Thursday, 2017-08-31

« Wednesday, 2017-08-30 Index Friday, 2017-09-01 »
*** edmondsw has quit IRC00:01
*** thegreenhundred has joined #openstack-keystone00:14
*** markvoelker_ has quit IRC00:27
*** markvoelker has joined #openstack-keystone00:28
*** markvoelker has quit IRC00:28
*** thorst_afk has joined #openstack-keystone00:31
*** catintheroof has quit IRC00:35
*** markvoelker has joined #openstack-keystone00:44
*** rama_y has quit IRC00:48
*** markvoelker has quit IRC00:48
*** zhurong has joined #openstack-keystone00:49
*** Shunli has joined #openstack-keystone00:55
*** spotz has quit IRC01:00
*** wxy has joined #openstack-keystone01:14
*** spotz has joined #openstack-keystone01:35
*** mjax has quit IRC01:36
*** mjax has joined #openstack-keystone01:38
*** mjax has quit IRC01:39
*** mjax has joined #openstack-keystone01:40
*** thorst_afk has quit IRC01:41
*** mjax has quit IRC01:41
*** sapd has joined #openstack-keystone01:42
*** markvoelker has joined #openstack-keystone01:44
*** aselius has quit IRC01:46
*** sapd has quit IRC01:49
*** thorst_afk has joined #openstack-keystone02:00
*** jmlowe has quit IRC02:00
*** jmlowe has joined #openstack-keystone02:01
*** sapd has joined #openstack-keystone02:02
*** catintheroof has joined #openstack-keystone02:03
*** ducttape_ has joined #openstack-keystone02:17
*** markvoelker has quit IRC02:18
*** otleimat has quit IRC02:29
*** jamesbenson has joined #openstack-keystone02:32
*** jamesbenson has quit IRC02:37
*** thorst_afk has quit IRC02:45
*** thorst_afk has joined #openstack-keystone02:46
*** thorst_afk has quit IRC02:50
*** ducttape_ has quit IRC02:57
*** nicolasbock has quit IRC03:05
*** catintheroof has quit IRC03:07
*** jmlowe has quit IRC03:13
*** jmlowe has joined #openstack-keystone03:14
*** markvoelker has joined #openstack-keystone03:15
*** mjax has joined #openstack-keystone03:27
*** rama_y has joined #openstack-keystone03:28
*** rama_y has quit IRC03:29
*** mjax has quit IRC03:29
*** rama_y has joined #openstack-keystone03:29
*** itlinux has quit IRC03:33
*** links has joined #openstack-keystone03:39
*** thorst_afk has joined #openstack-keystone03:47
*** markvoelker has quit IRC03:48
*** thorst_afk has quit IRC03:51
*** ducttape_ has joined #openstack-keystone03:54
*** rama_y has quit IRC04:21
*** gyee has quit IRC04:23
*** zhurong has quit IRC04:29
*** itlinux has joined #openstack-keystone04:35
*** markvoelker has joined #openstack-keystone04:45
*** thorst_afk has joined #openstack-keystone04:47
*** zhurong has joined #openstack-keystone04:48
*** itlinux has quit IRC04:52
*** thorst_afk has quit IRC04:52
*** ducttape_ has quit IRC04:53
*** aojea has joined #openstack-keystone05:16
*** markvoelker has quit IRC05:19
*** markvoelker has joined #openstack-keystone05:24
*** markvoelker_ has joined #openstack-keystone05:25
*** oomichi has quit IRC05:28
*** markvoelker has quit IRC05:29
*** oomichi has joined #openstack-keystone05:30
*** aojea has quit IRC05:41
*** markvoelker_ has quit IRC05:48
*** thorst_afk has joined #openstack-keystone05:48
*** aojea has joined #openstack-keystone05:50
*** ducttape_ has joined #openstack-keystone05:51
*** edmondsw has joined #openstack-keystone05:52
*** thorst_afk has quit IRC05:53
*** aojea has quit IRC06:07
*** aojea has joined #openstack-keystone06:07
*** jamesbenson has joined #openstack-keystone06:09
*** aojea has quit IRC06:12
*** jamesbenson has quit IRC06:13
*** links has quit IRC06:15
*** pcaruana has joined #openstack-keystone06:22
*** david-lyle has quit IRC06:28
*** david-lyle has joined #openstack-keystone06:28
*** rcernin has joined #openstack-keystone06:40
*** david-lyle has quit IRC06:47
*** dklyle has joined #openstack-keystone06:47
*** thorst_afk has joined #openstack-keystone06:49
*** dklyle has quit IRC06:53
*** david-lyle has joined #openstack-keystone06:53
*** thorst_afk has quit IRC06:54
*** hoonetorg has quit IRC07:04
*** david-lyle has quit IRC07:17
*** hoonetorg has joined #openstack-keystone07:17
*** aojea has joined #openstack-keystone07:21
openstackgerritYongMing Zeng proposed openstack/keystone master: Closes-Bug:#1714179 modified:   sql.py  https://review.openstack.org/49948607:28
