Friday, 2019-06-21

*** raildo has quit IRC00:17
*** markvoelker has joined #openstack-keystone00:40
*** markvoelker has quit IRC00:59
openstackgerritMerged openstack/keystone master: Drop use opendev.org for tox deps  https://review.opendev.org/66531301:52
*** markvoelker has joined #openstack-keystone01:56
*** markvoelker has quit IRC02:01
openstackgerritzhenmei proposed openstack/keystone master: Fix create nonlocal user issue  https://review.opendev.org/66118302:05
openstackgerritzhenmei proposed openstack/keystone master: Fix create nonlocal user issue  https://review.opendev.org/66118302:07
*** liushuobj__ has joined #openstack-keystone02:24
*** liushuo_ has quit IRC02:27
*** kevinluuuuu has quit IRC02:32
*** markvoelker has joined #openstack-keystone02:57
*** markvoelker has quit IRC03:02
*** liushuo has joined #openstack-keystone03:19
*** liushuobj__ has quit IRC03:20
*** liushuo has quit IRC03:44
*** liushuo has joined #openstack-keystone03:44
*** ayoung has joined #openstack-keystone03:49
*** markvoelker has joined #openstack-keystone03:58
*** joshualyle has joined #openstack-keystone04:02
*** markvoelker has quit IRC04:02
*** dave-mccowan has quit IRC04:09
*** whoami-rajat has joined #openstack-keystone04:35
*** liushuo_ has joined #openstack-keystone04:35
*** liushuo has quit IRC04:39
*** ianw is now known as ianw_pto04:44
*** pcaruana has joined #openstack-keystone04:45
*** markvoelker has joined #openstack-keystone04:59
*** markvoelker has quit IRC05:04
openstackgerritzhenmei proposed openstack/keystone master: Fix create nonlocal user issue  https://review.opendev.org/66118305:15
*** liushuobj__ has joined #openstack-keystone05:40
*** liushuo_ has quit IRC05:43
*** liushuo_ has joined #openstack-keystone05:49
*** liushuobj__ has quit IRC05:53
*** rcernin has quit IRC05:59
*** markvoelker has joined #openstack-keystone06:00
*** markvoelker has quit IRC06:04
*** vishalmanchanda has joined #openstack-keystone06:05
*** eivis has joined #openstack-keystone06:21
eivisHello there, are there any people alive who might help me to get on my way with keystone and LDAP users policies?06:22
eivisbasically i have a problem, that I created domain where users are authenticated using LDAP. I gave my user Admin role on that domain and admin role on project which is on that domain, but still i can not update users as keystone says "WARNING You are not authorized to perform the requested action."06:25
openstackgerritVishakha Agarwal proposed openstack/keystone master: Remove [signing] config  https://review.opendev.org/65943406:36
*** dancn has joined #openstack-keystone06:48
*** markvoelker has joined #openstack-keystone07:01
*** tesseract has joined #openstack-keystone07:19
*** Krenair has quit IRC07:22
*** markvoelker has quit IRC07:28
*** tkajinam has quit IRC07:31
*** Krenair has joined #openstack-keystone07:31
*** liushuobj__ has joined #openstack-keystone07:40
*** liushuo_ has quit IRC07:44
*** tkajinam has joined #openstack-keystone07:44
*** liushuo_ has joined #openstack-keystone08:18
*** liushuobj__ has quit IRC08:22
*** tkajinam_ has joined #openstack-keystone08:30
*** tkajinam has quit IRC08:33
*** tkajinam_ has quit IRC08:35
*** imacdonn has quit IRC08:41
*** imacdonn has joined #openstack-keystone08:41
*** Krenair has quit IRC08:42
*** liushuobj__ has joined #openstack-keystone08:48
*** liushuo_ has quit IRC08:52
*** joshualyle has quit IRC09:03
*** dancn has quit IRC09:51
openstackgerritMerged openstack/keystone master: Update misleading comment about fernet credential encryption  https://review.opendev.org/66660009:59
