Tuesday, 2017-11-28

*** AlexeyAbashkin has joined #openstack-keystone		00:17
*** magicboiz has quit IRC		00:21
*** AlexeyAbashkin has quit IRC		00:21
*** jmlowe has quit IRC		00:39
*** jmlowe has joined #openstack-keystone		00:46
*** dklyle has quit IRC		00:54
*** david-lyle has joined #openstack-keystone		01:01
*** jose-phillips has quit IRC		01:21
*** jose-phi_ has joined #openstack-keystone		01:22
openstackgerrit	wangxiyuan proposed openstack/keystone master: Deprecate member_role_id and member_role_name https://review.openstack.org/522461	01:26
*** dave-mccowan has joined #openstack-keystone		01:36
*** aselius has quit IRC		02:08
*** annp has joined #openstack-keystone		02:10
*** AlexeyAbashkin has joined #openstack-keystone		02:16
*** zhurong has joined #openstack-keystone		02:18
*** AlexeyAbashkin has quit IRC		02:21
*** gagehugo has quit IRC		02:42
*** gyee_ has quit IRC		02:55
*** dave-mccowan has quit IRC		03:12
*** dave-mccowan has joined #openstack-keystone		03:13
*** dave-mcc_ has joined #openstack-keystone		03:16
*** dave-mccowan has quit IRC		03:18
*** links has joined #openstack-keystone		03:39
*** AlexeyAbashkin has joined #openstack-keystone		04:16
*** AlexeyAbashkin has quit IRC		04:21
*** zhurong has quit IRC		04:30
*** dave-mcc_ has quit IRC		04:42
*** threestrands has quit IRC		05:10
*** threestrands has joined #openstack-keystone		05:10
*** threestrands has quit IRC		05:10
*** threestrands has joined #openstack-keystone		05:10
*** threestrands has quit IRC		05:12
*** threestrands has joined #openstack-keystone		05:12
*** threestrands has quit IRC		05:12
*** threestrands has joined #openstack-keystone		05:12
*** sticker has quit IRC		05:49
*** zhurong has joined #openstack-keystone		06:05
*** pcaruana has joined #openstack-keystone		06:06
*** pcaruana has quit IRC		06:06
*** gagehugo has joined #openstack-keystone		06:51
*** threestrands has quit IRC		07:04
*** zhurong has quit IRC		07:05
*** namnh has joined #openstack-keystone		07:06
*** josecastroleon has joined #openstack-keystone		07:08
*** spectr has joined #openstack-keystone		07:18
*** spectr has quit IRC		07:21
*** magicboiz has joined #openstack-keystone		07:30
*** magicboiz has quit IRC		07:34
*** magicboiz has joined #openstack-keystone		07:35
*** AlexeyAbashkin has joined #openstack-keystone		07:52
*** rcernin has quit IRC		07:53
*** d0ugal has joined #openstack-keystone		07:55
openstackgerrit	wangxiyuan proposed openstack/keystone-specs master: Limits API https://review.openstack.org/455709	08:10
*** pcaruana has joined #openstack-keystone		08:28
*** magicboiz has quit IRC		08:36
*** AlexeyAbashkin has quit IRC		08:48
*** AlexeyAbashkin has joined #openstack-keystone		08:51
*** gmann is now known as gmann_afk		08:53
*** magicboiz has joined #openstack-keystone		08:53
*** magicboiz has quit IRC		08:58
*** zhurong has joined #openstack-keystone		09:20
*** sbezverk has quit IRC		09:22
*** evgenyf has joined #openstack-keystone		09:46
evgenyf	hi guys, does anyone know why when accessing the internal keystone URL, the request is redirected to the public URL ?	09:47
*** openstackgerrit has quit IRC		09:48
cmurphy	evgenyf: can you be more specific about what you're trying to do? is this happening with an openstackclient command?	09:49
evgenyf	cmurphy: I use openstack4J client and authenticate via <keystone internal URL IP>:5000/v2.0. I succeed in authentication and try to list security groups. I see the request goes to a public keystone URL (which IP is different from internal and admin)	09:55
*** rcernin has joined #openstack-keystone		09:55
evgenyf	cmurphy: the issue is that I have no access to the public URL IP. I do not understand why the request is going to the public URL instead of internal	09:57
cmurphy	evgenyf: if you succeed in authentication why are you accessing the keystone url again? it should auth with the keystone endpoint for auth and then access the neutron endpoint for security groups	10:02
cmurphy	evgenyf: i don't know much about openstack4J, do you have the same behavior with python-openstackclient?	10:03
*** namnh has quit IRC		10:07
evgenyf	cmurphy: I need to check it, thanks for your help	10:14
cmurphy	evgenyf: i'm still not sure what it is but in python-openstackclient there are OS_ENDPOINT_TYPE and OS_INTERFACE variables that control which interface to use, likely openstack4J has a translation of that that might help	10:15
