Tuesday, 2018-08-14

*** rcernin_ has joined #openstack-keystone00:02
*** rcernin has quit IRC00:03
*** orange_julius74 has joined #openstack-keystone00:14
openstackgerritNick Wilburn proposed openstack/ldappool master: fix ldappool bad password retry logic  https://review.openstack.org/59117400:26
*** rcernin has joined #openstack-keystone00:29
*** rcernin has quit IRC00:29
*** rcernin has joined #openstack-keystone00:30
*** rcernin_ has quit IRC00:32
*** zhurong has joined #openstack-keystone00:33
*** lbragstad has joined #openstack-keystone00:44
*** ChanServ sets mode: +o lbragstad00:44
*** nicolasbock has quit IRC00:45
lbragstadkmalloc: fyi - i'm planning on picking up the /polices conversion to flask after this week (i'm unable to pull patches from gerrit)00:47
lbragstadpolicies*00:47
*** gmann has quit IRC00:57
*** jdennis has quit IRC00:57
*** wxy-xiyuan has quit IRC00:57
*** hugokuo has quit IRC00:57
*** DinaBelova has quit IRC00:57
*** yankcrime has quit IRC00:57
*** nicolasbock has joined #openstack-keystone00:58
*** jdennis has joined #openstack-keystone01:00
*** gmann has joined #openstack-keystone01:04
*** wxy-xiyuan has joined #openstack-keystone01:04
*** hugokuo has joined #openstack-keystone01:04
*** DinaBelova has joined #openstack-keystone01:04
*** yankcrime has joined #openstack-keystone01:04
*** DinaBelova has quit IRC01:04
*** DinaBelova has joined #openstack-keystone01:05
kmalloclbragstad: np01:05
*** openstackgerrit has quit IRC01:06
*** Nel1x has joined #openstack-keystone01:13
*** openstackgerrit has joined #openstack-keystone01:21
openstackgerritMerged openstack/oslo.limit master: ADD i18n file  https://review.openstack.org/58675901:21
*** zhurong has quit IRC01:39
openstackgerritMerged openstack/keystone master: Allow wrap_member and wrap_collection to specify target  https://review.openstack.org/58928802:01
openstackgerritMerged openstack/keystone master: Convert regions API to flask native dispatching  https://review.openstack.org/58964002:12
*** zhurong has joined #openstack-keystone02:15
openstackgerritBi wei proposed openstack/keystone master: Fix a bug that issue token with project-scope gets error  https://review.openstack.org/58739902:43
*** orange_julius74 has quit IRC02:59
*** Nel1x has quit IRC03:12
*** zhurong has quit IRC03:14
*** dave-mccowan has quit IRC04:12
*** gyee has quit IRC05:05
*** shyamb has joined #openstack-keystone05:51
*** shyamb has quit IRC05:57
*** shyamb has joined #openstack-keystone06:03
*** odyssey4me has quit IRC06:14
*** odyssey4me has joined #openstack-keystone06:14
*** pcaruana has joined #openstack-keystone06:44
*** shyamb has quit IRC06:48
*** shyamb has joined #openstack-keystone06:53
*** rcernin has quit IRC07:02
cmurphylbragstad: you can't pull patches from gerrit? you might try switching your remotes to https https://docs.openstack.org/infra/manual/developers.html#accessing-gerrit-over-https07:19
lbragstadoh - nice07:19
lbragstadi'll try that - right now my port is getting blocked07:20
lbragstadbut i assume 443 to work07:21
lbragstadi can't access it from the office - but i might be able to from the hotel07:26
*** shyamb has quit IRC07:27
*** shyamb has joined #openstack-keystone07:27
mbuilcmurphy: I am finally at "Testing it all out" part ==> https://docs.openstack.org/keystone/latest/advanced-topics/federation/federated_identity.html#testing-it-all-out. When it creates the k2ksession, it passes a string 'mysp', what should I write there? I have an entityID which identifies the IdP but I don't remember having an id to identify the SP07:42
