Tuesday, 2018-05-29

[02:03] redrobot: Assuming there's no team meeting today because of Memorial Day in the US...
[04:05] redrobot: haha, just realized I was on the wrong channel... oops. >_<
[11:56] neha_alhat: mordred: Hi
[12:21] neha_alhat: cmurphy: Hi
[12:23] cmurphy: neha_alhat: it's good practice to provide some context for what you need when you try to get someone's attention https://blogs.gnome.org/markmc/2014/02/20/naked-pings/
[12:27] cmurphy: i'm in a meeting but if you provide context it could be that someone else is around who can help :)
[12:39] neha_alhat: cmurphy: Actually I want to know why these parameters are registered in keystonemiddleware and also in keystoneauth. https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_opts.py#L88-L95
[12:39] neha_alhat: cmurphy: do you have any idea?
[12:41] neha_alhat: cmurphy: in keystoneauth it is registered here: https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/loading/session.py#L170
[12:56] openstackgerrit: Dmitry Tantsur proposed openstack/keystoneauth master: Add optional support for retrying certain HTTP codes https://review.openstack.org/570934
[12:58] cmurphy: neha_alhat: i think it's because of the comment here https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/__init__.py#L919-L922
[13:02] neha_alhat: cmurphy: Ok
[15:00] hrybacki: uhoh keystone cores: https://review.openstack.org/#/c/570940/1/reference/principles.rst
[15:04] cmurphy: I think the keystone team has a pretty good culture of not nitpicking :)
[15:05] knikolla: gotta love that nitpicking in a patch about not nitpicking
[15:05] lbragstad: i'd say most, if not all, folks here are pretty good with follow-on patches
[15:05] hrybacki: it's fun to tease all the same ;)
[15:06] hrybacki: I think the keystone team has a pretty good culture in general
[15:10] lbragstad: i have recording after recording queued... there is more to catch up on than i thought
[15:17] * hrybacki needs to remember to read everyone's blog this week
[15:18] * cmurphy furiously blogwriting
[15:18] cmurphy: so many notes
[15:42] lbragstad: yeah - i'm in the same boat... trying to get the pictures and words out of my head and on paper....
[15:43] lbragstad: hrybacki: do you have a patch up for the role name bits?
[15:43] lbragstad: for the default roles stuff?
[15:43] hrybacki: the follow-up? I will today
[15:43] lbragstad: ok - just making sure i didn't miss it
[15:43] hrybacki: we landed on Jack, Johny, and Jane, right?
[15:43] hrybacki: kmalloc: ^^
[15:47] gagehugo: thought it was Alice, Bob, and Eve
[15:48] kmalloc: hrybacki: "jack, johnny, and the "Grady Twins" *shiftyeyes*
[16:02] openstackgerrit: Raildo Mascena proposed openstack/keystone master: [WIP] - Exposing bug/1754677 https://review.openstack.org/570438
[16:46] kmalloc: oh wow, flask middleware is so very much easier to work with than webob things.
[16:46] * kmalloc rips apart some silly middleware we have.
[17:01] lbragstad: knikolla: i have you down first thing next week to go through the proxy call stuff
[17:02] lbragstad: #startmeeting keystone-office-hours
[17:02] openstack: Meeting started Tue May 29 17:02:15 2018 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
[17:02] openstack: Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
[17:02] openstack: The meeting name has been set to 'keystone_office_hours'
[17:02] * knikolla goes to grab lunch
[17:03] * gagehugo ditto
[17:55] openstackgerrit: Harry Rybacki proposed openstack/keystone-specs master: Follow-up -- replace 'auditor' role with 'reader' https://review.openstack.org/570990
[17:55] hrybacki: lbragstad: ^^
[18:22] ayoung: knikolla, I think your proxy and Istio are covering similar ground.  What I am wondering is what the API would look like for Proxy to consume
[18:23] ayoung: lbragstad, did you go to https://www.youtube.com/watch?time_continue=143&v=x9PhSDg4k6M ?  It's pretty much Dynamic Policy reborn...how many years ago was that?
