Thursday, 2014-03-13

jamielennox	bknudson: so essentially just start putting a *ignore into function definitions?	00:00
*** david_lyle_ has quit IRC		00:00
jamielennox	bknudson: not really, i don't know how we do that with inspect	00:00
bknudson	jamielennox: well, their example has *ignore, and then if ignore: raise TypeError	00:00
jamielennox	the only thing i see that we can do with positional that we can't do with that is required kwargs	00:01
bknudson	required kwargs? fancy	00:01
jamielennox	@positional(1) def f(a, b,c) will end up meaning that b and c MUST be passed and must be kwargs	00:01
jamielennox	(i don't know if we need that but i thought it was cool)	00:02
jamielennox	that and we would still need to put *ignore in the parameters for all the functions right?	00:04
*** nkinder has quit IRC		00:04
bknudson	jamielennox: yes, but that matches essentially what you'd have to do with py3.	00:04
bknudson	jamielennox: I assume if we had pep 3102 in python2 then we wouldn't implement this decorator?	00:05
jamielennox	it would solve the problem enough that i wouldn't worry about it	00:05
jamielennox	i haven't used ,*, much so i don't know exactly where it fails	00:06
jamielennox	so def a(b, c, *, d): means d is a required kwarg	00:07
jamielennox	a(1, 2, 3, 4, e=5) TypeError: a() takes 2 positional arguments but 4 positional arguments (and 1 keyword-only argument) were given	00:08
jamielennox	so it's making sure you don't pass extra *args	00:08
jamielennox	so yes - if we had pep3102 we wouldn't need the decorator	00:09
bknudson	jamielennox: I don't think you could do a(b, c, *, d) ... d would have to be a kwarg -- d=None	00:09
bknudson	d would have to be optional	00:10
jamielennox	bknudson: nope, trying it as i write it here	00:10
jamielennox	>>> def a(b, c, *, e):	00:11
jamielennox	... print("%s, %s, %s" %(b, c, e))	00:11
bknudson	jamielennox: weird, so d is a required kwarg in that case?	00:11
jamielennox	(not sure why i switched from d to e there)	00:11
jamielennox	but yes e is a required kwarg	00:11
bknudson	this is why we should drop python 2 support	00:11
jamielennox	>>> a(1,2, e=3) = 1, 2, 3	00:11
jamielennox	which is EXACTLY what i've been wanting for a while	00:12
jamielennox	this is my favourite thing of py3 so far	00:12
*** nkinder has joined #openstack-keystone		00:12
jamielennox	i think @positional is easier/better than doing *ignore everywhere, but we can ditch in when we go to py3 only	00:13
*** browne has quit IRC		00:14
*** gokrokve has joined #openstack-keystone		00:24
*** gokrokve_ has joined #openstack-keystone		00:25
bknudson	now on to my favorite thing to do... rechecking	00:25
*** gokrokve has quit IRC		00:29
bknudson	jamielennox: can you explain https://review.openstack.org/#/c/74930/ to me?	00:30
bknudson	jamielennox: I don't see how it makes anything easier.	00:31
jamielennox	bknudson: so when you used to run get_pki it would generate a new set of keys/certs and then reparse all the .json files to generate new CMS files	00:32
jamielennox	by splitting the functions and the generator you can just regenerate the CMS with the same keys - so smaller reviews	00:32
jamielennox	eg	00:32
*** gordc has joined #openstack-keystone		00:32
jamielennox	https://review.openstack.org/#/c/74955/	00:32
bknudson	that sounds good, but how to I generate only a few keys?	00:32
jamielennox	only a few keys?	00:33
bknudson	jamielennox: how did you regenerate just the 4 files and not all of them?	00:33
jamielennox	with that at moment to just redo the CMS you'd do source gen_pki.sh; gen_sample_cms	00:34
bknudson	is that how you did it?	00:34
bknudson	how did you know to do that? is there documentation somewhere?	00:34
jamielennox	so that review is the one that ayoung did the split for	00:34
*** henrynash has quit IRC		00:35
bknudson	well, maybe it will make sense to someone else and they'll merge it.	00:36
morganfainberg	jamielennox, ping	00:36
morganfainberg	jamielennox, how is "enforcement" being assigned to in the inner()?	00:36
jamielennox	bknudson: i know it only because i was talking with ayoung when he presented it	00:37
jamielennox	i'm not sure if it's worth doing a regenerate.sh script that only redoes the CMS	00:37
