Monday, 2018-04-09

*** edmondsw has joined #openstack-keystone00:09
*** edmondsw has quit IRC00:14
*** panbalag has joined #openstack-keystone00:22
*** panbalag has left #openstack-keystone00:23
*** odyssey4me has quit IRC00:23
*** odyssey4me has joined #openstack-keystone00:23
*** chenyb4 has joined #openstack-keystone00:50
*** AlexeyAbashkin has joined #openstack-keystone01:50
*** AlexeyAbashkin has quit IRC01:54
*** edmondsw has joined #openstack-keystone01:57
*** alex_xu has joined #openstack-keystone01:58
*** edmondsw has quit IRC02:02
*** sapd_ has joined #openstack-keystone02:23
*** sapd has quit IRC02:26
*** markvoelker has quit IRC02:28
*** markvoelker has joined #openstack-keystone02:29
*** markvoelker has quit IRC02:34
openstackgerritwangxiyuan proposed openstack/keystone master: Unified limit update APIs Refactor
*** gagehugo has quit IRC02:40
*** gagehugo has joined #openstack-keystone02:48
*** AlexeyAbashkin has joined #openstack-keystone02:50
*** AlexeyAbashkin has quit IRC02:55
*** sonuk has joined #openstack-keystone03:26
*** edmondsw has joined #openstack-keystone03:45
*** annp has joined #openstack-keystone03:46
*** edmondsw has quit IRC03:50
*** abhi89 has joined #openstack-keystone03:52
*** chenyb4 has quit IRC04:00
*** fabian has joined #openstack-keystone04:03
*** fabian is now known as chenyb404:03
*** links has joined #openstack-keystone04:25
*** dikonoor has joined #openstack-keystone04:47
*** marius1 has joined #openstack-keystone05:08
*** marius1 has quit IRC05:17
*** edmondsw has joined #openstack-keystone05:33
*** edmondsw has quit IRC05:38
*** marius1 has joined #openstack-keystone05:40
*** zhurong has joined #openstack-keystone05:44
*** abhi89 has quit IRC05:45
*** pcichy has joined #openstack-keystone05:59
*** d0ugal has quit IRC06:12
*** martinus__ has joined #openstack-keystone06:20
*** namnh has joined #openstack-keystone06:29
*** pcaruana has joined #openstack-keystone06:35
*** namnh has quit IRC06:46
*** namnh has joined #openstack-keystone06:46
*** belmoreira has joined #openstack-keystone06:49
*** zhurong has quit IRC07:13
*** tesseract has joined #openstack-keystone07:14
*** namnh has quit IRC07:14
*** namnh has joined #openstack-keystone07:14
*** rcernin has quit IRC07:16
*** edmondsw has joined #openstack-keystone07:21
*** edmondsw has quit IRC07:26
*** d0ugal has joined #openstack-keystone07:32
*** d0ugal has quit IRC07:32
*** d0ugal has joined #openstack-keystone07:32
*** jistr is now known as jistr|dentist07:34
*** aloga has quit IRC07:34
*** aloga has joined #openstack-keystone07:34
*** hoonetorg has quit IRC07:59
*** pcichy has quit IRC08:10
*** pcichy has joined #openstack-keystone08:10
*** hoonetorg has joined #openstack-keystone08:12
*** dikonoor has quit IRC08:36
*** jistr|dentist is now known as jistr09:02
*** alex_xu has quit IRC09:03
hugokuoHi Team,09:06
hugokuoWhile making a request to Swift, there's a header in the response WWW-Authenticate: Keystone uri='' `09:07
hugokuoIs this returned by keystonemiddleware?09:07
*** alex_xu has joined #openstack-keystone09:08
*** edmondsw has joined #openstack-keystone09:10
*** dikonoor has joined #openstack-keystone09:10
wxyhugokuo: yeah.
hugokuoI'm reading RFC and  . It looks like the string should be quoted by double quote instead of single quote?09:11
*** edmondsw has quit IRC09:14
wxyhugokuo: indeed. The RFC said that.09:22
hugokuoI'll file a bug in LP09:27
hugokuoShould it be in keystone's LP or some other place?