[18:23] lbragstad: i didn't go to the one
[18:23] lbragstad: i had a conflict with something else i think
[18:24] lbragstad: it was on my schedule to watch later though
[18:25] ayoung: lbragstad, just watched through it.  Basically, a service prior to Keystone that updates multiple un-synced keystones
[18:25] knikolla: ayoung: what API are you referring to?
[18:25] ayoung: hub and spoke model
[18:26] ayoung: knikolla, the cross-project access thing
[18:26] ayoung: if a user from one project needs to access a resource in another and has to get a new token, it's kinda yucky
[18:26] knikolla: ayoung: the normal openstack APIs. the proxy is transparent.
[18:26] ayoung: knikolla, right now it is K2K, but using the user's creds
[18:27] knikolla: ayoung: the proxy just goes through all the projects the user has access to
[18:27] ayoung: I guess that would be more like get the resource, find what project it is, and request a token for that project..all done by the proxy?
[18:27] knikolla: ayoung: yes.
[18:28] ayoung: might have some scale issues there.  I would rather know which project a-priori....somehow
[18:28] knikolla: ayoung: caching works
[18:28] knikolla: go where it was last time
[18:29] knikolla: or there might be a push model by listening through the messagebus for notifications of creations
[18:29] ayoung: knikolla, like a symlink
[18:29] ayoung: knikolla, let's use the volume mount as the example
[18:29] ayoung: P1 holds the VM
[18:29] ayoung: P2 holds the volume
[18:30] ayoung: Ideally, I would add a symlink in P1 to the volume
[18:30] ayoung: a placeholder that says "when you get this resource, go to P2 to get it"
[18:30] knikolla: so explicit instead of implicit by searching for it?
[18:30] ayoung: but...it should be at the keystone level
[18:30] ayoung: knikolla, what if we tagged the P1 project itself
[18:31] ayoung: "additional resources located in P2"
[18:31] knikolla: ayoung: maybe do this at the level above in the project hierarchy
[18:32] ayoung: knikolla, it's not a strict hierarchy thing
[18:32] ayoung: should be a hint: not enforcing RBAC,
[18:33] ayoung: it's almost like a shadow service catalog
[18:33] knikolla: ayoung: but it makes things easier to understand. and provides a cleaner way to implement granularity by subdividing a project.
[18:33] ayoung: "get Network from PN, Storage from PS, Image from PI"
[18:34] ayoung: and...yes, you should be able to tag that on a parent project and have it inherited down
[18:34] knikolla: ayoung: same thing but with different clouds and you have the open cloud exchange we want.
[18:34] ayoung: knikolla, ooooooh
[18:35] ayoung: so...part of it could be the Auth URL for the remote project
[18:35] knikolla: ayoung: it's in the keystone service catalog. all service providers are there.
[18:35] ayoung: knikolla, but in this case it would be a pointer to the SP
[18:36] ayoung: like "on this project, for network, use SP1:PN
[18:36] ayoung: project level hints
[18:36] knikolla: like a local project symlinking to a remote cloud's project?
[18:37] knikolla: i've called these sister-projects during presentations.
[18:38] ayoung: knikolla, do you have a formal proposal for how to annotate the sister-projects?
[18:40] knikolla: ayoung: no I don't. In my notes I have "scope to a project with the same name as the local one, on the domain assigned to the IdP".
[18:40] ayoung: knikolla, OK...starting another etherpad for this
[18:44] knikolla: ayoung: minus the annotation stuff (proxy goes everywhere searching for stuff), the cross-attaching thing works already.
[18:45] ayoung: knikolla, ++
[18:45] ayoung: knikolla, this could be big
[18:46] ayoung: knikolla, I think we have the topic for our Berlin presentation
[18:46] knikolla: ayoung: what's different this time than the other times I proposed this?
[18:46] ayoung: "We've done unspeakable things with Keystone"
[18:47] ayoung: knikolla, the fact that we can use it inside a single openstack deployment for one
[18:47] ayoung: the annotations for second
[18:47] ayoung: and constant repetition to beat it through people's heads, of course
[18:47] ayoung: we call it keystone-istio to get people's attention, too
[18:47] ayoung: it's real service mesh type stuff
[19:13] knikolla: ayoung: istio is more about connecting apps though, right?
