Monday, 2018-06-04

*** d0ugal has joined #openstack-keystone		00:01
*** bigdogstl has joined #openstack-keystone		00:19
*** bigdogstl has quit IRC		00:24
*** bigdogstl has joined #openstack-keystone		00:34
*** bigdogstl has quit IRC		00:39
*** bigdogstl has joined #openstack-keystone		00:45
*** bigdogstl has quit IRC		00:50
*** felipemonteiro has joined #openstack-keystone		01:09
*** bigdogstl has joined #openstack-keystone		01:11
*** bigdogstl has quit IRC		01:16
*** bigdogstl has joined #openstack-keystone		01:18
*** bigdogstl has quit IRC		01:23
*** namnh has joined #openstack-keystone		01:34
*** bigdogstl has joined #openstack-keystone		01:35
*** gongysh has joined #openstack-keystone		01:38
*** bigdogstl has quit IRC		01:39
*** germs has quit IRC		01:40
*** germs has joined #openstack-keystone		01:41
*** germs has quit IRC		01:41
*** germs has joined #openstack-keystone		01:41
*** gagehugo has quit IRC		01:44
empty_cup	it looks like a role applied to a user is only effective by the default admin on users/projects in the default domain	02:03
empty_cup	the admin user can assign a role of default admin on a user in a different domain and have it become effective	02:05
empty_cup	when using the other user, performing a role assign yields a 401 unauthorized even though the role admin is listed in the token response	02:06
empty_cup	based on a blog posting, having the default admin role on a newly created domain for a newly created user will allow that user to manage the domain with a domain scoped token	02:11
*** bigdogstl has joined #openstack-keystone		02:16
*** gagehugo has joined #openstack-keystone		02:17
empty_cup	the user is able to list objects successfully but not create new objects	02:19
empty_cup	the openstack cli says the service catalog is empty	02:19
*** bigdogstl has quit IRC		02:20
*** bigdogstl has joined #openstack-keystone		02:29
*** namnh has quit IRC		02:33
*** bigdogstl has quit IRC		02:34
*** namnh has joined #openstack-keystone		02:34
*** bigdogstl has joined #openstack-keystone		02:39
*** annp has joined #openstack-keystone		02:47
*** Dinesh_Bhor has joined #openstack-keystone		02:48
empty_cup	it's not enough to be the admin role, an admin on a freshly created domain needs to belong to a newly created project called admin	02:48
empty_cup	then the domain admin can list objects and create objects	02:48
empty_cup	as well as assign roles to objects	02:49
empty_cup	except that role assignment is not seen as effective	02:49
*** zhongjun_ has joined #openstack-keystone		02:49
empty_cup	sure it exists but it is not effective	02:50
*** bigdogstl has quit IRC		02:52
*** lifeless_ has joined #openstack-keystone		03:08
*** lifeless has quit IRC		03:09
*** EmilienM has quit IRC		03:22
*** gyankum has joined #openstack-keystone		03:22
*** EmilienM has joined #openstack-keystone		03:23
*** gyankum has quit IRC		03:24
*** lifeless has joined #openstack-keystone		03:29
*** lifeless_ has quit IRC		03:29
*** pooja_jadhav has joined #openstack-keystone		03:30
*** bigdogstl has joined #openstack-keystone		03:31
*** openstackgerrit has joined #openstack-keystone		03:31
openstackgerrit	wangxiyuan proposed openstack/python-keystoneclient master: WIP: functionality for registered limits https://review.openstack.org/572006	03:31
*** sonuk has joined #openstack-keystone		03:33
*** bigdogstl has quit IRC		03:40
*** bigdogstl has joined #openstack-keystone		03:52
*** bigdogstl has quit IRC		03:59
*** sonuk_ has joined #openstack-keystone		04:09
*** sonuk has quit IRC		04:12
*** sonuk has joined #openstack-keystone		04:13
*** sonuk_ has quit IRC		04:14
*** bigdogstl has joined #openstack-keystone		04:22
*** bigdogstl has quit IRC		04:27
*** gongysh has quit IRC		04:31
*** germs has quit IRC		04:34
*** bigdogstl has joined #openstack-keystone		04:37
*** felipemonteiro has quit IRC		04:43
*** empty_cup has quit IRC		04:46
*** bigdogstl has quit IRC		04:58
*** bigdogstl has joined #openstack-keystone		05:02
*** Dinesh_Bhor has quit IRC		05:03
*** bigdogstl has quit IRC		05:07
*** bigdogstl has joined #openstack-keystone		05:12
*** bigdogstl has quit IRC		05:17
*** bigdogstl has joined #openstack-keystone		05:25
*** bigdogstl has quit IRC		05:30
*** links has joined #openstack-keystone		05:38
*** bigdogstl has joined #openstack-keystone		05:46
*** hoonetorg has joined #openstack-keystone		05:49
*** bigdogstl has quit IRC		05:58
*** Dinesh_Bhor has joined #openstack-keystone		05:58
*** martinus__ has joined #openstack-keystone		06:08
*** Dinesh_Bhor has quit IRC		06:25
*** Dinesh_Bhor has joined #openstack-keystone		06:27
*** bigdogstl has joined #openstack-keystone		06:34
*** bigdogstl has quit IRC		06:39
*** ispp has joined #openstack-keystone		06:53
*** liuzz has joined #openstack-keystone		06:58
*** bigdogstl has joined #openstack-keystone		07:01
*** bigdogstl has quit IRC		07:05
*** pcaruana has joined #openstack-keystone		07:12
*** pcaruana is now known as pcaruana\|worksho		07:14
*** Dinesh__Bhor has joined #openstack-keystone		07:15
*** sapd_ has quit IRC		07:15
*** sapd_ has joined #openstack-keystone		07:15
*** bigdogstl has joined #openstack-keystone		07:16
*** tesseract has joined #openstack-keystone		07:16
*** Dinesh_Bhor has quit IRC		07:17
openstackgerrit	Merged openstack/oslo.policy master: Remove erroneous newline in sample generation https://review.openstack.org/571830	07:19
*** bigdogstl has quit IRC		07:20
*** Dinesh__Bhor has quit IRC		07:26
*** Dinesh__Bhor has joined #openstack-keystone		07:31
*** bigdogstl has joined #openstack-keystone		07:34
*** AlexeyAbashkin has joined #openstack-keystone		07:35
*** jistr is now known as jistr\|mtgs		07:38
*** bigdogstl has quit IRC		07:39
*** tesseract-RH has joined #openstack-keystone		07:45
*** tesseract has quit IRC		07:48
*** tesseract-RH has quit IRC		07:48
*** tesseract has joined #openstack-keystone		07:49
*** bigdogstl has joined #openstack-keystone		07:54
*** ispp has quit IRC		07:56
*** ispp has joined #openstack-keystone		07:58
*** bigdogstl has quit IRC		07:59
*** jaosorior has joined #openstack-keystone		08:05
*** rcernin has quit IRC		08:13
*** liuzz has quit IRC		08:13
*** gongysh has joined #openstack-keystone		08:16
*** bigdogstl has joined #openstack-keystone		08:22
*** AlexeyAbashkin has quit IRC		08:27
*** bigdogstl has quit IRC		08:27
*** AlexeyAbashkin has joined #openstack-keystone		08:27
*** tnogisto has joined #openstack-keystone		08:43
*** ispp has quit IRC		08:47
*** bigdogstl has joined #openstack-keystone		08:49
*** ispp has joined #openstack-keystone		08:49
*** bigdogstl has quit IRC		08:54
*** bigdogstl has joined #openstack-keystone		09:23
*** bigdogstl has quit IRC		09:27
*** bigdogstl has joined #openstack-keystone		09:42
*** sapd_ has quit IRC		09:45
*** sapd_ has joined #openstack-keystone		09:45
*** Dinesh__Bhor has quit IRC		09:47
*** bigdogstl has quit IRC		09:48
*** bigdogstl has joined #openstack-keystone		10:01
*** namnh has quit IRC		10:05
*** bigdogstl has quit IRC		10:06
*** ispp has quit IRC		10:11
*** gongysh has quit IRC		10:13
*** gongysh has joined #openstack-keystone		10:14
*** bigjools_ has joined #openstack-keystone		10:14
*** gongysh has quit IRC		10:15
*** frickler_ has joined #openstack-keystone		10:16
*** bigjools_ has left #openstack-keystone		10:16
*** alex_xu_ has joined #openstack-keystone		10:17
*** bigdogstl has joined #openstack-keystone		10:18
*** eglute_s has joined #openstack-keystone		10:19
*** _glb has joined #openstack-keystone		10:19
*** zzzeek_ has joined #openstack-keystone		10:19
*** zzzeek has quit IRC		10:20
*** eglute has quit IRC		10:20
*** alex_xu has quit IRC		10:20
*** frickler has quit IRC		10:20
*** glb has quit IRC		10:20
*** bigdogstl has quit IRC		10:23
*** rha has quit IRC		10:23
*** rha has joined #openstack-keystone		10:25
*** rha has quit IRC		10:25
*** rha has joined #openstack-keystone		10:25
*** bigdogstl has joined #openstack-keystone		10:37
*** rha has quit IRC		10:38
*** sonuk has quit IRC		10:39
*** tesseract has quit IRC		10:41
*** rha has joined #openstack-keystone		10:41
*** rha has quit IRC		10:41
*** rha has joined #openstack-keystone		10:41
*** dave-mccowan has joined #openstack-keystone		10:41
*** bigdogstl has quit IRC		10:42
*** tesseract has joined #openstack-keystone		10:44
*** dave-mcc_ has joined #openstack-keystone		10:47
*** dave-mccowan has quit IRC		10:47
*** ispp has joined #openstack-keystone		10:47
*** bigdogstl has joined #openstack-keystone		10:52
*** bigdogstl has quit IRC		11:02
*** bigdogstl has joined #openstack-keystone		11:09
*** bigdogstl has quit IRC		11:13
*** jrollinhatin is now known as jroll		11:20
*** lifeless_ has joined #openstack-keystone		11:21
*** lifeless has quit IRC		11:22
*** sonuk has joined #openstack-keystone		11:37
*** edmondsw has joined #openstack-keystone		12:12
*** sonuk has quit IRC		12:13
*** jroll has quit IRC		12:29
*** jroll has joined #openstack-keystone		12:30
*** bigdogstl has joined #openstack-keystone		12:34
*** openstackgerrit has quit IRC		12:34
*** frickler_ is now known as frickler		12:39
*** bigdogstl has quit IRC		12:39
*** empty_cup has joined #openstack-keystone		12:45
empty_cup	st	12:46
