Friday, 2018-12-07

*** shrasool has quit IRC00:16
*** shrasool has joined #openstack-keystone00:16
*** erus has quit IRC00:38
*** erus has joined #openstack-keystone00:40
*** erus has quit IRC01:05
*** erus has joined #openstack-keystone01:08
*** gyee has quit IRC01:09
*** shrasool has quit IRC01:17
*** dave-mccowan has quit IRC02:00
*** Dinesh_Bhor has joined #openstack-keystone02:12
*** imacdonn has quit IRC02:53
*** imacdonn has joined #openstack-keystone02:53
*** erus has quit IRC03:16
openstackgerritLance Bragstad proposed openstack/keystone master: Implement system reader role for users  https://review.openstack.org/60548503:17
openstackgerritLance Bragstad proposed openstack/keystone master: Implement system member role user test coverage  https://review.openstack.org/62331703:17
openstackgerritLance Bragstad proposed openstack/keystone master: Implement system admin role in users API  https://review.openstack.org/62331803:17
openstackgerritLance Bragstad proposed openstack/keystone master: Implement domain reader functionality for user API  https://review.openstack.org/62331903:17
openstackgerritLance Bragstad proposed openstack/keystone master: Implement domain member functionality for user API  https://review.openstack.org/62332003:17
*** erus has joined #openstack-keystone03:19
*** raildo has joined #openstack-keystone03:30
*** erus has quit IRC03:47
*** erus has joined #openstack-keystone03:48
*** erus has quit IRC03:54
*** erus has joined #openstack-keystone04:07
*** erus has quit IRC04:13
*** erus has joined #openstack-keystone04:22
*** lbragstad has quit IRC04:23
*** erus has quit IRC04:28
*** erus has joined #openstack-keystone04:36
*** erus has quit IRC04:43
*** erus has joined #openstack-keystone04:44
*** erus has quit IRC04:46
*** erus has joined #openstack-keystone04:47
*** erus has quit IRC04:54
*** erus has joined #openstack-keystone05:03
*** erus has quit IRC05:10
*** erus has joined #openstack-keystone05:14
*** erus has quit IRC05:21
*** erus has joined #openstack-keystone05:30
*** erus has quit IRC05:36
*** erus has joined #openstack-keystone05:44
*** erus has quit IRC05:50
*** erus has joined #openstack-keystone06:02
*** Dinesh_Bhor has quit IRC06:04
openstackgerritwangxiyuan proposed openstack/keystone master: Ensure change is addressed for unified limit table  https://review.openstack.org/62149706:37
openstackgerritwangxiyuan proposed openstack/keystone master: Add domain_id column for limit  https://review.openstack.org/62020206:37
openstackgerritwangxiyuan proposed openstack/keystone master: Add domain level limit support - Manager  https://review.openstack.org/62146806:37
openstackgerritwangxiyuan proposed openstack/keystone master: Add domain level limit support - API  https://review.openstack.org/62277306:37
openstackgerritwangxiyuan proposed openstack/keystone master: [WIP] Add domain level support for strict-two-level-model  https://review.openstack.org/62315306:37
*** Dinesh_Bhor has joined #openstack-keystone06:53
*** rcernin has quit IRC07:01
*** dklyle has quit IRC07:09
*** dklyle has joined #openstack-keystone07:10
*** trident has quit IRC07:23
*** trident has joined #openstack-keystone07:25
*** dims has quit IRC07:44
*** dims has joined #openstack-keystone07:47
*** awalende has joined #openstack-keystone08:11
*** Dinesh_Bhor has quit IRC08:14
*** Dinesh_Bhor has joined #openstack-keystone08:19
openstackgerritwangxiyuan proposed openstack/keystone master: Add domain level limit support - API  https://review.openstack.org/62277308:28
openstackgerritwangxiyuan proposed openstack/keystone master: [WIP] Add domain level support for strict-two-level-model  https://review.openstack.org/62315308:28
