Wednesday, 2018-10-31

clarkb	but fungi likely has better info	00:00
clarkb	it was a thing that happened over the weekend and I was distracted by running a smoker	00:00
kmalloc	yeah just ran into the same issue locally	00:00
kmalloc	i'll, for now, just toss in html into our deps.	00:00
kmalloc	and we can chase out better options down the road	00:00
kmalloc	probably pysaml needs to do so as well	00:01
clarkb	++	00:01
openstackgerrit	Merged openstack/keystone master: Remove obsolete credential policies https://review.openstack.org/597187	00:02
kmalloc	huh.	00:02
kmalloc	html isn't part of stdlib	00:03
kmalloc	weird.	00:03
kmalloc	oh	00:03
kmalloc	py3	00:03
kmalloc	facepalm	00:03
clarkb	TIL python3 has an html parser in stdlib	00:04
kmalloc	yeah	00:10
kmalloc	and the pypi onew that py2 leans on is last updated in ... 2011	00:11
kmalloc	or so	00:11
kmalloc	afaict	00:11
kmalloc	this does not inspire me with a lot of confidence	00:11
kmalloc	i mean. it clearly works but...	00:11
kmalloc	ugh	00:11
prometheanfire	kmalloc: I've seen this over the last few generate-constrats things and just now narrowed it down to futures	00:15
prometheanfire	I actually expected 8601 to be the problem initially (given there were two updates recently with it	00:16
kmalloc	yeah looks like futures has changed something	00:16
kmalloc	i'm digging into how that broke import html	00:16
prometheanfire	py37 would be nice (it is shaping up nicely)	00:16
kmalloc	it's... weird.	00:17
kmalloc	py37 is NICE	00:17
kmalloc	but this futures issue is weird.	00:17
prometheanfire	only python I don't have installed is py34	00:17
kmalloc	i have py35, 36, and 27	00:17
kmalloc	all in docker containers	00:17
kmalloc	:)	00:17
prometheanfire	gentoo :P	00:17
kmalloc	and py3 whatever came with 18.04 but nothing installed locally	00:17
prometheanfire	(2.7) 2.7.14-r1{xpak:5} ~2.7.14-r2 2.7.15{xpak}	00:17
prometheanfire	(3.4) 3.4.5-r1(3.4/3.4m)^t ~3.4.6-r1(3.4/3.4m) 3.4.8(3.4/3.4m) ~3.4.8-r1(3.4/3.4m)	00:17
prometheanfire	(3.5) 3.5.4-r1(3.5/3.5m)^t{xpak:4} 3.5.5(3.5/3.5m)^t{xpak} ~3.5.5-r1(3.5/3.5m)^t	00:18
prometheanfire	(3.6) 3.6.3-r1(3.6/3.6m)^t{xpak:4} ~3.6.4(3.6/3.6m)^t 3.6.5(3.6/3.6m)^t{xpak} ~3.6.5-r1(3.6/3.6m)^t ~3.6.6(3.6/3.6m)^t	00:18
kmalloc	so i don't pollute my base OS with dependencies	00:18
prometheanfire	(3.7) (~)3.7.0(3.7/3.7m)^t{xpak}	00:18
prometheanfire	those are the versions I can have	00:18
kmalloc	and don't have to chase anything down	00:18
prometheanfire	37 isn't marked stable quite yet	00:18
kmalloc	yeah	00:18
prometheanfire	I kinda wish pipenv installed python itself as well	00:18
prometheanfire	that'd be nice for bootstraping and getting rid of the OS entirely for virtualenvs	00:19
prometheanfire	basically, I don't think we should need containers to do that I guess	00:21
clarkb	prometheanfire: pyenv?	00:24
prometheanfire	clarkb: that exists?	00:26
clarkb	ya	00:27
clarkb	it doesnt work everywhere though. I cant get it to compile properly in tumbleweed and the python packaging for duse has clues for why	00:27
prometheanfire	looks like it works with vagrant?	00:28
clarkb	it compiles locally into $dir iirc	00:30
*** gyee has quit IRC		00:36
prometheanfire	hmm	00:39
prometheanfire	at least for gentoo it's fairly easy to have multiple pythons and switch between them	00:39
clarkb	ya gentoo is sort of built around that. Most distros are not. Nix is another one that makes it easy as are fedora and debian aiui	00:40
prometheanfire	ya, iirc debian has a thing for switching default python, not sure about fedora but would not be surprised. nix, of course :P	00:43
*** markvoelker has quit IRC		00:49
*** markvoelker has joined #openstack-keystone		00:50
openstackgerrit	Adrian Turjak proposed openstack/keystone master: Implement auth receipts spec https://review.openstack.org/611230	00:52