[19:14] ayoung: knikolla, it's about any app to app communication, and used for multiple use cases.  pretty much all cross cutting concerns
[19:15] ayoung: access control, Denial of Service control, blue/green deployments
[19:15] ayoung: it is a proxy layer.  those are typically used for 3 things
[19:15] ayoung: security, lazy load, remote access
[19:16] ayoung: logging is often done that way, too
[19:17] knikolla: i have concerns on performance for a generic app proxy with python. the openstack-service to openstack-service use case is slightly different since they are terribly slow anyway.
[19:18] ayoung: knikolla, Istio is in Go
[19:18] ayoung: kmalloc, who makes your 1/4 rack?
[19:19] knikolla: ayoung: you want to adopt istio or make what we have more similar to istio?
[19:19] kmalloc: ayoung: startach
[19:19] kmalloc: ayoung: or something like that, sec
[19:19] ayoung: https://www.amazon.com/12U-4-Post-Open-Rack/dp/B0037ECAJA kmalloc
[19:19] kmalloc: ayoung: https://www.amazon.com/gp/product/B00P1RJ9LS/ref=oh_aui_search_detailpage?ie=UTF8&psc=1
[19:20] kmalloc: same thing, different seller
[19:20] ayoung: kmalloc, ah even better price tho
[19:20] kmalloc: they make a few options, up to 42U
[19:21] kmalloc: do not get the 2-post or the 2-post-HD. won't work for you
[19:21] ayoung: kmalloc, these the shelve rails
[19:22] kmalloc: ayoung: i used https://www.amazon.com/gp/product/B00TCELZTK for the UPS, you can also get https://www.amazon.com/gp/product/B0013KCLQC for heavier items
[19:22] kmalloc: the full shelf is VERY nice.
[19:23] ayoung: I think for the poweredges I want the rail version
[19:24] kmalloc: sure, be wary though, some of the rail versions don't play well with server cases, they consume just enough (~1-2mm) space that the servers scrape
[19:24] kmalloc: so measure your servers and make sure you have a few mm on either side where the rails would normally go
[19:24] kmalloc: shouldn't really be an issue with any "real" server with rail mount points
[19:25] ayoung: what about these:
[19:26] kmalloc: i don't see how those would work for anything
[19:26] kmalloc: not sure what the heck those even are
[19:26] ayoung: yeah...thought they were rails at first
[19:31] knikolla: ayoung: ping again, you are thinking of adopting istio or morphing what we already have in mixmatch to be more like istio?
[19:31] ayoung: knikolla, I'm still digesting what I saw at the summit
[19:31] ayoung: I think we need something like Istio
[19:31] ayoung: whether that is Istio or your proxy or something else yet is unclear
[19:33] ayoung: knikolla, I think that the proxy technology is one question, and what APIs Keystone needs to support it is a second related one
[19:34] knikolla: ayoung: it depends how many birds are you trying to hit
[19:34] knikolla: i have something that fits the openstack-service to openstack-service
[19:35] knikolla: which probably won't work with app to app.
[19:36] ayoung: knikolla, take some time to look at Istio, and tell me if it is an effort you could support.
[19:37] knikolla: ayoung: i'll play around with it.
[19:37] ayoung: knikolla, TYVM
[19:45] knikolla: it was about time i learned Go. :/
[20:42] rm_work: keystone seems to do hard-deletes on projects in the DB -- is that a correct assessment? and if so, is there any way to make it do soft-deletes, or any specific reason it wasn't done that way?
[20:42] lbragstad: rm_work: we support disabling projects, which does just about the same thing you'd expect a soft delete to do
[20:43] rm_work: so it may just be a "using it wrong" issue
[20:43] lbragstad: if you disable a project, users can't authenticate to it, use it, etc...
[21:13] rm_work: lbragstad: the issue we're trying to solve is around orphaned objects -- keystone projects get deleted and we have servers and stuff that we now can't see who owned them
[21:13] lbragstad: yeah - that's a problem
[21:13] rm_work: but if we can't control exactly what users do -- i feel like we should be able to enforce soft-delete (disable) only
[21:13] lbragstad: one thing that might help
[21:14] rm_work: like i'd be tempted to locally patch the delete call to just set the disabled flag instead
[21:14] rm_work: if `soft_delete = True` or something in config
[21:14] lbragstad: what if your delete flow does a disable first?
