Thursday, 2018-04-26

« Wednesday, 2018-04-25 Index Friday, 2018-04-27 »
*** r-daneel has quit IRC00:00
*** panbalag has joined #openstack-keystone00:51
*** namnh has joined #openstack-keystone00:51
*** kmalloc has quit IRC01:10
*** panbalag has left #openstack-keystone01:11
*** sapd has joined #openstack-keystone01:35
*** viks_ has joined #openstack-keystone02:08
*** gmann_ has joined #openstack-keystone02:08
*** wlmbasson_ has joined #openstack-keystone02:08
*** jamespage_ has joined #openstack-keystone02:09
*** breton has joined #openstack-keystone02:11
*** chrome0_ has joined #openstack-keystone02:12
*** chrome0 has quit IRC02:12
*** breton__ has quit IRC02:12
*** viks has quit IRC02:12
*** jamespage has quit IRC02:12
*** wlmbasson has quit IRC02:12
*** mordred has quit IRC02:12
*** d0ugal has quit IRC02:12
*** gmann has quit IRC02:12
*** ianw_pto has quit IRC02:12
*** viks_ is now known as viks02:12
*** wlmbasson_ is now known as wlmbasson02:12
*** jamespage_ is now known as jamespage02:13
*** ianw has joined #openstack-keystone02:13
*** mordred has joined #openstack-keystone02:13
*** d0ugal has joined #openstack-keystone02:13
*** cburgess has quit IRC02:15
*** cburgess has joined #openstack-keystone02:18
*** gongysh has joined #openstack-keystone02:19
*** edmondsw has joined #openstack-keystone02:20
*** daidv has joined #openstack-keystone02:46
*** daidv has quit IRC02:49
*** namnh_ has joined #openstack-keystone03:06
*** namnh has quit IRC03:08
*** jenglisch has quit IRC03:27
*** jenglisch has joined #openstack-keystone03:29
*** nicolasbock has quit IRC03:33
*** rvba has joined #openstack-keystone03:33
*** rvba has quit IRC03:33
*** rvba has joined #openstack-keystone03:33
*** annp has joined #openstack-keystone03:39
*** prashkre has joined #openstack-keystone03:47
*** edmondsw has quit IRC03:50
*** dklyle has joined #openstack-keystone04:02
*** ayoung has quit IRC04:08
*** prashkre has quit IRC04:14
*** edmondsw has joined #openstack-keystone04:18
*** edmondsw has quit IRC04:21
*** edmondsw has joined #openstack-keystone04:21
*** edmondsw has quit IRC04:21
*** edmondsw has joined #openstack-keystone04:22
*** namnh has joined #openstack-keystone04:23
*** namnh_ has quit IRC04:23
*** dklyle has quit IRC04:26
*** edmondsw has quit IRC04:26
*** dklyle has joined #openstack-keystone04:30
*** dklyle has quit IRC04:35
*** links has joined #openstack-keystone04:53
*** prashkre has joined #openstack-keystone05:16
*** belmoreira has joined #openstack-keystone05:19
*** prashkre has quit IRC05:20
*** prashkre has joined #openstack-keystone05:20
*** d0ugal has quit IRC05:46
*** d0ugal has joined #openstack-keystone06:13
*** tesseract has joined #openstack-keystone06:58
*** tesseract has quit IRC07:00
*** tesseract has joined #openstack-keystone07:02
*** pcaruana has joined #openstack-keystone07:31
*** rcernin has quit IRC07:32
*** AlexeyAbashkin has joined #openstack-keystone07:45
*** threestrands_ has quit IRC07:52
*** jaosorior has joined #openstack-keystone08:24
*** dtruong_ has joined #openstack-keystone08:27
*** dtruong has quit IRC08:28
*** prashkre has quit IRC08:36
*** prashkre has joined #openstack-keystone08:38
eEbxHello, I'm thinking about keystone cluster in two data centers. Can you recommend me some best practices or do you have some architectural plan?08:40
*** jmccarthy has joined #openstack-keystone08:42
jmccarthyDoes keystone support this currently ? assert:supports-zero-downtime-upgrade08:43
*** rpittau has joined #openstack-keystone08:52
*** Alexey_Abashkin has joined #openstack-keystone08:57
*** hoonetorg has quit IRC08:58
*** AlexeyAbashkin has quit IRC09:01
*** Alexey_Abashkin is now known as AlexeyAbashkin09:01
*** hoonetorg has joined #openstack-keystone09:15
cmurphyeEbx: we don't really have a good document on that yet :/ you might try the #openstack-operators room or the openstack-operators mailing list for some best practice advice09:32
eEbxcmurphy: ok thanks a lot09:33
cmurphyjmccarthy: we don't currently assert that tag, but we do support rolling upgrades (we're just short of asserting the tag by some CI requirements) and zero downtime should be achievable that way09:33