cmurphy	evgenyf: also the neutron service itself will call to keystone and you can configure that interface in the [keystone_authtoken] section of the neutron config file, but i'm not sure if that's the public url traffic you're seeing	10:16
*** zhurong has quit IRC		10:19
*** annp has quit IRC		11:03
*** panbalag has joined #openstack-keystone		11:39
*** panbalag has left #openstack-keystone		11:39
*** efried has quit IRC		11:54
*** linpopilan has quit IRC		11:58
*** sapd_ has quit IRC		12:03
*** sapd__ has joined #openstack-keystone		12:03
*** d0ugal has quit IRC		12:04
*** efried has joined #openstack-keystone		12:07
*** d0ugal has joined #openstack-keystone		12:07
*** raildo has joined #openstack-keystone		12:10
*** aojea has joined #openstack-keystone		12:44
*** dave-mccowan has joined #openstack-keystone		13:06
*** aojea has quit IRC		13:10
*** magicboiz has joined #openstack-keystone		13:14
raildo	lbragstad, ping, are you around?	13:15
*** links has quit IRC		13:16
*** magicboiz has quit IRC		13:18
*** jdennis has quit IRC		13:18
*** magicboiz has joined #openstack-keystone		13:19
*** edmondsw has joined #openstack-keystone		13:22
raildo	lbragstad, about https://bugs.launchpad.net/keystone/+bug/1734871	13:28
openstack	Launchpad bug 1734871 in OpenStack Identity (keystone) "overcloud deployment fails on mistral action DeployStackAction" [Critical,Triaged] - Assigned to Raildo Mascena de Sousa Filho (raildo)	13:28
*** magicboiz has quit IRC		13:31
cmurphy	that commit is definitely the cause, woops	13:31
*** magicboiz has joined #openstack-keystone		13:33
cmurphy	i can fix	13:34
raildo	cmurphy, I was already fixing that, I was just want to ask for a quick review on it, since it's a promotion blocker for tripleo team	13:36
raildo	cmurphy, just keep the same pattern as role name https://github.com/openstack/keystone/blob/master/keystone/assignment/schema.py#L18	13:37
cmurphy	raildo: yes i would just change it to parameter_types.name	13:37
raildo	cmurphy, ++ if you want to send that change, just go ahead, I'm ok with that in either way :)	13:38
*** openstackgerrit has joined #openstack-keystone		13:38
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Fix role schema in trust object https://review.openstack.org/523415	13:38
cmurphy	raildo: done ^	13:38
raildo	cmurphy, thank you so much :)	13:39
cmurphy	np :)	13:39
raildo	cmurphy, btw, can we set the release of that bug for queens-2, since it's a simple change and it's also a blocker?	13:41
raildo	s/release/milestone	13:41
*** jdennis has joined #openstack-keystone		13:42
cmurphy	raildo: i would let lbragstad make that call, i'm not really sure what the rules are	13:43
cmurphy	raildo: why does it need a release if you're deploying from master?	13:43
raildo	cmurphy, hum... makes sense	13:43
*** evgenyf has quit IRC		14:00
*** thorst has joined #openstack-keystone		14:06
*** jmlowe has quit IRC		14:10
*** pcaruana has quit IRC		14:13
*** pcaruana has joined #openstack-keystone		14:17
openstackgerrit	Colleen Murphy proposed openstack/keystone master: Fix role schema in trust object https://review.openstack.org/523415	14:21
*** magicboiz has quit IRC		14:42
*** magicboiz has joined #openstack-keystone		14:43
gagehugo	o/	14:52
lbragstad	o/	14:53
*** spilla has joined #openstack-keystone		14:53
*** clayton has quit IRC		15:20
*** clayton has joined #openstack-keystone		15:21
*** d0ugal has quit IRC		15:28
*** jmlowe has joined #openstack-keystone		15:28
*** jmlowe has quit IRC		15:30
*** phalmos has joined #openstack-keystone		15:31
*** ayoung has joined #openstack-keystone		15:33
*** sapd__ has quit IRC		15:34
*** sapd_ has joined #openstack-keystone		15:34
knikolla	o/	15:40
*** d0ugal has joined #openstack-keystone		15:42
*** dklyle has joined #openstack-keystone		15:43
*** david-lyle has quit IRC		15:46
*** nicolasbock has joined #openstack-keystone		15:49
openstackgerrit	Merged openstack/keystone master: Validate disabled domains and projects online https://review.openstack.org/253273	15:52
*** masuberu has joined #openstack-keystone		16:01
*** masber has quit IRC		16:05
*** gagehugo has quit IRC		16:05
*** sbezverk has joined #openstack-keystone		16:07
*** masuberu has quit IRC		16:08
*** masuberu has joined #openstack-keystone		16:08
*** josecastroleon has quit IRC		16:15
kmalloc	lbragstad: +2 on system roles, lots of nits.	16:21
*** gagehugo has joined #openstack-keystone		16:26
cmurphy	what is the /v3/credentials API for? is it just an encrypted key-value store?	16:31
