Friday, 2018-04-06

*** odyssey4me has quit IRC00:11
*** odyssey4me has joined #openstack-keystone00:11
*** d0ugal has quit IRC00:13
*** d0ugal has joined #openstack-keystone00:17
*** r-daneel has quit IRC00:26
*** Dinesh_Bhor has joined #openstack-keystone00:44
*** harlowja has quit IRC01:21
*** oikiki has joined #openstack-keystone01:22
*** annp has joined #openstack-keystone02:04
*** germs has quit IRC02:23
*** germs has joined #openstack-keystone02:24
*** david-lyle has quit IRC02:42
*** david-lyle has joined #openstack-keystone02:42
*** lbragstad has joined #openstack-keystone03:11
*** ChanServ sets mode: +o lbragstad03:11
*** abhi89 has joined #openstack-keystone03:25
*** nicolasbock has quit IRC03:39
*** annp has quit IRC03:39
*** bhagyashri_s has left #openstack-keystone03:40
*** links has joined #openstack-keystone03:48
*** annp has joined #openstack-keystone03:49
*** harlowja has joined #openstack-keystone03:53
*** voelzmo has quit IRC04:04
*** rcernin has quit IRC04:04
*** germs has quit IRC04:07
*** lbragstad has quit IRC04:18
*** rcernin has joined #openstack-keystone04:19
*** Dinesh_Bhor has quit IRC05:01
*** Dinesh_Bhor has joined #openstack-keystone05:04
*** harlowja has quit IRC05:13
*** bigjools has quit IRC05:21
*** bigjools has joined #openstack-keystone05:21
*** bigjools has quit IRC05:21
*** bigjools has joined #openstack-keystone05:21
*** fiddletwix has quit IRC05:24
*** fiddletwix has joined #openstack-keystone05:29
*** zeus has quit IRC05:33
*** zeus has joined #openstack-keystone05:38
*** zeus is now known as Guest4273605:38
*** oikiki has quit IRC05:46
*** oikiki has joined #openstack-keystone06:01
*** Dinesh__Bhor has joined #openstack-keystone06:04
*** Dinesh_Bhor has quit IRC06:04
*** jaosorior has joined #openstack-keystone06:05
openstackgerritNguyen Hai proposed openstack/keystone master: Follow the new PTI for document build  https://review.openstack.org/555196 06:07
*** sonuk has joined #openstack-keystone06:10
*** martinus__ has joined #openstack-keystone06:24
*** jistr has quit IRC06:30
*** jistr has joined #openstack-keystone06:32
*** markvoelker has quit IRC06:43
*** markvoelker has joined #openstack-keystone06:44
*** pcaruana has joined #openstack-keystone06:47
*** markvoelker has quit IRC06:48
*** belmoreira has joined #openstack-keystone06:53
*** tesseract has joined #openstack-keystone07:20
*** threestrands has quit IRC07:36
*** rcernin has quit IRC07:37
*** AlexeyAbashkin has joined #openstack-keystone07:41
*** oikiki has quit IRC07:58
*** oikiki has joined #openstack-keystone08:01
*** voelzmo has joined #openstack-keystone08:02
openstackgerritColleen Murphy proposed openstack/keystoneauth master: add lower-constraints job  https://review.openstack.org/555625 08:05
*** oikiki has quit IRC08:16
*** pcichy has joined #openstack-keystone08:32
*** abhi89 has quit IRC08:34
*** abhi89 has joined #openstack-keystone08:36
*** voelzmo has quit IRC08:37
*** oikiki has joined #openstack-keystone08:37
*** markvoelker has joined #openstack-keystone08:44
*** oikiki has quit IRC08:48
*** voelzmo has joined #openstack-keystone08:56
*** voelzmo has quit IRC09:01
*** markvoelker has quit IRC09:18
*** Sandy619 has joined #openstack-keystone09:20
*** sonuk_ has joined #openstack-keystone09:37
*** sonuk has quit IRC09:37
*** Guest42736 has quit IRC09:39
*** bigjools has quit IRC09:40
*** bigjools has joined #openstack-keystone09:40
*** bigjools has quit IRC09:40
*** bigjools has joined #openstack-keystone09:40
*** zeus has joined #openstack-keystone09:42
*** zeus is now known as Guest238509:42
*** markvoelker has joined #openstack-keystone10:15
*** Dinesh__Bhor has quit IRC10:16
*** nicolasbock has joined #openstack-keystone10:27
*** jistr has quit IRC10:27
*** annp has quit IRC10:28
*** jistr has joined #openstack-keystone10:36
*** tesseract has quit IRC10:37
*** tesseract has joined #openstack-keystone10:38
*** markvoelker has quit IRC10:49
*** tesseract-RH has joined #openstack-keystone10:59
*** tesseract has quit IRC10:59
*** sonuk_ has quit IRC11:21
openstackgerritMonty Taylor proposed openstack/keystoneauth master: Add methods to get all of the version data  https://review.openstack.org/559154 11:24