adriant	woo! I think/hope that's now pretty much almost there other than discussions about code duplication!	00:53
*** markvoelker has quit IRC		00:55
openstackgerrit	Adrian Turjak proposed openstack/keystone master: [WIP] Add documentation for Auth Receipts and MFA https://review.openstack.org/580535	00:56
*** mchlumsky has joined #openstack-keystone		01:04
*** mchlumsky has quit IRC		01:07
fungi	clarkb: kmalloc: yes, see the discussion on earlier patchsets of https://review.openstack.org/613726	01:08
*** mchlumsky has joined #openstack-keystone		01:09
fungi	was a regression in readme_renderer (a dep of twine)	01:09
*** mchlumsky has quit IRC		01:11
openstackgerrit	wangxiyuan proposed openstack/keystone master: Deprecate eventlet related configuration https://review.openstack.org/568764	01:13
*** aojea_ has joined #openstack-keystone		01:23
*** aojea_ has quit IRC		01:28
*** Dinesh_Bhor has joined #openstack-keystone		01:48
*** Dinesh_Bhor has quit IRC		02:20
openstackgerrit	Nathan Kinder proposed openstack/ldappool master: Improve connection retry logging https://review.openstack.org/614383	02:21
*** Dinesh_Bhor has joined #openstack-keystone		02:24
*** itlinux has joined #openstack-keystone		02:45
*** markvoelker has joined #openstack-keystone		02:51
*** itlinux has quit IRC		02:56
*** Nel1x has joined #openstack-keystone		03:23
*** markvoelker has quit IRC		03:24
openstackgerrit	wangxiyuan proposed openstack/keystone master: Add release note for unified limit APIs changing https://review.openstack.org/611763	03:29
*** Nel1x has quit IRC		03:52
*** dave-mccowan has quit IRC		04:18
*** markvoelker has joined #openstack-keystone		04:21
*** sapd1 has quit IRC		04:22
*** Dinesh_Bhor has quit IRC		04:33
*** sapd1 has joined #openstack-keystone		04:49
*** markvoelker has quit IRC		04:54
*** Dinesh_Bhor has joined #openstack-keystone		04:59
*** itlinux has joined #openstack-keystone		05:05
*** pcaruana\|elisa\| has joined #openstack-keystone		05:29
*** pcaruana\|elisa\| has quit IRC		05:37
*** markvoelker has joined #openstack-keystone		05:51
*** itlinux has quit IRC		06:04
*** Dinesh_Bhor has quit IRC		06:13
*** Dinesh_Bhor has joined #openstack-keystone		06:25
*** markvoelker has quit IRC		06:26
*** cabledude has quit IRC		06:31
openstackgerrit	wangxiyuan proposed openstack/oslo.limit master: Add limit check func https://review.openstack.org/596520	06:54
openstackgerrit	wangxiyuan proposed openstack/oslo.limit master: Add limit check func https://review.openstack.org/596520	07:01
*** Dinesh_Bhor has quit IRC		07:10
*** Dinesh_Bhor has joined #openstack-keystone		07:11
*** markvoelker has joined #openstack-keystone		07:24
openstackgerrit	wangxiyuan proposed openstack/keystone-specs master: Add domain level limit support https://review.openstack.org/599491	07:31
*** xek has joined #openstack-keystone		07:38
*** pcaruana\|elisa\| has joined #openstack-keystone		07:45
*** Dinesh_Bhor has quit IRC		07:55
*** markvoelker has quit IRC		07:57
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/oslo.policy master: Unit test for CLI https://review.openstack.org/614356	08:32
*** markvoelker has joined #openstack-keystone		08:54
openstackgerrit	wangxiyuan proposed openstack/oslo.limit master: Add limit check func https://review.openstack.org/596520	08:56
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/oslo.policy master: Pass in policy name as part of the oslopolicy-check check call https://review.openstack.org/614223	09:03
*** Dinesh_Bhor has joined #openstack-keystone		09:05
*** nels has quit IRC		09:11
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/oslo.policy master: Add ability to pass in target data for the oslopolicy-checker https://review.openstack.org/613313	09:12
openstackgerrit	Juan Antonio Osorio Robles proposed openstack/oslo.policy master: WIP: Create OPA check https://review.openstack.org/614224	09:12
