Wednesday, 2018-12-05

*** aojea has quit IRC00:15
*** blake has quit IRC00:30
*** gyee has quit IRC00:33
*** aojea has joined #openstack-keystone00:56
*** aojea has quit IRC01:00
*** aojea has joined #openstack-keystone01:08
*** aojea has quit IRC01:13
*** Nel1x has joined #openstack-keystone01:16
openstackgerritzhongshengping proposed openstack/oslo.limit master: Update mailinglist from dev to discuss
*** erus has quit IRC01:43
*** erus has joined #openstack-keystone01:44
*** aojea has joined #openstack-keystone01:56
*** dklyle has quit IRC02:12
*** dklyle has joined #openstack-keystone02:13
*** Dinesh_Bhor has joined #openstack-keystone02:13
*** aojea has quit IRC02:19
*** Dinesh_Bhor has quit IRC02:39
*** Dinesh_Bhor has joined #openstack-keystone02:48
*** imacdonn has quit IRC02:52
*** imacdonn has joined #openstack-keystone02:53
*** aojea has joined #openstack-keystone03:11
*** Nel1x has quit IRC03:16
*** nehaalhat has quit IRC03:32
openstackgerritVieri proposed openstack/keystonemiddleware master: Change openstack-dev to openstack-discuss
*** aojea has quit IRC03:37
openstackgerritVieri proposed openstack/keystoneauth master: Change openstack-dev to openstack-discuss
openstackgerritVieri proposed openstack/keystone-tempest-plugin master: Change openstack-dev to openstack-discuss
openstackgerritwangxiyuan proposed openstack/keystone master: Add domain level limit support - Manager
openstackgerritwangxiyuan proposed openstack/keystone master: [WIP]Add domain level limit support - API
*** Dinesh_Bhor has quit IRC03:56
openstackgerritMerged openstack/keystone-specs master: Change openstack-dev to openstack-discuss
*** itlinux has joined #openstack-keystone04:12
*** mordred has quit IRC04:57
*** mordred has joined #openstack-keystone04:57
*** Dinesh_Bhor has joined #openstack-keystone05:02
*** aojea has joined #openstack-keystone05:22
*** aojea has quit IRC05:27
*** dmellado has quit IRC05:46
*** dmellado has joined #openstack-keystone05:48
cosss_Thanks @kmalloc will take a look into the code.05:48
cosss_I think this could be it:
*** dmellado has quit IRC05:55
*** dmellado has joined #openstack-keystone05:57
*** dmellado has quit IRC06:02
*** dmellado has joined #openstack-keystone06:14
*** nehaalhat has joined #openstack-keystone06:18
kmalloccosss_: it works for a lot of bits06:27
*** Dinesh_Bhor has quit IRC06:57
*** pcaruana has joined #openstack-keystone07:10
*** Dinesh_Bhor has joined #openstack-keystone07:16
*** takamatsu has joined #openstack-keystone07:21
*** amoralej|off is now known as amoralej08:14
*** awalende has joined #openstack-keystone08:20
*** awalende_ has joined #openstack-keystone08:33
*** awalende has quit IRC08:35
*** jmlowe has quit IRC08:35
*** aojea_ has joined #openstack-keystone09:03
*** aojea_ has quit IRC09:07
*** xek has joined #openstack-keystone09:21
*** Dinesh_Bhor has quit IRC09:25
openstackgerritwangxiyuan proposed openstack/keystone master: [WIP]Add domain level limit support - API
*** trident has quit IRC09:29
*** Dinesh_Bhor has joined #openstack-keystone09:30
*** trident has joined #openstack-keystone09:31
*** rcernin has quit IRC09:38
openstackgerritwangqiang-bj proposed openstack/python-keystoneclient master: fix typos
*** Dinesh_Bhor has quit IRC10:31
*** shrasool has joined #openstack-keystone10:48
*** Dinesh_Bhor has joined #openstack-keystone10:54
*** Dinesh_Bhor has quit IRC10:59
*** xek has quit IRC11:12
*** xek has joined #openstack-keystone11:26
*** xek has quit IRC11:38
*** sayalilunkad has quit IRC12:11
*** sayalilunkad has joined #openstack-keystone12:37
*** raildo has joined #openstack-keystone12:42
*** shrasool has quit IRC12:47
*** jdennis has quit IRC13:20
*** amoralej is now known as amoralej|lunch13:23
*** raildo has quit IRC13:24
*** raildo has joined #openstack-keystone13:24
nehaalhatHi, Ia any one aware about how to run tempest test cases for python-keystoneclient13:28
*** aojea has joined #openstack-keystone13:45
*** raildo has quit IRC13:54
*** raildo has joined #openstack-keystone13:55
cmurphynehaalhat: keystoneclient doesn't have tempest tests since it's not a service, do you want to run the functional tests?13:57
