Wednesday, 2018-10-31

clarkbbut fungi likely has better info00:00
clarkbit was a thing that happened over the weekend and I was distracted by running a smoker00:00
kmallocyeah just ran into the same issue locally00:00
kmalloci'll, for now, just toss in html into our deps.00:00
kmallocand we can chase out better options down the road00:00
kmallocprobably pysaml needs to do so as well00:01
openstackgerritMerged openstack/keystone master: Remove obsolete credential policies
kmallochtml isn't part of stdlib00:03
clarkbTIL python3 has an html parser in stdlib00:04
kmallocand the pypi one that py2 leans on is last updated in ... 201100:11
kmallocor so00:11
kmallocthis does not inspire me with a lot of confidence00:11
kmalloci mean. it clearly works but...00:11
prometheanfirekmalloc: I've seen this over the last few generate-constraints things and just now narrowed it down to futures00:15
prometheanfireI actually expected 8601 to be the problem initially (given there were two updates recently with it)00:16
kmallocyeah looks like futures has changed something00:16
kmalloci'm digging into how that broke import html00:16
prometheanfirepy37 would be nice (it is shaping up nicely)00:16
kmallocit's... weird.00:17
kmallocpy37 is NICE00:17
kmallocbut this futures issue is weird.00:17
prometheanfireonly python I don't have installed is py3400:17
kmalloci have py35, 36, and 2700:17
kmallocall in docker containers00:17
prometheanfiregentoo :P00:17
kmallocand py3 whatever came with 18.04 but nothing installed locally00:17
prometheanfire     (2.7)  2.7.14-r1{xpak:5} ~2.7.14-r2 2.7.15{xpak}00:17
prometheanfire     (3.4)  3.4.5-r1(3.4/3.4m)^t ~3.4.6-r1(3.4/3.4m) 3.4.8(3.4/3.4m) ~3.4.8-r1(3.4/3.4m)00:17
prometheanfire     (3.5)  3.5.4-r1(3.5/3.5m)^t{xpak:4} 3.5.5(3.5/3.5m)^t{xpak} ~3.5.5-r1(3.5/3.5m)^t00:18
prometheanfire     (3.6)  3.6.3-r1(3.6/3.6m)^t{xpak:4} ~3.6.4(3.6/3.6m)^t 3.6.5(3.6/3.6m)^t{xpak} ~3.6.5-r1(3.6/3.6m)^t ~3.6.6(3.6/3.6m)^t00:18
kmallocso i don't pollute my base OS with dependencies00:18
prometheanfire     (3.7)  (~)3.7.0(3.7/3.7m)^t{xpak}00:18
prometheanfirethose are the versions I can have00:18
kmallocand don't have to chase anything down00:18
prometheanfire37 isn't marked stable quite yet00:18
prometheanfireI kinda wish pipenv installed python itself as well00:18
prometheanfirethat'd be nice for bootstrapping and getting rid of the OS entirely for virtualenvs00:19
prometheanfirebasically, I don't think we should need containers to do that I guess00:21
clarkbprometheanfire: pyenv?00:24
prometheanfireclarkb: that exists?00:26
clarkbit doesn't work everywhere though. I can't get it to compile properly in tumbleweed and the python packaging for suse has clues for why00:27
prometheanfirelooks like it works with vagrant?00:28
clarkbit compiles locally into $dir iirc00:30
*** gyee has quit IRC00:36
prometheanfireat least for gentoo it's fairly easy to have multiple pythons and switch between them00:39
clarkbya gentoo is sort of built around that. Most distros are not. Nix is another one that makes it easy as are fedora and debian aiui00:40
prometheanfireya, iirc debian has a thing for switching default python, not sure about fedora but would not be surprised. nix, of course :P00:43
*** markvoelker has quit IRC00:49
*** markvoelker has joined #openstack-keystone00:50
openstackgerritAdrian Turjak proposed openstack/keystone master: Implement auth receipts spec
adriantwoo! I think/hope that's now pretty much almost there other than discussions about code duplication!00:53
*** markvoelker has quit IRC00:55
openstackgerritAdrian Turjak proposed openstack/keystone master: [WIP] Add documentation for Auth Receipts and MFA
*** mchlumsky has joined #openstack-keystone01:04
*** mchlumsky has quit IRC01:07
fungiclarkb: kmalloc: yes, see the discussion on earlier patchsets of
*** mchlumsky has joined #openstack-keystone01:09
fungiwas a regression in readme_renderer (a dep of twine)01:09
