Tuesday, 2017-11-28

*** AlexeyAbashkin has joined #openstack-keystone [00:17]
*** magicboiz has quit IRC [00:21]
*** AlexeyAbashkin has quit IRC [00:21]
*** jmlowe has quit IRC [00:39]
*** jmlowe has joined #openstack-keystone [00:46]
*** dklyle has quit IRC [00:54]
*** david-lyle has joined #openstack-keystone [01:01]
*** jose-phillips has quit IRC [01:21]
*** jose-phi_ has joined #openstack-keystone [01:22]
openstackgerrit: wangxiyuan proposed openstack/keystone master: Deprecate member_role_id and member_role_name  https://review.openstack.org/522461 [01:26]
*** dave-mccowan has joined #openstack-keystone [01:36]
*** aselius has quit IRC [02:08]
*** annp has joined #openstack-keystone [02:10]
*** AlexeyAbashkin has joined #openstack-keystone [02:16]
*** zhurong has joined #openstack-keystone [02:18]
*** AlexeyAbashkin has quit IRC [02:21]
*** gagehugo has quit IRC [02:42]
*** gyee_ has quit IRC [02:55]
*** dave-mccowan has quit IRC [03:12]
*** dave-mccowan has joined #openstack-keystone [03:13]
*** dave-mcc_ has joined #openstack-keystone [03:16]
*** dave-mccowan has quit IRC [03:18]
*** links has joined #openstack-keystone [03:39]
*** AlexeyAbashkin has joined #openstack-keystone [04:16]
*** AlexeyAbashkin has quit IRC [04:21]
*** zhurong has quit IRC [04:30]
*** dave-mcc_ has quit IRC [04:42]
*** threestrands has quit IRC [05:10]
*** threestrands has joined #openstack-keystone [05:10]
*** threestrands has quit IRC [05:10]
*** threestrands has joined #openstack-keystone [05:10]
*** threestrands has quit IRC [05:12]
*** threestrands has joined #openstack-keystone [05:12]
*** threestrands has quit IRC [05:12]
*** threestrands has joined #openstack-keystone [05:12]
*** sticker has quit IRC [05:49]
*** zhurong has joined #openstack-keystone [06:05]
*** pcaruana has joined #openstack-keystone [06:06]
*** pcaruana has quit IRC [06:06]
*** gagehugo has joined #openstack-keystone [06:51]
*** threestrands has quit IRC [07:04]
*** zhurong has quit IRC [07:05]
*** namnh has joined #openstack-keystone [07:06]
*** josecastroleon has joined #openstack-keystone [07:08]
*** spectr has joined #openstack-keystone [07:18]
*** spectr has quit IRC [07:21]
*** magicboiz has joined #openstack-keystone [07:30]
*** magicboiz has quit IRC [07:34]
*** magicboiz has joined #openstack-keystone [07:35]
*** AlexeyAbashkin has joined #openstack-keystone [07:52]
*** rcernin has quit IRC [07:53]
*** d0ugal has joined #openstack-keystone [07:55]
openstackgerrit: wangxiyuan proposed openstack/keystone-specs master: Limits API  https://review.openstack.org/455709 [08:10]
*** pcaruana has joined #openstack-keystone [08:28]
*** magicboiz has quit IRC [08:36]
*** AlexeyAbashkin has quit IRC [08:48]
*** AlexeyAbashkin has joined #openstack-keystone [08:51]
*** gmann is now known as gmann_afk [08:53]
*** magicboiz has joined #openstack-keystone [08:53]
*** magicboiz has quit IRC [08:58]
*** zhurong has joined #openstack-keystone [09:20]
*** sbezverk has quit IRC [09:22]
*** evgenyf has joined #openstack-keystone [09:46]
evgenyf: hi guys, does anyone know why when accessing the internal keystone URL, the request is redirected to the public URL ? [09:47]
*** openstackgerrit has quit IRC [09:48]
cmurphy: evgenyf: can you be more specific about what you're trying to do? is this happening with an openstackclient command? [09:49]
evgenyf: cmurphy: I use openstack4J client and authenticate via <keystone internal URL IP>:5000/v2.0. I succeed in authentication and try to list security groups. I see the request goes to a public keystone URL (which IP is different from internal and admin) [09:55]
*** rcernin has joined #openstack-keystone [09:55]
evgenyf: cmurphy: the issue is that I have no access to the public URL IP. I do not understand why the request is going to the public URL instead of internal [09:57]
cmurphy: evgenyf: if you succeed in authentication why are you accessing the keystone url again? it should auth with the keystone endpoint for auth and then access the neutron endpoint for security groups [10:02]
cmurphy: evgenyf: i don't know much about openstack4J, do you have the same behavior with python-openstackclient? [10:03]
*** namnh has quit IRC [10:07]
evgenyf: cmurphy: I need to check it, thanks for your help [10:14]
cmurphy: evgenyf: i'm still not sure what it is but in python-openstackclient there are OS_ENDPOINT_TYPE and OS_INTERFACE variables that control which interface to use, likely openstack4J has a translation of that that might help [10:15]
