Wednesday, 2019-10-09

[01:04] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Import LDAP job into project  https://review.opendev.org/687436
[03:06] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Import LDAP job into project  https://review.opendev.org/687436
[06:45] <openstackgerrit> Andrii Ostapenko proposed openstack/keystonemiddleware master: Do not audit service catalog endpoint id  https://review.opendev.org/687463
[08:05] <openstackgerrit> Vishakha Agarwal proposed openstack/ldappool master: Follow the PTI for docs  https://review.opendev.org/685402
[09:08] <openstackgerrit> Vishakha Agarwal proposed openstack/keystone-tempest-plugin master: Follow the PTI for docs  https://review.opendev.org/685260
[09:15] <openstackgerrit> Vishakha Agarwal proposed openstack/pycadf master: Follow the PTI for docs  https://review.opendev.org/685432
[10:08] <openstackgerrit> Vishakha Agarwal proposed openstack/keystone master: Fix wrong interface description  https://review.opendev.org/687526
[13:17] <openstackgerrit> Colleen Murphy proposed openstack/ldappool master: Follow the PTI for docs  https://review.opendev.org/685402
[13:38] <efried> o/ keystoners
[13:40] <efried> To your knowledge, does any keystone component (particularly -middleware) ever inject a project ID into any part of the req (.url, .environ['SCRIPT_NAME'], .environ['PATH_INFO'], etc)?
[13:41] <efried> mordred, lbragstad, kmalloc, cmurphy: ^
[13:44] <lbragstad> mmm
[13:44] <lbragstad> keystonemiddleware will set request headers based on the token
[13:45] <lbragstad> (e.g., your project comes from the token and gets set on the request as HTTP_X_PROJECT_ID)
[13:45] <lbragstad> https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/__init__.py#L88
[13:45] <efried> k, headers don't bother me.
[13:45] <efried> I'm trying to rip NoAuthMiddleware out of nova's tests, and one thing it was doing was injecting project_id into the URL.
[13:45] <lbragstad> depending on how you have service catalog endpoints set up, project ids can end up in the path
[13:46] <lbragstad> for example, /v2.1/{tenant_id}/servers
[13:46] <efried> right, and ksa will rip that out when doing version discovery
[13:46] <lbragstad> yeah - oslo.context also uses the request environment to inflate context objects for services
[13:46] <lbragstad> for service == in services using oslo.context
[13:47] <efried> but if the service catalog has http://foo.com/{proj_id}/ -- or you in any other way request a non-discovery thing without a version -- I'm pretty sure nova will kick you a 300 asking you to use a versioned endpoint.
[13:48] <lbragstad> https://docs.openstack.org/keystone/latest/contributor/service-catalog.html#endpoints describes how endpoints can inject project ids into the path - but i don't recommend that
[13:49] <lbragstad> ^ specifically, the last paragraph there is what you're seeing i think
[13:49] <efried> Yeah, I'm not really worried about if it's in the service catalog. (Which, right, is not recommended, but we have to continue to support because it exists in legacy deployments, sad-face.)
[13:49] <efried> It's that I'm having to adjust a test that was expecting the proj ID to be absent because it was testing a piece of the paste pipeline that was *before* NoAuthMiddleware injected that proj ID.
[13:50] <efried> now that NoAuthMiddleware is out of the picture, I have to make it expect that proj ID to be present, which changes the response (200->300 as noted above)
[13:50] <lbragstad> so - what is NoAuthMiddleware injecting for a project ID value?
[13:50] <efried> so I wanted to make sure that was still realistic
[13:50] <efried> oh, just a dummy proj ID value.
[13:51] <efried> whatever you set up your fixture with.
[13:51] <lbragstad> mm
[13:51] <efried> so my educated guess is:
[13:51] <efried> We need our API tests to make sure they will work with the legacy proj-id-in-URL as well as the more modern not-that
[13:52] <efried> so we have tests with a testscenarios framework that runs identical tests with and without that
[13:52] <lbragstad> with and without the middleware?
