Tuesday, 2018-02-13

openstackgerrit: wangxiyuan proposed openstack/keystone master: Force SQLite to properly deal with foreign keys  https://review.openstack.org/126030 [01:53]
openstackgerrit: OpenStack Proposal Bot proposed openstack/keystone master: Imported Translations from Zanata  https://review.openstack.org/543826 [07:29]
openstackgerrit: James E. Blair proposed openstack/keystoneauth master: Zuul: Remove project name  https://review.openstack.org/543842 [08:07]
m3m0: hello, is it possible to create a group in keystone and add users from a different domain (ldap for instance?) [09:55]
cmurphy: m3m0: it's possible for users in one domain to be part of a group in another domain but it's not possible for a user in one backend (eg ldap) to be part of a group in another backend (eg sql) [10:03]
m3m0: cmurphy: got it, thanks, then I should have something bad in my conf: I keep getting this error: UNWILLING_TO_PERFORM: {'info': 'no global superior knowledge', 'desc': 'Server is unwilling to perform'} [10:15]
cmurphy: m3m0: that looks like an ldap server error, that doesn't come from keystone [10:18]
m3m0: cmurphy: yes, indeed comes from there, I'll take a look, thanks [10:19]
m3m0: and this is the error from keystone for reference: Group membership across backend boundaries is not allowed [10:21]
cmurphy: m3m0: right, that is what i meant by it not being possible to cross backends [10:23]
cmurphy: it's only possible if the domains are in the same backend [10:23]
lbragstad: o/ [13:57]
cmurphy: \o [13:58]
lbragstad: this is so weird... for some reason https://review.openstack.org/#/c/530410/ causes keystone to store more revocation events [14:06]
lbragstad: and one of them happens to match the token used by the administrator to clean up resources in tempest's teardown process [14:06]
lbragstad: hence, the 401 [14:07]
lbragstad: 0.0 [14:07]
cmurphy: o.0 [14:07]
cmurphy: go home, keystone, you're drunk [14:08]
lbragstad: an extra assignment that isn't used does that? really?! [14:08]
lbragstad: pretty much [14:10]
* lbragstad shakes head [14:50]
cwright: Hi, I'm trying to understand when to assign the `admin` role or the `service` role to a "systems" account. [15:17]
cwright: We have created a user, `mollusk`, that will be accessed programmatically to set quotas, etc throughout our OpenStack deployment. [15:17]
cwright: I've seen some places in documentation where it suggests the `admin` role should be added to the `mollusk` user, and other places I've seen it say the `service` role should be added instead. [15:18]
cwright: I'm also not clear which project this should be added under, `admin` project or `service` project. [15:18]
cwright: I may not be explaining this clearly, but does this make sense? [15:18]
lbragstad: cwright good question - your answer is going to depend partially on what policies you have setup for the `admin` role and the `service` role, and what the `mollusk` user needs from an API perspective [15:19]
cwright: lbragstad: I am using default policies at this point, no customizations made so far. [15:20]
lbragstad: cwright cool - in that case, the `service` role will have somewhat limited functionality compared to the `admin` role, but not by a whole lot [15:20]
cwright: We aren't sure exactly yet what all the `mollusk` user will need to do, but we'd like it to be able to perform most (if not all) administrative tasks via the api [15:21]
lbragstad: the `admin` role will get you that [15:21]
cwright: lbragstad: do you know of a document that details the differences between `admin` and `service` roles? [15:21]
lbragstad: cwright unfortunately, i don't think it exists [15:21]
lbragstad: we do have some work in flight to help with that though [15:22]
cwright: ah ok. Where we first ran into this is with setting quotas on swift accounts. We found a document that said we needed to create a `ResellerAdmin` role and add it to `mollusk` [15:22]
lbragstad: yeah - that's a role specifically for swift [15:22]
cwright: we aren't sure what limitations `ResellerAdmin` has [15:23]
lbragstad: right... [15:23]
cwright: oh, ok did not know that [15:23]
lbragstad: we'll - by specifically for swift, i mean, swift defines it and expects it in its service logic [15:23]