cmurphy: evgenyf: also the neutron service itself will call to keystone and you can configure that interface in the [keystone_authtoken] section of the neutron config file, but i'm not sure if that's the public url traffic you're seeing [10:16]
*** zhurong has quit IRC [10:19]
*** annp has quit IRC [11:03]
*** panbalag has joined #openstack-keystone [11:39]
*** panbalag has left #openstack-keystone [11:39]
*** efried has quit IRC [11:54]
*** linpopilan has quit IRC [11:58]
*** sapd_ has quit IRC [12:03]
*** sapd__ has joined #openstack-keystone [12:03]
*** d0ugal has quit IRC [12:04]
*** efried has joined #openstack-keystone [12:07]
*** d0ugal has joined #openstack-keystone [12:07]
*** raildo has joined #openstack-keystone [12:10]
*** aojea has joined #openstack-keystone [12:44]
*** dave-mccowan has joined #openstack-keystone [13:06]
*** aojea has quit IRC [13:10]
*** magicboiz has joined #openstack-keystone [13:14]
raildo: lbragstad, ping, are you around? [13:15]
*** links has quit IRC [13:16]
*** magicboiz has quit IRC [13:18]
*** jdennis has quit IRC [13:18]
*** magicboiz has joined #openstack-keystone [13:19]
*** edmondsw has joined #openstack-keystone [13:22]
raildo: lbragstad, about https://bugs.launchpad.net/keystone/+bug/1734871 [13:28]
openstack: Launchpad bug 1734871 in OpenStack Identity (keystone) "overcloud deployment fails on mistral action DeployStackAction" [Critical,Triaged] - Assigned to Raildo Mascena de Sousa Filho (raildo) [13:28]
*** magicboiz has quit IRC [13:31]
cmurphy: that commit is definitely the cause, woops [13:31]
*** magicboiz has joined #openstack-keystone [13:33]
cmurphy: i can fix [13:34]
raildo: cmurphy, I was already fixing that, I was just want to ask for a quick review on it, since it's a promotion blocker for tripleo team [13:36]
raildo: cmurphy, just keep the same pattern as role name https://github.com/openstack/keystone/blob/master/keystone/assignment/schema.py#L18 [13:37]
cmurphy: raildo: yes i would just change it to parameter_types.name [13:37]
raildo: cmurphy, ++ if you want to send that change, just go ahead, I'm ok with that in either way :) [13:38]
*** openstackgerrit has joined #openstack-keystone [13:38]
openstackgerrit: Colleen Murphy proposed openstack/keystone master: Fix role schema in trust object  https://review.openstack.org/523415 [13:38]
cmurphy: raildo: done ^ [13:38]
raildo: cmurphy, thank you so much :) [13:39]
cmurphy: np :) [13:39]
raildo: cmurphy, btw, can we set the release of that bug for queens-2, since it's a simple change and it's also a blocker? [13:41]
*** jdennis has joined #openstack-keystone [13:42]
cmurphy: raildo: i would let lbragstad make that call, i'm not really sure what the rules are [13:43]
cmurphy: raildo: why does it need a release if you're deploying from master? [13:43]
raildo: cmurphy, hum... makes sense [13:43]
*** evgenyf has quit IRC [14:00]
*** thorst has joined #openstack-keystone [14:06]
*** jmlowe has quit IRC [14:10]
*** pcaruana has quit IRC [14:13]
*** pcaruana has joined #openstack-keystone [14:17]
openstackgerrit: Colleen Murphy proposed openstack/keystone master: Fix role schema in trust object  https://review.openstack.org/523415 [14:21]
*** magicboiz has quit IRC [14:42]
*** magicboiz has joined #openstack-keystone [14:43]
*** spilla has joined #openstack-keystone [14:53]
*** clayton has quit IRC [15:20]
*** clayton has joined #openstack-keystone [15:21]
*** d0ugal has quit IRC [15:28]
*** jmlowe has joined #openstack-keystone [15:28]
*** jmlowe has quit IRC [15:30]
*** phalmos has joined #openstack-keystone [15:31]
*** ayoung has joined #openstack-keystone [15:33]
*** sapd__ has quit IRC [15:34]
*** sapd_ has joined #openstack-keystone [15:34]
*** d0ugal has joined #openstack-keystone [15:42]
*** dklyle has joined #openstack-keystone [15:43]
*** david-lyle has quit IRC [15:46]
*** nicolasbock has joined #openstack-keystone [15:49]
openstackgerrit: Merged openstack/keystone master: Validate disabled domains and projects online  https://review.openstack.org/253273 [15:52]
*** masuberu has joined #openstack-keystone [16:01]
*** masber has quit IRC [16:05]
*** gagehugo has quit IRC [16:05]
*** sbezverk has joined #openstack-keystone [16:07]
*** masuberu has quit IRC [16:08]
*** masuberu has joined #openstack-keystone [16:08]
*** josecastroleon has quit IRC [16:15]
kmalloc: lbragstad: +2 on system roles, lots of nits. [16:21]
*** gagehugo has joined #openstack-keystone [16:26]
cmurphy: what is the /v3/credentials API for? is it just an encrypted key-value store? [16:31]