[13:52] <efried> with and without a proj ID in all the request URLs for all the tests.
[13:52] <lbragstad> ahh
[13:53] <efried> So my guess is that they stuffed it into NoAuthMiddleware because it was convenient, not because it was in any way equivalent to what actual auth middleware would do.
[13:53] <efried> This is further supported by the fact that NoAuthMiddleware was *also* injecting RequestContext into the req.
[13:54] <lbragstad> oh...
[13:54] <efried> That would normally come from another piece of middleware that the noauth2 pipeline didn't have in it.
[13:56] <lbragstad> nova.api.auth:NovaKeystoneContext.factory i assume
[13:56] <efried> yup
[13:56] <lbragstad> ok - looking at nova's paste file
[13:56] <efried> So my change is going through the `keystone` pipeline, and therefore hitting that middleware. I'm just mocking out the part that builds the actual context.
[13:56] <efried> ...to build the same context that NoAuthMiddleware used to build.
[13:56] <lbragstad> got it - i see the noauth2 pipeline, but that must be what you're removing
[13:56] <efried> exactly
[13:57] <efried> I can't remove the pipeline yet (that's coming in a different change) but I can stop our tests using it.
[13:57] <efried> my current change is also stubbing the ksm middleware entirely, with a TODO to use the AuthTokenFixture we talked about yesterday.
[13:58] <efried> anyway, current task was just to make sure that it actually was a bogus thing for NoAuthMiddleware to have been the thing injecting the proj ID.
[13:58] <efried> I'm now doing it up front.
[13:59] <efried> ...when creating what is effectively the "endpoint" the fixture would have gotten from the "service catalog" if such a thing existed.
[13:59] <lbragstad> so - the endpoint you're creating has the project id hard coded... right?
[14:07] <efried> lbragstad: yes
[14:07] <efried> for a subset of the scenarios
[14:07] <lbragstad> i think you're on the right track...
[14:07] <lbragstad> https://opendev.org/openstack/keystone/src/branch/master/keystone/catalog/backends/sql.py#L363-L364
[14:08] <efried> the validation stuffs the same proj ID into the sample templates. The point is just to make sure that things get called with the URLs we expect, and that calling them with and without proj IDs in the URLs works.
[14:08] <lbragstad> https://opendev.org/openstack/keystone/src/branch/master/keystone/common/utils.py#L400-L437
[14:09] <lbragstad> keystone is doing all the substitution in the server, before we give the catalog back to the end user
[14:09] <lbragstad> so - i don't think there is anything substitution-wise happening in middleware at all...
[14:09] <efried> okay, nice. So I'm right in saying that the proj ID will either be there from the start, or not be there at all.
[14:09] <efried> good
[14:09] <lbragstad> yeah - it should be there from the start...
[14:09] <efried> Thanks as always lbragstad :)
[14:10] <lbragstad> it looks like ksa and keystonemiddleware just treat endpoint['url'] as a url...
[14:10] <lbragstad> and they don't actually inspect it to see if it has a project id in it... so if you set something up to exercise a dummy url with a project id in it (the legacy way) and run your tests... you should be good?
[14:12] <lbragstad> anytime efried
[14:17] <efried> lbragstad: yes, we run all of our tests both with and without proj ID in the url, which is how I ended up here :)
[14:17] * lbragstad nods
[15:39] <gregwork> does a cloud operator require a user in a project to issue a project scoped token
[15:39] <gregwork> for themselves?
[15:44] <lbragstad> gregwork yes
[15:45] <lbragstad> gregwork https://docs.openstack.org/keystone/latest/contributor/services.html#authorization-scopes describes some of that
[15:46] <lbragstad> gregwork we also have a patch up that describes what operators get out of the box with Train
[15:46] <lbragstad> https://657b14bfa6092f8bf722-e48c4084f6218ce55719e5f9f078d786.ssl.cf1.rackcdn.com/686828/1/check/openstack-tox-docs/94b6bde/docs/admin/service-api-protection.html
[15:46] <lbragstad> https://review.opendev.org/#/c/686828/
[15:47] <lbragstad> still looking for some reviews/feedback on ^
[15:48] <lbragstad> https://review.opendev.org/#/c/676648/ is also ready for some reviews
[15:48] <lbragstad> thanks mordred for the reviews there
[15:50] <cmurphy> sorry meant to look at those yesterday, they're on my list for today
[15:54] <lbragstad> thanks!