*** jmlowe has joined #openstack-keystone		16:38
*** AlexeyAbashkin has quit IRC		16:49
*** jmlowe has quit IRC		17:15
kmalloc	cmurphy, basically	17:27
openstackgerrit	ayoung proposed openstack/keystone master: Add is_admin_project check to policy for non scoped operations https://review.openstack.org/257636	17:27
kmalloc	cmurphy: it also is used for TOTP and a couple other things.	17:27
kmalloc	cmurphy: but it's mostly a crappy (but encrypted) kvs	17:28
kmalloc	also, it's design almost mandates a RDBMS backing it.	17:28
kmalloc	because the way the API allows for filtering.	17:28
cmurphy	kmalloc: at first it looked like a natural place to put application credentials but looking closer that would be kind of a hard fit	17:30
kmalloc	especially since you can extract the private data from it	17:31
kmalloc	with a simple list command	17:31
cmurphy	yeah that seems a little silly	17:31
kmalloc	in short, i would pretend "credentials" doesn't exist	17:31
cmurphy	sounds good	17:31
kmalloc	i'd be happy for a more generic backend for like app-creds and totp, etc	17:31
kmalloc	and we could migrate totp to it.	17:32
kmalloc	but creds is bad, and i would have advocated deleting it but we can't >.<	17:32
openstackgerrit	Colleen Murphy proposed openstack/keystone-specs master: Repropose application credentials to queens https://review.openstack.org/512505	17:33
lbragstad	kmalloc: awesome - i'll get those addressed today	17:33
lbragstad	in a follow on if that's cool	17:33
lbragstad	hrybacki: o/	17:33
lbragstad	hrybacki: i just responded on the mailing list ;)	17:33
kmalloc	lbragstad: totally	17:34
hrybacki	o/ lbragstad -- thank you. Stupid reply button :(	17:34
kmalloc	lbragstad: +2'd since it was all nits.	17:34
* cmurphy brb before meeting		17:36
hrybacki	lbragstad: meeting is in 22 minutes or 1hr 22 minutes?	17:38
lbragstad	hrybacki: 22 minutes	17:39
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs master: Address follow on comments for system-scope https://review.openstack.org/523491	17:49
*** KwozyMan has joined #openstack-keystone		17:49
lbragstad	hrybacki: kmalloc cmurphy ^	17:49
lbragstad	cmurphy: i replied to your comment on the system: {'all': true} stuff	17:50
kmalloc	+2	17:50
lbragstad	as far as assignments go, that should all be on the path and not in the request body itself	17:50
*** pcaruana has quit IRC		17:53
lbragstad	pre meeting ping: ayoung, breton, cmurphy, dstanek, edmondsw, gagehugo, henrynash, hrybacki, knikolla, lamt, lbragstad, lwanderley, kmalloc, rderose, rodrigods, samueldmq, spilla, aselius, dpar	17:55
*** thorst has quit IRC		17:57
*** thorst has joined #openstack-keystone		17:58
openstackgerrit	Merged openstack/keystone-specs master: Specification for system roles https://review.openstack.org/464763	18:00
*** josecastroleon has joined #openstack-keystone		18:02
*** thorst has quit IRC		18:02
*** jmlowe has joined #openstack-keystone		18:05
*** aselius has joined #openstack-keystone		18:09
*** thorst has joined #openstack-keystone		18:10
*** thorst has quit IRC		18:14
*** jmlowe has quit IRC		18:25
*** jmlowe has joined #openstack-keystone		18:28
openstackgerrit	Jaewoo Park proposed openstack/keystone master: Extend comparator support for project list by tags https://review.openstack.org/523499	18:34
*** thorst has joined #openstack-keystone		18:34
*** aojea has joined #openstack-keystone		18:35
*** AlexeyAbashkin has joined #openstack-keystone		18:35
*** josecastroleon has quit IRC		18:36
*** thorst has quit IRC		18:37
*** thorst has joined #openstack-keystone		18:38
*** AlexeyAbashkin has quit IRC		18:40
*** aojea has quit IRC		18:50
*** AlexeyAbashkin has joined #openstack-keystone		18:56
openstackgerrit	Colleen Murphy proposed openstack/keystone-specs master: Repropose application credentials to queens https://review.openstack.org/512505	18:58
cmurphy	fixed ^	18:58
*** AlexeyAbashkin has quit IRC		19:04
lbragstad	#startmeeting keystone-office-hours	19:07
openstack	Meeting started Tue Nov 28 19:07:08 2017 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.	19:07
openstack	Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.	19:07
*** openstack changes topic to " (Meeting topic: keystone-office-hours)"		19:07
*** ChanServ changes topic to "Queens release schedule: https://releases.openstack.org/queens/schedule.html \| Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting \| Bugs that need triaging: http://bit.ly/2iJuN1h \| Trello: https://trello.com/b/5F0h9Hoe/keystone"		19:07
openstack	The meeting name has been set to 'keystone_office_hours'	19:07