mordredcmurphy: ^^ that should be ready for review now - and I even added tests11:25
cmurphymordred: fantastic11:25
*** Sandy619 has quit IRC11:26
openstackgerritDoug Hellmann proposed openstack/keystoneauth master: add lower-constraints job  https://review.openstack.org/555625 11:35
*** sonuk has joined #openstack-keystone11:35
*** markvoelker has joined #openstack-keystone11:46
*** jistr is now known as jistr|mtg12:02
*** raildo has joined #openstack-keystone12:08
*** abhi89 has quit IRC12:11
*** abhi89 has joined #openstack-keystone12:12
*** sonuk has quit IRC12:13
*** markvoelker has quit IRC12:19
*** fried_rice has joined #openstack-keystone12:20
fried_riceö/12:21
*** markvoelker has joined #openstack-keystone12:24
*** jistr|mtg is now known as jistr12:31
*** pooja_jadhav has joined #openstack-keystone12:37
pooja_jadhavfried_rice: Hi12:37
fried_riceHello12:37
pooja_jadhavi want to discuss with you regarding keystoneauth session12:38
fried_ricepooja_jadhav: Is this in reference to https://review.openstack.org/#/c/505764/ ?12:39
pooja_jadhavcorrect12:40
fried_riceOkay.  I remember seeing that go by, but I didn't actually review it.12:40
fried_riceLet's just heads-up the folks who did, cause they're more likely to be able to help...12:40
fried_ricekmalloc, cmurphy, mordred, cdent12:40
fried_ricepooja_jadhav: Okay, proceed with your question please :)12:40
pooja_jadhavfried_rice: Actually, i want to use that split logger parameter in nova while call is going to cinder client. [1] https://github.com/openstack/nova/blob/master/nova/volume/cinder.py#L77 12:41
pooja_jadhavbut how to use not getting still12:42
pooja_jadhav:(12:42
fried_ricepooja_jadhav: Okay, I'm reading over that patch, stand by...12:44
pooja_jadhavfried_rice: Sure12:44
*** odyssey4me has quit IRC12:47
*** odyssey4me has joined #openstack-keystone12:47
fried_ricepooja_jadhav: Okay, it looks to me like there's no way to do this via ksa loading.12:48
*** jmlowe has quit IRC12:48
pooja_jadhavfried_rice: Yeah, but if we want to do.. then how can we do then?12:49
fried_ricepooja_jadhav: If you want to try it out just to see if it will work the way you want it to, you can add:12:50
fried_rice  _SESSION._split_loggers = True12:50
fried_riceafter https://github.com/openstack/nova/blob/master/nova/volume/cinder.py#L82 12:50
pooja_jadhavohk.. i will try and let u know12:51
fried_ricepooja_jadhav: That's not going to be a real solution.  But if it does what you want, you could probably submit a patch to openstack/keystone to expose that via a conf option.12:52
fried_ricepooja_jadhav: Then you wouldn't need to do anything to the nova code - you could just add the option in your conf file and restart the service.12:52
pooja_jadhavok12:56
openstackgerritDoug Hellmann proposed openstack/ldappool master: add lower-constraints job  https://review.openstack.org/555757 13:02
*** edmondsw has joined #openstack-keystone13:07
*** david-lyle has quit IRC13:10
*** jmlowe has joined #openstack-keystone13:18
*** felipemonteiro_ has joined #openstack-keystone13:19
openstackgerritMerged openstack/ldappool master: add lower-constraints job  https://review.openstack.org/555757 13:20
*** felipemonteiro__ has joined #openstack-keystone13:23
*** david-lyle has joined #openstack-keystone13:24
*** felipemonteiro_ has quit IRC13:26
*** lbragstad has joined #openstack-keystone13:28
*** ChanServ sets mode: +o lbragstad13:28
*** links has quit IRC13:28
*** lbragstad has quit IRC13:35
openstackgerritMerged openstack/keystone master: Removal of deprecated direct driver loading  https://review.openstack.org/350815 13:36
openstackgerritNguyen Hai proposed openstack/keystone master: Fix incompatible requirement in lower-constraints  https://review.openstack.org/559334 13:36
openstackgerritNguyen Hai proposed openstack/keystone master: Fix incompatible requirement in lower-constraints  https://review.openstack.org/559334 13:38
*** lbragstad has joined #openstack-keystone13:39
*** ChanServ sets mode: +o lbragstad13:39
*** dansmith is now known as superdan13:40
openstackgerritColleen Murphy proposed openstack/keystoneauth master: add lower-constraints job  https://review.openstack.org/555625 13:43