*** gyankum has joined #openstack-keystone09:34
wxy I think.09:34
hugokuothx man09:34
openstackgerritwangxiyuan proposed openstack/keystone master: Mark the idp's domain_id unique
*** dikonoor has quit IRC09:48
*** namnh has quit IRC09:58
*** marius1 has quit IRC09:58
*** namnh has joined #openstack-keystone09:58
*** ygl has joined #openstack-keystone09:59
yglhi all09:59
yglI am unable to delete other users' stacks as admin user09:59
yglcan someone help me what exactly to modify in the heat policy.json file10:00
*** namnh has quit IRC10:08
*** dikonoor has joined #openstack-keystone10:10
yglcan anyone help me please10:16
*** chenyb4 has quit IRC10:17
*** ygl has left #openstack-keystone10:17
*** gyankum has quit IRC10:27
*** nicolasbock has joined #openstack-keystone10:34
*** marius1 has joined #openstack-keystone10:42
*** panbalag has joined #openstack-keystone10:44
*** panbalag has left #openstack-keystone10:44
*** dikonoor has quit IRC10:49
*** marius1 has quit IRC10:55
*** dikonoor has joined #openstack-keystone10:57
*** edmondsw has joined #openstack-keystone10:58
*** edmondsw has quit IRC11:03
*** marius1 has joined #openstack-keystone11:05
*** marius1 has quit IRC11:07
*** sonuk has quit IRC11:39
*** gyankum has joined #openstack-keystone11:45
*** sonuk has joined #openstack-keystone12:03
*** edmondsw has joined #openstack-keystone12:04
*** gyankum has quit IRC12:04
*** raildo has joined #openstack-keystone12:04
*** panbalag has joined #openstack-keystone12:31
*** nicolasbock has quit IRC12:33
*** marius1 has joined #openstack-keystone12:34
*** nicolasbock has joined #openstack-keystone12:37
*** odyssey4me has quit IRC12:38
*** odyssey4me has joined #openstack-keystone12:38
*** dave-mccowan has joined #openstack-keystone12:41
*** dave-mcc_ has joined #openstack-keystone12:44
*** dave-mccowan has quit IRC12:45
*** pcaruana has quit IRC12:46
*** panbalag has left #openstack-keystone12:53
*** panbalag has joined #openstack-keystone12:56
*** panbalag has left #openstack-keystone12:57
*** AlexeyAbashkin has joined #openstack-keystone13:01
*** dikonoo has joined #openstack-keystone13:02
*** dikonoor has quit IRC13:06
*** chenyb4 has joined #openstack-keystone13:08
*** AlexeyAbashkin has quit IRC13:10
*** AlexeyAbashkin has joined #openstack-keystone13:10
*** pcaruana has joined #openstack-keystone13:11
*** AlexeyAbashkin has quit IRC13:17
*** AlexeyAbashkin has joined #openstack-keystone13:17
*** lbragstad has joined #openstack-keystone13:27
*** ChanServ sets mode: +o lbragstad13:27
*** david-lyle has quit IRC13:31
*** markvoelker has joined #openstack-keystone13:34
*** AlexeyAbashkin has quit IRC13:34
*** markvoelker_ has joined #openstack-keystone13:36
*** AlexeyAbashkin has joined #openstack-keystone13:37
*** belmoreira has quit IRC13:38
*** markvoelker has quit IRC13:39
*** idlemind has joined #openstack-keystone13:40
*** dikonoo has quit IRC13:42
*** mvk has quit IRC13:42
*** dikonoo has joined #openstack-keystone13:42
*** dikonoor has joined #openstack-keystone13:45
*** dikonoo has quit IRC13:49
*** r-daneel has joined #openstack-keystone13:54
*** chenyb4 has quit IRC14:00
*** felipemonteiro has joined #openstack-keystone14:00
*** spilla has joined #openstack-keystone14:01
*** markvoelker_ has quit IRC14:03
*** dikonoo has joined #openstack-keystone14:04
*** dikonoor has quit IRC14:09
*** felipemonteiro_ has joined #openstack-keystone14:09
*** felipemonteiro has quit IRC14:12
*** r-daneel_ has joined #openstack-keystone14:16
*** dikonoor has joined #openstack-keystone14:18
*** r-daneel has quit IRC14:18
*** r-daneel_ is now known as r-daneel14:18
openstackgerritDoug Hellmann proposed openstack/keystonemiddleware master: add lower-constraints job
*** dikonoor has quit IRC14:18
*** dikonoor has joined #openstack-keystone14:19
*** dikonoo has quit IRC14:19
openstackgerritDoug Hellmann proposed openstack/keystoneauth master: add lower-constraints job