[17:50] <lbragstad> stable/train backports of the removal of the sample policy file https://review.opendev.org/#/c/687639/
[17:50] <lbragstad> starting ^
[17:50] <cmurphy> lbragstad: i thought we weren't going to backport that?
[17:51] <cmurphy> the final rc is due like today
[17:51] <lbragstad> the policy file removal?
[17:51] <lbragstad> oh - nevermind then
[17:52] <lbragstad> i thought we discussed that here - http://eavesdrop.openstack.org/meetings/keystone/2019/keystone.2019-10-01-16.01.log.html#l-17
[17:54] <cmurphy> hmm i guess we didn't exactly come down on a hard decision
[17:54] <cmurphy> i don't mind backporting it but we'll have to get the stable team to merge it today so we can request an rc2
[17:54] <cmurphy> so that packagers have time to handle it
[17:55] <lbragstad> sure - it's up to you, my rationale behind backporting it was so that we had a unified front with the release of train
[17:55] <lbragstad> e.g., we don't ship the sample policy file anymore because we completely addressed what it was providing
[17:56] <cmurphy> yeah that makes sense
[17:56] <lbragstad> want me to head over to -release and request and rc2?
[17:56] <lbragstad> an rc2*
[17:57] <cmurphy> i was going to head to -stable first to beg for reviews
[17:57] <lbragstad> aha
[17:57] * lbragstad tags along
[17:58] <lbragstad> i think i'm the only stable core within keystone now that kmalloc is out
[17:58] <lbragstad> =/
[17:58] <cmurphy> yeah
[18:16] <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Overhaul the RBAC documentation for administrators  https://review.opendev.org/686828
[18:34] <lbragstad> gagehugo knikolla would either of you be interested in taking a peek at https://review.opendev.org/#/c/686828/
[19:02] <knikolla> lbragstad: looking
[19:02] <lbragstad> awesome - ty knikolla
[19:36] <cmurphy> knikolla: gagehugo can you review https://review.opendev.org/677585 as well?
[19:36] <knikolla> sure :)
[19:44] <lbragstad> lol - while we have you here!
[19:48] <knikolla> cmurphy: so just making sure I understand correctly. listing for access rules without any arguments will list all access rules across all application credentials, and if you want to list access rules of a specific credential you should use list(id=app_cred_id) ?
[19:50] <knikolla> actually, not, id is the access rule id as opposed to the application credential id.
[19:50] <cmurphy> knikolla: no you can't filter access rules by app cred, but you could just look up the app cred itself
[19:51] <knikolla> ah, okay.
[19:51] <knikolla> that answered my question, +2/A
[19:51] <cmurphy> thanks knikolla
[19:59] <knikolla> weren't we going to kill python-keystoneclient though? /shrug
[20:00] <cmurphy> we're a long way from that
[20:00] <cmurphy> we need this for openstackclient and horizon
[20:00] <knikolla> so openstacksdk is not there yet :(
[20:01] <cmurphy> i haven't evaluated feature parity in sdk but it's not a drop-in replacement for keystoneclient in osc and horizon
[20:03] <knikolla> that is true
[20:23] <openstackgerrit> Merged openstack/keystoneauth master: Allow initializing session with connection retries  https://review.opendev.org/676648
[22:42] <cmurphy> argh i forgot db placeholders
[22:46] <openstackgerrit> Colleen Murphy proposed openstack/keystone master: Add schema placeholders for Train  https://review.opendev.org/687691
[22:46] <cmurphy> can i get a quick review on that ^ lbragstad knikolla gagehugo
[22:49] <openstackgerrit> Merged openstack/keystone master: Overhaul the RBAC documentation for administrators  https://review.opendev.org/686828