*** links has joined #openstack-keystone07:29
*** tesseract has joined #openstack-keystone07:32
*** david-lyle has joined #openstack-keystone07:35
*** cfriesen_ has quit IRC07:38
*** oomichi has quit IRC07:44
*** oomichi has joined #openstack-keystone07:44
*** mjax has joined #openstack-keystone07:47
*** mjax has quit IRC07:48
*** thorst_afk has joined #openstack-keystone07:50
*** thorst_afk has quit IRC07:55
*** zsli_ has joined #openstack-keystone08:02
*** zsli_ has quit IRC08:03
*** zsli_ has joined #openstack-keystone08:04
*** Shunli has quit IRC08:05
*** zsli_ has quit IRC08:05
*** zsli_ has joined #openstack-keystone08:06
*** edmondsw has quit IRC08:08
*** zsli_ has quit IRC08:17
*** zsli__ has joined #openstack-keystone08:17
*** openstackgerrit has quit IRC08:17
*** thorst_afk has joined #openstack-keystone08:51
*** thorst_afk has quit IRC08:55
*** zsli__ has quit IRC09:11
*** zsli__ has joined #openstack-keystone09:12
*** Shunli has joined #openstack-keystone09:16
*** Nakato has quit IRC09:18
*** zsli__ has quit IRC09:19
*** Nakato has joined #openstack-keystone09:20
*** Shunli has quit IRC09:21
*** openstackgerrit has joined #openstack-keystone09:26
openstackgerritchenaidong1 proposed openstack/keystone master:     error sql function  https://review.openstack.org/49953509:26
*** jamesbenson has joined #openstack-keystone09:28
*** jamesbenson has quit IRC09:32
openstackgerritYongMing Zeng proposed openstack/keystone master: add project extra filed Closes-Bug:#1714179 modified:   sql.py  https://review.openstack.org/49948609:35
*** hoonetorg has quit IRC09:36
*** thorst_afk has joined #openstack-keystone09:51
*** hoonetorg has joined #openstack-keystone09:53
*** thorst_afk has quit IRC09:56
*** nicolasbock has joined #openstack-keystone10:02
*** nicolasbock has quit IRC10:06
*** nicolasbock has joined #openstack-keystone10:19
*** szaher has quit IRC10:41
*** szaher has joined #openstack-keystone10:46
*** thorst_afk has joined #openstack-keystone10:52
*** thorst_afk has quit IRC10:57
*** jistr is now known as jistr|biab11:12
*** dave-mccowan has joined #openstack-keystone11:18
zhuronghi, all, I am use session to auth the keystone client, and can list the uses and projects, but can not get the service_catalog info from the client by using `client.service_catalog`, can someone give me some suggestions? thanks11:28
*** thorst_afk has joined #openstack-keystone11:40
efried_offzhurong You should be using keystoneauth1, not keystoneclient.11:42
efried_offAnd discovery methods, not direct access to the service catalag.11:44
cmurphyzhurong: what's the error message when you try?11:48
cmurphyefried_off: you can still use keystoneclient for keystoney things like users and projects11:49
*** efried_off is now known as efried11:50
cmurphyand it doesn't look lik the service_catalog property of httpclient should be broken afaict11:50
efriedcmurphy Okay; thought we were trying to phase ksc out entirely.11:50
cmurphyefried: for auth, but ksa won't ever do things like list projects and whatnot11:50
efriedDuly noted, thanks.11:51
*** thegreenhundred has quit IRC11:55
zhurongcmurphy how can we get the service_catalog?11:55
*** aojea has quit IRC11:56
cmurphyzhurong: well the client has a service_catalog property http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/httpclient.py#n441 so i would think what you're trying would work, i'm wondering what the error message was when you tried it11:59
cmurphyzhurong: efried has a point though, why are you trying to access the catalog directly?11:59
zhurongcmurphy  there are no error messages, just None12:00
*** raildo has joined #openstack-keystone12:01
zhurongcmurphy I want get the endpoint using kc.client.service_catalog.url_for(service_type='compute', endpoint_type='publicURL')12:02
*** mvk has joined #openstack-keystone12:03
zhurongcmurphy This code used to work12:04