cmurphymbuil: that should be the name of the service provider entry you created on the identity provider in this step https://docs.openstack.org/keystone/latest/advanced-topics/federation/federated_identity.html#create-a-service-provider-sp07:43
*** shyamb has quit IRC07:48
mbuilcmurphy: Oh, I missed that step. That should be executed in the IdP part?07:48
cmurphymbuil: yes07:48
mbuilRegarding the sp_url, when creating the SP, I added in /etc/shibboleth/shibboleth2.xml the following ==> <ApplicationDefaults entityID="http://mysp.example.com/shibboleth">. However, the example sp_url is 'http://mysp.example.com/Shibboleth.sso/SAML2/ECP'. Is that ok?07:54
mbuilcmurphy: I actually haven't written anywhere in the SP config 'http://mysp.example.com/Shibboleth.sso/SAML2/ECP'07:55
cmurphymbuil: the entityID is just an identifier string, it doesn't route to anything07:59
cmurphythe /Shibboleth.sso/SAML2/ECP is provided by the shibboleth mod, you can query /Shibboleth.sso/Metadata or something like that to get all the endpoints it provides08:00
cmurphyso yes you're all good08:00
mbuilcmurphy: good. Let's try. Fingers crossed08:04
mbuilcmurphy: one extra thing. From Keystone IdP I should be able to wget http://mysp.example.com:5000/v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth, right?08:04
*** mchlumsky has quit IRC08:12
*** openstackstatus has quit IRC08:12
*** mchlumsky has joined #openstack-keystone08:13
*** mvkr has quit IRC08:20
cmurphymbuil: sort of, you'd have to POST the ECP assertion with the request, it would be easier to just let keystoneauth handle it (and openstackclient supports it now too)08:23
*** shyamb has joined #openstack-keystone08:28
openstackgerritColleen Murphy proposed openstack/keystone master: Use osc in k2k example  https://review.openstack.org/59158708:30
cmurphymbuil: ^08:30
mbuilcmurphy: something must be wrong. This line returns None :( https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/identity/v3/k2k.py#L16608:32
mbuilcmurphy: let me check that patch08:32
*** mvkr has joined #openstack-keystone08:52
*** jaosorior has quit IRC08:53
*** shyamb has quit IRC09:24
*** markvoelker has joined #openstack-keystone09:33
*** shyamb has joined #openstack-keystone09:34
*** openstackstatus has joined #openstack-keystone09:41
*** ChanServ sets mode: +v openstackstatus09:41
*** hoonetorg has quit IRC09:43
mbuilcmurphy: I need a bit of help debugging. It seems everything goes ok between "User Agent" and IdP. However, when "User Agent" accesses SP, I see in the logs of SP_Apache2:09:48
mbuil172.29.236.11 - - [14/Aug/2018:09:33:05 +0000] "POST /Shibboleth.sso/SAML2/ECP HTTP/1.1" 500 915 "-" "osc-lib/1.9.0 keystoneauth1/3.4.0 python-requests/2.18.4 CPython/2.7.13"09:48
mbuilcmurphy: /var/log/apache2/keystone.log says ==> 2018-08-14 09:33:43.538256 Issuer must have TextContent.09:48
mbuilcmurphy: any idea what it is referring to with TextContent?09:49
*** hoonetorg has joined #openstack-keystone09:57
cmurphymbuil: it's saying that the assertion is invalid, it's referring to a field called Issuer and saying it's empty09:58
cmurphyI'm not sure why it would be empty, that should be the [saml]/idp_entity_id set in keystone.conf on the IdP09:58
cmurphyyou might try regenerating the metadata on the IdP and restarting keystone/apache09:59
mbuilcmurphy: aaah ok, thanks. I guess the problem seems to be in the IdP then09:59
mbuilcmurphy: the shibboleth log in SP supports your guess:10:00
mbuil2018-08-14 09:33:43 INFO Shibboleth-TRANSACTION [3]: New session (ID: ) with (applicationId: default) for principal from (IdP: none) at (ClientAddress: 172.29.236.11) with (NameIdentifier: none) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: )10:00
