Tuesday, 2018-02-20

*** masber has joined #openstack-keystone 00:21
*** jrist has quit IRC 00:24
*** AlexeyAbashkin has joined #openstack-keystone 00:24
*** AlexeyAbashkin has quit IRC 00:28
*** itlinux has joined #openstack-keystone 00:29
itlinux: hello team.. what is the best way to use heat and add an ldap group to a project? Trying to figure it out.. no luck so far. Thanks 00:31
*** oikiki has joined #openstack-keystone 00:31
*** dave-mccowan has joined #openstack-keystone 00:31
*** jrist has joined #openstack-keystone 00:36
*** lbragstad has quit IRC 00:43
*** dave-mccowan has quit IRC 00:53
*** dave-mccowan has joined #openstack-keystone 01:18
*** oikiki has quit IRC 01:26
*** dave-mccowan has quit IRC 01:29
*** blake has joined #openstack-keystone 01:58
*** blake has quit IRC 02:02
*** blake has joined #openstack-keystone 02:03
*** blake has quit IRC 02:24
*** blake has joined #openstack-keystone 02:36
*** harlowja has quit IRC 02:52
*** lbragstad has joined #openstack-keystone 03:00
*** ChanServ sets mode: +o lbragstad 03:00
*** blake has quit IRC 03:05
*** dave-mccowan has joined #openstack-keystone 03:11
*** AlexeyAbashkin has joined #openstack-keystone 03:24
*** AlexeyAbashkin has quit IRC 03:29
*** links has joined #openstack-keystone 04:21
*** lbragstad has quit IRC 04:26
*** ying_zuo has left #openstack-keystone 04:41
*** openstackgerrit has joined #openstack-keystone 04:50
openstackgerrit: Merged openstack/keystone master: Populate application credential data in token  https://review.openstack.org/545971 04:50
*** harlowja has joined #openstack-keystone 04:54
*** dave-mccowan has quit IRC 05:02
openstackgerrit: Dinesh Bhor proposed openstack/python-keystoneclient master: Add return-request-id-to-caller function(v3)  https://review.openstack.org/267456 05:59
*** threestrands has quit IRC 07:10
*** harlowja has quit IRC 07:10
*** rcernin has quit IRC 07:12
*** Suramya has joined #openstack-keystone 07:24
*** pcaruana has joined #openstack-keystone 07:35
*** AlexeyAbashkin has joined #openstack-keystone 07:53
*** tesseract has joined #openstack-keystone 08:20
*** hoonetorg has quit IRC 08:24
*** hoonetorg has joined #openstack-keystone 08:42
openstackgerrit: Stefan Nica proposed openstack/keystonemiddleware master: Add option to disable using oslo_message notifier  https://review.openstack.org/545943 09:52
openstackgerrit: Stefan Nica proposed openstack/keystonemiddleware master: Add option to disable using oslo_message notifier  https://review.openstack.org/545943 10:24
openstackgerrit: Stefan Nica proposed openstack/keystonemiddleware master: Add option to disable using oslo_message notifier  https://review.openstack.org/545943 10:26
*** d0ugal_ has joined #openstack-keystone 10:31
*** d0ugal has quit IRC 10:34
openstackgerrit: Chris Dent proposed openstack/keystonemiddleware master: Identify the keystone service when raising 503  https://review.openstack.org/546108 10:36
*** jamespage has quit IRC 10:43
*** jamespage has joined #openstack-keystone 10:47
*** d0ugal_ has quit IRC 10:50
*** d0ugal has joined #openstack-keystone 10:51
*** d0ugal has quit IRC 10:51
*** d0ugal has joined #openstack-keystone 10:51
*** mvk_ has quit IRC 10:53
*** Supun has joined #openstack-keystone 12:04
*** frickler has quit IRC 12:09
*** frickler has joined #openstack-keystone 12:16
*** raildo has joined #openstack-keystone 12:18
openstackgerrit: Chris Dent proposed openstack/keystonemiddleware master: Identify the keystone service when raising 503  https://review.openstack.org/546108 12:22