*** pcaruana\|elisa\| has quit IRC		09:13
*** nelsnelson has joined #openstack-keystone		09:13
*** pcaruana\|elisa\| has joined #openstack-keystone		09:15
*** NikitaKonovalov has quit IRC		09:16
*** NikitaKonovalov has joined #openstack-keystone		09:18
openstackgerrit	wangxiyuan proposed openstack/oslo.policy master: Add policy-upgrade tool https://review.openstack.org/613906	09:26
*** markvoelker has quit IRC		09:27
openstackgerrit	wangqi proposed openstack/keystone master: EOL while scanning string literal https://review.openstack.org/614448	09:31
*** zul has joined #openstack-keystone		09:55
*** markvoelker has joined #openstack-keystone		10:24
*** mvkr has quit IRC		10:25
*** Dinesh_Bhor has quit IRC		10:29
*** markvoelker has quit IRC		10:58
*** mvkr has joined #openstack-keystone		11:40
*** raildo has joined #openstack-keystone		11:51
*** markvoelker has joined #openstack-keystone		11:54
*** markvoelker has quit IRC		12:13
*** markvoelker has joined #openstack-keystone		12:13
*** markvoelker has quit IRC		12:15
openstackgerrit	Lance Bragstad proposed openstack/oslo.policy master: Make upgrades more robust with policy overrides https://review.openstack.org/614195	12:20
*** imus has joined #openstack-keystone		12:27
*** imus has quit IRC		12:51
*** imus has joined #openstack-keystone		12:51
*** imus_ has joined #openstack-keystone		12:55
*** imus has quit IRC		12:57
openstackgerrit	Merged openstack/ldappool master: Improve connection retry logging https://review.openstack.org/614383	13:02
openstackgerrit	Colleen Murphy proposed openstack/keystone-tempest-plugin master: Add python3 functional test job https://review.openstack.org/614492	13:06
cmurphy	I think that ^ is the last thing we need for the python3-first goal	13:08
*** raildo has quit IRC		13:09
*** raildo_ has joined #openstack-keystone		13:09
* lbragstad gets his spirit fingers ready		13:24
cmurphy	knikolla: i think testshib has been broken for a while, and I just found https://marc.info/?l=shibboleth-users&m=154056288800549&w=2 I think we're gonna have to migrate off sooner rather than later	13:42
*** raildo_ has quit IRC		14:00
knikolla	cmurphy: i see. bumping it up on my priority list. thanks.	14:01
*** lbudai has joined #openstack-keystone		14:02
knikolla	cmurphy: do you wanna sync up on the outreachy stuff?	14:02
openstackgerrit	Merged openstack/keystone master: Allow registered limit's region_id to be None https://review.openstack.org/610887	14:14
openstackgerrit	Merged openstack/keystone master: Add release note for unified limit APIs changing https://review.openstack.org/611763	14:14
openstackgerrit	Merged openstack/keystone master: Remove check for disabled v3 https://review.openstack.org/613402	14:14
cmurphy	knikolla: sure	14:15
knikolla	cmurphy: awesome.	14:21
knikolla	how many people have gone through the initial steps?	14:21
cmurphy	for the federation one, we have one person who has completed an application, three people who have set up gerrit and have been given a doc fix task, one not yet done setting up gerrit	14:25
cmurphy	the application period is open until november 6 so they have until then to register a contribution and submit their application	14:26
cmurphy	i unchecked the "needs more applicants" checkbox so it won't be promoted so much on the website but we still might get more inquiries anyway	14:27
knikolla	cool. do we want to set up an etherpad to keep track of this?	14:28
cmurphy	knikolla: maybe a private google doc instead? i wouldn't want to disclose applicant names in a public etherpad	14:29
knikolla	cmurphy: true, i realized that as soon as i finished typing it.	14:29
knikolla	:)	14:29