*** markvoelker has quit IRC10:07
*** lbragstad has quit IRC10:12
*** shyamb has quit IRC10:14
*** mvkr has quit IRC10:22
*** shyamb has joined #openstack-keystone10:45
*** jaosorior has joined #openstack-keystone10:51
*** markvoelker has joined #openstack-keystone11:04
*** jaosorior has quit IRC11:17
mbuilcmurphy: I am again stuck but I feel I am close to the final line! Now I get in /var/log/keystone/keystone.log: "Could not map any federated user properties to identity values. Check debug logs or the mapping used for additional details.". I added some logs to the code and I realized that this line never returns anything: https://github.com/openstack/keystone/blob/master/keystone/federation/utils.py#L77611:17
*** jaosorior has joined #openstack-keystone11:17
mbuilcmurphy: it compares the rules, which in my case are: https://hastebin.com/itetericiy.py with the assertion which in my case is: https://hastebin.com/gulimuwiye.py11:18
mbuilcmurphy: so, it searches for a key "openstack_user" in the assertion but there is nothing like that. Do you think the problem is that the assertion is wrong?11:19
cmurphymbuil: did you modify attribute-map.xml like in this step? https://docs.openstack.org/keystone/latest/advanced-topics/federation/federated_identity.html#keystone-to-keystone11:23
*** s10 has joined #openstack-keystone11:27
*** josecastroleon has quit IRC11:28
*** josecastroleon has joined #openstack-keystone11:28
mbuilcmurphy: not exactly, I did this mapping ==> https://docs.openstack.org/keystone/latest/advanced-topics/federation/configure_federation.html#mapping11:31
*** shyamb has quit IRC11:31
*** shyamb has joined #openstack-keystone11:32
mbuiland this one https://docs.openstack.org/keystone/latest/advanced-topics/federation/shibboleth.html11:32
cmurphymbuil: you need to edit /etc/shibboleth/attribute-map.xml too, it's a quirk of the shibboleth SP that by default it won't pass through attributes it doesn't understand11:32
mbuilcmurphy: I edited it and added https://hastebin.com/olutuhevaz.xml11:35
cmurphymbuil: ah you need to keep id="openstack_user" etc, the id parameter in that xml node doesn't refer to the actual ID of the user, it's an internal identifier that needs to be unique11:36
mbuilcmurphy: aaaah ok, thanks!11:37
*** markvoelker has quit IRC11:37
mbuilcmurphy: look at this ==> https://hastebin.com/mutetusabe.rb, success??11:39
cmurphymbuil: looks like it!!!11:40
mbuilole!11:40
*** nicolasbock has quit IRC11:49
*** shyamb has quit IRC12:02
*** shyamb has joined #openstack-keystone12:06
*** raildo has joined #openstack-keystone12:33
*** shyamb has quit IRC12:34
*** shyamb has joined #openstack-keystone12:34
openstackgerritMerged openstack/keystone master: Fix a bug that issue token with project-scope gets error  https://review.openstack.org/58739912:35
*** josecastroleon has quit IRC12:39
*** jaosorior has quit IRC12:39
*** shyamb has quit IRC12:40
*** dave-mccowan has joined #openstack-keystone12:43
*** josecastroleon has joined #openstack-keystone12:46
*** raildo_ has joined #openstack-keystone13:09
*** raildo has quit IRC13:10
*** _ix has joined #openstack-keystone13:26
*** _ix has quit IRC13:34
*** lbragstad has joined #openstack-keystone13:37
*** ChanServ sets mode: +o lbragstad13:37
*** josecastroleon has quit IRC13:40
*** jaosorior has joined #openstack-keystone13:44
*** wxy| has joined #openstack-keystone13:48
*** _ix has joined #openstack-keystone13:51
*** _ix has quit IRC13:57
*** josecastroleon has joined #openstack-keystone14:08
*** _ix has joined #openstack-keystone14:40
knikollao/14:55
lbragstado/14:57
knikollaschedule for berlin is live15:01
*** jdennis has quit IRC15:20
*** jdennis has joined #openstack-keystone15:31
*** fiddletwix has joined #openstack-keystone15:39
openstackgerritDoug Hellmann proposed openstack/oslo.limit master: fix gate  https://review.openstack.org/59116215:49