[21:14] rm_work: i mean this is like
[21:15] rm_work: end-users delete a project
[21:15] rm_work: it's not really something we control, unless we refuse project deletes based on policy
[21:15] lbragstad: then consume the notification from keystone about the disabled project and clean things up before you delete it
[21:15] rm_work: which is just confusing for everyone involved
[21:16] lbragstad: that was one of the main reasons we implemented notification support in keystone
[21:16] rm_work: ok well isn't that still a patch to keystone we'd have to do?
[21:16] rm_work: to change the "delete" call to do a disable first?
[21:16] lbragstad: no - more like horizon, but still a patch somewhere, yes
[21:16] rm_work: I can't control what John Doe CloudUser does with his projects
[21:16] rm_work: we don't use horizon, just API
[21:17] rm_work: and the issue is when random end-users create projects, use them, and then delete them with resources still on them
[21:17] rm_work: via the API
[21:17] lbragstad: the idea was that keystone would emit notifications about state changes for projects, then other services would subscribe to the queue
[21:17] lbragstad: it could see the notification come in via the message bus (which still isn't ideal... but)
[21:17] lbragstad: pull the project id out of the payload
[21:18] lbragstad: and clean up instances/volumes accordingly
[21:18] rm_work: so we should be listening to the keystone notifications and deleting everything that exists for projects based on their ID? (this sounds like a Reaper related thing)
[21:18] rm_work: but that's ... really not what we want, I think. what we want is just a soft-delete <_<
[21:19] lbragstad: even if you have a soft delete, something has to do the clean up
[21:19] rm_work: I guess we could have something listen to the notifications, and for each deleted project it sees, just archive that to another table or something
[21:19] rm_work: not necessarily
[21:19] rm_work: sometimes it's because someone left the company and we need to reassign their stuff to another project, or deal with it intelligently at least
[21:19] rm_work: rather than blindly wipe everything out
[21:19] rm_work: or just someone does something dumb
[21:19] rm_work: and we need to undo it
[21:20] rm_work: and it's a lot easier to undo an accidental project delete, than wiping out all resources in the cloud for that project :P
[21:20] rm_work: or rather
[21:21] rm_work: it's a lot easier to undo an accidental project delete *when all it did is remove one DB record*, as opposed to issuing cascading deletes to all services in the cloud for all objects
[21:21] lbragstad: i'm hearing two different use cases here
[21:22] rm_work: you're not wrong i guess
[21:22] lbragstad: 1.) you want to clean up orphaned objects in certain cases
[21:22] lbragstad: 2.) and transfer of ownership
[21:22] rm_work: well, we don't want it automated in ANY case
[21:22] rm_work: we want to be able to deal with it later
[21:22] rm_work: in all cases
[21:22] rm_work: just that the way projects get deleted might be different
[21:22] rm_work: but in all cases, what we want is them to be soft-deleted
[21:23] rm_work: and not clean up anything
[21:23] rm_work: the issue is not that the orphans exist
[21:23] rm_work: it's that we can't tell who they used to belong to
[21:23] rm_work: for auditing purposes, or making a decision on cleanup
[21:24] lbragstad: kmalloc: has opinions on this, and we were going to discuss it in YVR but i'm not sure we did
[21:25] rm_work: just seems like soft-delete is done in most places, except keystone (and maybe neutron?)
[21:25] lbragstad: if you had a soft delete capability in keystone, how would you expect it to work differently from disable?
