Monday, 2018-06-25

*** liuzz has joined #openstack-keystone01:03
*** openstack has joined #openstack-keystone01:17
*** ChanServ sets mode: +o openstack01:17
*** zhongjun__ has joined #openstack-keystone01:44
*** gongysh has joined #openstack-keystone01:50
*** annp has joined #openstack-keystone02:31
openstackgerritwangxiyuan proposed openstack/keystone master: Add auto increase primary key for unified limit
*** germs has quit IRC03:04
*** germs has joined #openstack-keystone03:04
*** germs has quit IRC03:04
*** germs has joined #openstack-keystone03:04
openstackgerritzhongshengping proposed openstack/keystone master: Fix syntax errors
*** germs has quit IRC03:06
*** liuzz_ has joined #openstack-keystone03:06
*** germs has joined #openstack-keystone03:08
*** germs has quit IRC03:08
*** germs has joined #openstack-keystone03:08
*** liuzz has quit IRC03:10
*** liuzz has joined #openstack-keystone03:13
*** liuzz_ has quit IRC03:16
openstackgerritwangxiyuan proposed openstack/keystone master: Add auto increase primary key for unified limit
*** pooja_jadhav has joined #openstack-keystone03:44
*** d0ugal_ has joined #openstack-keystone04:15
*** germs has quit IRC04:15
*** d0ugal has quit IRC04:15
*** germs has joined #openstack-keystone04:40
*** mvk has quit IRC04:52
*** gongysh has quit IRC05:15
*** nicolasbock has joined #openstack-keystone05:21
*** gongysh has joined #openstack-keystone05:41
*** germs_ has joined #openstack-keystone05:51
*** germs has quit IRC05:54
*** pcichy has quit IRC06:02
*** josecastroleon has joined #openstack-keystone06:17
*** hoonetorg has quit IRC06:20
*** hoonetorg has joined #openstack-keystone06:32
*** ispp has joined #openstack-keystone06:45
*** belmoreira has joined #openstack-keystone06:45
*** belmoreira has quit IRC06:46
*** ispp has quit IRC06:47
*** lifeless has quit IRC06:49
*** martinus__ has joined #openstack-keystone06:52
*** ispp has joined #openstack-keystone07:05
*** pcaruana has joined #openstack-keystone07:07
openstackgerritwangxiyuan proposed openstack/keystone master: Add auto increase primary key for unified limit
*** tesseract has joined #openstack-keystone07:20
*** rogeryu_ has joined #openstack-keystone07:24
rogeryu_Has anyone helped me to review this commit? thank you very much! :)07:24
*** amoralej|off is now known as amoralej07:42
*** pcichy has joined #openstack-keystone08:06
*** jistr|off is now known as jistr08:14
*** d0ugal_ has quit IRC08:16
*** d0ugal has joined #openstack-keystone08:17
*** d0ugal has quit IRC08:17
*** d0ugal has joined #openstack-keystone08:17
openstackgerritwangxiyuan proposed openstack/keystone master: Add registered_limit_id column for limit
*** jaosorior has joined #openstack-keystone08:43
*** namnh has joined #openstack-keystone08:43
*** sapd has quit IRC08:59
*** brad[] has joined #openstack-keystone09:15
*** sapd has joined #openstack-keystone09:23
*** namnh has quit IRC09:36
*** mvk has joined #openstack-keystone09:39
*** namnh has joined #openstack-keystone09:41
openstackgerritwangxiyuan proposed openstack/keystone master: [WIP]Add registered_limit_id column for limit
*** peereb has joined #openstack-keystone09:59
*** peereb has quit IRC10:01
*** peereb has joined #openstack-keystone10:01
*** peereb has quit IRC10:02
*** peereb has joined #openstack-keystone10:03
*** ispp has quit IRC10:03
*** peereb has quit IRC10:04
*** peereb has joined #openstack-keystone10:04
*** peereb has quit IRC10:05
*** namnh_ has joined #openstack-keystone10:21
*** namnh_ has quit IRC10:21
*** namnh has quit IRC10:24
*** edmondsw has joined #openstack-keystone10:45
*** edmondsw_ has joined #openstack-keystone10:48
*** edmondsw has quit IRC10:49
*** gongysh has quit IRC11:08
*** pooja_jadhav has quit IRC11:17
*** josecastroleon has quit IRC11:25
*** ispp has joined #openstack-keystone11:25
*** tosky has joined #openstack-keystone11:28
*** josecastroleon has joined #openstack-keystone11:28
*** bhagyashris has quit IRC11:30
*** amoralej is now known as amoralej|lunch11:32
*** ispp has quit IRC11:34
*** josecastroleon has quit IRC11:38
*** ispp has joined #openstack-keystone11:40
*** rogeryu_ has quit IRC11:41
*** josecastroleon has joined #openstack-keystone11:42
*** annp has quit IRC11:44
*** ispp has quit IRC11:46
*** ispp has joined #openstack-keystone11:46
*** josecastroleon has quit IRC11:49
*** josecastroleon has joined #openstack-keystone11:52
*** edmondsw_ has quit IRC11:53
*** pooja_jadhav has joined #openstack-keystone11:54
*** raildo has joined #openstack-keystone12:03
*** ispp has quit IRC12:05
*** edmondsw has joined #openstack-keystone12:30
*** amoralej|lunch is now known as amoralej12:31
*** germs_ has quit IRC12:35
*** evrardjp_ has joined #openstack-keystone12:47
*** evrardjp has quit IRC12:50
openstackgerritJuan Antonio Osorio Robles proposed openstack/oslo.policy master: Implement base for pluggable policy drivers