*** raildo has quit IRC14:00
*** amoralej|lunch is now known as amoralej14:04
*** bzhao__ has quit IRC14:18
openstackgerritColleen Murphy proposed openstack/ldappool master: Fix releasenotes build
*** jdennis has joined #openstack-keystone14:53
cmurphyerus: from our discussion yesterday I went and distilled the first few tasks into a list of goals and minitasks in this etherpad, easier than trying to use trello i think let me know if that is helpful (cc kmalloc and knikolla )15:09
cmurphyimus: i went ahead and did the same for you
erusHi cmurphy how are you? I created the account in trello, it's erus :) I will check the etherpad thanks15:12
lbragstaderus is your trello id @erus8?15:13
erusSip sorry15:13
erusI was changing it15:13
erusErus is already taken15:14
lbragstadoh - that's fine, i was just searching for you so i could add you to the keystone team15:14
lbragstad(in trello)15:14
imushi cmurphy. Ok sounds good I will take a look15:15
*** jdennis has quit IRC15:15
*** kklimonda has joined #openstack-keystone15:15
erusI changed it to erudyn instead of erus815:17
lbragstadinvite is on the way15:18
cmurphythanks lbragstad15:19
lbragstadyup - does imus have an account?15:19
kklimondais there a way to refresh token without user credentials?15:20
cmurphylbragstad: i added imus already15:20
lbragstadoh - perfect15:20
erusThanks o/15:22
*** shrasool has joined #openstack-keystone15:22
*** itlinux has quit IRC15:22
cmurphykklimonda: you can use token auth to get a new token using your current token but if you're using something like keystoneauth that should all be taken care of under the hood15:27
kklimondacmurphy: but the new token has the same expiration date from little testing I've done15:28
kklimondaso the new token isn't really of much use, the only use case I see for that is generating tokens with a tighter scope15:29
*** jdennis has joined #openstack-keystone15:32
*** raildo has joined #openstack-keystone15:33
cmurphykklimonda: hmm you're right, i didn't expect that15:34
*** awalende_ has quit IRC15:35
erusI was reading the etherpad thanks it's very detailed :)15:35
erusWhy do I need to use the vnc to log into the vm?15:43
cmurphyerus: horizon has a vnc console built into it15:43
cmurphyit's just a useful way to get into the vm in case networking isn't working15:44
erusAnd what's the main difference of using vnc instead of ssh?15:54
cmurphyerus: vnc is graphical, ssh is text-only16:02
erusI see, I thought there was another difference thanks.16:05
*** awalende has joined #openstack-keystone16:08
*** jmlowe has joined #openstack-keystone16:12
*** awalende has quit IRC16:12
*** aojea has quit IRC16:14
*** pcaruana has quit IRC16:18
*** aojea has joined #openstack-keystone16:19
*** aojea has quit IRC16:20
*** raildo has quit IRC16:24
*** aojea has joined #openstack-keystone16:25
*** jdennis has quit IRC16:26
*** aojea has quit IRC16:30
*** gyee has joined #openstack-keystone16:34
*** itlinux has joined #openstack-keystone16:37
*** aojea has joined #openstack-keystone16:37
*** raildo has joined #openstack-keystone16:38
*** jdennis has joined #openstack-keystone16:44
*** awalende has joined #openstack-keystone16:55
*** awalende has quit IRC16:56
*** erus has quit IRC16:56
*** jdennis has quit IRC16:57
*** erus has joined #openstack-keystone16:59
*** jdennis has joined #openstack-keystone17:23
*** shrasool has quit IRC17:27
lbragstad^ that should include the patch you wrote for logging RBAC enforcement data17:39
*** shrasool has joined #openstack-keystone17:40
lbragstaddoes anyone happen to know the author of or their IRC nic?17:41
lbragstadjust out of curiosity17:41
*** zioproto has quit IRC17:51
*** zioproto has joined #openstack-keystone17:52
*** aojea has quit IRC17:53
*** aojea has joined #openstack-keystone17:53
*** aojea has quit IRC17:59
*** dnguyen has joined #openstack-keystone18:00
*** shrasool_ has joined #openstack-keystone18:03
*** shrasool has quit IRC18:04
*** shrasool_ is now known as shrasool18:04
*** dave-mccowan has joined #openstack-keystone18:09
*** shrasool has quit IRC18:13
kmalloci don't lbragstad18:13
kmalloclbragstad: doh, i need to move my desk....18:31
kmalloclike 2 feet over.18:31
kmalloc... the desk weighs like 300lbs w/ nothing on it :P18:31
lbragstadcall in some reinforcements...18:34