*** mchlumsky has quit IRC01:11
openstackgerritwangxiyuan proposed openstack/keystone master: Deprecate eventlet related configuration
*** aojea_ has joined #openstack-keystone01:23
*** aojea_ has quit IRC01:28
*** Dinesh_Bhor has joined #openstack-keystone01:48
*** Dinesh_Bhor has quit IRC02:20
openstackgerritNathan Kinder proposed openstack/ldappool master: Improve connection retry logging
*** Dinesh_Bhor has joined #openstack-keystone02:24
*** itlinux has joined #openstack-keystone02:45
*** markvoelker has joined #openstack-keystone02:51
*** itlinux has quit IRC02:56
*** Nel1x has joined #openstack-keystone03:23
*** markvoelker has quit IRC03:24
openstackgerritwangxiyuan proposed openstack/keystone master: Add release note for unified limit APIs changing
*** Nel1x has quit IRC03:52
*** dave-mccowan has quit IRC04:18
*** markvoelker has joined #openstack-keystone04:21
*** sapd1 has quit IRC04:22
*** Dinesh_Bhor has quit IRC04:33
*** sapd1 has joined #openstack-keystone04:49
*** markvoelker has quit IRC04:54
*** Dinesh_Bhor has joined #openstack-keystone04:59
*** itlinux has joined #openstack-keystone05:05
*** pcaruana|elisa| has joined #openstack-keystone05:29
*** pcaruana|elisa| has quit IRC05:37
*** markvoelker has joined #openstack-keystone05:51
*** itlinux has quit IRC06:04
*** Dinesh_Bhor has quit IRC06:13
*** Dinesh_Bhor has joined #openstack-keystone06:25
*** markvoelker has quit IRC06:26
*** cabledude has quit IRC06:31
openstackgerritwangxiyuan proposed openstack/oslo.limit master: Add limit check func
openstackgerritwangxiyuan proposed openstack/oslo.limit master: Add limit check func
*** Dinesh_Bhor has quit IRC07:10
*** Dinesh_Bhor has joined #openstack-keystone07:11
*** markvoelker has joined #openstack-keystone07:24
openstackgerritwangxiyuan proposed openstack/keystone-specs master: Add domain level limit support
*** xek has joined #openstack-keystone07:38
*** pcaruana|elisa| has joined #openstack-keystone07:45
*** Dinesh_Bhor has quit IRC07:55
*** markvoelker has quit IRC07:57
openstackgerritJuan Antonio Osorio Robles proposed openstack/oslo.policy master: Unit test for CLI
*** markvoelker has joined #openstack-keystone08:54
openstackgerritwangxiyuan proposed openstack/oslo.limit master: Add limit check func
openstackgerritJuan Antonio Osorio Robles proposed openstack/oslo.policy master: Pass in policy name as part of the oslopolicy-check check call
*** Dinesh_Bhor has joined #openstack-keystone09:05
*** nels has quit IRC09:11
openstackgerritJuan Antonio Osorio Robles proposed openstack/oslo.policy master: Add ability to pass in target data for the oslopolicy-checker
openstackgerritJuan Antonio Osorio Robles proposed openstack/oslo.policy master: WIP: Create OPA check
*** pcaruana|elisa| has quit IRC09:13
*** nelsnelson has joined #openstack-keystone09:13
*** pcaruana|elisa| has joined #openstack-keystone09:15
*** NikitaKonovalov has quit IRC09:16
*** NikitaKonovalov has joined #openstack-keystone09:18
openstackgerritwangxiyuan proposed openstack/oslo.policy master: Add policy-upgrade tool
*** markvoelker has quit IRC09:27
openstackgerritwangqi proposed openstack/keystone master: EOL while scanning string literal
*** zul has joined #openstack-keystone09:55
*** markvoelker has joined #openstack-keystone10:24
*** mvkr has quit IRC10:25
*** Dinesh_Bhor has quit IRC10:29
*** markvoelker has quit IRC10:58
*** mvkr has joined #openstack-keystone11:40
*** raildo has joined #openstack-keystone11:51
*** markvoelker has joined #openstack-keystone11:54
*** markvoelker has quit IRC12:13
*** markvoelker has joined #openstack-keystone12:13
*** markvoelker has quit IRC12:15
openstackgerritLance Bragstad proposed openstack/oslo.policy master: Make upgrades more robust with policy overrides
*** imus has joined #openstack-keystone12:27
*** imus has quit IRC12:51
*** imus has joined #openstack-keystone12:51
*** imus_ has joined #openstack-keystone12:55
*** imus has quit IRC12:57
openstackgerritMerged openstack/ldappool master: Improve connection retry logging
