Monday, 2018-07-16

<openstackgerrit> wangxiyuan proposed openstack/keystone master: Strict two level limit model
<openstackgerrit> wangxiyuan proposed openstack/keystone master: Add project_id filter for listing limit
<openstackgerrit> wangxiyuan proposed openstack/keystone master: Add include_limits filter
<openstackgerrit> wangxiyuan proposed openstack/keystone master: Update project depth check
<openstackgerrit> wangxiyuan proposed openstack/keystone master: Add project hierarchical tree check when Keystone start
02:16 *** annp has joined #openstack-keystone
02:20 *** annp has quit IRC
<openstackgerrit> Merged openstack/keystone master: Update pypi url to new url
02:34 *** annp has joined #openstack-keystone
03:20 *** idlemind has quit IRC
03:29 <wxy> lbragstad[m]: cmurphy : the interface has been updated.
03:41 *** annp has quit IRC
03:53 *** annp has joined #openstack-keystone
04:05 *** dklyle has joined #openstack-keystone
04:06 *** pooja_jadhav has joined #openstack-keystone
04:40 *** sapd has quit IRC
04:41 *** pcichy has joined #openstack-keystone
04:51 *** bzhao__ has quit IRC
05:31 *** pooja_jadhav has quit IRC
05:50 *** links has joined #openstack-keystone
<openstackgerrit> Merged openstack/keystone master: Refactor _handle_shadow_and_local_users
06:29 *** martinus__ has joined #openstack-keystone
06:35 <cmurphy> thanks wxy I'll look today
06:36 *** pcaruana has joined #openstack-keystone
07:02 *** amoralej|off is now known as amoralej
07:03 *** pooja_jadhav has joined #openstack-keystone
07:12 *** ispp has joined #openstack-keystone
07:16 *** annp has quit IRC
07:17 *** peereb has joined #openstack-keystone
07:19 *** tesseract has joined #openstack-keystone
07:20 *** ispp has quit IRC
07:21 *** ispp has joined #openstack-keystone
07:40 *** tosky has joined #openstack-keystone
07:46 *** ispp has quit IRC
<openstackgerrit> Tuan Do Anh proposed openstack/keystone master: Change "a SQL" to "an SQL"
07:51 *** annp has joined #openstack-keystone
07:59 *** sonuk_ has joined #openstack-keystone
08:02 *** sonuk has quit IRC
08:03 *** AlexeyAbashkin has joined #openstack-keystone
08:18 *** ispp has joined #openstack-keystone
08:36 *** bzhao__ has joined #openstack-keystone
08:43 *** s10 has joined #openstack-keystone
09:10 *** edmondsw has joined #openstack-keystone
09:15 *** edmondsw has quit IRC
09:19 *** peereb has quit IRC
09:38 *** zzzeek has quit IRC
09:38 *** zzzeek has joined #openstack-keystone
10:20 *** ispp has quit IRC
10:22 *** ispp has joined #openstack-keystone
10:25 *** ispp has quit IRC
10:58 *** edmondsw has joined #openstack-keystone
11:02 *** mvk_ has quit IRC
11:03 *** edmondsw has quit IRC
11:07 <s10> should this be fixed before R-6 (final release for non-client libraries), or could it be fixed after that but before the final release?
11:07 <openstack> Launchpad bug 1733052 in keystoneauth "Usage of internal URL in clouds.yaml causes a 404" [High,Triaged]
11:15 *** ispp has joined #openstack-keystone
11:27 *** mvk_ has joined #openstack-keystone
11:28 *** pcichy has quit IRC
11:28 *** aloga has quit IRC
11:29 *** aloga has joined #openstack-keystone
11:33 *** ispp has quit IRC
11:35 *** amoralej is now known as amoralej|lunch
11:35 *** ispp has joined #openstack-keystone
11:44 *** raildo has joined #openstack-keystone
11:45 *** rcernin has quit IRC
11:53 *** edmondsw has joined #openstack-keystone
11:56 *** edmondsw has quit IRC
12:02 *** loicgouarin has quit IRC
12:13 *** ispp has quit IRC
12:19 <wxy> s10: just noticed that one. I'd like to pick it up tomorrow if it's still unassigned (have to go home now). According to kmalloc's and others' comments, I totally agree that it's not easy to fix at the server side. What we should do is make "_combine_relative_url" smarter in keystoneauth.