openstackgerritDoug Hellmann proposed openstack/oslo.limit master: import zuul job settings from project-config  https://review.openstack.org/58869715:49
openstackgerritDoug Hellmann proposed openstack/oslo.limit master: add python 3.6 unit test job  https://review.openstack.org/58959915:49
openstackgerritDoug Hellmann proposed openstack/oslo.limit master: add lib-forward-testing-python3 test job  https://review.openstack.org/59118515:49
openstackgerritDoug Hellmann proposed openstack/oslo.limit master: fix doc gate  https://review.openstack.org/59116215:50
openstackgerritDoug Hellmann proposed openstack/oslo.limit master: import zuul job settings from project-config  https://review.openstack.org/58869715:50
openstackgerritDoug Hellmann proposed openstack/oslo.limit master: add python 3.6 unit test job  https://review.openstack.org/58959915:50
openstackgerritDoug Hellmann proposed openstack/oslo.limit master: add lib-forward-testing-python3 test job  https://review.openstack.org/59118515:50
*** itlinux has joined #openstack-keystone15:54
lbragstadkmalloc: i fixed up a bunch of the failures in the policy conversion patch, i should be able to clean up the last couple bits and get a new version up earlier than i thought15:59
*** gyee has joined #openstack-keystone16:02
*** pcaruana has quit IRC16:02
*** ayoung has joined #openstack-keystone16:03
kmallocCool16:09
*** jrist has quit IRC16:12
*** s10 has quit IRC16:28
*** d0ugal has quit IRC16:28
*** shyamb has joined #openstack-keystone16:29
*** jrist has joined #openstack-keystone16:38
*** wxy| has quit IRC16:39
*** lbragstad has quit IRC16:41
*** shyamb has quit IRC17:05
kmallocknikolla: i think i have a fix for OS-FEDERATION now17:44
kmallocknikolla: almost there.17:44
kmallocknikolla: running local tests to make sure it is working at least in unit.17:45
knikollakmalloc: awesome!17:45
kmallocknikolla: also, running unit tests on a threadripper is nice. 32 threads of unit tests, <100s for full run17:46
knikollakmalloc: cool!17:47
knikollai usually run mine on a 16 vcpu vm17:47
kmallocnotmorgan@tardis:~/Documents/openstack_dev/keystone$ docker-tox -epep8,py35 ->17:48
kmallochttps://www.irccloud.com/pastebin/sKuIKFqp/17:48
knikollakmalloc: 94 seconds, yup. impressive!17:49
knikollai think best i've got is about 3 minutes.17:49
kmallocdocker-tox is an alias to `docker run --rm -v `pwd`:/opt/src keystone-dev:16.04 tox17:49
kmallocDocker File for keystone-dev (16.04) https://www.irccloud.com/pastebin/BtGV79Dq/Dockerfile17:50
kmallocknikolla: ^ if you want to use my dockerfile.17:51
kmallocthat'll build a keystone dev docker image, assuming your PWD is one level outside of the keystone directory17:51
kmallocand it'll do the bindep work for you.17:51
kmallocso you get all the bindeps needed.17:51
kmallocit could even work for non-keystone things with an env for OS_PROJ17:52
kmallocOS_PROJECT*17:52
knikollakmalloc: i only have a lowly dual core laptop17:52
knikollauntil then i have this https://gist.github.com/knikolla/a921573ded94538796ee5ce1383eb1fb17:52
kmallocright, but this means i don't need to install all the deps17:53
kmallocand i could mod the dockerfile to use centos, fedora, etc17:53
kmalloci'd need to modify the explicit apt-get bit, i think i could do it 100$ with bindep17:53
kmalloc100%*17:53
kmallocmy system has basic IDE support, but i run all the code [inc dependencies] in docker, even for the IDE inspections.17:54
knikollatrue17:54
knikollainteresting17:54
kmalloci also don't have py27 installed17:54
kmalloclocally, just in docker17:54