openstackgerritColleen Murphy proposed openstack/keystone-tempest-plugin master: Add python3 functional test job
cmurphyI think that ^ is the last thing we need for the python3-first goal13:08
*** raildo has quit IRC13:09
*** raildo_ has joined #openstack-keystone13:09
* lbragstad gets his spirit fingers ready 13:24
cmurphyknikolla: i think testshib has been broken for a while, and I just found I think we're gonna have to migrate off sooner rather than later13:42
*** raildo_ has quit IRC14:00
knikollacmurphy: i see. bumping it up on my priority list. thanks.14:01
*** lbudai has joined #openstack-keystone14:02
knikollacmurphy: do you wanna sync up on the outreachy stuff?14:02
openstackgerritMerged openstack/keystone master: Allow registered limit's region_id to be None
openstackgerritMerged openstack/keystone master: Add release note for unified limit APIs changing
openstackgerritMerged openstack/keystone master: Remove check for disabled v3
cmurphyknikolla: sure14:15
knikollacmurphy: awesome.14:21
knikollahow many people have gone through the initial steps?14:21
cmurphyfor the federation one, we have one person who has completed an application, three people who have set up gerrit and have been given a doc fix task, one not yet done setting up gerrit14:25
cmurphythe application period is open until november 6 so they have until then to register a contribution and submit their application14:26
cmurphyi unchecked the "needs more applicants" checkbox so it won't be promoted so much on the website but we still might get more inquiries anyway14:27
knikollacool. do we want to set up an etherpad to keep track of this?14:28
cmurphyknikolla: maybe a private google doc instead? i wouldn't want to disclose applicant names in a public etherpad14:29
knikollacmurphy: true, i realized that as soon as i finished typing it.14:29
*** raildo has joined #openstack-keystone14:30
*** mchlumsky has joined #openstack-keystone14:44
*** aojea_ has joined #openstack-keystone14:57
*** gyee has joined #openstack-keystone15:01
*** nels has joined #openstack-keystone15:03
*** nelsnelson has quit IRC15:04
*** aojea_ has quit IRC15:04
*** jistr is now known as jistr|call15:05
*** nels has quit IRC15:09
*** nelsnelson has joined #openstack-keystone15:11
*** dave-mccowan has joined #openstack-keystone15:19
*** dave-mccowan has quit IRC15:25
openstackgerritLance Bragstad proposed openstack/keystone master: Add test fixture for JWT key repository
openstackgerritLance Bragstad proposed openstack/keystone master: Add PyJWT as a requirement
openstackgerritLance Bragstad proposed openstack/keystone master: Implement scaffolding for JWT provider
openstackgerritLance Bragstad proposed openstack/keystone master: Create configuration options to use JWT
*** aojea_ has joined #openstack-keystone15:33
*** jistr|call is now known as jistr15:35
*** itlinux has joined #openstack-keystone15:47
*** markvoelker has joined #openstack-keystone15:52
hogepodgeHow many releases have application credentials been in Keystone?16:01
cmurphyhogepodge: since queens16:02
prometheanfirekmalloc: does there need to be a keystone bug opened for future/pysaml?16:03
hogepodgecmurphy: thanks16:03
kmallocprometheanfire: i am not sure16:03
kmalloci have a meeting first16:03
kmalloci was going to chase that down16:03
hogepodgeThat makes it eligible for interop in U-release I think.16:03
prometheanfirekmalloc: kk16:04
kmallochogepodge: that is a crazy lead time.16:04
kmallocnot a bad thing16:05
kmallocjust wow, didn't realize we were dealing with that level of lead time16:05
hogepodgekmalloc: we need two years to let downstream clouds get the latest code16:05
kmallocyeah i know16:05
kmallocjust wow :)16:05
prometheanfirethere was a new release of future, we'll see if it fixed it (rebased a couple of hours ago, don't know current gate times)16:13