*** mvk has joined #openstack-keystone14:21
*** jroll has quit IRC14:22
*** marius1 has quit IRC14:22
*** jroll has joined #openstack-keystone14:23
openstackgerritDoug Hellmann proposed openstack/python-keystoneclient master: add lower-constraints job
*** r-daneel has quit IRC14:27
*** belmoreira has joined #openstack-keystone14:30
*** r-daneel has joined #openstack-keystone14:35
kmallocWxy, hugokuo : that may be python library representation. Remember ' and " are both acceptable. Is that actually the header on the wire or what ksm passes down via request. If it is the latter, the rfc doesn't matter, we're in Python and ' is the default.14:37
*** ayoung has joined #openstack-keystone14:38
*** dklyle has joined #openstack-keystone14:51
*** dikonoor has quit IRC14:52
*** dikonoor has joined #openstack-keystone14:53
*** AlexeyAbashkin has quit IRC14:54
*** marius1 has joined #openstack-keystone14:56
hugokuokmalloc: It's not the later one as I know.14:58
lbragstadrelatively easy review here -
*** dikonoo has joined #openstack-keystone15:00
*** dikonoor has quit IRC15:04
*** dikonoor has joined #openstack-keystone15:04
*** dikonoo has quit IRC15:06
lbragstadknikolla: ty15:11
knikollalbragstad: that's a long != list.15:11
knikollalbragstad: this should be failing right?
knikollaoh you rebased on top of the fix.15:13
lbragstadyeah - i was thinking about just merging those two patches together and writing a release note15:14
lbragstadthat'd be a pretty easy thing to propose and have ready for tomorrow15:15
knikollalbragstad: release note with the test or in a separate patch?15:17
lbragstadknikolla: i was going to squash and and write a release note15:18
lbragstadso it would all be in one pathc15:18
knikollalbragstad: sounds good. ping me when you get that up so i can review, both look good.15:18
*** felipemonteiro_ has quit IRC15:19
lbragstad++ i should be able to get to that after lunch for sure15:19
lbragstaddoing a bunch of bug triage now15:19
*** felipemonteiro_ has joined #openstack-keystone15:19
lbragstadknikolla: i did see that new bug you opened about federated login after deleting a shadow user15:19
lbragstadi wonder it that is cache related?15:20
hrybackilbragstad: have 15 mins to chat default role spec at like 1PM your time?15:20
lbragstadhrybacki: sure15:20
hrybackilbragstad: ++15:20
lbragstadmy schedule is open today, so just ping me whenever15:21
*** marius1 has quit IRC15:21
knikollalbragstad: disabling caching and checking real quick.15:22
*** marius1 has joined #openstack-keystone15:23
knikollalbragstad: yup, disabling caching fixed that.15:23
lbragstadso the shadow user api doesn't clear the cache when a shadow user is deleted?15:24
knikollalooks like it.15:24
knikollahad some students discover it when playing around with mappings.15:26
*** prometheanfire has left #openstack-keystone15:33
*** marius1 has quit IRC15:33
*** germs has joined #openstack-keystone15:34
*** germs has quit IRC15:34
*** germs has joined #openstack-keystone15:34
*** germs has quit IRC15:35
*** germs has joined #openstack-keystone15:36
*** germs has quit IRC15:36
*** germs has joined #openstack-keystone15:36
*** links has quit IRC15:37
*** dikonoo has joined #openstack-keystone15:39
lbragstadkmalloc: hugokuo so is confirmed?15:40
openstackLaunchpad bug 1762362 in keystonemiddleware "[RFC] HTTP header field values should be quoted by double quote rather than single-quote" [Undecided,New]15:40
*** dikonoor has quit IRC15:43
*** fiddletwix has quit IRC15:44
*** gyee has joined #openstack-keystone15:45
*** fiddletwix has joined #openstack-keystone15:45
*** jdennis has quit IRC15:46
*** timothyb89_ is now known as timothyb8915:46
*** jdennis has joined #openstack-keystone15:46
*** nicolasbock has quit IRC15:52
*** belmoreira has quit IRC15:58
hugokuolbragstad: I filed it. That's confirmed the ksm returned single quote. But if it should follow the RFC will be determined by upstream core team.15:59
