Friday, 2019-05-10

*** gyee has quit IRC [00:01]
*** jamesmcarthur has quit IRC [00:01]
*** lbragstad has joined #openstack-keystone [00:26]
*** ChanServ sets mode: +o lbragstad [00:26]
*** jamesmcarthur has joined #openstack-keystone [00:58]
*** whoami-rajat has joined #openstack-keystone [01:18]
*** jamesmcarthur has quit IRC [01:20]
*** jamesmcarthur has joined #openstack-keystone [01:20]
*** jamesmcarthur has quit IRC [01:33]
*** jamesmcarthur has joined #openstack-keystone [01:40]
*** jamesmcarthur has quit IRC [01:45]
*** jamesmcarthur has joined #openstack-keystone [02:11]
*** dasp has joined #openstack-keystone [02:11]
*** lbragstad has quit IRC [02:12]
*** ileixe has quit IRC [02:48]
*** vishalmanchanda has joined #openstack-keystone [03:14]
*** jamesmcarthur has quit IRC [03:19]
*** jamesmcarthur_ has joined #openstack-keystone [03:19]
*** ileixe has joined #openstack-keystone [03:32]
*** dasp has quit IRC [04:08]
*** jdwidari has quit IRC [04:10]
*** jamesmcarthur_ has quit IRC [04:23]
*** dasp has joined #openstack-keystone [04:30]
*** ileixe has quit IRC [04:34]
*** ileixe has joined #openstack-keystone [04:38]
*** shyamb has joined #openstack-keystone [04:49]
*** redrobot has quit IRC [04:53]
*** jamesmcarthur has joined #openstack-keystone [04:54]
*** tkajinam has quit IRC [05:01]
*** tkajinam has joined #openstack-keystone [05:34]
*** jamesmcarthur has quit IRC [06:10]
*** starborn has joined #openstack-keystone [07:07]
*** tesseract has joined #openstack-keystone [07:19]
*** shyamb has quit IRC [07:38]
*** jaosorior has joined #openstack-keystone [07:49]
*** tkajinam has quit IRC [08:12]
*** shyamb has joined #openstack-keystone [08:39]
*** pgaxatte has joined #openstack-keystone [08:42]
<pgaxatte> hello [08:42]
<pgaxatte> i am playing with endpoint filtering [08:43]
<pgaxatte> but i have an issue when i put return_all_endpoints_if_no_filter to False [08:44]
<pgaxatte> since i don't have any filter at first, the admin's catalog is empty [08:44]
<pgaxatte> so i cannot manipulate anything with the openstack client [08:44]
<pgaxatte> is there a way around that? [08:45]
<pgaxatte> anyone? [09:08]
*** dmellado has quit IRC [09:09]
*** dmellado has joined #openstack-keystone [09:11]
*** dmellado has quit IRC [09:11]
*** dmellado has joined #openstack-keystone [09:15]
*** raildo has joined #openstack-keystone [10:06]
*** shyamb has quit IRC [10:07]
*** shyamb has joined #openstack-keystone [10:07]
*** shyamb has quit IRC [10:30]
*** shyamb has joined #openstack-keystone [10:38]
*** aprice has quit IRC [10:48]
*** aprice has joined #openstack-keystone [10:49]
*** shyamb has quit IRC [11:26]
*** samueldmq has joined #openstack-keystone [11:39]
*** shyamb has joined #openstack-keystone [11:42]
*** redrobot has joined #openstack-keystone [11:52]
*** jamesmcarthur has joined #openstack-keystone [12:19]
*** jamesmcarthur has quit IRC [12:33]
*** mchlumsky has joined #openstack-keystone [12:35]
*** lbragstad has joined #openstack-keystone [12:39]
*** ChanServ sets mode: +o lbragstad [12:39]
<kmalloc> pgaxatte: what are you trying to solve with endpoint filtering? Most of the time it just isn't worth using. [12:47]
*** jamesmcarthur has joined #openstack-keystone [12:48]
*** NM has joined #openstack-keystone [12:49]
<pgaxatte> kmalloc i'm not sure I can give you a short version :) [12:50]
<pgaxatte> so please bear with me, here we go [12:50]
<kmalloc> Sure, take your time. :) [12:51]
<pgaxatte> we're trying to deploy new services on a k8s cluster, alongside an existing region deployed in a more legacy way [12:51]
<pgaxatte> let's say I want to deploy mistral in kubernetes [12:51]
<pgaxatte> i'd like to have a production version which would appear in everyone's catalog [12:52]
<pgaxatte> and be able to test a new version of mistral before going to production [12:53]
<kmalloc> For what it is worth, endpoint filtering just hides the endpoints. Anyone can access them if they know the URI. Nothing prevents accessing the endpoints that are not visible in the catalog [12:53]
