbragstad	edmondsw: user1911 had some questions on the v3 policy we have in tree	18:51
user1911	yes, specifically https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L3	18:52
lbragstad	edmondsw: specifically where domain_id:admin_domain_id is used - https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L3	18:52
edmondsw	reading back	18:52
lbragstad	user1911: beat me to the punch!	18:52
user1911	:)	18:52
lbragstad	user1911: is your nick randomly generated?	18:52
edmondsw	yes, the domain_id bit there is for domain-scoped tokens	18:52
lbragstad	edmondsw: oh - that makes sense	18:53
edmondsw	that domain_id:admin_domain_id was a precursor to the is_admin_project:True thing, I believe, and not great	18:53
user1911	@lbragstad: no i picked it myself :)	18:53
edmondsw	I actually removed it in my customization :)	18:53
user1911	and yes it's a reference to a shady group of ppl	18:53
user1911	:p	18:53
juliandemille	lbragstad: After bruteforcing it, I got a 401	18:53
lbragstad	edmondsw: oh - that makes sense - i was going to say i haven't heard about that in a while	18:54
user1911	@edmondsw: so it would make sense if we dropped the domain_id bit?	18:54
edmondsw	user1911 I think so, but let me check something...	18:55
lbragstad	user1911: to the best of my knowledge, i'm not sure it's used	18:55
user1911	ok	18:57
user1911	I can see it being used in the future	18:57
lbragstad	but i'll deter to edmondsw for clarification :)	18:58
edmondsw	user1911 I am really dredging my memory hear, but I think a few years ago we had the idea of using admin_domain where you had to configure each OpenStack service to know what that was, and that's a mess...	18:58
edmondsw	so we pretty much dropped that in favor of is_admin_project where keystone is the only thing that needs to know what that is	18:59
lbragstad	juliandemille: is there anything more specific in the keystone logs?	18:59
juliandemille	Nope	18:59
edmondsw	user1911 I believe it's left just for backward compatibility, so I would not use it if I were you	18:59
juliandemille	Authorization failed	18:59
edmondsw	going into a mtg now...	18:59
user1911	@edmondsw: thanks a lot. that clarified quite a bit	19:00
edmondsw	user1911 np	19:00
user1911	thanks @lbragstad for the help too!	19:00
lbragstad	user1911: anytime!	19:00
*** user1911 has quit IRC		19:03
*** markvoelker has joined #openstack-keystone		19:05
*** lucasxu has quit IRC		19:06
*** stingaci has joined #openstack-keystone		19:07
juliandemille	lbragstad: No additional info from Keystone, just unauthorized	19:08
*** stingaci has quit IRC		19:11
lbragstad	juliandemille: and you're sure the information specified on the command line matches what you supplied to bootstrap and what bootstrap created?	19:12
juliandemille	Fairly sure, let me make sure the bootstrap worked	19:13
*** itlinux has quit IRC		19:15
*** itlinux has joined #openstack-keystone		19:18
juliandemille	Yes, I am	19:18
*** stingaci has joined #openstack-keystone		19:22
juliandemille	lbragstad: Bootstrap worked correctly, and I am 100% sure I'm passing the right information	19:25
lbragstad	if you turn debug logging in keystone does that give you more information?	19:26
*** ducttape_ has quit IRC		19:26
*** ducttape_ has joined #openstack-keystone		19:26
*** stingaci has quit IRC		19:30
juliandemille	lbragstad: How can I do that?	19:33
lbragstad	juliandemille: https://github.com/openstack/keystone/blob/stable/ocata/keystone/conf/default.py#L166-L174	19:35
lbragstad	setting that option to True in your keystone configuration file	19:35
juliandemille	That just gave me a 500	19:37
juliandemille	Nope, the same bug	19:37
juliandemille	401	19:37
lbragstad	juliandemille: yeah - i expected it to give you a little more information in your keystone log file	19:40
juliandemille	Nothing useful there	19:41
*** stingaci has joined #openstack-keystone		19:41
*** stingaci has quit IRC		19:46
*** cfriesen_ has joined #openstack-keystone		19:58
*** stingaci has joined #openstack-keystone		19:58
*** edmondsw has quit IRC		19:59
cfriesen_	has anyone ever considered extending the API to deal more efficiently with many regions? ie scoping the initial authorization such that the returned endpoints correspond only to a particular region? Otherwise I could see the endpoint list getting very long if there are many regions.	19:59
*** stingaci has quit IRC		20:02
*** stingaci has joined #openstack-keystone		20:14
*** stingaci has quit IRC		20:18
*** itlinux has quit IRC		20:22
*** aselius has quit IRC		20:23
*** otleimat has quit IRC		20:23
*** itlinux_ has joined #openstack-keystone		20:29
*** stingaci has joined #openstack-keystone		20:30
*** kukacz_ has joined #openstack-keystone		20:33
*** stingaci has quit IRC		20:34
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Implement global role assignments for users https://review.openstack.org/494374	20:34