*** Krenair has joined #openstack-keystone10:04
*** spsurya has joined #openstack-keystone10:07
*** liushuo_ has joined #openstack-keystone10:07
*** liushuobj__ has quit IRC10:11
*** chandra_keystone has quit IRC10:24
*** liushuobj__ has joined #openstack-keystone10:50
*** liushuo_ has quit IRC10:53
*** raildo has joined #openstack-keystone11:40
*** ab-a has quit IRC12:18
*** ab-a has joined #openstack-keystone12:24
*** liushuobj__ has quit IRC12:33
*** liushuobj__ has joined #openstack-keystone12:33
*** vkmc has quit IRC12:40
*** jamielennox has quit IRC12:41
*** Krenair has quit IRC12:42
*** liushuobj__ has quit IRC12:50
*** liushuobj__ has joined #openstack-keystone12:50
openstackgerritMerged openstack/keystone master: Fix E731 flake8  https://review.opendev.org/66626412:53
knikollao/13:25
*** vishalmanchanda has quit IRC13:28
*** lbragstad has joined #openstack-keystone13:28
*** markvoelker has joined #openstack-keystone13:29
*** dave-mccowan has joined #openstack-keystone13:30
*** FlorianFa has joined #openstack-keystone13:30
lbragstado/13:35
*** liushuo_ has joined #openstack-keystone13:42
lbragstadthe first 4 patches starting at https://review.opendev.org/#/c/665708/2 are ready for some eyes13:44
lbragstad(they're pretty trivial)13:45
*** liushuobj__ has quit IRC13:46
brtknrhello, just wondering what happens when a user who created an application credential disappears from a project13:54
*** markvoelker has quit IRC13:57
*** jamesmcarthur has joined #openstack-keystone13:58
*** ormandj has joined #openstack-keystone13:59
ormandjheya folks, i've got a fun one today. we've discovered when creating new credentials (ec2 in this case) with keystone stein on ubuntu 18.04LTS, py3/psql, the encrypted_blob is being stored in the database as hex14:00
ormandji've added debugging code into various sections of code and determined it gets all the way to the session/db write just fine, even stored in the sqlalchemy model just fine14:01
ormandjbut somewhere after that, hex into db. database is utf814:01
ormandjdecode the hex, and it's the encrypted_blob i'd expect14:01
ormandjit's causing keystone to fail to decrypt the credential/breaking keystone after any new credential is created14:02
*** joshualyle has joined #openstack-keystone14:02
ormandj(ops start 500ing when it can't decrypt that one cred)14:02
ormandjfor more clarity, everything else aside from gnocchi and ceilometer is stein, and rocky keystone works just fine, as soon as we move to stein keystone, bam.14:07
*** jamesmcarthur has quit IRC14:18
lbragstadormandj did anything else besides the version of keystone change?14:26
lbragstadmysql version?14:27
ormandjno, same postgresql14:27
ormandjwe don't use mysql14:27
lbragstadsqla versions are the same, too?14:28
ormandjfor clarity, we have two keystone nodes. one we have upgraded to stein, one is rocky. without changing anything else in env, if we use the rocky version, works, if we use the stein version, it breaks14:28
ormandjone sec, will get you versions/etc14:31
ormandjhttps://gist.github.com/ormandj/cabec3c9b07f4672d53c16b9a5a7c0eb14:31
lbragstadthe encrypted blob makes it through all of keystone's code path normally?14:31
ormandjyeah let me share my debug code/output14:32
ormandjone sec14:32
lbragstadit looks like sqla packages only changed by three patch versions14:32
lbragstad1.2.15 -> 1.2.1814:32
lbragstad1.2.8 -> 1.2.1814:32
lbragstad1.2.8 -> 1.2.15 *14:33
lbragstadsorry - more than three, but..14:33
*** whoami-rajat has quit IRC14:34
ormandjhttps://gist.github.com/ormandj/269c2b6a5baaa6ca79c04e31f6100ffa14:35
ormandjlog line below the area i inserted code14:36
ormandj(have plenty more logs from debug logging i added above, but that's the last place i checked to see if the data was as expected)14:36
ormandjthat starts at line 44 in keystone/credential/backends/sql.py14:37
ormandjin stein14:37
*** dklyle has joined #openstack-keystone14:37
*** joshualyle has quit IRC14:39
lbragstadok - so when the credential comes into create_credential, everything is good14:39
lbragstadhttps://opendev.org/openstack/keystone/src/branch/master/keystone/credential/backends/sql.py#L4114:39
lbragstadbut when it's converted to a ref, it becomes hex? https://opendev.org/openstack/keystone/src/branch/master/keystone/credential/backends/sql.py#L4314:40