*** panbalag has quit IRC 12:25
*** frickler has quit IRC 12:31
*** Supun has quit IRC 12:38
*** frickler has joined #openstack-keystone 12:44
*** Supun has joined #openstack-keystone 13:00
*** Supun has quit IRC 13:11
*** Supun has joined #openstack-keystone 13:31
*** Supun has quit IRC 13:43
*** Supun has joined #openstack-keystone 13:43
*** panbalag has joined #openstack-keystone 13:50
*** panbalag has left #openstack-keystone 13:50
*** dave-mccowan has joined #openstack-keystone 13:58
*** rmcall has joined #openstack-keystone 14:00
*** rmcall has quit IRC 14:08
*** panbalag has joined #openstack-keystone 14:10
*** links has quit IRC 14:15
*** larsks has joined #openstack-keystone 14:19
*** larsks has left #openstack-keystone 14:24
*** lbragstad has joined #openstack-keystone 14:29
*** ChanServ sets mode: +o lbragstad 14:29
* lbragstad is done shoveling snow for the day 14:35
cmurphy: lbragstad: here is a reward https://review.openstack.org/#/c/546065/ 14:36
lbragstad: sweet 14:37
*** david-lyle has quit IRC 14:38
*** Supun has quit IRC 14:47
*** Supun has joined #openstack-keystone 14:48
*** hoonetorg has quit IRC 14:54
openstackgerrit: Lance Bragstad proposed openstack/keystone-specs master: Repropose JWT specification for Rocky  https://review.openstack.org/541903 14:55
*** d0ugal has quit IRC 14:59
*** d0ugal has joined #openstack-keystone 15:00
*** r-daneel has joined #openstack-keystone 15:07
*** itlinux has quit IRC 15:16
*** Supun has quit IRC 15:18
gagehugo: o/ 15:19
lbragstad: morning 15:20
*** hoonetorg has joined #openstack-keystone 15:25
knikolla: o./ 15:29
openstackgerrit: Chris Dent proposed openstack/keystonemiddleware master: Identify the keystone service when raising 503  https://review.openstack.org/546108 15:32
*** d0ugal has quit IRC 15:36
*** d0ugal has joined #openstack-keystone 15:40
openstackgerrit: Kristi Nikolla proposed openstack/keystone master: Only upload SP metadata to testshib.org if IDP id is testshib  https://review.openstack.org/545471 15:41
*** gagehugo has left #openstack-keystone 15:44
*** gagehugo has joined #openstack-keystone 15:44
knikolla: lbragstad: want eyes on "keystone refactor"? 15:47
lbragstad: knikolla my "rewrite keystone" patch? 15:47
*** david-lyle has joined #openstack-keystone 15:47
knikolla: yes, that one. 15:47
knikolla: just had my morning coffee, so it's the perfect time, haha. 15:48
lbragstad: lol 15:48
lbragstad: sure - https://review.openstack.org/#/c/545450/ 15:48
lbragstad: it's still really rough - i'm more or less just hacking away at it to see how we can approach breaking it apart 15:49
knikolla: lbragstad: saw the WIP prefix so I thought to ask first :) 15:49
lbragstad: knikolla if you see any seems where we can split it into smaller changes, that'd be helpful 15:50
lbragstad: seams* 15:50
*** nkinder has joined #openstack-keystone 15:50
*** d0ugal has quit IRC 15:52
knikolla: lbragstad: first question is why have both KeystoneToken and TokenModel? 15:53
lbragstad: knikolla good question 15:53
lbragstad: the KeystoneToken subclasses dict 15:53
lbragstad: so when we used it originally, we'd have a token reference and then just pass the entire token reference to the model and get back an object 15:54
lbragstad: the TokenModel bit was an attempt to try and approach it differently 15:54
lbragstad: (since we're not keeping references anywhere 15:54
lbragstad: ) 15:54
lbragstad: instead - if you have information about an authorization context, you can pass those as kwargs to a TokenModel object and get back an object representation that you can query 15:55
knikolla: makes sense. so the goal is to remove the one subclassing dict? 15:56
lbragstad: yeah - i'm not sure 15:56
lbragstad: i don't really see a reason in keeping it if we don't use dictionaries anymore 15:56
lbragstad: or pass dictionaries around to do get KeystoneToken objects 15:56
lbragstad: s/do// 15:56
lbragstad: totally open to suggestions here 15:57
knikolla: lbragstad: i agree. 15:57
lbragstad: one thing i noticed when working on it though was... 15:57
lbragstad: it *should* force us to figure out what exactly defines a token 15:58