*** awalende has quit IRC08:30
*** Dinesh_Bhor has quit IRC09:11
*** Dinesh_Bhor has joined #openstack-keystone09:12
*** Dinesh_Bhor has quit IRC09:40
*** trident has quit IRC10:18
*** trident has joined #openstack-keystone10:21
*** sapd1_ has joined #openstack-keystone10:50
sapd1_Hi anyone, How to use openstack command line with keystone-to-keystone config? Using user in keystone identity provider to access keystone service provider.10:51
*** trident has quit IRC11:04
cmurphysapd1_: example here https://docs.openstack.org/keystone/latest/advanced-topics/federation/federated_identity.html#testing-it-all-out11:05
*** trident has joined #openstack-keystone11:06
openstackgerritMerged openstack/ldappool master: Change openstack-dev to openstack-discuss  https://review.openstack.org/62257111:10
*** sapd1_ has quit IRC11:17
*** sapd1_ has joined #openstack-keystone11:20
*** shrasool has joined #openstack-keystone11:26
*** sapd1_ has quit IRC11:35
*** sapd1_ has joined #openstack-keystone11:51
*** sapd1_ has quit IRC11:56
*** shrasool has quit IRC12:03
*** shrasool has joined #openstack-keystone12:07
openstackgerritMerged openstack/python-keystoneclient master: Change openstack-dev to openstack-discuss  https://review.openstack.org/62192612:09
openstackgerritMerged openstack/oslo.limit master: Update mailinglist from dev to discuss  https://review.openstack.org/62179512:15
*** shrasool has quit IRC12:16
openstackgerritMerged openstack/keystonemiddleware master: Change openstack-dev to openstack-discuss  https://review.openstack.org/62276412:31
*** trident has quit IRC12:39
*** trident has joined #openstack-keystone12:41
*** shrasool has joined #openstack-keystone12:42
*** shrasool has quit IRC12:45
*** sapd1_ has joined #openstack-keystone13:02
*** sapd1_ has quit IRC13:07
*** cenekzach has joined #openstack-keystone13:18
*** mhen has joined #openstack-keystone13:25
mhenKeystone API v3 provides a "/policies" endpoint. I struggle to find information on what this is actually used for. How does this relate to the "policy.json" file used in Keystone and other services?13:32
cenekzachHello, question about keystone-ldap integration. Keystone uses 2 methods [1] from python ldap module for LDAP queries 'search_s' and 'search_ext'. While the former is 'synchronous' (as the ldap module calls it) the latter is not (it has synchronous variant called 'search_ext_s' [2]). Is there a reason why the 'ext' variant is not synchronous? The ldap module implements reconnect in case of connection failure only for the synchronous methods. Our ldap connections get dropped (RST from the server side) and keystone reconnects after several minutes, all requests fail till then.13:35
cenekzach[1] keystone/keystone/identity/backends/ldap/common.py13:35
cenekzach[2] https://github.com/python-ldap/python-ldap/blob/master/Lib/ldap/ldapobject.py13:35
*** jdennis has quit IRC13:36
*** edmondsw has quit IRC13:42
cmurphymhen: it's a partially baked API that we've deprecated, we don't really refer to it anywhere because we don't encourage anyone to use it13:43
cmurphycenekzach: I'm not totally sure but I think these comments give a hint that it was intentional http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/backends/ldap/common.py#n772 http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/backends/ldap/common.py#n79813:45
openstackgerritMerged openstack/keystone master: Update role policies for system reader  https://review.openstack.org/62252413:45
mhencmurphy, thanks for your response! So essentially the API is not actually used anywhere in OpenStack?13:46
cmurphymhen: correct13:46
*** alexchadin has joined #openstack-keystone13:47
mhenok, thanks13:51
*** dave-mccowan has joined #openstack-keystone14:05
*** lbragstad has joined #openstack-keystone14:06
*** ChanServ sets mode: +o lbragstad14:06
*** dave-mccowan has quit IRC14:10
*** edmondsw has joined #openstack-keystone14:12
openstackgerritColleen Murphy proposed openstack/keystone master: Consolidate Keystone docs: admin/identity-external-authentication.rst  https://review.openstack.org/54708714:13
