Thursday, 2014-02-27

« Wednesday, 2014-02-26 Index Friday, 2014-02-28 »
gyeeregion, subregion, whatever00:00
jamielennoxgyee: right, so i've been thinking on subregions and thats where it starts to feel clunky00:00
gyeejamielennox, right, the deployment options various00:01
jamielennoxgyee: ok - so what about i take service_type and endpoint= {}?00:02
gyeeregion, subregion, continent, cell, who know00:02
gyeewho knows00:02
jamielennoxi just pass endpoint as kwargs through to the catalog00:02
jamielennoxor some other way of passing kwargs to get_endpoint00:03
gyeewhatever ayoung did for the search_by_tree token revocation, you may get some inspiration there00:04
jamielennoxgyee: i like passing service_type and endpoint_type because it lets me do this: https://review.openstack.org/#/c/60752/8/keystoneclient/baseclient.py00:04
gyeethough I haven't had time to look at that code yet00:04
gyeejamielennox, service_type, endpoint_type are just attributes are an endpoint00:05
gyeethere are others00:05
jamielennoxgyee: so i'm not trying to redesign the service catalog at the moment - just allow for future expansion00:06
gyeebeing able to support a generic filter's going to give us a lot of mileage00:06
gyeejamielennox, you can have a solution without worry about the service catalog00:07
gyeejust think abstractly00:07
gyeeendpoint = url + attributes00:07
jamielennoxright, so abstract is what i'm aiming for00:07
jamielennoxand region_name feels clunky00:07
gyeeregion_name is just another attribute00:07
gyeethink of them as attributes00:08
jamielennoxwhat if i changed that whole part then to make request() take an endpoint dict00:08
gyeedon't worry the names00:08
jamielennoxif dict: pass it off to the plugin and never try to interpret it00:08
gyeesure, they may even use the policy code to do matches00:09
gyeethe code we use to do authorization check00:09
jamielennoxi think though that in general we should require supporting 'service_type' and 'endpoint_type' and then also allow kwargs00:09
gyeeI see them as attributes :)00:10
jamielennoxthe client will need to know some of this though to be able to make calls so we need to be able to fix on certain attributes00:10
gyeemake the client pass a filter00:10
gyeedictionary or whatever00:10
jamielennoxi want a keystoneclient to say it needs 'identity' service_type and never have to think about it again00:11
gyee{'serviceType': 'abc', 'attrbitue':'value'}00:11
gyeeyou just need to do the match00:11
jamielennoxis it still valid then to construct that dict from https://review.openstack.org/#/c/60752/8/keystoneclient/baseclient.py00:11
gyeeif an endpoint matches the given filter, you found it00:11
jamielennoxi can't see why not00:12
*** henrynash has quit IRC00:12
gyeeI don't think you want to hardcode service_type and endpoint_type00:12
jamielennox(and i think maybe i just ignore region_name for this patch)00:12
gyeethey are just attributes00:12
gyeeat the end, its the URL that you need00:13
jamielennoxgyee: right, but they are attributes that every client is going to want to set00:13
gyeeeverything else are there to help you find that url00:13
jamielennoxkeystoneclient is always going to want to talk to the 'identity' service00:13
gyeenot necessary, it the url00:14
gyeecall it 'identity' service or whatever, that's not important00:14
jamielennoxgyee: i'm all for keeping it flexible but unless we can define some standards for a client to follow no-one will no what to do with an auth_plugin00:15
jamielennoxthe auth_plugin in use is supposed to be kept abstract from the client00:15
*** bknudson has joined #openstack-keystone00:16
jamielennoxso it knows how to ask for certain things, and some things are left up to the plugin's interpretation to use or ignore00:16
jamielennoxand possibly endpoint_type falls into that category00:16
jamielennoxbut if i'm implementing a plugin i need to know the parameters i'm expecting to get from a client so i can make decisions00:17
gyeewhat is required?00:17
gyeeurl right00:17
gyeewhy do you care about the service_type, service_name, region_name, etc00:18
gyeeat the end of the day, you want the url can you can talk to some service to do stuff00:18
jamielennoxright00:18
*** arborism is now known as amcrn00:19
gyeeyou just need to figure out a way to find the url based on the attributes00:19
jamielennoxright, but so how do you expect a user to provide those attributes?00:19
jamielennoxif i create a client i shouldn't need to say keystoneclient.Client(endpoint={'service_type': 'identity', 'endpoint_type': 'public'})00:20
gyeeuser of the CLI/client already know that information00:20
gyeeoperating manual00:20
jamielennoxi can override that information for a client sure, but some of that should be set and known00:20
jamielennoxbecause keystoneclient should always want a very similar set of attributes00:21
jamielennoxgyee: they don't know service_type and endpoint_type00:21
gyeefor UI, that information is in the user's profile most like00:21
gyeemost likely00:21
jamielennoxthat information has always been set by the client00:21
gyeefor CLI, that information is probably sitting on a conf file00:21
gyeeright, for CLI, just a generic filter, something as simple as "attr=value;attr=value;attr=value"00:22
*** david_lyle_ has quit IRC00:23
jamielennoxgyee: so i agree for region name and some general filtering stuff it should be extensible00:23
jamielennoxbut we still need to optimize this for the keystone auth case00:23
jamielennoxand allow a plugin to ignore those attributes if it wants00:23
gyeejamielennox, sure, plugin can manipulate the filter at their discretion00:23
jamielennoxgyee: right, and i'm not saying we should ban it outright but there is no point i can see it letting people do keystoneclient.Client(endpoint={'service_type': 'compute'})00:24
jamielennoxit's just going to fail in 99% of cases00:24
gyeewhy?00:25
jamielennoxin what i'm proposing people can still force that by client.service_type = 'compute'00:25
jamielennoxbecause you've pointed a keystoneclient at a nova endpoint00:26
gyeewhat's the problem?00:26
jamielennoxgyee: alright, so i don't disagree with the theory - people can set whatever they like, but we do need the baseclient to be able to set some defaults if present00:26
jamielennoxbecause when people (probably me) implement a new client i want to say00:27
jamielennoxclass NovaClient:00:27
jamielennox    service_type = 'compute'00:27
gyeeno default, just a filter should be good enough00:27
jamielennoxand never worry about it again00:27
jamielennoxgyee: who is setting this filter though? i think it's wrong to be completely set by the user, overridable sure00:28
jamielennoxbut otherwise you are passing this filter everywhere00:28
gyeejamielennox, you hardcode the service_type, you are at the mercy of the service catalog structure00:29
gyeewhich may change on you in a hurry00:29
gyeeyou want to avoid that if you can00:29
jamielennoxno, if i hardcode the service_type then i define that a plugin should probably expect that it will receive at least the service_type parameter to a get_endpoint() call00:30