*** jmlowe has joined #openstack-keystone [16:38]
*** AlexeyAbashkin has quit IRC [16:49]
*** jmlowe has quit IRC [17:15]
kmalloc: cmurphy, basically [17:27]
openstackgerrit: ayoung proposed openstack/keystone master: Add is_admin_project check to policy for non scoped operations  https://review.openstack.org/257636 [17:27]
kmalloc: cmurphy: it also is used for TOTP and a couple other things. [17:27]
kmalloc: cmurphy: but it's mostly a crappy (but encrypted) kvs [17:28]
kmalloc: also, its design almost mandates a RDBMS backing it. [17:28]
kmalloc: because the way the API allows for filtering. [17:28]
cmurphy: kmalloc: at first it looked like a natural place to put application credentials but looking closer that would be kind of a hard fit [17:30]
kmalloc: especially since you can extract the private data from it [17:31]
kmalloc: with a simple list command [17:31]
cmurphy: yeah that seems a little silly [17:31]
kmalloc: in short, i would pretend "credentials" doesn't exist [17:31]
cmurphy: sounds good [17:31]
kmalloc: i'd be happy for a more generic backend for like app-creds and totp, etc [17:31]
kmalloc: and we could migrate totp to it. [17:32]
kmalloc: but creds is bad, and i would have advocated deleting it but we can't >.< [17:32]
openstackgerrit: Colleen Murphy proposed openstack/keystone-specs master: Repropose application credentials to queens  https://review.openstack.org/512505 [17:33]
lbragstad: kmalloc: awesome - i'll get those addressed today [17:33]
lbragstad: in a follow on if that's cool [17:33]
lbragstad: hrybacki: o/ [17:33]
lbragstad: hrybacki: i just responded on the mailing list ;) [17:33]
kmalloc: lbragstad: totally [17:34]
hrybacki: o/ lbragstad  -- thank you. Stupid reply button :( [17:34]
kmalloc: lbragstad: +2'd since it was all nits. [17:34]
* cmurphy brb before meeting [17:36]
hrybacki: lbragstad: meeting is in 22 minutes or 1hr 22 minutes? [17:38]
lbragstad: hrybacki: 22 minutes [17:39]
openstackgerrit: Lance Bragstad proposed openstack/keystone-specs master: Address follow on comments for system-scope  https://review.openstack.org/523491 [17:49]
*** KwozyMan has joined #openstack-keystone [17:49]
lbragstad: hrybacki: kmalloc cmurphy ^ [17:49]
lbragstad: cmurphy: i replied to your comment on the system: {'all': true} stuff [17:50]
lbragstad: as far as assignments go, that should all be on the path and not in the request body itself [17:50]
*** pcaruana has quit IRC [17:53]
lbragstad: pre meeting ping: ayoung, breton, cmurphy, dstanek, edmondsw, gagehugo, henrynash, hrybacki, knikolla, lamt, lbragstad, lwanderley, kmalloc, rderose, rodrigods, samueldmq, spilla, aselius, dpar [17:55]
*** thorst has quit IRC [17:57]
*** thorst has joined #openstack-keystone [17:58]
openstackgerrit: Merged openstack/keystone-specs master: Specification for system roles  https://review.openstack.org/464763 [18:00]
*** josecastroleon has joined #openstack-keystone [18:02]
*** thorst has quit IRC [18:02]
*** jmlowe has joined #openstack-keystone [18:05]
*** aselius has joined #openstack-keystone [18:09]
*** thorst has joined #openstack-keystone [18:10]
*** thorst has quit IRC [18:14]
*** jmlowe has quit IRC [18:25]
*** jmlowe has joined #openstack-keystone [18:28]
openstackgerrit: Jaewoo Park proposed openstack/keystone master: Extend comparator support for project list by tags  https://review.openstack.org/523499 [18:34]
*** thorst has joined #openstack-keystone [18:34]
*** aojea has joined #openstack-keystone [18:35]
*** AlexeyAbashkin has joined #openstack-keystone [18:35]
*** josecastroleon has quit IRC [18:36]
*** thorst has quit IRC [18:37]
*** thorst has joined #openstack-keystone [18:38]
*** AlexeyAbashkin has quit IRC [18:40]
*** aojea has quit IRC [18:50]
*** AlexeyAbashkin has joined #openstack-keystone [18:56]
openstackgerrit: Colleen Murphy proposed openstack/keystone-specs master: Repropose application credentials to queens  https://review.openstack.org/512505 [18:58]
cmurphy: fixed ^ [18:58]
*** AlexeyAbashkin has quit IRC [19:04]
lbragstad: #startmeeting keystone-office-hours [19:07]
openstack: Meeting started Tue Nov 28 19:07:08 2017 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot. [19:07]
openstack: Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. [19:07]