lbragstad: instead of just passing a dictionary that may or may not have some keys present in it 15:58
knikolla: ++ 15:58
knikolla: dictionaries are the one feature i'm usually most conflicted about when programming. 15:58
lbragstad: i'm not exactly sure how that is going to look yet, but i didn't think it was a bad thing 15:58
*** panbalag1 has joined #openstack-keystone 15:59
*** panbalag1 has left #openstack-keystone 15:59
*** panbalag has quit IRC 15:59
knikolla: "oh, nice, i don't have to write a class for this thing" and then you end up passing it around the entire application. 15:59
lbragstad: right 15:59
lbragstad: we rely on that a lot in the token provider api 15:59
lbragstad: we have a lot of hooks that look for specific things in a dictionary to do something 16:00
lbragstad: and depending on how complicated the dictionary is, it can be tough to follow 16:00
knikolla: lbragstad: that logic should be moved inside the class instead of outside maybe 16:00
*** rodrigods has quit IRC 16:01
lbragstad: yeah - that was another bit i was fighting with 16:01
lbragstad: how much validation do you do when you create the object? 16:01
lbragstad: or do you leave some of that for the view to render? 16:01
knikolla: lbragstad: enough for it to always be in a consistent state. 16:01
lbragstad: (since the view is essentially the v3 representation of the token) 16:01
*** rmascena has joined #openstack-keystone 16:02
*** rmascena is now known as raildo_ 16:02
knikolla: there's not much that a view can do if the object fails validation. 16:02
lbragstad: right 16:03
knikolla: so the model needs to make sure to forbid anything that turns it into an invalid state. 16:03
lbragstad: would you consider the token model to fail creating an object if a user's domain is disabled? 16:03
knikolla: programming video games makes you think a lot about interactions between entities, lol 16:03
lbragstad: or would you leave that to the controller (view) to check 16:03
knikolla: lbragstad: controller, as you wouldn't be able to get a token in the first place. 16:04
lbragstad: so the controller would do the: 16:04
lbragstad: if not token.user.enabled: 16:04
lbragstad: raise Forbidden() 16:04
*** spilla has joined #openstack-keystone 16:04
*** raildo has quit IRC 16:04
*** raildo_ is now known as raildo 16:05
knikolla: lbragstad: wouldn't you not even be able to create a token in that case? 16:05
*** afazekas is now known as afazekas|air 16:05
lbragstad: i think i had my terms mixed up 16:05
lbragstad: you must have meant controller as the token model? 16:06
lbragstad: and i meant controller as the view? 16:06
*** Supun has joined #openstack-keystone 16:06
*** itlinux has joined #openstack-keystone 16:06
knikolla: lbragstad: i haven't dived into the code to see exactly how keystone does the division yet. so i was going with the general case. 16:06
lbragstad: oh 16:06
*** d0ugal has joined #openstack-keystone 16:07
lbragstad: right now - we rely on a utility class to validate a token dictionary 16:07
knikolla: with view being what renders the token object into whatever token format. the controller handling the token creation. and token model representing the token. 16:07
knikolla: and controller also connecting the various pieces together. 16:07
lbragstad: right 16:07
lbragstad: i have a basic representation of the model and most of the business logic in the auth/controller.py currently 16:09
knikolla: i see. 16:12
*** links has joined #openstack-keystone 16:15
*** d0ugal has quit IRC 16:17
lbragstad: totally open to suggestions 16:19
*** pcaruana has quit IRC 16:21
knikolla: lbragstad: IMO. i think a lot of what's in auth/controller.py can be moved inside the object. the object doesn't have to be a 1-1 representation of the rendering of a token, so there's less burden on setting things exactly as they should be rendered, that should be done by the view. 16:24