*** raildo has joined #openstack-keystone		14:30
*** mchlumsky has joined #openstack-keystone		14:44
*** aojea_ has joined #openstack-keystone		14:57
*** gyee has joined #openstack-keystone		15:01
*** nels has joined #openstack-keystone		15:03
*** nelsnelson has quit IRC		15:04
*** aojea_ has quit IRC		15:04
*** jistr is now known as jistr\|call		15:05
*** nels has quit IRC		15:09
*** nelsnelson has joined #openstack-keystone		15:11
*** dave-mccowan has joined #openstack-keystone		15:19
*** dave-mccowan has quit IRC		15:25
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add test fixture for JWT key repository https://review.openstack.org/614547	15:26
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Add PyJWT as a requirement https://review.openstack.org/614548	15:26
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Implement scaffolding for JWT provider https://review.openstack.org/614549	15:26
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Create configuration options to use JWT https://review.openstack.org/614550	15:26
*** aojea_ has joined #openstack-keystone		15:33
*** jistr\|call is now known as jistr		15:35
*** itlinux has joined #openstack-keystone		15:47
*** markvoelker has joined #openstack-keystone		15:52
hogepodge	How many releases have application credentials been in Keystone?	16:01
cmurphy	hogepodge: since queens	16:02
prometheanfire	kmalloc: does there need to be a keystone bug opened for future/pysaml?	16:03
hogepodge	cmurphy: thanks	16:03
kmalloc	prometheanfire: i am not sure	16:03
kmalloc	i ahve a meeting first	16:03
kmalloc	i was going to chase that down	16:03
hogepodge	That makes it eligible for interop in U-release I think.	16:03
prometheanfire	kmalloc: kk	16:04
kmalloc	hogepodge: that is a crazy lead time.	16:04
kmalloc	imo	16:04
kmalloc	:P	16:05
kmalloc	not a bad thing	16:05
kmalloc	just wow, didn't realize we were dealing with that level of lead time	16:05
hogepodge	kmalloc: we need two years to let downstream clouds get the latest code	16:05
kmalloc	yeah i know	16:05
kmalloc	just wow :)	16:05
prometheanfire	there was a new release of future, we'll see if it fixed it (rebased a couple of hours ago, don't know current gate times)	16:13
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Implement scaffolding for JWT provider https://review.openstack.org/614549	16:17
*** dnguyen has joined #openstack-keystone		16:21
*** kencjohnston has quit IRC		16:27
*** kencjohnston has joined #openstack-keystone		16:29
kmalloc	prometheanfire: yeah	16:32
kmalloc	prometheanfire: i am thinking this was a bug in future	16:32
kmalloc	it is so strange	16:32
kmalloc	prometheanfire: i'll keep my eye on it	16:32
kmalloc	if we need to fix pysaml, i'll get an issue opened with them and push code	16:32
kmalloc	else, we blacklist the versiuon of future	16:32
prometheanfire	yarp	16:36
*** pcaruana\|elisa\| has quit IRC		16:37
openstackgerrit	Nathan Kinder proposed openstack/ldappool master: Handle retry logic for timeouts with multiple LDAP servers https://review.openstack.org/614586	16:48
*** gyee has quit IRC		16:50
*** aojea_ has quit IRC		17:05
*** aojea_ has joined #openstack-keystone		17:05
*** aojea_ has quit IRC		17:07
*** aojea_ has joined #openstack-keystone		17:08
*** xek has quit IRC		17:20
*** aojea_ has quit IRC		17:28
*** aojea_ has joined #openstack-keystone		17:29
*** aojea_ has quit IRC		17:34
*** imus_ has quit IRC		17:38
*** imus_ has joined #openstack-keystone		17:39
*** gyee has joined #openstack-keystone		17:44
*** mvkr has quit IRC		17:49
prometheanfire	kmalloc: looks goodhttps://review.openstack.org/614408	17:53
kmalloc	prometheanfire: yay it was a bug in future	17:56
kmalloc	prometheanfire: make sure we explicitly ban the broken version of future	17:56
kmalloc	prometheanfire: so we're telegraphing it's busted to anyone downstream	17:56
prometheanfire	kmalloc: yep	17:58
kmalloc	prometheanfire: thanks for pushing this through and keeping an eye on it	17:58
kmalloc	:)	17:58
kmalloc	mordred: commented on rate limiting	17:59
kmalloc	mordred: it looks good, except a couple minor things and needing tests (to me)	17:59