openstackgerritMorgan Fainberg proposed openstack/keystone master: Convert OS-FEDERATION to flask native dispatching  https://review.openstack.org/59108217:55
knikollahmmm... i never thought of installing the dependencies in docker and running IDE inspection from that17:56
kmallocknikolla: it works explicitly with pycharm17:56
kmalloci think vscode will support "Remote interpreter" soon too17:56
kmallocand as soon as it does, i'll move to vscode17:56
kmallocI can never get atom.io to do what i want it to17:56
kmalloc=/ i want to like it17:56
kmalloci really do.17:56
knikollai tried vs code, but there were some annoyances17:57
knikollapycharm works best for me17:57
knikollaatom is sluggish17:57
kmallocbut pycharm supporting remote environments is huge17:57
kmalloci spent yesterday setting it all up17:57
kmalloccurrently in my living room, coding on my  65" TV 4k TV ;)17:58
knikollasweet17:58
kmallocand my workstation is a TR4 (threadripper, 1950x) with 128GB of ram, running on mirrored NVMe (full encryption) drives, 2x WD RED [slow] rust, and boot/EFI on a usb-stick.17:59
kmallocencryption keys in the dTPM chip, so i can walk off with the USB stick and the machine is about as secure as you can get.17:59
knikollawhoa, that's a beast.17:59
kmallocit has a 1080ti in it, and will have an AMD 9100wx tomorrow17:59
kmallocso VMs will get VT-D, sr-iov slice of a gpu.18:00
kmallocthe machine also has a 10G (SFP+) intel nic in it, with a DAC to my switch18:00
kmallocand my new keyboard is a WASD cherry-mx clear 10keyless :)18:01
knikollaoverkill18:01
kmallocthough i really want a speed silver keyboard for my gaming PC18:01
kmalloc(which is, being built now), Watercooled, 8086K i7, 32GB of ram, GTX 1080ti18:01
kmallocon mirrored NVME drives.18:02
knikollayour screen alone is as big as my entire apartment, lol.18:02
kmalloci have 3 (soon to be 4) monitors at my desk.18:02
kmallocgoing to be replacing my broken 4k monitor with dual ultra-wide monitors18:02
orange_juliusYea well I am getting a desk this week so that I don't have to sit on the floor anymore. So there!18:02
kmallocorange_julius: ++ don't sit on the floor! it hurts after too long18:03
kmalloc:)18:03
kmallocknikolla: and i think i got my RH issued X1C6 to work... it at least suspends to s0i3 now.18:03
kmallocso battery lasts longer than ... 3 hrs sleeping18:03
kmalloc(5-8 days suspend now)18:03
knikollakmalloc: didn't they issue you a p52?18:03
kmallocnope.18:04
kmallocit was denied18:04
kmalloclike out of hand, even though my manager approved it18:04
kmallocso i settled on an X1C618:04
kmallocand it's "ok" but not great.18:04
knikollathat's what i asked them for, but they gave me a used x270.18:05
kmallocnext step is install my NUC for my openstack control plane, stand up a FreeIPA server, and get all my virtualization under management18:05
kmallocxick on the x27018:05
kmalloci was issued a useless t460 or whatever the last gen was18:05
kmallocwith like 8GB of ram18:05
kmallocand 256GB hdd18:06
knikollahdd?? in 2018?18:06
kmallocit was m.2 SSD18:06
kmallocbut not even nvme18:06
kmallocor maybe it was 2.5" ssd18:06
kmallocwhatever, it was not usable. it's why i used my X1C4 for the last 2 years (even with it being a lemon of a laptop)18:07
openstackgerritMorgan Fainberg proposed openstack/keystone master: Fix a translation of log  https://review.openstack.org/59116418:07
knikollakmalloc: how's the screen on the X1C6?18:08
openstackgerritMorgan Fainberg proposed openstack/keystone master: Refactor ProviderAPIs object to better design pattern  https://review.openstack.org/57195518:08
openstackgerritMorgan Fainberg proposed openstack/keystone master: Convert OS-INHERIT API to flask native dispatching  https://review.openstack.org/59116518:08