jamielennoxhow the plugin relates to the service catalog is not a current problem00:30
jamielennoxand if we get rid of the service_type then we have bigger architectural problems that the service catalog00:30
jamielennoxremember plugins can deal with this information however they see fit, all i'm defining here is what they should expect to receive in a call00:31
*** lnxnut has joined #openstack-keystone00:32
jamielennoxhow they translate the parameters that i give them into a service catalog or other lookup is not this problem00:32
gyeebut you've just demanded that they must provide a service_type00:32
jamielennoxthe client?00:33
gyeeright00:33
gyeesorry, I mean whoever subclass it00:33
jamielennoxsure, if they want to use the get_endpoint of a catalog00:33
jamielennoxs/catalog/plugin00:33
jamielennoxgyee: but this is only relevant to people who are subclassing baseclient - which is going to be openstack clients - who will want to provide a service_type00:34
jamielennoxif you are dealing with the session direct then you are free to do whatever you like00:34
gyeeright, but they'll have to manipulate the filter00:34
gyeefilter + their own service_type00:35
jamielennoxsure, they can00:35
gyeeso the filter passed in is not exactly the one it will be used00:35
jamielennoxgyee: ok, i see your point and i think it's fair to split it like this:00:36
jamielennoxsession object will take a generic dict that provides the filter00:36
jamielennoxbaseclient will define a service_type and endpoint_type that are added to the filter00:36
jamielennoxthis will make development easier for the current client model00:36
jamielennoxif service_type and endpoint_type do not fit your design then you are free to leave them as None like the current impl, or simply not subclass baseclient00:37
gyeejamielennox, but there's a problem00:37
gyeewhat if an endpoint have no service_type or endpoint_type?00:37
gyeethey you can support them without code changes00:37
gyeeyou can't00:37
jamielennoxfor all current identity.* plugins then that will fail - but that is expected00:38
jamielennoxfor non-identity plugins then it will make no difference they can use or ignore as they see fit00:38
jamielennoxnon-identity plugins are under no obligation to even pay attention to the service_type and endpoint_type if it is passed00:40
jamielennoxthey should perform best effort with what they know00:40
gyeehow about this for a compromise00:40
gyeeif service_type and endpoint_type are already in the given filter, do override them?00:40
gyeedeal?00:41
gyeedon't override them I mean00:41
jamielennoxgyee: of course00:41
gyeeshake on it!00:41
jamielennoxthat's the way base client works now00:41
gyee:D00:41
gyeeU DA MAN!00:42
jamielennoxdone, i'll do it up as passing a dict and ping you with it00:42
gyeekool00:42
jamielennoxdo i still call the dict endopint_type?00:42
jamielennoxprobably endpoint_filter00:42
jamielennoxyea00:43
gyeeendpoint_filter sound more correct00:43
*** theocean154 has quit IRC00:47
*** morganfainberg is now known as morganfainberg_Z00:50
*** dolphm_503 is now known as dolphm00:53
*** morganfainberg_Z is now known as morganfainberg01:00
*** dolphm is now known as dolphm_50301:02
*** harlowja_away is now known as harlowja01:05
*** henrynash has joined #openstack-keystone01:15
*** gokrokve_ has quit IRC01:16
*** gokrokve has joined #openstack-keystone01:16
*** thedodd has joined #openstack-keystone01:19
*** gokrokve has quit IRC01:20
*** thedodd has quit IRC01:22
henrynashayoung: so maybe using a uuid for the domain_id is overkill…we could have a smaller "domain_index" portion (that was a field in the domain table so we could look it up)...01:25
*** devlaps1 has quit IRC01:26
*** lnxnut has quit IRC01:27
*** lnxnut has joined #openstack-keystone01:27
ayounghenrynash, yep01:29
*** lbragstad has joined #openstack-keystone01:29
ayounghenrynash, domain_index01:30
henrynashayoung: would still mean that the entityID portion is restricted to something less than 64 chars...01:30
ayounghenrynash, I think that is ok01:31
henrynashayoung: which is find for SQL, but I guess might be a restriction for some LDAP scenarios….but probably not many01:31
ayounguuid is 32 chars,  what do we expect from ldap?01:31
ayoungemail address>01:31
henrynashwell it depends what they chose…but yes, I'd have thought something like that01:31
henrynashraw DN is prettyyucky01:31
*** lnxnut has quit IRC01:31
henrynash(and I have seen that be more than 64 chars as customer sites anyway…so isn't a good choose today anyway)01:32
ayoungraw DN is out, I think01:33
ayoungI mean, I suggested it at one point and was pretty firmly convinced of the error in my ways01:33
henrynashayoung: I'm kind of thinking we do it this way with the restriction that LDAP entityIDs are 32 (or maybe even 48) chars…..and if it proves painful we increase the since of the user/group ID fields for Juno01:33
henrynashayoung: but the concept is the same01:33
henrynash(agreed on DN)01:34
henrynashayoung: remind me, were we ever going to put the iDP in there as well…or is that tied to the domain?01:36
ayounghenrynash, I was thinking that one IdP could potentially support multiple domains.  I want to keep the domain Id in there...but domain_index might be the way to go.01:37
henrynashayoung: I think you are right that one iDP might support multiple domains…but that would work….the problem would be the other way round if we had multiple iDPs for one domain…THEN you might need the iDP in the user ID01:38
ayoungNope...not going to support that01:38
henrynashayoung: ok, we're good in that case01:38
ayoungif a domain is split over multiple IdPs, we treat them as a virtual single IdP.01:39
ayoungjust different mechanisms for getting at the same data.  Otherwise, they are disjoint user sets, and thus separate domains.  Make sense?01:39
henrynashayuong: I guess the question is, given a user_id do you need to get back to the specific iDP…if so, not sure how this works for domain split over multiple IdPs01:40
henrynashgiven that you have a domain_id (or index)01:41
*** henrynash has quit IRC01:53
*** dolphm_503 is now known as dolphm01:55
*** marcoemorais has quit IRC01:57
*** dolphm is now known as dolphm_50302:00
*** theocean154 has joined #openstack-keystone02:01
*** gokrokve has joined #openstack-keystone02:01
ayounggyee, morganfainberg dstanek_afk should I merge the Revocation patches?02:04
ayoungjamielennox, smae question....do you think I should merge the 3 revoke patches, since sql is kindof baseline, and the matching logic is much different?02:11
*** dstanek_afk is now known as dstanek02:11
jamielennoxayoung, i haven't looked for a few days02:11
dstanekayoung: which ones are you talking about? all of them?02:11
ayoungdstanek, yeah02:12
ayoungdstanek, specifically, the "revoke by tree" patch replaces all the "matches" logic in  model.py02:12
ayoungthere were fixdes for the matches logic...but that just gets moved to the tests in revoke by tree as a check on02:12