prometheanfire	kmalloc: https://review.openstack.org/614608	18:01
kmalloc	prometheanfire: ++	18:01
kmalloc	lbragstad, cmurphy: for ldappool (esp. minor things) please just single core-approve	18:02
kmalloc	there are a total of 3 cores for it	18:02
kmalloc	and i trust both of your decisions :)	18:02
prometheanfire	sounds like reqs lol	18:02
kmalloc	unless we're adding all of keystone-core.	18:02
kmalloc	which... kindof doesn't make sense since it moves so minimally.	18:02
kmalloc	prometheanfire: heheh	18:02
kmalloc	prometheanfire: i'd offer to help with reqs, but i don't think i would be that much benefit :P	18:03
kmalloc	prometheanfire: just because well... it's fairly cut and dry [except in the cases of like this future's patch]	18:03
prometheanfire	just regular reviews	18:03
prometheanfire	for bot updates we are doing it so that one core can +2+W	18:03
kmalloc	yep.	18:03
cmurphy	kmalloc: i usually do	18:04
kmalloc	cmurphy: yeah i just noticed lbragstad wasn't :)	18:04
cmurphy	i think both of nkinder's patches today were worth more than one set of eyes imo	18:04
kmalloc	yep	18:04
kmalloc	it was more the posargs one lbragstad +2'd and didn't push through	18:05
kmalloc	i missed ldappool when i did the "curate everything" passes	18:05
kmalloc	because... well... bleh.	18:05
cmurphy	it's easy to forget	18:05
kmalloc	i forgot we owned it for a bit :P since it has so little movement	18:05
* cmurphy pats ldappool on the head		18:05
kmalloc	i like that it just works(tm)	18:05
kmalloc	i still want to re-write our driver to use ldap3	18:06
kmalloc	but that is so far down my list of todo...	18:06
* lbragstad comes up for ai		18:06
lbragstad	air*	18:06
kmalloc	lbragstad: if you're that deep in kiddo stuff you need supplemental air... :P	18:07
lbragstad	lol	18:07
lbragstad	actually - i'm digging through pyca/cryptography documentation	18:07
lbragstad	which is just as scary ;)	18:07
kmalloc	oh man	18:08
kmalloc	i'm so sorry	18:08
prometheanfire	ya, it wasn't fun, but wasn't horible either	18:08
kmalloc	what are you digging through that stuff for?	18:08
kmalloc	cmurphy: i think i have a test for the exception handler change in flask.	18:08
kmalloc	cmurphy: but... i'll need your eyes on it soon. it's tough because i have to stand up a totally new test-client framework that doesn't do the 418 re-write	18:09
kmalloc	the 418 bit is super useful for testing... it obscured the 500 error though	18:09
cmurphy	yeah :(	18:10
kmalloc	lbragstad: https://review.openstack.org/#/c/613513/3 -- we do not rehash passwords in migrate phase	18:11
kmalloc	lbragstad: we forklift the data into the new column if the new column is unset	18:11
kmalloc	and we validate using {sha256} vs {scrypt} or {bcrypt} if the password hash indicates with it's demarcation	18:12
lbragstad	ok - that's what i though... so that will not work for FFU, right?	18:12
kmalloc	they MUST run the migrate setp	18:12
kmalloc	step	18:12
kmalloc	FFU is down time and if someone is not running migrate, i'm saying they are wrong	18:12
lbragstad	i'm working through pyca stuff for JWT to generate public/private key pairs	18:12
kmalloc	if you don't run migrate steps in FFU you're doing bad things.	18:12
lbragstad	do they need to run keystone to handle migrating passwords from one hash alg to another?	18:13
kmalloc	no.	18:13
lbragstad	keystone will support the removed hash alg?	18:13
kmalloc	dbsync does all the work	18:13
kmalloc	keystone still validates $sha256$	18:13
kmalloc	we cannot ever remove that	18:13
ayoung	prometheanfire, same person up loaded, reviewed, and approved a patch? Wow	18:13
lbragstad	ok - even though we don't allow you to configure that anymore?	18:13
kmalloc	we don't have the original passwords, we can't re-hash to a new algo	18:14
kmalloc	correct	18:14
kmalloc	you cannot create new passwords with sha256 hashing	18:14
