*** wxy-xiyuan has joined #openstack-keystone | 01:08 | |
*** rcernin has quit IRC | 01:48 | |
*** rcernin has joined #openstack-keystone | 01:48 | |
*** whoami-rajat has joined #openstack-keystone | 02:07 | |
*** rcernin has quit IRC | 02:42 | |
*** rcernin has joined #openstack-keystone | 02:42 | |
*** rcernin has quit IRC | 03:04 | |
*** rcernin has joined #openstack-keystone | 03:04 | |
*** lbragstad has joined #openstack-keystone | 03:18 | |
*** mnaser has quit IRC | 03:19 | |
*** mnaser has joined #openstack-keystone | 03:20 | |
*** gagehugo has quit IRC | 03:22 | |
*** gagehugo has joined #openstack-keystone | 03:22 | |
*** gagehugo has quit IRC | 03:25 | |
*** gagehugo has joined #openstack-keystone | 03:28 | |
*** rcernin has quit IRC | 03:30 | |
*** rcernin has joined #openstack-keystone | 03:31 | |
openstackgerrit | Lance Bragstad proposed openstack/oslo.limit master: WIP put together example and smooth out issues https://review.opendev.org/667242 | 03:53 |
lbragstad | johnthetubaguy those docs should render with the example ^ | 03:54 |
*** lbragstad has quit IRC | 03:59 | |
*** pcaruana has joined #openstack-keystone | 05:56 | |
*** pcaruana has quit IRC | 05:57 | |
*** pcaruana has joined #openstack-keystone | 05:57 | |
*** eivis has joined #openstack-keystone | 06:14 | |
eivis | Yo! Do we have here alive people ? | 06:15 |
openstackgerrit | Vishakha Agarwal proposed openstack/keystone master: Remove [signing] config https://review.opendev.org/659434 | 06:19 |
*** rcernin has quit IRC | 06:41 | |
*** altlogbot_2 has quit IRC | 06:46 | |
*** dancn has joined #openstack-keystone | 06:48 | |
*** altlogbot_1 has joined #openstack-keystone | 06:49 | |
*** altlogbot_1 has quit IRC | 06:50 | |
*** altlogbot_0 has joined #openstack-keystone | 06:55 | |
*** tesseract has joined #openstack-keystone | 07:11 | |
*** xek has joined #openstack-keystone | 07:22 | |
*** Emine has joined #openstack-keystone | 07:33 | |
openstackgerrit | Vishakha Agarwal proposed openstack/python-keystoneclient master: Blacklist bandit 1.6.0 & cap sphinx for 2.7 https://review.opendev.org/660609 | 08:22 |
*** tkajinam has quit IRC | 08:27 | |
*** tkajinam has joined #openstack-keystone | 08:28 | |
*** Dinesh_Bhor has quit IRC | 08:29 | |
*** tkajinam has quit IRC | 08:29 | |
*** imacdonn has quit IRC | 08:42 | |
*** imacdonn has joined #openstack-keystone | 08:42 | |
*** Dinesh_Bhor has joined #openstack-keystone | 09:01 | |
*** jaosorior has joined #openstack-keystone | 09:03 | |
*** jaosorior has quit IRC | 09:11 | |
openstackgerrit | Vishakha Agarwal proposed openstack/python-keystoneclient master: Follow bandit B105: hardcoded_password_string https://review.opendev.org/667304 | 09:39 |
openstackgerrit | Vishakha Agarwal proposed openstack/python-keystoneclient master: Blacklist bandit 1.6.0 & cap sphinx for 2.7 https://review.opendev.org/660609 | 09:41 |
*** gmann has quit IRC | 09:57 | |
*** Dinesh_Bhor has quit IRC | 10:16 | |
eivis | Hello | 10:55 |
eivis | It would be great to discuss about keystone ldap | 10:56 |
eivis | anyone ? | 10:56 |
*** gmann has joined #openstack-keystone | 10:58 | |
eivis | gmann | 10:58 |
eivis | be a man and discuss with me | 10:58 |
*** jaosorior has joined #openstack-keystone | 10:59 | |
*** jaosorior has quit IRC | 11:02 | |
*** jaosorior has joined #openstack-keystone | 11:03 | |
*** lbragstad has joined #openstack-keystone | 11:33 | |
*** raildo has joined #openstack-keystone | 12:07 | |
*** dave-mccowan has joined #openstack-keystone | 13:06 | |
*** dancn has quit IRC | 13:09 | |
*** whoami-rajat has quit IRC | 13:16 | |
*** dave-mccowan has quit IRC | 13:18 | |
*** dave-mccowan has joined #openstack-keystone | 13:31 | |
*** openstackgerrit has quit IRC | 13:48 | |
kmalloc | eivis: sometimes folks are on different time zones, most folks here tend to be US time zones. Please be patient. What issues are you having with keystone/ldap? | 14:07 |
