Wednesday, 2019-03-13

*** eandersson_ has joined #openstack-keystone [00:07]
*** jamesmcarthur has quit IRC [00:10]
*** jamesmcarthur has joined #openstack-keystone [00:14]
*** jamesmcarthur has quit IRC [00:27]
*** gyee has quit IRC [00:30]
*** lbragstad has quit IRC [00:40]
*** markvoelker has joined #openstack-keystone [00:43]
*** whoami-rajat has joined #openstack-keystone [00:51]
*** tkajinam_ has joined #openstack-keystone [00:58]
*** tkajinam has quit IRC [01:01]
*** markvoelker has quit IRC [01:21]
*** jamesmcarthur has joined #openstack-keystone [01:23]
*** Nel1x has joined #openstack-keystone [01:25]
*** lbragstad has joined #openstack-keystone [01:44]
*** ChanServ sets mode: +o lbragstad [01:44]
*** jamesmcarthur has quit IRC [02:22]
*** jamesmcarthur has joined #openstack-keystone [02:23]
*** lbragstad has quit IRC [02:24]
*** jamesmcarthur has quit IRC [02:53]
*** jamesmcarthur has joined #openstack-keystone [02:53]
*** Nel1x has quit IRC [03:05]
<openstackgerrit> Ghanshyam Mann proposed openstack/keystone master: Migrate keystone-dsvm-grenade-multinode job to Ubuntu Bionic  https://review.openstack.org/641925 [03:08]
<openstackgerrit> Ghanshyam Mann proposed openstack/keystone master: Migrate keystone-dsvm-grenade-multinode job to Ubuntu Bionic  https://review.openstack.org/641925 [03:09]
*** jamesmcarthur has quit IRC [03:27]
*** itlinux has quit IRC [03:41]
*** jaosorior has joined #openstack-keystone [05:22]
*** markvoelker has joined #openstack-keystone [05:47]
*** vishakha has joined #openstack-keystone [06:04]
*** pcaruana has joined #openstack-keystone [06:19]
*** masayukig[m]2 is now known as masayukig[m] [06:45]
*** masayukig[m] is now known as masayuki4 [06:45]
*** masayuki4 is now known as masayuki6 [06:48]
*** masayuki6 is now known as masayukig[m] [06:48]
*** masayukig[m] is now known as masayukig [06:48]
<eandersson_> Why would a trust show up in list, but not show? [07:14]
*** tonyb is now known as tonyb_gone [07:20]
*** tonyb_gone is now known as tonyb [07:21]
*** awalende has joined #openstack-keystone [08:09]
*** rcernin has quit IRC [08:09]
<openstackgerrit> Chason Chan proposed openstack/keystone master: Fix the incorrect release name of project guide  https://review.openstack.org/642972 [08:45]
*** xek has joined #openstack-keystone [08:50]
*** kukacz has quit IRC [09:15]
*** kukacz has joined #openstack-keystone [09:17]
*** tkajinam__ has joined #openstack-keystone [09:22]
*** FlorianFa has joined #openstack-keystone [09:23]
*** tkajinam_ has quit IRC [09:25]
*** Emine has joined #openstack-keystone [09:53]
<vishakha> cmurphy: Regarding your patch https://review.openstack.org/#/c/642026/. We haven't compacted the db migrations in a long time. Is there any specific reason for it? [10:37]
<cmurphy> vishakha: we don't compact them, we keep them there in case we need to backport a migration between releases so that it would run before the next release [10:40]
<vishakha> cmurphy: We can compact till EOL releases. Can't we? [10:41]
<cmurphy> vishakha: we could but I'm not sure what the benefit is? plus EOL is subjective now that we have extended maintenance branches [10:42]
<vishakha> cmurphy: the benefit is that we can remove placeholders and empty migrations. [10:45]
<cmurphy> vishakha: but we can't change the version numbers so we still end up with empty gaps [10:48]
<vishakha> cmurphy: Could you please elaborate why we can't change version numbers [10:50]
<cmurphy> vishakha: that would break the database of running deployments, all deployments store the current migration version number and can only go up from there [10:51]
<vishakha> cmurphy: I saw cinder do the same migrations. https://review.openstack.org/#/q/topic:compact_db+(status:open+OR+status:merged). I am not sure whether they face the same issue as they do migrations quite often after a few releases. [11:24]
*** raildo has joined #openstack-keystone [11:37]
<cmurphy> vishakha: looks like they control the initial version with the INIT_VERSION constant and they re-set that to the latest version before compacting [11:38]