12:32 *** ispp has joined #openstack-keystone
12:34 *** edmondsw has joined #openstack-keystone
12:38 *** jistr is now known as jistr|mtg
12:39 *** edmondsw has quit IRC
12:39 *** jistr|mtg is now known as jistr
12:40 *** mvk_ has quit IRC
12:52 *** mvk_ has joined #openstack-keystone
12:57 *** raildo has quit IRC
13:00 *** raildo has joined #openstack-keystone
13:04 *** edmondsw has joined #openstack-keystone
13:07 *** mchlumsky has joined #openstack-keystone
13:10 *** jmlowe has quit IRC
13:15 *** ispp has quit IRC
13:21 *** ispp has joined #openstack-keystone
13:24 *** amoralej|lunch is now known as amoralej
13:28 *** ispp has quit IRC
13:29 *** alex_xu has quit IRC
13:30 *** ispp has joined #openstack-keystone
13:32 *** r-daneel has joined #openstack-keystone
13:32 *** alex_xu has joined #openstack-keystone
13:32 *** r-daneel has quit IRC
13:39 *** dave-mccowan has joined #openstack-keystone
13:52 *** r-daneel has joined #openstack-keystone
14:03 *** links has quit IRC
14:04 *** openstackgerrit has quit IRC
14:20 *** lbragstad has joined #openstack-keystone
14:20 *** ChanServ sets mode: +o lbragstad
14:33 *** r-daneel has quit IRC
14:34 *** raildo_ has joined #openstack-keystone
14:35 *** david-lyle has joined #openstack-keystone
14:35 *** dklyle has quit IRC
14:36 *** ispp has quit IRC
14:36 *** raildo has quit IRC
14:36 *** raildo_ is now known as raildo
14:40 *** openstackgerrit has joined #openstack-keystone
<openstackgerrit> Lance Bragstad proposed openstack/keystone-specs master: Update the default roles spec to include Rocky details
14:40 *** ispp has joined #openstack-keystone
14:40 <lbragstad> hrybacki: new patch up ^
14:47 <lbragstad> kmalloc: i'm going through all your flask patches today again
14:47 *** links has joined #openstack-keystone
14:47 <hrybacki> thanks lbragstad ! +1'd
14:47 <lbragstad> ty sir
14:48 <kmalloc> lbragstad: I need to figure out the credentials error.. it is weird.
14:48 <kmalloc> It should work.
14:48 <kmalloc> But it isn't.
14:48 *** spilla has joined #openstack-keystone
<lbragstad> that must be in a later patch... i'm starting here
14:49 <kmalloc> It is like an old version of keystone is installed..
14:49 <kmalloc> Yeah it is the end of the current series where I move credentials to keystone.api
14:51 <lbragstad> lemme review some of the prerequisite patches and work my way up to that
14:53 *** AlexeyAbashkin has quit IRC
14:56 *** felipemonteiro_ has joined #openstack-keystone
14:59 *** fiddletwix has joined #openstack-keystone
15:00 *** dklyle has joined #openstack-keystone
15:01 *** felipemonteiro_ has quit IRC
15:02 *** david-lyle has quit IRC
15:02 *** pcaruana has quit IRC
15:05 *** felipemonteiro_ has joined #openstack-keystone
15:05 *** jmlowe has joined #openstack-keystone
15:11 *** AlexeyAbashkin has joined #openstack-keystone
15:14 *** ayoung has joined #openstack-keystone
<openstackgerrit> Dirk Mueller proposed openstack/keystone master: Switch to python-ldap
15:39 *** r-daneel has joined #openstack-keystone
15:41 *** d0ugal has quit IRC
15:41 *** d0ugal has joined #openstack-keystone
15:41 *** d0ugal has quit IRC
15:41 *** d0ugal has joined #openstack-keystone
15:56 *** ispp has quit IRC
16:00 *** jmlowe has quit IRC
16:00 *** links has quit IRC
16:00 *** felipemonteiro__ has joined #openstack-keystone
16:03 *** d0ugal has quit IRC
16:04 *** felipemonteiro_ has quit IRC
16:10 *** felipemonteiro_ has joined #openstack-keystone
16:10 *** felipemonteiro__ has quit IRC
16:11 *** d0ugal has joined #openstack-keystone
16:15 *** AlexeyAbashkin has quit IRC
16:18 <kmalloc> lbragstad: it is doing something very strange
16:18 <kmalloc> not finding a class i explicitly import
16:28 *** pcichy has joined #openstack-keystone
16:29 * lbragstad grabbing lunch quick
16:33 *** lbragstad has quit IRC
16:43 *** tesseract has quit IRC
16:52 *** d0ugal has quit IRC
16:54 *** mvk_ has quit IRC
16:58 *** jmlowe has joined #openstack-keystone
17:00 *** amoralej is now known as amoralej|off
17:03 *** jmlowe has quit IRC
17:05 *** d0ugal has joined #openstack-keystone
17:21 <kmalloc> it is weird.