*** Dinesh_Bhor has joined #openstack-keystone | 14:25 | |
*** Dinesh_Bhor has quit IRC | 14:40 | |
eivis | I understand it ;) | 14:55 |
lbragstad | johnthetubaguy so - i think i have a working example for oslo.limit | 14:56 |
eivis | well I have a pretty big count of users in AD and I would like to add two different trees in the same domain | 15:02 |
eivis | is it possible ? | 15:02 |
eivis | and on one tree I have around 14k users, is there any chance that keystone would handle it? | 15:03 |
eivis | Or is there any way to integrate LDAP, but users on keystone would appear only after first login ? | 15:04 |
eivis | I tried to increase max_request_body_size = 114688 on keystone.conf but still no luck InternalServerError: Number of User/Group entities returned by LDAP exceeded size limit. Contact your LDAP administrator. (HTTP 500) | 15:07 |
eivis | LDAP has right limit | 15:08 |
kmalloc | eivis: for appearing after the first login, using ADFS and federation via SAML would do that, but it would require ECP SAML each login | 15:19 |
kmalloc | eivis: that is a large number of users, at HPE we had at one point ~100k users in AD/LDAP that hooked into keystone, the only place we really had issues was when listing the users. | 15:20 |
kmalloc | eivis: you can add an explicit filter that would allow access for two different trees, though typically deployers use a tree per domain. | 15:21 |
*** vishakha has joined #openstack-keystone | 15:25 | |
*** xek has quit IRC | 15:26 | |
*** yan0s has joined #openstack-keystone | 15:30 | |
knikolla | have to miss the keystone meeting. have a scheduling conflict. | 15:31 |
cmurphy | okay thanks knikolla | 15:33 |
*** xek has joined #openstack-keystone | 15:34 | |
*** jaosorior has quit IRC | 15:38 | |
*** jaosorior has joined #openstack-keystone | 15:38 | |
*** Emine has quit IRC | 15:39 | |
*** openstackgerrit has joined #openstack-keystone | 15:39 | |
openstackgerrit | Lance Bragstad proposed openstack/oslo.limit master: WIP put together example and smooth out issues https://review.opendev.org/667242 | 15:39 |
*** xek has quit IRC | 15:43 | |
kmalloc | cmurphy: if you didn't see earlier, the resource-options changes are next on my list todo | 15:43 |
kmalloc | now that i am home, no more dr. appt craziness, etc. | 15:43 |
kmalloc | eivis: ldap trees that big are somewhat unwieldy to work with within keystone. | 15:44 |
cmurphy | thanks kmalloc | 15:45 |
cmurphy | meeting in 15 minutes in #openstack-meeting-alt | 15:45 |
kmalloc | cmurphy: mostly it's a sql migration (new table, data migrate) and then we just link in the code in the other subsystems we want to add ROs for | 15:46 |
kmalloc | should become a fairly easy pattern to follow. | 15:46 |
cmurphy | kmalloc: are you going to do new tables for all drivers, like we have with user_option? or one table for all? | 15:46 |
kmalloc | one table for all | 15:47 |
cmurphy | coolbeans | 15:47 |
kmalloc | as we discussed earlier, unless we changed our minds | 15:47 |
cmurphy | no i just forgot | 15:47 |
kmalloc | the sql migration will be user-ROs -> new table, and then we can replicate the pattern. | 15:47 |
cmurphy | sounds good | 15:48 |
kmalloc | each resource will need a unique identifier that can be referenced to load the options | 15:48 |
kmalloc | so, the way I see it is a resource option will become somewhat generic e.g. "immutable" and then each resource that can support it will be in a whitelist | 15:49 |
kmalloc | so the load from DB code will check to make sure the option is allowed for say, users before populating the element into the data structure when returned | 15:50 |
kmalloc | i'll add a keystone-manage command to "cleanup" any invalid options in the case we remove support for an option in the future | 15:50 |
kmalloc | or a bug mis-attributes an option to a resource that is not allowed. | 15:50 |