*** david-lyle has quit IRC13:44
openstackgerritMerged openstack/keystonemiddleware master: Update links in README  https://review.openstack.org/557189 13:49
*** pcichy has quit IRC13:49
*** melwitt is now known as jgwentworth14:02
*** germs has joined #openstack-keystone14:10
*** germs has quit IRC14:11
*** germs has joined #openstack-keystone14:11
*** germs has quit IRC14:15
lbragstadcmurphy: an application credential token can't be used to change a user's password can it?14:23
cmurphylbragstad: it could if it has the user's original password https://developer.openstack.org/api-ref/identity/v3/index.html#change-password-for-user14:25
lbragstadahh14:26
lbragstadok - nevermind14:26
cmurphy:)14:26
lbragstadi thought i remember a restriction in there somewhere that might help with https://bugs.launchpad.net/keystone/+bug/1755874/ 14:27
openstackLaunchpad bug 1755874 in OpenStack Identity (keystone) "Ability to block users from changing passwords is missing in Kesystone v3" [Undecided,In progress] - Assigned to Pavlo Shchelokovskyy (pshchelo)14:27
*** r-daneel has joined #openstack-keystone14:27
lbragstadi just read the use case they described...14:27
cmurphyyeah we didn't any restrictions on that for app creds14:29
cmurphyhaving a policy that users can't change their own passwords seems really weird and anti-security to me but i guess it's a real world use case we should allow14:29
lbragstadmhmm14:30
lbragstadunless there is a different workflow we can support somehow that doesn't require us to open that back up14:31
cmurphywe can enforce password strength14:32
lbragstadyeah14:32
cmurphythat seems like the main thing they want14:33
lbragstadsounds like the layer that sits on top of keystone does that too14:33
lbragstadbut i assume that's been around for a while if they implemented that for v2.014:33
lbragstadso - sure... some system creates a new user for some set of operations and a user *could* change the password directly using keystone14:34
lbragstadbut it won't buy them much because keystone can be configured to match the same password strength requirements that the layer on top of keystone requires?14:34
openstackgerritNguyen Hai proposed openstack/keystone master: Follow the new PTI for document build  https://review.openstack.org/555196 14:35
cmurphyauditability i guess, if they're tracking password changes through this other layer and don't want to track them through keystone14:36
lbragstadthat could be true14:37
cmurphysounds like they have a system in place and we broke them, so we could either enable the change that unbreaks their system or we could encourage them to use our system14:38
cmurphy¯\_(ツ)_/¯14:38
*** jdennis has quit IRC14:39
lbragstadsure - i'll leave a comment14:39
openstackgerritMonty Taylor proposed openstack/keystoneauth master: Add methods to get all of the version data  https://review.openstack.org/559154 14:40
cmurphylbragstad: fyi i'll be on vacation all next week and hopefully not looking at my computer14:41
lbragstadcmurphy: ack - thanks for the heads up14:41
lbragstadcmurphy: i'm jealous ;)14:41
lbragstaddoing anything fun?14:42
*** jdennis has joined #openstack-keystone14:42
*** abhi89 has quit IRC14:43
cmurphymeeting up with some friends to go camping in Iceland :D14:43
*** abhi89 has joined #openstack-keystone14:44
lbragstadoh... wow14:44
* lbragstad gives cmurphy his camera14:44
lbragstadplease take some pictures14:44
cmurphyi plan to14:44
lbragstads/some/lots of/14:44
cmurphy:)14:44
lbragstadthat's going to be amazing14:44
lbragstadalso - pretty hard to get onto irc while camping14:45
*** david-lyle has joined #openstack-keystone14:45
*** Guest2385 is now known as zeus14:50
*** zeus has quit IRC14:51
*** zeus has joined #openstack-keystone14:51
*** felipemonteiro__ has quit IRC14:55
*** felipemonteiro__ has joined #openstack-keystone14:56
*** spilla has joined #openstack-keystone14:58
*** dangtrinhnt has joined #openstack-keystone15:02
knikollacmurphy: have fun!15:03
*** dangtrinhnt has quit IRC15:08
openstackgerritMatthew Thode proposed openstack/keystone master: Fix incompatible requirement in lower-constraints  https://review.openstack.org/559334 15:09