ayoungdstanek, and the model.py file gets some changes due to the SQL driver using the same set of properties...02:14
ayoungI origianlly split them up thinking that the revoke extension would go in long before the others...that has not happend02:14
*** henrynash has joined #openstack-keystone02:14
dstanekayoung: i'll take a look; why are you thinking of merging?02:16
ayoungdstanek, due to the things that will change in the first (extension) patch02:16
ayoungdstanek, mostly it is changes to model.py02:16
ayoungdstanek, it might not make much sense to merge now, but the second two patches haven't seen much review since YorikSar joind the revoke by tree (now a coauthor) and lbragstad went over them both02:19
gyeeayoung, I don't have any major objections02:20
gyeewill take another look after dinner02:20
ayounggyee, it will make the rebasing (constant) much simpler, too02:20
lbragstadayoung: am I +1 on those?02:20
lbragstadI can give it another once over tonight to if it helps02:20
ayounggyee, BTW< on the "domain_id"  it is covered by project_domain_id...I probably should have called it assignment_domain_id02:20
ayounglbragstad, sure...I don't think you +1ed either02:21
ayoungboth have been adjusted since your last review02:21
lbragstadayoung: ok, I'll give them another pass02:21
lbragstadayoung:  this one https://review.openstack.org/#/c/47441/ and ....02:22
ayoungmuch obliged....sql and revoke tree should show that they are out of sync due to a repost of the base patch...02:22
lbragstadhttps://review.openstack.org/#/c/55908/02:22
lbragstad?02:22
ayounglbragstad, no not remember the dn...I think I need to fix that one too02:23
lbragstadok02:23
ayounglbragstad, yeah, that one02:23
dstanekayoung: i don't think it would be bad to merge02:23
ayoungdstanek, ok...I'm going to do it...I'll keep the base commit number02:23
lbragstadit's all the efficient-revocation-check stuff isn't it02:25
lbragstadbp I mean02:25
*** richm has quit IRC02:25
ayounglbragstad, yeah02:34
ayoungbut..they really go together. the revoke check in the base patch is hopelessly naive02:35
ayoungnkinder_, are you still working on https://review.openstack.org/#/c/47441/  Remember the DN?  If not, I can take it back and close out on it02:39
*** achampion has joined #openstack-keystone02:40
jamielennoxgyee: ok, done: https://review.openstack.org/#/c/60752/02:50
jamielennox(going for food)02:50
nkinder_ayoung: I thought you said you were taking it.02:53
ayoungnkinder_, didn't remember...I will02:53
nkinder_ayoung: ok, I saw you submitted some further patches, but haven't looked at the inline comments02:55
ayoungnkinder_, still working on the revocation events...just merged the 3 patches into one02:55
*** david-lyle has joined #openstack-keystone03:36
ayounghttp://blogs.gnome.org/markmc/2014/02/20/naked-pings/  Oh yes....03:36
*** ayoung has quit IRC03:57
gyeejamielennox, will take a look later, babysitting right now, can barely type with one hand04:00
jamielennoxgyee: no problem - just letting you know04:00
*** lnxnut has joined #openstack-keystone04:29
*** lnxnut has quit IRC05:02
*** ved_ has joined #openstack-keystone05:17
*** ved_ has quit IRC05:40
*** KanagarajM_ has joined #openstack-keystone05:57
*** andreaf has joined #openstack-keystone06:23
*** saju_m has joined #openstack-keystone06:48
*** marcoemorais has joined #openstack-keystone06:48
*** marcoemorais1 has joined #openstack-keystone06:51
*** dstanek has quit IRC06:51
*** gokrokve has quit IRC06:53
*** marcoemorais has quit IRC06:53
*** chandan_kumar has joined #openstack-keystone06:54
*** gyee has quit IRC07:00
*** theocean154 has quit IRC07:01
*** theocean154 has joined #openstack-keystone07:06
*** topol has quit IRC07:17
*** harlowja is now known as harlowja_away07:23
*** gokrokve has joined #openstack-keystone07:23
*** _ved has joined #openstack-keystone07:24
*** gokrokve_ has joined #openstack-keystone07:25
_vedQuestion: In Havana, do other services like nova, neutron & cinder work with Keystone's V3 API?07:26
_vedIn other words, can they be configured to use Keystone's V3 API?07:26
*** gokrokve has quit IRC07:28
*** theocean154 is now known as tim_07:29
*** tim_ is now known as tim_p07:29
*** gokrokve_ has quit IRC07:30
*** _ved is now known as ved_07:42
*** jamielennox is now known as jamielennox|away07:43
*** tim_p has quit IRC07:58
*** ved_ has quit IRC08:03
*** saju_m has quit IRC08:10
*** saju_m has joined #openstack-keystone08:11
*** chandan_kumar has quit IRC08:16
*** jamielennox|away has quit IRC08:18
*** jamielennox|away has joined #openstack-keystone08:21
*** saju_m has quit IRC08:25
*** gokrokve has joined #openstack-keystone08:26
*** saju_m has joined #openstack-keystone08:26
*** chandan_kumar has joined #openstack-keystone08:29
*** gokrokve has quit IRC08:30
*** chandankumar_ has joined #openstack-keystone08:32
*** chandan_kumar has quit IRC08:35
*** amcrn has quit IRC08:48
*** saju_m has quit IRC08:52
*** marekd|away is now known as marekd08:56
*** tim_p has joined #openstack-keystone09:15
*** tim_p has quit IRC09:20
*** gokrokve has joined #openstack-keystone09:26
*** gokrokve has quit IRC09:31
*** andreaf has quit IRC09:34
*** morganfainberg is now known as morganfainberg_Z09:43
*** gokrokve has joined #openstack-keystone10:26
*** gokrokve_ has joined #openstack-keystone10:28
*** gokrokve has quit IRC10:31
*** gokrokve_ has quit IRC10:32
*** saju_m has joined #openstack-keystone10:35
*** tim_p has joined #openstack-keystone11:03
*** marcoemorais has joined #openstack-keystone11:04
*** marcoemorais1 has quit IRC11:07
*** tim_p has quit IRC11:08
*** marcoemorais has quit IRC11:09
*** henrynash has quit IRC11:10
*** KanagarajM_ has quit IRC11:17
*** gokrokve has joined #openstack-keystone11:26
*** gokrokve has quit IRC11:31
*** marcoemorais has joined #openstack-keystone11:34
*** henrynash has joined #openstack-keystone11:35
*** marcoemorais1 has joined #openstack-keystone11:35
*** marcoemorais has quit IRC11:36
*** marcoemorais1 has quit IRC11:40
*** gokrokve has joined #openstack-keystone12:26
*** gokrokve has quit IRC12:30
*** marcoemorais has joined #openstack-keystone12:36
*** marcoemorais has quit IRC12:40
*** tim_p has joined #openstack-keystone12:52
*** saju_m has quit IRC12:53
*** tim_p has quit IRC12:57
*** dstanek has joined #openstack-keystone13:05
*** ChanServ sets mode: +v dstanek13:05
*** dolphm_503 is now known as dolphm13:06
*** david-lyle has quit IRC13:16
*** achampion has quit IRC13:20
*** gokrokve has joined #openstack-keystone13:26
*** dolphm is now known as dolphm_50313:27
*** gokrokve has quit IRC13:30
*** dolphm_503 is now known as dolphm13:31
*** marcoemorais has joined #openstack-keystone13:37
*** browne has joined #openstack-keystone13:37
*** orion195 has joined #openstack-keystone13:40
orion195hy guys13:41
orion195anyone online for some keystone vs AD integration question?13:41
dolphmorion195: ask away! no promises on useful answers though :P13:41
orion195dolphm: :)13:41
*** marcoemorais has quit IRC13:42
orion195I have keystone serving identities13:42
orion195trough a AD13:42