*** aojea has joined #openstack-keystone18:35
*** amoralej is now known as amoralej|off18:58
*** aojea has quit IRC19:07
kmalloclbragstad: so... when are you going to be in seattle to help? :P19:13
kmallocblah. hopefully the nouveau driver in 4.17? is less crashy than the one in 4.1519:13
* kmalloc does do-dist-upgrade and holds on19:14
gagehugokmalloc: it's buggy af19:14
kmallocif this doesn't work... time to download fedora and maybe it will be slightly better19:14
kmallocgagehugo: i can't get past the login screen now19:14
kmallocgagehugo: nouveau crashes and the machine needs a hard-reset to continue working19:14
kmallocas in... reset button or sysrq. can't issue reboot/shutdown19:15
gagehugoI had to add nouveau.modeset=0 in grub19:15
gagehugoand then install nvidia's drivers19:15
kmallocgagehugo: hmm what does that do? i would like to use the real nvidia driver... but i it's a real pita to install.19:15
lbragstadman - tough week for the home team19:15
kmallocyeah i would rather not.19:16
kmallocthe real nvidia driver is kindof awful to deal with in linux19:16
gagehugo^ fedora anyway19:16
kmallocespecially with secure boot19:16
gagehugoit works though :p19:16
gagehugobut yes19:16
kmalloci really didn't want to run fedora on this machine19:16
kmallocmaybe 4.17/4.18 will be less crashy19:17
gagehugoI used the same process for ubuntu19:17
kmallocand this isn't even on a new GPU... it's just a 1080 series19:17
kmalloca 2+ year old GPU should not be this crashy.19:17
kmalloci loathe to think what a 2080 would be like.19:17
gagehugobut yeah I fought nouvaeu last week19:20
lbragstadgagehugo you're running fedora?19:22
gagehugolbragstad: yeah 29, switched over from ubuntu 18.0419:22
* lbragstad nods19:22
lbragstadkmalloc you're still on 18.04?19:22
gagehugowhich I went to 18.04 when I had issues with 28 graphics19:22
kmalloclbragstad: workstation/virt target19:23
kmalloclbragstad: i tend to roll that and home servers slower than laptop19:23
kmalloclbragstad: specifically because i don't want a "new bleeding edge thing" to break the workflow.19:24
lbragstadso this is on your x1c?19:24
kmallocon the threadripper19:24
gagehugo18.04 was pretty stable imo with the nvidia drivers19:24
kmallocthe x1c is 18.1019:24
kmallocgagehugo: i plugged 2 monitors in and can never login again, even clearing configs, etc. the module just crashes19:24
lbragstadkmalloc you have a 6th gen or a 5th gen?19:24
kmallocgagehugo: even with updates.19:25
kmalloclbragstad: x1c619:25
kmallocgagehugo: and reinstall(s).19:25
kmallocgagehugo: it might be the GPU, but i doubt it, the GPU was just fine until the second monitor was plugged in, and the monitors were confirmed working prior to that.19:25
kmalloclbragstad: with the 1080p screen and like 256GB storage. it's the issued laptop i got from red hat.19:26
kmallocits the one i had at the summit. its not bad.19:26
lbragstadthe x1c6 you mean?19:26
kmalloc18.10 made it much much more usable19:26
kmallocthe x1c619:26
lbragstadmine died this week19:26
kmallocthere is one oddity, you need to disable "wake from sleep when lid opens"19:27
kmallocotherwise it burns like 2W of power when sleeping19:27
kmallocso when you open the lid, you have to press the power button to wake it19:27
lbragstadyeah - i've heard of that one in some other reports19:27
kmallocit's not terrible19:27
kmallocotherwise the laptop is solid.19:27
kmallocit's my only complaint19:27
kmallocthough if i was buying myself a computer, i'd be comparing x1c6 vs x1extreme19:28
kmallocdepending on use-cases19:28
*** shrasool has joined #openstack-keystone19:28
gagehugoI like my t480s19:28
gagehugothe x1extreme looks cool19:29
lbragstadi'm hesitant about another x1 at this point19:29
kmallocas long as i get the next business-day-on-site warranty (3yrs) i don't view then x1 as a liability19:30
kmalloci don't like the xps1319:30
lbragstadi have to dig into it over the weekend, but it sounds like the x1c5 had a bunch of people had to have motherboards replaced due to design issues19:30
gagehugoI assume they will announce the new thinkpads next month-ish?19:30
kmallocwell then.19:31
kmallocI guess it is time to re-install... and possibly try the actual nvidia drivers.19:32