*** wchrisj has quit IRC		00:37
*** devlaps1 has quit IRC		00:37
morganfainberg	jamielennox, or are you saying that enforcement is global?	00:37
jamielennox	morganfainberg: pulling it up	00:38
openstackgerrit	A change was merged to openstack/keystone: Fixup region description uniqueness https://review.openstack.org/79159	00:38
morganfainberg	because if "positional_enforcement" is meant to be mutable, it looks wrong to me	00:38
jamielennox	morganfainberg: so not sure what you mean	00:39
morganfainberg	ok	00:39
morganfainberg	your comment: It will depend on when you expect the value of positional_enforcement to be set.	00:39
jamielennox	so if i define a function with @positional(enforcement=POSITIONAL_EXCEPT) then it will always throw an exception regardless of the positional_enforcement value	00:39
morganfainberg	i think you're doing it wrong if you're changing positional_enforcement at the module level like that	00:39
morganfainberg	right	00:40
morganfainberg	which can still be exclusive to the wrapper method	00:40
morganfainberg	it still wont change at runtime	00:40
jamielennox	my use case for positional_except was applications that want to set POSITIONAL_EXCEPT as the default rther than WARN	00:40
morganfainberg	ok	00:41
jamielennox	for example all keystoneclient unit tests run with POSITIONAL_EXCEPT	00:41
morganfainberg	wouldn't this be a CONF deal instead of a mutable value?	00:41
jamielennox	we don't have CONF in client	00:41
morganfainberg	ugh,	00:41
morganfainberg	i really don't like this setup	00:42
jamielennox	well not having CONF makes sense - you shouldn't allow a library access to a global state object	00:42
jamielennox	this was the next best way i could think of doing it	00:43
morganfainberg	no no i mean i don't like the mutable module thing	00:43
jamielennox	also i copied a lot of the ideas from a google client i found	00:43
jamielennox	bknudson: ^ which is why the docs are off	00:43
morganfainberg	still doesn't change that it leaves a bad taste in my mouth	00:43
morganfainberg	tbh, i'd remove the warn.	00:43
jamielennox	morganfainberg: would love to - that would break compatibilty for existing functions	00:44
morganfainberg	how does py33 handle it?	00:44
morganfainberg	hard exception each time right?	00:44
bknudson	jamielennox: the docs haven't been generated for over a year anyways!	00:44
jamielennox	bknudson: yea, i've no idea what valid rst is - i just do something that looks like everything else	00:45
*** gordc has left #openstack-keystone		00:45
jamielennox	morganfainberg: yea, you can do a hard exception there	00:45
morganfainberg	i mean python33 doesn't have the soft "Warning" mechanism	00:45
morganfainberg	with that syntax	00:45
jamielennox	morganfainberg: no, because it builds it into the language	00:45
morganfainberg	i'd call this py33 compatibility and still strip the warning	00:46
bknudson	http://docs.openstack.org/developer/python-keystoneclient/py-modindex.html -- Last updated on Mon Mar 18 19:40:00 2013	00:46
jamielennox	we could do only exceptions and then only use the decorator for new code	00:46
bknudson	so not quite a year yet but getting close	00:46
jamielennox	heh, 5 days	00:46
bknudson	we can have a birthday party for it	00:46
jamielennox	morganfainberg: i figured the warning mode was good for existing functions to at least tell people they are doing it wrong	00:47
morganfainberg	so explain to me where we're broken with old code and hard exceptions?	00:47
morganfainberg	i'm just not seeing it atm	00:47
morganfainberg	so point me to an example :)	00:47
jamielennox	def f(a, b=None)	00:47
morganfainberg	where we use **kwargs?	00:47
bknudson	btw - https://review.openstack.org/#/c/72515/	00:48
jamielennox	f(1, 2) is valid, if i wrap a @postiional around it it won't be	00:48
jamielennox	morganfainberg: **kwargs won't be affected	00:48
morganfainberg	oh i see people _might_ call it as f(1, 2)	00:48
morganfainberg	not f(1, b=2)	00:48
jamielennox	morganfainberg: right	00:48
jamielennox	and if i want to put a new positional argument in there between a and b i can't because of backwards compat	00:49
*** dolphm has quit IRC		00:49
morganfainberg	jamielennox, ok...	00:50