cmurphyzhurong: ah that is definitely something that keystoneauth should be doing, see https://docs.openstack.org/keystoneauth/latest/using-sessions.html12:04
zhurongcmurphy yeah, I am using the session way like the docs12:04
zhurongcmurphy and then can not get the endpoint from this code `kc.client.service_catalog.url_for(service_type='compute', endpoint_type='publicURL')`12:05
zhurongcmurphy seems we can not get service_catalog directly, thanks. I will change the way12:09
cmurphyzhurong: hmm it could be that all of the recent changes in keystoneauth broke something in keystoneclient :(12:14
cmurphyzhurong: let us know if you can't get it working12:14
*** jistr|biab is now known as jistr12:20
*** catintheroof has joined #openstack-keystone12:30
*** rama_y has joined #openstack-keystone12:34
*** jaosorior has quit IRC12:37
*** thegreenhundred has joined #openstack-keystone12:38
*** jaosorior has joined #openstack-keystone12:38
*** hidekazu has joined #openstack-keystone12:44
*** hidekazu has quit IRC12:44
*** jaosorior has quit IRC12:44
*** jaosorior has joined #openstack-keystone12:45
*** jaosorior has quit IRC12:45
*** jaosorior has joined #openstack-keystone12:46
*** dave-mccowan has quit IRC12:57
*** dave-mcc_ has joined #openstack-keystone13:09
*** zhurong has quit IRC13:14
openstackgerritLuke Hinds proposed openstack/python-keystoneclient master: Adds bandit nosec flag to hashlib.sha1  https://review.openstack.org/49959513:22
*** rama_y has quit IRC13:34
*** gyee has joined #openstack-keystone13:41
*** edmondsw has joined #openstack-keystone13:51
*** ducttape_ has quit IRC13:56
*** ducttape_ has joined #openstack-keystone13:57
*** josecastroleon has quit IRC13:57
*** jaosorior has quit IRC13:57
*** jaosorior has joined #openstack-keystone13:59
*** josecastroleon has joined #openstack-keystone13:59
*** cristicalin has joined #openstack-keystone14:05
*** ducttape_ has quit IRC14:11
*** itlinux has joined #openstack-keystone14:15
*** gyee has quit IRC14:17
*** gyee has joined #openstack-keystone14:17
openstackgerritLuke Hinds proposed openstack/python-keystoneclient master: Adds bandit nosec flag to hashlib.sha1  https://review.openstack.org/49959514:22
*** ioggstream has joined #openstack-keystone14:22
gagehugolbragstad ^14:24
gagehugothere's a ps in bandit to add sha1 to the list of unsecure hashes, but it currently fails on keystone and ksc, but we use hmac-sha1 which isn't "insecure" so it's more or less a false flag14:27
*** cfriesen_ has joined #openstack-keystone14:31
lbragstadkmalloc: do you happen to know why groups don't have an `enabled` attribute?14:41
*** jamesbenson has joined #openstack-keystone14:42
*** ducttape_ has joined #openstack-keystone14:44
*** ducttap__ has joined #openstack-keystone14:45
*** rama_y has joined #openstack-keystone14:45
*** rama_y has quit IRC14:46
*** josecastroleon has quit IRC14:48
*** ducttape_ has quit IRC14:48
*** josecastroleon has joined #openstack-keystone14:51
*** josecastroleon has quit IRC14:53
*** cristicalin has quit IRC15:08
*** cristicalin has joined #openstack-keystone15:10
*** kbaegis has joined #openstack-keystone15:12
*** cristicalin has quit IRC15:13
*** lwanderley has joined #openstack-keystone15:17
kmallocuh15:23
kmallocbecause we never needed it?15:23
kmallocgroups themselves kindof never justified an enabled/disabled attr15:23
kmallocif we need it, it is easy to add, but it would only affect user->(group)role->project not anything else15:23
kmallocunless we break functionality (aka disabled group = user disabled)15:23
kmallocvs domain disable15:24
lbragstadyeah - just curious,15:26
lbragstadfor some reason i thought that was implemented given the pattern in the rest of the keystone entities15:27
lbragstadso i wrote a test for it in the global roles work15:27
lbragstadthen i realized it wasn't possible15:27
lbragstad:)15:27
lbragstadcc hrybacki ^15:27
kmalloci am not opposed to adding it15:28
kmallocbut *shrug* i'd like a clear story on what we're using it for15:28
kmalloclbragstad: i have a chunk of the code for removing the @dependency decorators15:29
lbragstadkmalloc: yeah - let's wait for that15:29