lbragstad: well* [15:23]
lbragstad: it's pretty much an opinionated set of authorization rules for swift [15:24]
cwright: ok, so do you know if swift would respect the `admin` role as well, or for swift are we required to use `ResellerAdmin`? [15:24]
lbragstad: i believe ResellerAdmin is a specific set of cases for swift, so i'm not sure reusing it for anything else will work as expected, but let me double check the code [15:25]
cwright: lbragstad: thanks so much [15:25]
knikolla: o/ [15:26]
lbragstad: "Users with the Keystone role defined in reseller_admin_role (ResellerAdmin by default) can operate on any account. The auth system sets the request environ reseller_request to True if a request is coming from a user with this role. This can be used by other middlewares." [15:27]
lbragstad: some related stuff here - https://docs.openstack.org/swift/latest/overview_auth.html#configuring-swift-to-use-keystone [15:27]
cwright: reading now... [15:28]
lbragstad: i don't think swift uses oslo.policy either [15:29]
lbragstad: edmondsw ping [15:30]
edmondsw: lbragstad headed into a mtg... [15:30]
lbragstad: edmondsw cwright has a couple questions that are a bit over my head regarding ResellerAdmin [15:30]
lbragstad: edmondsw and you're *way* more knowledgeable there than I am ;) [15:31]
edmondsw: cwright ping me in 30 min if I don't get back to you before that [15:32]
cwright: edmondsw: thanks, will circle back then [15:32]
lbragstad: cwright from what i know, swift handles policy and authorization a bit different than some of the other projects [15:35]
lbragstad: most of the other projects don't really define roles needed for the service [15:36]
lbragstad: but they define policies around what they assume to be there (like the `admin` role) [15:36]
lbragstad: since that's really the only role guaranteed to be present after bootstrapping keystone [15:36]
lbragstad: ideally, we'd like to move towards something like https://review.openstack.org/#/c/523973/ [15:37]
cwright: lbragstad: yea. I think the swift differences are responsible for part of my trouble understanding this, but also i'm not sure which project I should be using [15:42]
cwright: should the roles to `mollusk` be added in the `admin` or `service` projects? [15:42]
cwright: is `admin` special? [15:42]
lbragstad: oh - yeah, that's another good question [15:42]
lbragstad: yes and no [15:43]
lbragstad: if anything is really considered special in openstack authorization model, it's the presence of a role with the name 'admin' [15:43]
lbragstad: a lot of projects will look for a role named 'admin' when trying to determine if a user should be able to escalate privileges [15:44]
lbragstad: which is in the token reference in the authenticate and validation responses [15:44]
cmurphy: lbragstad: fyi i won't be at the meeting tonight [15:45]
lbragstad: which can be problematic because it means that anyone with a role names 'admin' on any project can do cloud administrator activities [15:45]
lbragstad: cmurphy ack - thanks for the heads up [15:46]
lbragstad: role named * [15:46]
cwright: so is it recommended to not assign the admin role generally? [15:47]
lbragstad: cwright by default - i wouldn't give admin to anyone who isn't expected to administer the deployment [15:47]
lbragstad: because you're giving them the power to do just about anything [15:48]
m3m0: hello :) is it possible to create a group for my ldap users? openstack group create group_for_ldap --domain ldap, because it fails with this error: UNWILLING_TO_PERFORM: {'info': 'no global superior knowledge', 'desc': 'Server is unwilling to perform'} [15:48]
m3m0: I don't understand why ldap is involved here other than for querying if it is supposed to be read-only [15:49]
lbragstad: m3m0 that kind of looks like an error from a separate backend? do your keystone.logs say anything? [15:49]
m3m0: yep, I have a separate backend for ldap [15:49]
lbragstad: cwright fwiw, we're going to be working to improve a lot of this (or that is the plan) [15:49]
cmurphy: m3m0: you can't create groups in ldap from keystone, keystone treats ldap as read-only [15:50]
lbragstad: cwright we implemented a feature in Queens that introduces a new assignment scope [15:50]