jmccarthycmurphy: Ok - this is the best docs for this at the moment is it ? https://docs.openstack.org/keystone/pike/admin/identity-upgrading.html09:35
cmurphyjmccarthy: yes or the queens version https://docs.openstack.org/keystone/queens/admin/identity-upgrading.html09:37
cmurphythough i don't think it's changed09:37
jmccarthycmurphy: Oh yes, great - thanks ! :)09:37
cmurphynp09:37
*** pcichy has quit IRC09:40
*** pcichy has joined #openstack-keystone09:40
*** mtreinish has quit IRC09:41
*** Horrorcat has quit IRC09:47
*** mtreinish has joined #openstack-keystone09:47
*** Horrorcat has joined #openstack-keystone09:48
*** Horrorcat has joined #openstack-keystone09:48
*** jaosorior has quit IRC09:49
*** prashkre has quit IRC09:49
*** prashkre has joined #openstack-keystone09:49
*** gongysh has quit IRC10:01
*** namnh has quit IRC10:14
*** nicolasbock has joined #openstack-keystone10:33
*** threestrands_ has joined #openstack-keystone11:01
*** d3mon has joined #openstack-keystone11:16
*** d3mon has left #openstack-keystone11:16
*** openstackgerrit has joined #openstack-keystone11:22
openstackgerritMonty Taylor proposed openstack/keystoneauth master: Turn normalize_status into a class  https://review.openstack.org/56411011:22
openstackgerritMonty Taylor proposed openstack/keystoneauth master: Infer version from old versioned service type aliases  https://review.openstack.org/56429911:22
openstackgerritMonty Taylor proposed openstack/keystoneauth master: Make VersionData class  https://review.openstack.org/56446911:22
mordredcmurphy: ^^ that last patch should take care of your original review on the version data patches11:23
cmurphymordred: sweet11:23
*** pcichy has quit IRC11:24
mordredcmurphy: if we don't watch out, we're going to have a workable service type story11:24
cmurphywhoa11:25
*** prashkre_ has joined #openstack-keystone11:35
*** prashkre has quit IRC11:36
*** rm_work has quit IRC11:39
*** rm_work has joined #openstack-keystone11:39
*** raildo has joined #openstack-keystone11:48
*** alex_xu has quit IRC11:49
*** alex_xu has joined #openstack-keystone11:49
*** edmondsw has joined #openstack-keystone11:57
*** edmondsw_ has joined #openstack-keystone11:58
*** edmondsw has quit IRC12:02
*** edmondsw_ is now known as edmondsw12:08
gagehugoo/12:22
*** alee__ has quit IRC12:28
*** dave-mccowan has joined #openstack-keystone12:31
*** panbalag has joined #openstack-keystone12:40
*** dave-mcc_ has joined #openstack-keystone12:40
*** panbalag has left #openstack-keystone12:41
*** dave-mccowan has quit IRC12:43
*** threestrands_ has quit IRC12:58
openstackgerritMonty Taylor proposed openstack/keystoneauth master: Infer version from old versioned service type aliases  https://review.openstack.org/56429913:04
openstackgerritMonty Taylor proposed openstack/keystoneauth master: Allow tuples and sets in interface list  https://review.openstack.org/56449513:04
*** bhagyashris has quit IRC13:09
*** edmondsw has quit IRC13:12
*** edmondsw has joined #openstack-keystone13:12
*** alee__ has joined #openstack-keystone13:13
*** edmondsw has quit IRC13:16
*** jdennis has quit IRC13:19
*** mvk has quit IRC13:29
*** jaosorior has joined #openstack-keystone13:35
*** ediardo has quit IRC13:44
lbragstadjamielennox: the system scope one?13:57
lbragstadit's a dictionary13:57
*** mvk has joined #openstack-keystone13:58
*** pcichy has joined #openstack-keystone14:01
*** spilla has joined #openstack-keystone14:11
*** jaosorior has quit IRC14:12
*** jaosorior has joined #openstack-keystone14:13
*** edmondsw has joined #openstack-keystone14:19
*** raildo has quit IRC14:29
*** raildo has joined #openstack-keystone14:41
*** pcaruana has quit IRC14:42
*** r-daneel has joined #openstack-keystone14:45
*** dklyle has joined #openstack-keystone14:47
*** edmondsw has quit IRC14:54
*** edmondsw has joined #openstack-keystone14:54
*** jaosorior has quit IRC14:55
*** felipemonteiro_ has joined #openstack-keystone14:58
*** felipemonteiro__ has joined #openstack-keystone14:59
*** r-daneel has quit IRC15:01
*** felipemonteiro_ has quit IRC15:03
*** jdennis has joined #openstack-keystone15:04
*** jistr|mtgs is now known as jistr15:04
-openstackstatus- NOTICE: We've successfully troubleshooted the issue that prevented paste.openstack.org from loading and it's now back online, thank you for your patience.15:05