*** openstack changes topic to " (Meeting topic: keystone-office-hours)" [19:07]
*** ChanServ changes topic to "Queens release schedule: https://releases.openstack.org/queens/schedule.html | Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting | Bugs that need triaging: http://bit.ly/2iJuN1h | Trello: https://trello.com/b/5F0h9Hoe/keystone" [19:07]
openstack: The meeting name has been set to 'keystone_office_hours' [19:07]
lbragstad: fyi - i'll be multi-tasking meeting for the next hour [19:09]
openstackgerrit: Merged openstack/keystone master: Fix role schema in trust object  https://review.openstack.org/523415 [19:09]
lbragstad: we do have a list of office-hours tagged bugs available, too [19:10]
lbragstad: #link https://goo.gl/tRbEsD [19:10]
*** KwozyMan_ has joined #openstack-keystone [19:13]
*** KwozyMan has quit IRC [19:15]
*** aojea has joined #openstack-keystone [19:34]
*** links has joined #openstack-keystone [19:38]
*** aojea has quit IRC [19:39]
*** links has quit IRC [19:42]
knikolla: i'm picking this up https://bugs.launchpad.net/keystone/+bug/1291157 [19:43]
openstack: Launchpad bug 1291157 in OpenStack Identity (keystone) "idp deletion should trigger token revocation" [Medium,In progress] - Assigned to Lance Bragstad (lbragstad) [19:43]
lbragstad: knikolla: oh - sweet [19:43]
lbragstad: knikolla:  i was just about to start working on that but i'll move on to the next one :) [19:44]
lbragstad: i'm going to pickup reviews for https://bugs.launchpad.net/keystone/+bug/1728690 [19:45]
openstack: Launchpad bug 1728690 in OpenStack Identity (keystone) "member_role_id/name conf options reference v2" [Medium,In progress] - Assigned to wangxiyuan (wangxiyuan) [19:45]
lbragstad: i can also pick up https://bugs.launchpad.net/keystone/+bug/1662623 [19:45]
openstack: Launchpad bug 1662623 in OpenStack Identity (keystone) "Testing keystone docs are outdated" [Wishlist,Confirmed] [19:45]
*** aojea has joined #openstack-keystone [19:51]
efried: lbragstad cmurphy https://review.openstack.org/523515 Release keystoneauth 3.2.1 [19:52]
efried: lbragstad cmurphy I still really want to get https://bugs.launchpad.net/keystoneauth/+bug/1707993 done and in a release, but I'm stymied by the unit tests. [19:52]
openstack: Launchpad bug 1707993 in keystoneauth "EndpointData.url should regurgitate my endpoint_override" [Low,In progress] - Assigned to Eric Fried (efried) [19:52]
cmurphy: efried: yeah those tests are really hard to wrap a single brain around :( [19:54]
*** aojea has quit IRC [19:56]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Update keystone testing documentation  https://review.openstack.org/523524 [20:17]
*** phalmos has quit IRC [20:20]
*** raildo has quit IRC [20:21]
*** pcaruana has joined #openstack-keystone [20:21]
*** phalmos has joined #openstack-keystone [20:30]
*** KwozyMan_ has quit IRC [20:34]
lbragstad: cmurphy: nice find - https://bugs.launchpad.net/keystone/+bug/1733836 [20:46]
openstack: Launchpad bug 1733836 in OpenStack Identity (keystone) "Support LDAP server discovery via DNS SRV records" [Wishlist,New] [20:46]
knikolla: lbragstad: quick thought, can we make it so that unscoped tokens give the identity endpoint in the service catalog? [20:46]
lbragstad: knikolla: jamielennox had that idea a while back [20:47]
knikolla: the empty catalog messes up the clients [20:47]
lbragstad: knikolla: i think it was actually proposed as a specification [20:47]
lbragstad: i want to say there were some patches available for it, too [20:47]
lbragstad: knikolla: yep [20:48]
lbragstad: #link https://review.openstack.org/#/c/107333/ [20:48]
knikolla: i'll give it a look [20:49]
knikolla: there's been several cases where i had to use the api directly because clients didn't like unscoped tokens for stuff which unscoped tokens should work [20:50]
*** spilla has quit IRC [20:50]
lbragstad: knikolla: yeah - we've had the discussion before [20:50]
lbragstad: knikolla: and i know jamielennox had some work proposed for it [20:51]
lbragstad: it might just be that it didn't get finished [20:51]
*** spilla has joined #openstack-keystone [20:51]
cmurphy: lbragstad: customer wanted that actually, not 100% sure keystone is the right place for it but thought i could bring it up [20:51]
knikolla: cool. yeah, proposed for kilo, that predates me by a full cycle. [20:51]
lbragstad: cmurphy: it's a good discussion [20:52]
lbragstad: cmurphy: what's the status of python-ldap? [20:52]
*** edmondsw_ has joined #openstack-keystone [20:52]
cmurphy: i forget, kmalloc ^ ? [20:52]
cmurphy: iirc there are two and we're using the python3-compatible one [20:52]