openstackgerritLance Bragstad proposed openstack/keystone master: Implement scaffolding for JWT provider
*** dnguyen has joined #openstack-keystone16:21
*** kencjohnston has quit IRC16:27
*** kencjohnston has joined #openstack-keystone16:29
kmallocprometheanfire: yeah16:32
kmallocprometheanfire: i am thinking this was a bug in future16:32
kmallocit is so strange16:32
kmallocprometheanfire: i'll keep my eye on it16:32
kmallocif we need to fix pysaml, i'll get an issue opened with them and push code16:32
kmallocelse, we blacklist the version of future16:32
*** pcaruana|elisa| has quit IRC16:37
openstackgerritNathan Kinder proposed openstack/ldappool master: Handle retry logic for timeouts with multiple LDAP servers
*** gyee has quit IRC16:50
*** aojea_ has quit IRC17:05
*** aojea_ has joined #openstack-keystone17:05
*** aojea_ has quit IRC17:07
*** aojea_ has joined #openstack-keystone17:08
*** xek has quit IRC17:20
*** aojea_ has quit IRC17:28
*** aojea_ has joined #openstack-keystone17:29
*** aojea_ has quit IRC17:34
*** imus_ has quit IRC17:38
*** imus_ has joined #openstack-keystone17:39
*** gyee has joined #openstack-keystone17:44
*** mvkr has quit IRC17:49
prometheanfirekmalloc: looks good
kmallocprometheanfire: yay it was a bug in future17:56
kmallocprometheanfire: make sure we explicitly ban the broken version of future17:56
kmallocprometheanfire: so we're telegraphing it's busted to anyone downstream17:56
prometheanfirekmalloc: yep17:58
kmallocprometheanfire: thanks for pushing this through and keeping an eye on it17:58
kmallocmordred: commented on rate limiting17:59
kmallocmordred: it looks good, except a couple minor things and needing tests (to me)17:59
kmallocprometheanfire: ++18:01
kmalloclbragstad, cmurphy: for ldappool (esp. minor things) please just single core-approve18:02
kmallocthere are a total of 3 cores for it18:02
kmallocand i trust both of your decisions :)18:02
prometheanfiresounds like reqs lol18:02
kmallocunless we're adding all of keystone-core.18:02
kmallocwhich... kind of doesn't make sense since it moves so minimally.18:02
kmallocprometheanfire: heheh18:02
kmallocprometheanfire: i'd offer to help with reqs, but i don't think i would be that much benefit :P18:03
kmallocprometheanfire: just because well... it's fairly cut and dry [except in the cases of like this future's patch]18:03
prometheanfirejust regular reviews18:03
prometheanfirefor bot updates we are doing it so that one core can +2+W18:03
cmurphykmalloc: i usually do18:04
kmalloccmurphy: yeah i just noticed lbragstad wasn't :)18:04
cmurphyi think both of nkinder's patches today were worth more than one set of eyes imo18:04
kmallocit was more the posargs one lbragstad +2'd and didn't push through18:05
kmalloci missed ldappool when i did the "curate everything" passes18:05
kmallocbecause... well... bleh.18:05
cmurphyit's easy to forget18:05
kmalloci forgot we owned it for a bit :P since it has so little movement18:05
* cmurphy pats ldappool on the head18:05
kmalloci like that it just works(tm)18:05
kmalloci still want to re-write our driver to use ldap318:06
kmallocbut that is so far down my list of todo...18:06
* lbragstad comes up for air18:06
kmalloclbragstad: if you're that deep in kiddo stuff you need supplemental air... :P18:07
lbragstadactually - i'm digging through pyca/cryptography documentation18:07
lbragstadwhich is just as scary ;)18:07
kmallocoh man18:08
kmalloci'm so sorry18:08
prometheanfireya, it wasn't fun, but wasn't horrible either18:08
kmallocwhat are you digging through that stuff for?18:08
kmalloccmurphy: i *think* i have a test for the exception handler change in flask.18:08
kmalloccmurphy: but... i'll need your eyes on it soon. it's tough because i have to stand up a totally new test-client framework that doesn't do the 418 re-write18:09
kmallocthe 418 bit is super useful for testing... it obscured the 500 error though18:09
cmurphyyeah :(18:10
kmalloclbragstad: -- we do not rehash passwords in migrate phase18:11