*** empty_cup has quit IRC		12:46
*** empty_cup has joined #openstack-keystone		12:48
empty_cup	not sure why it's so difficult for a domain admin to grant roles to users and have those roles count as effective.	12:50
*** JohnG has quit IRC		12:50
empty_cup	why would a domain admin be able to grant roles to users and not have them count as effective? what's the use case for that?	12:51
*** Guest85905 is now known as zeus		13:19
*** zeus has quit IRC		13:19
*** zeus has joined #openstack-keystone		13:19
*** raildo has joined #openstack-keystone		13:20
*** Guest34116 has quit IRC		13:24
elbragstad	kmalloc: nice i can review all those today	13:24
*** ispp has quit IRC		13:27
*** rmascena has joined #openstack-keystone		13:27
*** ispp has joined #openstack-keystone		13:28
*** raildo has quit IRC		13:29
kmalloc	elbragstad: there is a chunk more work, but I wanted to discuss structure before moving a ton of stuff.	13:42
*** elbragstad is now known as lbragstad		13:42
lbragstad	kmalloc: so for https://review.openstack.org/#/c/571911/1/keystone/tests/unit/test_v3_oauth1.py,unified	13:42
kmalloc	Yeah.	13:43
lbragstad	that test was written to expect a failure because the role name is 'fake_name'	13:43
lbragstad	and return a 404, but it never processes that because the request path is missing /v3/ ?	13:43
kmalloc	Right, and it was getting a 404, but the wrong 404	13:43
kmalloc	Yep	13:43
lbragstad	got it - that makes sense	13:43
kmalloc	Once we are on flask, I'm going to make tests explode badly with the wrong 404	13:44
kmalloc	Like "Programmer Fail 404, do not pass go"	13:44
lbragstad	using an assertion?	13:44
kmalloc	Something like that	13:44
kmalloc	But I want to get everything native flask	13:45
lbragstad	sure	13:45
kmalloc	Easier to do.	13:45
kmalloc	There is also a lot more.code deletion after paste.deploy is removed, but I figured do it in steps.	13:47
lbragstad	yeah	13:47
lbragstad	are there any deployment changes people are going to have to be aware of?	13:47
kmalloc	It should just work.	13:47
kmalloc	Note no testing or tempest changes besides some internal massaging	13:48
*** r-daneel has joined #openstack-keystone		13:48
kmalloc	If we support loadable middleware (I can add that in)	13:48
kmalloc	Then yes, paste-ini doesn't exist	13:49
kmalloc	So new way to do thst	13:49
kmalloc	But a vanilla keystone will work and just call the new flask app instead of the paste loader	13:50
lbragstad	whoa...	13:53
lbragstad	ms is buying github?	13:54
kmalloc	That's what we all hear	13:54
kmalloc	Wonder if Jesse Keating got a nice payout (assuming the rumor is true) :)	13:55
kmalloc	Not a rumor.	13:56
kmalloc	Confirmed :)	13:56
lbragstad	yeah - confirmed	13:56
lbragstad	https://blog.github.com/2018-06-04-github-microsoft/	13:59
*** r-daneel_ has joined #openstack-keystone		14:04
*** felipemonteiro has joined #openstack-keystone		14:05
*** ispp has quit IRC		14:06
*** dave-mcc_ is now known as dave-mccowan		14:06
*** r-daneel has quit IRC		14:06
*** spilla has joined #openstack-keystone		14:07
empty_cup	lol that link is certainly making the rounds	14:07
*** ispp has joined #openstack-keystone		14:08
lbragstad	i usually start my day grabbing a link to github and saw the banner	14:09
*** r-daneel_ has quit IRC		14:09
kmalloc	Personally I think it is good news for both companies.	14:10
*** r-daneel has joined #openstack-keystone		14:10
lbragstad	i hope it is...	14:10
*** links has quit IRC		14:10
lbragstad	i can see the relationship making sense with how much ms uses github	14:11
*** felipemonteiro__ has joined #openstack-keystone		14:13
*** xinran__ has joined #openstack-keystone		14:14
*** felipemonteiro has quit IRC		14:14
*** felipemonteiro_ has joined #openstack-keystone		14:15
*** r-daneel has quit IRC		14:15
*** r-daneel has joined #openstack-keystone		14:16
kmalloc	lbragstad: we need a totally new test for that conditional	14:16
kmalloc	also, we never tested anything with the past test on bad_id	14:16
kmalloc	it was doing the same thing as before: 404 because it was unrouted	14:16
lbragstad	damn :(	14:16
kmalloc	your asssertion we tested other bits implies we hit the controller at all	14:17
kmalloc	:P	14:17
kmalloc	we didn't	14:17
kmalloc	this was largely bad copy-pasta that "passed testing" but didn't actually test anything useful	14:17
lbragstad	right... so how do we have less coverage with the test that actually hits the controller?	14:17
kmalloc	shrug because we're no longer hitting the unrouted 404	14:18
*** felipemonteiro__ has quit IRC		14:18
kmalloc	or because i had to make a new role for it to even pass	14:19
kmalloc	because the user didn't have authorization to touch the api if i dind't make a new role	14:19
*** alex_xu_ has quit IRC		14:20
*** alex_xu has joined #openstack-keystone		14:20
lbragstad	ahh	14:20
kmalloc	lbragstad: http://logs.openstack.org/12/571912/1/check/openstack-tox-cover/85d317d/cover/keystone_oauth1_controllers_py.html#n416 is the conditional we never ever hit before	14:22
kmalloc	we are clearly hitting it now	14:22
kmalloc	see previous one that you approved before the fix	14:23
kmalloc	http://logs.openstack.org/11/571911/1/check/openstack-tox-cover/71c443c/cover/keystone_oauth1_controllers_py.html#n416	14:23
kmalloc	that is all we really changed.	14:23
*** itlinux has quit IRC		14:23
lbragstad	yeah - looking at it again	14:23
kmalloc	also, test coverage % is a bad metric. it is easy to cause it to go down for no real reason	14:24
kmalloc	better to look at actual coverage of code.	14:24
lbragstad	did i have my links mixed up?	14:24
lbragstad	ah - i think i did	14:24
lbragstad	nevermind	14:25
kmalloc	:)	14:25
lbragstad	so - https://review.openstack.org/#/c/571911/1 yields http://logs.openstack.org/11/571911/1/check/openstack-tox-cover/71c443c/cover/keystone_oauth1_controllers_py.html#n382	14:25
*** felipemonteiro_ has quit IRC		14:25
kmalloc	yes	14:25
kmalloc	and the new one fixes that	14:25
lbragstad	https://review.openstack.org/#/c/571912/1 yields http://logs.openstack.org/12/571912/1/check/openstack-tox-cover/85d317d/cover/keystone_oauth1_controllers_py.html#n382	14:25
*** felipemonteiro_ has joined #openstack-keystone		14:25
lbragstad	ah - ok	14:25
kmalloc	i could have made this all work with flask if i had made flask throw a json 404 for unrouted URLs	14:26
kmalloc	but, that seemed like a hack and tended to net incorrect test passage	14:26
kmalloc	so i left it, but also corrected these tests before proposing the move to flask	14:27
lbragstad	right - which feels better IMO	14:27
kmalloc	exactly	14:27
kmalloc	less question of "is this an api or notanapi	14:28
kmalloc	"	14:28
kmalloc	and the next step will be building a testing server-404 that we can assert on everytime rather than a "is_json" only check	14:28
kmalloc	but structre of moving to flask blueprints will come first.	14:29
kmalloc	so we can be 100% flask native	14:29
kmalloc	lbragstad: responded to your comment	14:33
kmalloc	the +1	14:33
kmalloc	not the +2.	14:33
kmalloc	but, tl;dr - if someone was hitting a non-API and liked being fooled into thinking it was an API	14:34
kmalloc	it might be a breaking change to them. but, we're not changing the status we're just being clear about what the difference between an API and non-API is.	14:34