<cmurphy> we don't have anything like that, but no reason we couldn't afaict [11:38]
<vishakha> cmurphy: ok. That means if we want we can also achieve it by resetting the version [11:40]
<cmurphy> vishakha: i think so [11:41]
<vishakha> cmurphy: ok thanks [11:44]
*** markvoelker has quit IRC [12:12]
*** markvoelker has joined #openstack-keystone [12:13]
*** mchlumsky has joined #openstack-keystone [12:38]
*** awalende has quit IRC [12:43]
*** awalende has joined #openstack-keystone [12:45]
*** jamesmcarthur has joined #openstack-keystone [12:47]
*** lbragstad has joined #openstack-keystone [13:31]
*** ChanServ sets mode: +o lbragstad [13:31]
*** jamesmcarthur has quit IRC [13:41]
*** Emine has quit IRC [13:59]
*** jamesmcarthur has joined #openstack-keystone [14:00]
*** jamesmcarthur has quit IRC [14:00]
*** jamesmcarthur has joined #openstack-keystone [14:01]
*** Emine has joined #openstack-keystone [14:08]
*** irclogbot_1 has quit IRC [14:09]
*** irclogbot_1 has joined #openstack-keystone [14:12]
*** bnemec has quit IRC [14:22]
*** Emine has quit IRC [14:24]
*** Emine has joined #openstack-keystone [14:24]
*** irclogbot_1 has quit IRC [14:25]
*** bnemec has joined #openstack-keystone [14:27]
*** irclogbot_1 has joined #openstack-keystone [14:27]
*** mloza has joined #openstack-keystone [14:53]
<mloza> Hello, how can I get the domain context menu to show up in the default domain? [14:53]
<mloza> i'm logged in as admin [14:54]
*** erus has joined #openstack-keystone [15:15]
<erus> o/ [15:19]
*** awalende has quit IRC [15:28]
*** irclogbot_1 has quit IRC [15:36]
*** irclogbot_1 has joined #openstack-keystone [15:39]
*** irclogbot_1 has quit IRC [15:49]
*** irclogbot_1 has joined #openstack-keystone [15:51]
*** erus has quit IRC [15:52]
*** irclogbot_1 has quit IRC [15:52]
*** irclogbot_1 has joined #openstack-keystone [15:56]
*** erus has joined #openstack-keystone [16:00]
<knikolla> o/ [16:03]
*** Emine has quit IRC [16:20]
*** irclogbot_1 has quit IRC [16:24]
*** erus has quit IRC [16:24]
*** erus has joined #openstack-keystone [16:25]
*** gyee has joined #openstack-keystone [16:25]
*** irclogbot_1 has joined #openstack-keystone [16:26]
<erus> hello knikolla o/ [16:29]
<knikolla> hi erus! [16:32]
*** FlorianFa has quit IRC [16:41]
*** dave-mccowan has joined #openstack-keystone [16:43]
*** erus has quit IRC [16:43]
<lbragstad> quick update on the system-scope and default roles patches with tempest [16:43]
<lbragstad> we need https://review.openstack.org/#/c/624794/2 and https://review.openstack.org/#/c/642102/3 to merge before we can get https://review.openstack.org/#/c/624218/8 into keystone [16:43]
*** erus has joined #openstack-keystone [16:43]
<erus> how are you? knikolla [16:45]
*** dtruong has joined #openstack-keystone [16:50]
<eandersson_> morning [16:53]
*** eandersson_ is now known as eandersson [16:54]
<eandersson> We have had a few fun issues with Trusts. [16:54]
*** FlorianFa has joined #openstack-keystone [16:54]
<eandersson> The most common issue is that a user has a trust, but it gets a role removed for some reason. This invalidates the trust permanently. [16:54]
<eandersson> Another issue was a role id changing (by mistake usually) [16:54]
<eandersson> And this causes clusters owned by that user to be permanently broken (e.g. Senlin or Magnum). [16:55]
*** erus has quit IRC [16:55]
*** erus has joined #openstack-keystone [16:56]
<eandersson> What is the intended scenario to recover from the above? [16:56]
<eandersson> 1) delete and re-create the trust, but how is a service like Senlin supposed to handle this? [16:56]
<eandersson> Is Senlin supposed to re-create it automatically, as Senlin created it in the first place. [16:57]
<eandersson> Or is Senlin supposed to expose an api to allow the user to create a new trust for the cluster? [16:57]
<eandersson> 2) Is Senlin supposed to always mimic the user's exact roles? if Senlin always created a trust with only _member_, this is much less likely to happen (and maybe allows you to add additional roles on demand?) [16:57]
<eandersson> maybe lbragstad ^ ? [17:07]
<lbragstad> eandersson well - trusts are immutable [17:09]