m3m0: other than the stacktrace and this:  {'info': 'no global superior knowledge', 'desc': 'Server is unwilling to perform'}, not much [15:50]
lbragstad: cwright so in addition to being able to assign users and groups roles on projects and domains, you're going to have the ability to assign users roles on the "system" [15:50]
cwright: lbragstad: i see. [15:51]
lbragstad: cwright long story short, we should hopefully be able to get away from having to overload roles with special values [15:51]
lbragstad: which will make things simpler and allow for tighter access control [15:52]
m3m0: cmurphy: if I want to create a group for my ldap users in keystone, is there anything I can do? modifying my ldap model maybe? [15:52]
lbragstad: m3m0 yeah - i think you'd have to do the creation in ldap, which should show up via keystone when you query groups [15:52]
lbragstad: cwright http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html the problem description here does a bit better job of explaining it [15:53]
cwright: so, sorry to keep coming back to this, but for my `mollusk` user who we want to be able to do most admin actions via the api, is there a reason to set the project to `admin` or `service`? [15:54]
cwright: openstack user create --domain XYZ --password '{{ account.password }}' --project admin mollusk [15:54]
cwright: or --project service [15:54]
cwright: this is one of the last pieces that my brain is struggling to grasp :) [15:55]
m3m0: lbragstad: is this the only conf I would need to change? group_tree_dn = ou=Groups,dc=example,dc=org and group_objectclass = groupOfNames?? (from https://docs.openstack.org/keystone/pike/admin/identity-integrate-with-ldap.html) [15:55]
lbragstad: cwright sorry - i got off on a tangent there [15:56]
lbragstad: cwright the `admin` project also has special meaning [15:56]
lbragstad: to a certain extent [15:56]
lbragstad: it was used to escalate privileges [15:57]
lbragstad: so if you had a token scoped to the admin project, you'd be able to do administrator-like things [15:57]
lbragstad: but until we get all the system scope stuff rolled out - `admin` is probably what you want [15:57]
lbragstad: cwright http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html#alternatives explains the significance of the `admin` project [15:59]
lbragstad: m3m0 i believe so - but i'd have to double check [15:59]
m3m0: I changed those parameters, restart httpd and query: openstack group list --domain ldap with no luck :( [15:59]
cwright: lbragstad: ok thanks so much, i'll read all this and get back to you if i have further questions.  i really appreciate you taking the time here [15:59]
lbragstad: cwright absolutely, it's confusing stuff and we have a lot of moving parts going on [16:00]
lbragstad: cwright happy to get feedback if you have any [16:00]
lbragstad: m3m0 are you using domain configuration for the ldap domain? [16:02]
m3m0: do you mean the conf in /etc/keystone/domains/keystone.ldap.conf? [16:03]
m3m0: if so, yes [16:03]
lbragstad: correct [16:05]
ayoung: lbragstad, and there you have bug 968696 in a nutshell [16:10]
openstack: bug 968696 in OpenStack Identity (keystone) ""admin"-ness not properly scoped" [High,In progress] https://launchpad.net/bugs/968696 - Assigned to Adam Young (ayoung) [16:10]
lbragstad: ayoung i'm getting so good at describing it... [16:11]
ayoung: lbragstad, eventually you will realize that we want the "RBAC from Middleware" proposal I wrote up.  We need an inventory of calls, and a way to map them back to the roles. [16:12]
ayoung: we need it in one place. [16:12]
ayoung: I'm pretty sure if you look at istio and 3scale, that is a part of what they are providing. [16:13]
ayoung: getting a scope on everything is a huge part of that, and I hope we are almost there....are we? [16:13]
lbragstad: getting there... still have a lot of work to get things fixed up across the other services [16:16]
ayoung: lbragstad, what is the plan for that...specifically for Nova?  I think that is the hardest one. [16:17]
lbragstad: it's part of our agenda at the PTG [16:17]
ayoung: I had a hack that was a starting point based on is_admin_project we should probably revisit...lemme see [16:17]