openstackgerritJuan Antonio Osorio Robles proposed openstack/oslo.policy master: Create _plugins directory for enforcer drivers
*** evrardjp_ has quit IRC12:53
*** efried_pto is now known as efried12:56
*** efried has left #openstack-keystone12:57
*** evrardjp_ has joined #openstack-keystone13:07
*** evrardjp_ has quit IRC13:16
*** evrardjp_ has joined #openstack-keystone13:17
*** itlinux has quit IRC13:22
*** ispp has joined #openstack-keystone13:30
openstackgerritJuan Antonio Osorio Robles proposed openstack/oslo.policy master: Implement base for pluggable policy drivers
*** germs has joined #openstack-keystone13:45
*** germs has quit IRC13:45
*** germs has joined #openstack-keystone13:45
*** felipemonteiro__ has joined #openstack-keystone14:07
*** felipemonteiro_ has joined #openstack-keystone14:10
*** blake has joined #openstack-keystone14:11
*** felipemonteiro__ has quit IRC14:14
*** germs has quit IRC14:22
*** felipemonteiro_ has quit IRC14:39
*** felipemonteiro__ has joined #openstack-keystone14:39
*** itlinux has joined #openstack-keystone14:39
*** felipemonteiro__ has quit IRC14:59
*** kukacz_ has quit IRC15:09
*** kukacz_ has joined #openstack-keystone15:10
*** pcaruana has quit IRC15:13
*** blake has quit IRC15:35
*** fiddletwix has joined #openstack-keystone15:36
*** spilla has joined #openstack-keystone15:48
openstackgerritJuan Antonio Osorio Robles proposed openstack/oslo.policy master: Implement base for pluggable policy drivers
openstackgerritJuan Antonio Osorio Robles proposed openstack/oslo.policy master: Implement base for pluggable policy drivers
*** ispp has quit IRC16:01
*** tesseract has quit IRC16:18
*** AlexeyAbashkin has joined #openstack-keystone16:28
*** gyee has joined #openstack-keystone16:55
*** amoralej is now known as amoralej|off16:56
*** pcichy has quit IRC16:59
*** jmlowe has quit IRC16:59
kmallocknikolla, hrybacki: thoughts on that and ?17:04
*** Alexey_Abashkin has joined #openstack-keystone17:04
kmallocknikolla: also could use some eyes [tests are still WIP, but just make sure it is all making sense now that everything is being fleshed out]17:06
*** AlexeyAbashkin has quit IRC17:07
*** AlexeyAbashkin has joined #openstack-keystone17:07
*** Alexey_Abashkin has quit IRC17:09
*** ChanServ changes topic to "Rocky release schedule: | Meeting agenda: | Bugs that need triaging: | Trello: !!NOTE!!: This Channel is Logged (logs at )"17:14
*** ChanServ changes topic to "Rocky release schedule: | Meeting agenda: | Bugs that need triaging: | Trello: !!NOTE!! This Channel is Logged ( )"17:15
elbragstadkmalloc: i figured out the issue with context+policy+authorization enforcement checks17:16
*** elbragstad is now known as lbragstad17:16
lbragstadthere's a recursive method in oslo policy that ends us spinning on the KeystoneToken object we pass in17:17
kmalloclbragstad: yep17:21
kmallocit's fun17:21
lbragstadi assume we don't want oslo.policy to be parsing keystone object only meant to be used internally17:24
lbragstadbecause it just happens to inherit from `dict` type17:24
lbragstadso - when we're in middleware17:27
lbragstadwe build this auth_context dictionary and we store a KeystoneToken in 'token'17:28
lbragstadin that dictionary17:28
lbragstadwhich makes its way into oslo.policy's enforce() check17:28
lbragstadbecause auth_context is where we pull the credentials from17:28
lbragstadand since KeystoneToken inherit from dict, it actually get's processed by oslo.policy17:29
lbragstadthough i'm not sure if that was what we intended to do17:29
lbragstadi broke that when i created TokenModel, which doesn't inherit from dict and inherits from object instead17:29
lbragstadso - maybe what we do instead is translate the TokenModel to a dictionary form - e.g. the v3 API contract representation and populate that in credentials['token'] instead of the internal object we're using within keystone17:30