knikolla: and the model should handle as much of the validation as it can reason about its internal state. 16:24
lbragstad: yeah - that's true 16:25
*** Supun has quit IRC 16:26
*** AlexeyAbashkin has quit IRC 16:26
openstackgerrit: Colleen Murphy proposed openstack/keystonemiddleware master: Identify the keystone service when raising 503  https://review.openstack.org/546108 16:32
*** d0ugal has joined #openstack-keystone 16:34
kmalloc: cmurphy: nice, thanks for the relnote update ^ 16:39
kmalloc: lbragstad: pushed the SQLite FK change through 16:41
lbragstad: kmalloc was that one all squared away? 16:44
lbragstad: cmurphy we're not going to allow people to create application credentials for other users, are we? 16:45
lbragstad: like - that shouldn't be something an administrator of any kind should be able to do? 16:45
kmalloc: lbragstad: as far as i could tell, yes 16:45
cmurphy: lbragstad: that's true right now, because it's following what we do for trusts 16:46
lbragstad: cmurphy ++ 16:46
*** gyee has joined #openstack-keystone 16:46
*** r-daneel has quit IRC 16:55
*** d0ugal has quit IRC 16:59
*** itlinux has quit IRC 17:02
*** d0ugal has joined #openstack-keystone 17:03
*** itlinux has joined #openstack-keystone 17:05
*** r-daneel has joined #openstack-keystone 17:13
*** harlowja has joined #openstack-keystone 17:23
*** pcaruana has joined #openstack-keystone 17:36
*** links has quit IRC 17:37
*** d0ugal has quit IRC 17:38
*** Supun has joined #openstack-keystone 17:44
openstackgerrit: Merged openstack/keystonemiddleware master: Updated from global requirements  https://review.openstack.org/545544 17:55
*** AlexeyAbashkin has joined #openstack-keystone 17:57
*** d0ugal has joined #openstack-keystone 18:00
*** AlexeyAbashkin has quit IRC 18:02
*** openstackgerrit has quit IRC 18:03
*** d0ugal has quit IRC 18:05
*** Supun has quit IRC 18:05
*** dklyle has joined #openstack-keystone 18:08
*** d0ugal has joined #openstack-keystone 18:11
*** david-lyle has quit IRC 18:12
*** Supun has joined #openstack-keystone 18:13
*** openstackgerrit has joined #openstack-keystone 18:13
openstackgerrit: Merged openstack/keystonemiddleware master: Add option to disable using oslo_message notifier  https://review.openstack.org/545943 18:13
*** AlexeyAbashkin has joined #openstack-keystone 18:13
*** pcaruana has quit IRC 18:16
*** AlexeyAbashkin has quit IRC 18:17
openstackgerrit: Merged openstack/keystone master: Force SQLite to properly deal with foreign keys  https://review.openstack.org/126030 18:19
*** oikiki has joined #openstack-keystone 18:23
*** harlowja has quit IRC 18:23
*** spilla has quit IRC 18:25
*** Supun has quit IRC 18:29
lbragstad: cmurphy fyi - i took a stab at https://bugs.launchpad.net/keystone/+bug/1750615 18:35
openstack: Launchpad bug 1750615 in OpenStack Identity (keystone) "The v3 application credential API should account for different scopes" [High,Triaged] 18:35
lbragstad: i've had opening those bugs for the FIXMEs on my list of things to do for a while 18:36
lbragstad: but that acceptance criteria certainly isn't set in stone 18:36
lbragstad: just wanted to get things kick started - and that seems like an interesting resource 18:36
cmurphy: lbragstad: cool 18:36
* lbragstad is anxious to talk about user-scope 18:36
*** d0ugal has quit IRC 18:38
*** d0ugal has joined #openstack-keystone 18:39
*** tesseract has quit IRC 18:45
*** panbalag has joined #openstack-keystone 18:49
*** panbalag has left #openstack-keystone 18:51
*** d0ugal has quit IRC 18:51
*** dklyle has quit IRC 18:53
*** harlowja has joined #openstack-keystone 18:55
*** d0ugal_ has joined #openstack-keystone 18:57
*** harlowja_ has joined #openstack-keystone 18:59
*** david-lyle has joined #openstack-keystone 18:59
*** harlowja has quit IRC 18:59
*** david-lyle has quit IRC 19:04
*** david-lyle has joined #openstack-keystone 19:04
lbragstad: #startmeeting keystone-office-hours 19:06