ayoung: https://review.openstack.org/#/c/384148/  lbragstad so that was my take on the way that the API calls should be scoped [16:18]
ayoung: convert the is_admin_project mechanism to a scoped token, and you should have the same general thing [16:18]
lbragstad: yeah - i have one of those in flight - https://review.openstack.org/#/c/525772/ [16:19]
ayoung: For example RULE: global_admin  should be system:admin [16:19]
lbragstad: i need to respin it [16:19]
ayoung: cool.  and it looks like Ken is actively reviewing [16:20]
edmondsw: cwright alright, finally out of my meeting, starting to read back [16:20]
ayoung: create:attach_volume is project scoped [16:21]
edmondsw: cwright the "service" role is really just for OpenStack services like nova. I don't think I've ever seen that given to an end user [16:21]
ayoung: on the create:forced_host....wow I didn't know we had that.  I would think that you would need a system scoped token to do that, though. [16:21]
edmondsw: ResellerAdmin is the default admin role for swift. Though you can call that something else if you prefer. It is configurable [16:22]
edmondsw: cwright more about that here: https://github.com/openstack/swift/blob/d2e32b39e8bead7984d205d532a489908be655ef/doc/source/overview_auth.rst#L308 [16:23]
ayoung: lbragstad, do we have an overall inventory of policy points?  I started doing that back years ago, and then got tripped up over network: being a duplicated prefix between nova and neutron.  But I think we can work around that by prefixing the service to the policy [16:23]
lbragstad: ayoung right - there is a ton of stuff like that [16:23]
ayoung: it's a little redundant for identity [16:23]
ayoung: identity:identity:create_user etc [16:23]
lbragstad: i'm not sure if there is a master doc [16:23]
ayoung: I am pretty sure there is not one [16:24]
lbragstad: but it shouldn't be hard to get now that you can generate it using policy in code [16:24]
ayoung: yep. [16:24]
ayoung: I had worked with things along these lines in Tripleo: [16:24]
ayoung: https://adam.younglogic.com/2016/08/rbac-policy-update-tripleo/ [16:24]
edmondsw: cwright here's at least one place it's checked in the code to give you an idea what it's allowed to do: https://github.com/openstack/swift/blob/3135878d2fe9909f49fcadeeb9cc6c6933d06127/swift/common/middleware/keystoneauth.py#L418 [16:25]
edmondsw: cwright I think the swift folks would typically expect you to keep ResellerAdmin and admin roles separate, but I'm not a swift expert [16:28]
cwright: edmondsw: thanks. I sometimes see `swiftoperator` and sometimes I see `ResellerAdmin`. have been trying to see if there is a difference, or if that is just a renaming [16:28]
ayoung: lbragstad, so system level permissions are not going to be sufficient to do project scoped operations?  We'll have to explicitly state that an API needs a system scoped role to allow for an override? [16:31]
edmondsw: cwright mollusk will need a role on the project that contains the resources you want him to manage. E.g. if you want his VMs in "projectA" then you give him a role on "projectA". [16:32]
edmondsw: cwright and give out the admin role carefully... it is the one role that can actually do things against other projects besides the one where it has a role [16:33]
edmondsw: cwright including really powerful things like deleting VMs, volumes, etc. [16:33]
ayoung: lbragstad, that is going to be a problem with "delete" calls.  Right now, if a user deletes a project in Keystone, there is going to be no way to clean up resources in Nova et alles, as there will be no way to get a project scoped token, and the deletes don't have a system scoped role annotated on them [16:33]
edmondsw: cwright but unfortunately there isn't always an alternative today... sometimes you just have to give the admin role to let someone do what they need to do. We're working on that. [16:34]
ayoung: I'm not sure how we implemented it, but I always envisioned the system scoped roles being allowed in to any project to perform the same operations.  So, say we had a "cleanup" role that could delete VMs, on the project level, that role is allowed to delete vms in the project, and at the system level it is allowed to delete VMs in any project [16:35]