openstackgerritMatthew Thode proposed openstack/keystone master: Use the new pysaml2 constraints  https://review.openstack.org/558217 15:09
*** felipemonteiro_ has joined #openstack-keystone15:10
*** felipemonteiro__ has quit IRC15:14
openstackgerritNguyen Hai proposed openstack/keystone master: Follow the new PTI for document build  https://review.openstack.org/555196 15:23
*** jmlowe_ has joined #openstack-keystone15:23
*** jmlowe has quit IRC15:23
*** abhi89 has quit IRC15:28
*** belmoreira has quit IRC15:30
*** openstackgerrit has quit IRC15:33
*** pcaruana has quit IRC15:49
gagehugoo/15:55
*** r-daneel has quit IRC16:03
*** germs has joined #openstack-keystone16:11
*** germs has quit IRC16:11
*** germs has joined #openstack-keystone16:11
*** AlexeyAbashkin has quit IRC16:12
*** germs has quit IRC16:16
kmalloclbragstad, cmurphy: so... there is a minor issue to fix the password-change API blocking bit16:24
kmallocand it is because @protected is wonky16:24
* lbragstad dreads that refactor too16:25
kmallocthe most immediate mechanism to block in that bug is use nginx/apache and put a block rule into http[s]://identity/v3/users/*/password 16:26
*** germs has joined #openstack-keystone16:30
*** germs has quit IRC16:30
*** germs has joined #openstack-keystone16:30
*** germs has quit IRC16:30
*** germs has joined #openstack-keystone16:31
*** germs has quit IRC16:31
*** germs has joined #openstack-keystone16:31
kmalloclbragstad: oh man, i know how to fix the bug w/o code on our end16:37
kmallocwe have minimum password change times.16:38
lbragstadoh!16:38
kmallocright?!16:38
* lbragstad checks the implementation16:39
kmallocyeah i am looking at that now16:39
kmallocoh.16:39
kmallocmaybe we don't have that16:39
kmallocwe might need to add that.16:39
lbragstadyeah...16:40
lbragstadwe have unique last pass count16:41
*** r-daneel has joined #openstack-keystone16:41
kmalloclet's just add minimum password change time16:41
kmallocrather than implement policy due to issues with @protected16:42
kmallocuntil that refactor lands16:42
lbragstadwhat's the status of that refactor?16:42
lbragstadi haven't had a chance to dig into it yet16:42
kmalloc... i don't know what the status is16:43
lbragstadoh - no worries, i was just curious16:43
lbragstadi've buried myself in the token provider refactor, but i think i need a break from that for a while16:43
*** spilla has quit IRC16:44
kmalloci don't think much yeah16:44
kmallocs/don't think much16:44
kmallocannnnyway16:44
kmalloci don't think much has been done on the refactor16:45
kmalloci can try and dig in some, but, it's a beast of a refactor16:45
kmallocthe issue is that it touches soooooo very much16:45
*** spilla has joined #openstack-keystone16:45
lbragstadyeah :(16:45
kmalloclet me start my NAS [old] -> NAS [new]16:45
kmalloctransfer16:46
kmallocneed to move ~4TB today16:46
kmallocand i'll start poking at the refactor16:46
lbragstadsweet16:47
lbragstadthe refactors we have on our plate this release are _massive_16:47
kmallocyeah16:48
lbragstadi started breaking the "rewrite keystone" patch into a series16:48
kmallocbut it's all VERY good stuff that makes keystone better16:48
lbragstadi failed, like 4 times16:48
kmallochonestly, i want to re-write a ton of keystone.16:48
kmalloconce we break @protected, the flask re-write will be easy16:48
lbragstadyesterday i pulled the entire new model into a separate change, which is cool.. but then i attempted to remove the KeystoneToken model16:49
lbragstadso s/KeystoneToken/TokenModel/ everywhere in keystone16:49
lbragstadand then went over like a kicking a hornets nest16:50
lbragstadthe problem is that we need to validate the token, then we pass it to the KeystoneToken model to get an object16:50
lbragstadbut with the new model, we use composition16:50
kmallocright16:50
lbragstadso - we validate the token and then handpick values to build a token model using TokenModel?16:51
lbragstadwhich just defeats the purpose16:51
kmallocwell, we know what the values from the fernet payload mean16:51