kmallocworking on it npow15:29
lbragstadkmalloc: damn... which ones?15:29
kmallocnow*15:29
kmallocall of them.15:29
lbragstadi have a string of patches, too15:29
kmallocmy code is deleting the entire @provides and @requires15:29
lbragstadoh...15:29
lbragstadwait15:29
lbragstadnevermind15:29
kmallocthough we could keep @requires15:29
lbragstadsorry - i thought you were talkinhg about @v2_deprecated15:29
kmallocno no, that was on my list for post PTG15:30
kmalloci didn't want to touch it until people were back and fully engaged15:30
kmallocin short...15:31
kmallochttps://www.irccloud.com/pastebin/Fzshpyyv/15:32
kmalloc^15:32
lbragstadnice15:32
kmallocmanager (on __init__) registers with that object15:32
*** pcaruana has quit IRC15:32
kmallocand then we do provider_api.<blah>_api15:32
kmallocinstead of self.<blah>_api15:32
kmallocbasically, we make the managers (effectively) singletons15:33
kmalloci have a couple more enhancements to make (such as locking the provider_api registry)15:34
lbragstadyeah - i guess my main motivation for digging into dstanek's stuff was to get rid of the anti-pattern of having to register providers]15:34
kmallocwell, this will simplify it all15:34
kmallocno more registering15:34
lbragstadaweseome15:34
kmallocno more decorators15:34
lbragstadi'm game15:34
kmallocjust use the api you need.15:34
lbragstad++15:34
kmallocand if it's a manager, it is auto-registered15:34
kmalloci did add a __provides_api attribute15:35
kmallocto the manager15:35
kmallocfelt easier than decorators or other magic15:35
lbragstadright15:36
*** edmondsw has quit IRC15:40
*** otleimat has joined #openstack-keystone15:42
*** itlinux has quit IRC15:46
kmalloclbragstad: hm15:47
kmalloclbragstad: this change is going to be massive15:47
kmalloclbragstad: i think i'm going to undo it and still lean on self.XXX_api15:48
knikollao/15:48
kmallocsimply to not have a 5000+line change15:48
lbragstadkmalloc: yeah... that's a lot15:48
kmallocbecause every single self.XXX_api call would be changed.15:48
kmallocthat is uuuugly15:48
lbragstadkmalloc: can we do it in two steps?15:49
lbragstadsomehow?15:49
kmallocyeah15:49
kmallocwell i'm just going to lean on __getattrr__15:49
*** ayoung has joined #openstack-keystone15:50
*** edmondsw has joined #openstack-keystone15:51
*** kbaegis has quit IRC15:55
*** kbaegis has joined #openstack-keystone15:55
*** edmondsw has quit IRC15:56
*** mvk has quit IRC15:59
*** lwanderley has quit IRC15:59
knikollalbragstad: starting today, i'm back to my usual level of keystone involvement.16:05
lbragstadknikolla: whew :) that's good to hear16:06
*** rama_y has joined #openstack-keystone16:11
*** lwanderley has joined #openstack-keystone16:11
lbragstadknikolla: did you get the ceph thing figured out?16:15
knikollalbragstad: unfortunately not. we declared death yesterday.16:17
lbragstad:(16:17
knikollaa manual step went awry and there was a big % of placement groups lost, so chances of getting a full multi-gigabyte rbd object out of it are very small.16:18
*** hoonetorg has quit IRC16:18
knikollai'll probably blog a write-up in the coming days.16:18
*** jamesbenson has quit IRC16:19
openstackgerritMorgan Fainberg proposed openstack/keystone master: WIP: Remove dependency injection  https://review.openstack.org/49970316:23
kmalloclbragstad: ^ that is the 1st WIP, i could split it into 2 patches though.16:24
kmallocadd functionality, and then a delete decorators16:24
kmallocit wont pass tests.16:24
kmallocbecause injection tests just aren't fixed16:24
kmalloc(it wont pep8 either)16:24
kmalloclbragstad: but i wanted your opinion on the direction before doing the next round of cleanup16:24
*** jamesbenson has joined #openstack-keystone16:28
*** jamesbenson has quit IRC16:30
*** jistr is now known as jistr|afk16:31
lbragstadkmalloc: awesome - i'll take a look16:31
*** kbaegis has quit IRC16:31
*** kbaegis1 has joined #openstack-keystone16:31
lbragstadi'm about to push a bunch of cleanup myself16:31