lbragstadhave fun19:32
kmallocthis is stupid annoying.19:32
gagehugokmalloc: yup :(19:32
*** shrasool has quit IRC19:33
*** shrasool has joined #openstack-keystone19:34
kmallocgagehugo: that was similar to what you were seing, eys?19:34
gagehugokmalloc: yup, it would hard lock sometime around the login screen19:34
kmallocoh interesting... so now it works. i guess 2 monitors is too much for the nouveau driver *eyeroll*19:35
gagehugolbragstad: I got arch booting on my tiny second ssd, but that's as far as I got19:35
gagehugokmalloc: lol19:36
lbragstadkmalloc rbac enforcer question for you19:40
lbragstadhere -
lbragstadi can do that in the actual enforcer, can't i?19:41
lbragstadbecause i think it's tripping on a programming error19:41
lbragstadbecuase it'19:42
lbragstadbecause tempest is calling GET /v3/domains/Default19:42
openstackgerritGage Hugo proposed openstack/keystone master: Only run pep8 job when changing python files
kmallocyou can do it with the build_target function19:45
kmallocsame as we did other places19:45
kmallocand you can just let it 404 directly, should raise up the appropriate 403 that way19:46
kmallocthe RBACEnforcer is pretty safe when it deals with the build_target function passed to it19:46
*** aojea has joined #openstack-keystone19:52
kmallocwell... more likely19:56
kmallocoh yeah19:56
kmallocit's not found the domain because we're erroring before enforcement is done19:56
kmallocthat is expected "fail safe" behavior19:56
*** jaosorior has joined #openstack-keystone20:03
lbragstadok - i built a new enforcement method20:10
lbragstadbut yeah - i see what you mean20:10
lbragstadi think i got it working20:10
*** shrasool has quit IRC20:10
lbragstadnew build_enforcement_target method*20:10
*** shrasool has joined #openstack-keystone20:27
kmallocbasically that sanity check always ensures we don't have 1) unenforced apis (except where explicitly designated) and 2) don't leak information unless explicitly intended20:52
*** dnguyen has quit IRC21:02
*** dnguyen has joined #openstack-keystone21:03
*** shrasool has quit IRC21:22
lbragstadjdennis kmalloc i think we have a regression in the new oslo.policy version?21:46
kmallocdo we?21:46
lbragstad fails when we use oslo.policy 1.43.021:47
kmallocno we don't have a regression21:47
kmallocoslo.policy is explicitly logging all details now.21:47
lbragstadabout the target21:47
lbragstadand since users have password entries...21:47
kmallocwe place all values from the params into the target dict21:48
kmallocoslo.policy now logs the target dict, possibly w/o masking21:48
kmallocso it's not really a regression21:48
kmallocit's oslo.policy has added a new feature, and our test assumed oslo.policy doesn't log21:49
kmallocit might show masking is not working 100%.21:49
lbragstadwhat i meant was a regression in behavior based on the tests21:49
lbragstadwhich is just checking if a string of output contains a specific subset21:50
kmallocah we just need to mask the target dict21:50
kmallocwe only mask creds21:50
lbragstadso - this seems like a one off case21:51
lbragstadthat's only really applicable to keystone?21:51
kmallocwe're the only one who tests for things like "secrets aren't logged"21:51
lbragstadtest out put
kmallocif we just add a mask line for the target dict before logging, we're good21:52
lbragstadin oslo.policy?21:52
lbragstador in keystone?21:53
kmallocin oslo.policy21:53
kmallocsee the link ^ github21:53
kmallocthat was jdennis' patch21:53
lbragstadyeah - i saw21:53
kmallocand it misses masking the target dict21:53
kmallocalso... we might be mangling the creds dict now that i look at it21:53
kmallocnot that password should *ever* be in the dicts....21:53
kmallocbut it happens.21:54
kmalloci can roll up a patch shortly to fix this.21:54
kmalloci have a phone call i need to hop on, and then need to go pick up car. but i should have a full fix posted by tomorrow.21:54
kmallocand we can do a ban of the current (latest) release and issue a bug fix release that covers our bases.21:55
openstackgerritLance Bragstad proposed openstack/oslo.policy master: Prevent sensitive target data from being logged
lbragstad^ fix is up, probably needs a bug report though21:59
