Friday, 2018-02-09

*** itlinux has joined #openstack-keystone00:06
*** gongysh has joined #openstack-keystone00:21
*** dave-mccowan has joined #openstack-keystone00:22
*** threestrands has joined #openstack-keystone00:27
*** threestrands has quit IRC00:27
*** threestrands has joined #openstack-keystone00:27
*** itlinux has quit IRC00:34
*** zhurong has joined #openstack-keystone00:47
*** gongysh has quit IRC00:52
*** harlowja has joined #openstack-keystone00:57
*** daidv_ has quit IRC01:05
*** zhurong has quit IRC01:11
*** zhurong has joined #openstack-keystone01:14
*** threestrands has quit IRC01:29
*** r-daneel has quit IRC01:45
*** namnh has joined #openstack-keystone02:37
*** annp has joined #openstack-keystone03:07
*** jmlowe has quit IRC03:38
*** nicolasbock has quit IRC03:39
*** dave-mccowan has quit IRC03:48
*** nicolasbock has joined #openstack-keystone03:49
*** nicolasbock has quit IRC03:56
*** gongysh has joined #openstack-keystone04:04
*** namnh has quit IRC04:13
*** gongysh has quit IRC04:26
*** gongysh has joined #openstack-keystone04:26
*** jmlowe has joined #openstack-keystone04:26
*** gongysh has quit IRC04:27
*** sticker has joined #openstack-keystone04:34
*** zhurong has quit IRC04:35
*** links has joined #openstack-keystone04:52
*** links has quit IRC04:54
*** gongysh has joined #openstack-keystone04:54
*** links has joined #openstack-keystone05:03
*** links has quit IRC05:10
*** harlowja has quit IRC05:10
*** links has joined #openstack-keystone05:12
*** gongysh has quit IRC05:15
*** harlowja has joined #openstack-keystone05:35
*** zhurong has joined #openstack-keystone05:35
*** harlowja has quit IRC05:39
*** itlinux has joined #openstack-keystone05:58
*** itlinux has quit IRC06:27
*** sticker has quit IRC06:29
openstackgerritOpenStack Proposal Bot proposed openstack/keystone master: Imported Translations from Zanata
*** namnh has joined #openstack-keystone07:03
*** panbalag has joined #openstack-keystone07:04
*** panbalag has left #openstack-keystone07:10
*** rcernin has quit IRC07:17
*** AlexeyAbashkin has joined #openstack-keystone07:20
*** martinus__ has joined #openstack-keystone07:28
*** pcaruana has joined #openstack-keystone07:35
*** gongysh has joined #openstack-keystone07:38
*** AlexeyAbashkin has quit IRC07:44
*** AlexeyAbashkin has joined #openstack-keystone07:54
* cmurphy backs away slowly from the trello board08:17
*** tesseract has joined #openstack-keystone08:26
*** namnh has quit IRC08:27
*** d0ugal has quit IRC08:33
*** d0ugal has joined #openstack-keystone08:47
*** zhurong has quit IRC09:16
*** oxideYAALFX has joined #openstack-keystone09:24
*** oxideYAALFX has quit IRC09:24
*** edmondsw has joined #openstack-keystone09:40
*** edmondsw has quit IRC09:45
*** sambetts|afk is now known as sambetts09:50
*** AlexeyAbashkin has quit IRC09:56
*** AlexeyAbashkin has joined #openstack-keystone09:57
*** gongysh has quit IRC10:06
*** bhagyashri_s has joined #openstack-keystone10:06
*** bhagyashris has quit IRC10:08
*** brokenOL5Q5H has joined #openstack-keystone10:12
*** brokenOL5Q5H has quit IRC10:13
*** tbh_ has joined #openstack-keystone10:17
*** annp has quit IRC10:22
*** gongysh has joined #openstack-keystone10:35
*** gongysh has quit IRC10:56
*** d0ugal has quit IRC10:59
*** d0ugal has joined #openstack-keystone11:16
*** AlexeyAbashkin has quit IRC11:27
*** AlexeyAbashkin has joined #openstack-keystone11:30
*** nicolasbock has joined #openstack-keystone11:47
*** raildo has joined #openstack-keystone12:11
*** aloga has quit IRC12:16
*** aloga has joined #openstack-keystone12:17
*** bhagyashri_s is now known as bbs12:31
*** awestin1 has quit IRC12:32
*** awestin1 has joined #openstack-keystone12:33
*** tbh_ has quit IRC12:57
*** tesseract has quit IRC13:12
*** jmlowe has quit IRC13:26
*** betherly has quit IRC13:34
*** betherly has joined #openstack-keystone13:35
*** dave-mccowan has joined #openstack-keystone13:46
*** Supun has joined #openstack-keystone13:52
*** dave-mcc_ has joined #openstack-keystone13:53
*** edmondsw has joined #openstack-keystone13:54
*** dave-mccowan has quit IRC13:55
*** NobodyCam has quit IRC13:56
*** NobodyCam has joined #openstack-keystone13:56
*** links has quit IRC13:56
*** jmlowe has joined #openstack-keystone14:00
*** jmlowe has quit IRC14:05
*** jmlowe has joined #openstack-keystone14:13
*** dave-mcc_ has quit IRC14:17
lbragstadcmurphy: ridiculous, right?14:23
lbragstadre: trello board14:24