[21:25] rm_work: i'm not sure i would
[21:26] rm_work: i mean i would probably literally implement it as "if CONF.soft_delete: disable; else: delete"
[21:26] rm_work: you COULD go a little further and have a deleted flag... and just use that as a sort of explicit filter (?show_deleted=true)
[21:27] lbragstad: so - why not restrict project deletion to system administrators and just leave disable available to customers
[21:27] rm_work: but i don't know if that's necessary
[21:27] rm_work: lbragstad: that's what i mentioned earlier as the only solution i could think of
[21:27] rm_work: but it seems like a bad solution just because as an outlier it is very confusing to people
rm_workbut yes, we could do that21:27
lbragstadif your users can disable/enable and not delete - then you can manually do whatever you need to as a system admin21:27
*** r-daneel has quit IRC21:28
rm_worknot sure how many thousands of workflows we'd break21:28
*** r-daneel has joined #openstack-keystone21:28
lbragstadwould those workflows still break if you had CONF.soft_delete?21:28
rm_workwhich seems like the main blocker, because if we did that there's a good chance whoever ok'd it would be fired :P21:28
rm_workbecause it would still say "204 OK" or whatever21:28
rm_workand then ideally be filtered from API lists21:29
rm_work(by default)21:29
rm_workthe same as how every other soft-delete that i'm aware of works21:29
rm_workbasically it just pretends to delete, unless you really go digging21:29
rm_workso from a typical user's perspective, they couldn't tell the difference21:30
rm_workbut it doesn't remove the DB entry and throw a wrench in auditing21:30
rm_worka quick fix for us could be like, throw a delete-trigger on the project table and have it archive -- at least we could look them up later if we HAD to <_< right now even that isn't possible. sometimes we get lucky looking through backups if the project was long-lived...21:31
rm_work^^ but that is dumb and i would never actually do that (it's just an example)21:32
rm_workI'm honestly surprised this hasn't come up frequently21:32
lbragstadit has21:33
lbragstadvery often actually21:33
rm_workbasically yes, that seems right21:35
rm_workbut I wouldn't say it's *too* heavy handed21:36
lbragstadit would be a lot of work to our API21:38
rm_workit seems like the work would be more on the backends side21:39
rm_workfor the API wouldn't you just have to add another query param?21:39
rm_worklike "show_deleted"?21:39
lbragstadyeah - we'd probably need to support something like that21:39
lbragstadand implement soft deletes for all keystone resources, mainly for consistency21:39
rm_workyeah that expands the scope of things a little, but i don't think you're wrong21:40
lbragstad(i can imagine it being frustrating to have projects soft delete but not something else like users or groups)21:40
rm_worki still think it's something that's needed.21:40
lbragstadwe'd also need to double check the api with HMT21:40
rm_workbut i guess maybe there aren't enough people that agree with my opinion for it to have happened21:41
*** felipemonteiro has quit IRC21:41
rm_workwhich means it probably won't any time soon, unless I go do it :P (and then get agreement from enough cores to accept the patches)21:41
lbragstadi don't think people are disagreeing with you, but no one has really stepped up to do the work21:41
rm_workso you think if it was done, no one would object to merging?21:41
lbragstadthe last time i discussed it around the Newton time frame, people were only opposed to the dev resource aspect of it21:42
lbragstadand making sure if we did it, it was done consistently21:42
lbragstadi don't think people had super strong opinions on saying absolutely not to soft-deletes21:42
lbragstadwow - typing is really hard21:43
rm_workit can be, yes :P21:43
lbragstadthat was the main purpose of the post that i wrote21:43
lbragstadi think the use case for auditing is important, but at the time those were the three options that were clear to me21:43
lbragstadbased on my discussions with various people21:44
lbragstadbut - yeah... it's an important use case and I get it, but i also know kmalloc and ayoung have a bunch of thoughts on this21:46
lbragstadi wouldn't be opposed to discussing it again, and seeing if we can do something to Stein or T21:47
lbragstaddiscussing it as a larger group*21:47
rm_workyeah, I mean, I'll be in Denver21:47
lbragstadfor the PTG?21:47
rm_workif we want to discuss it then21:48
lbragstadwe can throw it on the meeting agenda for next week21:48
lbragstadif you feel like getting more feedback sooner than september21:48