kmalloclbragstad: that might not be ksm, it might be an underlying liv16:04
lbragstadyeah - keystone doesn't use ksm?16:04
kmallocNot directly, afair16:04
kmallocI can check when o get home.16:05
kmallocBut my guess is it isn't keystone or ksm.16:05
hugokuoThis line in ksm header_val = 'Keystone uri=\'%s\'' % self._auth_uri16:06
hugokuoI tested it by change the code to have double quote and it works as expected.16:06
openstackgerritLance Bragstad proposed openstack/keystone master: Allow cleaning up non-existant group assignments
lbragstadknikolla: ^16:14
*** panbalag has joined #openstack-keystone16:17
*** panbalag has left #openstack-keystone16:17
*** felipemonteiro_ has quit IRC16:17
* lbragstad breaks for lunch16:17
*** AlexeyAbashkin has joined #openstack-keystone16:18
*** spilla has quit IRC16:21
*** spilla has joined #openstack-keystone16:22
yankcrimelbragstad: some good news for your return - switching keystone's token provider out from uuid to fernet solved my federation-related woes16:23
yankcrimethanks again for the help!16:23
*** sonuk has quit IRC16:23
openstackgerritJohannes Grassler proposed openstack/keystone-specs master: Add capabilities to application credentials
*** germs has quit IRC16:28
*** germs has joined #openstack-keystone16:28
*** germs has quit IRC16:28
*** germs has joined #openstack-keystone16:28
*** germs has quit IRC16:28
*** germs has joined #openstack-keystone16:28
*** germs has quit IRC16:28
*** germs has joined #openstack-keystone16:28
*** germs has quit IRC16:31
*** germs has joined #openstack-keystone16:33
*** germs has quit IRC16:33
*** germs has joined #openstack-keystone16:33
*** germs has quit IRC16:35
*** tesseract has quit IRC16:48
*** jgwentworth is now known as melwitt16:51
-openstackstatus- NOTICE: zuul was restarted to update to the latest code; please recheck any changes uploaded within the past 10 minutes16:51
kmallocyankcrime: i am glad to hear that.16:59
kmallocyankcrime: i figured that would work for you, but good for confirmation16:59
kmallocwow, we screwed that up: Www-Authenticate: Keystone uri=''17:01
kmallocthat looks... wrong somehow17:01
kmallocnot just in the ' vs "17:01
*** AlexeyAbashkin has quit IRC17:02
*** david-lyle has joined #openstack-keystone17:04
kmallochugokuo: if you want to propose a fix for ' vs " (and tests) we'll happily take / review it17:04
*** germs has joined #openstack-keystone17:06
*** germs has quit IRC17:06
*** germs has joined #openstack-keystone17:06
*** dklyle has quit IRC17:07
lbragstadyankcrime: awesome! let us know if you run into any other snags :)17:08
kmalloclbragstad: yeah fixing the quotes is the corrective action in ksm17:09
*** AlexeyAbashkin has joined #openstack-keystone17:09
*** germs has quit IRC17:09
*** germs has joined #openstack-keystone17:10
*** germs has quit IRC17:10
*** germs has joined #openstack-keystone17:10
lbragstadkmalloc: nice17:10
lbragstadi confirmed the bug17:10
kmalloclbragstad: is ready for eyes/merging17:10
*** germs has quit IRC17:12
*** felipemonteiro has joined #openstack-keystone17:24
lbragstadkmalloc: oh - sweet17:26
lbragstadthat was on my list today17:26
openstackgerritDoug Hellmann proposed openstack/keystoneauth master: add lower-constraints job
kmallocjgrassler: o/ need a minor fix for the capabilities17:32
kmallocjgrassler: but... it can be a follow up17:33
*** r-daneel has quit IRC17:33
*** felipemonteiro_ has joined #openstack-keystone17:42
*** marius1 has joined #openstack-keystone17:42
*** mvk has quit IRC17:44
*** felipemonteiro has quit IRC17:46
*** dklyle has joined #openstack-keystone17:52
*** david-lyle has quit IRC17:53
lbragstadi need to review that today, too17:57
*** AlexeyAbashkin has quit IRC18:01
hrybackilbragstad: still free? :)18:05
*** marius1 has quit IRC18:08
*** panbalag has joined #openstack-keystone18:09
*** panbalag has quit IRC18:12
openstackgerritMerged openstack/keystone master: Use the new pysaml2 constraints