kmalloc	i can still make flask do app/json	14:35
kmalloc	but i felt the text/html response is better.	14:35
kmalloc	and it is largely flask does the right thing and our home-grown wsgi thing did the wrong thing.	14:35
*** felipemonteiro_ has quit IRC		14:36
*** ispp has quit IRC		14:37
*** felipemonteiro has joined #openstack-keystone		14:37
*** felipemonteiro_ has joined #openstack-keystone		14:38
kmalloc	also lbragstad https://review.openstack.org/#/c/571955/ is a pattern i am proofing out, if we make all managers and controllers work like that, we can instantiate them on demand	14:40
kmalloc	AND handle things like reloading configs live	14:40
kmalloc	and possibly all configs.	14:40
lbragstad	sounds like that'd be nice for the community goal	14:41
kmalloc	exactly	14:41
kmalloc	if we share state of all the mutable thing(s) and have a mechanism to initiate a change out these bits, we can live-reload	14:42
*** felipemonteiro has quit IRC		14:42
kmalloc	but that is the first pass at it to show how it works and to make providerAPIs better in a single run	14:42
kmalloc	rebinding __dict__ is kindof amazing on that front and hitting a .locked setup ends up working well for ensuring we don't change values accidently	14:43
kmalloc	esp. for say drivers	14:43
lbragstad	eyah	14:43
lbragstad	i'll make a point to look at that one too	14:43
kmalloc	but what if we (on request) just fire up instances of the important things.	14:43
kmalloc	we become way more dynamic	14:43
*** ispp has joined #openstack-keystone		14:45
lbragstad	that sounds kinda like what dstanek was talking to me about	14:46
lbragstad	a long time ago he brought up the idea of dynamic loading per request so that you only load what you need for a request instead of building this dictionary with a weird dependency relationship	14:46
*** alex_xu has quit IRC		14:47
empty_cup	i haven't found a lot of resources that spell out the exact circumstances of what makes a role effective. roles are effective for the default admin on the default domain but do not appear to occur in domains outside the default.	14:47
kmalloc	lbragstad: what dstanek was alluding to was the dependency injection being smarter	14:49
*** alex_xu has joined #openstack-keystone		14:49
kmalloc	but we can at least head that way	14:49
hrybacki	FYI: Microsoft talks of purchasing GH appear to be confirmed: https://www.theverge.com/2018/6/4/17422788/microsoft-github-acquisition-official-deal	14:49
empty_cup	note, it's stable/queens, and i'm running it without referencing an external policy.json file	14:49
kmalloc	hrybacki: yep.	14:49
hrybacki	I wonder if/how that will affect OpenStack?	14:50
kmalloc	not meaningfully	14:50
hrybacki	okay good	14:50
kmalloc	we mirror our code to github. but we don't use them as authoritative	14:50
kmalloc	also, i think it's a good thing for both github and microsoft	14:51
* hrybacki nods		14:51
hrybacki	I hope you are right :)	14:51
kmalloc	microsoft is a solid company, with a good culture these days [afaict]	14:51
kmalloc	and they support some decent level of opensource (more than some other "big" companies)	14:51
kmalloc	github has had a lot of struggles	14:51
kmalloc	and MS knows how to run businesses	14:51
kmalloc	i think it'll help github get things smoothed out (esp. since they've been lacking, what a CEO for months?), and help microsoft with more solid platform offerings.	14:52
kmalloc	i doubt much will change wrt github for most users.	14:52
lbragstad	i hope you're right :)	14:54
*** ispp has quit IRC		15:00
*** tesseract-RH has joined #openstack-keystone		15:01
*** tesseract has quit IRC		15:02
*** pcichy has quit IRC		15:03
*** pcichy has joined #openstack-keystone		15:04
kmalloc	lbragstad: also the delete_tokens patch changes no behavior	15:04
kmalloc	lbragstad: you may want to load up your tentative +1 on the flask conversion patch	15:05
kmalloc	the delete_tokens one still issues json 404s	15:05
kmalloc	lbragstad: or even a no score (fwiw)	15:06
kmalloc	the first 4 patches in the flaskification chain are just test fixes	15:06
*** bigdogstl has joined #openstack-keystone		15:06
knikolla	o/	15:08
*** lifeless_ has quit IRC		15:08
kmalloc	hi knikolla	15:09
kmalloc	knikolla: i sent an email to some folks at redhat about our convos at the summit.	15:09
kmalloc	knikolla: :) and around the federation stuff.	15:09
kmalloc	knikolla: hopefully they like the direction and we can make life at the MOC better	15:10
kmalloc	wrt keystone and helping to eliminate the proxy-hacky-ness	15:10
knikolla	kmalloc: awesome!	15:11
kmalloc	lbragstad: another future looking bit with flask, is i expect a hard split between identity and assignment to be easier, with a proxy-shim between it (so it can still feel like a single app) but you can run parts in isolation with the IDP part being almost like a federated source of ID	15:11
lbragstad	interesting	15:12
kmalloc	so we isolate all assignment/things and all identity things as two separate apps.	15:12
*** bigdogstl has quit IRC		15:12
kmalloc	for compat we can just proxy-shim it.	15:12
*** bigdogstl has joined #openstack-keystone		15:13
*** felipemonteiro_ is now known as felipemonteiro		15:14
*** felipemonteiro has quit IRC		15:14
kmalloc	lbragstad: specifically thinking about the "edge-compute" scenarios	15:14
kmalloc	lbragstad: if you're only deploying the authz bits and app-creds, it eliminates potential PII leaking and limits the data that could be sourced due to compromise	15:15
kmalloc	lbragstad: we'll need to massage the data in the shadow tables.	15:15
*** ispp has joined #openstack-keystone		15:17
kmalloc	lbragstad: fwiw, i have been pondering a way to split each of ekystone's subsystems into it's own microservice since dolphm was the ptl.	15:17
kmalloc	not that it's really a good plan to do it in that extreme of a manner	15:17
kmalloc	but, just the core "how would this be done" [esp. splitting say Auth to an endpoint, IDP management to an endpoint, and everything else] is a good exercise in "how did we construct this"	15:18
*** ispp has quit IRC		15:18
hrybacki	Google's text auto-responses are getting so good I'm fairly certain anyone 'behind the seat' could trick most of my friends were my acct hijacked -_-	15:20
lbragstad	kmalloc: sure - seems like an interesting case to design for	15:21
lbragstad	i can see people wanting to split out the authz/authn bits... that feels useful	15:21
*** itlinux has joined #openstack-keystone		15:23
*** bigdogstl has quit IRC		15:29
*** pcaruana\|worksho has quit IRC		15:35
*** r-daneel_ has joined #openstack-keystone		15:36
*** r-daneel has quit IRC		15:38
*** r-daneel_ is now known as r-daneel		15:38
*** openstackgerrit has joined #openstack-keystone		15:40
openstackgerrit	Merged openstack/keystone master: Correct test_v3_oauth1.test_bad_authorizing_roles_name https://review.openstack.org/571911	15:40
lbragstad	huh	15:45
lbragstad	intersting	15:45
*** AlexeyAbashkin has quit IRC		15:45
lbragstad	not sure if it is related	15:45
lbragstad	but i ran keystone unit tests w/o the flask chain and they completed in 100s flat	15:45
*** mvenesio has joined #openstack-keystone		15:45
lbragstad	with the flask chain including paste removal, they complete in 93s flat	15:45
lbragstad	kmalloc: ok - i've gone through the flask changes...	15:49
lbragstad	looks good, thanks for picking that up!	15:49
*** jmlowe has quit IRC		15:49
hrybacki	lbragstad: just saw this while running tox -- not sure if you've seen it. Jumping into a meeting but will look aftewards: https://paste.fedoraproject.org/paste/B~nJrD-SHsiRCyPBpMnhRw	16:00
lbragstad	hrybacki: yeah - you need an updated version of oslo.policy	16:07
lbragstad	tox -r --notest should fix it for you	16:07
*** gyee has joined #openstack-keystone		16:08
*** pcichy has quit IRC		16:09
*** pcichy has joined #openstack-keystone		16:10
*** felipemonteiro has joined #openstack-keystone		16:19
kmalloc	:)	16:22
lbragstad	stepping out for a run quick	16:25
lbragstad	kmalloc: have you taken a gander at https://review.openstack.org/#/c/540803/ ?	16:27
lbragstad	cc anyone else interested on that front	16:27
*** bigdogstl has joined #openstack-keystone		16:28
kmalloc	I have not	16:28