*** links has quit IRC15:06
*** chudly has joined #openstack-keystone15:15
openstackgerritMerged openstack/keystone master: Remove policy service from architecture.rst  https://review.openstack.org/56423915:16
*** jdennis has quit IRC15:33
*** gyee has joined #openstack-keystone15:40
*** jmlowe has quit IRC15:44
openstackgerritLance Bragstad proposed openstack/oslo.policy master: Update documentation to include usage for new projects  https://review.openstack.org/56434015:44
*** Guest62064 is now known as lamt15:48
*** jdennis has joined #openstack-keystone15:48
*** AlexeyAbashkin has quit IRC15:56
cmurphyif we propose moving the default roles session from Thursday to Monday at 11:35 how do people feel about that?15:56
lbragstad+1 from me15:57
gagehugoyes please15:57
lbragstadknikolla: have you heard of any updates about the mutable configs goal?15:59
lbragstadi was just reading the weekly release email and it reminded me of that16:00
*** d0ugal has quit IRC16:03
*** d0ugal has joined #openstack-keystone16:04
*** jmlowe has joined #openstack-keystone16:04
*** jmlowe has quit IRC16:05
*** empty_cup has joined #openstack-keystone16:12
empty_cupI'm trying to associate a user with a project using Keystone's REST APIs. Initially I set the default_project_id field but that seems more like a suggestion.16:14
lbragstadempty_cup: correct16:14
lbragstadempty_cup: you need to explicitly give that user authorization16:14
empty_cupI'm also assigning the role to user on project and both return successfully but when I list the projects that a user belongs to, it is empty.16:15
lbragstadempty_cup: we have a note about default_project_id here - https://developer.openstack.org/api-ref/identity/v3/index.html#users16:16
lbragstadempty_cup: which APIs are you calling? do you have a trace?16:16
empty_cupOk, the confirmation helps that I need to create a role and assign it to a user on a project16:17
empty_cuplbragstad: I'm working on a trace. Basically I create a user, then a role, assign the user to the role on an existing project.16:21
lbragstadok16:21
lbragstadthat sounds about right16:21
lbragstadwhat api are you asking for a user's projects?16:21
empty_cupAlthough when I list projects for the user there is nothing in the array. I'm using v3. I can see each in Horizon except for the role16:22
empty_cupI am creating all of the objects in a separate domain although I can view them while logging in as the default admin account on the default domain.16:23
empty_cupExcept for the role, the role doesn't show up.16:23
lbragstadhmm16:25
lbragstadare you using /v3/role_assignments16:25
lbragstador GET /v3/auth/projects ?16:25
lbragstadare you using openstackclient?16:26
empty_cupyep, v3 for everything, that's my reference16:27
empty_cupsorry, i'm using post requests for everything -- i have a python script or using curl16:27
lbragstadok - if you have a token for the user you're trying to list projects for, you should be able to use GET /v3/auth/projects16:29
lbragstadand get a list of all projects you have authorization on16:29
lbragstadotherwise, as an administrator, you should be able to call the /v3/role_assignments API and list all role assignments present in the deployment16:29
empty_cupi'm working on it, thanks for the help16:31
*** edmondsw has quit IRC16:31
*** jmccarthy has left #openstack-keystone16:31
openstackgerritMonty Taylor proposed openstack/keystoneauth master: Infer version from old versioned service type aliases  https://review.openstack.org/56429916:41
openstackgerritMonty Taylor proposed openstack/keystoneauth master: Allow tuples and sets in interface list  https://review.openstack.org/56449516:42
mordredlbragstad: I got the class extraction done in that stack ^^ like you wanted16:44
mordredlbragstad: https://review.openstack.org/#/c/564469/116:44
*** felipemonteiro__ has quit IRC16:45
lbragstadoh -cool16:45