openstackgerritMorgan Fainberg proposed openstack/keystone master: Fix RBACEnforcer get_member_from_driver mechanism  https://review.openstack.org/59114618:08
openstackgerritMorgan Fainberg proposed openstack/keystone master: Convert groups API to flask native dispatching  https://review.openstack.org/59114718:09
openstackgerritMorgan Fainberg proposed openstack/keystone master: Fix a translation of log  https://review.openstack.org/59116418:09
openstackgerritMorgan Fainberg proposed openstack/keystone master: Convert OS-INHERIT API to flask native dispatching  https://review.openstack.org/59116518:09
kmallocknikolla: the one i have is trash, since it's 1080p18:09
knikollakmalloc: right. though 1440p isn't that big of a step up.18:11
kmallocbut i'm used to 1440p and 4k monitors18:11
knikollado you run them with 2x scaling?18:12
kmallocso 1080p is pretty hard to drop down to.18:12
kmallocnope, 1x scaling18:12
knikollayou must have impressive eyesight18:12
knikollai'm running my 12.5" 1080p screen with 1.5 font scaling.18:12
kmallocthough i admit when i am on the TV, i'm almost 10' away, so i go to ~1.25x or so18:12
kmallochm.18:13
kmallocsigh.18:13
kmallocthis is ugly, going to have a ton more TRY/EXCEPT in the OS-INHERIT build_enforcement_target.18:13
kmallocmaybe i should just explicitly raise out Forbidden on the raise instead of 404*18:14
kmallocknikolla: this is dangerous18:14
kmallochttps://www.irccloud.com/pastebin/JE4eFJMG/18:14
kmallocshould i log the 404s and raise up 403s?18:14
kmallocsince this is part of the enforcement line.18:15
knikollakmalloc: hmmm... i think yes18:18
kmallocthe other option is to just leave the target/enforcement epty18:18
kmallocempty*(18:18
kmallocwhich means it's on the enforcement_str to handle if it is allowed or not.18:18
kmallocwhich is probably most correct.18:18
kmallocsince an empty target['user'] dict means we can't enforce on it, so enforcement should behave as expected.18:19
knikollathat wouldn't raise the correct 404 though, right?18:20
kmallocin both cases it should net a 40318:20
kmallocit just means the enforcement rule is responsible vs keystone saying "WHOA, NO USER! FORBIDDEN"18:20
knikollaoh, i see what you're saying. yes.18:21
kmallocok, going to LOG.INFO this and set the target empty18:21
kmallocand see what happens with testing18:21
knikolla++18:22
*** jaypipes has joined #openstack-keystone18:34
kmallocooh it's a jaypipes18:35
kmallochi jaypipes18:35
jaypipeskmalloc, cmurphy: heya. if I want to get a list of users within a project via the keystone v3 client, how would I do that? did the behaviour between the v2 and v3 client call for keystone_client.users.list(project_id) change?18:35
kmallocjaypipes: hm, i don't think it changed.18:36
kmallocbut... let me check.18:36
kmallocjaypipes: wait, you're looking for what users have access/roles on a project?18:37
kmallocjaypipes: just to confirm not something else.18:37
*** sapd1 has quit IRC18:38
jaypipeskmalloc: users that have any role in the supplied project, yes.18:39
jaypipeskmalloc: I have a report that this behaviour changed from v2 to v3.18:39
jaypipeskmalloc: and it was surprising to me.18:39
jaypipeskmalloc: the report is stating that v3 doesn't filter any more. it just returns all users in the entire keystone database, regardless of what gets passed to list(project_id)18:40
kmallocright.18:40
kmalloci'm looking at the code, and it looks like project/default_project is a filter on the user's default project18:40
kmallocinstead of what you want.18:41
kmalloci think you want to hit role_assignments, let me see how that works really quickly18:41