*** harlowja has joined #openstack-keystone		16:28
kmalloc	I can maybe later today	16:28
kmalloc	lbragstad: if someone has a custom paste, their customization is lost.	16:31
kmalloc	Paste.deploy is a dead project	16:31
kmalloc	We will have to break them at some point. But that said, keystone will work, which is what I was aiming for	16:31
kmalloc	Paste is terrible, and the way customization in it works makes for a highly variable experience deploying and consuming	16:32
*** bigdogstl has quit IRC		16:32
kmalloc	We should just make the call and drop it. With an upgrade note.	16:33
kmalloc	I can add in a way to load middleware, via keystone config	16:33
kmalloc	But we should just go with the hard break in rocky	16:33
kmalloc	Rubnign keystone will continue to work with the wsgi entry point scripts	16:34
kmalloc	Since those are updated	16:34
*** tesseract-RH has quit IRC		16:34
kmalloc	Basically paste.ini is made obsolete without changing much of any behavior.	16:35
*** edmondsw has quit IRC		16:41
*** felipemonteiro has quit IRC		16:43
*** pcichy has quit IRC		16:46
*** pcichy has joined #openstack-keystone		16:46
*** edmondsw has joined #openstack-keystone		16:46
*** felipemonteiro has joined #openstack-keystone		16:48
*** pcaruana\|worksho has joined #openstack-keystone		16:51
*** jmlowe has joined #openstack-keystone		16:59
*** harlowja has quit IRC		17:10
*** bigdogstl has joined #openstack-keystone		17:14
*** bigdogstl has quit IRC		17:18
*** pcaruana\|worksho is now known as pcaruana		17:18
lbragstad	kmalloc: i suppose	17:20
lbragstad	if we offer a way for people to load customizations in via config, then there is an upgrade path	17:20
kmalloc	so 2 things	17:20
kmalloc	1) if it is adding middleware, i am happy to allow them to load the middleware prior to the pipeline	17:21
kmalloc	via config	17:21
kmalloc	if they are loading in API "extensions" they could verywell do the exact same thing with it's own WSGI app	17:21
kmalloc	and i think we should not allow that	17:21
kmalloc	i also am going to say, in as many words, you can no longer remove parts of keystone's api	17:21
kmalloc	via "config"	17:21
*** germs has joined #openstack-keystone		17:21
*** germs has quit IRC		17:21
*** germs has joined #openstack-keystone		17:21
kmalloc	we're just closing that loop	17:21
kmalloc	if we need to support "vendor" addons, i'm fine with also writing that	17:22
kmalloc	but i'm against that in general	17:22
kmalloc	however, i'm inclined to say they may have addons but we'll carve out some specific restrictions, e.g. "/catalog, /auth, /v[\d+][\.\d+]?, /, and a few others will become restricted	17:23
kmalloc	if you're loading in an "extension" [aka, wsgi app, but dispatched from internal to keystone past our auth middleware], it can't live in our owned namespaces.	17:23
kmalloc	lbragstad: ^ tell me if you need/want/feel like I should go down either of those two things.	17:24
kmalloc	it's a bit more work, but ultimately doable, the latter on is much more work.	17:24
*** AlexeyAbashkin has joined #openstack-keystone		17:33
lbragstad	ok - checking	17:36
*** Alexey_Abashkin has joined #openstack-keystone		17:36
*** bigdogstl has joined #openstack-keystone		17:36
kmalloc	lbragstad: responsed to your comments on the initial flaskification patch	17:36
kmalloc	lbragstad: but the TODOs are going to go away in one or two patches i'm about to write, i just didn't want to get too deep into the chain if it all needed massive reworking	17:37
*** AlexeyAbashkin has quit IRC		17:37
*** Alexey_Abashkin is now known as AlexeyAbashkin		17:37
kmalloc	lbragstad: and when you have a moment i want to discuss the actual subsystem->flask move, as its more invasive but i want to have a pattern we can move forward on and make keystone consistent	17:38
kmalloc	in structure with the new "form"	17:38
*** bigdogstl has quit IRC		17:41
lbragstad	ok - i just went through the flaskification patch again	17:49
lbragstad	what about the subsystem->flask move?	17:49
*** harlowja has joined #openstack-keystone		17:49
kmalloc	so, with flask typically you do blueprints	17:52
kmalloc	think of blueprints like our routers	17:52
kmalloc	but a lot easier to work with	17:52
kmalloc	set it as a "prefix" then @bp.route(xxxxX)	17:52
kmalloc	for the method (or a bp.add_route())	17:53
kmalloc	but concept is the same	17:53
kmalloc	however, flask tends to organize differently	17:53
kmalloc	you tend to have a top-level "app" which is where things like common, tests, etc live	17:53
kmalloc	i was thinking of making it keystone.subsystem.application_credential	17:53
kmalloc	for example	17:53
* lbragstad nods		17:53
kmalloc	move each routable subsystem into it's own s	17:53
kmalloc	namespace, but also move it out of the tree root	17:54
kmalloc	so keystone.subsystem is where things like identity, assiignment, resource etc live	17:54
lbragstad	what's the advantage of having that versus keystone.application_credential?	17:54
kmalloc	clean understanding of what is routable and what isn't	17:54
kmalloc	right now looking at the code, do you know what is an API and what is not	17:54
lbragstad	oh	17:55
lbragstad	so what about revocation events?	17:55
kmalloc	also, future looking, if we have rendering, we cna have static assets in say keystone.subsystem.application_credential	17:55
kmalloc	rev events should be killed/merged into tokens	17:55
kmalloc	as appropriate	17:55
lbragstad	revocation events are an internal API to keystone, but i don't think we expose them to the public	17:55
lbragstad	so would they be put into subsystems?	17:56
kmalloc	yeah, but likely merged into token	17:56
kmalloc	since it is tied explicitly to token	17:56
kmalloc	if it is RESTFuL it goes into subsystem	17:56
kmalloc	or "blueprint"	17:56
kmalloc	but i wanted to avoid the name "blueprint" it seems loaded	17:56
lbragstad	ok - so the only non-routable bits left in keystone would be things like common, conf, policies, etc..	17:56
kmalloc	exactly	17:56
kmalloc	it would be done as a 2-step per subsystem:	17:57
kmalloc	move to subsystem namespace, convert to flask	17:57
kmalloc	so the move is "just move code" then "re-write to use blueprint.	17:57
lbragstad	ok - so far i'm in favor of the term subsystem only because we've unofficially used that to describe the various parts of keystone for a while	17:57
kmalloc	that was why i picked it in the first place	17:57
kmalloc	(also, i might be guilty of coining that phrase 4 yrs ago or so to talk about keystone bits)	17:58
*** r-daneel has quit IRC		17:58
lbragstad	so - does the rest of the subsystem tree now live there?	17:58
kmalloc	yes.	17:59
lbragstad	so keystone.subsystem.token.providers.fernet would be a thing?	17:59
kmalloc	yep	17:59
lbragstad	ok	17:59
*** markvoelker has quit IRC		17:59
kmalloc	i want to keep the entire subsystem together	17:59
kmalloc	if it's truely common code, it goes in common or keystone.XXXX	17:59
lbragstad	that's going to be a huge refactor, but i think it makes sense	18:00
kmalloc	if it's tied to a subsystem (aka, token providers to token) it goes in that subsystem	18:00
*** markvoelker has joined #openstack-keystone		18:00
kmalloc	it is, flask in itself is a big refactor	18:00
lbragstad	so - can we have keystone running with both architectures?	18:00
lbragstad	part of the subsystem work done and part of it the old way?	18:00
kmalloc	i'm willing ot take on some more of that work, and since i've constructed it to be each subsystem (well prefix, e.g. /users) will be converted to flask in one patch you will have both things	18:01
kmalloc	during the transition	18:01
kmalloc	in flask, we will need to move a whole path (/users, /auth, etc) to flask in one shot	18:01
kmalloc	but anything outside of that path prefix can stay how it is	18:01
kmalloc	the only exception is version/root discovery MuST be first	18:01
kmalloc	otherwise the dispatcher middleware will be weird.	18:02
kmalloc	since /v3 is explicitly matched in some cases.	18:02
kmalloc	during the transition, i was going to move smaller subsystems first (e.g. app-creds)	18:03
lbragstad	that makes sense	18:03
kmalloc	or more to the point, more constrained systems	18:03
kmalloc	/users is BIG	18:03
kmalloc	and is far reaching.	18:03