kmalloclbragstad: we forklift the data into the new column if the new column is unset18:11
kmallocand we validate using {sha256} vs {scrypt} or {bcrypt} if the password hash indicates with its demarcation18:12
lbragstadok - that's what i thought... so that will not work for FFU, right?18:12
kmallocthey MUST run the migrate step18:12
kmallocFFU is down time and if someone is not running migrate, i'm saying they are wrong18:12
lbragstadi'm working through pyca stuff for JWT to generate public/private key pairs18:12
kmallocif you don't run migrate steps in FFU you're doing bad things.18:12
lbragstaddo they need to run keystone to handle migrating passwords from one hash alg to another?18:13
lbragstadkeystone will support the removed hash alg?18:13
kmallocdbsync does all the work18:13
kmallockeystone still validates $sha256$18:13
kmallocwe cannot ever remove that18:13
ayoungprometheanfire, same person uploaded, reviewed, and approved a patch? Wow18:13
lbragstadok - even though we don't allow you to configure that anymore?18:13
kmallocwe don't have the original passwords, we can't re-hash to a new algo18:14
kmallocyou cannot create new passwords with sha256 hashing18:14
lbragstadright - but we always support the hash alg we're removing?18:14
kmallocwe will always validate passwords that are sha25618:14
kmallocit's explicit unless passwordlib stops supporting sha25618:14
kmallocwhich case... we have other issues18:14
kmallocyeah we will never remove support for validating older password hashes18:15
lbragstadok - i just wanted to make sure we didn't merge that patch without a note if it wasn't going to work for FFU cases18:15
prometheanfireayoung: no, we can only do that for bot patches (see )18:15
kmallocwe may remove the ability to generate with updates the old password hash18:15
kmallocwhich is a-ok18:15
kmallocsince the hash data communicates the algo, rounds, and salt18:15
prometheanfireayoung: as an example of that policy in use18:15
kmallocif you look, the hash ends up being something like $sha256$200$ACX$<hash>18:16
kmallocwhich is algo, rounds, salt18:16
kmallocand hash18:16
ayoungprometheanfire, it doesn't show as a bot review, tho18:17
kmallocayoung: owner?18:17
ayoungkmalloc, and approver18:17
ayoung+2 Matthew Thode18:17
openstackgerritMerged openstack/ldappool master: Don't quote {posargs} in tox.ini
kmallocthe update future one?18:18
kmallocthe owner was still proposal bot18:18
kmalloceven if it was fixed by prometheanfire18:18
kmallocand that is a special case. most are owned/uploaded by bot18:18
kmallocthe blacklist was not bot and scmcginnis (sp?) +2'd18:19
kmallocthe case of future was fixing the version to not break keystone/pysaml... i think this is still all on the up and up18:19
kmallocjust an edge case18:19
kmallocneeding intervention18:19
prometheanfirebasically, ya18:20
openstackgerritColleen Murphy proposed openstack/ldappool master: Add plumbing to support reno release notes
*** mvkr has joined #openstack-keystone18:36
openstackgerritHarry Rybacki proposed openstack/ldappool master: Add plumbing to support reno release notes
*** nicolasbock has joined #openstack-keystone19:19
openstackgerritTaishi Roy proposed openstack/keystone master: changed port address in argument '--bootstrap-admin-url'
openstackgerritNathan Kinder proposed openstack/ldappool master: Handle retry logic for timeouts with multiple LDAP servers
openstackgerritMorgan Fainberg proposed openstack/keystone master: Unregister "Exception" from flask handler
kmalloccmurphy: ^ unregister error fix and a test. it's a little wonky, but it does the job19:42
*** raildo has quit IRC19:53
*** raildo has joined #openstack-keystone20:22
*** raildo has quit IRC20:22
*** imacdonn has quit IRC20:34
*** imacdonn has joined #openstack-keystone20:34
*** imus_ has quit IRC21:05
openstackgerritNathan Kinder proposed openstack/ldappool master: Add plumbing to support reno release notes