lbragstad	right - but we always support the hash alg we're removing?	18:14
kmalloc	we will always validate passwords that are sha256	18:14
lbragstad	ok	18:14
kmalloc	it's explicit unless passwordlib stops supporting sha256	18:14
kmalloc	which case... we have other issues	18:14
lbragstad	sure	18:14
kmalloc	yeah we will never remove support for validating older password hashes	18:15
lbragstad	ok - i just wanted to make sure we didn't merge that patch without a note if it wasn't going to work for FFU cases	18:15
prometheanfire	ayoung: no, we can only do that for bot patches (see https://review.openstack.org/614608 )	18:15
kmalloc	we may remove the ability to generate with updates the old password hash	18:15
kmalloc	which is a-ok	18:15
kmalloc	since the hash data communicates the algo, rounds, and salt	18:15
prometheanfire	ayoung: https://review.openstack.org/614519 as an example of that policy in use	18:15
lbragstad	gotcha	18:16
kmalloc	if you look, the hash ends up being something like $sha256$200$ACX$<hash>	18:16
kmalloc	which is algo, rounds, salt	18:16
kmalloc	and hash	18:16
kmalloc	:)	18:16
ayoung	prometheanfire, it doesn't show as a bot review, tho	18:17
kmalloc	ayoung: owner?	18:17
ayoung	kmalloc, and approver	18:17
ayoung	Code-Review	18:17
ayoung	+2 Matthew Thode	18:17
openstackgerrit	Merged openstack/ldappool master: Don't quote {posargs} in tox.ini https://review.openstack.org/609135	18:18
kmalloc	the update future one?	18:18
kmalloc	the owner was still proposal bot	18:18
kmalloc	even if it was fixed by prometheanfire	18:18
kmalloc	and that is a special case. most are owned/uploaded by boty	18:18
kmalloc	the blacklist was not bot and scmcginnis (sp?) +2'd	18:19
kmalloc	the case of future was fixing the version to not break keystone/pysaml... i think this is still all on the up and up	18:19
kmalloc	just an edge case	18:19
kmalloc	needing intervention	18:19
prometheanfire	basically, ya	18:20
openstackgerrit	Colleen Murphy proposed openstack/ldappool master: Add plumbing to support reno release notes https://review.openstack.org/614611	18:24
*** mvkr has joined #openstack-keystone		18:36
openstackgerrit	Harry Rybacki proposed openstack/ldappool master: Add plumbing to support reno release notes https://review.openstack.org/614611	18:37
*** nicolasbock has joined #openstack-keystone		19:19
openstackgerrit	Taishi Roy proposed openstack/keystone master: changed port address in argument '--bootstrap-admin-url' https://review.openstack.org/614620	19:31
openstackgerrit	Nathan Kinder proposed openstack/ldappool master: Handle retry logic for timeouts with multiple LDAP servers https://review.openstack.org/614586	19:40
openstackgerrit	Morgan Fainberg proposed openstack/keystone master: Unregister "Exception" from flask handler https://review.openstack.org/613961	19:41
kmalloc	cmurphy: ^ unregister error fix and a test. it's a little wonky, but it does the job	19:42
*** raildo has quit IRC		19:53
*** raildo has joined #openstack-keystone		20:22
*** raildo has quit IRC		20:22
*** imacdonn has quit IRC		20:34
*** imacdonn has joined #openstack-keystone		20:34
*** imus_ has quit IRC		21:05
openstackgerrit	Nathan Kinder proposed openstack/ldappool master: Add plumbing to support reno release notes https://review.openstack.org/614611	21:15
*** prometheanfire has left #openstack-keystone		21:19
lbragstad	nice - http://paste.openstack.org/show/733741/	21:31
lbragstad	you can copy paste that token into https://jwt.io/#libraries	21:34
*** mchlumsky has quit IRC		21:36
openstackgerrit	Lance Bragstad proposed openstack/keystone master: Implement scaffolding for JWT provider https://review.openstack.org/614549	21:36
lbragstad	tokens are a bit longer...	21:36
lbragstad	but i don't think we'll need all the payload complexity	21:38
lbragstad	which will be kinda nice	21:38
lbragstad	since we've put most of that in the token model	21:38