*** AlexeyAbashkin has joined #openstack-keystone18:28
*** mvk has joined #openstack-keystone18:29
*** jdennis has quit IRC18:30
*** jdennis has joined #openstack-keystone18:30
*** dikonoo has quit IRC18:47
*** marius1 has joined #openstack-keystone18:58
*** AlexeyAbashkin has quit IRC19:09
ayounglbragstad, hrybacki kmalloc so as prep for my talk at summit...I wrote a second article on Istio and Keystone, this time looking into RBAC.  this is on top of what I wrote before
ayoungand knikolla and cmurphy of course...just didn't see you actively posting.  But Everyone....19:44
knikollaayoung: i'll have a look. never found the time to dive into istio though i've heard it mentioned to me multiple times.19:48
ayoungknikolla, pretty sure it is "keystone middleware for Kubernetes based services"19:48
knikollaayoung: not limited to that though19:49
ayoungplus a few other things, like a mutual Cert validation layer, but its the RBAC part that interests me19:49
knikollaand it is the other part that interests me :)19:55
lbragstadldap developer docs available
*** marius1 has quit IRC20:03
*** pcichy has quit IRC20:04
hrybackiayoung: domain scope was pulled from the spec -- look back in the comments for more detail about that20:15
hrybackitl;dr there is no 'real' domain scope (yet)20:15
ayounghrybacki, it is in the examples20:15
hrybackihanging chad, needs to be pulled as well. Good catch20:15
ayounghrybacki, no20:16
ayounghrybacki, domain scope needs to be put back in there, or domains themselves need to go away20:16
hrybackiayoung: domain scope will come, and we will add it then. This was discussed in length20:16
ayoungHorizon now has support for domain scoped tokens20:16
ayoungit is a real thing20:16
hrybackiI'll let cmurphy weigh in here. We can emulate domain scope but it's not actually domain scope20:17
ayoungI'm more concerned about the Implied Roles comment20:17
ayounghrybacki, cloudsamplev2 is in wide usage20:17
ayoungdomain scope is real, its just not in default policy20:17
ayounghrybacki, so I'd recommend putting domain scoped back in, and you can caveat it that way20:19
hrybackiayoung: that was my literal approach but I was dissuaded by cmurphy and the team agreed20:20
ayounghrybacki, you were right and they were wrong.20:21
hrybackiayoung: I disagree with you know and past Harry :P20:21
ayounghrybacki, so, if the goal is to make Domain scoping go away, I would be in full support20:22
ayounghowever, users and groups are not owned by projects, and I absolutetly should not need a System scoped token to create either20:22
ayoungI mean, I know domains were a mistake20:23
ayoungbut they are not one was can sweep under the rug now20:23
hrybackiAll arguments I raised, the team discussed, and rejected20:23
hrybackiI agree with them now (to be clear)20:23
kmallocdomain scoping can be sidelines20:23
kmallocwe cannot remove it/make it go away20:23
kmallocbecause it is part of the v3 api20:23
kmallocsidelined* and/or suggested to "not be used"20:24
hrybackiWRT implied roles. Our aim (at the project level) is make these alterations by way of policy file changes that move into policy-in-code after being vetted20:24
hrybackisimple, quick, and easily modifiable. Customers will /really/ start to flip if we don't offer these things soon20:25
hrybackiimplied roles were also discussed in length (during one of the office hours sessions IIRC)20:26
ayounghrybacki, it was a tool built explicitly to aid in this problem20:28
hrybackiayoung: that doesn't mean it's right for right now20:29
hrybackiwe really need to keep this as simple as possible right now20:29
hrybackimaybe I misunderstand how you are advising we use them here. But minor mods to policy files is acceptable other projects and the team after a lot of discussion at PTG20:30
ayounghrybacki, simple:20:31
ayoungcreate 2 rules20:31
ayoungadmin implies memember20:31