cmurphylbragstad: i just wanted to move a card to another lane...somehow managed to duplicate the card and "attach" it to another card14:24
cmurphyproject management is not in my future14:25
*** tesseract has joined #openstack-keystone14:28
*** david-lyle has quit IRC14:29
*** dave-mccowan has joined #openstack-keystone14:30
*** kmalloc has quit IRC14:40
*** dave-mccowan has quit IRC14:40
*** kmalloc has joined #openstack-keystone14:40
lbragstadi think it's weird to have nearly everything in the Done list14:43
cmurphythat is pretty weird14:44
*** hogepodge has quit IRC14:51
*** hogepodge has joined #openstack-keystone14:52
*** bbs has quit IRC14:54
*** Supun has quit IRC14:55
*** Supun has joined #openstack-keystone14:56
*** r-daneel has joined #openstack-keystone14:57
*** Supun has quit IRC15:02
*** dave-mccowan has joined #openstack-keystone15:03
lbragstadjust an FYI for folks15:06
lbragstadRC1 is going out the door
lbragstadbut needs to merge and we're going to need an RC215:08
cmurphydid you get an answer to your release note question?15:08
lbragstadyep - just did15:11
lbragstadlooks like we can reference the actual release notes once the branching happens15:12
lbragstadso - we have two options15:12
lbragstad1.) link to the unreleased notes and update later15:12
lbragstad2.) when we cut RC2 we'll just link to the release notes for queens then, because the branching should have already happened15:12
cmurphy2 sounds like less work15:13
cmurphywhen does branching happen?15:13
lbragstadbut, as a catch all, the release team has a tool that goes through and updates the releases with the notes at the end of every cycle15:13
cmurphyoh cool15:13
lbragstadafaik - branching happens when we merge the proposal for rc115:13
lbragstadeven though there is a work around - i'd like to get fixed for queens15:19
openstackLaunchpad bug 1714937 in OpenStack Identity (keystone) "keystone returns 500 on password change" [Low,In progress] - Assigned to Vishakha Agarwal (vishakha.agarwal)15:19
lbragstadbecause we're just going to remove it in rocky15:19
lbragstadand as soon as rocky is open, we can start ripping *all* that stuff out15:19
cmurphyneed to review that again15:21
lbragstadi started tinkering with it yesterday once i got a development box back up and running, but i'm kinda scrapping what i had in favor of a test that recreates it15:25
openstackgerritOpenStack Release Bot proposed openstack/keystone master: Update reno for stable/queens
*** david-lyle has joined #openstack-keystone15:30
*** AlexeyAbashkin has quit IRC15:40
*** AlexeyAbashkin has joined #openstack-keystone15:42
*** AlexeyAbashkin has quit IRC15:46
*** Supun has joined #openstack-keystone15:48
*** david-lyle has quit IRC15:51
*** david-lyle has joined #openstack-keystone15:55
openstackgerritMerged openstack/keystone master: Imported Translations from Zanata
*** r-daneel has quit IRC15:59
*** Supun has quit IRC16:00
*** pcaruana has quit IRC16:01
*** jmlowe has quit IRC16:06
lbragstadso - i don't think we have anything to fix here
openstackLaunchpad bug 1714937 in OpenStack Identity (keystone) "keystone returns 500 on password change" [Low,In progress] - Assigned to Vishakha Agarwal (vishakha.agarwal)16:07
lbragstadthe token.driver configuration option behaves just like any other configuration option and fails on startup if keystone doesn't recognize the value16:08
lbragstadwhich seems totally reasonable16:08
cmurphyhmm i guess so16:10
cmurphywhat if they have a custom driver?16:10
*** jaosorior has quit IRC16:10
*** itlinux has joined #openstack-keystone16:10
lbragstadif you provide a custom driver, you need to make an entry point for it so keystone can load it up with stevedore16:16
lbragstadand then you need to build with it16:17
lbragstadfor example -
lbragstad^ the project provides a couple auth plugins and token providers that do exactly that16:18
lbragstadso long as keystone has the driver/provider available in its namespace, it shouldn't value16:19
cmurphyokay i agree16:21
*** links has joined #openstack-keystone16:49
*** knasim-wrs has joined #openstack-keystone16:52
*** Supun has joined #openstack-keystone17:03
*** martinus__ has quit IRC17:10
*** AlexeyAbashkin has joined #openstack-keystone17:12
*** links has quit IRC17:15
*** Supun has quit IRC17:31
*** sambetts is now known as sambetts|afk17:36
knasim-wrsmorganfainberg: does oslo_cache.dict honour the CONF.cache.cache_expiration_time option, or do we need to explicitly pass it into the backend as cache_backend argument? Doing some testing with oslo_cache.dict and not seeing it clearing my cache after the configured 300 seconds17:36