lbragstad	fyi - i'll be multi-tasking meeting for the next hour	19:09
openstackgerrit	Merged openstack/keystone master: Fix role schema in trust object https://review.openstack.org/523415	19:09
lbragstad	we do have a list of office-hours tagged bugs available, too	19:10
lbragstad	#link https://goo.gl/tRbEsD	19:10
*** KwozyMan_ has joined #openstack-keystone		19:13
*** KwozyMan has quit IRC		19:15
*** aojea has joined #openstack-keystone		19:34
*** links has joined #openstack-keystone		19:38
*** aojea has quit IRC		19:39
*** links has quit IRC		19:42
knikolla	i'm picking this up https://bugs.launchpad.net/keystone/+bug/1291157	19:43
openstack	Launchpad bug 1291157 in OpenStack Identity (keystone) "idp deletion should trigger token revocation" [Medium,In progress] - Assigned to Lance Bragstad (lbragstad)	19:43
lbragstad	knikolla: oh - sweet	19:43
lbragstad	knikolla: i was just about to start working on that but i'll move on to the next one :)	19:44
lbragstad	i'm going to pickup reviews for https://bugs.launchpad.net/keystone/+bug/1728690	19:45
openstack	Launchpad bug 1728690 in OpenStack Identity (keystone) "member_role_id/name conf options reference v2" [Medium,In progress] - Assigned to wangxiyuan (wangxiyuan)	19:45
lbragstad	i can also pick up https://bugs.launchpad.net/keystone/+bug/1662623	19:45
openstack	Launchpad bug 1662623 in OpenStack Identity (keystone) "Testing keystone docs are outdated" [Wishlist,Confirmed]	19:45
*** aojea has joined #openstack-keystone		19:51
efried	lbragstad cmurphy https://review.openstack.org/523515 Release keystoneauth 3.2.1	19:52
efried	lbragstad cmurphy I still really want to get https://bugs.launchpad.net/keystoneauth/+bug/1707993 done and in a release, but I'm stymied by the unit tests.	19:52
openstack	Launchpad bug 1707993 in keystoneauth "EndpointData.url should regurgitate my endpoint_override" [Low,In progress] - Assigned to Eric Fried (efried)	19:52
cmurphy	efried: yeah those tests are really hard to wrap a single brain around :(	19:54
*** aojea has quit IRC		19:56
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Update keystone testing documentation https://review.openstack.org/523524	20:17
*** phalmos has quit IRC		20:20
*** raildo has quit IRC		20:21
*** pcaruana has joined #openstack-keystone		20:21
*** phalmos has joined #openstack-keystone		20:30
*** KwozyMan_ has quit IRC		20:34
lbragstad	cmurphy: nice find - https://bugs.launchpad.net/keystone/+bug/1733836	20:46
openstack	Launchpad bug 1733836 in OpenStack Identity (keystone) "Support LDAP server discovery via DNS SRV records" [Wishlist,New]	20:46
knikolla	lbragstad: quick thought, can we make it so that unscoped tokens give the identity endpoint in the service catalog?	20:46
lbragstad	knikolla: jamielennox had that idea a while back	20:47
knikolla	the empty catalog messes up the clients	20:47
lbragstad	knikolla: i think it was actually proposed as a specification	20:47
lbragstad	i want to say there were some patches available for it, too	20:47
lbragstad	knikolla: yep	20:48
lbragstad	#link https://review.openstack.org/#/c/107333/	20:48
knikolla	i'll give it a look	20:49
knikolla	there's been several cases where i had to use the api directly because clients didn't like unscoped tokens for stuff which unscoped tokens should work	20:50
*** spilla has quit IRC		20:50
lbragstad	knikolla: yeah - we've had the discussion before	20:50
lbragstad	knikolla: and i know jamielennox had some work proposed for it	20:51
lbragstad	it might just be that it didn't get finished	20:51
*** spilla has joined #openstack-keystone		20:51
cmurphy	lbragstad: customer wanted that actually, not 100% sure keystone is the right place for it but thought i could bring it up	20:51
knikolla	cool. yeah, proposed for kilo, that predates me by a full cycle.	20:51
lbragstad	cmurphy: it's a good discussion	20:52
lbragstad	cmurphy: what the status of python-ldap?	20:52
*** edmondsw_ has joined #openstack-keystone		20:52
cmurphy	i forget, kmalloc ^ ?	20:52
cmurphy	iirc there are two and we're using the python3-compatible one	20:52
lbragstad	was there hesitation to add it because of resources or another reason?	20:53