lbragstad: was there hesitation to add it because of resources or another reason? [20:53]
*** spilla has quit IRC [20:55]
cmurphy: lbragstad: security concerns https://mail.python.org/pipermail/python-ldap/2013q4/003299.html also concerns that changing how the url is read is a major change in behavior - "<hyc> it would be a major behavior change, I think no." from https://mail.python.org/pipermail/python-ldap/2013q4/003298.html [20:56]
*** edmondsw has quit IRC [20:56]
cmurphy: but that thread is from four years ago and was probably for the older python-ldap, not the one we're using [20:56]
cmurphy: so probably worth revisiting with the current maintainer [20:56]
cmurphy: i guess they're merging back https://github.com/pyldap/pyldap/blob/master/README#L2 [21:00]
*** thorst has quit IRC [21:03]
*** spilla has joined #openstack-keystone [21:04]
*** aojea has joined #openstack-keystone [21:09]
*** aojea has quit IRC [21:09]
*** aojea has joined #openstack-keystone [21:11]
kmalloc: cmurphy: hmmm. [21:18]
kmalloc: cmurphy: we moved to a py3 compat one, didn't we? [21:18]
kmalloc: oh wow. *eye roll* [21:19]
cmurphy: kmalloc: yes we did, i see pyldap in setup.cfg [21:19]
kmalloc: pyldap ... back to python-ldap, annoying. [21:20]
* kmalloc grumps. [21:21]
kmalloc: I have to order a new part for my bike so i can use it on my trainer. [21:21]
*** pcaruana has quit IRC [21:21]
*** edmondsw_ is now known as edmondsw [21:27]
openstackgerrit: Merged openstack/keystone-specs master: Outline policy goals  https://review.openstack.org/460344 [21:29]
*** thorst has joined #openstack-keystone [21:30]
*** rcernin has quit IRC [21:33]
*** openstackstatus has quit IRC [21:42]
*** openstack has joined #openstack-keystone [21:43]
*** ChanServ sets mode: +o openstack [21:43]
*** openstackstatus has joined #openstack-keystone [21:44]
*** ChanServ sets mode: +v openstackstatus [21:44]
lbragstad: cmurphy: thoughts on what to do with that section? [21:45]
cmurphy: lbragstad: sounds like we could just remove it? if someone wants to make the changes to tox.ini to get it to work they could add docs back [21:46]
lbragstad: yeah... that's what i'm thinking [21:46]
cmurphy: but i don't feel like anyone is desperate for that functionality [21:47]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Update keystone testing documentation  https://review.openstack.org/523524 [21:47]
lbragstad: imo most people limit the test set before pruning output [21:48]
*** sticker has joined #openstack-keystone [21:55]
*** thorst has quit IRC [21:56]
jamielennox: lbragstad, knikolla: the identity endpoint in the unscoped token would be really useful for a lot of client stuff, however particularly the older clients and non-python clients test whether the token is scoped via the presence of the catalog instead of the presence of project_id or domain_id [22:15]
jamielennox: with keystoneauth taking most of that away now it might be something that can be explored again [22:16]
jamielennox: but it's an annoying assumption that people make [22:16]
* cmurphy waves at jamielennox [22:16]
jamielennox: hello - i still lurk [22:17]
jamielennox: and i would still like a volunteer to take over: https://review.openstack.org/#/c/507726/ [22:18]
jamielennox: wait - it's way too early for cmurphy [22:18]
cmurphy: on my way out for the night :) [22:19]
*** rcernin has joined #openstack-keystone [22:23]
openstackgerrit: ayoung proposed openstack/keystone master: Shift to check_policy for resource creation  https://review.openstack.org/462670 [22:24]
lbragstad: jamielennox: woo, that'd be awesome [22:25]
ayoung: jamielennox, you can help me debug the failure on this first: https://review.openstack.org/#/c/257636/37 [22:26]
ayoung: It's something Tempest related, I am fairly sure they trigger the is_admin_project not being on a context by setting it in a config file somewhere. But I don't know how. [22:27]
*** thorst has joined #openstack-keystone [22:27]
jamielennox: ayoung: sure, you need to get someone to land that patch i just mentioned in tempest, convert keystone over to using the "system" creds for those operations and then flip the switch [22:27]
jamielennox: you can't land this stuff in a reasonable way until tempest supports it [22:28]
ayoung: jamielennox, just the opposite [22:28]
ayoung: jamielennox, I don't want tempest changing yet if I can help it [22:28]
ayoung: but somewhere in the logs I can see that is_admin_project=False [22:28]
ayoung: and that should not happen yet [22:28]