17:24 *** lbragstad has joined #openstack-keystone
17:24 *** ChanServ sets mode: +o lbragstad
17:27 *** flwang1 has joined #openstack-keystone
17:30 *** stewie925 has joined #openstack-keystone
17:34 *** r-daneel_ has joined #openstack-keystone
17:34 *** s10 has quit IRC
17:35 *** r-daneel has quit IRC
17:35 *** r-daneel_ is now known as r-daneel
17:38 *** quackrabbit has joined #openstack-keystone
17:39 <quackrabbit> Poking around in the keystone source under ~stable/queens~. Can't find the keystone.common.fernet_utils package? Am I missing something?
17:40 *** r-daneel has quit IRC
17:45 *** mvk_ has joined #openstack-keystone
17:46 *** r-daneel has joined #openstack-keystone
17:50 *** r-daneel has quit IRC
17:51 *** felipemonteiro__ has joined #openstack-keystone
17:52 <kmalloc> quackrabbit: it was moved around... i guess a couple times now. it might have been token-specific in queens
17:52 *** r-daneel has joined #openstack-keystone
17:55 *** felipemonteiro_ has quit IRC
<openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Move Credentials API to Flask Native
<openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Allow class-level definition of API URL Prefix
18:04 *** d0ugal has quit IRC
18:05 *** abhi89 has joined #openstack-keystone
18:06 <kmalloc> wxy, lbragstad: ^ rebased/fixed circular import. Weird that the circular import didn't affect unit tests.
18:12 *** r-daneel_ has joined #openstack-keystone
18:14 *** r-daneel has quit IRC
18:14 *** r-daneel_ is now known as r-daneel
18:16 *** d0ugal has joined #openstack-keystone
18:22 <abhi89> hey guys.. i have 2 questions.. might look trivial but i am kind of stuck..
18:22 <abhi89> A user gets the token from keystone (let's call it user token).. let's say the user wants to deploy a vm..
18:22 <abhi89> so the call goes to nova service initially.. this REST api call contains the user token..
18:22 <abhi89> now nova service uses credentials from nova.conf file, keystone_authtoken section & calls /v3/auth/tokens to validate the user token..
<abhi89> so the user_auth_ref object at
18:22 <abhi89> which is created from request.user_token, here request.user_token is the token we are looking to get validated (i.e., user token).. and
18:22 <abhi89> user_auth_ref.username is the user name of the user who has requested vm deploy.. right? (1st question)
18:22 <abhi89> after user token is validated, and all nova related functions are done, nova calls /v3/<proj-id>/volumes to create a volume..
18:22 <abhi89> my 2nd question is, is this create volume cinder call made with nova's credentials/token or the user's credentials/token?
18:27 *** quackrabbit has quit IRC
18:31 <kmalloc> abhi89: user's token, there is the concept of a service token, indicating that nova sent the request vs. a user
18:31 <kmalloc> abhi89: but in short, nova sends the user's token along as the primary auth to cinder
18:32 <kmalloc> abhi89: for the first question, user_auth_ref.username should be the authenticated user's name afaik, but i'd have to 2x check
18:37 <abhi89> kmalloc: so for the second question, you mean to say that nova will call create volume api using the user token & not the service token
18:37 *** pcichy has quit IRC
18:41 *** spilla has quit IRC
18:42 <kmalloc> can carry on convo later, in a meeting now :)
18:42 <kmalloc> will be back in an hour or so
18:44 <abhi89> kmalloc: sure.. thanks for the info..