kmalloclbragstad: hold on.17:30
kmallocunless oslo-policy exposes the object interface17:30
kmallocwe should not be leaning on an internal "object" generated by keystone17:31
lbragstadright - i'm saying we should not do that17:31
lbragstadinstead we should pass something else, more along the lines of something that follows an API contract instead of an internal object17:31
kmallocright, so we need to do a .render_to_dict in the pre-enforcer logic in keystone17:31
kmallocideally we should not be dumping the whole token in17:32
kmallocif we can avoid that.17:32
kmalloci'd rather make a strong contract on waht is expected17:32
lbragstadi agree17:32
kmallocoslo.policy side.17:32
lbragstadbecause otherwise we just opened up the entire keystone token reference for people to key off of in their policy files 0.017:33
kmallocthat is an ugly hack17:33
kmallocbut that is fine.17:33
kmallocfor now17:33
*** brandor5 has joined #openstack-keystone17:33
kmallocwell.. we've been doing that for *ages*17:33
brandor5hello everyone: I'm getting the following error when trying to view what assignments I have for a particular project... "Could not find group: 6 (HTTP 404) (Request-ID: req-e50b064b-6e23-4fb3-860a-a8ff791fbe58)"17:33
brandor5I'm pretty sure that it's because that group can't be seen in LDAP by keystone anymore... but how can I find out what group it is?17:33
kmallocbrandor5: there should be debug info on the LDAP query if debugging is enabled17:34
kmalloc(in the logs)17:34
brandor5kmalloc: ah, yeah I need to enable debug then17:35
kmallocbrandor5: np!17:36
*** pcichy has joined #openstack-keystone17:36
lbragstadkmalloc: for now - are you ok with that hack and reworking that logic to be explicit in a different patch?17:37
kmallocbecause it's the same(ish) thing we do today17:38
lbragstadthe KeystoneToken instance is essetially the v3 API contract represented as a more pythonic object17:39
kmalloctotally unrelated [but related to all those 404 fixes I did earlier in the flask stack], make the flask app [in test] issue a 418 instead of a 404 for un-routed paths. meaning we should never mis-interpret a 404 "e.g. XxxNotFound" for a "this path is unrouted"17:40
knikollakmalloc: 418 I'm a teapot? haha17:40
kmallocknikolla: yep.17:40
kmallocknikolla: it's only for test cases.17:40
kmallocbut it is something we can be sure we should never use in prod ;)17:40
knikollakmalloc: we need at least proper support for the BREW method. lol17:41
kmallocknikolla: oh don't get me started. I want to implement HTCPCP in keystone17:42
kmallocand i do mean full HTCPCP.17:42
knikollakmalloc: I was just going through the RFC now17:42
knikollaseems genius17:42
kmallocit's a great RFC :)17:42
kmallocit is one of my favorites. better than IPoAC17:43
kmalloclbragstad: do you know of anyone running audit middleware in the keystone pipeline?17:46
lbragstadnot to my knowledge17:46
lbragstadwe could ping the op ML though?17:47
kmalloclbragstad: i want to chat with them to make sure i'm getting things right if we're supporting loading it with the flask-model of things17:47
kmallocmaybe. i was hoping to just get a quick convo.17:47
* kmalloc shrugs.17:47
kmallocwe can poke at it in a week or so17:47
kmallocno rush.17:47
*** AlexeyAbashkin has quit IRC17:49
brandor5kmalloc: thanks for the pointer... that gave me the info I needed :)17:51
kmallocbrandor5: fantastic, happy to help!17:52
* knikolla struggling with being productive versus reading all the april fools RFCs17:52
kmallocknikolla: i knew that was a risk using 418 ;)17:53
kmallocknikolla: i almost used "HTTP 420 [Enhance your calm]17:54
kmallocbut figured 420 was more fringe than 418.17:54
knikollakmalloc: it's funny cause the other day i was having a discussion with a cowerker about TCP over carrier pigeons17:54
*** felipemonteiro has joined #openstack-keystone17:54
knikollaand lo and behold, there's an RFC17:54
*** harlowja has joined #openstack-keystone17:55
*** felipemonteiro_ has joined #openstack-keystone17:56
kmalloclbragstad: ^ note I added a "this channel is logged" to the topic17:56
*** felipemonteiro has quit IRC18:00
*** jmlowe has joined #openstack-keystone18:01
*** felipemonteiro_ has quit IRC18:06
*** felipemonteiro_ has joined #openstack-keystone18:06
openstackgerritLance Bragstad proposed openstack/keystone master: WIP: Remove KeystoneToken object