*** felipemonteiro has joined #openstack-keystone16:45
*** lbragstad[m] has joined #openstack-keystone16:46
*** eschwartz has quit IRC16:48
*** germs has joined #openstack-keystone16:50
*** germs has quit IRC16:50
*** germs has joined #openstack-keystone16:50
*** anyone has joined #openstack-keystone16:51
*** ediardo has joined #openstack-keystone16:55
*** lbragstad has quit IRC17:07
*** dklyle has quit IRC17:12
*** germs has quit IRC17:13
*** germs has joined #openstack-keystone17:13
*** germs has quit IRC17:13
*** germs has joined #openstack-keystone17:13
empty_cuplbragstad[m]: I confirmed by using the roles?domain_id that I see the role created. And I have a trace of activity. Is there a pastebin of choice the channel uses?17:19
empty_cupI feel like I'm really close to understanding how keystone works17:19
mordredempty_cup: http://paste.openstack.org is a good one17:21
mordredempty_cup: and yay for understanding!17:21
*** germs has quit IRC17:24
*** germs has joined #openstack-keystone17:25
*** germs has quit IRC17:25
*** germs has joined #openstack-keystone17:25
*** germs has quit IRC17:26
*** germs has joined #openstack-keystone17:26
*** germs has quit IRC17:26
*** germs has joined #openstack-keystone17:26
empty_cupPasted here: http://paste.openstack.org/show/719965/17:26
*** belmoreira has quit IRC17:32
*** anyone is now known as eschwartz17:32
*** prashkre__ has joined #openstack-keystone17:38
*** prashkre_ has quit IRC17:38
empty_cupi'm starting to think it may be influenced by the scope of the admin token17:41
lbragstad[m]empty_cup: which API are you calling?17:43
*** germs has quit IRC17:46
*** germs has joined #openstack-keystone17:47
*** germs has quit IRC17:47
*** germs has joined #openstack-keystone17:47
knikollalbragstad[m]: i haven't checked with regards to mutable config. will do.17:47
*** alee__ has left #openstack-keystone17:47
empty_cuplibragstad: http://localhost/identity/v317:47
lbragstad[m]that's the root path of the v3 api17:49
*** felipemonteiro has quit IRC17:51
*** felipemonteiro has joined #openstack-keystone17:51
empty_cupoh sorry, i misunderstood the question, which api call? the pastebin contains the resulting text for each API call. i can include the URL data as well17:51
lbragstad[m]lines 15 and 16 in your paste seem to be missing the call you made?17:54
*** mvk has quit IRC17:55
empty_cuplbragstad[m]: /roles?domain_id= using the same domain_id fed into the creation commands17:59
lbragstad[m]oh - gotcha18:00
lbragstad[m]so - that's only going to give you a list of role filtered by the domain, were you looking for it to give you a list of people with authorization on that domain?18:00
empty_cupthat's a good point, i'll find the other command that will list authorized users18:10
lbragstad[m]empty_cup: https://developer.openstack.org/api-ref/identity/v3/index.html#id594 might help18:16
*** felipemonteiro_ has joined #openstack-keystone18:17
*** felipemonteiro has quit IRC18:21
*** lbragstad has joined #openstack-keystone18:22
*** ChanServ sets mode: +o lbragstad18:22
*** dklyle has joined #openstack-keystone18:22
*** tesseract has quit IRC18:24
*** mvk has joined #openstack-keystone18:31
*** harlowja has joined #openstack-keystone18:46
empty_cupok i was applying the role to the domain and not on the project. that's fixed18:55
empty_cupnow through the use of policy.json i can craft a policy that says this role has the ability to create users only within this project18:56
lbragstad[m]technically - yes...18:56
empty_cupis there a better way?18:57
lbragstad[m]but we do have some stuff in the works to make it so that you don't have to roll a custom policy for that kind of thing https://bugs.launchpad.net/keystone/+bug/174802718:57
openstackLaunchpad bug 1748027 in OpenStack Identity (keystone) "The v3 users API should account for different scopes" [High,Triaged] - Assigned to sonu (sonu-bhumca11)18:57
empty_cupneat19:06
empty_cupnow that i have the trifecta of role, project, and user. when i list projects for user the array is still empty. should it be empty or populated with the project?19:07
lbragstadhow are you listing the projects for a user?19:08