orion195I can list users13:42
orion195I can upload images to glance13:42
orion195I see the instances and network13:42
orion195the only think I cannot do is: listing the projects13:42
orion195in horizon13:42
dolphmorion195: grizzly / havana / master?13:43
orion195havana, sorry13:43
dolphmorion195: do you have any need to store projects in AD? (you can also store them in SQL)13:43
orion195sure13:43
orion195no problem13:43
orion195just wondering what am I missing13:44
orion195I sure something is missing from my config13:44
dolphmorion195: i'm guessing there's something wrong with the [ldap] tenant_* config options in your keystone.conf, but...13:44
dolphmorion195: you can also set [assignment] driver to SQL, and then those variables no longer apply13:44
orion195with my username, I can issue: keystone tenant-list13:44
dolphmorion195: so keystone will use AD for users (and user groups), but that's it13:45
orion195I do see all the tenants13:45
dolphmorion195: oh okay... but not in horizon?13:45
orion195no13:45
dolphmorion195: how are you authenticating on the command line?13:45
orion195I generetad the rc file13:45
orion195from the dashboard13:45
orion195I source the .rc13:45
orion195with OS_USERNAME, OS_PASSWORD13:46
dolphmorion195: what other variables does it set?13:47
orion195OS_AUTH_URL13:47
orion195OS_TENANT_ID13:47
orion195OS_TENANT_NAME13:48
orion195(IMHO< I should not set OS_TENANT...)13:48
dolphmorion195: you must set either OS_TENANT_ID or _NAME to get authorization13:51
dolphmorion195: or ideally OS_PROJECT_ID / OS_PROJECT_NAME as those _TENANT_ is deprecated13:51
dolphm_TENANT_ variables*13:51
orion195ok13:51
orion195cool13:51
orion195this for the CLI13:52
orion195what should I set in the horizon then?13:52
orion195is this: OPENSTACK_KEYSTONE_DEFAULT_ROLE = "member" correct?13:52
dolphmorion195: i'm not sure how horizon uses that13:52
orion195do you have any ideas on why I cannot list the projects?13:53
*** bknudson has quit IRC13:57
orion195dolphm: ? :)13:59
*** nkinder_ has quit IRC13:59
dstanekorion195: you can list them throuh the keystone cli, but not through horizon?14:05
orion195yes14:15
orion195right14:15
*** lbragstad has quit IRC14:15
dstanekorion195: it sounds like maybe a misconfiguration in horizon? i don't know much about horizon though14:16
*** bknudson has joined #openstack-keystone14:19
*** gokrokve has joined #openstack-keystone14:26
*** gokrokve has quit IRC14:31
*** marcoemorais has joined #openstack-keystone14:38
*** lbragstad has joined #openstack-keystone14:39
*** tim_p has joined #openstack-keystone14:40
*** marcoemorais has quit IRC14:42
*** tim_p has quit IRC14:45
marekddolphm: https://review.openstack.org/#/c/71353/43/keystone/common/authorization.py wasn't creds['group_ids'] something that might be used in a non-federated use-case in the near future?14:48
dolphmmarekd: yeah, i'll reply14:51
marekddolphm: thanks.14:52
dolphmmarekd: done14:54
marekddolphm: cool!14:55
dolphmmarekd: i'm setting up a federated apache server today to test your patch -- any config you can share would be helpful!14:55
marekddolphm: sure.14:55
dstanekFederated Apache!14:55
marekdBTW - did you have a chance to read my e-mail about securing /auth/tokens with mod_shib ?14:55
dolphmmarekd: it sounds like we have to use the original design?14:57
*** nkinder_ has joined #openstack-keystone14:57
marekddolphm: something like that...at least not /auth/tokens14:57
dolphmmarekd: unless ayoung can demonstrate what he's talking about, he doesn't have much of an argument14:58
dolphmmarekd: both solutions provide for the same end-user experience AFAICT, so I don't care which we choose as long as it's technically viable... which is why i want to stand up an apache instance today14:59
bknudsoneven trying to use REMOTE_USER with regular http auth doesn't work with /auth/tokens14:59
bknudsonbecause /auth/tokens is used for more than just getting a token15:00
marekddolphm: i will look for some configs i was using to setup websso apache.15:00
marekddolphm: are you  going to setup something accessible from the internet or a local apache instance?15:01
*** ayoung has joined #openstack-keystone15:02
dolphmmarekd: i'm writing an ansible playbook to deploy to vagrant, so you'll be able to reproduce locally15:02
marekddolphm: fantastic!15:03
*** gokrokve has joined #openstack-keystone15:11
*** gokrokve_ has joined #openstack-keystone15:12
dstanekdolphm: does this just happen every night? https://review.openstack.org/#/c/64347/15:12
*** browne1 has joined #openstack-keystone15:12
*** lnxnut has joined #openstack-keystone15:14
*** gokrokve has quit IRC15:15
*** dstanek has quit IRC15:19
*** dstanek has joined #openstack-keystone15:20
*** ChanServ sets mode: +v dstanek15:20
*** browne has quit IRC15:21
*** chandankumar_ has quit IRC15:21
*** achampion has joined #openstack-keystone15:22
*** stevemar has joined #openstack-keystone15:23
*** ChanServ sets mode: +v stevemar15:23
*** david-lyle has joined #openstack-keystone15:29
*** chandankumar_ has joined #openstack-keystone15:29
*** richm has joined #openstack-keystone15:32
*** topol has joined #openstack-keystone15:35
orion195dolphm: ping15:40
orion195ping *15:40
orion195I'm having trouble gettin the corresponding roles out of AD15:40
orion195my user is admin on the tenant15:41
orion195and in the AD is also added to the role= _member_15:41
orion195unfortunately, once I query the keystone with: keystone user-role-list, I only see the admin account there and not the _member_15:41
richmhelp - I keep getting strange db errors from my jenkins run for my commit submission15:43
richmhttp://logs.openstack.org/02/76002/2/check/gate-keystone-python27/f81a9c8/console.html15:43
*** zhiyan has joined #openstack-keystone15:43
richm2014-02-27 01:59:42.888 | OperationalError: (OperationalError) unable to open database file None None15:43
richmThese errors don't seem to have anything to do with my commit, so I am confused about how to proceed15:43
bknudsonrichm: for some reason your commit removed keystone/tests/tmp/.gitkeep15:45
richmarg15:45
bknudsonwhich probably causes the tmp directory to not be there15:45
richmbecause I mounted it as a ramdisk for testing purposes15:45
richmok15:45
richmso this is another one of those git update-index --assume-unchanged things I need to do15:48
bknudsonI usually revert the change after doing the ramdisk15:48
richmI don't suppose there is some way to change the tmp dir without having git involved . . .15:49
dolphmrichm: sounds like you used git commit -a and included changes irrelevant to your patch15:56
richmdolphm: probably, yes15:56
richmhmm - doesn't rm automatically stage the deletion?15:57
dolphmrichm: git rm or rm?15:58
richmrm15:58
dolphmno15:58
richmok15:58
richmthen I must have done a git commit -a, and will not be so careless in the future15:58
bknudsonI usually do a git reset --hard after the ramdisk setup15:58
* richm would rather not have to touch any unnecessary files in git . . .15:59
bknudsonour tmp directory should really be /tmp15:59
bknudsonnot keystone/tests/tmp15:59