*** browne has joined #openstack-keystone16:42
*** jamesbenson has joined #openstack-keystone16:45
*** mjax has joined #openstack-keystone16:46
*** itlinux has joined #openstack-keystone16:46
*** jamesbenson has quit IRC16:48
*** lwanderley has quit IRC16:58
*** lwanderley has joined #openstack-keystone16:58
*** dave-mcc_ is now known as dave-mccowan17:01
openstackgerritGage Hugo proposed openstack/keystone master: Add JSON schema validation for project tags  https://review.openstack.org/48448317:02
openstackgerritGage Hugo proposed openstack/keystone master: Add database migration for project tags  https://review.openstack.org/48445617:02
openstackgerritGage Hugo proposed openstack/keystone master: Add policy for project tags  https://review.openstack.org/48675717:02
openstackgerritGage Hugo proposed openstack/keystone master: Refactor removal of duplicate projects/domains  https://review.openstack.org/49157417:02
openstackgerritGage Hugo proposed openstack/keystone master: Implement backend logic for project tags  https://review.openstack.org/49972617:02
openstackgerritGage Hugo proposed openstack/keystone master: Implement project tags logic into manager  https://review.openstack.org/49972717:02
openstackgerritGage Hugo proposed openstack/keystone master: Implement project tags API controller and router  https://review.openstack.org/49972817:02
*** aojea has joined #openstack-keystone17:07
*** jamesbenson has joined #openstack-keystone17:07
*** ayoung has quit IRC17:07
*** aojea has quit IRC17:10
*** aojea has joined #openstack-keystone17:10
*** jamesbenson has quit IRC17:10
*** rcernin has quit IRC17:12
*** tesseract has quit IRC17:14
itlinuxhi all, what's the best way to assign roles to a group?17:18
*** aojea has quit IRC17:19
*** aojea has joined #openstack-keystone17:20
*** aojea has quit IRC17:24
*** kbaegis1 has quit IRC17:31
lbragstaditlinux: we have an api for that here https://developer.openstack.org/api-ref/identity/v3/index.html#roles17:33
*** aahh has joined #openstack-keystone17:33
lbragstadPUT /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} will grant a group a role on a project17:33
lbragstadfor example17:33
*** browne has quit IRC17:37
*** kbaegis has joined #openstack-keystone17:42
*** edmondsw has joined #openstack-keystone17:42
*** edmondsw_ has joined #openstack-keystone17:44
*** edmondsw has quit IRC17:46
*** edmondsw_ has quit IRC17:48
*** jistr|afk is now known as jistr17:50
*** links has quit IRC17:52
*** ioggstream has quit IRC17:57
aahhhi @lbragstad18:02
lbragstado/18:02
aahhhow exactly do we sanitize our logs18:02
aahhwhich has passwords and cookies18:02
lbragstadaahh: what debug level are you using/18:03
aahhi hapened to read up https://security.openstack.org/guidelines/dg_protect-sensitive-data-in-files.html18:03
lbragstadif you use debug level logging it can be insecure18:03
aahhyeah right now its not secure18:04
lbragstadyeah - ^ that's an example of DEBUG log level exposing sensitive information18:04
lbragstadif you use a lower debug level, that information shouldn't be exposed18:04
aahhokay besides the debug levels , is there a way I can handle the sensitive information on the logs18:05
lbragstadaahh: this is a related bug report that has some context - https://bugs.launchpad.net/keystoneauth/+bug/163897818:05
openstackLaunchpad bug 1638978 in keystoneauth "Debug data isn't sanitized" [Medium,Triaged] - Assigned to Dinesh Bhor (dinesh-bhor)18:05
*** ducttap__ has quit IRC18:06
cmurphyin theory even debug shouldn't expose super-sensitive things https://bugs.launchpad.net/keystone/+bug/147952318:06
openstackLaunchpad bug 1479523 in OpenStack Identity (keystone) "Stop using debug for insecure responses" [Wishlist,Fix released] - Assigned to Brant Knudson (blk-u)18:06
lbragstadcmurphy: ++18:07
lbragstadit would be good to get that fixed, too18:07
lbragstadi know the debug level stuff has been proposed as a work around18:07
*** dave-mccowan has quit IRC18:07
aahhhow exactly does the config files protection work , what i mean is based on the link here https://security.openstack.org/guidelines/dg_protect-sensitive-data-in-files.html18:09