jamielennox: i think i turned it on [22:28]
ayoung: IN tempest? [22:29]
ayoung: How?  Let me understand that part, first, and, sure, I'll help tag team on whatever changes need to happen to close this out [22:29]
ayoung: lbragstad, are you ok with https://review.openstack.org/#/c/462670/ [22:30]
jamielennox: oh no, still WIP: https://review.openstack.org/#/c/503140/ [22:30]
ayoung: It's your -1, but I think you backed off it. [22:30]
lbragstad: ayoung: yeah - let me follow up on that [22:30]
ayoung: jamielennox, so why would is_admin_project ever be false without that?  I note that admin_project_name is not set in the keystone for devstack for the test [22:31]
*** aojea has quit IRC [22:31]
*** thorst has quit IRC [22:31]
jamielennox: it shouldn't be without that set [22:35]
jamielennox: that's why that patch exists so i could see what failed when i turned it on and there are a number of settings in cinder that already use is_admin_project [22:36]
*** edmondsw has quit IRC [22:36]
jamielennox: though keystone is always a funny beast, we thought we understood policy and so don't actually use the standard policy tools that all the other projects do [22:36]
jamielennox: so keystone itself might set is_admin_project because that's a non-standard path [22:37]
*** thorst has joined #openstack-keystone [22:38]
*** edmondsw has joined #openstack-keystone [22:39]
openstackgerrit: Lance Bragstad proposed openstack/keystone-specs master: Add policy roadmap for security  https://review.openstack.org/462733 [22:39]
*** thorst has quit IRC [22:42]
*** edmondsw has quit IRC [22:43]
lbragstad: looks like openstack meeting bot is having some issues [22:45]
cmurphy: i think it got restarted [22:47]
lbragstad: sounds like something i can test [22:48]
lbragstad: #startmeeting keystone-office-hours [22:48]
openstack: Meeting started Tue Nov 28 22:48:47 2017 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot. [22:48]
openstack: Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. [22:48]
*** openstack changes topic to " (Meeting topic: keystone-office-hours)" [22:48]
*** ChanServ changes topic to "Queens release schedule: https://releases.openstack.org/queens/schedule.html | Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting | Bugs that need triaging: http://bit.ly/2iJuN1h | Trello: https://trello.com/b/5F0h9Hoe/keystone" [22:48]
openstack: The meeting name has been set to 'keystone_office_hours' [22:48]
*** openstack changes topic to "Queens release schedule: https://releases.openstack.org/queens/schedule.html | Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting | Bugs that need triaging: http://bit.ly/2iJuN1h | Trello: https://trello.com/b/5F0h9Hoe/keystone" [22:49]
openstack: Meeting ended Tue Nov 28 22:49:09 2017 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) [22:49]
openstack: Minutes:        http://eavesdrop.openstack.org/meetings/keystone_office_hours/2017/keystone_office_hours.2017-11-28-22.48.html [22:49]
openstack: Minutes (text): http://eavesdrop.openstack.org/meetings/keystone_office_hours/2017/keystone_office_hours.2017-11-28-22.48.txt [22:49]
openstack: Log:            http://eavesdrop.openstack.org/meetings/keystone_office_hours/2017/keystone_office_hours.2017-11-28-22.48.log.html [22:49]
ayoung: Are we going to have the keystone meetings in here now? [22:52]
openstackgerrit: ayoung proposed openstack/keystone master: Add is_admin_project check to policy for non scoped operations  https://review.openstack.org/257636 [22:53]
lbragstad: i don't think so - just office hours [22:53]
lbragstad: until we get told otherwise? [22:53]
cmurphy: i don't think anyone is kicking us out of the meeting channels [22:54]
ayoung: jamielennox, BTW matt wants to maintain the ability to enforce policy on the token in Keystone. Says changing that is non-backwards compat and a regression [22:54]
jamielennox: ayoung: ergh, any idea what he wants out of that? i wasn't going to remove it immediately but there's really nothing that should be available on keystone and not on the other services [22:55]
jamielennox: also, it's super dependant on the token format which is wrong [22:56]
ayoung: jamielennox, just that changing that is going to break custom policy deployed in lots of places [22:56]
*** spilla has quit IRC [22:56]
ayoung: yeah, and we still support both v2 and v3 tokens for the moment [22:56]
jamielennox: ayoung: sure there's a deprecation period, but i'd like that not to be a forever policy and just tell us what he needs [22:57]