<pgaxatte> sure [12:53]
<pgaxatte> but the test is supposed to be temporary [12:53]
<pgaxatte> run by a CI/CD soft and destroyed if everything is ok [12:54]
<kmalloc> You can also solve the same problem with policy, blocking access with roles on the new service until it is ready. [12:54]
<pgaxatte> and if a full functional test is OK, we upgrade the mistral production [12:54]
<pgaxatte> hmmm that's interesting [12:54]
<kmalloc> And also, finally, you could just override the endpoint when testing it and not add it to the catalog at all until it is ready [12:55]
<pgaxatte> i need normal user to see a catalog without the test mistral and a test user/project to see the same catalog but with the test mistral instead of the production [12:55]
<kmalloc> In general you can make it work, but the endpoint filtering API is kind of a trainwreck [12:56]
<pgaxatte> yeah it seems complicated [12:57]
<kmalloc> Overly so, and it shouldn't have ever been added how it is implemented. [12:57]
<kmalloc> So, back to using it. I know josecastroleon uses it at cern for pivoting and updating deployments. [12:58]
<kmalloc> He might be able to provide insight. I unfortunately haven't had coffee yet (it's not even 6am here yet). So my brain is only somewhat alive ;) [12:59]
<pgaxatte> haha I realllly need to talk to José then. I'm planning to visit him and his team on the CERN days soon :D [12:59]
<kmalloc> However, if I remember correctly you need to create a filter before flipping that option [13:00]
<pgaxatte> kmalloc yeah it appears so [13:00]
<kmalloc> The return_all_.... One but I admit it has been years since I used the API for anything. (I worked at HP when we used it) [13:00]
<kmalloc> I am a bit jealous, I want to go to the CERN days. [13:01]
<kmalloc> But I think I am on vacation when it is happening. Also, I live west coast US, it's a long flight :P [13:02]
<pgaxatte> haha i live 2h away from CERN so it's easy for me :D [13:03]
<pgaxatte> ok so maybe the endpoint filtering is a bumpy road but it would fit my needs [13:04]
<pgaxatte> i don't know much about keystone so I need to get more info on policies and ACL [13:05]
<kmalloc> Well, def enjoy the CERN days, should be fun! I can try and help later today, but timezone offset, I am guessing you'll be asleep by the time I'm moving (have an early errand to also take care of). [13:08]
<pgaxatte> yeah i guess i'll be off when you start your day :) [13:08]
<kmalloc> I hope josecastroleon can help you out in more real-time. I'll check in on stuff and make sure there isn't some wonky bug if I can. [13:08]
<pgaxatte> alright thanks kmalloc for your early morning insight ;) [13:09]
<kmalloc> Happy to help! [13:09]
<pgaxatte> kmalloc I'm taking a look at policies, and they seem deprecated? [13:11]
<pgaxatte> as of queens apparently [13:12]
*** shyamb has quit IRC [13:14]
*** NM has quit IRC [13:18]
*** shyamb has joined #openstack-keystone [13:22]
<openstackgerrit> Jose Castro Leon proposed openstack/keystone master: Allow to filter endpoint groups by name  https://review.opendev.org/658359 [13:24]
*** NM has joined #openstack-keystone [13:32]
*** NM has left #openstack-keystone [13:33]
*** vishalmanchanda has quit IRC [13:34]
*** jdwidari has joined #openstack-keystone [13:39]
*** shyamb has quit IRC [13:54]
<josecastroleon> Just realized that you mentioned me :D [13:56]
<josecastroleon> happy to help with endpoint filtering :D [13:59]
<pgaxatte> josecastroleon: I understand you have a use case close to what I want to achieve [14:21]
<josecastroleon> yes [14:21]
<pgaxatte> i'd like to expose a specific catalog to a project where rally/tempest will be doing tests [14:21]
<pgaxatte> and this catalog would contain some endpoints that should not be exposed to the rest of the users [14:22]
<josecastroleon> we have a base set of services that we offer and on-demand we enable some endpoints to more services to the users [14:22]