*** harlowja has joined #openstack-keystone17:37
* lbragstad steps away for lunch17:42
knasim-wrskmalloc: does oslo_cache.dict honour the CONF.cache.cache_expiration_time option, or do we need to explicitly pass it into the backend as cache_backend argument? Doing some testing with oslo_cache.dict and not seeing it clearing my cache after the configured 300 seconds17:42
kmallocknasim-wrs: it should honor that as that is baked into dogpile.cache, but honestly, i'll need to check17:42
kmallocit won't explicitly clear, but it will clear on a .get, it scrubs the dict when you retrieve vs automatically17:43
*** r-daneel has joined #openstack-keystone17:48
*** AlexeyAbashkin has quit IRC17:48
knasim-wrsalso looks like the catalog caching and token caching times don't derive from the cache expiration time17:50
knasim-wrsthey have to be independently17:50
knasim-wrssame for resource caching time17:50
*** david-lyle has quit IRC17:50
kmallocknasim-wrs: so, need to pass in an argument to the backend17:51
kmallocso it won't expire unless you pass that in explicitly =/17:51
* kmalloc grumbles about inconsistent backend arguments17:51
kmallocthe in-process cache is not well tested17:51
kmallocbecause our stance has been it's ill suited for much of anything outside of testing.17:52
kmalloc(like POC)17:52
kmalloclooks like it's not going to meet your needs without patches17:52
openstackgerritMerged openstack/keystone master: Update OBS install docs for v2 removal
*** dave-mccowan has quit IRC17:57
*** dave-mccowan has joined #openstack-keystone17:58
*** Supun has joined #openstack-keystone17:59
*** AlexeyAbashkin has joined #openstack-keystone18:00
*** jmlowe has joined #openstack-keystone18:01
*** AlexeyAbashkin has quit IRC18:04
*** AlexeyAbashkin has joined #openstack-keystone18:08
logan-ping on -- easy friday review and it's a pike deployment blocker for me till this merges :)18:23
*** aojea has joined #openstack-keystone18:32
*** aojea_ has joined #openstack-keystone18:34
*** aojea has quit IRC18:37
*** aojea has joined #openstack-keystone18:39
*** aojea_ has quit IRC18:42
*** aojea_ has joined #openstack-keystone18:44
*** aojea has quit IRC18:47
*** aojea has joined #openstack-keystone18:49
*** aojea_ has quit IRC18:52
*** aojea_ has joined #openstack-keystone18:54
*** aojea_ has quit IRC18:56
*** aojea has quit IRC18:57
*** david-lyle has joined #openstack-keystone19:02
lbragstadlogan-: looks good - i passed it along to the stable team19:02
lbragstadto approve19:02
*** lbragstad has quit IRC19:18
*** AlexeyAbashkin has quit IRC19:21
*** lbragstad has joined #openstack-keystone19:37
*** ChanServ sets mode: +o lbragstad19:37
*** idlemind has quit IRC19:37
*** idlemind has joined #openstack-keystone19:38
*** AlexeyAbashkin has joined #openstack-keystone19:49
*** AlexeyAbashkin has quit IRC19:53
*** raildo has quit IRC19:55
*** tesseract has quit IRC20:00
*** Supun has quit IRC20:04
openstackgerritGage Hugo proposed openstack/keystone master: Add functional testing gate
*** ayoung has joined #openstack-keystone20:20
*** ayoung has quit IRC20:26
*** dave-mccowan has quit IRC20:39
*** martinus__ has joined #openstack-keystone20:44
lbragstadknikolla o/20:45
lbragstadi started working on your patch for 48757920:45
lbragstadbah - key bindings are messing me up20:46
openstackLaunchpad bug 1658641 in OpenStack Identity (keystone) "Moving/disabling LDAP users break Keystone queries depending on role ID" [Medium,In progress] - Assigned to Kristi Nikolla (knikolla)20:46
lbragstadthoughts on my last comment there ^?20:46
knikollayep. exactly for that my patch adds an `--assignments` option20:47
knikollawithout that option the current behaviour is preserved20:47
knikollawith that option it also purges assignments20:47
knikolla`--invalid` + `--assignments` only purges assignments for invalid users20:47
lbragstadafter tracing things, that seemed like what you were going for20:47
lbragstaddoes '--invalid' + '--assignments' not purge identities?20:48
knikollalbragstad: it does purge only the invalid identities and their assignments20:48
lbragstadotherwise - mapping purge drops all identities for the entire domain backend, regardless of them being present in ldap/ad?20:49
knikollalbragstad yes, since they are regeneratable20:49
knikollaa user list brings them back. but assignment removal needs to be explicit20:49
knikollaotherwise behaviour changes dramatically.20:49