lbragstad	right	18:03
kmalloc	in keystone.subsystem.identity you'll now also have a blueprint for /users and /groups	18:04
*** xinran__ has quit IRC		18:04
kmalloc	and if you need to add/extend to those, you'll just use that router and apply a route to it	18:04
kmalloc	rather than keeping the route local [e.g. ec2]	18:04
kmalloc	you do @bp.route(<path>)	18:04
kmalloc	and it constructs the route for you on the controller method	18:04
kmalloc	[other ways to do it as well]	18:05
kmalloc	lbragstad: take a look at http://flask.pocoo.org/docs/1.0/blueprints/#my-first-blueprint	18:05
kmalloc	for example	18:05
kmalloc	and i'll be using Restful with an eye to move to flask-restplus (restful example: https://flask-restful.readthedocs.io/en/latest/intermediate-usage.html#use-with-blueprints )	18:06
kmalloc	restplus just gives us swagger docs, which, is nice needs more thought but is super easy to convert	18:06
kmalloc	[also restplus isn't in g-r yet, i'll skin that horse later]	18:07
kmalloc	and finally, i'll rip out our "internal" notification system and move to blinker [once the rest of this refactor is done]	18:08
lbragstad	ok - so each subsystem is going to be a blueprint	18:08
kmalloc	each prefix	18:08
kmalloc	is a blueprint	18:08
kmalloc	identity owns /user and /groups	18:08
kmalloc	and there is a bp for /users and a bp for /groups	18:09
kmalloc	think of it in terms of uri-routing matching	18:09
kmalloc	and url tokenization	18:09
*** AlexeyAbashkin has quit IRC		18:09
*** r-daneel has joined #openstack-keystone		18:09
lbragstad	ahh	18:09
kmalloc	see why i like the flask-isms?	18:10
kmalloc	:)	18:10
lbragstad	it would be nice to be on a framework	18:10
lbragstad	versus something we rolled ourselves	18:10
kmalloc	yeah exactly	18:10
kmalloc	the next steps to isolate say idenitty from the rest of keystone [and maybe auth]	18:11
kmalloc	becomes very easy	18:11
kmalloc	esp. with the state-sharing managers	18:11
kmalloc	oh, make sure you review that state-sharing providerAPI change,it's super straightforward	18:12
kmalloc	lbragstad: asked in -rc	18:15
kmalloc	-tc*	18:15
kmalloc	i'll wire up v2.0 if needed	18:15
kmalloc	lbragstad: ok, so i'll spin a patch to remove that v2.0 stuff in isolation so i can reconsitute it if needed	18:32
kmalloc	lbragstad: i'll send an email either today or tomorrow before we land it	18:32
*** cwright_ has joined #openstack-keystone		18:46
*** mvenesio has quit IRC		18:47
cwright_	Hi, I'm struggling to find an example configuration for sending keystone metrics to ceilometer. Does anyone have a working config that they can share?	18:49
*** spilla has quit IRC		18:49
*** cwright_ is now known as cwright		18:49
*** spilla has joined #openstack-keystone		18:52
lbragstad	kmalloc: nice - thanks for checking on that	18:55
kmalloc	cwright: i.. don't know of one off the top of my head, lbragstad, cmurphy ^	18:56
kmalloc	gyee: ^	18:56
* cmurphy doesn't		18:59
*** pcichy has quit IRC		19:01
*** knasim-wrs has joined #openstack-keystone		19:03
cwright	kmalloc: cmurphy: thanks. Yea, I am quite surprised I've not found any example configs at all about this when searching	19:03
knasim-wrs	hey guys, quick question on Endpoint filter groups	19:03
gyee	kmalloc, keystone metrics?	19:04
knasim-wrs	I'm using endpoint filter groups to restrict endpoints for other regions	19:04
cwright	gyee: yes	19:04
gyee	we are using monasca agent plugin	19:04
knasim-wrs	and I want to specify a single filter for 2 regions:	19:04
knasim-wrs	openstack endpoint group create distributed_cloud_RegionOne ./m.conf	19:04
knasim-wrs	+-------------+-----------------------------------------------------+	19:04
knasim-wrs	\| Field \| Value \|	19:04
knasim-wrs	+-------------+-----------------------------------------------------+	19:04
knasim-wrs	\| description \| None \|	19:04
knasim-wrs	\| filters \| {u'region_id': [u'SystemController', u'RegionOne']} \|	19:04
knasim-wrs	\| id \| 7df1295c31af42cda84c3b030e043c52 \|	19:04
knasim-wrs	\| name \| distributed_cloud_RegionOne \|	19:04
knasim-wrs	+-------------+-----------------------------------------------------+	19:04
gyee	for monasca, you can use dimensions/expressions to filter the metrics	19:04
gyee	I don't know how ceilometer works	19:05
knasim-wrs	and it returns to me an empty endpoint list.... so I'm guessing it takes it as an AND op instead of an OR op]	19:05
knasim-wrs	does anybody know how to specify multiple region_id filter values in an endpoint group? @lbragstad?	19:05
*** oikiki has joined #openstack-keystone		19:06
cwright	gyee: ah ok, we already have ceilometer integrated with all of our services so we are looking for a way to have keystone publish there: https://docs.openstack.org/ceilometer/pike/admin/telemetry-measurements.html#openstack-identity	19:06
*** mvk has quit IRC		19:08
lbragstad	knasim-wrs: i'm not quite sure - it's been a while since i've dug into that part of the code	19:09
gyee	cwright, looks like its using audit middleware for this	19:11
gyee	https://docs.openstack.org/ceilometer/pike/install/install-controller.html#keystone	19:11
gyee	cwright, https://docs.openstack.org/keystonemiddleware/latest/audit.html	19:11
*** mvenesio has joined #openstack-keystone		19:14
kmalloc	aha it was the audit-middleware, i knew it was something we owned	19:14
cwright	gyee: yea, i've read those a few times, can't quite wrap my head around the missing pieces. I don't know what a audit map would look like for keystone and can't find an example	19:14
lbragstad	in case anyone is interested in tinkering with a test migration of all keystone LP data in storyboard - https://storyboard-dev.openstack.org/#!/project_group/46 is live	19:17
*** jaosorior has quit IRC		19:19
*** bigdogstl has joined #openstack-keystone		19:21
*** mvenesio has quit IRC		19:24
gyee	cwright, try this http://paste.openstack.org/show/722670/ for audit map	19:25
*** bigdogstl has quit IRC		19:26
cwright	gyee: ok thanks, let me see if I can put this together	19:27
*** rmascena__ has joined #openstack-keystone		19:29
*** harlowja has quit IRC		19:29
*** bigdogstl has joined #openstack-keystone		19:30
*** rmascena has quit IRC		19:31
gagehugo	chrome says the cert for storyboard is invalid	19:32
lbragstad	gagehugo: sounds like that's something they have on the TODO list for the staging environment	19:34
gagehugo	ah ok	19:34
*** lifeless has joined #openstack-keystone		19:34
lbragstad	yeah - i asked the same thing	19:35
lbragstad	:)	19:35
*** bigdogstl has quit IRC		19:35
gagehugo	storyboard hacking my ip	19:47
*** knasim-wrs has quit IRC		19:55
*** harlowja has joined #openstack-keystone		19:59
*** felipemonteiro has quit IRC		20:17
*** sapd_ has quit IRC		20:17
openstackgerrit	Lance Bragstad proposed openstack/python-keystoneclient master: WIP: functionality for registered limits https://review.openstack.org/537668	20:20
*** felipemonteiro has joined #openstack-keystone		20:21
*** sapd has joined #openstack-keystone		20:40
empty_cup	how come when i make a direct assignment of a role to a user on a domain or project it is not shown in the effective listing?	20:40
lbragstad	empty_cup: i need to double check the docs, but that could because it's a direct assignment	20:46
lbragstad	an effective assignment is typically done with groups	20:46
lbragstad	if you're in the admin group and that group has a role assignment on the production project, you have an effective role assignment on the production project via the admin group	20:47
*** lifeless_ has joined #openstack-keystone		20:49
*** lifeless has quit IRC		20:50
empty_cup	lbragstad: yes, per docs effective is meant for displaying roles applied through groups, it will also show roles which will be returned in the token	20:51
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Clarify scope responses in authentication api ref https://review.openstack.org/571309	20:51
empty_cup	i found that in the case of the default admin, which belongs to no groups, it will also list roles that are 'in force'	20:51
empty_cup	using the default admin as an example the list of roles returned with and without effective are different	20:53
empty_cup	and the default admin is not in nonadmins or admins to start, yet the effective roles are a subset of the roles returned	20:55