richmshould be configurable15:59
richme.g. /dev/shm/keystone-tmp15:59
bknudsonan env var or whatever for the directory would work for me.16:00
bknudsonthe file might be read out of a config file...16:01
bknudsonwhich we shouldn't have all these test config files either.16:01
*** nkinder_ has quit IRC16:01
dolphmi only got as far as wsgi & paste config yesterday, but i'll eventually have a federation branch here https://github.com/dolph/keystone-deploy16:03
dolphmmarekd: ^16:03
ayoungorion195, dolphm is not the LDAP go-to-guy16:03
*** nkinder_ has joined #openstack-keystone16:03
ayoungbut I might be able to help, although my AD know-how is limited16:03
dolphmayoung: ++16:04
orion195ayoung: :)16:04
orion195this is what I followed: http://behindtheracks.com/2014/02/openstack-active-directory-integration/16:04
marekddolphm: ack16:04
ayoungorion195, looking16:04
orion195ayoung: thank you16:05
ayoungorion195, so are you using LDAP for the assignment backend, or are you using SQL?  And, if you are Using LDAP, would you be OK with switching over to SQL?16:06
ayoungnote...I am talking about leaving users and groups in AD, just the Assignments16:07
orion195I'm fine using AD only for user/group auth16:07
ayoungcuz...if you are talking to AD, you probably want it in REad only mode16:07
orion195and I don't want to generate a lot of load on it16:08
ayoungexcelleent...so do you have  the assignments driver explcictly set to sql?16:08
ayoung [assignment]16:08
ayoung167 driver = keystone.assignment.backends.sql.Assignment16:08
orion195mmm ok16:09
*** tim_p has joined #openstack-keystone16:09
orion195do I have to comment the lines about tenant_tree and role_ ?16:09
*** zhiyan has quit IRC16:09
orion195ayoung: I have to comment out the sql driver for assignment as now it is comment16:09
orion195ed16:09
ayoungorion195, ok, once yiou do that, none of the role assignments you set up in LDAP will be in effect.  You probably need to use a service token to add a role to your Admin user before you can do anything16:10
ayoungso16:10
ayoungat the top of your comnfig file, you see:16:11
*** zhiyan has joined #openstack-keystone16:11
ayoung [DEFAULT]16:11
ayoung  2 admin_token = freeipa4all16:11
ayounger16:11
ayoungadmin_token = freeipa4all16:11
*** tim_p has left #openstack-keystone16:11
ayoungthe freeipa4all  is my stock throwaway password16:11
ayoungbut usually it is set to a uuid, and then commented out16:11
orion195I do have the token16:11
orion195ayoung: just a confirmation: I do have to comment the tenant_tree and role_tree right?16:12
ayoungcool, use that token to assign the admin role to your admin user in some project, and then comment it back out, restart keystone, and restart16:12
orion195I need to leave commented out only the user_tree16:12
ayoungyou do not need to comment the tenete etc data16:12
ayoungit is just ignored16:12
orion195ah ok16:12
ayoungHTH16:12
orion195ok doing what you said16:12
orion195just a sec16:12
orion195ayoung: ImportError: No module named driver = keystone.assignment.backends.sql16:16
orion195ah16:16
orion195mistake, I mispelled it16:16
orion195ayoung: I didn't mispelled anything, it was correct16:17
ayoungdriver = keystone.assignment.backends.sql.Assignment16:17
ayoungorion195, ^^16:17
orion195cool16:17
orion195ok16:18
orion195I do see now my tenant admin and service admin16:18
ayoungorion195, good to go?16:18
orion195ayoung: keystone user-role-list returns: 'Client' object has no attribute 'auth_tenant_id'16:19
ayoungorion195, what versions are you running with?16:19
orion195openstack-keystone-2013.2.2-1.fc20.noarch16:20
*** zhiyan has quit IRC16:20
orion195just a sec16:20
ayoungorion195, comment out the service token and user username and password like I said earlier:   https://lists.launchpad.net/openstack/msg17047.html16:20
orion195keystone user-role-add --user=myuser --tenant=admin --role=admin16:23
orion195returned ok16:23
orion195but: keystone user-role-list, returns: 'Client' object has no attribute 'auth_tenant_id'16:23
dolphmorion195: user-role-list --user=myuser ?16:23
orion195the same16:24
dolphmall i remember is that call has very strange semantics about what you're asking for, and what it does to get that info16:25
dolphmit's overloaded as both an end-user call and an admin call, and tries to figure out what you actually wanted16:25
bknudsondolphm: got a minute to discuss enabled atttibute in /v3/endpoints?16:26
dolphmbknudson: sure16:26
bknudsondolphm: so my first stab was to do what I thought was the "right" thing to do16:26
bknudsonwhich is, make enabled a real attribute in the model16:27
bknudsonrather than storing it in the "extras"16:27
dolphmbknudson: ++16:27
bknudsonok, so that makes sense, but now we've introduced an incompatibility16:27
dolphmbknudson: ?16:27
bknudsonbecause you could store anything in "enabled" before...16:27
bknudsonyou could set it to "puppies" if you wanted16:27
dolphmbknudson: ah16:27
bknudsonwhereas it would be a boolean in db16:28
dolphmbknudson: there's some terrible "guess if this is a boolean or not" code in some migration16:28
ayoungorion195, if yousend in the ENV vars for Service token, I think they take preference.  Make sure you unset them, and have it commented out of the config file, so you can't be possibly using the service token by accident16:28
*** henrynash has quit IRC16:28
bknudsondolphm: so one thing I could try -- haven't done this yet -- is do the translation in the controller.16:28
dolphmbknudson: if s.lower()[:1] in ['y', '1', 't'] then endpoint.enabled=True16:29
bknudsondo the "guess if it's a boolean" in the controller.16:29
dolphmbknudson: do it in a migration16:29
bknudsondolphm: that's in the migration -- https://review.openstack.org/#/c/75727/3/keystone/common/sql/migrate_repo/versions/041_endpoint_enabled.py16:29
orion195ayoung: after I assigned the user to admin role16:29
bknudsondolphm: used strutils.bool_from_string(enabled, default=True)16:29
orion195I have to comment out the ENV var pointing to the SERVICE TOKEN?16:29
dolphmbknudson: there you go16:29
bknudsondolphm: apparently there are tempest tests that pass in different values.16:29
dolphmbknudson: ugh.. like what?16:30
bknudsondolphm: I'll check the logs. I haven't taken a close look yet.16:30
dolphmbknudson: are they actually asserting they can store strings in 'enabled' ?16:30
lbragstadbknudson: this could be another things we could use the jsonschema Validator for... It might take some time to get that working but I suppose we could not your translation so we don't forget to switch it over to validating with jsonschema if that is the route we go? I did some playing with it last night but still have some work to do16:31
lbragstads/not/note/16:31
bknudsondolphm: alright, I'm going to look into this more.16:32
bknudsonI thought they were passing some different values but maybe not.16:32
*** thedodd has joined #openstack-keystone16:32
dolphmlbragstad: ++16:33
bknudsonso looks like in this case they passed u'True'16:33
bknudsonso maybe all we need to do is translate in controller.16:33