jaypipeskmalloc: I'm more interested in whether this behaviour *changed* from v2 to v3?18:41
kmalloci think the behavior did change. but the report was probably giving incorrect information in v218:41
kmallocthe change is we don't filter on default_project anymore, in either case18:41
kmallocwhich is what the argument was doing in both cases.18:42
kmallocwhat you're looking for now, is role_assignments() https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v3/role_assignments.py#L64 filtering on project18:43
kmallocand that, while hitting v3 API, would return v2 assignments as well18:43
kmalloc(since v2 assignments == v3 assignments with domain(default))18:43
jaypipesack18:44
kmallocah, i am wrong, v2 did filter on tenant_id like role_assignments does18:44
kmallocv3 filtered on default_project id (terrible ux)18:44
kmallocso, behavior in ksc changed a lot between 2 and 318:45
kmallocbut i think that is because the underlying APIs didn't work even remotely the same18:45
kmallocand we have role_assignments which expands out implied_roles (if asked), inherited roles, etc.18:45
openstackgerritMorgan Fainberg proposed openstack/keystone master: Convert OS-INHERIT API to flask native dispatching  https://review.openstack.org/59116518:46
kmallocknikolla: ^ let's see how that ends up. I think that is the most correct option.18:46
kmallocknikolla: note the HUGE comment in the function.18:47
kmalloci need to replicate that in the groups version too18:47
jaypipeskmalloc: ack, thx for the information. appreciated.18:47
jaypipeskmalloc: to sum up, we should be using the role assignments functionality for listing users, instead of... well, listing users. :)18:47
kmallocjaypipes: if you want role assignment information. NOTE that API is very punitive. it has to do a ton of work behind the scenes to map users, roles, projects, domains, and expansions18:48
kmallocjaypipes: so i wouldn't run it in a tight loop or anything.18:48
kmalloctl;dr hits the DB a lot18:49
kmallocand may be very slow if you have a ton of users.18:49
jaypipeskmalloc: k, good to know.18:49
kmallocknikolla: is it wrong i want to buy a tv-sized screen for my office now :P18:50
jaypipeskmalloc: if I just want to get a list of users in a project, why is the UX so different now?18:50
jaypipeskmalloc: not trying to bitch... just this kind of hit us HARD :)18:50
kmallocjaypipes: because users are owned by potentially many domains18:50
jaypipeskmalloc: you can imagine automation scripts that were processing a dozen user accounts in a loop now processing 6K+ users in each loop over a tenant. blew up the entire service when the v3 client patches were used.18:51
kmallocoh totally. i get it18:51
kmallocthe semantics of the scope of where users are and the types of roles are more expansive in v318:51
kmallocinherited roles notably, and implied roles.18:51
kmallocand that users live in more places (ldap, sql, etc) there is potential you have 5 sources of users18:52
jaypipeskmalloc: for some reason, I thought domains were no longer a thing... is that not the case?18:52
kmallocdomains are a specialized container that is just a project behind the scenes18:52
jaypipesoh, ok. so just the implementation of domains was changed?18:53
kmallocthat was for maintenance clarity, so we didn't need all sorts of extra magic to handle a domain role assignment18:53
jaypipesconcept is still around?18:53
kmallocyep18:53
jaypipesgotcha.18:53
kmalloci would love to ditch domains... but let's just say API contract hell and v4.18:53
kmallocso, we doubled down, but made domains much easier to work with18:53
kmallocdomains are just projects with a bit flipped and can be referenced via either API18:54