*** lbragstad has quit IRC14:25
*** lbragstad has joined #openstack-keystone14:29
*** ChanServ sets mode: +o lbragstad14:29
*** raildo has joined #openstack-keystone14:32
lbragstado/14:33
openstackgerritColleen Murphy proposed openstack/keystone master: Consolidate catalog management guide  https://review.openstack.org/62350114:33
cmurphylbragstad: o/14:33
*** jdennis has joined #openstack-keystone14:33
cmurphylbragstad: easy review plz https://review.openstack.org/62297714:33
* lbragstad loves easy reviews on friday morning14:34
lbragstadi don't think we really need to wait for another core there?14:35
cmurphyi wouldn't14:35
*** Dinesh_Bhor has joined #openstack-keystone14:42
*** mvkr has quit IRC14:42
*** takamatsu has joined #openstack-keystone14:43
*** alexchadin has quit IRC14:43
*** jdennis has quit IRC14:45
*** shrasool has joined #openstack-keystone14:54
*** Dinesh_Bhor has quit IRC14:56
openstackgerritMerged openstack/ldappool master: Fix releasenotes build  https://review.openstack.org/62297714:59
*** jdennis has joined #openstack-keystone15:03
*** trident has quit IRC15:25
*** trident has joined #openstack-keystone15:27
openstackgerritMerged openstack/ldappool master: Add py36 tox environment  https://review.openstack.org/61584715:31
*** shrasool has quit IRC15:37
*** shrasool has joined #openstack-keystone15:49
*** shrasool has quit IRC15:52
lbragstadcmurphy i like the federation introduction doc15:57
cmurphy\o/15:58
*** shrasool has joined #openstack-keystone15:59
*** shrasool has quit IRC16:05
*** erus has quit IRC16:11
lbragstadso - it looks like the old policy.v3cloudsample.json file allowed project and domain admins to list all roles in the deployment16:12
lbragstadwith how we're doing things moving forward16:13
lbragstadi'm not sure i see the value in allowing project admins to call GET /v3/roles ?16:13
lbragstadit might make sense for a domain admin, if they're looking to add role assignments to users and projects within their domain16:14
lbragstadbut we also have domain-specific roles...16:14
lbragstadwondering if people have an opinion here16:14
*** erus has joined #openstack-keystone16:17
*** gyee has joined #openstack-keystone16:25
lbragstadi guess a deployment could have global roles that are specific to other users16:26
*** mvkr has joined #openstack-keystone16:27
lbragstaddomain and project users would be able to see those and that might not be right?16:27
lbragstadi guess a safer alternative would be to block all access to global roles for domain and project users16:27
lbragstadand domain admins can create domain specific roles, which they do have access to16:27
knikollao/16:31
knikollalbragstad: cmurphy: thanks for reviewing the renewable application credentials spec16:32
knikollai'll wait for kmalloc as well and then incorporate the feedback.16:32
lbragstadack16:33
lbragstadidk - the second path feels more in line with the actual defaults we have today and safer in general16:34
lbragstadthe policy.v3cloudsample.json was the official defaults anyway16:34
lbragstadwasn't*16:34
lbragstadi'll write things up for the second approach and document why in the commit messages... then we can just iterate in review16:35
*** raildo has quit IRC16:36
*** shrasool has joined #openstack-keystone16:44
kmallocLet me get coffee16:46
lbragstadgrab me some, too kthx16:47
kmalloclbragstad: FYI, vacation for me will be starting Dec 18, and I'll be back jan 1416:47
lbragstadsounds good16:47
kmallocI might check in some, but the goal is to be mostly offline from work.16:48
lbragstadas it should be16:48
kmallocYup16:48
*** shrasool has quit IRC16:49
*** erus has quit IRC17:00
openstackgerritLance Bragstad proposed openstack/keystone master: Add role tests for system member role  https://review.openstack.org/62252517:02
openstackgerritLance Bragstad proposed openstack/keystone master: Update role policies for system admin  https://review.openstack.org/62252617:02