ayoung: is that how we have it? [16:35]
ayoung: cuz I see your patch has a bunch of scope_types=['system', 'project']), [16:35]
lbragstad: hmmm [16:42]
lbragstad: i see what you mean with the delete case [16:43]
ayoung: lbragstad, why would you ever have a project scoped operation that a system scoped operator could not perform, too? [16:47]
lbragstad: my thinking there was that if an operation required a project for ownership of the resource, you won't have to modify the API to account for that when the scope isn't in the token itself [16:48]
ayoung: I see that as kind of separate from the access enforcement.  Yes, it may mean that a service scoped token cannot be used to do a certain call, but not due to access control rules, just due to API specification [16:49]
ayoung: let's limit the scoping to either project OR system with system implying project at the enforcement level [16:49]
ayoung: cleaner, simpler to implement, and it is required in most cases [16:50]
openstackgerrit: Murali Annamneni proposed openstack/keystone master: [WIP] Enables MySQL Cluster support for Keystone  https://review.openstack.org/431229 [16:58]
agrebennikov: @here hey folks, maybe anybody else can explain a little bit about federation mappings? Is it possible to have groups assignments only and have a user assertions to contain the groups he belongs to? [17:17]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Expose bug in /role_assignments API with system-scope  https://review.openstack.org/544011 [17:18]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Fix querying role_assignment with system roles  https://review.openstack.org/544012 [17:18]
lbragstad: cmurphy ayoung ^ [17:18]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Grant admin a role on the system during bootstrap  https://review.openstack.org/530410 [17:19]
lbragstad: ^ that should pass tempest now [17:19]
lbragstad: we'll need to backport those two patches to stable/queens for rc2 [17:19]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Fix querying role_assignment with system roles  https://review.openstack.org/544012 [17:23]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Grant admin a role on the system during bootstrap  https://review.openstack.org/530410 [17:23]
lbragstad: cc kmalloc knikolla gagehugo [17:24]
kmalloc: hmm [17:28]
kmalloc: lbragstad: those were easy [17:39]
lbragstad: kmalloc easy reviews? [17:44]
kmalloc: lbragstad: yeah [17:45]
lbragstad: that's the goal :) [17:46]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Fix querying role_assignment with system roles  https://review.openstack.org/544012 [17:57]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Grant admin a role on the system during bootstrap  https://review.openstack.org/530410 [17:57]
lbragstad: gagehugo kmalloc sorry - had to add a release note ^ [17:57]
kmalloc: lbragstad: +2'd again [17:58]
lbragstad: kmalloc thanks [17:58]
kmalloc: lbragstad:  i'm going to be on vacation again next week (partial week) [17:59]
kmalloc: lbragstad: i think [17:59]
kmalloc: lbragstad: still working out if i need to revisit going to the ptg. [18:00]
lbragstad: kmalloc sounds good - thanks for the heads up... hopefully you can make it [18:00]
openstackgerrit: Merged openstack/keystone master: Remove the sql token driver and uuid token provider  https://review.openstack.org/543060 [18:13]
kmalloc: lbragstad: i tossed a -2 on https://review.openstack.org/#/c/431229/26 [18:27]
kmalloc: this need documented test case before it can land. [18:28]
kmalloc: i want it to land [18:28]
kmalloc: but the fact it is rebased over and over dropping my -1 has brought me to toss a -2 until we have documented test plan going forward [18:28]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Expose bug in /role_assignments API with system-scope  https://review.openstack.org/544011 [19:20]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Fix querying role_assignment with system roles  https://review.openstack.org/544012 [19:20]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Grant admin a role on the system during bootstrap  https://review.openstack.org/530410 [19:20]
lbragstad: #startmeeting keystone-office-hours [19:54]