lbragstadhttps://github.com/openstack/nova/blob/master/nova/api/validation/parameter_types.py#L19-L2316:34
*** devlaps has joined #openstack-keystone16:34
bknudsonI don't know how we're going to do input validation in a backwards compatible way16:34
bknudsonor how we're going to do input validation when we've got an "extras" column.16:34
dolphmbknudson: fix tempest and return a 400- it's not part of our spec, and our client does the right thing. they shouldn't be asserting misbehavior16:35
bknudsondolphm: alright.16:36
orion195ayoung: ping16:36
ayoungorion195, http://blogs.gnome.org/markmc/2014/02/20/naked-pings/16:37
orion195:) sorry16:37
orion195I think I'm lost after what you told me16:38
ayoungorion19516:38
ayoungcan you talk to the keystone server using userid/password?16:38
orion195is unauthorized for tenant admin16:40
*** henrynash has joined #openstack-keystone16:41
dolphmayoung: need a znc filter for "ping"16:42
ayoungdolphm, nah, we just need to teach people to just say what they want on their first message16:43
orion195ayoung: you're right :)16:43
ayoungorion195, I could get used to hearing that.16:43
orion195do you have anything in mind that I should check for this: unauthorized ?16:44
dolphmayoung: ping16:45
dolphmayoung: can I ask you a question16:45
dolphmayoung: can you help with my question?16:45
ayoungdolphm, its twice as annoying as I now have my headphones in, and each "opin" makes a sound effect16:46
ayoungping: unknown host ayoung16:46
orion195uhm, I apologized for that, but it seems to be still funny :)16:46
dolphmayoung: that would be a fun script16:47
ayoungorion195, are you tracking, or are you still stuck?  Do you have SERVICE_TOKEN clearly disabled?16:48
orion195yes, I have it disabled16:48
orion195the ENV var I have are: OS_TENANT_ID, OS_PASSWORD, OS_AUTH_URL, OS_USERNAME, OS_TENANT_NAME16:49
ayoungand keystont token-get works fine, right?16:49
ayoungkeystone token-get works fine, right?16:50
orion195is unauthorized for tenant admin (HTTP 401)16:51
ayoungorion195, well there you go16:53
ayoungwith  SERVICE_TOKEN once more enabled, add the admin role to the admin user.16:54
orion195ok16:55
orion195I try it16:55
orion195already has role 830a8384808745599983d34047c86dc4 in tenant 32b45a4fdf5c471a86bd50d27e3278ac (HTTP 409)16:56
ayoungdolphm, so I am discussing with our internal QA how to get them more involved upstream.  One thing that has come up is that we use Nitrate for Test planning.  https://fedoraproject.org/wiki/Nitrate  There doesn't seem to be a way to take what they are doing and make it public without losing a lot of functionality.16:58
ayoungThere are some screenshots buried on the fedorahosted site16:58
ayounghttps://fedorahosted.org/nitrate/raw-attachment/wiki/WikiStart/Screen%20Shot-Test%20Run.png16:59
ayounghttps://fedorahosted.org/nitrate/raw-attachment/wiki/WikiStart/Screen%20Shot-Test%20Plan.png16:59
orion195ayoung: if you're online tomorrow, we can keep debugging the problem, it's time to leave the office now :) thank you16:59
ayoungorion195, I think you can solve this one yourself.  You have the tools now.  But feel free to bug me if you are stuck.17:00
dolphmayoung: rackspace had the same challenge - our QA used their own tooling instead of tempest... the answer was just to contribute to tempest17:00
ayoungdolphm, but tempest is the end product17:01
ayoungbefore writing the test, they want to make sure they are testing the right thing.17:01
ayoungthen end result is that they know exactly what to write when they get there...I had that discussion with them17:01
dolphmayoung: how does 'nitrate' address that?17:02
dolphmayoung: that doesn't seem like a problem for more tooling17:02
ayoungdolphm, yeah, I'm not certain that I would have jumped to Nitrate myself, especially for an Open Source proejct,  more that the question is "how do we write up test plans"17:03
ayoungthey want to say "we are going to run through these steps"  to test , say a new blueprint17:03
ayounggoing so far as writing code is too much of a commitment17:03
ayounglet me see if I can find a good example17:03
ayoungI'd almost thinkg that they should be blueprints themselves...but the UI there is clunky and also...they would want to link to an existing blueprint17:04
ayoungI have a QA guy working on an RBAC based test case17:06
dolphmayoung: i know what you mean - it seems fair for tempest blueprints to just cite blueprints in other projects17:06
ayoungyeah.17:06
dolphmayoung: or write the test plan in a commit message to tempest or something17:06
ayoungdolphm, this has destroyed the formatting, but https://etherpad.openstack.org/p/RBAC_TEST17:07
dolphmayoung: right, that would be a great docstr in a tempest test17:07
dolphmayoung: commit message would be less useful in the long run, i take that back17:08
ayoungI would love to be able to link this off the blueprint.17:08
ayoungthe blueprint should have a testplan link17:08
dolphmayoung: blueprints link to commits already17:08
ayoungright...the testplan would be implemented in tempest, though,17:09
ayoungand this would be the planning for the testing...so...maybe we could do it in the spec document?17:09
ayoungOr in the whiteboard?  Yuck17:09
dolphmayoung: right, so write an empty test method (pass) with a test plan in the docstr and keep it as WIP until it's verified as 'the right thing to test'17:09
richmok - now jenkins pep8 is complaining that I have missing help strings for several config attributes that I didn't touch . . .17:10
henrynashdolphm: see my comment to the dev list on the multi-domain…interested in your view of a 64-bit composite ID (i.e. don't increase the size of the field) vs the mapping table approach17:10
ayoungdolphm, but these are not written by the developer17:10
henrynashdolphmL…err I meant 64-char17:10
ayoungits a different person coming up with the test than the code17:11
bknudsonrichm: tox -e sample_config17:11
henrynashayoung: this expands on what we were discussing yesterday17:11
dolphmhenrynash: that just seems to be regressing to the same idea we just rejected -- it's fragile and impacts other projects17:11
*** marcoemorais has joined #openstack-keystone17:12
henrynashdolphm: why does it affect other projects17:12
dolphmayoung: okay.. so?17:12
dolphmhenrynash: you're making id's longer, right?17:12
ayoungdolphm, not certain the solution...but if I can fingure it out, I can get out QE much more engaged.17:12
henrynashdolphm: nope17:12
ayounghenrynash, well, yes you are17:13
ayoungeven if it still fits in 64 chars, right now they are 32 chars17:13
henrynashayoung: not if you use the LDAP driver17:13
ayoungbut...we never told Nova that they would be 32 chars, and LDAP has already borken that as henrynash17:13
ayoungyes17:13
dolphmhenrynash: so morganfainberg_Z's proposal that follow jaypipe's suggestion was to always use UUID's for externally exposed ID's -- the mapping table approach17:14
henrynashayoung: can't the user chose the ID they want (e.g. email address, CN)17:14