*** tonyb has joined #openstack-keystone		21:44
tonyb	Are keystone API versions backwards compatible? I'm just wondering about https://review.openstack.org/#/c/611300/1 on a stable branch	21:45
*** itlinux has quit IRC		21:57
lbudai	hello everyone,	21:57
tonyb	lbudai: hi	21:57
lbudai	is it possible to specify somehow the insecure option in the keystone_authtoken section of the services configurtion files?	21:57
lbudai	I have an openstack kilo lab environment and the certificates are not set up properly	21:58
lbudai	in the cli I can use the --insecure option, but the token validation fails	21:59
lbudai	so right now I have this line: identity_uri = https://vip.mgmt-b.lab.mydomain.intra:35357	22:00
lbudai	is there an option to accept any certificate from the keystone endpoint?	22:01
*** aojea has joined #openstack-keystone		22:13
tonyb	lbudai: Sorry I don't know. In Kilo I used used http rather than https	22:15
*** gyee has quit IRC		22:19
lbudai	tonyb: if I'm reconfiguring it to http, then it works .... but I would prefer to have it https	22:21
lbudai	I think, its better if I'm fixing the certificates. as th problem is there	22:22
tonyb	lbudai: I agree, I just can't help you	22:25
lbudai	it's OK. Thank you. I'll figure out the certificates.	22:26
kmalloc	lbragstad: i am ok with the tokens being a bit longer honestly	22:37
kmalloc	lbragstad: we're still working to keep them as small as reasonable	22:37
kmalloc	tonyb: all keystone APIs should be compatible as we are strictly additive with exception of "experimental" marked APIs	22:38
kmalloc	tonyb: I would expect a modern keystone to work as far back as something that can reasonably talk V3.	22:39
kmalloc	tonyb: the 3.11 bump there was because, afaict we missed that bump at actual release time	22:39
kmalloc	lbudai: you should be able to use the boolean "insecurE" in the config file https://github.com/openstack/keystonemiddleware/blob/kilo-eol/keystonemiddleware/auth_token/__init__.py#L267	22:40
kmalloc	lbudai: but i highly recommend fixing the certificates instead	22:41
tonyb	kmalloc: does a client send the version in a header like nova or ironic? and expect certain results based on the version?	22:42
kmalloc	unlikely	22:42
kmalloc	this isn't like microversions	22:42
kmalloc	we don't do microversions	22:42
tonyb	kmalloc: To me it looks like all the code is in 14.0.0 this is just saying oh and BTW we're 3.11 not 3.10	22:42
kmalloc	yeah	22:42
kmalloc	pretty much, we have release notes that indicate what was added (in some cases things like new APIs)	22:43
kmalloc	but that is about as far as the correlation goes	22:43
tonyb	kmalloc: Thanks. I'll think on it while I'm heading to my meeting and then ask more questions or +W it when I'm back	22:43
kmalloc	yeah. i think this is again a "whoopse we missed doing this before release"	22:44
kmalloc	and we're trying to correct that	22:44
lbudai	kmalloc: Thank you! Yes I'm working on the certs. Just to make sure I understood you correctly, you are suggesting to have the line something like this: identity_uri = https://vip.mgmt-b.lab.mydomain.intra:35357 and add one more line to the same section : insecure = true . is this what you meant?	22:44
kmalloc	yes	22:44
kmalloc	that should do it	22:44
lbudai	testing it right now ....	22:45
kmalloc	but also note Kilo is EOL, so if it doesn't work... I can't really propose a fix for it	22:45
kmalloc	i can provide guidance on where to tack a fix in though if it really doesn't do the job	22:45
lbudai	that did the trick. THANK YOU!	22:46
kmalloc	happy to help	22:47
lbudai	our prod env it's OK, and I've found the issue with the cert also. But now I've also learned something :)	22:47
*** itlinux has joined #openstack-keystone		22:50
*** dnguyen has quit IRC		22:53
*** lbudai has quit IRC		23:08

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!