18:46 *** d0ugal has quit IRC
18:49 *** spilla has joined #openstack-keystone
18:49 *** d0ugal has joined #openstack-keystone
18:49 *** abhi89 has quit IRC
19:02 *** d0ugal has quit IRC
19:04 *** d0ugal has joined #openstack-keystone
19:16 *** jmlowe has joined #openstack-keystone
19:34 *** fiddletwix has quit IRC
19:37 *** flwang1 has quit IRC
19:44 <lbragstad> kmalloc: up to your credential API patch now
19:47 <lbragstad> hmm - i ran all the tests on and they passed for me locally
19:50 <kmalloc> lbragstad: yep. welcome to the weirdness
19:50 <kmalloc> i fixed the circular import that apparently only was hit in non-unit-test cases
19:50 <kmalloc> so patchset2 was bad for tempest
19:50 <lbragstad> oh - so ps 3 is fine then?
19:50 <kmalloc> ps3 should be 100% fixed
19:50 <lbragstad> got it
19:50 <lbragstad> it's nice seeing how this will work with an actual API
19:51 <kmalloc> ps3 also fixes the circular import(s)
19:51 <kmalloc> sorry to lump it together
19:51 <kmalloc> but was easier to see what the heck needed to be changed
19:51 <kmalloc> also, note that none of the credential tests had to be touched
19:51 <kmalloc> that was the BIG goal of all this code
19:51 <lbragstad> so - each method
19:52 <lbragstad> (e.g. get, post, patch, delete)
19:52 <lbragstad> needs a decorator *and* ENFORCER.enforce_call()?
19:52 <kmalloc> the decorator may be used.
19:53 <kmalloc> ENFORCER.enforce_call(action=<what is in the decorator>) is the other option
19:53 <kmalloc> the decorator is strictly syntactic sugar.
19:53 <kmalloc> i can respin without the decorator if you'd prefer
19:53 <lbragstad> ,unified@85 for example
19:53 <lbragstad> i was just under the assumption we'd be doing one or the other...
19:54 <kmalloc> the decorator does not replace enforce_call, it never will
19:54 <lbragstad> and ultimately moving away from the decorator since it obfuscates things
19:54 <kmalloc> happy to do so
19:54 <lbragstad> ok - we're on the same page then
19:54 <kmalloc> if you'd prefer it, it's trivial to re-spin without those actions.
19:54 <lbragstad> sure - that'd be nice
19:55 <kmalloc> the decorator you're seeing is trivially setting a value so you know what action will be used without needing to add it to enforce_call
19:55 <lbragstad> so right after we call ENFORCER.enforce_call() we can start doing system scope things?
19:55 <kmalloc> i can probably just drop that whole mechanism on the floor
19:55 <lbragstad> got it
19:55 <kmalloc> enforce_call is what calls policy
19:55 <kmalloc> call it wherever you want
19:55 <lbragstad> that's useful, but keeping it all on the same line right next to enforce_call seems like a plus, too
19:56 <kmalloc> these cases are strictly "at entry to method"
19:56 <kmalloc> there is no extra logic
19:56 <kmalloc> but anything with a callback, enforce_call will be much later on
19:56 <kmalloc> so, for example
19:57 <kmalloc> ^ that is the alternative mechanism to the decorator
19:57 *** r-daneel has quit IRC
19:58 <kmalloc> i don't know which is more clear
19:58 <kmalloc> also, you may change the action in enforce_call, and ignore the decorator
19:58 *** spilla has quit IRC
19:58 <kmalloc> it was about clarity, not sure if it helps at all
19:58 *** r-daneel has joined #openstack-keystone
19:59 <lbragstad> bah - wrong link
20:00 <kmalloc> the biggest benefit to the decorator, it errors at import time vs. at enforce time if the action is bogus
20:00 *** spilla has joined #openstack-keystone
20:00 <kmalloc> yep, pretty much your diff
20:00 <lbragstad> so if we end up doing the inline approach
20:01 <kmalloc> that would be the alternative
20:01 <lbragstad> would it be possible to let something slip through that breaks at run time?