empty_cup	i've noticed the same behavior when applying roles to other users where effective acts as a verification of roles returned with a token	20:57
empty_cup	and in my exploration i have avoided groups as i'm trying to come up with the most minimal use case of roles	20:57
lbragstad	do you happen to have a trace or paste of the behavior you're seeing and what you expect it to be?	20:57
lbragstad	you've avoided groups to minimize roles?	20:58
empty_cup	sure i can put something together, where can i paste? i remember it was an openstack pastebin thing	20:58
lbragstad	you can use any paste service you like, but there is an openstack specific one http://paste.openstack.org/	20:58
*** pcaruana has quit IRC		20:59
*** bigdogstl has joined #openstack-keystone		21:01
empty_cup	lbragstad: i've avoided groups to leave out a variable, i'm completely focused on users, domains, and roles	21:01
*** harlowja has quit IRC		21:04
*** bigdogstl has quit IRC		21:06
*** jmlowe has quit IRC		21:08
*** felipemonteiro has quit IRC		21:10
*** rmascena__ has quit IRC		21:10
empty_cup	here we go: http://paste.openstack.org/show/722677/	21:19
empty_cup	lbragstad: thanks for responding	21:22
empty_cup	above has the output of the openstack cli commands i've run with the results	21:22
empty_cup	for context, i was able to create the newyorker user and perform the role assignment with a void_admin user	21:24
*** felipemonteiro has joined #openstack-keystone		21:27
lbragstad	is line 41 of your paste describing the behavior you were expecting	21:27
lbragstad	?	21:27
*** spilla has quit IRC		21:28
empty_cup	lbragstad: yep, it's broken into two parts by the ###, the first part is to show the difference between the use of effective and not effective on a boostrapped user	21:28
lbragstad	so - walk me through the first part	21:28
empty_cup	ok	21:29
lbragstad	lines 1 - 40	21:29
lbragstad	looks like you're just asking for all assignments with --names	21:29
lbragstad	and that looks sane to me?	21:29
empty_cup	should it not be the same as effective?	21:30
empty_cup	the admin is not in any groups	21:30
empty_cup	which means all of those roles are directly applied to the admin	21:30
empty_cup	if effective only aggegrated roles from groups than effective should be a superset not a subset	21:30
empty_cup	the first table has 12 rows the second table has 10 rows	21:31
lbragstad	12 and 10?	21:31
lbragstad	the first listing returns 8?	21:32
empty_cup	sorry i was counting lines	21:32
lbragstad	no worries - i did that too	21:32
lbragstad	had a double take	21:32
lbragstad	the entry at line 14 is not a domain or project assignment	21:32
lbragstad	it's actually a system role assignment, and that should be more apparent once https://review.openstack.org/#/c/524416/ merges	21:33
empty_cup	ok	21:33
empty_cup	what about line 9?	21:34
*** edmondsw has quit IRC		21:35
empty_cup	the admin project from the plutos domain	21:35
*** bigdogstl has joined #openstack-keystone		21:35
lbragstad	so - that's saying admin@Default has the admin role on a project called admin in the plutos domain	21:35
lbragstad	and it appears to be a direct assignment?	21:35
empty_cup	correct	21:36
*** felipemonteiro has quit IRC		21:36
*** harlowja has joined #openstack-keystone		21:36
*** martinus__ has quit IRC		21:37
lbragstad	is that one not supposed to be there?	21:38
empty_cup	i issued the assignment command on the user and it succeed	21:40
empty_cup	i would have expected it to show in the effective as well	21:40
lbragstad	did you just do an `openstack role add --user admin --user-domain Default --project admin --project-domain plutos admin	21:41
empty_cup	yes that's the command	21:42
lbragstad	so - that would be a direct role assignment, but if i understand the --effective argument correctly, it's a subset operation	21:43
lbragstad	where as the command you're using on line 3 is asking for all role assignments, direct and effective	21:44
*** bigdogstl has quit IRC		21:44
*** felipemonteiro has joined #openstack-keystone		21:45
empty_cup	the default admin is not a member of any groups	21:45
empty_cup	why are there any entries in the effective table if that is the case?	21:45
empty_cup	that's lines 28-39	21:45
lbragstad	hmm - i actually don't even see --effective documented via python-openstackclient	21:48
lbragstad	slightly unrelated, but that's probably a bug	21:48
empty_cup	the lack of documentation is a bug, or the discrepancy between the two tables?	21:49
lbragstad	the lack of documentation for sure	21:49
empty_cup	ok	21:49
lbragstad	this is what i have to help test	21:50
lbragstad	text*	21:50
lbragstad	http://paste.openstack.org/show/722678/	21:50
*** dave-mccowan has quit IRC		21:50
lbragstad	and if i use --effective	21:50
lbragstad	i get this with debugging	21:50
lbragstad	http://paste.openstack.org/show/722679/	21:50
lbragstad	notice line number 3	21:51
*** itlinux has quit IRC		21:51
empty_cup	ok include_names=True&effective=True	21:52
lbragstad	the --effective tag apparently is passed through	21:52
lbragstad	but it's not documented... so there must be logic in osc to handle it	21:52
kmalloc	hm.	21:53
empty_cup	interesting, in my version of the command there is a line for --effective	21:53
kmalloc	--effective... now what does that actually do.	21:53
empty_cup	--effective Returns only effective role assignments	21:53
kmalloc	that sounds like an old-school v2 thing	21:53
kmalloc	now that i think about it more	21:53
empty_cup	i do have export OS_IDENTITY_API_VERSION=3 set	21:54
lbragstad	strange	21:54
kmalloc	oh no thats a v3... oh.	21:54
lbragstad	https://developer.openstack.org/api-ref/identity/v3/index.html#roles	21:54
kmalloc	wait.	21:54
kmalloc	that is implied roles things	21:54
kmalloc	right?	21:54
lbragstad	well	21:54
lbragstad	there are implied roles and there are effective roles	21:54
lbragstad	effective are role assignments via a group membership	21:54
lbragstad	implied roles are used to expand roles	21:55
kmalloc	yep that is implied roles magic	21:55
kmalloc	effective does the expansion	21:55
kmalloc	sounds like we have a bug in our api	21:55
lbragstad	if you look at that api ref link	21:55
lbragstad	GET /role_assignments?user.id={user_id}&effective	21:55
lbragstad	but the client treats it as a boolean, which isn't consistent	21:56
kmalloc	ok hold on. let me go poke at our end.	21:56
lbragstad	don't forget we also have "inherited" roles	21:56
lbragstad	which deal with project hierarchies	21:57
lbragstad	so that roles on a project can get propagated down the tree	21:57
kmalloc	https://www.irccloud.com/pastebin/y8injDAz/	21:57
empty_cup	i stayed away from implied roles and project hierarchies, as my end goal is to have a domain, flat projects inside, have users that can have a project scoped token	21:58
kmalloc	effective seems to be related to inherited roles and group roles	21:58
* lbragstad shakes head		21:58
lbragstad	empty_cup: that seems like a completely reasonable use case	21:58
* kmalloc grumps about some of these API things.		21:58
kmalloc	empty_cup: your use case is fine, we have a wonky/non-descriptive api here :P	21:59
kmalloc	effective is ... weird.	21:59
empty_cup	ok, i can provide more details if necessary	21:59
lbragstad	https://developer.openstack.org/api-ref/identity/v3/index.html#id594	22:00
empty_cup	for my sanity though, can we walk through the second example?	22:00
*** felipemonteiro has quit IRC		22:00
lbragstad	starting at line 41 here - http://paste.openstack.org/show/722677/ ?	22:00
empty_cup	yes	22:00
*** felipemonteiro has joined #openstack-keystone		22:00
lbragstad	empty_cup: go for it	22:00
empty_cup	i'll provide some context	22:00
*** itlinux has joined #openstack-keystone		22:01
*** itlinux has quit IRC		22:01
empty_cup	i used the default admin user to create the void domain, created the void_admin, assigned the default admin role to it, as that was the only way for the role to become "effective"	22:01
empty_cup	i also had to add the void_admin user to an admin project	22:02
lbragstad	what is void_admin?	22:02
empty_cup	the admin for the void_domain	22:02
lbragstad	so a user?	22:02
lbragstad	or a group?	22:02
empty_cup	a user	22:02