*** spilla has quit IRC		20:55
cmurphy	lbragstad: security concerns https://mail.python.org/pipermail/python-ldap/2013q4/003299.html also concerns that changing how the url is read is a major change in behavior - "<hyc> it would be a major behavior change, I think no." from https://mail.python.org/pipermail/python-ldap/2013q4/003298.html	20:56
*** edmondsw has quit IRC		20:56
lbragstad	mmm	20:56
cmurphy	but that thread is from four years ago and was probably for the older python-ldap, not the one we're using	20:56
cmurphy	so probably worth revisiting with the current maintainer	20:56
lbragstad	++	20:58
cmurphy	i guess they're merging back https://github.com/pyldap/pyldap/blob/master/README#L2	21:00
lbragstad	huh	21:02
*** thorst has quit IRC		21:03
*** spilla has joined #openstack-keystone		21:04
*** aojea has joined #openstack-keystone		21:09
*** aojea has quit IRC		21:09
*** aojea has joined #openstack-keystone		21:11
kmalloc	cmurphy: hmmm.	21:18
kmalloc	cmurphy: we moved to a py3 compat one, didn't we?	21:18
kmalloc	oh wow. eye roll	21:19
cmurphy	kmalloc: yes we did, i see pyldap in setup.cfg	21:19
kmalloc	pyldap ... back to python-ldap, annoying.	21:20
cmurphy	lol	21:20
* kmalloc grumps.		21:21
kmalloc	I have to order a new part for my bike so i can use it on my trainer.	21:21
*** pcaruana has quit IRC		21:21
*** edmondsw_ is now known as edmondsw		21:27
openstackgerrit	Merged openstack/keystone-specs master: Outline policy goals https://review.openstack.org/460344	21:29
*** thorst has joined #openstack-keystone		21:30
*** rcernin has quit IRC		21:33
lbragstad	woo!	21:33
*** openstackstatus has quit IRC		21:42
*** openstack has joined #openstack-keystone		21:43
*** ChanServ sets mode: +o openstack		21:43
*** openstackstatus has joined #openstack-keystone		21:44
*** ChanServ sets mode: +v openstackstatus		21:44
lbragstad	cmurphy: thoughts on what to do with that section?	21:45
cmurphy	lbragstad: sounds like we could just remove it? if someone wants to make the changes to tox.ini to get it to work they could add docs back	21:46
lbragstad	yeah... that's what i'm thinking	21:46
cmurphy	but i don't feel like anyone is desperate for that functionality	21:47
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Update keystone testing documentation https://review.openstack.org/523524	21:47
lbragstad	right	21:47
lbragstad	imo most people limit the test set before pruning output	21:48
*** sticker has joined #openstack-keystone		21:55
*** thorst has quit IRC		21:56
jamielennox	lbragstad, knikolla: the identity endpoint in the unscoped token would be really useful for a lot of client stuff, however particularly the older clients and non-python clients test whether the token is scoped via the presence of the catalog instead of the presence of project_id or domain_id	22:15
jamielennox	with keystoneauth taking most of that away now it might be something that can be explored again	22:16
jamielennox	but it's an annoying assumption that people make	22:16
* cmurphy waves at jamielennox		22:16
jamielennox	hello - i still lurk	22:17
jamielennox	and i would still like a volunteer to take over: https://review.openstack.org/#/c/507726/	22:18
jamielennox	wait - it's way too early for cmurphy	22:18
cmurphy	on my way out for the night :)	22:19
*** rcernin has joined #openstack-keystone		22:23
openstackgerrit	ayoung proposed openstack/keystone master: Shift to check_policy for resource creation https://review.openstack.org/462670	22:24
lbragstad	jamielennox: woo, that'd be awesome	22:25
ayoung	jamielennox, you can help me debug the failure on this first: https://review.openstack.org/#/c/257636/37	22:26
ayoung	Its something Tempest related, I am fairly sure they trigger the is_admin_project not being on a context by setting it in a config file somewhere. But I don't know how.	22:27
*** thorst has joined #openstack-keystone		22:27
jamielennox	ayoung: sure, you need to get someone to land that patch i just mentioned in tempest, convert keystone over to using the "system" creds for those operations and then flip the switch	22:27
jamielennox	you can't land this stuff in a reasonable way until tempest supports it	22:28
ayoung	jamielennox, just the opposite	22:28
ayoung	jamielennox, I don't want tempest changing yet if I can help it	22:28
ayoung	but somewhere in the logs I can see that is_admin_proejct=False	22:28
ayoung	and that should not happen yet	22:28
jamielennox	i think i turned it on	22:28
ayoung	IN tempest?	22:29