lbragstadref.encrypted_blob is hex and credential['encrypted_blob'] is not14:41
lbragstadright?14:41
ormandjno, ref.encrypted_blob is still fine14:42
lbragstadoh - actually14:42
lbragstadyeah - you're right14:42
ormandji stopped debugging when i saw it hit the oslo_db layer14:42
lbragstadi missed the method call out in https://gist.github.com/ormandj/269c2b6a5baaa6ca79c04e31f6100ffa#file-gistfile1-txt-L1614:43
lbragstadright14:43
lbragstadi mean, that's the last spot keystone touches that reference14:43
ormandjthat was my impression14:43
ormandjso i found one stackoverflow which at least pointed me in some sort of direction14:43
lbragstadi wonder if bnemec or zzzeek have seen anything like this14:43
ormandjhttps://stackoverflow.com/questions/45613672/why-does-my-text-field-get-hex-encoded-when-storing-a-string-to-postgresql-with14:43
*** bnemec is now known as beekneemech14:44
*** liushuo_ has quit IRC14:44
ormandjbut i have no idea what's going on with oslo_db or anything else at that layer or below14:44
ormandjand it may be a completely different issue14:44
*** liushuo_ has joined #openstack-keystone14:44
zzzeeklbragstad: I've observed that keystone has some custom SQL data processors in use14:44
zzzeeklbragstad: for example there's a bug in one that deals with JSON I need to report for14:45
*** liushuo_ has quit IRC14:45
lbragstadormandj both rocky and stein are using python3 though?14:45
*** TheJulia is now known as needssleep14:46
*** liushuo_ has joined #openstack-keystone14:46
zzzeeklooks like just dates and json though, no hex14:46
lbragstadyou mean these? https://opendev.org/openstack/keystone/src/branch/master/keystone/common/sql/core.py14:46
zzzeeklbragstad: yah they dont look suspicious14:47
ormandjfwiw, dbs are utf-8, and let me get you psql version14:47
lbragstadwe don't do anything with text either14:47
lbragstadhttps://opendev.org/openstack/keystone/src/branch/master/keystone/common/sql/core.py#L6814:47
lbragstadlooks like we just alias to sqla directly14:47
zzzeeklbragstad: is this MySQL and "encrypted blob" contains binary data ?14:48
zzzeeklbragstad: that would be where this starts to go wrong perhaps14:48
lbragstadpostgres14:48
beekneemechEncoding already unicode data results in a hex value? That's...unintuitive.14:48
lbragstadexample debug data14:49
lbragstadhttps://gist.github.com/ormandj/269c2b6a5baaa6ca79c04e31f6100ffa#file-gistfile1-txt-L1614:49
zzzeeklbragstad: issue is only on PG and not mysql?14:49
lbragstadi haven't seen anything like this with mysql, but i haven't tried directly14:49
ormandjhttps://gist.github.com/ormandj/269c2b6a5baaa6ca79c04e31f6100ffa has more db info at the bottom14:49
ormandjjust added14:49
lbragstadso - when we're here https://opendev.org/openstack/keystone/src/branch/master/keystone/credential/backends/sql.py#L4314:49
lbragstadthe ref.encrypted_blob is what we (as in keystone) want it to be14:50
lbragstadand that's shown here, too https://gist.github.com/ormandj/269c2b6a5baaa6ca79c04e31f6100ffa#file-gistfile1-txt-L1614:50
ormandjrocky is python2, stein is python314:51
ormandjre: keystone14:51
lbragstadoh - so keystone is running under python2 https://gist.github.com/ormandj/cabec3c9b07f4672d53c16b9a5a7c0eb#file-gistfile1-txt-L2014:52
lbragstadand you have python3 sqla packages on rocky? https://gist.github.com/ormandj/cabec3c9b07f4672d53c16b9a5a7c0eb#file-gistfile1-txt-L11-L1514:52
*** liushuo_ has quit IRC14:53
ormandji'm sure related to some deps for something somewhere14:53
zzzeeklbragstad: uh yeah can you let me know which python version this is happening under14:53
ormandjzzzeek: python314:53
*** liushuo_ has joined #openstack-keystone14:53
zzzeekormandj: python3 only right14:53
ormandjrocky/working is running in py214:53
ormandjstein/not-working is running in py314:53
*** markvoelker has joined #openstack-keystone14:54
*** liushuo_ has quit IRC14:54
*** liushuo_ has joined #openstack-keystone14:55
ormandjto be clear, we are using the ubuntu cloud archive packaged versions re: gist with dpkg output14:55