lbragstadi should be able to just start cleaning up that chain now ^18:09
lbragstadsome changes aren't grouped logically imo18:10
kmalloclbragstad: i hope i can get the rest of the new enforcer tests done today18:10
lbragstadbefore i make you go refactor it all :)18:10
kmallocit's going to be a followup patch because i want to implement a test-only API.18:10
kmallocrather than leaning on "/" or something else.18:11
openstackgerritLance Bragstad proposed openstack/keystone master: WIP: Remove KeystoneToken object
kmallocgoing to need a followup, not be a followup18:11
lbragstadknikolla: did you attend the edge computing wg meeting on the 13th?18:21
knikollalbragstad: i did not18:21
lbragstadi'm reading the note from cmurphy and it sounds like she mentioned that we could use resource to help implementing the testing18:21
lbragstadi was curious if anyone on the call said anything about working on that, or helping with it18:22
lbragstadversus just donating resources18:22
lbragstadcc ildikov might know?18:22
ildikovlbragstad: hi18:22
ildikovlbragstad: I'm recruiting people for testing right now:
lbragstad i was just reading this18:23
lbragstadand noticed cmurphy mentioned the need for additional resources18:24
ildikovlbragstad: the story for that is hat the OPNFV team would like to help, but they don't have resources to write up tempest tests18:24
ildikovlbragstad: however they can help with environment and setup automation18:24
lbragstadso the involvement would be strictly hardware donations?18:24
ildikovlbragstad: and setting up the environment in an automated way, etc18:24
ildikovlbragstad: I talked to knikolla about this last week and we got to the conclusion that the basic testing can be done in our gate already18:25
ildikovlbragstad: it's partially there and we can add some tests to that and finish up the gate jobs18:25
kmallocyeah it should totally work (mostly) in our current gate18:26
kmallocextensive testing will require hardware.18:26
ildikovlbragstad: and he will join the Edge Cloud call this week to see how we could setup the basic env in OPNFV and get to the next steps from there to test some more advanced configurations18:26
kmallocbut that is outside of scope of "does this function"18:26
ildikovkmalloc: +118:26
lbragstadi was mostly curious if anyone from the opnfv community bit on helping write tests (since that's probably the most needed thing)18:26
ildikovkmalloc: in my view the "does this function" part should be finished on our side and I would like us to collaborate with the OPNFV team on more advanced testing18:26
ildikovthe tiny issue is that neither them nor me is a Keystone expert, so we will come with questions :)18:27
ildikovknikolla will join on Wednesday to start brainstorming on what would be useful to do18:27
lbragstadyeah - that's fair.. i assume several members of this team would spend cycles helping people get up to speed if it means we can distribute the knowledge a bit more18:28
ildikovlbragstad: kmalloc: knikolla: BTW as we're chatting about this already, there's a thread on the Edge ML about Keystone architecture options for Edge, like federation or not, etc.18:28
lbragstadyeah - someone pinged be about it, hence my digging into the meetings notes from the 13th :)18:28
lbragstadi'm subscribing to the ml now18:29
ildikovlbragstad: kmalloc: knikolla: would you be available tomorrow to revisit and continue the Forum discussion on this? as not everyone could attend and it's a longer chat to get to the same page18:29
ildikovlbragstad: kmalloc: knikolla:tomorrow's call is the Edge Computing Group call18:29
lbragstadwhat time is the call? same time as before?18:29
lbragstadis it a video call?18:29
ildikovlbragstad: it's 9am US Central time on Zoom18:30
lbragstadi can most likely attend - but i should be able to give you a better answer by EOD18:30
knikollai'll attend18:30
ildikovlbragstad: we are taking notes on IRC, but not everyone is able to join IRC from the call, so that's really more notes18:30
ildikovlbragstad: knikolla: great, thank you, I will forward you the meeting invite I have18:31
kmallocildikov: i still have issues with working18:33