empty_cup	never touched groups	22:02
lbragstad	ok	22:02
empty_cup	i now login and receive a token for void_admin, i then can create projects, users, and roles	22:03
empty_cup	i can apply roles to users	22:03
empty_cup	but they are not shown as effective	22:03
empty_cup	and i can only receive an unscoped token as newyorker who is a regular user within the void domain	22:03
lbragstad	so - like the newyorker user having the Member role on the reporter_portal project?	22:03
*** rcernin has joined #openstack-keystone		22:03
empty_cup	yes	22:04
lbragstad	i would imagine they are not showing up as effective because there isn't a group involved	22:04
kmalloc	lbragstad: wow effective is ... a super dense filtering method	22:05
empty_cup	ok, i should be able to receive a domain scoped token then since i have a role assignment on the domain?	22:05
kmalloc	https://www.irccloud.com/pastebin/kTMeptQQ/	22:05
lbragstad	empty_cup: yes	22:05
kmalloc	^ that is painful to read [code snippet]	22:05
empty_cup	likewise if i have a role on a project i can receive a project scoped token	22:05
empty_cup	?	22:05
lbragstad	empty_cup: yes	22:05
lbragstad	how are you asking for those tokens?	22:05
empty_cup	cool, i can provide another paste, with the use case	22:06
lbragstad	kmalloc: ++ yeah - it's ridiculous	22:06
lbragstad	i spent a long time groking at that last release when i had to deal with the system role assignment stuff	22:06
lbragstad	and it pushed me to be opinionated about kwargs being bad	22:07
lbragstad	empty_cup: the newyorker user should be able to generate project tokens scoped to the reporter_portal project and domain tokens scoped to the void domain	22:08
kmalloc	lbragstad: kwargs bad,mmmmkay	22:08
kmalloc	lbragstad: seriously, i hate "kwarg" passthrough	22:08
lbragstad	well - i think my main gripe is that it's super hard to follow	22:08
kmalloc	and thus, should not be the case in a well-designed thing	22:08
lbragstad	most of the /role_assignment API is literally two or three methods that accept all the cases	22:09
kmalloc	yep, it's a trainwreck	22:09
lbragstad	and return something	22:09
kmalloc	also that effective filter method is TERRIBLE	22:09
kmalloc	because of how big list_role_assignments_for_actor is defed inline	22:10
lbragstad	that api is part of the reason why i didn't mind keeping the system role assignment completely separate	22:10
kmalloc	makes it opaque as hell.	22:10
kmalloc	i appreciate you keeping system separate	22:10
kmalloc	it makes me much much happier	22:10
lbragstad	imo - it would be an interesting exercise to do that with the user+project user+domain group+project and group+domain bits	22:11
kmalloc	i think we can "fix" a lot of the role_assignment api by just expanding it and breaking out functionality [and let the ... other part that is dense be the "legacy" way of doing it]	22:11
lbragstad	that would also pull some of the business logic from the assignment sql driver into a better place	22:11
*** felipemonteiro has quit IRC		22:12
lbragstad	because, afaik, not even the manager knows if it's generating a list of role assignments for which target or actor, that's figured in the driver	22:12
*** r-daneel has quit IRC		22:12
*** idlemind has quit IRC		22:12
lbragstad	empty_cup: i can take a look at your auth requests (sans sensitive data/passwords) for the newyorker if you have them	22:12
empty_cup	http://paste.openstack.org/show/722680/	22:13
lbragstad	or if you're using openstack CLI, you can use --debug	22:13
*** jmlowe has joined #openstack-keystone		22:13
empty_cup	thanks lbragstad, it took me a moment to compile it since i'm using a script as a regular user	22:13
*** r-daneel has joined #openstack-keystone		22:13
empty_cup	it occurred to me that i should be able to use the openstack cli tool to request tokens	22:13
kmalloc	ok, so hold on	22:13
kmalloc	lbragstad, empty_cup: you're having issues with effective and domain roles? or all roles?	22:14
*** felipemonteiro has joined #openstack-keystone		22:14
empty_cup	the issue is that i create an admin inside a new domain who can create projects, users, and roles, yet the user who has been assigned a role, can only receive an unscoped token	22:15
empty_cup	for some reason, they cannot receive a project or domain token if they have a role assigned to that project or domain	22:15
kmalloc	hm.	22:17
kmalloc	looking at that paste from a bit ago.	22:18
kmalloc	do you have the cli that you used to assign the roles to the user?	22:18
kmalloc	the command that is*	22:18
lbragstad	hmm	22:19
lbragstad	is this the raw authentication request? http://paste.openstack.org/show/722681/	22:19
empty_cup	lbragstad: looking	22:19
* kmalloc kicks paste.o.o hard and hopes it loads.		22:19
*** dave-mccowan has joined #openstack-keystone		22:20
kmalloc	lbragstad: that paste 681 isn't loading for me.	22:20
empty_cup	same here	22:21
kmalloc	lbragstad: paste.o.o seems dead	22:21
* lbragstad probably broke it		22:21
kmalloc	can we repaste on like... dpaste	22:21
kmalloc	?	22:21
empty_cup	i ran the cli tool with token issue and received the following:	22:21
empty_cup	User 3f26bacf1bd948e688cb61c4dd75e513 has no access to project e90259e2a864490c8fc9688a37fd4ef4 (Disable insecure_debug mode to suppress these details.) (HTTP 401)	22:22
empty_cup	and that is with the user having the roles assigned from 47-49 in the original post	22:22
empty_cup	the Member, big_money on reporter_portal and Member on domain	22:23
*** felipemonteiro has quit IRC		22:23
lbragstad	https://paste.fedoraproject.org/paste/W-fPQ1HfQrhmJbJe9IL4Sw	22:24
empty_cup	good, ol' fedora	22:24
empty_cup	yep, that looks like the json markup i serve in the request	22:25
lbragstad	project authentication request	22:26
lbragstad	https://paste.fedoraproject.org/paste/33uZwtgOpkJZNeDzLr4~nQ	22:26
lbragstad	so - those requests look fine to me	22:26
lbragstad	so long as the role assignments exist, then that should give you back a token	22:26
empty_cup	ok, that makes me feel better	22:27
kmalloc	empty_cup: do you have an example of how you assigned the user the role?	22:27
empty_cup	sure	22:27
kmalloc	eyah the auth reqeusts/payloads are good afaict	22:27
kmalloc	i'm wondering if somehow we got some bogus role landed	22:27
kmalloc	this is really weird.	22:28
lbragstad	empty_cup: are you using master or queens?	22:28
empty_cup	i am using queens	22:29
empty_cup	stable/queens	22:29
kmalloc	cool.	22:29
kmalloc	i dont think much has changed, but yanno... good to be sure	22:29
empty_cup	https://paste.fedoraproject.org/paste/qpbkj6fmoRTH55IOeTV-QQ	22:29
kmalloc	ooh uhm	22:30
lbragstad	ahhh	22:30
kmalloc	--role-domain is that a domain-specific role thing?	22:30
lbragstad	yeah	22:30
lbragstad	it is	22:30
kmalloc	this explains a LOT	22:30
empty_cup	?	22:31
*** lifeless has joined #openstack-keystone		22:31
kmalloc	it also means we might have a bug in that code.	22:31
lbragstad	empty_cup: try this out	22:31
lbragstad	https://paste.fedoraproject.org/paste/5fvWfO69PG50~-tc8AxpXA	22:31
*** lifeless_ has quit IRC		22:31
empty_cup	ok, trying now	22:32
empty_cup	No role with a name or ID of 'big_money' exists.	22:35
kmalloc	so, i think you've created a bunch of domain-specific roles that don't expand to anything	22:35
lbragstad	do an `openstack role create big_money` should create a "global" role assignment for you	22:36
empty_cup	ok, yes, i used the --domain flag when i created the roles	22:36
lbragstad	originally, role were usable across the entire deployment	22:36
kmalloc	yep, so that role exists on the domain itself, but it must explicitly be setup to expand to a global role	22:36
lbragstad	meaning you could recycle roles across domain, project, whatever	22:36
lbragstad	domain-specific roles were an attempt to make it easier for domain admins to create role that could only be used from within their domain	22:37
kmalloc	since it expands to nothing, --effective and the role means the user can't actually get a scoped token	22:37
kmalloc	lbragstad: i think we have a bug we might need to be more explicit about the effective and what not and/or prevent assigning an empty domain-specific-role to a user	22:37
*** oikiki has quit IRC		22:37
kmalloc	though... api breaking change =/	22:37