ayoung	How? Let me understand that part, first, and, sure, I'll help tag team on whatever changes need to happen to close this out	22:29
ayoung	lbragstad, are you ok with https://review.openstack.org/#/c/462670/	22:30
jamielennox	oh no, still WIP: https://review.openstack.org/#/c/503140/	22:30
ayoung	Its your -1, but I think you backed off it.	22:30
lbragstad	ayoung: yeah - let me follow up on that	22:30
ayoung	jamielennox, so why would is_admin_project ever be false without that? I note that admin_project_name is not set in the keystone for devstack for the test	22:31
*** aojea has quit IRC		22:31
*** thorst has quit IRC		22:31
jamielennox	it shouldn't be without that set	22:35
jamielennox	that's why that patch exists so i could see what failed when i turned it on and there are a number of settings in cinder that already use is_admin_project	22:36
*** edmondsw has quit IRC		22:36
lbragstad	#endmeeting	22:36
jamielennox	though keystone is always a funny beast, we thought we were understood policy and so don't actually use the standard policy tools that all the other projects do	22:36
jamielennox	so keystone itself might set is_admin_project because that's a non-standard path	22:37
lbragstad	hmm	22:37
lbragstad	#endmeeting	22:37
*** thorst has joined #openstack-keystone		22:38
*** edmondsw has joined #openstack-keystone		22:39
openstackgerrit	Lance Bragstad proposed openstack/keystone-specs master: Add policy roadmap for security https://review.openstack.org/462733	22:39
*** thorst has quit IRC		22:42
*** edmondsw has quit IRC		22:43
lbragstad	#endmeeting	22:45
lbragstad	looks like openstack meeting bot is having some issues	22:45
cmurphy	i think it got restarted	22:47
lbragstad	oh	22:48
lbragstad	sounds like something i can test	22:48
lbragstad	#startmeeting keystone-office-hours	22:48
openstack	Meeting started Tue Nov 28 22:48:47 2017 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.	22:48
openstack	Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.	22:48
*** openstack changes topic to " (Meeting topic: keystone-office-hours)"		22:48
*** ChanServ changes topic to "Queens release schedule: https://releases.openstack.org/queens/schedule.html \| Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting \| Bugs that need triaging: http://bit.ly/2iJuN1h \| Trello: https://trello.com/b/5F0h9Hoe/keystone"		22:48
openstack	The meeting name has been set to 'keystone_office_hours'	22:48
lbragstad	$do-work	22:49
lbragstad	#endmeeting	22:49
*** openstack changes topic to "Queens release schedule: https://releases.openstack.org/queens/schedule.html \| Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting \| Bugs that need triaging: http://bit.ly/2iJuN1h \| Trello: https://trello.com/b/5F0h9Hoe/keystone"		22:49
openstack	Meeting ended Tue Nov 28 22:49:09 2017 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)	22:49
openstack	Minutes: http://eavesdrop.openstack.org/meetings/keystone_office_hours/2017/keystone_office_hours.2017-11-28-22.48.html	22:49
openstack	Minutes (text): http://eavesdrop.openstack.org/meetings/keystone_office_hours/2017/keystone_office_hours.2017-11-28-22.48.txt	22:49
openstack	Log: http://eavesdrop.openstack.org/meetings/keystone_office_hours/2017/keystone_office_hours.2017-11-28-22.48.log.html	22:49
lbragstad	sweet	22:49
ayoung	Are we going to have the keystone meetings in here now?	22:52
openstackgerrit	ayoung proposed openstack/keystone master: Add is_admin_project check to policy for non scoped operations https://review.openstack.org/257636	22:53
lbragstad	i don't think so - just office hours	22:53
lbragstad	until we get told otherwise?	22:53
cmurphy	i don't think anyone is kicking us out of the meeting channels	22:54
ayoung	jamielennox, BTW matt wants to maintain the ability to enforce policy on the token in Keystone. Says changing that is non-backwards compat and a regression	22:54
jamielennox	ayoung: ergh, any idea what he wants out of that? i wasn't going to remove it immediately but there's really nothing that should be available on keystone and not on the other services	22:55
jamielennox	also, it's super dependant on the token format which is wrong	22:56
ayoung	jamielennox, just that changing that is going to break custome policy deployed in lots of places	22:56
*** spilla has quit IRC		22:56
ayoung	yeah, and we still support both v2 and v3 tokens for the moment	22:56
jamielennox	ayoung: sure there's a deprecation period, but i'd like that not to be a forever policy and just tell us what he needs	22:57