ildikovlbragstad: knikolla: I will see what's the best way to keep this discussion going without causing too much extra pain, but have everyone involved18:33
kmallocildikov: it's why i've missed the meetings18:33
ildikovkmalloc: what is the issue?18:33
ildikovkmalloc: I'm not a huge expert, but happy to help if I can18:33
ildikovkmalloc: I see Zoom being used in several communities, so it got very popular lately, not just on our end18:34
knikollalbragstad: kmalloc: added an item to tomorrow's keystone meeting on federation testing18:34
ildikovkmalloc: I understand the feeling of installing yet another tool, my phone is full of meeting apps and I hate it, but didn't really have a choice... :/18:34
kmallocildikov: it doesn't really work on my laptop.18:35
kmallocfailure to run client installed or not18:35
kmallocUbuntu 18.0418:35
*** jmlowe has quit IRC18:36
ildikovkmalloc: hmm, let me ask around if anyone got that18:39
lbragstadildikov: dumb question: does mailman support getting an old message from the list right after you've subscribed?18:39
ildikovkmalloc: my colleagues told me they either had issues with Ubuntu 18.04 or they didn't even try just used the dial-in number18:44
lbragstadi suppose i could just use the In-Reply-To header?18:44
brandor5OK, so here's a tricky one (I think) a group in LDAP has had it's UID changed... how do I remove the mapping to the old uid from keystone?18:44
brandor5I have a feeling I'm going to need to hand edit the DB?18:45
kmallocbrandor5: there is a keystone-manage command that lets you purge the mapping18:45
lbragstad``keystone-manage mapping_purge --help``18:45
brandor5kmalloc: do you have any documentation for that?18:45
kmallocthat said, if you want to purge just one mapping, yeah direct sql is the most surgical18:45
kmallocbrandor5: ^ see lbragstad's comment18:45
ildikovlbragstad: hmm, I don't know, I wouldn't think so, but I'm not an expert of it18:45
brandor5ha there we go... thanks  lbragstad18:45
lbragstadno problem18:45
kmallocbrandor5: that being said.. Keystone does not handle changes in LDAP very well like that18:46
brandor5kmalloc: I've noticed :)18:46
lbragstadyou can purge based on a few different combinations18:46
kmallocbrandor5: and it's because we are limited in how much we can deal with "well the backing store changed data on us"18:46
lbragstade.g. you can pass in a specific user (--user) or group (--group) along with a domain18:46
ildikovkmalloc: there should be a no-toll number you can use, painful, but at least a solution, or you can try to install the Zoom app on your phone18:47
kmallocbrandor5: fwiw, I had a very similar request [recently] get passed up along from a customer.18:47
ildikovkmalloc: I actually like the phone version, at least on iPhone it works well18:47
brandor5so to make sure I understand... I can run `keystone-manage mapping_purge --group updatedGroup --domain MyDomain` and taht should clear it?18:47
lbragstadyes - it should18:48
lbragstadotherwise - if you just use ``keystone-manage mapping_purge`` it will purge everything18:49
lbragstadwhich just means the ids will get regenerated on next auth18:49
kmallocildikov: i might give the android one a whack, but honestly, i just default to not using zoom video bits because extra clients / not webbrowser based/noplugins18:49
brandor5define purge for me :)18:49
brandor5so not destructive18:49
lbragstadwell.. yes and no18:49
kmallocbrandor5: purge deletes the data in the mapping tables, but it is re-created18:49
kmallocas needed18:49
lbragstadyes in that purge will remove the entry from the id_mapping table18:49
kmallocif you specify no args, it purges the entire table18:49
lbragstadno in that it is regenerated to the same value via a hash18:50
ildikovkmalloc: I don't like video calls, so I don't use the camera most often, I only use the app and not just dial-in as if there's screen sharing I can see that18:50
kmallockeystone uses data from the backend and the domain_id to hash18:50
brandor5ok, much thanks to both of you, I'll give the specific group a try and let you know how it goes18:50
kmallocso the hash should be recreated unless something in the backend or the domain_id changes18:50
*** felipemonteiro_ has quit IRC18:52
*** felipemonteiro_ has joined #openstack-keystone18:53
*** pcaruana has joined #openstack-keystone19:27
brandor5so I'm getting this error now when trying to do role assignment list...