aahhis it possible to leverage this18:09
*** jdennis has quit IRC18:09
lbragstadaahh: that's all oslo specific stuff18:09
lbragstadthose libraries are what implement the masking of sensitive data18:09
aahhokay , i guess then this still doesnt help securing what we want to if the debug levels are high18:11
*** ducttape_ has joined #openstack-keystone18:11
lbragstadwhich options are being leaked and are they not flagged with `secret=True` in the project?18:12
*** edmondsw has joined #openstack-keystone18:12
*** dave-mccowan has joined #openstack-keystone18:15
aahhnot right now , am just developing a new identity driver and it handles few cookie information which are not declared as 'secret=True' at the moment18:15
lbragstadah - if you set secret does that fix the issue?18:15
*** ducttape_ has quit IRC18:16
aahhi havent tested yet , I wanted to know where is the file location where we can setup this18:16
*** edmondsw has quit IRC18:17
*** edmondsw has joined #openstack-keystone18:17
lbragstadaahh: i assume you're setting configuration options for your identity driver?18:19
lbragstadaahh: you could probably tack those options into keystone or create a separate configuration file18:19
*** brad[]` has quit IRC18:20
aahhI prefer to write a seperate config file but for now , could you point out where in keystone can we have that set up18:20
*** browne has joined #openstack-keystone18:20
*** ducttape_ has joined #openstack-keystone18:21
*** jistr is now known as jistr|off18:21
*** edmondsw has quit IRC18:21
*** browne has quit IRC18:22
aahhis it keystone/conf/auth.py18:22
*** kbaegis has quit IRC18:23
*** kbaegis has joined #openstack-keystone18:24
*** edmondsw has joined #openstack-keystone18:25
*** jdennis has joined #openstack-keystone18:26
*** edmondsw has quit IRC18:29
*** lwanderley has quit IRC18:30
*** lwanderley has joined #openstack-keystone18:32
lbragstadaahh: https://github.com/openstack/keystone/blob/master/keystone/conf/identity.py is where the identity options are registered18:37
aahhgreat, so I create an entry point for the cookie in this file and fetch it from this file as keystone.conf.identity.cookie inside my identity driver18:39
lbragstadright - so long as it's registered you should be able to use the oslo.config CONF object to retrieve it18:46
lbragstadCONF.identity.cookie, for example18:46
*** jamesbenson has joined #openstack-keystone18:59
*** rcernin has joined #openstack-keystone19:01
*** jamesbenson has quit IRC19:03
*** jose-phillips has quit IRC19:04
*** jose-phillips has joined #openstack-keystone19:07
*** edmondsw has joined #openstack-keystone19:07
knikollalbragstad: so the spec for global roles hasn't merged yet right?19:10
lbragstadknikolla: no - i need to respin it19:10
lbragstadsome have reviewed it and pointed out some useful bits19:10
aahh@lbragstad : however when i try to retrieve on the code , it throws an error on the type found. Expected string and the server could not comply with the request19:11
lbragstadaahh: do you have a paste?19:11
*** edmondsw has quit IRC19:12
*** hoonetorg has joined #openstack-keystone19:14
aahh@lbragstad : http://paste.openstack.org/show/DtOn6ZVIjb1fy6XA2LnT/19:17
lbragstadaahh: did you add the new opt to https://github.com/openstack/keystone/blob/master/keystone/conf/auth.py#L8019:19
lbragstad>?19:19
aahhI have only modified the existing password opt19:20
aahhi just set that one to 'secret = True'19:20
*** brad[] has joined #openstack-keystone19:21
*** jose-phillips has quit IRC19:22
lbragstadaahh: oh - that's the name of a plugin - it's not actually used as a passwor d19:23
lbragstadso protecting it with secret=True won't do much19:23
lbragstadyou might need to add a different option to pull in the value you want19:24
aahhwhere exactly do we set up the config for this specific user case , is it possible19:24
lbragstadaahh: maybe something like http://paste.openstack.org/show/620133/19:25