openstack: Meeting started Tue Feb 13 19:54:54 2018 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot. [19:54]
openstack: Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. [19:54]
*** openstack changes topic to " (Meeting topic: keystone-office-hours)" [19:54]
*** ChanServ changes topic to "Queens release schedule: https://releases.openstack.org/queens/schedule.html | Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting | Bugs that need triaging: http://bit.ly/2iJuN1h | Trello: https://trello.com/b/5F0h9Hoe/keystone" [19:54]
openstack: The meeting name has been set to 'keystone_office_hours' [19:54]
* lbragstad fails at meetings [19:55]
lbragstad: i should have started that about 55 minutes ago, but whatever [19:55]
kmalloc: heh [20:01]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Delete system role assignments when deleting users  https://review.openstack.org/543622 [20:25]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Expose bug in system assignment when deleting users  https://review.openstack.org/544067 [20:25]
lbragstad: that should take care of https://bugs.launchpad.net/keystone/+bug/1749264 [20:25]
openstack: Launchpad bug 1749264 in OpenStack Identity (keystone) "System role assignments exist after removing users" [High,In progress] - Assigned to Lance Bragstad (lbragstad) [20:25]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Expose bug in system assignment when deleting groups  https://review.openstack.org/544073 [20:50]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Delete system role assignments when deleting groups  https://review.openstack.org/544074 [20:50]
lbragstad: same goes for https://bugs.launchpad.net/keystone/+bug/1749267 and ^ [20:50]
openstack: Launchpad bug 1749267 in OpenStack Identity (keystone) queens "System role assignments exist after removing groups" [High,Triaged] [20:50]
lbragstad: this is ready for another pass [21:35]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Fix querying role_assignment with system roles  https://review.openstack.org/544012 [21:38]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Grant admin a role on the system during bootstrap  https://review.openstack.org/530410 [21:38]
lbragstad: https://review.openstack.org/#/c/544011/2 [21:39]
lbragstad: here is a link for all the patches in that series for both master and stable/queens - https://review.openstack.org/#/q/topic:bug/1748970+(status:open+OR+status:merged) [21:42]
lbragstad: a few more for the user bug (proposed to master and stable/queens) https://review.openstack.org/#/q/topic:bug/1749264+(status:open+OR+status:merged) [21:44]
kmalloc: k [21:45]
lbragstad: and finally https://review.openstack.org/#/q/topic:bug/1749267+(status:open+OR+status:merged) [21:45]
lbragstad: or i could make it easier on everyone with - https://goo.gl/aWTZDv [21:46]
lbragstad: ^ includes all patches to master and backports [21:46]
lbragstad: the bugs we talked about today [21:46]
kmalloc: +2 on all [21:47]
lbragstad: the code review equivalent of a grand slam [21:48]
kmalloc: lbragstad: looks like failing tests [22:28]
lbragstad: digging into it now [22:28]
kmalloc: lbragstad: 2018-02-13 21:32:24.586485 | primary | ImportError: /opt/stack/new/tempest/.tox/tempest/local/lib/python2.7/site-packages/netifaces.so: undefined symbol: PyUnicodeUCS2_FromString [22:29]
kmalloc: looks like some issues with not keystone [22:29]
lbragstad: hmm - because https://review.openstack.org/#/c/544073/1 and https://review.openstack.org/#/c/544074/1 failed [22:29]
lbragstad: one on neutron-grenade [22:29]
lbragstad: and the other on keystone-dvsm-functional [22:30]
kmalloc: yeah same error [22:30]
lbragstad: what log are you seeing that in? [22:31]
kmalloc: job output [22:31]
kmalloc: in both failed test runs [22:31]
kmalloc: http://logs.openstack.org/74/544074/1/check/keystone-dsvm-functional/91fc65e/job-output.txt.gz [22:32]
lbragstad: oh - i was buried in the logs already [22:33]
lbragstad: that's strange [22:33]
lbragstad: rechecked both [22:34]
kmalloc: vvvc ''''''''' [22:34]
kmalloc: yeah sounds good. [22:34]
kmalloc: lbragstad: pushed the changes to master through. waiting for those to land so we can hit stab/queens [23:23]