dolphmhenrynash: that way nova is not affected, and you can't have 66 char id's, etc17:14
henrynashdolphm: yep, he and I discussed that at length17:14
ayoungdolphm, so nova needs to expand their ID field to 64 chars minimum, or LDAP based IDs are going to break17:14
ayoungUUIDs are...dumb17:14
henrynashdolphm: so nova is broken today, since the default LDAP driver can return more than 32 chards17:14
dolphmwhether or not nova migrates to match the length of our varchar ID's shouldn't be a blocker for us17:14
ayounglets not force that, as we already have moved beyond it in LDAP....which is fairly heavily used as is17:15
henrynashdolphm: nothing to do with multi-backends17:15
dolphmhenrynash: i understand17:15
ayoungbut...we can put a firm limit on ids at 64 chars, and do the composite approach for multi backends without breaking anything else17:15
dolphmhenrynash: fix the problem in keystone by introducing the mapping table, rather than depending on a fix in nova (and then fix nova anyway)17:16
ayoungdolphm, too late17:16
dolphmayoung: too late for what?17:16
ayoungthe userids from Keystone are already exported to Nova17:16
ayoungjust thye havn't hit the size limit\17:16
ayoungwe'd have to make everyone currrently using LDAP do a migration across all projects17:16
dolphmayoung: i understand, so stop emitting those ID's and start using new ones17:16
ayoungtell that to CERN.  I'm sure they'd be thrilled17:17
dolphm(side rant- other projects shouldn't track users, at all...)17:17
dolphm(related: keystone shouldn't emit identity information in tokens)17:18
henrynashdolphm, ayoung: IF we go with the mapping table, as dolphm says, we need to fix nova anyway…and for the default driver we would NOT do the mapping (i.e. keep this IDs as they are today)17:18
henrynashdolphm: like the backward_compatible option in the current patch17:18
dolphmhenrynash: that sounds like the safest approach17:19
ayoungdolphm, it is a mistake in another way.  THe Userid out of LDAP is something that anysystem can query.  THe Keystone admin can let the organization know , this is the LDAP query to find a user in LDAP based on their userid.  If we do a mapping table in Keystone, they need to lookup the uuid<->mapping in keystone.  You've just put keystone in the hot path.  And for the autditing of events, it is going to be even more painful.  I th17:20
ayoungink I want to kep the current approach as is.17:20
ayounglets treat the column size in Nova as a bug to fix, but focus on "64 char limit" as our design constraint17:20
dolphmayoung: keystone is supposed to be the abstraction layer between openstack and an existing identity system -- you're advocating for that abstraction to leak quite badly17:21
ayoungdolphm, yep.  And I am OK with that.  THe leak is going to be deployment specific.  Nothing we have to support directly, just something we don't want to break.17:22
dolphmayoung: it's not deployment specific, as you're forcing the leak onto openstack, and other projects naively exploit it17:23
dolphmthe leak has nothing to do with LDAP and everything to do with the token architecture17:23
ayoungNo...they don't  the leak is deplopyment specific as it comes from values specified in the LDAP mapping in the config file.  I'm all for information hiding when appropriate, but in this case, it doesn't buy us anything17:23
dolphmayoung: we're constrained by nova because we're leaking identity information to nova, period17:24
ayoungnothing about this is token architecture.  Making the ephemeral users in Keystone has always been a bad idea, and we should not be pushing to that17:24
ayoungdolphm, the API doc says only that Ids are blobs.  We've standardized on 64 character max implicitly.  Nova has assumed 342 cahr.  That is a disconnect.  I think we need to make it a hard liomit of 64 chars.17:25
*** ayoung is now known as ayoung-lunch17:27
ayoung-lunchgroups is leaving....17:27
ayoung-lunchI'll be back ina few17:27
*** gokrokve_ has quit IRC17:37
*** gokrokve has joined #openstack-keystone17:37
*** gokrokve has quit IRC17:41
bknudsonlooks like with the xml serializer you need to do <endpoint enabled='true'> rather than <endpoint><enabled>true</enabled>17:53
bknudsondeserializer17:53
*** tim_p has joined #openstack-keystone18:00
*** marekd is now known as marekd|away18:02
*** arborism has joined #openstack-keystone18:05
dstanekbknudson: looking at https://review.openstack.org/#/c/70610/2/keystone/tests/test_wsgi.py again18:05
*** arborism is now known as amcrn18:05
dstanekbknudson: what i was saying is that after the other review goes in you comment is no longer true18:05
bknudsondstanek: I'll try it with the other patch.18:06
dstanekbknudson: it looks like oslo (as we are using it) does two gettext lookups for some of our _()18:07
*** arosen has joined #openstack-keystone18:07
bknudsondstanek: I haven't seen that.18:08
dstanekbknudson: you made a test that proves it :-)18:08
bknudsondstanek: well, it has to do 1 lookup to get the message to be sent back to the user based on their accept-language18:09
bknudsonnot sure what the other is for.18:09
bknudsonI don't have a check that says it's called multiple times.18:09
dstanekbknudson: you don't check for it, but you had to implement two different classes; one for en_US and the other that you actually wanted to test18:11
*** tim_p_ has joined #openstack-keystone18:11
dstanekbknudson: http://git.openstack.org/cgit/openstack/oslo-incubator/tree/openstack/common/gettextutils.py#n16818:11
*** harlowja_away is now known as harlowja18:12
dstanekif _() is passed just a message id then it does an initial lookup for the default local or en_US (the default)18:12
*** tim_p has quit IRC18:12
dstanekeventually when the string is rendered it does a lookup for local of the user18:13
arosenHi, I was chatting with dolphm in openstack-dev but figured I should continue the conversation here.18:15
arosenWe have the need in neutron to notify nova when certain events occur in neutron for example,  something like the instance's port is ready then nova can start the instance.18:15
arosenThe problem is if we have multiple nova regions then we need to make sure we send the notification to the right region. I've added code so that nova tells neutron which region each of it's ports are in. Though what I'm trying to avoid is having neturon  query keystone for the endpoint for a specific region if i can.18:15
arosenI see that X_SERVICE_CATALOG is include in the header that neutron receives (I hear it's part of the token). I was wondering if relying on this would be okay?18:16
arosenI see that's one can disable this info from coming in which kind of concerns me a little though :/18:16
arosenWhich seems in that case we'd have to query keystone or have the nova regions manually configured in neutron or just says that's not supported.18:17
arosenjust wanted to ping the keystone guys to see if you could give me any insight on what's the best approach :)18:17
bknudsondstanek: ok, I think I see... wondering why there's an IdentityTranslator and LangTranslator.18:18