jaypipessure. there seem to have been some casualties of that war, though ;P18:54
kmallocyup =/18:54
jaypipes:) no worries mate, shit happens.18:54
kmallocfunctionally we didn't change v3's semantics, we made it much easier to be consistent internally though18:54
kmallocbut v3 has always been very different (unfortunately/fortunately) from v218:55
jaypipeskmalloc: I might touch back with you later to validate some code I'll put together to get a list of users within a tenant the v3 way (efficiently that is)18:55
kmallocsure thing.18:55
jaypipesappreciated :)18:55
kmallocrole_assignments, fwiw, is on a short list of "how can we make this better"18:55
kmallocthat i want to tackle. but i'm amidst a giant refactor to drop webob on the cutting room floor :P18:55
jaypipeshehe :)18:56
kmallocand i'm down to ~5 major apis.18:56
kmallocbut it's been a beast. Flask makes this all MUCH better... but seeing it has been hard to keep in focus18:56
orange_juliusDo you mind me asking why flask makes this better?18:58
kmallocorange_julius: it's allowing us to clean up a lot of bits, mostly around enforcement in a much cleaner way; centralized access to request data, so we don't need to pass request objects around19:00
kmallocorange_julius: and flask-RESTful takes a bunch of load off us to implement rendering of the response.19:00
kmallocin a clean json-form.19:00
kmallocand we can handle things directly in the request instead of needing to process it as a middleware stack19:01
kmalloce.g. "is this a json request body"19:01
kmallocso we collapse the stack of things that have to process the request significantly. and we'll be able to more easily support things such as etags19:02
kmallocso the request jaypipes is going to make for a report could be highly cachable on the client side, with webob adding such features is a real beast.19:02
kmallocthe final benefit is.. flask is something more folks understand than Routes and our custom wsgi bits19:03
kmallocas we move forward we'll have less and less custom wrappers for flask and more and more basic flask/flask-restful code19:04
kmalloc:)19:04
orange_juliusAh nice. Thanks! I wasn't aware there was a lot of custom bits. I haven't poked my head into the Keystone code too much, and truthfully wouldn't know where to start. I am always curious though =D19:04
kmallocwe had nearly 100% custom wsgi stack in our code19:05
kmallocall webob/pastedeploy19:05
kmallocand Python Routes19:05
kmallocit was hard to work with.19:05
kmallocand our policy enforcement suffered.19:05
knikollakmalloc: what do you do with all that screen real estate?19:09
*** jaosorior has quit IRC19:45
*** jaosorior has joined #openstack-keystone19:58
*** rmascena__ has joined #openstack-keystone20:32
*** rmascena__ has quit IRC20:35
*** raildo_ has quit IRC20:35
*** rmascena__ has joined #openstack-keystone20:35
*** jaosorior has quit IRC20:56
*** rmascena__ has quit IRC20:59
*** s10 has joined #openstack-keystone21:30
*** itlinux has quit IRC21:54
*** s10 has quit IRC22:23
*** s10 has joined #openstack-keystone22:23
*** s10 has joined #openstack-keystone22:24
*** s10 has quit IRC22:24
*** s10 has joined #openstack-keystone22:25
*** s10 has quit IRC22:25
*** s10 has joined #openstack-keystone22:26
*** s10 has quit IRC22:26
*** s10 has joined #openstack-keystone22:26
*** s10 has quit IRC22:27
kmallocknikolla: watch movies, and surf the web, what else? ;)22:32
*** imacdonn has quit IRC22:38
*** imacdonn has joined #openstack-keystone22:38
*** _ix has quit IRC22:57
*** mvkr has joined #openstack-keystone23:05
kmallocknikolla: if you have some time, eyes on the OS-FEDERATION bits would be useful23:49
kmallocknikolla: i am not sure why we're getting Role Not Found.23:49