*** mvk has quit IRC21:50
rm_workwhat time are your meetings?21:50
lbragstad1600 UTC on tuesdays21:51
lbragstadso - 11:00 AM central21:51
lbragstadrm_work: are you based in texas?21:51
rm_worknot anymore21:52
rm_workkinda ... nomadic21:52
lbragstadack - i wasn't sure21:52
rm_workyeah after I left castle, I go all over :P21:52
lbragstadwell - we can throw it on the agenda for next week if you'll be around21:53
lbragstadotherwise, the use case seems straight-forward enough to kickstart on the mailing list21:53
rm_workyeah we could do a quick topic on it I suppose -- I can try to show up for that21:57
gyeelbragstad, I suppose we don't support directly mapping a federated user into a domain admin (domain-scoped token) do we? It's been a while since I looked at that piece of code. Just curious if anything has changed.21:57
rm_workjust for feedback purposes -- though whether or not it is important enough to us to get resources on it anytime soon is another question21:57
rm_workwhich is why i figured PTG would be easier timing21:57
*** spilla has quit IRC21:57
lbragstadgyee: ummm21:58
lbragstadyou could map a user into a group with an admin role assignment on a domain21:59
lbragstadbut are you asking if trading a SAML assertion for a domain-scoped token works?21:59
gyeebut do we directly issue a domain-scoped token as the result of that?21:59
gyeeI don't remember we ever support that21:59
lbragstadgyee: https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_v3_federation.py#L3861 ?22:01
lbragstadoh - wait...22:01
lbragstadthat's an IDP test case22:01
lbragstadall these tests seem to authenticate for an unscoped token before trading it for a domain-scoped token22:02
*** StefanPaetowJisc has quit IRC22:03
gyeeright, that's what I thought22:03
lbragstadbut part of that flow with horizon is asking which project you want22:03
lbragstadto work on22:03
lbragstadso if it lists domains, horizon might support building a domain-scoped authentication request22:04
gyeelet me dive into that code again, someone told me today you can get a domain-scoped token for federation user22:04
lbragstadi feel like this was on the list of things we wanted to improve with horizon a few releases back22:04
gyeebut I don't remember ever seeing that functionality22:05
lbragstadcmurphy: _might_ know off the top of her head?22:05
lbragstadi remember she was working on some of that stuff during those joint team meetings between keystone and horizon22:05
gyeek, let me check with her as well22:06
gyeethanks man22:06
lbragstadgyee: no problem, let me know if you hit anything weird22:06
openstackMeeting ended Tue May 29 22:06:32 2018 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)22:06
openstackMinutes:        http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-05-29-17.02.html22:06
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-05-29-17.02.txt22:06
openstackLog:            http://eavesdrop.openstack.org/meetings/keystone_office_hours/2018/keystone_office_hours.2018-05-29-17.02.log.html22:06
*** lifeless has quit IRC22:07
ayoungrm_work, you are singing my song22:10
ayounggyee!  Good to hear from you!22:10
ayoungrm_work, I would support allowing projects being created with a specific ID22:11
rm_workayoung: so you generally agree with what I am asking for?22:11
ayoungthat would give us 2 things22:11
ayoung1 support for undeleting a project in order to clean up orphaned resources22:11
ayoung2 a way to sync 2 keystones22:12
ayoungthe question is what restrictions would we put around it22:12
ayoungI suggested it before, and dolphm thought it was too big an API change, but I still think it is the right thing22:12
ayoungrm_work, I wanted a lot of things over the years22:12
ayounglike the ability to pre-create Federated users in the databases, and to have their IDs hashed22:13
cmurphylbragstad: gyee umm i'm not sure off the top of my head22:13
cmurphyit would be easy to test though22:13
ayoungso that the ID is predictable.  again, for the multi-keystone case22:13
ayoungwhich is looking more and more to be the dominant use case22:13
gyeeayoung, yeah, still working on openstack stuff :-)22:14
*** rcernin has joined #openstack-keystone22:18
rm_workso maybe I don't need a meeting topic :)22:23
*** lifeless has joined #openstack-keystone23:10
*** lifeless_ has joined #openstack-keystone23:23
*** lifeless has quit IRC23:25
*** cz2 has quit IRC23:33
*** cz2 has joined #openstack-keystone23:36
*** felipemonteiro has joined #openstack-keystone23:41
*** openstackstatus has joined #openstack-keystone23:43
*** ChanServ sets mode: +v openstackstatus23:43
*** felipemonteiro has quit IRC23:50