ayoung	OH, I think deprecation is fine, but I think we need to explicitly add it in to the oslo-context that we use to check policy in Keystone's controllers	22:57
ayoung	I forget, did we even change Keystone to use context yet?	22:58
jamielennox	ayoung: no, i had multiple attempts and i was mid way through another when i left	23:02
jamielennox	ayoung: this was on the path again: https://review.openstack.org/#/c/508619/	23:03
jamielennox	i was trying to make policy enforcement not a decorator and break up the controller so we could pass context around like everyone else	23:03
ayoung	Oh, I like that one	23:03
jamielennox	but those sort of reviews lag	23:03
ayoung	jamielennox, I had a pre-req	23:03
*** swain has joined #openstack-keystone		23:03
ayoung	jamielennox, look at this one: https://review.openstack.org/#/c/462670/	23:04
jamielennox	that seems to be heading down the same path	23:05
ayoung	jamielennox, yeah	23:05
ayoung	jamielennox, we should be able to do your check once, in the wsgi layer. No?	23:06
jamielennox	yea, that's all it is	23:06
jamielennox	the rest of that patch is just explicitly calling out all the routes we have that don't need policy enforcement	23:06
jamielennox	so that the protection is opt-out not opt-in	23:06
ayoung	cool, yeah , I see now. We just still have a bunch of extensions that have one offs you covered there as well	23:06
ayoung	ok, with my code change, yours should be much smaller. Everything should go through check_policy, and you can set the flag on the way out	23:07
jamielennox	i mean long term i think it's valuable, but really it's mostly so that short term we could start tweaking how we did enforcement and know we didn't introduce a bug	23:07
jamielennox	yea, so i had WIP follow ups to that patch where i was pulling apart the policy checks and trying to simplify it	23:08
jamielennox	remove all those database getter functions from the controller	23:08
jamielennox	the flag is set on the request, my plan was that check_policy would take the request as a parameter and so would be set automatically once checked	23:09
jamielennox	but check_protection is a horrible function with crazy inputs because it's designed as a wrapper and it should be possible to break it up into something you can actually follow	23:10
ayoung	jamielennox, yep. It was just a minimal change to consolidate to a single function	23:15
ayoung	once its there, we can make it private, and make it sane	23:15
ayoung	but the primary effort needs to be close 968696 and getting a sane policy across the board. I really care jack about anything else	23:16
ayoung	That patch series is coming up on 2 years old.	23:16
jamielennox	ayoung: i think the more you push it under the covers without fixing tempest the bigger that fight is going to be	23:17
ayoung	jamielennox, there is a rational ordering	23:17
jamielennox	i had gansham and mtreinish on board for that patch i just need someone to actually work it through	23:17
*** lbragstad has quit IRC		23:17
ayoung	we need the fix in Keystone, but inactive. Then we explicitly enable in Tempest	23:18
ayoung	nothing else is going to work	23:18
ayoung	We can't lock Keystone in to the bad behavior, but it looks like that is what is happening anyway	23:18
jamielennox	(if gmann_afk see's that sorry for the complete butchering of spelling your name)	23:18
*** edmondsw has joined #openstack-keystone		23:18
jamielennox	the fix is done for keystone, the patch i put up gives you a rollover for tempest for old and new scenarios and if you just have to enable both at once	23:19
jamielennox	then you can roll project by project and just put up the corresponding tempest fix as you go	23:19
jamielennox	IMO anything else is itching for a fight that we keep losing	23:20
ayoung	We don't lose. Nobody shows up, and the fight is cancelled.	23:22
ayoung	Seriosuly, though, I suspect that oslo-context is the cause of this failure	23:22
ayoung	THere is nothing in Tempest that sets the admin project AFAICT	23:22
*** edmondsw has quit IRC		23:23
ayoung	and yet, I'm seeing 'is_admin_project': False in the keystone logs, and I don't know why else that would be the case	23:23
*** lbragstad has joined #openstack-keystone		23:24
*** ChanServ sets mode: +o lbragstad		23:24
ayoung	I wonder...are we even using oslo-policy in keystone? If not...then how does any of this work...we must be	23:25