brandor5The error returned on the command line is : Could not find group: 0e8e5f63b7ae647f7fdd7e7904c8c0dbf27bd8f5ce074c98b2eacd4089d47f56 (HTTP 404) (Request-ID: req-4babd5a8-b767-4054-9cd0-283ed1d02a9d)19:29
kmallocbrandor5: so, i think the user or a user with that group needs to login again to recreate the hash19:38
kmallocwithout a login keystone can't know how that hash -> backend maps19:39
kmallockeystone just doens't have insight into it19:39
kmallocwe have talked about a keystone-manage command to force a hash generation19:42
kmallocbut... i don't think we;ve gotten there yet19:42
*** blake has joined #openstack-keystone19:45
brandor5i dont even recognize that group19:46
brandor5and would mapping_populate on my domain work to fix that? or should19:55
kmallocwell it sounds like the group_id [mapping] has changed because something in LDAP changed.19:58
kmallocbased upon that error19:58
openstackgerritMorgan Fainberg proposed openstack/keystone master: Implement base for new RBAC Enforcer
kmalloclbragstad: so.. on to the last tests... should i just mock out the enforcer to do an assert on what the values should look like?19:59
kmalloclbragstad: ooooor...19:59
kmalloclbragstad: i kindof want to drop all the way to the oslo_policy enforcer, but i need to create a policy enforcment i can muck with to validate the data is passed through20:00
kmalloc[god, we don't even have this level of testing on our current policy code[20:00
kmallocbrandor5: or somehow you're getting a hashed group id that doesn't make sense...20:01
kmallocbrandor5: i apologize, i'm having a hard time context switching to LDAP-isms when I'm thinking about keystone RBAC policy stuff20:02
brandor5kmalloc: no problem :) i'm doing a lot of switching myself20:03
lbragstadbrandor5: try listing all the groups in that domain after you purge the mappings20:03
lbragstadthat should repopulate the list20:03
brandor5lbragstad: k20:03
brandor515000+ groups will take a little bit heh20:05
brandor5need to get memcached setup20:05
lbragstadbrandor5: you're backing everything to ldap, yeah?20:05
lbragstads/everything/users and groups/20:05
brandor5lbragstad: yep, with the exception of a handful of 'service accounts' that live in sql20:06
lbragstadin can you haven't seen it yet - this might be something that is useful for you
brandor5yep, i have, i'm sad I missed it... was in a different pres20:07
lbragstadoh - good deal20:07
brandor5hmm still missing a group :(20:09
brandor5actually 1 secodn20:09
brandor5nevermind :|20:11
brandor5still missing a group20:11
*** felipemonteiro_ has quit IRC20:15
*** felipemonteiro_ has joined #openstack-keystone20:15
lbragstadbrandor5: did that group change?20:17
lbragstadkmalloc: when i look at that code, it seems like we have a couple different layers in indirection20:17 calls keystone.policy.backends.rules which calls keystone.common.policy20:17
lbragstadif that's the code you're talking about?20:18
kmalloclbragstad: no, just to test the .enforce_call functionality directly20:18
kmalloci am debating if I should mock the oslo_policy enforcer object20:18
kmallocand introspect the passed in args... *or* if I should create a dummy policy for testing and let the entire enforcement chain fire20:19
brandor5lbragstad: we've had several groups change20:19
brandor5for some reason many years ago when this directory was first spun up they used UIDs and GIDs that were very low (<1000)20:20
lbragstadkmalloc: oh - i see what you mean...20:20
brandor5when you're trying to connect a linux system to the directory for authentication that gets in the way and we asked them to re-ID them... so that's what has happened20:20
brandor5I'm wondering if there is someway for me to delete the mapping manually?20:21
brandor5mapping probably isnt the right word there20:21
brandor5the old group was added as a _member_ to the project... that's what I need to remove20:21