openstackgerritLance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with roles  https://review.openstack.org/62252717:02
openstackgerritLance Bragstad proposed openstack/keystone master: Add tests for project users interacting with roles  https://review.openstack.org/62252817:02
openstackgerritLance Bragstad proposed openstack/keystone master: Remove role policies from policy.v3cloudsample.json  https://review.openstack.org/62252917:02
*** erus has joined #openstack-keystone17:04
*** shrasool has joined #openstack-keystone17:10
openstackgerritLance Bragstad proposed openstack/keystone master: Update endpoint  policies for system admin  https://review.openstack.org/61933117:13
openstackgerritLance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with endpoints  https://review.openstack.org/61933217:13
openstackgerritLance Bragstad proposed openstack/keystone master: Add tests for project users interacting with endpoints  https://review.openstack.org/61928117:13
openstackgerritLance Bragstad proposed openstack/keystone master: Remove endpoint policies from policy.v3cloudsample.json  https://review.openstack.org/61933317:13
*** dims has quit IRC17:21
cenekzachcmurphy thanks, I will dig deeper17:36
openstackgerritLance Bragstad proposed openstack/keystone master: Update registered limit policies for system admin  https://review.openstack.org/62101617:55
openstackgerritLance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with registered limits  https://review.openstack.org/62101717:55
openstackgerritLance Bragstad proposed openstack/keystone master: Add tests for project users interacting with registered limits  https://review.openstack.org/62101817:55
openstackgerritLance Bragstad proposed openstack/keystone master: Remove registered limit policies from policy.v3cloudsample.json  https://review.openstack.org/62101917:55
openstackgerritLance Bragstad proposed openstack/keystone master: Add limit protection tests  https://review.openstack.org/62102017:55
openstackgerritLance Bragstad proposed openstack/keystone master: Add limit tests for system member role  https://review.openstack.org/62102117:55
openstackgerritLance Bragstad proposed openstack/keystone master: Update limit policies for system admin  https://review.openstack.org/62102217:55
openstackgerritLance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with limits  https://review.openstack.org/62102317:55
openstackgerritLance Bragstad proposed openstack/keystone master: Add tests for project users interacting with limits  https://review.openstack.org/62102417:55
openstackgerritLance Bragstad proposed openstack/keystone master: Remove limit policies from policy.v3cloudsample.json  https://review.openstack.org/62102517:55
openstackgerritLance Bragstad proposed openstack/keystone master: Add region protection tests for system readers  https://review.openstack.org/61908518:16
openstackgerritLance Bragstad proposed openstack/keystone master: Add region tests for system member role  https://review.openstack.org/61908618:16
openstackgerritLance Bragstad proposed openstack/keystone master: Update region policies to use system admin  https://review.openstack.org/61924118:16
openstackgerritLance Bragstad proposed openstack/keystone master: Add tests for domain users interacting with regions  https://review.openstack.org/61924218:16
openstackgerritLance Bragstad proposed openstack/keystone master: Add tests for project users interacting with regions  https://review.openstack.org/61924318:16
openstackgerritLance Bragstad proposed openstack/keystone master: Remove region policies from policy.v3cloudsample.json  https://review.openstack.org/61924418:16
* lbragstad goes to make coffee18:41
*** shrasool has quit IRC18:46
*** dims has joined #openstack-keystone18:50
kmallocknikolla: commented on the app-cred spec19:14
kmalloclbragstad: onto my 4th cup now. :P19:15