openstack: Meeting started Tue Feb 20 19:06:54 2018 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot. 19:06
openstack: Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 19:06
*** openstack changes topic to " (Meeting topic: keystone-office-hours)" 19:06
*** ChanServ changes topic to "Queens release schedule: https://releases.openstack.org/queens/schedule.html | Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting | Bugs that need triaging: http://bit.ly/2iJuN1h | Trello: https://trello.com/b/5F0h9Hoe/keystone" 19:06
openstack: The meeting name has been set to 'keystone_office_hours' 19:06
lbragstad: alright - today i'm going to focus on the opposite of what we should be doing for office hours 19:07
lbragstad: in other words, i'm going to open a bunch of bugs to document the FIXMEs for scope types 19:07
openstackgerrit: Merged openstack/keystonemiddleware master: Identify the keystone service when raising 503  https://review.openstack.org/546108 19:13
*** nixi_girl has joined #openstack-keystone 19:22
*** spilla has joined #openstack-keystone 19:29
*** d0ugal_ has quit IRC 19:45
*** Suramya has quit IRC 19:49
*** d0ugal_ has joined #openstack-keystone 19:56
*** dave-mccowan has quit IRC 19:57
*** jroll has quit IRC 19:58
*** d0ugal_ has quit IRC 20:03
*** d0ugal_ has joined #openstack-keystone 20:04
*** raildo has quit IRC 20:05
*** jroll has joined #openstack-keystone 20:07
*** d0ugal_ has quit IRC 20:10
*** d0ugal_ has joined #openstack-keystone 20:14
*** AlexeyAbashkin has joined #openstack-keystone 20:23
lbragstad: gagehugo ping 20:23
lbragstad: still in a workshop? 20:23
gagehugo: o/ 20:23
gagehugo: yeah but multitasking 20:23
lbragstad: ok - i'm trying to wrap my head around https://github.com/openstack/keystone/blob/68df7bf1f3b3d6ab3f691f59f1ce6de6b0b1deab/keystone/common/policies/project.py#L101-L108 but it can wait 20:25
lbragstad: if you're busy 20:25
lbragstad: i'm not sure i'd be able to multitask with the questions i'm asking myself right now :) 20:25
gagehugo: that todo seems correct imo 20:25
gagehugo: project admin should be able to tag their project, system admin tag all 20:26
*** AlexeyAbashkin has quit IRC 20:27
lbragstad: ok - so project tags aren't intended for things like billing/accounting, even though they totally could be used for it according to the current implementation 20:27
gagehugo: preferably not haha 20:27
gagehugo: but yeah 20:27
gagehugo: are you thinking they should probably be project only? 20:29
*** d0ugal_ has quit IRC 20:30
lbragstad: well- i'm just thinking about it 20:36
*** dave-mccowan has joined #openstack-keystone 20:36
lbragstad: because i'm trying to write some acceptance criteria for how they should behave with different scopes 20:37
lbragstad: and it led me to "should we assume people are going to use this feature for things like billing and accounting?" 20:37
lbragstad: if so - how does that affect how the API should work from an RBAC perspective 20:38
lbragstad: when you tag a nova instance or neutron network, as the creator of the resource do you have power to tag it? 20:39
*** pcaruana has joined #openstack-keystone 20:40
*** oikiki has quit IRC 20:48
*** oikiki has joined #openstack-keystone 20:48
gagehugo: nova yes 20:54
gagehugo: https://github.com/openstack/nova/blob/master/nova/policies/server_tags.py 20:54
gagehugo: ADMIN_OR_OWNER 20:54
*** dave-mccowan has quit IRC 20:56
*** d0ugal_ has joined #openstack-keystone 20:56
*** spilla has quit IRC 20:58
lbragstad: ok 20:58
*** dmellado has quit IRC 20:58
lbragstad: so - then we'd be somewhat consistent 20:58
lbragstad: with that approach 20:59
*** r-daneel_ has joined #openstack-keystone 20:59
gagehugo: yeah we tried to follow the other projects in terms of policy if I remember correctly 20:59