lbragstadand we'll have to release oslo.policy again22:00
*** rcernin has joined #openstack-keystone22:03
openstackgerritLance Bragstad proposed openstack/oslo.policy master: Prevent sensitive target data from being logged
*** prometheanfire has joined #openstack-keystone22:09
prometheanfirenew olso.policy breaking tests for keystone
lbragstadprometheanfire fixed
prometheanfireshould that policy version be masked?22:10
lbragstadfor keystone, yes22:10
lbragstadit's because we pass a user reference into policy enforcement22:10
lbragstadand the user reference can contain sensitive information22:11
lbragstad(password for example)22:11
prometheanfireok, I'm open to an argument being made to reject it globally, if it's known to be very bad22:11
lbragstadi can't think of another service that would be affected22:11
lbragstadbut - don't quote me on that22:12
prometheanfirelbragstad: mind comenting so we can abandon that review?22:13
lbragstadprometheanfire done22:14
lbragstadno problem22:15
lbragstadkmalloc i updated to be more consistent the convention jdennis had in his patch22:16
kmalloclbragstad: i think we have another bug22:18
kmallocwrapping up phone call22:18
kmallocbut we need a copy/deepcopy of the creds/target dict22:19
kmallocfor masking22:19
kmallocwe are breaking data in the cred/target dict passed down to policy enforcer22:19
kmallocbecause masker changes the data22:19
kmalloci think22:20
kmalloci need to check more closely on how we usetarget_dict / creds_dict22:20
kmalloci am wrong22:21
kmallocwe're good22:21
openstackgerritLance Bragstad proposed openstack/oslo.policy master: Prevent sensitive target data from being logged
lbragstadi deepcopied anyway22:23
kmallocwe only use creds_dict and target_dict explicitly in the logging22:23
kmallocwe explictly cast to dict() via the dict() constructor to handle the mutablemapping case22:24
kmallocbut we sitll pass mutablemapping down to the enforcer if needed.22:24
kmallocso we're good, we should comment that creds_dict and target_dict should NEVER be used outside of the logging22:24
kmallocotherwise that deepcopy isn't needed22:24
kmalloc... or.. wait22:24
kmalloclets leave the deepcopy22:24
kmallocit saves the potential referential key change in the non-mutablemapping form22:25
kmallocit slower(tm) but probably just safer22:25
lbragstadyeah - ok22:25
lbragstadin that case - it's ready for review22:25
kmalloclet me look22:26
kmallocshould be a quick +222:26
kmalloclbragstad: done. +222:27
lbragstadsweet - thanks22:27
kmallocif it passes zuul i'll happily +A as a quick "get it fixed" land22:27
lbragstadbnemec reviewed the first iteration, too22:27
lbragstadso i assume he'll be ok to revisit it as well22:27
kmallocok need to run to get car22:29
kmalloconly 6 weeks since rear end to get it fixed :P22:29
bnemecYeah, I'm good with it.22:30
bnemecI was kind of waiting to see what the final version would be. :-)22:30
*** mchlumsky has quit IRC22:30
lbragstadgood call bnemec22:30
kmallocbnemec: ++22:33
*** dave-mccowan has quit IRC22:35
openstackgerritLance Bragstad proposed openstack/keystone master: Implement system reader role in domains API
openstackgerritLance Bragstad proposed openstack/keystone master: Implement system member role domain test coverage
openstackgerritLance Bragstad proposed openstack/keystone master: Implement system admin role in domains API
openstackgerritLance Bragstad proposed openstack/keystone master: Allow domain users to access the GET domain API
openstackgerritLance Bragstad proposed openstack/keystone master: Allow project users to retrieve domains
openstackgerritLance Bragstad proposed openstack/keystone master: Remove domain policies from policy.v3cloudsample.json
openstackgerritLance Bragstad proposed openstack/keystone master: Remove domain policies from policy.v3cloudsample.json
*** itlinux has quit IRC22:40
*** rcernin has quit IRC22:52
*** rcernin has joined #openstack-keystone22:52
*** aojea has quit IRC22:53
*** aojea has joined #openstack-keystone22:54
*** aojea has quit IRC22:58
*** dnguyen has quit IRC22:59
*** dnguyen has joined #openstack-keystone23:02
*** prometheanfire has left #openstack-keystone23:17

Generated by 2.15.3 by Marius Gedminas - find it at!