brandor5i think20:21
lbragstadkmalloc: i think we currently execute oslo.policy as opposed to using mocks20:29
lbragstadbrandor5: that'd need to be done through the assignment API i think20:31
lbragstadif i'm understanding your question20:31
lbragstadyou should be able to get that list using the /role_assignment API20:31
lbragstador `openstack role assignment list --names`20:31
brandor5lbragstad: that's the command the is returning the errors20:32
lbragstadbrandor5: do you have a trace?20:35
lbragstadkmalloc: increased our overall test coverage by 2% lol20:35
*** raildo has quit IRC20:37
*** pcaruana has quit IRC20:43
*** felipemonteiro__ has joined #openstack-keystone20:45
*** felipemonteiro_ has quit IRC20:48
brandor5lbragstad: just sent you a link with the trace20:48
lbragstadare you using master?20:50
lbragstadis that ocata?20:51
lbragstadso - the issue is that the public id isn't being cleared?20:52
lbragstadafter you use keystone-manage mapping_purge?20:52
brandor5yeah, i think so20:52
brandor5that public id isn't in the id_mappings table20:59
brandor5(i'm not sure that it's supposed to be though)20:59
brandor5so I think i just need to drop them from the assignment table...21:02
*** martinus__ has quit IRC21:02
*** kukacz_ has quit IRC21:03
*** EmilienM has joined #openstack-keystone21:03
brandor5I've found that public_id in the assignment table for the expected projects21:03
*** felipemonteiro__ has quit IRC21:03
*** felipemonteiro__ has joined #openstack-keystone21:03
*** EmilienM_PTO has quit IRC21:04
*** harlowja has quit IRC21:04
*** EmilienM has quit IRC21:04
*** EmilienM has joined #openstack-keystone21:04
*** felipemonteiro_ has joined #openstack-keystone21:05
*** kukacz_ has joined #openstack-keystone21:05
lbragstadi thought we fixed but the patch for it is still in review21:06
openstackLaunchpad bug 1757022 in OpenStack Identity (keystone) ""keystone-manage mapping_purge" ignores --type option" [Undecided,In progress] - Assigned to Dai Hanada (dai-hanada)21:06
lbragstadi should pick that up or propose a follow on for my comments so that we can approve that fix21:06
brandor5did you see my previous messages?21:07
lbragstadit sounded somewhat related to what you were hitting brandor521:07
kmalloclbragstad: i might use mocks just to specify the policy DSL rule21:07
kmalloclbragstad: i'll +2 that once you address the comments21:07
brandor5lbragstad: I'm thinking I can just drop the entries from assignment table that reference that group_id21:07
brandor5would there be any adverse side-effects of doing that?21:08
lbragstadbrandor5: we have a bug open for that i think21:08
lbragstadwhich might be a different issue21:08
*** felipemonteiro__ has quit IRC21:08
brandor5so does that mean it's okay to remove it? :D21:09
lbragstadthe mapping purge should be taking care of that for you, i would think21:10
lbragstadbut i also know that we have a few bugs open in that area that might be related to it21:10
brandor5i don't have that public_id listed anywhere in id_mapping21:10
lbragstadbut it is listed in the assignment table21:11
lbragstadknikolla: were we working on that together ^21:11
lbragstadknikolla: it sounds *super* familiar and i thought we either fixed it or had a patch in review for it21:11
brandor5(It's an 'actor_id' in the assignment table)21:11
lbragstadbrandor5: that makes sense21:13
brandor5removing the entries or that it's an actor_id21:13
brandor5I understand being hesitant to telling some random person to drop entries :D21:14
lbragstadi try not advocating the usage of mysql as an implementation of keystoneclient21:15
brandor5hehe yep21:15
kmalloclbragstad: hehe21:20
lbragstadha - i think i found it21:21
openstackLaunchpad bug 1658641 in OpenStack Identity (keystone) "Moving/disabling LDAP users break Keystone queries depending on role ID" [Medium,In progress] - Assigned to Kristi Nikolla (knikolla)21:21