ayoungmember implies reader20:31
ayoungor auditor whatever it is called20:31
ayoungtag the API with the Lowest level role20:31
ayoungno need for the OR statements20:31
ayoungfor project scoped apis, you still need the right system scoped role to get at it20:32
hrybackiI see what you are suggesting now. Create the implications during the bootstrap process and keep the policy files clean as possible?20:32
ayoungso you could give someone system:auditor and they can read all of the auditor roles20:32
hrybackiokay, I have to run to an appt. I'm gonna reflect on this while I walk20:32
kmalloclbragstad: responded to your comments20:35
kmallocneed some more feedback before I post an updated patch20:35
*** pcaruana has quit IRC20:36
lbragstadkmalloc: ack -20:39
lbragstadthoughts on ?20:39
openstackLaunchpad bug 1729933 in OpenStack Identity (keystone) "region update doesn't update extras" [Undecided,In progress] - Assigned to David Lyle (david-lyle)20:39
ayoungkmalloc, do you honestly thinkg there is an alternative to doing domain scoped for users and groups?  DO we honestly want to make people system admins in order to add new users?  Adding users should be cheap...its role assignements that are dangerous.20:39
kmallocayoung: no, i am not advocating for anything it was just a comment20:51
kmallocayoung: we can sideline we can say don't do this, we cannot remove the functionality from keystone20:51
kmalloclbragstad: ugh, extras20:51
kmalloclbragstad: sigh20:52
lbragstad=/ yeah...20:52
ayoungkmalloc, lbragstad one topic I want to discuss at the summit is multi-site OpenStack deployements where the different regions/sites are on different versions of OpenStack.20:52
kmalloclbragstad: if it never worked for region, even if the table exists, i'll -2 any added extras support20:52
ayoungSomething like the hub-and-spoke model, where a central keystone just forwards to another keystone20:52
kmallocayoung: theoretically possible with federation20:53
kmallocrealistically... unknown20:53
lbragstadi think the domain scope thing with users and group can still happen, i don't expect it to be system-scope for ever20:53
lbragstadif you're referencing the default roles specification20:53
*** spilla has quit IRC20:55
*** r-daneel has joined #openstack-keystone21:00
kmalloclbragstad: just commented on the bug21:03
kmalloclbragstad: basically if we can show regions EVER supported "Extras" we need to add it back in21:03
*** harlowja has joined #openstack-keystone21:03
*** martinus__ has quit IRC21:03
kmallocelse, nope, nope, not doing it, no, nope, no thanks21:03
kmallocthough I am not opposed to a Region['VendorData'] like thing21:03
kmallocthat is explicitly outlined as deployment specific21:04
kmalloc[AND is a little smarter, like Resource-Opts is, where a "None" clears the value]21:04
ayoungkmalloc, I think there is a little bit more to it than just Federation.  I'll try to write up a decent agenda.21:07
ayounglbragstad, are we going to have breakout rooms for design, or has all of that been conceded to the PTGs?21:07
*** r-daneel has quit IRC21:15
*** spilla has joined #openstack-keystone21:16
*** r-daneel has joined #openstack-keystone21:16
lbragstadayoung:  i don't think so21:17
lbragstadi think the rooms we get are for large discussions21:18
lbragstadlike cross-project things21:18
lbragstador feedback sessions21:18
lbragstade.g. i don't think we'd get a room to work on keystone-specific things21:18
lbragstadthey're also time-boxed to 40 minutes or so21:18
ayounglbragstad, OK, so multi-site is a cross project topic.21:21
ayounglbragstad, what I am realizing now is that even if there are multiple openstacks in a single org, they need to be only loosly-unified.  If that makes sense21:21
ayounglike, maybe you only upgrade one at a time21:22
ayoungbut you still want a unified Keystone scheme for them21:22
kmallocthere is no reason you can't use a bleeding edge keystone with an ancient <everything else>21:22