lbragstadnice19:16
lbragstadsounds to me like you're "review ready"19:16
lbragstadat least that's what i'm hearing ;)19:16
kmalloc"review ready" is such a loaded term19:17
lbragstadready to review all the things *19:17
kmallocon the plus side, i got my office almost all cleaned up and my desk is almost all setup like it was supposed to be19:17
*** shrasool has joined #openstack-keystone19:20
*** shrasool has quit IRC19:22
kmalloclbragstad: i already reviewed the app creds thing19:24
knikollakmalloc: thanks! responded.19:28
knikollai like the renew on login.19:28
knikollakmalloc: with regards to the conversation we had during the keystone meeting, do you want the idp associated with an app cred to be immutable?19:29
kmallocyes.19:35
kmallocplease19:35
knikollawill do.19:35
knikollayou also think that we should not force a ttl on app creds created through a federated login that only have concrete roles?19:36
kmallocno19:37
kmallocexplicitly not force a ttl in that case19:37
kmallocsorry if i wasn't clear19:38
kmalloca user may set a TTL in that case.19:38
kmalloca user is not forced into a TTL because the roles exist explicitly within keystone19:38
kmallocvs. conveyed by the IDP Auth19:38
knikollawhat about the case of a disabled user still having access?19:39
kmallocif a user has concrete roles in keystone19:40
kmallocchances are they can login locally to keystone anyway19:40
kmallocthis is the side-band "go disable the user in keystone" problem19:40
kmallocoath was already looking into19:40
kmallocand we should make that an explicit case.19:40
kmallocmaybe not?19:41
kmalloci tend to err to the side of only roles that require refreshing are forced into the IDP ttl19:41
kmallocas long as the behavior is clearly outlined and documented i think we're ok19:41
knikollanot if they only rely on the idp for authN rather than authZ19:42
knikollathey may have concrete roles, but no account locally19:42
knikolla(the MOC case)19:42
knikollaalso I think autoprovisioning actually creates the concrete role assignments according to this snippet https://github.com/openstack/keystone/blob/b25a655793db0859f9c3e77a013fa26346ec8435/keystone/auth/plugins/mapped.py#L173-L17619:44
kmallocright.19:44
kmalloci'm ok with that going either way19:45
kmallocas long as the behavior is clearly outlined19:45
kmallocand documented19:45
knikollai could provide a config option to toggle it on or off19:45
kmallocugh. no.19:45
kmallocwe can add a toggle later if needed19:45
knikollaas forcing ttl on app creds created through federation changes the behavior of current app creds19:46
knikollacurrent behavior of creating app creds*19:46
kmallocdo we allow app creds with federated logins?19:46
knikollafor concrete roles yes19:46
knikollai think19:46
kmallochm.19:47
kmalloclet's confirm19:47
kmallocif we do, then the behavior has to remain the same =/19:47
knikollaa quick look at the code makes me think we do19:49
knikollaas we only check that the user has the roles in the project19:49
knikollahttps://github.com/openstack/keystone/blob/b25a655793db0859f9c3e77a013fa26346ec8435/keystone/application_credential/core.py#L13219:49
kmallocbah19:51
lbragstadis it just me or is this test asserting the exact opposite of what we want? https://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/test_v3_protection.py#n96119:53
kmalloclbragstad: that a non-domain admin shouldn't be able to do things?20:05
kmallocit's asserting a non-domain-admin can't do management and then a domain admin can20:05
lbragstadis it? https://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/test_v3_protection.py#n97020:06
lbragstadhttps://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/test_v3_protection.py#n97920:06
nsmedsI know this isn't exactly correct channel - but you guys appear to be most active with the policy.json work20:09