lbragstadis it possible to use `--assignments` in that case?20:50
knikollalbragstad: yup, that's what assignments triggers.20:50
knikollapurge_mappings returns a list of users20:50
knikollaand goes through that, finds the assignments for those users/groups and removes them20:50
lbragstadbut if assignments is used in that case, is it going to drop all assignments for all users?20:51
knikollanot, just the ones returned from mapping_purge20:51
knikollabasically... the filters do the same filtering20:51
knikollawith an additional `--invalid` filter which can be combined with `--all` `--domain`, etc.20:51
knikollaassignments are only removed from what passes all filters. (returned from purge_mappings function in the driver)20:52
knikollathis way if u don't use either of the new two options, everything is still the same. `--invalid` does additional filtering to the already existing filters.20:53
knikollaand `--assignments` removes the assignments to whatever passes all the filters20:53
lbragstaddo we ever have a case where --invalid doesn't want to be run with --assignments?20:54
knikollalbragstad: probably not.20:54
lbragstadwhat happens if i remove all id_mappings for an entire backend20:55
lbragstadand i go to list role assignments20:55
knikolladepends. if you do include names, it will probably fail.20:55
knikollaif you do user list before that. it will not fail, unless you have invalid users.20:56
lbragstadright - assuming i don't have invalid users20:56
lbragstadsay i'm an operator and i want to clean out a domain20:56
lbragstadremove all users for the domain, their mappings, and role assignments20:56
knikolla`keystone-manage mapping_purge --domain <domain_id> --assignments`20:57
lbragstadright- ok20:57
lbragstadbecause otherwise it would be possible to break things20:57
lbragstadbecause if you did `keystone-manage mapping_purge --domain <domain_id>`20:57
knikollayep, that's why i had to split up the option to remove assignments and the option for only invalid.20:58
lbragstadand started querying keystone for role_assignments with names, then you'd get an error20:58
lbragstadbecause the assignments *for valid user* would still be around...20:58
lbragstadok - i think this is making sense...20:59
knikollayes, but adding assignment removal to an existing command that only cleans up things which can be regenerated is risky20:59
lbragstadthat was part of my concern in the comment20:59
lbragstadbut if they aren't cleaned up, keystone breaks when listing role assignments with names21:00
knikollalbragstad: user list after mapping purge solves that21:01
lbragstadif an operator removes all identity for a specific domain and doesn't clean up the assignments, then it would still be broken right?21:01
lbragstads/it/listing role assignments with names/21:02
knikollalbragstad: i think we enforce assignment deletion on user deletion?21:02
knikollaor u mean delete the entire domain21:02
lbragstadoh - i suppose21:03
lbragstadif they delete the entire domain, including its contents, that would be users, too21:03
lbragstadi was trying to see if there is a path where providing --assignments without --invalid would be useful21:04
knikollaeither way the only things that would break are admin only commands, with one off admin commands to fix the state21:04
lbragstadotherwise - why not just implement a single flag --cleanup-invalid-assignments21:05
lbragstadwhere any invalid users in the domain in question have their IDs removed from assignment tables21:05
knikollahmmm... i can't think of a case where users would need more flexibility than that21:05
knikollaprobably my patch has too much flexibility21:06
lbragstadit's kind of a slippery slope21:06
knikollaimplementation is the same, all that changes is `--cleanup-invalid-assignments = --all --invalid --assignments`21:07
lbragstadis --all for all domains?21:07
lbragstador is --all for all users in a specific domain?21:07
knikollaall is for all domains. there is a --domain option for a single domain21:07
lbragstadwould --cleanup-invalid-assignments --domain <domain_id> be useful?21:08
lbragstadthere isn't a reason to clean up one domain and not the other, is there?21:08
knikollai can't think of a reason why u would want invalid assignments to persist21:09
lbragstadif users come back and get the same ID, then operators are going to have to go back and rebuild the assignments for the user by hand21:10
knikollabut then you have an api call that doesn't work until that happens21:11
lbragstadi can see both sides of it21:13