lbragstadGET /v3/auth/projects ?19:08
empty_cup/v3/users/{user_id}/projects19:09
empty_cupas an admin from default19:09
lbragstadempty_cup: and the user is in a different domain with a role assignment on a project in a different domain?19:10
lbragstadempty_cup: i was able to do this locally - http://paste.openstack.org/raw/719967/19:17
lbragstadi was operating as the 'admin' user from devstack which has the administrator role and is within the default domain19:18
empty_cupcool, i'm looking at it. i've been using the 'admin' user from devstack as well19:23
*** ediardo has quit IRC19:23
*** felipemonteiro__ has joined #openstack-keystone19:46
*** felipemonteiro_ has quit IRC19:46
mordredlbragstad: did morgan change his nick again or is he just not in channel?19:47
lbragstadi think kmalloc just dropped19:48
lbragstadi'm unaware of a nick change19:48
lbragstadbut - would totally believe it if he did change nicks again :)19:48
mordredright? tough to keep up with him on that :)19:48
lbragstadit took me about 2 days to catch on to kmalloc19:49
mordredlbragstad: in any case, the plan of "make an sdk patch consuming the alias patches to make sure we didn't miss anything" TOTALLY bore fruit and caught a bug19:49
lbragstadnice!19:49
openstackgerritMonty Taylor proposed openstack/keystoneauth master: Infer version from old versioned service type aliases  https://review.openstack.org/56429920:10
mordredlbragstad: ^^ this time with winning included20:13
openstackgerritMerged openstack/oslo.policy master: Trivial: Update pypi url to new url  https://review.openstack.org/56336820:29
*** jmlowe has joined #openstack-keystone20:33
*** raildo has quit IRC20:34
*** belmoreira has joined #openstack-keystone20:57
*** pcichy has quit IRC20:59
openstackgerritDoug Hellmann proposed openstack/oslo.policy master: make the sphinxpolicygen extension handle multiple input/output files  https://review.openstack.org/56462721:00
empty_cuplbragstad: is there the ability for a project "admin" to create users scoped to a specific project within a specific domain?21:00
openstackgerritMonty Taylor proposed openstack/keystoneauth master: Infer version from old versioned service type aliases  https://review.openstack.org/56429921:01
lbragstadempty_cup: an admin can give users roles on specific projects, which essentially acts as scope21:02
lbragstadempty_cup: are you trying to find a way to make it so that a user can only work within one project?21:02
lbragstadother wise users at technically scoped to domains21:02
lbragstadwhich act as containers for users, groups, and projects21:03
lbragstadand sometimes roles21:03
openstackgerritDoug Hellmann proposed openstack/oslo.policy master: make the sphinxpolicygen extension handle multiple input/output files  https://review.openstack.org/56462721:03
*** prashkre__ has quit IRC21:04
empty_cuplbragstad: oh, i'm starting to see that's not how it is designed. the user is created in the domain and then based on roles is allowed into projects21:07
*** dklyle has quit IRC21:08
*** david-lyle has joined #openstack-keystone21:08
lbragstadcorrect21:11
lbragstadkeystone tries to be explicit with authorization21:12
lbragstadso even if a user's domain is set, they don't automatically get authorization on projects within that domain21:12
lbragstadan administrator of some kind must grant them authorization explicitly21:12
empty_cupgot it21:26
*** spilla has quit IRC21:31
*** belmoreira has quit IRC21:46
*** dave-mcc_ has quit IRC22:02
*** rcernin has joined #openstack-keystone22:23
*** felipemonteiro__ has quit IRC22:28
*** david-lyle is now known as dklyle22:33
jamielennoxlbragstad: ok, it's kind of weird (or just not something we'd done before) passing a dict through the environment headers22:55
jamielennoxis it a known dict or something that will change frequently?22:56
*** annp has quit IRC23:13
*** annp has joined #openstack-keystone23:14
*** empty_cup has quit IRC23:17
*** jmccrory has quit IRC23:17
*** jmccrory has joined #openstack-keystone23:18
*** gyee has quit IRC23:54
« Wednesday, 2018-04-25 Index Friday, 2018-04-27 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!