bknudsonbecause apparently it's getting called with a different language then the one we're expecting.18:19
bknudsonthere's a lot of code involved here.18:19
*** tim_p_ has quit IRC18:21
*** tim_p has joined #openstack-keystone18:22
dstanekbknudson: yeah, Message.__init__ is strange to me18:22
bknudsondstanek: it might get the english language "translation" just to cache it or something.18:23
*** bvandenh_ has quit IRC18:29
*** tim_p_ has joined #openstack-keystone18:29
*** tim_p_ has quit IRC18:29
*** gokrokve has joined #openstack-keystone18:30
*** gokrokve has quit IRC18:30
*** gokrokve_ has joined #openstack-keystone18:30
*** tim_p_ has joined #openstack-keystone18:30
*** ayoung-lunch is now known as ayoung18:32
*** tim_p has quit IRC18:32
*** chandan_kumar has joined #openstack-keystone18:35
*** saju_m has joined #openstack-keystone18:37
ayoungnkinder_, wouldn't hurt for you to re +1 this.  https://review.openstack.org/#/c/47441/18:38
nkinder_ayoung: checking...18:39
nkinder_ayoung: sure, I'll look over the changes.  What did you change since my patch?18:40
ayoungNot much.  Just made one of the suggestions that gyee made.   Put the args in a list and iterate through them... Was just outside the code you touched18:41
ayoungalso rebased, which was the big thing nkinder_18:41
*** saju_m has quit IRC18:41
*** tim_p has joined #openstack-keystone18:43
*** tim_p_ has quit IRC18:47
*** saju_m has joined #openstack-keystone18:51
henrynashdolphm: so getting back to the multi-backend and ID question, your view remains that we should use the mapping approach?…and I think your argument is that (although we will have to grandfather in our existing users), keystone should be insulating its clients from the actually underlying identifiers from foreign identity providers (and I include LDAP as such thing in this case)18:54
*** tim_p has quit IRC18:55
*** tim_p has joined #openstack-keystone18:55
*** tim_p has quit IRC18:59
*** tim_p has joined #openstack-keystone18:59
*** tim_p has quit IRC19:01
*** ved_ has joined #openstack-keystone19:22
*** chandan_kumar has quit IRC19:24
*** zhiyan_ has joined #openstack-keystone19:25
*** saju_m has quit IRC19:35
*** ved_ has quit IRC19:45
*** chandan_kumar has joined #openstack-keystone19:50
dolphmhenrynash: correct19:52
*** mriedem has joined #openstack-keystone19:52
henrynashdolphm: ok19:52
*** devlaps has quit IRC19:53
mriedemhey keystone people, new gate bug as of 2/23, hitting token fails on cinder and heat APIs, thinking it's a keystone issue if someone could take a look https://bugs.launchpad.net/heat/+bug/128583319:53
mriedemi looked at keystone/client commits on 2/23 and nothing really jumps out at me19:53
*** jog0 has joined #openstack-keystone19:54
dolphmayoung: any chance you landed something that would have caused that recently ^ ?19:55
dolphmmriedem: thanks!19:55
dolphmmriedem: that's an error i've seen before, but not as a transient (usually it's my fault!)19:55
mriedemi'm looking at oslo syncs too19:56
ayoungdolphm, the client lib change?19:58
ayoungdolphm, smells like permissions or SELinux to me20:02
*** henrynash has quit IRC20:16
*** dstanek has quit IRC20:19
*** gyee has joined #openstack-keystone20:25
*** mriedem has left #openstack-keystone20:28
*** dolphm is now known as dolphm_50320:56
*** henrynash has joined #openstack-keystone21:10
*** devlaps has joined #openstack-keystone21:13
*** bknudson has quit IRC21:14
*** dolphm_503 is now known as dolphm21:16
*** gokrokve has joined #openstack-keystone21:17
*** marekd|away is now known as marekd21:18
*** gokrokve_ has quit IRC21:20
*** stevemar has quit IRC21:23
*** bknudson has joined #openstack-keystone21:40
*** marcoemorais has quit IRC21:45
*** chandan_kumar has quit IRC21:45
ayoungbknudson, meant to send that to you here21:48
ayoung, no, it was not a mistake to merge the Revocation extension...SQL and the revoke by tree code really should go in with it.  Also, there were changes being requested in model.py that really were unnecessary, as that code was radically different in the later patches.  It was simpler just to merge the three patches into the complete solution.21:49
*** lnxnut has quit IRC21:51
*** lnxnut has joined #openstack-keystone21:53
*** lnxnut has quit IRC21:54
*** lnxnut has joined #openstack-keystone21:54
*** jog0 has left #openstack-keystone21:55
*** lnxnut_ has joined #openstack-keystone21:58
richmdid something change in jenkins recently with respect to config checking?  I'm wondering why my commit was dinged for not including help strings for use_dumb_member dumb_member user_enabled_mask etc.21:58
*** lnxnut has quit IRC21:58
*** morganfainberg_Z is now known as morganfainberg22:01
morganfainberghenrynash, ++ on that22:02
henrynashmorganfainberg: hope to post implementation tomorrow22:03
morganfainbergdolphm, i think i ran across a race in revocation_list cache22:03
*** dolphm is now known as dolphm_50322:09
bknudsonayoung: ok, I'll start reviewing it again22:11
*** ayoung has quit IRC22:17
*** lnxnut_ has quit IRC22:24
*** marcoemorais has joined #openstack-keystone22:27
*** lnxnut has joined #openstack-keystone22:29
*** lnxnut has quit IRC22:33
*** marcoemorais has quit IRC22:33
*** marcoemorais has joined #openstack-keystone22:36
*** achampion has quit IRC22:37
*** lnxnut has joined #openstack-keystone22:44
*** lnxnut has quit IRC22:48
*** dolphm_503 is now known as dolphm23:01
*** lbragstad has quit IRC23:14
richmshould I file a ticket to add the missing help strings? It seems outside the scope of bug/128267623:14
bknudsonrichm: the missing help strings doesn't cause a failure?23:15
richmit causes jenkins pep8 to fail23:15
bknudsonwhen I run pep8 I get some warnings about missing help strings but it doesn't fail23:16
richm- gate-keystone-pep8 http://logs.openstack.org/02/76002/3/check/gate-keystone-pep8/7668ff4 : FAILURE in 3m 40s23:16
bknudsonrichm: that's failing because "keystone.conf.sample is not up to date."23:17
bknudsonthe missing help strings aren't causing it to fail23:17
bknudsonthe diff output is showing what's different between this commit's sample config and the expected one.23:17
richmis it because I manually edited keystone.conf.sample?23:17
bknudsonprobably23:18
morganfainbergrichm, keystone.conf.sample is auto generated and we pep8 validate against it being in sync w/ the options23:18
bknudsonuse tox -e sample_config to regenerate it23:18
morganfainbergrichm, ^23:18
bknudsonand don't edit it by hand.23:18
richmok - thanks - new commit submitted23:19
*** topol has quit IRC23:23
*** dolphm is now known as dolphm_50323:34
*** browne1 has quit IRC23:38
nkinder_richm: looks good so far...23:45
*** richm has quit IRC23:45
*** nkinder_ has quit IRC23:45
*** jamielennox|away is now known as jamielennox23:46
*** ChanServ sets mode: +v jamielennox23:46
*** richm has joined #openstack-keystone23:47
*** nkinder_ has joined #openstack-keystone23:47
*** nkinder_ is now known as nkinder23:54
*** nkinder has quit IRC23:55
« Wednesday, 2014-02-26 Index Friday, 2014-02-28 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!