kmallocand we should be able to do composition with a "hey this is issued"16:51
kmallocvs "this is new"16:51
kmalloccomposition should work the same16:52
lbragstadoh - yeah.. that'd mean building the model generation into the validation path right?16:52
kmallocit's a big change to the internals16:52
kmallocyeah16:52
lbragstadright.. i didn't do that16:52
kmallocbut that is the way to do it and how we discussed it16:52
lbragstadall i did was introduce the new model and attempt to replace all usage of the old model with the new one16:52
lbragstadwhich kinda backfired16:52
kmallocyeah16:52
lbragstadand it got really messy16:52
lbragstadi think we need to wait until validate_token returns an instance of TokenModel16:52
kmallocif anything do it inverse, compose validation 1st16:53
kmallocTHEN everything else16:53
lbragstadinstead of making all the different places in keystone do composition on blank token models16:53
lbragstad++16:53
lbragstadyeah16:53
lbragstadi think that's what i learned yesterday16:53
kmallocand maybe just make a wrapper interface for the tokenmodel (new)16:53
kmallocso we can interface the token the same way elsewhere16:53
kmallocthen drop the interface16:53
*** fried_rice is now known as fried_rolls16:53
kmallocit's transitional code, but it would make it easy16:54
lbragstadok - so what if i do this16:54
kmallocand we can just drop the magic methods to see what all still references the old style16:54
lbragstad1.) propose the new token model16:54
lbragstad2.) rework the authentication API to construct token models and whatnot16:54
lbragstad3.) rework the validation path to construct token models16:55
kmalloc1a. implement interface for tokenmodel to work like current dict-model.16:55
lbragstadhow do you do that?16:55
kmallocbasically some magic __getitem__ __setitem__16:55
lbragstadone model accepts a dictionary and the other doesn't accept anything?16:55
lbragstads/?//16:55
kmallocjust implement __getitem__ __setitem__ that knows the token dict format16:56
lbragstadkt = token_model.KeystoneToken(token_data=token_data)16:56
kmallocand sets the values16:56
lbragstadmmm16:56
kmallocthen you can just use the KeystoneToken directly16:56
kmalloceverywhere16:56
kmallocsimple search/replace16:56
kmallocthen rework bits to compose16:56
kmallocand direct access16:56
lbragstadso - under the hood KeystoneToken proxies to TokenModel?16:56
kmallocno16:56
kmallocimplement on KeystoneToken __getitem__ that knows what the format should be16:57
kmallocits the dict magic get method16:57
*** links has joined #openstack-keystone16:57
kmallocso KeystoneToken()['user'] etc returns dicts of the keystonetoken values16:57
kmallocand KeystoneToken()['user']['id'16:58
kmallocand KeystoneToken()['user']['id'] = XXXXX16:58
kmallocwould set the right thing16:58
kmallocnow that i think about it16:58
kmallocmight be a massive amount of work16:58
lbragstadyeah16:58
lbragstadthat's how i have things now16:58
kmallocmaybe just a .to_dict()16:58
lbragstadwith the new model16:58
kmallocor _to_dict()16:58
lbragstadit's all @property methods16:58
kmallocand just render a token from the @propertys16:59
kmallocso keystonetoken.to_dict()[<normal_otken_lookup]16:59
kmallocsince we already need the code to render the dicts16:59
kmallocfor controller bits16:59
lbragstadfor example - https://review.openstack.org/#/c/555931/1/keystone/models/token_model.py@869 17:00
kmalloceh, i think your proposed steps work fine17:00
lbragstadso17:00
lbragstad1.) introduce new model17:00
lbragstad2.) make authentication path use new model17:00
lbragstad3.) make validation path use new model17:01
kmallocyep17:01
lbragstad4.) convert instances of KeystoneToken to use TokenModel (which is returned from PROVIDERS.token_provider_api.validate_token(token_id))17:01
lbragstad5.) remove duplicate model17:01
kmallocyep17:02
lbragstad6.) profit17:02
lbragstadbecause everyone loves a good refactor, amiright?17:02
*** links has quit IRC17:06
*** links has joined #openstack-keystone17:08
*** david-lyle has quit IRC17:09
lbragstadok - i'm going to step away for lunch quick17:12