morganfainberg	jamielennox, i still don't like it.	00:50
jamielennox	its drawing the distinction between keyword arguments and optional positional arguments which python2 can't do	00:50
morganfainberg	jamielennox, really this mutable module level thing you evaluate everytime feels wrong	00:50
morganfainberg	also plural can be evaluated in wrapper	00:51
jamielennox	right, so the only reason to do that everytime is the order of operations, if you evaluate the function code before you set the postiional_enforcement variable then you are fixed	00:51
morganfainberg	jamielennox, it's a NIT.	00:51
*** wchrisj has joined #openstack-keystone		00:51
jamielennox	morganfainberg: can, i tend to fall on CPU rather than memory for that sort of stuff but i don't care	00:52
morganfainberg	this is bike shedding, i just don't like it :P	00:52
morganfainberg	paint it green	00:52
*** sudorandom has quit IRC		00:53
jamielennox	i have at least two or three places in client where i've got frequently used variables that should be positional tucked at the end of a giant list of kwargs because i'm not allowed to change the order of them	00:54
*** dolphm has joined #openstack-keystone		00:54
morganfainberg	jamielennox, ok i know what i dislike	00:54
*** sudorandom has joined #openstack-keystone		00:54
morganfainberg	actually, i finally put my finger on it	00:54
jamielennox	if you call Client(with username=, password=, user_domain_id= and all that crap as positional, you are an idiot, but i still have to support you	00:55
morganfainberg	it's not relevant so i wont complain about this.	00:55
morganfainberg	also 0 arguments is plural	00:55
*** wchrisj has quit IRC		00:56
morganfainberg	;)	00:56
morganfainberg	another NIT	00:56
jamielennox	but if i can wrap a @positional around that i don't have to	00:56
jamielennox	true	00:56
morganfainberg	yah don't worry i know what's bugging me about this now - the mutable module thing	00:56
jamielennox	you may as well tell me the the problem	00:56
morganfainberg	i'd invert plural to be '' if arg len() == 1 else 's'	00:56
morganfainberg	jamielennox, the issue is a python-ism.	00:57
jamielennox	i'm looking through bknudson's comments now, if i wrap the decorator into a class rather than a function then i can put the warning as a class level variable	00:57
morganfainberg	and my aversion to module level mutables, plus that i want switch/case :P	00:57
morganfainberg	i wouldn't complain if the language had a real switch/case construct	00:58
morganfainberg	because you could do the eval and switch on the result	00:58
morganfainberg	no a dict is not a more elegant choice (nor more readable)	00:58
bknudson	morganfainberg: no need for switch/case when you've got dynamic dispatch	00:58
jamielennox	heh, yea - i'm pretty sure that's never coming	00:58
morganfainberg	jamielennox, exactly	00:58
morganfainberg	bknudson, hah	00:58
morganfainberg	anyway	00:58
jamielennox	if nothing else it kind of makes sense when you consider the indenting you would have to do	00:59
jamielennox	switch x	00:59
jamielennox	case 5	00:59
jamielennox	start doing stuff	00:59
morganfainberg	bknudson, i would like the syntactic sugar of a switch-case style syntax even if it;'s not needed	00:59
morganfainberg	jamielennox, so ignore my complaint on the module mutable thing	00:59
*** richm has quit IRC		00:59
*** wchrisj has joined #openstack-keystone		01:00
jamielennox	morganfainberg: well i'm going to do the class anyway so it probably makes more sense there	01:00
bknudson	switch(x, (5, lambda: do_something))	01:00
morganfainberg	bknudson, shudder	01:00
morganfainberg	nooooooo	01:00
morganfainberg	jamielennox, yeah as a class this makes it easier	01:00
morganfainberg	jamielennox, and you can just do @property stuff. or some such	01:00
bknudson	or just write a factory	01:01
jamielennox	nah, property on a class requires metaprogramming and it's just not worth it	01:01
morganfainberg	jamielennox, does it?	01:01
morganfainberg	shrug	01:02
jamielennox	yea, a property is defined on an instance	01:02
*** derek_c has joined #openstack-keystone		01:02
jamielennox	you have to do a metaclass to define a class property	01:02