ayoung: OH, I think deprecation is fine, but I think we need to explicitly add it in to the oslo-context that we use to check policy in Keystone's controllers [22:57]
ayoung: I forget, did we even change Keystone to use context yet? [22:58]
jamielennox: ayoung: no, i had multiple attempts and i was mid way through another when i left [23:02]
jamielennox: ayoung: this was on the path again: https://review.openstack.org/#/c/508619/ [23:03]
jamielennox: i was trying to make policy enforcement not a decorator and break up the controller so we could pass context around like everyone else [23:03]
ayoung: Oh, I like that one [23:03]
jamielennox: but those sort of reviews lag [23:03]
ayoung: jamielennox, I had a pre-req [23:03]
*** swain has joined #openstack-keystone [23:03]
ayoung: jamielennox, look at this one: https://review.openstack.org/#/c/462670/ [23:04]
jamielennox: that seems to be heading down the same path [23:05]
ayoung: jamielennox, yeah [23:05]
ayoung: jamielennox, we should be able to do your check once, in the wsgi layer.  No? [23:06]
jamielennox: yea, that's all it is [23:06]
jamielennox: the rest of that patch is just explicitly calling out all the routes we have that don't need policy enforcement [23:06]
jamielennox: so that the protection is opt-out not opt-in [23:06]
ayoung: cool, yeah , I see now.  We just still have a bunch of extensions that have one offs you covered there as well [23:06]
ayoung: ok, with my code change, yours should be much smaller.  Everything should go through check_policy, and you can set the flag on the way out [23:07]
jamielennox: i mean long term i think it's valuable, but really it's mostly so that short term we could start tweaking how we did enforcement and know we didn't introduce a bug [23:07]
jamielennox: yea, so i had WIP follow ups to that patch where i was pulling apart the policy checks and trying to simplify it [23:08]
jamielennox: remove all those database getter functions from the controller [23:08]
jamielennox: the flag is set on the request, my plan was that check_policy would take the request as a parameter and so would be set automatically once checked [23:09]
jamielennox: but check_protection is a horrible function with crazy inputs because it's designed as a wrapper and it should be possible to break it up into something you can actually follow [23:10]
ayoung: jamielennox, yep.  It was just a minimal change to consolidate to a single function [23:15]
ayoung: once it's there, we can make it private, and make it sane [23:15]
ayoung: but the primary effort needs to be close 968696 and getting a sane policy across the board.  I really care jack about anything else [23:16]
ayoung: That patch series is coming up on 2 years old. [23:16]
jamielennox: ayoung: i think the more you push it under the covers without fixing tempest the bigger that fight is going to be [23:17]
ayoung: jamielennox, there is a rational ordering [23:17]
jamielennox: i had gansham and mtreinish on board for that patch i just need someone to actually work it through [23:17]
*** lbragstad has quit IRC [23:17]
ayoung: we need the fix in Keystone, but inactive. Then we explicitly enable in Tempest [23:18]
ayoung: nothing else is going to work [23:18]
ayoung: We can't lock Keystone in to the bad behavior, but it looks like that is what is happening anyway [23:18]
jamielennox: (if gmann_afk sees that sorry for the complete butchering of spelling your name) [23:18]
*** edmondsw has joined #openstack-keystone [23:18]
jamielennox: the fix is done for keystone, the patch i put up gives you a rollover for tempest for old and new scenarios and if you just have to enable both at once [23:19]
jamielennox: then you can roll project by project and just put up the corresponding tempest fix as you go [23:19]
jamielennox: IMO anything else is itching for a fight that we keep losing [23:20]
ayoung: We don't lose.  Nobody shows up, and the fight is cancelled. [23:22]
ayoung: Seriously, though, I suspect that oslo-context is the cause of this failure [23:22]
ayoung: There is nothing in Tempest that sets the admin project AFAICT [23:22]
*** edmondsw has quit IRC [23:23]
ayoung: and yet, I'm seeing 'is_admin_project': False in the keystone logs, and I don't know why else that would be the case [23:23]
*** lbragstad has joined #openstack-keystone [23:24]
*** ChanServ sets mode: +o lbragstad [23:24]
ayoung: I wonder...are we even using oslo-policy in keystone?  If not...then how does any of this work...we must be [23:25]