*** jamesbenson has joined #openstack-keystone19:27
*** ducttape_ has quit IRC19:27
*** ducttape_ has joined #openstack-keystone19:27
*** edmondsw has joined #openstack-keystone19:28
*** jamesbenson has quit IRC19:31
*** edmondsw has quit IRC19:32
*** jamesbenson has joined #openstack-keystone19:34
*** aselius has joined #openstack-keystone19:35
aahhokay , i guess there is a problem with that , the input that I make use to get the cookie is the password itself . So technically I need a way to sanitize them on the logs19:36
aahhsorry for the confusion19:36
aahh@lbragstad19:36
lbragstadahh - so you were passing the cookie in the actual request to keystone?19:37
lbragstadnot by specifying it in configuration19:37
*** brad[] has quit IRC19:38
aahhits the same password we get in from the client and checked in the identity driver whether its a password or cookie and then validated accordingly , handled on the code19:40
*** tonytan4ever has joined #openstack-keystone19:50
*** brad[] has joined #openstack-keystone20:06
*** cristicalin has joined #openstack-keystone20:09
*** lwanderley has quit IRC20:12
openstackgerritLance Bragstad proposed openstack/keystone master: Remove v2.0 service and endpoint APIs  https://review.openstack.org/49977920:16
openstackgerritLance Bragstad proposed openstack/keystone master: more catalog things for pep8  https://review.openstack.org/49978020:16
openstackgerritLance Bragstad proposed openstack/keystone master: Remove v2.0 assignment APIs  https://review.openstack.org/49978120:16
openstackgerritLance Bragstad proposed openstack/keystone master: Remove v2.0 resource APIs  https://review.openstack.org/49978220:16
openstackgerritLance Bragstad proposed openstack/keystone master: Remove v2.0 identity APIs  https://review.openstack.org/49978320:16
openstackgerritLance Bragstad proposed openstack/keystone master: Remove v2.0 token APIs  https://review.openstack.org/49978420:16
openstackgerritLance Bragstad proposed openstack/keystone master: Remove the v2_deprecated decorator  https://review.openstack.org/49978520:16
openstackgerritLance Bragstad proposed openstack/keystone master: Remove the v2_deprecated decorator  https://review.openstack.org/49978520:18
openstackgerritLance Bragstad proposed openstack/keystone master: Remove v2.0 token APIs  https://review.openstack.org/49978420:18
openstackgerritLance Bragstad proposed openstack/keystone master: Remove v2.0 service and endpoint APIs  https://review.openstack.org/49977920:18
openstackgerritLance Bragstad proposed openstack/keystone master: Remove v2.0 assignment APIs  https://review.openstack.org/49978120:18
openstackgerritLance Bragstad proposed openstack/keystone master: Remove v2.0 identity APIs  https://review.openstack.org/49978320:18
openstackgerritLance Bragstad proposed openstack/keystone master: Remove v2.0 resource APIs  https://review.openstack.org/49978220:18
gagehugooh my20:18
lbragstadyeah...20:18
lbragstadi'm fried20:19
knikollathat is beautiful20:19
lbragstadi just about cried when i deleted the keystone.resource.controllers.Tenant20:20
lbragstadstraight up tears of joy20:20
gagehugoare we keeping anything from v2?20:21
knikollaauth20:21
lbragstadwe haev to keep the v2 authentication api and ec2 api20:21
gagehugoah20:21
lbragstaduntil the T release20:21
gagehugoew20:21
lbragstadbut... we've gotten rid of a lot of intermix testing as a result20:22
lbragstadwhich should actually give us an opportunity to clean up a lot of our tests20:22
knikollalbragstad: won't they fail tempest?20:28
lbragstadknikolla: yeah - i'm sure they will20:28
lbragstadi still need to get a patch up to address that20:29
knikollaso i'll hold my horses on the +2 button.20:30
lbragstadknikolla: yeah - mostly just wanted to get that proposed for the PTG in case we need to run it by anyone there20:32
knikollacool :)20:32
openstackgerritGage Hugo proposed openstack/python-keystoneclient master: Adds bandit nosec flag to hashlib.sha1  https://review.openstack.org/49959520:34
*** jose-phillips has joined #openstack-keystone20:35
openstackgerritLance Bragstad proposed openstack/keystone master: Remove unused v2.0 test utilities  https://review.openstack.org/49979120:35