*** liushuo_ has quit IRC14:56
*** liushuo_ has joined #openstack-keystone14:57
ormandjconsolidated everything into last gist: https://gist.github.com/ormandj/269c2b6a5baaa6ca79c04e31f6100ffa, deleting the other one14:58
*** markvoelker has quit IRC14:58
zzzeekormandj / lbragstad it would seem likely the data you are putting in the model is a Python bytes object is that possible ?  https://gist.github.com/ormandj/269c2b6a5baaa6ca79c04e31f6100ffa#gistcomment-295028514:59
zzzeekthe column is created as TEXT so should not be passed a Python bytes object15:00
*** hoonetorg has quit IRC15:01
lbragstadhttps://opendev.org/openstack/keystone/src/branch/master/keystone/credential/backends/sql.py#L30 appears to be the only TEXT field in that model15:01
ormandji'll check for you :)15:02
ormandj('cred in sql function model type: ', <class 'bytes'>)15:04
ormandjadded these lines:15:04
ormandj            testout3 = ("cred in sql function model type: ", type(ref['encrypted_blob']))15:04
ormandj            LOG.error(testout3)15:04
lbragstadso - looks like we need a patch to make sure we convert from bytes15:04
lbragstadbefore session.add(ref)15:05
ormandjwonder what that from_dict() function is defined as, could mutate it to handle python315:05
ormandjso it'll do the conversion appropriately when building out the model from a dictionary15:06
lbragstadi think session.add(ref) is what persists the credential/model to the actual database15:06
lbragstadi think to_dict() just converts from sqla models to python dictionaries15:06
ormandjit is, but i would assume you'd want the conversion to occur when you populate the model, ie: from_dict() sees a python3 byte class to populate a TEXT type, convert to not-byte15:07
ormandjwell, this is the opposite i think, the from_dict is creating the sqla model from a py dict15:07
ormandjhttps://github.com/openstack/keystone/blob/stable/stein/keystone/credential/backends/sql.py#L4315:08
lbragstadoh - nvm15:09
lbragstadi thought you were talking about https://github.com/openstack/keystone/blob/stable/stein/keystone/credential/backends/sql.py#L4515:09
lbragstadyeah - i suppose we can do this one of two ways15:10
ormandjjust trying to think what will solve most problems in most code with least lines without being obfuscated15:10
lbragstadsee if from_dict() can handle it, or handle it after we have an instance of the model and override what ref.encrypted_blob is to make sure it's not bytes15:10
ormandjyeah, i'd just be worried that everywhere you use sqla in the future you'd have to account for it15:11
ormandjvs. updating the way you populate models so it applies globally now and in future without having to keep in mind that case everywhere15:11
lbragstadhttps://pasted.tech/pastes/22c35846c1c216495f19d101bc745068ca73263a.raw15:12
lbragstadwe'd have to possibly blacklist a version of sqla15:12
* lbragstad waits for zzzeek's opinion15:13
zzzeeklooking15:13
ormandji'll let you two fine folks figure out the best way to skin this cat :)15:13
zzzeeklbragstad: not following, what version of sqlalchemy has a problem ?15:14
lbragstadwell - i'm not entirely sure15:15
lbragstadbut keystone passes a dictionary into https://opendev.org/openstack/keystone/src/branch/master/keystone/credential/backends/sql.py#L4315:15
lbragstadand ref comes back with ref.encrypted_blob as bytes15:15
ormandjthe dictionary it passes in i assume that encrypted_blob data is also bytes15:16
ormandji can also check the type on that if you'd like15:16
lbragstadbah...15:16
lbragstadone sec15:17
lbragstadthe fix probably needs to go here https://opendev.org/openstack/keystone/src/branch/master/keystone/common/sql/core.py#L191-L20315:18
lbragstadi don't think it's a sqla issue15:18
lbragstadkeystone implements the from_dict and to_dict functionality15:19
lbragstadso we could put the fix there?15:19
zzzeeklbragstad: just the other day someone was complaining why SQLA can't implement various to_dict() schemes15:19