<pgaxatte> oh ok so it's not exactly the same [14:22]
<josecastroleon> it is [14:22]
*** bnemec is now known as beekneemech [14:23]
<pgaxatte> because in my case i would have 2 endpoints for the same service [14:23]
<pgaxatte> one for production and one for testing [14:23]
<josecastroleon> we have a set of endpoint groups that are offered to the users (base offering) [14:23]
<josecastroleon> nova cinder manila and so on [14:24]
<josecastroleon> and we use other filters to enable for example neutron for few users [14:24]
<pgaxatte> ok [14:25]
<pgaxatte> did you set return_all_endpoints_if_no_filter = False [14:25]
<pgaxatte> in keystone.conf? [14:25]
<josecastroleon> yes [14:25]
<pgaxatte> and I guess you grouped your endpoint per service_id? [14:27]
<josecastroleon> or per region [14:27]
<pgaxatte> but do you have at some point 2 endpoints for the same service on the same region? [14:28]
*** erus has joined #openstack-keystone [14:32]
<erus> o/ [14:33]
<josecastroleon> yes, but you can use any attribute in the endpoint [14:35]
<josecastroleon> https://github.com/openstack/keystone/blob/06b024a2231a5a3035b1e972b45a3dbdfa584e75/keystone/catalog/core.py#L279-L292 [14:36]
<pgaxatte> ok I think I can make this work with filtering and grouping [14:40]
<pgaxatte> now I need to figure out how to do that in openstack-helm :D [14:41]
*** raildo has quit IRC [14:43]
*** erus has quit IRC [14:48]
*** erus has joined #openstack-keystone [14:49]
*** jaosorior has quit IRC [14:49]
*** cmurphy is now known as cmorpheus [14:54]
*** raildo has joined #openstack-keystone [14:56]
*** imacdonn has quit IRC [15:12]
*** imacdonn has joined #openstack-keystone [15:12]
*** gyee has joined #openstack-keystone [15:17]
*** pgaxatte has quit IRC [15:18]
*** samueldmq has quit IRC [15:20]
*** raildo has quit IRC [15:24]
*** starborn has quit IRC [15:26]
*** josecastroleon has quit IRC [15:32]
*** raildo has joined #openstack-keystone [16:02]
*** xek has joined #openstack-keystone [16:10]
<mloza> Hello, how can you make openstack CLI commands not care about self-signed certs? [16:15]
<cmorpheus> mloza: with the --insecure flag [16:23]
*** raildo has quit IRC [16:23]
<mloza> cmorpheus: thanks [16:24]
*** jamesmcarthur has quit IRC [16:54]
*** whoami-rajat has quit IRC [16:58]
*** raildo has joined #openstack-keystone [17:28]
*** whoami-rajat has joined #openstack-keystone [18:09]
*** dklyle_ has joined #openstack-keystone [19:02]
*** david-lyle has quit IRC [19:04]
<mloza> Hello, I have default and testdomain as domain. I have testdomain pointed to an LDAP server. I log in to the default domain as admin and set the domain context to testdomain. I went to create a Project under testdomain but when I Project Member it is empty. [19:07]
<mloza> It's supposed to have the LDAP users [19:07]
<mloza> but when I go to Project Members it is empty* [19:08]
<mloza> Am I missing a role assignment? [19:08]
*** tesseract has quit IRC [19:12]
<mloza> I can create a project under testdomain but I don't see it listed in Horizon. It shows in `openstack project list` [19:25]
*** jistr has quit IRC [19:28]
*** jistr has joined #openstack-keystone [19:28]
*** jistr has quit IRC [19:29]
*** jistr has joined #openstack-keystone [19:33]
*** jistr has quit IRC [19:40]
*** jistr has joined #openstack-keystone [19:41]
*** imacdonn has quit IRC [19:51]
<rodrigods> i guess that now i have to go after this project deletion thing https://twitter.com/opensourceway/status/1126843586530746370 [20:45]
<cmorpheus> :) [20:46]
*** mchlumsky has quit IRC [21:04]
*** raildo has quit IRC [21:57]
*** rcernin has quit IRC [21:58]
<cmorpheus> mloza: the project members tab would probably be empty until you add a role assignment for a user to it, it won't contain ldap users automatically [22:00]
*** whoami-rajat has quit IRC [22:39]
*** lbragstad has quit IRC [22:58]
*** gyee has quit IRC [23:26]
*** xek has quit IRC [23:36]