*** jamesbenson has quit IRC20:41
openstackgerritLance Bragstad proposed openstack/keystone master: Remove deprecated secure_proxy_ssl_header config  https://review.openstack.org/49979820:50
*** jamesbenson has joined #openstack-keystone20:51
bretonwow20:52
*** jamesbenson has quit IRC20:55
lbragstadi feel like i just deleted half of keystone21:00
kmalloclbragstad: lol21:04
kmalloclbragstad: dude. i will so be happy to +2/+A those21:04
kmalloci hope it only fails v2-identity specific tests in tempest21:05
kmalloclbragstad: i will be *very* stoked to see that go away21:05
*** nkinder has quit IRC21:08
*** thorst_afk has quit IRC21:08
*** tonytan4ever has quit IRC21:12
lbragstadkmalloc: me too21:14
*** raildo has quit IRC21:16
*** dave-mccowan has quit IRC21:20
openstackgerritLance Bragstad proposed openstack/keystone master: Remove deprecated secure_proxy_ssl_header config  https://review.openstack.org/49979821:23
*** nkinder has joined #openstack-keystone21:23
*** catintheroof has quit IRC21:31
*** cfriesen_ is now known as cfriesen21:34
*** thorst_afk has joined #openstack-keystone21:34
*** thorst_afk has quit IRC21:36
*** thorst_afk has joined #openstack-keystone21:39
cfriesenis there a way to list which users are in a group via the openstack client?22:12
lbragstadopenstack role assignment list should help with that22:13
lbragstadcfriesen: openstack group contains user is specifically built for that22:16
*** ducttape_ has quit IRC22:17
*** ducttape_ has joined #openstack-keystone22:18
cfriesenlbragstad: that's not quite what I'm looking for though, since it asks for the user/group up front.   "openstack role assignment list" seems to work22:18
lbragstadcfriesen: `openstack group contains user $GROUP $USER`22:18
*** cristicalin has quit IRC22:19
lbragstadcfriesen: oh - you're looking for who is in a group?22:19
cfriesenlbragstad: yes22:19
lbragstadcfriesen: we do have an api for that22:19
lbragstadhttps://developer.openstack.org/api-ref/identity/v3/index.html#groups22:19
lbragstadbut it doesn't look like it's being covered by the openstack client22:20
lbragstadGET v22:20
lbragstadGET /v3/groups/{group_id}/users22:20
*** aojea has joined #openstack-keystone22:20
openstackgerritLance Bragstad proposed openstack/keystone master: Remove the v2_deprecated decorator  https://review.openstack.org/49978522:21
openstackgerritLance Bragstad proposed openstack/keystone master: Remove v2.0 token APIs  https://review.openstack.org/49978422:21
openstackgerritLance Bragstad proposed openstack/keystone master: Remove unused v2.0 test utilities  https://review.openstack.org/49979122:21
openstackgerritLance Bragstad proposed openstack/keystone master: Remove v2.0 assignment APIs  https://review.openstack.org/49978122:21
openstackgerritLance Bragstad proposed openstack/keystone master: Remove v2.0 identity APIs  https://review.openstack.org/49978322:21
openstackgerritLance Bragstad proposed openstack/keystone master: Remove v2.0 resource APIs  https://review.openstack.org/49978222:21
cfriesen"openstack role assignment list --project <project_id>" comes close enough for my purposes, though maybe a bit indirect.22:21
lbragstadcfriesen: sounds good22:22
*** ducttape_ has quit IRC22:22
*** aojea has quit IRC22:25
*** edmondsw has joined #openstack-keystone22:30
*** rcernin has quit IRC22:30
*** itlinux has quit IRC22:34
*** aojea has joined #openstack-keystone22:37
*** thegreenhundred has quit IRC22:38
*** nkinder has quit IRC22:41
*** nkinder has joined #openstack-keystone22:53
*** aojea has quit IRC22:58
*** aojea has joined #openstack-keystone22:58
*** aojea has quit IRC23:03
*** aahh has quit IRC23:07
*** kbaegis has quit IRC23:20
*** thorst_afk has quit IRC23:39
*** ducttape_ has joined #openstack-keystone23:41
*** rama_y has quit IRC23:48
*** edmondsw has quit IRC23:48
*** catintheroof has joined #openstack-keystone23:55
*** flwang has left #openstack-keystone23:55
*** edmondsw has joined #openstack-keystone23:59
« Wednesday, 2017-08-30 Index Friday, 2017-09-01 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!