lbragstad	we use oslo.policy to register our own policies and we slim it into the "policy API"	23:27
ayoung	lbragstad, I meant oslo-context	23:28
lbragstad	oh	23:28
ayoung	lbragstad, so is_admin_project defaulting happens there....that was jamielennox's push	23:29
ayoung	I had an alternative, that did it in the keystone layer:	23:29
lbragstad	so then we could keep the transition limits to oslo libraries	23:29
lbragstad	er - compatibility	23:29
jamielennox	we need to get out of the opinion that keystone is special here	23:29
jamielennox	there's nothing we should be doing that is different to the other services	23:30
jamielennox	oslo.context and oslo.policy are designed to play nice and abstract all this from services and keystone should use that	23:30
lbragstad	++	23:31
ayoung	jamielennox, your statement, while accurate (and I wholeheartedly support) is actually irrelevant	23:31
ayoung	something needs to default it, and it does not matter if it is the keystone server or oslo policy	23:32
ayoung	er	23:32
ayoung	context	23:32
ayoung	I think that this level of defaulting actually should have happened in Keystone, but we still should have migrated Keystone over to oslo-context	23:32
ayoung	so...the question is, does keystone enforce on oslo-context, and I think the answer is "not yet:	23:33
ayoung	and that is what is messing me up	23:33
jamielennox	it does not, it builds its own policy dict and uses oslo.policy	23:33
ayoung	but then...why are any tokens coming through with is_admin_project=True in tempest	23:33
jamielennox	is_admin_project=True makes some sense	23:34
jamielennox	because the default is true	23:34
jamielennox	its =False that's concerning	23:34
ayoung	its only the default in oslo-context	23:35
ayoung	is maybe some of keystone checking on context, and some on the token itself?	23:35
ayoung	ok...lets agree to get Keystone testing on oslo-context as the next order of business. check_policy can get out of the dictionary business, but we do still need to append the token to the oslo-context to make Matt Happy	23:36
ayoung	http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/context.py we have some context handling	23:38
ayoung	jamielennox, http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/authorization.py#n135 is where is_admin_project is set, direct off the token	23:39
jamielennox	can clean that up as well, most of the user_id= project_id= has been moved into oslo.context	23:40
jamielennox	see i would like to kill that whole dict in favour of the oslo.context	23:40
ayoung	jamielennox, go for it. I'm in full support	23:41
ayoung	I think that is where the breakage for token.* policy came in, too	23:41
ayoung	jamielennox, is it just replacing the call here http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/authorization.py#n78 to a call to oslo-context? Or even puling the context out of the environemnt?	23:42
lbragstad	yeah - i remember looking at something in nova that was similar to that	23:42
jamielennox	so keeping in mind that there are two parts to keystone, the auth and the crud	23:43
jamielennox	the token model stuff is all useful for auth because we are building a lot	23:43
jamielennox	for the crud components we just need to use the values from the environment that auth_token middleware sets	23:43
jamielennox	so it's basically just request.context = oslo_context.Context.from_environment(env)	23:44
ayoung	it only gets called here http://git.openstack.org/cgit/openstack/keystone/tree/keystone/middleware/auth.py#n196	23:44
jamielennox	it gets called there and assigned as request.environ[authorization.AUTH_CONTEXT_ENV]	23:45
jamielennox	which there then gets used	23:45
*** thorst has joined #openstack-keystone		23:46
ayoung	I think it is a one line change. Testing	23:50
ayoung	jamielennox, I think my change was over writing that, and so mine can be pulled out	23:50
*** thorst has quit IRC		23:50
jamielennox	i was trying to limit what used that field but from memory there are still a couple of places that i couldn't get rid of	23:51
ayoung	jamielennox, look at that function...I think 2/3rds of it is redundant	23:51
jamielennox	well, i had multiple attempts at it :)	23:51
ayoung	lets see if the one liner still passes the unit tests	23:52
ayoung	if so, I'll submit it, and a follow on that starts removing dead code	23:52
*** lbragstad has quit IRC		23:56
ayoung	- Failed: 1160	23:57
ayoung	OK, so no	23:57

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!