*** openstackgerrit has joined #openstack-keystone17:18
openstackgerritMatthew Thode proposed openstack/keystone master: Fix incompatible requirement in lower-constraints  https://review.openstack.org/559334 17:18
openstackgerritMatthew Thode proposed openstack/keystone master: Use the new pysaml2 constraints  https://review.openstack.org/558217 17:18
kmalloclbragstad: i'll propose the "minimum password change time" thing shortly17:22
kmalloclbragstad: and make it so -1 is a "never allowed",17:23
*** tesseract-RH has quit IRC17:35
*** voelzmo has joined #openstack-keystone17:45
*** AlexeyAbashkin has joined #openstack-keystone17:46
*** AlexeyAbashkin has quit IRC17:50
*** voelzmo has quit IRC17:59
*** brad[] has quit IRC18:03
*** brad[] has joined #openstack-keystone18:04
*** voelzmo has joined #openstack-keystone18:09
openstackgerritLance Bragstad proposed openstack/keystone master: Introduce new TokenModel object  https://review.openstack.org/559129 18:10
*** voelzmo has quit IRC18:14
*** abhi89 has joined #openstack-keystone18:15
*** jessegler has joined #openstack-keystone18:20
jessegler#openstack-security18:21
*** r-daneel has quit IRC18:23
*** r-daneel has joined #openstack-keystone18:25
*** felipemonteiro_ has quit IRC18:31
*** felipemonteiro_ has joined #openstack-keystone18:32
*** david-lyle has joined #openstack-keystone18:40
*** fried_rolls is now known as fried_rice18:59
*** felipemonteiro__ has joined #openstack-keystone19:00
*** felipemonteiro_ has quit IRC19:03
*** cz2 has quit IRC19:03
kmalloclbragstad: almost have the password opt override added for min_password_age19:20
kmalloclbragstad: i am also implementing the case where if min_password_age is -1 in config, it makes password changes impossible.19:21
lbragstadcool19:21
kmallocso, you will now have a useropt "min_password_age" which overrides the global conf only if it is greater than the global conf19:22
kmalloc(basically, we only take the highest of the two values)19:22
kmallocEXCEPT if the value is -1 for either19:22
kmallocwhich means passwords may not be changed via the change_password API19:22
lbragstadthat makes se19:24
lbragstadsense*19:24
lbragstadknikolla: did you have the patch to replace non-existent users with @ while listing role assignments?19:25
* lbragstad thinks something in our ldap implementation regressed19:25
lbragstadi'm noticing something pretty strange19:26
lbragstadif i have a user in ldap, i can create a role assignment for them, and everything is fine and dandy19:26
lbragstadif i remove the user from ldap directly, i still see the role assignment19:27
lbragstadif i attempt to remove the role assignment, i get an error saying the user can't be found, which makes sense19:27
lbragstadbut the role assignment doesn't go away19:27
lbragstadand then after some period of time... the user name in the assignment list switches to @?19:28
*** abhi89 has quit IRC19:28
knikollalbragstad:  that was a long time ago, yeah i think i did a patch for smth like that.19:28
knikollaChanged names with empty string though19:29
knikollaNot sure about the @19:29
lbragstad http://paste.openstack.org/show/718621/ 19:29
lbragstadi had a developers@Users group19:30
knikollaOh, because @ divides the username and domain19:30
lbragstadand an lbragstad@Users user19:30
knikollaWhich both are empty strings19:30
lbragstadyeah19:30
*** cz2 has joined #openstack-keystone19:30
lbragstadif i do `openstack role assignment list` i see the stale records19:31
lbragstadwith the IDs19:31
knikollaI think my patch was only for listing, not deleting.19:31
* knikolla is on the subway. Will be home in 10 mins or so.19:32
lbragstadok - no worries19:32
*** gagehugo has quit IRC19:47
kmalloclbragstad: just finishing tests and then docs19:50
kmalloclbragstad: and we should really implement domain-specific overrides for all the DSS stuff.19:53
lbragstadfor PCI?19:53
kmalloc https://www.irccloud.com/pastebin/c8D2uU2Y/ 19:55
kmalloclbragstad: yeah.19:55
kmallocpci-dss*19:55
kmalloclbragstad: once tests pass locally i'll toss in docs19:55
kmallocand a reno19:55
kmallocand we can tag that bug as closed19:55
kmallocthe user resource options stuff is nice to work with.19:56
kmalloclbragstad: i'm pleased with the code just because adding a resource is straightforward19:57