<lbragstad> so updating them when roles change isn't going to be possible [17:09]
<eandersson> For sure [17:09]
<lbragstad> Senlin is the thing creating the trust, right? [17:09]
<eandersson> Yes [17:10]
<lbragstad> is Senlin the trustee or the trustor? [17:10]
<lbragstad> er - the senlin user [17:10]
<eandersson> Trustor would be my user [17:12]
<lbragstad> ok [17:12]
<lbragstad> so the user creates the trust and gives it to senlin? [17:12]
<eandersson> Yes [17:12]
<eandersson> And for the life of that auto-scaling group that trust will be used. [17:12]
<lbragstad> and the root of the issue is that the user has a role assignment change which invalidates the trust? [17:13]
<eandersson> Yep [17:13]
<lbragstad> so - one thing you could try, is to use a specific role in the trust that only allows senlin to do what it needs to do [17:14]
<lbragstad> (i'd need to dig into the trusts implementation - but i know application credentials will validate the role during usage) [17:14]
<lbragstad> so - if the user always has the role required for senlin to do its thing, then the application credential at least will remain valid [17:15]
<lbragstad> regardless of other assignments changing for that user [17:15]
<eandersson> My initial thinking would be to always only give the trust, _member_ [17:15]
<eandersson> but how would Senlin know if the user needs SwiftOp or admin? [17:16]
<eandersson> Because we don't want to prevent an admin user from creating a cluster etc, but at the same time there is no guarantee that an admin will always have admin. [17:16]
<lbragstad> right - i guess that depends on what senlin is doing on behalf of the user? [17:18]
<eandersson> Probably never anything requiring admin, or even swift (at this time). [17:18]
<eandersson> https://github.com/openstack/senlin/tree/master/senlin/drivers/os [17:18]
<eandersson> but apparently has the concept of network_delete, but not sure when it would ever need to do that [17:19]
<eandersson> https://github.com/openstack/senlin/blob/master/senlin/drivers/os/neutron_v2.py#L44 [17:19]
<lbragstad> sure - those are also going to be dependent on whatever the policy is for those services [17:19]
*** gyee has quit IRC [17:20]
<lbragstad> (i'm assuming defaults, but that might not be the case and could vary per deployment) [17:20]
*** gyee has joined #openstack-keystone [17:20]
<lbragstad> this might be a bit clunky... but [17:21]
<lbragstad> one option would be for a user to be notified prior to a role assignment change [17:21]
<lbragstad> (e.g., you're going to have admin removed from project X in 3 days) [17:21]
<lbragstad> then they have the opportunity to create a new application credential that excludes the admin role and they can give that to senlin instead [17:22]
*** erus has quit IRC [17:22]
<lbragstad> (in a graceful rotation kind-of-way) [17:22]
*** erus has joined #openstack-keystone [17:23]
*** problem_v has joined #openstack-keystone [17:26]
*** dave-mccowan has quit IRC [17:27]
<lbragstad> just tried it locally and if i create a trust, then remove a role from the trustor, i can't fetch the trust anymore [17:29]
*** erus has quit IRC [17:29]
<dtruong> yes, that's what we encountered [17:29]
<lbragstad> actually - i can? [17:29]
*** erus has joined #openstack-keystone [17:29]
<lbragstad> https://pasted.tech/pastes/dac9cd22532004767b1a0f9c8dd30bc630482e8d.raw [17:30]
<dtruong> nvm, you can fetch the trust [17:30]
<dtruong> but any operations using that trust do not work anymore [17:30]
<lbragstad> correct - which seems like weird UX [17:31]
<eandersson> we are brb =] [17:33]
<lbragstad> https://git.openstack.org/cgit/openstack/keystone/tree/keystone/assignment/core.py#n266 app creds do that automatically [17:33]
*** jamesmcarthur has quit IRC [17:49]
*** vishakha has quit IRC [18:07]
*** xek_ has joined #openstack-keystone [18:08]
*** xek has quit IRC [18:10]
<kmalloc> *cough* anyone have lots of experience with etcd? [18:24]
*** zaneb has joined #openstack-keystone [18:25]
<kmalloc> as in, anyone know where etcd gets grumpy with data changing [18:25]
<kmalloc> hmm. probably the wrong tool for the job [18:27]