zzzeekthis is why! :)15:19
lbragstadso - the fix should live in that method, then15:20
lbragstadi still don't know if i understand where that conversion happens15:20
ormandjhttps://gist.github.com/ormandj/269c2b6a5baaa6ca79c04e31f6100ffa#file-gistfile1-txt-L9815:20
ormandjthere is no conversion right now15:21
ormandjit's a byte class in the dictionary, and a byte class once from_dict() runs15:21
ormandjin the sqla model15:21
lbragstadaha15:21
lbragstadwhelp15:22
zzzeeklbragstad ormandj note the usual place you'd want to correct for this is in a SQLA custom type15:22
zzzeekwell, maybe not "usual", but it's the most "bulletproof"15:22
zzzeekbut having it explicit at a higher level in your from_dict() routine might be easier to debug in the future b.c. it's more visible15:23
lbragstada custom type for Credential (as in the model)15:23
zzzeeklbragstad: yes a TEXT that looks for bytes and converts to string if so15:24
lbragstadoh - sure15:24
lbragstadormandj do you know if there is a keystone bug open for this yet?15:24
ormandji didn't find one15:24
ormandj(which surprised me)15:24
lbragstadbased on this discussion, this would affect mysql, too?15:25
lbragstadi don't see a reason why this would be postgres specific15:25
ormandji don't know if you're asking me, i don't know if the different drivers would handle this differently15:28
lbragstadkeystone only has one sql driver15:28
*** cmurphy is now known as cmorpheus15:28
ormandjmysql vs. postgres i mean, the driver re: backend that sqlalchemy is using15:29
ormandj(or sqlite or w/e)15:29
lbragstadoh - wright15:32
lbragstadright*15:32
zzzeeklbragstad: this is likely somewhat PG specific but you should probably convert from bytes for all drivers regardless15:32
lbragstadyeah - i mean we only have one keystone driver for sql, we can fix it there for sure15:33
lbragstadormandj would you be willing to open a bug report?15:33
ormandjsure, i can do that15:36
lbragstadhttps://bugs.launchpad.net/keystone/+filebug if you need it15:36
ormandjlaunchpad your place of choice?15:36
ormandjkk15:36
lbragstadyep15:36
lbragstadfor now15:37
ormandjlet's see if i even have an account :) i'll let you know when i get it posted.15:37
*** gyee has joined #openstack-keystone15:46
*** clarkb has quit IRC15:53
ormandjlbragstad: https://bugs.launchpad.net/keystone/+bug/183373915:55
openstackLaunchpad bug 1833739 in OpenStack Identity (keystone) "keystone (stein), python3, and postgresql: hex in database" [Undecided,New]15:55
ormandjsufficient for you?15:55
*** markvoelker has joined #openstack-keystone15:55
lbragstadsweet15:55
*** jamesmcarthur has joined #openstack-keystone15:56
ormandjwe're hoping for a backport into stein, this is blocking our production upgrades for obvious reasons ;)15:58
lbragstadyeah - this would be a backport potential15:59
*** markvoelker has quit IRC15:59
ormandjawesome. thanks for looking at tihngs16:01
ormandjthings, as well16:01
ormandjanything else you feel would be useful to add for you/whomever?16:01
*** spsurya has quit IRC16:24
*** jamesmcarthur has quit IRC16:44
*** dancn has joined #openstack-keystone16:46
*** markvoelker has joined #openstack-keystone16:56
*** markvoelker has quit IRC17:01
* lbragstad breaks for lunch17:04
*** hoonetorg has joined #openstack-keystone17:06
*** jamesmcarthur has joined #openstack-keystone17:07
*** lbragstad has quit IRC17:09
*** raildo has quit IRC17:09
*** whoami-rajat has joined #openstack-keystone17:09
*** raildo has joined #openstack-keystone17:16
*** jamesmcarthur has quit IRC17:23
*** tesseract has quit IRC17:50
gagehugoo/17:51