ayoungand thus having a database sync21:22
kmallocand regions can be other deploys.21:22
*** edmondsw has quit IRC21:22
ayoungkmalloc, heh yes there is. and it has n othing to do with Keystone21:22
kmalloci think that is how most orgs end up doing it21:22
ayoungand everything to do with our deployment tool21:22
kmallocthis sounds like an inflexible deployment tool :P21:23
kmallocbut yeah, that is how i've seen folks crack that nut21:23
kmallocit's still not pretty21:23
ayoungbut I think having DB sync between version of Keystone is a reasonable design discussion21:23
kmalloci.. well21:23
kmalloci think this sounds kindof awful21:24
ayounglike, how to make a deployment work when one part is on Q and one is on R and one is on S21:24
*** edmondsw has joined #openstack-keystone21:24
kmalloceveryone use "S" keystone *shiftyeyes*21:24
ayoungTHey named it for Brian?21:24
kmallocin all honesty, i would refrain from referencing "db" anywhere in it.21:24
kmallocsimply so as to circumvent the convo around db-replication :P21:25
ayoungkmalloc  yep21:25
kmallocso, what I *think* you're looking for is something we sortof proposed in the past.21:25
ayoungkmalloc, the other convo I want to have is "how do I delete a project without orphaning the majority of my resources"21:26
ayoungah...pause on mine...go on21:26
kmallocsomething that may intercept a keystone call and replicate it [public interface] to other keystones via rest.21:26
kmallocand some mechanism to "replay"/"catchup"21:26
ayoungthing is, our REST Apis are not create firendly, as they tend to allocate new IDs21:28
kmallocbut- it wont scale out.21:28
ayoungwe'd want to make sure that a new Create is done with the ID from the server that has the right to create that record21:28
kmalloci was actually thinking of something that would be a dogpile proxy, and it would talk to other dogpile proxies21:28
*** edmondsw has quit IRC21:29
kmallocbut it has a lot of potential issues.21:29
ayoungMy original view was that, in a multi-keystone deployment, each keystone server would be canonical for a subset of domains, and could write data for those, but only read data for other domains21:29
ayoungI'm not wedded to that impl, but I think the bones is21:29
kmallocso you'd capture at just below the manager layer, and replicate that out to the other keystones21:29
ayoung"what data can I write locally, and what do I need to sync"21:30
ayoungI'm not sure where capture would happen.  I think I'd be pretty flexible on the impl21:30
kmallocit would need to be below the manager i think..21:31
kmallocbut there are a lot of issues with "what if someone did an update for some new data that R dodens't know about via the S keystone and that is forwarded"21:31
kmalloci think it's kindof going to be full of awful pitfalls/21:31
ayoungkmalloc, right.  But on the other hand, we can map it out, and at least start sketching out a solution21:33
ayoungWe couild even say "it starts with K2K21:33
ayoung"but we need to keep data in sync"21:33
kmalloci'd need to talk more, but honestly, i think k2k still solves 95-99% of what you're asking for21:34
kmallocand really only has a lower bound of minimum supportable keystone21:35
ayoungkmalloc, I'm OK with K2K as the basis.  Just want to map out the full use cases, including how to automate project creation and mapping.21:46
*** raildo has quit IRC21:50
*** spilla has quit IRC22:12
*** rcernin has joined #openstack-keystone22:14
*** r-daneel has quit IRC22:15
*** r-daneel has joined #openstack-keystone22:16
*** r-daneel has quit IRC22:32
*** r-daneel has joined #openstack-keystone22:32
*** felipemonteiro_ has quit IRC22:36
*** dave-mcc_ has quit IRC22:49
*** r-daneel has quit IRC23:07
*** lbragstad has quit IRC23:17
*** lbragstad has joined #openstack-keystone23:36
*** ChanServ sets mode: +o lbragstad23:36
*** lbragstad has quit IRC23:47

Generated by 2.15.3 by Marius Gedminas - find it at!