kmallocs/resource/option19:57
lbragstadright19:57
lbragstadyeah - that is nice19:57
kmalloclbragstad: next challenge, i need to stand up keycloak or freeipa locally on my network so i can get my NAS to have consistent uids19:58
kmallocayoung: i am frightened, i am actually thinking of standing up keycloak locally for my home network... just had to share (krb5 and all that)19:59
kmalloclbragstad: and i need to stand up some ansible for all my stuff *eek* this is like I am actually an engineer or something.20:00
kmalloclbragstad: annnd, i'm actually developing python on windows (gonna see if subsystem for linux will work for unit tests)20:00
*** gagehugo has joined #openstack-keystone20:03
lbragstad0.o20:06
lbragstadpython on windows?20:06
kmallocyep20:07
lbragstadi know it's possible, but i always found it to be a pain sharing source between the development environment and the environment the project actually runs in20:07
kmallocoh, i just symlink: <WSL ROOT>/home/notmorgan/userprofile -> /mnt/c/User/<windowsuser>/Documents/ and have stuff under there20:07
kmalloci even have proper ssh-agent and all that running20:08
kmallocin bash20:08
kmalloci expect this will explode in my face20:08
lbragstadlol20:08
*** mchlumsky has quit IRC20:10
*** mchlumsky has joined #openstack-keystone20:12
knikollawhy is it still snowing in april...20:18
lbragstadi just did something with ldap + keystone that technically shouldn't be possible20:25
lbragstadldap blows my mind some days20:25
*** links has quit IRC20:28
gagehugoknikolla right?!20:30
kmalloclbragstad: what did you do?20:39
lbragstadthis - https://bugs.launchpad.net/keystone/+bug/1751045 20:40
openstackLaunchpad bug 1751045 in OpenStack Identity (keystone) "The removal of a role on a non existing group throws an error" [Undecided,In progress] - Assigned to Jose Castro Leon (jose-castro-leon)20:40
lbragstad^ i couldn't recreate it20:40
lbragstadbut i have no idea how not20:40
kmallochmm20:40
kmallocwhat version of keystone is he using20:41
kmallocbecause shadow stuff might have 100% mitigated that20:41
lbragstadwe used to have a fix for getting that to work with users...20:42
*** spilla has quit IRC20:42
lbragstadwell - we still have that fix20:42
kmallocright20:42
lbragstadtechnically - it should blow up here https://github.com/openstack/keystone/blob/master/keystone/assignment/controllers.py#L403-L413 20:43
lbragstadbut it doesnt?20:44
kmalloccheck to see if it's hitting shadow user stuff20:44
kmallocbecause the api.get would work if the group is shadowed20:44
kmallocright?20:44
kmalloclbragstad: also, it's funny, but unit tests are running.20:45
kmallocbut man it's slow20:45
kmalloclbragstad: what was the invocation to run unit tests with the pretty output?20:46
lbragstadadded some logging to figure out what in the world is going on20:46
lbragstadthat's a good question, i'm not quite sure?20:47
*** edmondsw has quit IRC20:47
ayoungkmalloc, there is a reason all this technology exists, you know.20:49
kmallocayoung: do you remember the magic subunit-trace invocation w/ tox20:50
kmallocayoung: this is driving me batty, i want to see the tests running20:50
ayoungkmalloc, so I remember enable the venv and run the command tox runs20:50
kmallocthere was something needed piping to like subunit-trace20:51
ayoungoslo_debug_helper {posargs}20:52
ayoung  What is that?20:52
kmallocno idea20:52
ayoung https://docs.openstack.org/os-testr/latest/user/subunit_trace.html 20:52
ayoungstestr run20:53
*** AlexeyAbashkin has joined #openstack-keystone20:53
ayoungsomething like that?20:53
kmallocayoung: yeah, but i can't seem to get it to work.20:56
lbragstadbah! caching bites me again20:57
*** AlexeyAbashkin has quit IRC20:57
lbragstadonce i disabled caching i was able to recreate it21:00
kmallocayoung: it's working now21:00
kmalloclbragstad: AHA21:01
kmalloclbragstad: yeaaaah21:01
*** panbalag has joined #openstack-keystone21:01
*** panbalag has left #openstack-keystone21:01
lbragstadthat group was being cached...21:01
kmalloclbragstad: remember, only 2 hard things in computer science21:01
kmalloclbragstad: naming things, caching, off-by-one-errors21:01