nsmedsI've managed to get some good overrides working for keystone and cinder. But neutron completely ignored the policy.json changes.20:09
nsmedsanyone aware of issue?20:09
nsmeds(posted in their channel but tis a Friday)20:09
kmalloclbragstad: _test_user_management20:10
kmalloclbragstad:  not "test_user_management"20:10
kmalloclbragstad: https://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/test_v3_protection.py#n79720:10
kmallocso we pass in the user data. it does appear to be testing the right thing.20:11
kmallocor at least we're getting a forbidden20:11
kmallochttps://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/unit/test_v3_protection.py#n80220:11
lbragstadoh ... wtf20:11
kmallocwe use self.auth20:11
* lbragstad shakes head20:12
kmallocwe don't re-auth in _Test_user_management20:12
kmallocwe auth with "just a user" and set that to self.auth20:12
kmallocit's not straightforward.20:12
lbragstadno at all20:12
lbragstadnot*20:12
kmallocbut it does work and is asserting the correct behavior20:12
lbragstadbah - oik20:12
kmallocalso git.openstack.org is way harder to read than github20:12
kmallocit takes me ~10x as long because of lack of syntax highlighting20:13
*** shrasool has joined #openstack-keystone20:22
*** cenekzach has left #openstack-keystone20:26
*** shrasool has quit IRC21:13
*** shrasool has joined #openstack-keystone21:15
*** shrasool_ has joined #openstack-keystone21:23
*** shrasool has quit IRC21:23
*** shrasool_ is now known as shrasool21:23
*** jdennis has quit IRC21:27
*** shrasool has quit IRC21:30
*** jdennis has joined #openstack-keystone21:44
lbragstadkmalloc the domain-id/domain_id normalization stuff made it into the flask refactor?21:47
lbragstadi'm noticing something odd with query strings and the user API21:48
lbragstadbut i could just be uneducated21:48
lbragstadfor example -this is what i have locally21:49
lbragstadhttps://pasted.tech/pastes/980db6c1c3111b1358f4149c136ab76f190beec521:49
lbragstadand this is the failure i'm seeing https://pasted.tech/pastes/a976b0a0350601826aa90f43e20330d99b0f2c46.raw21:49
*** imus has quit IRC21:52
*** jdennis has quit IRC21:53
*** shrasool has joined #openstack-keystone22:09
kmalloclbragstad: uhm.22:14
kmallocthe normalization stuff might have made it in22:15
kmalloci mean... i don't remember specifically22:15
lbragstadi see bits of it22:15
kmallocwe have SOME normalization bits22:15
kmalloci don't think i changed anything behavior wise with body-key normalization22:16
lbragstadwe have normalization on the body and on query parameters22:17
*** erus has quit IRC22:17
*** erus has joined #openstack-keystone22:18
kmalloci don't see explicitly where that is happening atm.22:18
kmallocbut doesn't mean it didn't land in the flask refactor22:18
lbragstadsure - it was a lot of code22:21
kmallocoh i see22:21
lbragstadi'm trying to maintain the behavior we have in these tests22:21
kmallocany and all calls for "._normalize_dict" does it22:21
kmallocbecause normalize_dict -> normalize_arg22:21
kmallocwhich does `-` -> `_`22:21
*** trident has quit IRC22:22
kmallochttps://github.com/openstack/keystone/blob/6dd1c7dae82b55d9d7126da7f4356eac2cc494c1/keystone/server/flask/common.py#L902-L90822:22
kmallocthere used to be other normalization mechanisms22:22
lbragstadhttps://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_v3_protection.py#L981-L105622:22
*** dmellado has quit IRC22:22
kmallocthey were all collapsed22:22
*** trident has joined #openstack-keystone22:22
kmallocquery args, that one i am not seeing22:22
kmallocyet.22:22
kmallocbut it might be a flask-ism22:22
lbragstadi think we get that with22:23
lbragstadflask.requests.args.get('domain_id')22:23
kmallocyeah.22:23
kmallocso we might be more normalized now...22:24
lbragstadwhich might work with ?domain-id=$domain-id and ?domain_id=$domain-id22:24
kmallocthough that is odd22:24
kmalloc?domain-id afaict is ... never supposed to work?22:24
kmallocalso... extras still suck22:24