20:01 <kmalloc> at test time
20:01 <lbragstad> i guess that would require someone to implement an API that tries to enforce a bogus action
20:01 <lbragstad> like ENFORCER.enforce_call(action='identity:bogus')
20:01 <kmalloc> well enforce a bogus action, not test it and/or use @unenforced_api
20:02 <kmalloc> and in that case, we 403.
20:03 <kmalloc> there is one more edge case i think i have found.
20:03 <kmalloc> if an API we have doesn't support "GET", aka post only on a URL
20:03 <kmalloc> we might need to add a special handler that raises 405 instead of a 500 error
20:03 <kmalloc> or 404, if that is expected.
20:04 <kmalloc> i think it's a 501*
20:04 <kmalloc> or a 500 today
20:04 <lbragstad> if you call an API that doesn't implement a method?
20:04 <kmalloc> it's... wonky today
20:05 <kmalloc> i think maaaaybe the only API we have like that is user-change-password
20:05 <lbragstad> 404 feels better than 405
20:05 <kmalloc> i am fairly certain flask 500s on no-get, but 405s any other non-existent method impl
20:06 <lbragstad> oh - maybe not
20:06 <kmalloc> it's a very weird edge case to have an API that allows for post but not GET.
20:07 <lbragstad> i was thinking if you requested some unorthodox restful method
20:07 <kmalloc> yeah 405 is most correct according to the RFC
20:07 <kmalloc> yeah no, i mean GET /user/XXXX/change-password
20:07 <kmalloc> that is ... weird
20:07 <lbragstad> but if a specific resource doesn't have a reason for POST or something like that - 405 seems right
20:07 <kmalloc> right and we don't support PUT anywhere (today)
20:07 <kmalloc> PUT = wholesale replacement
20:07 <kmalloc> vs "update"
20:08 <lbragstad> we don't use PUT?
20:08 <kmalloc> POST = Create
20:08 <kmalloc> PATCH = update
20:08 <kmalloc> PUT = replace.
20:08 <kmalloc> and afaik we don't do PUT
20:09 <lbragstad> looks like we use it in the domain config api
20:09 <kmalloc> ah we do
20:09 <kmalloc> and endpoint filtering
20:09 <kmalloc> anannnnd we might be doing it wrong in those cases
20:09 <cmurphy> and role assignment and group membership
20:09 <kmalloc> those probably should be POSTs
20:09 <kmalloc> based upon what they are doing
20:10 <kmalloc> not that we'll change it now
20:10 <kmalloc> looks like we may have mis-represented put and post.
20:10 * kmalloc shrugs
20:11 *** jmlowe has quit IRC
20:11 <kmalloc> doesn't matter, we have support for all the things in flask-restful, including badly used PUT
20:11 <kmalloc> lbragstad: want me to respin cred-api to use in-line enforcement action
20:11 <lbragstad> my question now is if it's a backwards incompat change to use 405 now
20:11 <kmalloc> and do you think we should just drop the decorator?
20:11 <lbragstad> kmalloc: sure
20:12 <kmalloc> we can easily add a default handler for those actions.
20:12 <lbragstad> kmalloc: we can keep the decorator until we move over a couple more API, just in case we decide it's still useful
20:12 <kmalloc> ooh i need to check on a security bug... i might have a bad news(tm) bug to file.
20:15 *** raildo_ has joined #openstack-keystone
20:16 *** d0ugal has quit IRC
20:17 *** raildo has quit IRC
20:18 <kmalloc> yay no security bugs.
20:18 <kmalloc> (new ones)
20:19 *** raildo_ is now known as raildo
20:19 <kmalloc> ok i'll respin cred-apis patch to not use the decorator
20:22 *** d0ugal has joined #openstack-keystone
<openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Move Credentials API to Flask Native
<openstackgerrit> Morgan Fainberg proposed openstack/keystone master: Allow class-level definition of API URL Prefix
20:22 <kmalloc> lbragstad: ^ + rebase of the followup
20:24 <kmalloc> lbragstad: i am also about 80% of the way through moving OS-TRUST to flask
20:25 <kmalloc> I have a few TODOs added to deprecate OS-TRUST in favour of "trusts", and just wire them up to the same code.