lbragstad: we use oslo.policy to register our own policies and we slim it into the "policy API" [23:27]
ayoung: lbragstad, I meant oslo-context [23:28]
ayoung: lbragstad, so is_admin_project defaulting happens there....that was jamielennox's push [23:29]
ayoung: I had an alternative, that did it in the keystone layer: [23:29]
lbragstad: so then we could keep the transition limits to oslo libraries [23:29]
lbragstad: er - compatibility [23:29]
jamielennox: we need to get out of the opinion that keystone is special here [23:29]
jamielennox: there's nothing we should be doing that is different to the other services [23:30]
jamielennox: oslo.context and oslo.policy are designed to play nice and abstract all this from services and keystone should use that [23:30]
ayoung: jamielennox, your statement, while accurate (and I wholeheartedly support) is actually irrelevant [23:31]
ayoung: something needs to default it, and it does not matter if it is the keystone server or oslo policy [23:32]
ayoung: I think that this level of defaulting actually should have happened in Keystone, but we still should have migrated Keystone over to oslo-context [23:32]
ayoung: so...the question is, does keystone enforce on oslo-context, and I think the answer is "not yet" [23:33]
ayoung: and that is what is messing me up [23:33]
jamielennox: it does not, it builds its own policy dict and uses oslo.policy [23:33]
ayoung: but then...why are any tokens coming through with is_admin_project=True in tempest [23:33]
jamielennox: is_admin_project=True makes some sense [23:34]
jamielennox: because the default is true [23:34]
jamielennox: it's =False that's concerning [23:34]
ayoung: it's only the default in oslo-context [23:35]
ayoung: is maybe some of keystone checking on context, and some on the token itself? [23:35]
ayoung: ok...lets agree to get Keystone testing on oslo-context as the next order of business. check_policy can get out of the dictionary business, but we do still need to append the token to the oslo-context to make Matt Happy [23:36]
ayoung: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/context.py  we have some context handling [23:38]
ayoung: jamielennox, http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/authorization.py#n135  is where is_admin_project is set, direct off the token [23:39]
jamielennox: can clean that up as well, most of the user_id= project_id= has been moved into oslo.context [23:40]
jamielennox: see i would like to kill that whole dict in favour of the oslo.context [23:40]
ayoung: jamielennox, go for it.  I'm in full support [23:41]
ayoung: I think that is where the breakage for token.* policy came in, too [23:41]
ayoung: jamielennox, is it just replacing the call here  http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/authorization.py#n78 to a call to oslo-context?  Or even pulling the context out of the environment? [23:42]
lbragstad: yeah - i remember looking at something in nova that was similar to that [23:42]
jamielennox: so keeping in mind that there are two parts to keystone, the auth and the crud [23:43]
jamielennox: the token model stuff is all useful for auth because we are building a lot [23:43]
jamielennox: for the crud components we just need to use the values from the environment that auth_token middleware sets [23:43]
jamielennox: so it's basically just request.context = oslo_context.Context.from_environment(env) [23:44]
ayoung: it only gets called here http://git.openstack.org/cgit/openstack/keystone/tree/keystone/middleware/auth.py#n196 [23:44]
jamielennox: it gets called there and assigned as request.environ[authorization.AUTH_CONTEXT_ENV] [23:45]
jamielennox: which there then gets used [23:45]
*** thorst has joined #openstack-keystone [23:46]
ayoung: I think it is a one line change.  Testing [23:50]
ayoung: jamielennox, I think my change was over writing that, and so mine can be pulled out [23:50]
*** thorst has quit IRC [23:50]
jamielennox: i was trying to limit what used that field but from memory there are still a couple of places that i couldn't get rid of [23:51]
ayoung: jamielennox, look at that function...I think 2/3rds of it is redundant [23:51]
jamielennox: well, i had multiple attempts at it :) [23:51]
ayoung: lets see if the one liner still passes the unit tests [23:52]
ayoung: if so, I'll submit it, and a follow on that starts removing dead code [23:52]
*** lbragstad has quit IRC [23:56]
ayoung: - Failed: 1160 [23:57]
ayoung: OK, so no [23:57]