kmalloca lot22:24
lbragstadwell - yeah.. actually that's the part that's tripping me up i think22:25
lbragstadbecause we actually use it in policy enforcement if domain-id is a qs22:25
kmallocwell that's broken22:25
lbragstadhttps://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_v3_protection.py#L1018-L102522:25
lbragstad^ right?22:25
kmallocso my view is pretty straightforward22:25
kmallocif the *code* says domain_id is the way we enforce22:26
kmallocpolicy is wrong22:26
kmallocand we fix it. policy is config22:26
kmallocnot API contract22:26
lbragstadpolicy.v3cloudsample.json you mean22:26
lbragstadyeah22:26
kmallocyeah.22:26
lbragstaddomain_id is a proper filter, i think22:26
kmallocdoesn't matter what policy file.22:26
kmallocdomain_id is the filter22:26
kmalloci'd -2 code to add domain-id as a filter22:26
kmallocto fix policy.json-isms that were wrong22:26
lbragstaddomain-id should be ignored to be consistent with the rest of the keystone22:26
kmallocyes.22:27
lbragstadok22:27
lbragstadso if that's the case...22:27
kmallocin v4 we can consider not ignoring query params22:27
lbragstadhttps://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_v3_protection.py#L1018-L1025 should assert empty lists?22:27
kmallocand i am still serious a v4 should happen22:27
lbragstadand not 403s22:27
kmallochmmmmm.22:27
kmallocyes.22:27
kmallocfix the policy file to be not stupid, assert on that behavior22:27
lbragstadright? because if i'm a domain admin asking for users in another domain that i'm not an admin of, an empty list should be what the filter returns22:28
kmallocyep22:29
kmalloc100%22:29
lbragstadok - i'll have to rework these tests22:29
kmallocsorry22:29
lbragstadno worries22:29
lbragstadthis stuff looks old anyway22:29
lbragstadother stuff probably evolved around it without us knowing22:30
kmallocyeh22:30
kmallocit's annoying22:30
lbragstadwell - we have some better organization now, so hopefully it'll happen less in the future22:31
kmallocthis is part of why the endless pluggability is so bad.22:31
kmallocweird things happen and grow around it.22:31
*** dmellado has joined #openstack-keystone23:11
*** shrasool has quit IRC23:29
openstackgerritLance Bragstad proposed openstack/keystone master: Bump oslo.policy and oslo.context versions  https://review.openstack.org/62324823:42
openstackgerritLance Bragstad proposed openstack/keystone master: Implement system reader role for users  https://review.openstack.org/60548523:42
openstackgerritLance Bragstad proposed openstack/keystone master: Implement system member role user test coverage  https://review.openstack.org/62331723:42
openstackgerritLance Bragstad proposed openstack/keystone master: Implement system admin role in users API  https://review.openstack.org/62331823:42
openstackgerritLance Bragstad proposed openstack/keystone master: Implement domain reader functionality for user API  https://review.openstack.org/62331923:42
openstackgerritLance Bragstad proposed openstack/keystone master: Implement domain member functionality for user API  https://review.openstack.org/62332023:42
openstackgerritLance Bragstad proposed openstack/keystone master: Implement domain admin functionality for user API  https://review.openstack.org/62332123:42
openstackgerritLance Bragstad proposed openstack/keystone master: Add explicit testing for project users and the user API  https://review.openstack.org/62332223:42
openstackgerritLance Bragstad proposed openstack/keystone master: Remove user policies from policy.v3cloudsample.json  https://review.openstack.org/62332323:42
lbragstadkmalloc should be all fixed now ^23:42
lbragstadmost of the changes we talked about are in the last patch in that series, where i remove the tests from test_v3_protection and add them to keystone.tests.unit.protection.v3.test_users23:42
lbragstadported your original comments, too23:43
lbragstadwhere applicable23:43