20:25 *** jmlowe has joined #openstack-keystone
20:25 <kmalloc> the OS-XXXX prefix in our URLs should be dropped.
20:26 *** raildo has quit IRC
20:26 *** AlexeyAbashkin has joined #openstack-keystone
20:26 <kmalloc> ugh i can type*
20:29 *** raildo has joined #openstack-keystone
20:30 *** s10 has joined #openstack-keystone
20:34 *** d0ugal has quit IRC
20:36 *** AlexeyAbashkin has quit IRC
20:38 *** raildo_ has joined #openstack-keystone
20:40 *** jmlowe has quit IRC
20:40 *** devx has quit IRC
20:40 *** raildo has quit IRC
20:41 *** devx has joined #openstack-keystone
20:43 *** raildo_ is now known as raildo
20:46 *** d0ugal has joined #openstack-keystone
21:01 <lbragstad> we'd still have to support the legacy "extension" like URL though, i think
21:01 <lbragstad> ah - yeah... that's what you said
21:02 *** pcichy has joined #openstack-keystone
21:05 *** spilla has quit IRC
21:06 *** flwang1 has joined #openstack-keystone
21:09 *** jmlowe has joined #openstack-keystone
21:11 <gagehugo> kmalloc lbragstad project tags uses PUT, but that's different from the rest of keystone iirc
21:13 *** raildo has quit IRC
21:22 *** jmlowe has quit IRC
21:24 *** martinus__ has quit IRC
21:24 *** jmlowe has joined #openstack-keystone
21:30 *** spilla has joined #openstack-keystone
21:30 *** spilla has quit IRC
21:34 *** jmlowe has quit IRC
<openstackgerrit> Merged openstack/keystone master: Flesh out and add testing for flask_RESTful scaffolding
21:44 *** ianw_pto is now known as ianw
21:47 *** lbragstad has quit IRC
21:48 *** jmlowe has joined #openstack-keystone
<openstackgerrit> Merged openstack/keystone master: Make keystone.server.flask more interesting for importing
21:59 *** harlowja has joined #openstack-keystone
22:04 *** lbragstad has joined #openstack-keystone
22:04 *** ChanServ sets mode: +o lbragstad
22:04 *** breton has quit IRC
22:04 *** breton has joined #openstack-keystone
22:07 *** jmlowe has quit IRC
22:15 *** rcernin has joined #openstack-keystone
22:17 *** r-daneel_ has joined #openstack-keystone
22:18 *** r-daneel has quit IRC
22:18 *** r-daneel_ is now known as r-daneel
22:21 *** s10 has quit IRC
22:30 *** jmlowe has joined #openstack-keystone
<openstackgerrit> Merged openstack/keystone master: Fix exporting
<openstackgerrit> Merged openstack/keystone master: Do not use flask.g imported as g
22:33 *** dave-mccowan has quit IRC
22:34 *** amoralej|off has quit IRC
22:43 *** edmondsw has quit IRC
22:45 *** edmondsw has joined #openstack-keystone
22:50 *** edmondsw has quit IRC
22:54 *** rcernin has quit IRC
23:01 <mnaser> how well does keystoneauth deal with caching token validity
23:01 <mnaser> say: a public cloud i know is opening a region that's ~70ms away but wants to maintain still a singular keystone
23:02 <mnaser> i was thinking running a local keystone instance that's connected to the same db (somehow would need to wire up a vpn) ... or can you run a keystone that literally just validates tokens using fernet and nothing else?
23:03 *** harlowja has quit IRC
23:07 *** felipemonteiro__ has quit IRC
23:08 *** rcernin has joined #openstack-keystone
23:12 *** r-daneel has quit IRC
23:15 *** tosky has quit IRC
23:51 *** jmlowe has quit IRC

Generated by 2.15.3 by Marius Gedminas - find it at!