kmalloc | unfortunately, FKs won't work because you can't FK to multiple tables (as far as i know) | 15:51 |
kmalloc | so we'll need an in-line cleanup | 15:52 |
kmalloc | so deleting a user will need to signal to cleanup the ROs for the user. | 15:52 |
* kmalloc wonders if there is a better way to handle that | 15:52 | |
openstackgerrit | Colleen Murphy proposed openstack/keystone master: Switch order of precedence for unit test deps https://review.opendev.org/664712 | 15:53 |
cmurphy | meeting now in #openstack-meeting-alt | 16:02 |
*** yan0s has quit IRC | 16:05 | |
*** tesseract has quit IRC | 16:35 | |
*** tesseract has joined #openstack-keystone | 16:36 | |
openstackgerrit | Lance Bragstad proposed openstack/oslo.limit master: WIP put together example and smooth out issues https://review.opendev.org/667242 | 16:57 |
*** tesseract has quit IRC | 16:59 | |
*** efried has joined #openstack-keystone | 18:02 | |
efried | lbragstad: Hey mon, is https://review.opendev.org/#/c/602201/ (unified limits in nova) looking sane? | 18:03 |
efried | was this discussed at the PTG? (I would have been pretty checked out during the keystone xproj, recovering some brain) | 18:04 |
openstackgerrit | Merged openstack/oslo.limit master: Remove ProjectClaim object from oslo.limit https://review.opendev.org/665708 | 18:12 |
openstackgerrit | Merged openstack/oslo.limit master: Remove verification functionality https://review.opendev.org/665709 | 18:12 |
openstackgerrit | Merged openstack/oslo.limit master: Remove __enter__ and __exit__ methods from Enforcer https://review.opendev.org/665710 | 18:12 |
lbragstad | efried i can take a look | 18:14 |
lbragstad | efried we were just talking about an example - it's tailored for nova | 18:16 |
lbragstad | https://review.opendev.org/#/c/667242/4/doc/source/user/example.py | 18:17 |
lbragstad | ^ that's a best guess at what a service, like nova, might do to start using all this stuff | 18:19 |
openstackgerrit | Merged openstack/oslo.limit master: Add skeleton enforce() method to Enforcer https://review.opendev.org/665711 | 18:27 |
*** jdennis has quit IRC | 18:35 | |
openstackgerrit | Lance Bragstad proposed openstack/oslo.limit master: Add ksa connection logic https://review.opendev.org/666085 | 18:53 |
openstackgerrit | Lance Bragstad proposed openstack/oslo.limit master: Add ksa connection logic https://review.opendev.org/666085 | 19:24 |
openstackgerrit | Lance Bragstad proposed openstack/oslo.limit master: Flush out basic enforcer and model relationship https://review.opendev.org/666444 | 19:24 |
*** pcaruana has quit IRC | 19:38 | |
openstackgerrit | Raildo Mascena proposed openstack/keystone master: Fixing dn_to_id function for cases where id is not in the DN https://review.opendev.org/649177 | 19:45 |
openstackgerrit | Lance Bragstad proposed openstack/oslo.limit master: Add usage example https://review.opendev.org/667242 | 19:54 |
openstackgerrit | Lance Bragstad proposed openstack/oslo.limit master: Implement flat enforcement model https://review.opendev.org/667452 | 19:54 |
*** vishakha has quit IRC | 19:55 | |
cmurphy | midcycle details and doodle poll http://lists.openstack.org/pipermail/openstack-discuss/2019-June/007344.html | 20:44 |
*** openstackgerrit has quit IRC | 21:18 | |
*** jdennis has joined #openstack-keystone | 21:20 | |
*** Emine has joined #openstack-keystone | 21:45 | |
*** tobberydberg has quit IRC | 21:49 | |
*** tobberydberg has joined #openstack-keystone | 21:51 | |
*** eivis has quit IRC | 21:51 | |
efried | Thanks for the nod lbragstad | 21:54 |
*** raildo has quit IRC | 22:03 | |
*** Emine has quit IRC | 22:07 | |
lbragstad | efried yessir | 22:17 |
*** tkajinam has joined #openstack-keystone | 22:56 | |
*** rcernin has joined #openstack-keystone | 23:05 | |
*** brett-soric has joined #openstack-keystone | 23:10 | |
*** brett-soric has left #openstack-keystone | 23:56 |