lbragstadif it's a knee jerk reaction to role_assignments with names not working, then a user logs in after getting things fixed with their ldap groups and they don't see any of their projects, they have to find an operator21:14
knikollalet me go through the bug report again21:14
lbragstadmaybe ^ that's a super specific case21:14
knikollai might be misremembering what is the real issue21:14
lbragstada lot of the examples in the bug report highlight a specific user..21:14
lbragstadi also have no experience operating ldap backed domain deployments, so i'm not sure what's reasonable from an operator perspective21:15
knikollacause i just remembered a previous patch from me
* lbragstad got excited21:17
lbragstadfor a second i was like "how does that not fix too?!"21:17
openstackLaunchpad bug 1658641 in OpenStack Identity (keystone) "Moving/disabling LDAP users break Keystone queries depending on role ID" [Medium,In progress] - Assigned to Kristi Nikolla (knikolla)21:17
knikollayes, so the issue described in the current bug is listing users of a project fails21:20
knikollasee, i got confused with a bug i fixed a year ago, lol21:20
knikollain that case purging the mappings and assignments will fix it.21:20
* knikolla needs coffee21:22
knikollaanother approach would be to delete a role assignment for a user when get_user returns 40421:22
lbragstadwhich would affect more than just mappings21:22
lbragstador the domain specific backend mapping case21:23
lbragstadthat'd be a 401 -> 200 though for the role_assignment with names API21:23
knikollathe with names is not the issue, and it used to give a 40421:24
knikollathe issue is when listing users by project21:25
knikollaas it does a get assignments, and then get user on all that was returned21:25
knikollabut get user will fail for invalid users21:25
knikollatherefore return 40421:25
knikollasimilar issue but not quite.21:26
*** ayoung has joined #openstack-keystone21:30
lbragstadso - today21:31
lbragstadif you list role_assignment with names, and you have invalid mappings because users were removed from the backend, you'll get a 40121:32
lbragstadbecause it's going to try and pull a user reference for a user that doesn't exist21:34
lbragstadknikolla correct me if i'm wrong, but GET role_assignments is currently an admin only API21:43
knikollano, you'll get 200 because we'll fill in empty names.21:44
knikollawhat you'll get a 404 for is:21:44
knikollalisting users for a project21:44
knikollaat least from reading the bug report. i'm going to do some playing around during the weekend with ldap21:45
knikollaand see all the commands that break21:45
knikollamight be something else.21:45
knikollaand yes, get role assignments is admin only. listing users of a project is also admin only.21:45
knikollaalmost everything in keystone is admin only.21:45
lbragstadbut eventually - we'd probably want to expand the checks on those to open them up to non-system administrators21:47
lbragstadbecause that seems useful21:47
lbragstadi guess what i'm getting at is, right now the API breaks for cloud operators21:47
lbragstadwhen listing users for a project and those users don't exist in the backend21:48
lbragstadbut if we start making the policy checks a bit smarter, and allow them to be called by domain or project administrator (without exposing data outside the project or domain they are scoped to) then it will be a bug that affects them, too21:49
knikollayup, i agree21:49
knikollaand they won't have access to cloud admin commands to remedy the issue21:50
lbragstadbecause that flow wouldn't be ideal21:51
lbragstad1.) company administrator does stuff in AD that shuffles users around21:51
lbragstad2.) users with domain administrators role assignments in keystone start seeing the GET role_assignments API break with 40421:52
lbragstad3a.) domain administrators have to start submitting tickets to system administrators to cleanup their mappings and assignments21:53
lbragstad3b.) domain administrators have to start submitting tickets to the team that manages the corporate AD deployment to possibly break process and unshuffle users21:53
*** mchlumsky has quit IRC22:02
*** martinus__ has quit IRC22:05
*** r-daneel has quit IRC22:09
*** ildikov has quit IRC22:13
*** ildikov has joined #openstack-keystone22:14
*** dave-mccowan has joined #openstack-keystone22:40
*** trident has joined #openstack-keystone22:51
*** edmondsw has quit IRC22:59
*** knasim-wrs has quit IRC23:03
*** lbragstad has quit IRC23:49