lbragstadlol21:01
lbragstadexactly21:01
kmalloci also like the async data version of that too21:02
kmallocholy crap. i'm... running 32 python test runners under windows subsystem for linux21:02
kmallocit's... working21:02
kmallocheh, load: 0.5221:02
*** itlinux has joined #openstack-keystone21:03
kmalloclbragstad: i... i want another threadripper now.21:03
kmalloc... obligatory: COULD YOU IMAGINE A BEOWULF CLUSTER OF THOSE!?! *sigh* I'm ... making it clear how long i've lurked on the intertubes now21:04
kmallocayoung: yeah, well i guess I'm back to having a far more complex home lab than expected ;)21:06
*** martinus__ has quit IRC21:06
kmalloclbragstad: our tests are stupid chatty about debug things like scope-check failures21:07
kmalloclbragstad: we should make sure we aren't emitting that cruft unless we care21:07
lbragstadyeah - i need to fix that21:10
lbragstadnot the chattyness21:10
lbragstadthe actual tests21:10
lbragstadto do things  properly with scope21:10
ayoungI actually built Beowulf clusters for a living. I cannot imagine a Beowulf cluster of those.21:12
*** itlinux has quit IRC21:18
kmallocayoung: lol21:19
kmallocayoung: i really do want to setup a few compute nodes that are all 1950x processors21:19
kmallocayoung: it would be fantastic.21:19
kmallocbut i don't have that kind of money21:19
ayoungRunning Windows?21:20
kmalloci run it locally for reasons of laziness21:20
kmallocbut i would run those nodes under linux21:20
ayoung https://adam.younglogic.com/2012/03/shared-nothing-diskless-boot/ 21:20
kmallocyeah i've done that before21:21
kmallocit's fantastic.21:21
ayoungKinda want to do that for an OpenStack cluster21:21
kmallocthat is how we managed all of our nodes at myspace [largely my design]21:21
kmallocand how we did it at blizzard21:21
kmallocayoung: it wouldn't be too hard to do that for some of openstack, but parts need stateful storage [but i guess that could be outside of the root]21:24
kmallocnotably libvirt is a culprit.21:24
kmallocand some cinder things21:24
ayoungiSCSI for that21:24
kmallocsure.21:25
kmallocyou'd have some wonky21:25
kmallocfor some things21:25
*** felipemonteiro__ has quit IRC21:25
kmallocbut generally it would be doable for the API nodes themselves.21:26
openstackgerritLance Bragstad proposed openstack/keystone master: Allow to remove a group deleted out-of-band from LDAP  https://review.openstack.org/546969 21:39
openstackgerritLance Bragstad proposed openstack/keystone master: Add a test for cleaning up stale group assignments  https://review.openstack.org/559435 21:39
*** raildo has quit IRC21:41
openstackgerritLance Bragstad proposed openstack/keystone master: Add a test for cleaning up stale group assignments  https://review.openstack.org/559435 21:43
openstackgerritLance Bragstad proposed openstack/keystone master: Add a test for cleaning up stale group assignments  https://review.openstack.org/559435 21:43
openstackgerritMorgan Fainberg proposed openstack/keystone master: Allow blockin users from self-service password change  https://review.openstack.org/559438 22:13
openstackgerritMorgan Fainberg proposed openstack/keystone master: Allow blocking users from self-service password change  https://review.openstack.org/559438 22:15
openstackgerritMorgan Fainberg proposed openstack/keystone master: Allow blocking users from self-service password change  https://review.openstack.org/559438 22:15
kmalloclbragstad: ^ there ya go22:16
gagehugonice22:19
lbragstadkmalloc: awesome - thanks for picking that up22:19
*** fried_rice is now known as efried22:23
*** superdan is now known as dansmith22:25
openstackgerritMerged openstack/keystone master: Fix incompatible requirement in lower-constraints  https://review.openstack.org/559334 22:35
openstackgerritMorgan Fainberg proposed openstack/keystone master: Allow blocking users from self-service password change  https://review.openstack.org/559438 22:57
*** r-daneel has quit IRC23:20
*** lbragstad has quit IRC23:34
*** itlinux has joined #openstack-keystone23:39
*** jessegler has quit IRC23:41
*** AlexeyAbashkin has joined #openstack-keystone23:53
*** AlexeyAbashkin has quit IRC23:58