lbragstad	ack	22:38
kmalloc	i don't think this behavior was intended	22:38
kmalloc	lbragstad: how do we add roles to the domain-specific role again	22:38
kmalloc	?	22:38
kmalloc	because that also should work.	22:38
lbragstad	i'd be inclined to agree, but i'm not super knowledgeable in that area of code	22:38
kmalloc	i'll pile that onto my backlog.	22:38
kmalloc	flask, cache fix [grump], domain-specific-roles.	22:38
*** oikiki has joined #openstack-keystone		22:39
empty_cup	ok now when listing roles with and without effective they both show the big_money role	22:39
lbragstad	at the same time, i'm not aware of any one intentionally using domain-specific role assignments	22:39
empty_cup	i would like to use domain-specific role assignments haha	22:39
empty_cup	how can i do that?	22:39
lbragstad	empty_cup: can your newyorker user authenticate to the domain and project you gave them access to?	22:40
empty_cup	yep, now i received a project token! i will assume it works the same with domain	22:40
lbragstad	yep	22:40
lbragstad	nice	22:40
kmalloc	lbragstad: https://developer.openstack.org/api-ref/identity/v3/index.html#create-role-inference-rule need the OSC version	22:40
kmalloc	lbragstad: but that is how we add an inference	22:41
lbragstad	right	22:41
lbragstad	documentation on that front is pretty sparse	22:41
kmalloc	oh look we can create implied roles	22:42
empty_cup	ok, so a domain role is essentially empty and needs to map to a global role?	22:42
lbragstad	https://bugs.launchpad.net/keystone/+bug/1737863	22:42
openstack	Launchpad bug 1737863 in OpenStack Identity (keystone) "Lack of documentation for role inheritance" [Medium,Confirmed]	22:42
kmalloc	empty_cup: yes	22:42
kmalloc	lbragstad: implied roles, not role inheritence	22:42
kmalloc	well both	22:42
kmalloc	lbragstad: this is implied roles.	22:43
lbragstad	oh - right	22:43
kmalloc	lbragstad: this isn;'t super helpful either: https://docs.openstack.org/python-openstackclient/latest/cli/command-objects/implied_role.html	22:43
kmalloc	like. our api is ok if you dig into it, the OSC commands are downright bad.	22:44
lbragstad	nope	22:44
lbragstad	yeah - it needs work	22:44
kmalloc	i think you need to so those osc commands with the role ids	22:44
kmalloc	which makes my head explode	22:44
lbragstad	same	22:44
kmalloc	we need to make up some clear example uses, domain-specific roles are fantastic in concept	22:44
lbragstad	right	22:45
lbragstad	i should dig up the specification later	22:45
kmalloc	and would be amazing in the way empty_cup is using it, since admin X of new domain might create a bunch of domain-specific roles.	22:45
lbragstad	because i would hope they would be in there	22:45
kmalloc	https://specs.openstack.org/openstack/keystone-specs/specs/mitaka/domain-specific-roles.html	22:45
kmalloc	not really	22:45
lbragstad	hmm	22:46
kmalloc	it describes the use better in real words	22:46
kmalloc	but there is just nothing showing how it should work	22:46
kmalloc	so you need to do osc role create --domain-id, then osc implied_role <invocation that is opaque with role ids>	22:47
kmalloc	and this would work	22:47
kmalloc	really, not terrible... if we had documentation	22:47
empty_cup	oh, that's the page of documentation i was missing. i was looking at the flags for the cli, and, it aligned with the use case of a role only needing to exist in a domain for a specific project in that domain	22:47
lbragstad	kmalloc: sounds like we need a doc bug	22:47
lbragstad	in keystone and in osc?	22:48
kmalloc	yep, in both	22:48
lbragstad	cool	22:48
kmalloc	but really we need clear "howto" scenarios developed for keystone	22:48
kmalloc	and some rich examples of that, esp. in light of the system roles and other stuff coming down the line	22:48
kmalloc	just a one-liner in osc that says "hey if you do this with --domain-id, make sure you add role implications"	22:49
lbragstad	so - better api ref documentation and a better introduction document explaining what implied roles + domain roles are why they're useful	22:49
kmalloc	lbragstad: yeah	22:49
lbragstad	cool	22:50
kmalloc	and probably just some "hey keystone is cool, here is all the nifty stuff you cand do"	22:50
lbragstad	that could live in the admin guide	22:50
kmalloc	if you want domain-specific/meaningful names, and here is why you'd do that.	22:50
kmalloc	probably	22:50
kmalloc	break out a section with links of "cool admin things in keystone"	22:50
kmalloc	because domain-specific roles and role-implications are badass	22:50
lbragstad	kmalloc: empty_cup do either of you have a bug report in the works yet?	22:51
kmalloc	but who in their right mind uses them... or in the case of someone like empty_cup stumbles onto it and results in opaque and siully behavior	22:51
kmalloc	no bug on my front	22:51
kmalloc	my brain was still hurting from looking at _list_effective_role_blah_blah method	22:51
empty_cup	lbragstad: i can file a bug report if shown where	22:52
kmalloc	lbragstad: refactoring all this to be better API sets in flask is going to be so much easier to do.	22:52
kmalloc	and make the sql drive less responsible for... well...	22:52
kmalloc	business logic	22:52
kmalloc	empty_cup: thanks for bearing with us on chasing this down. it really sholdn't have been this rough =/, sorry you hit this and it made things frustrating	22:54
empty_cup	what's really appealing about keystone is the user, project, role (authz) management all contained in a single domain.	22:55
lbragstad	empty_cup: kmalloc just created on e	22:55
empty_cup	i'm grateful for the help kmalloc and lbragstad	22:55
lbragstad	https://bugs.launchpad.net/keystone/+bug/1775094	22:55
openstack	Launchpad bug 1775094 in OpenStack Identity (keystone) "Lack of documentation for role permutations and possibilities" [Undecided,New]	22:55
lbragstad	^ feel free to add context to that and we can track things there	22:55
empty_cup	cool	22:55
lbragstad	if there is anything i missed that we should elaborate on in documentation, we can track it there	22:56
empty_cup	i'll add more context	22:56
lbragstad	empty_cup: thanks	22:56
* lbragstad is fried		22:56
lbragstad	stepping away for a bit	22:56
kmalloc	lbragstad: ok going to go through the flask conversion comments, and then propose a "rip out V2" change that happens before paste.deploy removal	22:56
lbragstad	ack	22:57
kmalloc	lbragstad: so we can get the email to the MLs	22:57
kmalloc	and get this ish landed	22:57
kmalloc	:)	22:57
lbragstad	cool	22:57
kmalloc	i also think the test fixes will be easy to get landed /me pokes gagehugo to get them moving	22:57
kmalloc	just so rebase chain doesn't get too icky	22:57
kmalloc	gagehugo: https://review.openstack.org/#/c/571913/1	22:58
kmalloc	gagehugo: if you don't mind, you +2'd the others	22:58
kmalloc	:)	22:58
kmalloc	lbragstad: man the gate queue is deep today	22:59
*** oikiki has quit IRC		23:03
*** r-daneel has quit IRC		23:05
*** oikiki has joined #openstack-keystone		23:07
kmalloc	lbragstad: do you need me to implement the "load external middleware"	23:13
kmalloc	in flask, and/or the additional applications	23:14
kmalloc	?	23:14
kmalloc	lbragstad: or is a release note for flask sufficient to land this patch?	23:15
kmalloc	as is and contemplate the other bits?	23:15
*** oikiki has quit IRC		23:15
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Convert Keystone to use Flask https://review.openstack.org/568377	23:15
kmalloc	lbragstad: ^ needs releasenote, but should be ready for review based upon other feedback.	23:16
kmalloc	lbragstad: i can add the release note as a followup as well unless we need the external MW/app loading bits	23:16
*** oikiki has joined #openstack-keystone		23:17
*** bigdogstl has joined #openstack-keystone		23:35
*** pooja-jadhav has joined #openstack-keystone		23:36
*** bhagyashri_s has joined #openstack-keystone		23:36
*** pooja_jadhav has quit IRC		23:39
*** bhagyashris has quit IRC		23:39
*** bigdogstl has quit IRC		23:46
*** masber has joined #openstack-keystone		23:49
*** bigdogstl has joined #openstack-keystone		23:49
*** masuberu has quit IRC		23:52
*** bigdogstl has quit IRC		23:56
*** empty_cup has quit IRC		23:58

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!