*** hoonetorg has quit IRC17:54
*** markvoelker has joined #openstack-keystone17:56
*** markvoelker has quit IRC18:01
*** mvkr has quit IRC18:06
*** hoonetorg has joined #openstack-keystone18:07
*** hoonetorg has quit IRC18:10
*** hoonetorg has joined #openstack-keystone18:14
*** Krenair has joined #openstack-keystone18:17
*** mchlumsky has quit IRC18:47
*** awalende has joined #openstack-keystone18:52
*** markvoelker has joined #openstack-keystone18:57
*** hyang has joined #openstack-keystone19:10
*** awalende has quit IRC19:11
*** whoami-rajat has quit IRC19:19
*** lbragstad has joined #openstack-keystone19:23
hyangHi keystone team, I'm using Rocky release and trying to configure healthcheck disable by file for keystone following this link https://docs.openstack.org/oslo.middleware/latest/reference/healthcheck_plugins.html#disable-by-files-ports  But it does not work as the healthcheck url always returns 200 even if the disable file exists19:25
hyangwondering is that a known issue or I misconfigured something?19:26
*** markvoelker has quit IRC19:26
*** dancn has quit IRC19:27
openstackgerritMerged openstack/keystonemiddleware master: Remove Diablo compatibility tests  https://review.opendev.org/66666819:37
openstackgerritMerged openstack/keystoneauth master: Limit interval between retries to 1 minute  https://review.opendev.org/66628419:55
*** ayoung has quit IRC19:55
*** ayoung has joined #openstack-keystone20:04
lbragstadlooking at https://review.opendev.org/#/c/659434/1520:06
lbragstadi'm pretty sure https://opendev.org/openstack/keystone/src/branch/master/keystone/tests/unit/test_v3_auth.py#L5460 is broken20:06
lbragstadit doesn't look like those tests get run at all..20:07
lbragstad(they inherit from object and don't actually get invoked by a test class)20:07
cmorpheus:/20:07
lbragstadif you have them inherit RestfulTestCase, they run, but they break20:08
*** mlavalle has joined #openstack-keystone20:09
lbragstadalso...20:09
lbragstadit appears we have a policy that is completely unused20:09
lbragstadhttps://opendev.org/openstack/keystone/src/branch/master/keystone/common/policies/token_revocation.py#L19 doesn't seem to be protecting anything20:10
lbragstadwhich is good and misleading for people reading the documentation for that rule :)20:12
beekneemechYou're just full of good news today. :-P20:15
*** ayoung has quit IRC20:16
lbragstadyessir20:16
lbragstadending the week on a good note20:17
mlavallehey lbragstad. my good friend hyang has a few questions about keystone. Any help is much appreciated. Thanks in advance20:17
lbragstadmlavalle hyang o/20:17
lbragstadhyang we recently refactored how we load middleware in keystone (rocky i think)20:18
hyangHi lbragstad20:18
lbragstadkmalloc did a bunch of that work as we moved to flask (and off of paste pipelines)20:19
lbragstadhyang how are you enabling the middleware currently?20:19
lbragstadi think that link still references paste?20:20
lbragstadkmalloc didn't we talk about porting those things to configuration options?20:21
kmallocUhm .. maybe20:21
lbragstadkmalloc the flask refactor landed in rocky, right?20:21
kmallocI am looking at how the middleware works20:22
kmallocRocky and Stein.20:22
lbragstadyeah - https://docs.openstack.org/releasenotes/keystone/rocky.html#prelude20:22
lbragstadis when we started it20:22
kmallocHmm. Are we not pulling in the options for middleware?20:23
hyangso in keystone.conf there is an entry under [paste_deploy] `config_file = /etc/keystone/keystone-paste.ini`20:23
kmallocOslo.middleware is weird in some ways.20:23
lbragstadwell - it looks like that endpoint was previously enabled through paste20:23
*** markvoelker has joined #openstack-keystone20:23
kmallocOh yeah don't ever use paste.ini to pass config options20:23
kmallocThat was broken beyond belief to begin with20:24
lbragstadrocky doesn't actually use paste anymore i don't think20:24
kmallocWe aren't pulling in the conf options from Oslo.middleware20:24
kmallocInto keystone.conf processing.20:24
lbragstadhuh20:25
lbragstaddang...20:25
hyangok, so wondering how the /healthcheck url is still working for keystone?20:25
kmallocIt is, it just isn't handing the config options from Oslo.middleware20:25
lbragstadso - that endpoint is loaded by default, then?20:26
kmalloclbragstad: we need to pull in the options the same way we pull in options for say logging20:26