brandor5what table does keystone store the name of the remote groups?21:21
lbragstadand knikolla does have a patch for it in review :)
lbragstadi should add ^ to my list to review too, because that one is close and we could probably merge it tomorrow21:22
knikollalbragstad: oh, i had totally forgotten about that21:22
lbragstadi thought i was going crazy21:22
lbragstadi swear we merged that21:22
knikollalbragstad: i thought something similar21:23
knikollai know we had some discussions and there was some conclusion21:23
lbragstadi bet we could tag team that tomorrow21:23
knikolla++ i have time after the meeting21:23
lbragstadadding the office-hours tag21:24
lbragstadsame with
openstackLaunchpad bug 1757022 in OpenStack Identity (keystone) ""keystone-manage mapping_purge" ignores --type option" [Undecided,In progress] - Assigned to Dai Hanada (dai-hanada)21:24
lbragstadi bet we could get that one done, too21:25
lbragstadboth of which will help you brandor5 ^ (at least using master)21:25
knikollai like the idea of more structured office hours21:25
brandor5yep, appreciate it... going through akaris stuff now... :)21:25
knikollawe played around with the idea but never came out of it21:25
brandor5thanks again for the help lbragstad and kmalloc :)21:26
lbragstadbrandor5: hopefully it helps21:26
lbragstadknikolla: those seems like good candidates to cleanup21:26
lbragstadwe have several things in review that just need touch ups21:26
lbragstadand they close bugs21:26
lbragstadwe could also do something about while we're in the mapping code21:28
openstackLaunchpad bug 1775207 in OpenStack Identity (keystone) "Fetching all mappings may become too slow" [Undecided,In progress] - Assigned to Pavlo Shchelokovskyy (pshchelo)21:28
lbragstadsince is in review21:28
*** spilla has quit IRC21:30
brandor5just as an FYI, I made a backup of my databases and dropped those 2 entries from assignment and things seem to be working as expected now21:35
brandor5beforehand I also grepped the databases for those public_ids and only found them in the assignment table21:35
brandor5I'll be sure to get irate and come back and yell at you lbragstad when things go south overnight ;)21:36
lbragstadof course!21:36
* lbragstad hands brandor5 his personal favorite pitchfork21:37
*** nicolasbock has quit IRC21:37
lbragstadunfortunately i don't think we'll be able to backport those specific fixes to newton21:38
lbragstadaccording to
brandor5as soon as they release RHOSP13 I'll be moving to that :)21:39
brandor5which is Queens21:39
*** felipemonteiro_ has quit IRC21:42
*** jmlowe has joined #openstack-keystone21:44
*** rcernin has joined #openstack-keystone21:45
*** itlinux has quit IRC21:45
*** brandor5 has quit IRC21:55
*** jmlowe has quit IRC21:56
*** edmondsw has quit IRC21:58
lbragstadis anyone else hitting this when they run `tox -e docs`?
*** harlowja has joined #openstack-keystone22:14
*** jmlowe has joined #openstack-keystone22:15
openstackLaunchpad bug 1778603 in OpenStack Identity (keystone) "Documentation builds failing with Sphinx 1.7.5" [High,Triaged]22:19
lbragstadnot sure if anyone else can verify - but apparently other teams are hitting it too22:20
*** blake has quit IRC22:50
*** edmondsw has joined #openstack-keystone22:57
*** jmlowe has quit IRC23:19
kmalloclbragstad: so uh..23:30
kmalloclbragstad: got a sec?23:31
kmalloclbragstad: i need some help debugging where i went wrong on something23:31
kmalloclbragstad: yes, can confirm doc builds on 1.7.5 are failing23:32
*** tosky has quit IRC23:34
openstackgerritMorgan Fainberg proposed openstack/keystone master: Implement base for new RBAC Enforcer
kmalloclbragstad: afaict, this test should be passing: v23:40
kmallocany thoughts on what i've implemented incorrectly here?23:41
*** jmlowe has joined #openstack-keystone23:41
*** gyee has quit IRC23:51

Generated by 2.15.3 by Marius Gedminas - find it at!