*** prometheanfire has left #openstack-keystone21:19
lbragstadnice -
lbragstadyou can copy paste that token into
*** mchlumsky has quit IRC21:36
openstackgerritLance Bragstad proposed openstack/keystone master: Implement scaffolding for JWT provider
lbragstadtokens are a bit longer...21:36
lbragstadbut i don't think we'll need all the payload complexity21:38
lbragstadwhich will be kinda nice21:38
lbragstadsince we've put most of that in the token model21:38
*** tonyb has joined #openstack-keystone21:44
tonybAre keystone API versions backwards compatible?  I'm just wondering about on a stable branch21:45
*** itlinux has quit IRC21:57
lbudaihello everyone,21:57
tonyblbudai: hi21:57
lbudaiis it possible to specify somehow the insecure option in the keystone_authtoken section of the services configuration files?21:57
lbudaiI have an openstack kilo lab environment and the certificates are not set up properly21:58
lbudaiin the cli I can use the --insecure option, but the token validation fails21:59
lbudaiso right now I have this line: identity_uri = https://vip.mgmt-b.lab.mydomain.intra:3535722:00
lbudaiis there an option to accept any certificate from the keystone endpoint?22:01
*** aojea has joined #openstack-keystone22:13
tonyblbudai: Sorry I don't know.  In Kilo I used http rather than https22:15
*** gyee has quit IRC22:19
lbudaitonyb: if I'm reconfiguring it to http, then it works .... but I would prefer to have it https22:21
lbudaiI think, it's better if I'm fixing the certificates. as the problem is there22:22
tonyblbudai: I agree, I just can't help you22:25
lbudaiit's OK. Thank you. I'll figure out the certificates.22:26
kmalloclbragstad: i am ok with the tokens being a bit longer honestly22:37
kmalloclbragstad: we're still working to keep them as small as reasonable22:37
kmalloctonyb: all keystone APIs should be compatible as we are strictly additive with exception of "experimental" marked APIs22:38
kmalloctonyb: I would expect a modern keystone to work as far back as something that can reasonably talk V3.22:39
kmalloctonyb: the 3.11 bump there was because, afaict we missed that bump at actual release time22:39
kmalloclbudai: you should be able to use the boolean "insecure" in the config file
kmalloclbudai: but i highly recommend fixing the certificates instead22:41
tonybkmalloc: does a client send the version in a header like nova or ironic? and expect certain results based on the version?22:42
kmallocthis isn't like microversions22:42
kmallocwe don't do microversions22:42
tonybkmalloc: To me it looks like all the code is in 14.0.0 this is just saying oh and BTW we're 3.11 not 3.1022:42
kmallocpretty much, we have release notes that indicate what was added (in some cases things like new APIs)22:43
kmallocbut that is about as far as the correlation goes22:43
tonybkmalloc: Thanks.  I'll think on it while I'm heading to my meeting and then ask more questions or +W it when I'm back22:43
kmallocyeah. i think this is again a "whoops we missed doing this before release"22:44
kmallocand we're trying to correct that22:44
lbudaikmalloc: Thank you! Yes I'm working on the certs. Just to make sure I understood you correctly, you are suggesting to have the line something like this: identity_uri = https://vip.mgmt-b.lab.mydomain.intra:35357 and add one more line to the same section : insecure = true . is this what you meant?22:44
kmallocthat *should* do it22:44
lbudaitesting it right now ....22:45
kmallocbut also note Kilo is EOL, so if it doesn't work... I can't really propose a fix for it22:45
kmalloci can provide guidance on where to tack a fix in though if it really doesn't do the job22:45
lbudaithat did the trick. THANK YOU!22:46
kmallochappy to help22:47
lbudaiour prod env it's OK, and I've found the issue with the cert also. But now I've also learned something :)22:47
*** itlinux has joined #openstack-keystone22:50
*** dnguyen has quit IRC22:53
*** lbudai has quit IRC23:08