lbragstadok20:26
kmallocYeah it is explicitly enabled20:26
lbragstadand it can't be disabled at all20:27
lbragstadbecause we don't honor those configuration options20:27
kmallochttps://github.com/openstack/keystone/blob/master/keystone/server/flask/application.py#L17720:27
hyangaha20:28
lbragstadah - so it's not configurable20:28
kmallocSo we just need to pull in options and then it is configured in keystone.conf20:28
*** markvoelker has quit IRC20:28
*** ayoung has joined #openstack-keystone20:28
lbragstadusing oslo_middleware?20:28
kmallocYes20:29
kmallocWe use oslo.middleware's code20:29
lbragstadoh - we need to pass a CONF object here? https://github.com/openstack/keystone/blob/master/keystone/server/flask/application.py#L17120:30
kmallocNot sure, will need to look at it.20:30
kmallocI think we do need to pass it20:31
lbragstadyeah20:31
lbragstadwe do20:31
lbragstadjust pulled down a copy of oslo.middleware20:32
lbragstadhttps://opendev.org/openstack/oslo.middleware/src/branch/master/oslo_middleware/healthcheck/__init__.py#L42220:32
kmallocYeah.20:33
hyangthank you guys for looking at it, so seems like that would be a patch and for the config to support healthcheck disable, it will land in keystone.conf or still paste.ini?20:38
lbragstadwe don't support python-paste anymore, so we'll need to patch keystone to handle that20:39
hyangok got it, thx!20:40
lbragstadthis is an example of how ironic does it i think20:40
lbragstadhttps://opendev.org/openstack/ironic/src/branch/master/ironic/api/app.py#L107-L11320:40
* lbragstad looks at jroll 20:41
openstackgerritLance Bragstad proposed openstack/keystone master: Pass CONF to healthcheck middleware  https://review.opendev.org/66692020:46
lbragstad^ no idea if that will work hyang20:46
lbragstadbut it might be close?20:46
hyanglbragstad: going to grab some food, will brb20:48
lbragstadack20:48
jrolllbragstad: seems legit21:12
lbragstadsweet21:15
*** pcaruana has quit IRC21:16
*** joshualyle has joined #openstack-keystone21:17
*** lbragstad has quit IRC21:20
*** joshualyle has quit IRC21:21
*** markvoelker has joined #openstack-keystone21:24
*** joshualyle has joined #openstack-keystone21:27
*** markvoelker has quit IRC21:29
*** joshualyle has quit IRC21:29
*** joshualyle has joined #openstack-keystone21:29
openstackgerritMerged openstack/keystonemiddleware master: Remove PKI/PKIZ support  https://review.opendev.org/61367521:31
*** openstackgerrit has quit IRC21:33
*** joshualyle has quit IRC21:34
cmorpheuswoot ^21:38
*** joshualyle has joined #openstack-keystone21:39
*** joshualyle has quit IRC21:44
*** joshualyle has joined #openstack-keystone21:52
*** joshualyle has quit IRC21:56
*** raildo has quit IRC21:56
hyanglbragstad: thanks for the patch. I tried that in my Rocky environment and I got "ArgsAlreadyParsedError: arguments already parsed: cannot register CLI option". Then I revert the change and just configured the [healthcheck] section in keystone.conf rather than paste.ini and I was able to disable healthcheck by file.22:05
hyanglbragstad: maybe the patch is only needed for master/stein that have the refactored code I guess22:07
cmorpheuskmalloc: i started implementing the immutable flag for roles https://review.opendev.org/666739 but it steps on some of what is planned for https://review.opendev.borg/624162 I'm wondering where that is on your priority list and whether we should rescope the immutable resources to just focus on roles so they don't depend on other work?22:23
*** markvoelker has joined #openstack-keystone22:25
*** markvoelker has quit IRC22:30
*** gyee has quit IRC22:40
*** dave-mccowan has quit IRC22:49
*** markvoelker has joined #openstack-keystone23:26
*** joshualyle has joined #openstack-keystone23:27
*** joshualyle has quit IRC23:27
*** joshualyle has joined #openstack-keystone23:27
*** ormandj has quit IRC23:29
*** markvoelker has quit IRC23:30
*** jamesmcarthur has joined #openstack-keystone23:59