lbragstad: yep 20:59
*** r-daneel has quit IRC 21:00
*** r-daneel_ is now known as r-daneel 21:00
*** spilla has joined #openstack-keystone 21:05
*** spilla_ has joined #openstack-keystone 21:07
*** spilla has quit IRC 21:07
*** spilla_ has quit IRC 21:13
*** spilla has joined #openstack-keystone 21:13
*** AlexeyAbashkin has joined #openstack-keystone 21:23
*** AlexeyAbashkin has quit IRC 21:27
*** pcaruana has quit IRC 21:37
*** aojea has joined #openstack-keystone 21:40
*** aojea has quit IRC 21:44
*** oikiki_ has joined #openstack-keystone 21:59
*** oikiki has quit IRC 22:02
*** d0ugal_ has quit IRC 22:03
lbragstad: #endmeeting 22:07
*** openstack changes topic to "Queens release schedule: https://releases.openstack.org/queens/schedule.html | Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting | Bugs that need triaging: http://bit.ly/2iJuN1h | Trello: https://trello.com/b/5F0h9Hoe/keystone" 22:07
openstack: Meeting ended Tue Feb 20 22:07:26 2018 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) 22:07
openstack: Minutes:        http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-02-20-19.06.html 22:07
openstack: Minutes (text): http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-02-20-19.06.txt 22:07
openstack: Log:            http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-02-20-19.06.log.html 22:07
*** dmellado has joined #openstack-keystone 22:18
*** r-daneel has quit IRC 22:22
*** r-daneel has joined #openstack-keystone 22:22
*** threestrands has joined #openstack-keystone 22:23
openstackgerrit: Gage Hugo proposed openstack/keystone master: Add functional testing gate  https://review.openstack.org/531014 22:26
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Remove v2.0 policies  https://review.openstack.org/546420 22:27
lbragstad: not super critical - but we should try and get ^ backported before rc2 22:27
gagehugo: lbragstad are we keeping https://review.openstack.org/#/c/546420/1/doc/source/getting-started/policy_mapping.rst@136 in there? 22:30
lbragstad: oh - i missed one 22:30
gagehugo: I think validate has one as well 22:30
lbragstad: ahh - i didn't grep doc/ 22:30
gagehugo: lol 22:30
gagehugo: sneaky leftovers 22:31
lbragstad: you can't hide from me! 22:32
*** rcernin has joined #openstack-keystone 22:33
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Remove v2.0 policies  https://review.openstack.org/546420 22:38
gagehugo: lbragstad also when you get a chance, does the job name here make sense https://review.openstack.org/#/c/531014 22:38
lbragstad: keystone-osh-functional-local ? 22:39
gagehugo: yeah 22:40
lbragstad: it makes sense - is that the way it is reference elsewhere in the community? 22:41
gagehugo: the tempest ones are 'keystone-dsvm-functional' so I followed that, but added local to try to differentiate 22:41
lbragstad: referenced* 22:41
lbragstad: we seemed to do that differently with the osa one 22:41
lbragstad: openstack-ansible-keystone-rolling-upgrade 22:41
gagehugo: nova's are 'nova-tox-functional' 22:42
lbragstad: hmm - worst case we can rename it - right 22:42
gagehugo: yeah 22:42
lbragstad: it's not set in stone 22:42
gagehugo: that's what's nice about in-repo jobs 22:42
lbragstad: ++ 22:42
lbragstad: good point 22:42
*** nixi_girl has quit IRC 22:48
*** itlinux has quit IRC 22:49
*** spilla has quit IRC 22:51
*** jmlowe has quit IRC 23:01
*** openstackgerrit has quit IRC 23:04
*** nkinder has quit IRC 23:15
*** jmlowe has joined #openstack-keystone 23:19
*** AlexeyAbashkin has joined #openstack-keystone 23:23
*** AlexeyAbashkin has quit IRC 23:27
*** nkinder has joined #openstack-keystone 23:28
*** r-daneel has quit IRC 23:34
*** r-daneel has joined #openstack-keystone 23:35
*** Tahvok has quit IRC 23:46
*** Tahvok has joined #openstack-keystone 23:47
*** r-daneel has quit IRC 23:50