ayoung	lbragstad, ooooh goody!	20:36
ayoung	lbragstad, so...how are they going to look in the token validation response?	20:36
ayoung	Scope: Global?	20:37
ayoung	Global tokens?	20:37
*** kukacz has quit IRC		20:37
lbragstad	ayoung: yeah - something like that	20:38
lbragstad	ayoung: not entirely sure yet - still working those bits out	20:38
lbragstad	i think i'm going to propose two different ways of getting them though	20:38
ayoung	lbragstad, so long as getting a global scoped token is different from an unscoped token, I think we are ok	20:38
ayoung	make it a deliberate action	20:38
lbragstad	ayoung: yeah - that's one of the proposals	20:38
ayoung	and, just like we can't go from project scoped to project scoped, we can't go from global to project	20:38
ayoung	cool	20:39
ayoung	Will global roles show up on a project scoped token?	20:39
*** stingaci has joined #openstack-keystone		20:40
lbragstad	ayoung: i don't think so?	20:40
lbragstad	they will show up when you ask for your role assignments	20:41
*** stingaci_ has joined #openstack-keystone		20:42
*** stingaci has quit IRC		20:46
ayoung	lbragstad, maybe it is something people can explicitly ask for: project scoped + global roles.	20:47
*** itlinux_ has quit IRC		20:48
*** stingaci has joined #openstack-keystone		20:48
lbragstad	ayoung: yeah - possibly	20:49
lbragstad	ayoung: the scoping bits are going to require some thought	20:49
lbragstad	besides the obvious cases	20:50
ayoung	lbragstad, also, we need to think what the policy enforcement is going to look like	20:50
lbragstad	yeah	20:50
ayoung	I am almost tempted to call them something other than roles	20:50
ayoung	like clusterroles in kubernetes	20:51
ayoung	that way, policy would be:	20:51
ayoung	globalrole: admin or (role: admin and project: proejct)	20:51
*** stingaci_ has quit IRC		20:52
lbragstad	that's still coupling the scope check i policy - no?	20:52
*** stingaci has quit IRC		20:53
*** itlinux has joined #openstack-keystone		20:58
*** edmondsw has joined #openstack-keystone		20:59
*** prashkre has quit IRC		21:00
*** dave-mccowan has quit IRC		21:01
juliandemille	lbragstad: I've given up, so I reinstalled following the manual's instructions, but now the python-openstackclient doesn't understand project environment variables	21:03
lbragstad	juliandemille: did you install the same version of python-openstackclient?	21:04
*** edmondsw has quit IRC		21:04
juliandemille	lbragstad: Both 3.8.2 and 3.12.0 didn't work	21:04
*** dave-mccowan has joined #openstack-keystone		21:12
*** thorst has quit IRC		21:13
*** dave-mccowan has quit IRC		21:15
lbragstad	juliandemille: the #openstack-sdks channel might have more information on that	21:16
juliandemille	Ok	21:16
lbragstad	sounds like an issue with python-openstackclient	21:16
openstackgerrit	Samuel Pilla proposed openstack/python-keystoneclient master: Add project tags to keystoneclient https://review.openstack.org/481223	21:17
*** superdan is now known as dansmith		21:19
*** catintheroof has joined #openstack-keystone		21:22
*** catinth__ has quit IRC		21:25
*** jmlowe_ has joined #openstack-keystone		21:28
*** jmlowe has quit IRC		21:29
*** thorst has joined #openstack-keystone		21:30
*** thorst has quit IRC		21:31
*** juliandemille has quit IRC		21:32
*** itlinux has quit IRC		21:33
*** juliandemille has joined #openstack-keystone		21:34
*** aselius has joined #openstack-keystone		21:37
*** kukacz_ is now known as kukacz		21:40
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Implement global role assignments for groups https://review.openstack.org/481781	21:42
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Implement global role assignments for groups https://review.openstack.org/481781	21:46
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Implement global role assignments for users https://review.openstack.org/494374	21:46
*** kukacz__ has joined #openstack-keystone		21:49
*** kukacz has quit IRC		21:53
*** kukacz__ has quit IRC		21:53
*** catintheroof has quit IRC		21:57
*** lbragstad has quit IRC		21:59
*** raildo has quit IRC		22:19
*** thorst has joined #openstack-keystone		22:31
*** thorst has quit IRC		22:36
*** ducttap__ has joined #openstack-keystone		22:46
*** edmondsw has joined #openstack-keystone		22:48
*** ducttape_ has quit IRC		22:50
*** edmondsw has quit IRC		22:52
*** stingaci has joined #openstack-keystone		23:12
*** ducttape_ has joined #openstack-keystone		23:14
*** ducttap__ has quit IRC		23:18
*** thorst has joined #openstack-keystone		23:37
*** thorst has quit IRC		23:41

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!