<zaneb> lbragstad: if you have a moment, could you provide some clarification on https://storyboard.openstack.org/#!/story/1701498#comment-118387 ? (re: trusts with impersonation=True and allow_redelegation=True) [18:27]
<lbragstad> sure - i can take a look in a bit [18:28]
*** pcaruana has quit IRC [18:29]
<kmalloc> ok we have a security (open / public) concern i'll be filing a bug against oslo.cache, keystone, and KSM for. [18:29]
*** erus has quit IRC [18:29]
*** erus has joined #openstack-keystone [18:30]
<kmalloc> it's not (directly/easily) exploitable, but potentially could cause horrible UX for everyone if caching is enabled and has security concerns [18:30]
<kmalloc> this might be the force to move to pymemcache. [18:30]
*** Emine has joined #openstack-keystone [18:33]
*** ayoung has joined #openstack-keystone [18:34]
<kmalloc> lbragstad, cmurphy, ayoung, hrybacki: https://bugs.launchpad.net/oslo.cache/+bug/1819957 (ayoung/hrybacki that came from our convo yesterday) [18:44]
<openstack> Launchpad bug 1819957 in oslo.cache "Caching with stale data when a server disconnects due to network partition and reconnects" [Undecided,New] [18:44]
<kmalloc> cc bnemec ^ [18:44]
<ayoung> kmalloc, ++ [18:45]
<kmalloc> and this is going to need stable backports. [18:45]
<kmalloc> *sigh* [18:45]
*** jamesmcarthur has joined #openstack-keystone [18:47]
*** gmann is now known as gmann_afk [18:48]
<hrybacki> and downstream backports kmalloc **double sigh** [18:55]
<bnemec> Sounds like a job for Delegationman! ;-) [18:56]
<bnemec> kmalloc: So you're working on the fix? [18:56]
<bnemec> I just commented on the bug. [18:56]
*** mchlumsky_ has joined #openstack-keystone [19:03]
*** mchlumsky has quit IRC [19:04]
*** zzzeek has quit IRC [19:04]
*** zzzeek has joined #openstack-keystone [19:07]
<kmalloc> bnemec: yeah [19:10]
<kmalloc> not sure who else can really do so. [19:11]
<kmalloc> bnemec: hberaud might be able to, but really it's a small fix and i'm already going to be doing a massive amount of ... stuff for the pymemcache thing(s) [19:11]
*** emine__ has joined #openstack-keystone [19:12]
<bnemec> kmalloc: Yeah, works for me. We'll scrounge up some other cores to get it approved. [19:13]
*** Emine has quit IRC [19:13]
<bnemec> Apparently that's not a co-owned library though. :-/ [19:13]
<bnemec> https://review.openstack.org/#/admin/groups/686,members [19:13]
<kmalloc> yeah [19:16]
<kmalloc> ... [19:16]
<kmalloc> bnemec: that is probably because no one wants to do caching work. [19:16]
<kmalloc> and it gets done incorrectly a lot [19:16]
<kmalloc> bnemec: a single-core approval for oslo.cache is fine IMO [19:17]
<bnemec> kmalloc: After what I saw digging into that eventlet/memcache pool bug I don't blame them. :-P [19:17]
<bnemec> kmalloc: Yeah, that's always an option. Especially if the patch submitter is a core. [19:18]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: trivial: fix broken link in trust API reference  https://review.openstack.org/643148 [19:46]
<lbragstad> zaneb i need to do some more digging on the trust impersonation + redelegation bits [19:54]
<lbragstad> i remember seeing something somewhere (a bug perhaps) that alluded to the two not working well together - or being a massive foot gun [19:54]
<lbragstad> brb [20:01]
*** dklyle has quit IRC [20:09]
*** dklyle has joined #openstack-keystone [20:16]
*** jamesmcarthur has quit IRC [20:29]
*** gmann_afk is now known as gmann [20:41]
*** whoami-rajat has quit IRC [21:11]
<rm_work> cmurphy: I think https://review.openstack.org/#/c/643021/ is slightly off, commented. Thanks for taking this one though :thumbsup: [21:23]
*** rcernin has joined #openstack-keystone [21:57]
*** raildo has quit IRC [22:10]
*** lifeless has quit IRC [22:27]
*** lifeless has joined #openstack-keystone [22:27]
*** adriant has quit IRC [22:29]
*** dave-mccowan has joined #openstack-keystone [23:27]
*** xek_ has quit IRC [23:33]
<openstackgerrit> jessegler proposed openstack/oslo.policy master: Corrects tox.ini snippet to point to config file  https://review.openstack.org/643186 [23:33]
*** dave-mccowan has quit IRC [23:38]