jamielennox	though i do wish they had a different way of doing that	01:02
morganfainberg	jamielennox, iirc you can do @property and then in __init__ just setattr() over the top of the @property	01:03
morganfainberg	the setattr puts the new property in the __dict__	01:03
morganfainberg	which overrides the MRO inheritence	01:03
morganfainberg	and wont call the defined @property	01:03
jamielennox	that sounds... interesting	01:04
* morganfainberg checks this.		01:04
jamielennox	now i have to figure out how to do a class based decorator with arguments - i've always prefered the function approach	01:04
morganfainberg	jamielennox, doh i was wrong	01:05
*** theocean154 has joined #openstack-keystone		01:05
morganfainberg	jamielennox, now let me figure out how i did this in the past	01:05
morganfainberg	because i _know_ i've done this	01:06
bknudson	jamielennox: the class is going to get created and then it's going to be called with the function and it returns the new function	01:09
bknudson	so implement __call__(self, f), I guess.	01:10
jamielennox	bknudson: yep	01:11
morganfainberg	jamielennox, oh i see how i did this	01:12
jamielennox	bknudson: it just means that you still end up returning a new function rather than returning the class	01:12
morganfainberg	jamielennox, i used a re-implemented @property that didn't do the @property magic.	01:12
*** wchrisj has quit IRC		01:12
morganfainberg	jamielennox, don't worry about it ignore my complaint	01:12
jamielennox	morganfainberg: i'll show you the class one in a minute, it does look better for the variable	01:13
morganfainberg	jamielennox, yeah i'm sure it's a bit more straightforward	01:13
openstackgerrit	Brant Knudson proposed a change to openstack/keystone: Remove unnecessary oauth1.Manager constructions https://review.openstack.org/79213	01:14
*** wchrisj has joined #openstack-keystone		01:18
*** dstanek has quit IRC		01:19
*** marcoemorais has quit IRC		01:21
lbragstad	bknudson: thanks for submitting a bug	01:27
lbragstad	+1	01:27
bknudson	lbragstad: just doing my job	01:28
*** nkinder has quit IRC		01:29
openstackgerrit	Nathan Kinder proposed a change to openstack/keystone: Filter LDAP dumb member when listing role assignments https://review.openstack.org/73935	01:30
jamielennox	bknudson: how do i generate the module docs again? build_sphinx will only do the docs	01:33
jamielennox	ah, that's one of your patches that i haven't yet approved isn't it	01:33
*** ChanServ sets mode: +o dolphm		01:34
bknudson	jamielennox: I submitted a patch to make it the same as keystone...	01:34
bknudson	jamielennox: https://review.openstack.org/#/c/72515/	01:34
jamielennox	bknudson: yea, i did a pass of them a while ago but i don't think they got merged	01:34
bknudson	jamielennox: you know how hard it is to get anything merged into keystoneclient.	01:35
jamielennox	yes i do	01:35
openstackgerrit	ldbragst proposed a change to openstack/keystone: Allow 'description' in V3 Regions to be optional https://review.openstack.org/78658	01:35
openstackgerrit	ldbragst proposed a change to openstack/keystone: Enforce required parameters for V3 Regions https://review.openstack.org/76444	01:35
*** vhoward- has left #openstack-keystone		01:35
*** wchrisj has quit IRC		01:36
*** wchrisj has joined #openstack-keystone		01:43
*** nkinder has joined #openstack-keystone		01:44
openstackgerrit	Jenkins proposed a change to openstack/keystone: Updated from global requirements https://review.openstack.org/76691	01:49
*** amcrn has quit IRC		01:56
*** wchrisj has quit IRC		02:01
ayoung	jamielennox, so to assign a role, I use admin_client.roles.grant(role=role,user=user, project=project) ... we'll ignore that it should be assign. To delete the role assignement, do I do	02:05
ayoung	for roles in admin_client.roles.list(user):	02:05
ayoung	admin_client.roles.delete(role)	02:05
ayoung	well, to delete role assignements, that is?	02:06
*** mberlin1 has joined #openstack-keystone		02:06
jamielennox	ayoung: off the top of my head it looks fine	02:06
jamielennox	we don't have any bulk delete or anything	02:06
ayoung	jamielennox, but the same command deletes a role definition, no?	02:07
jamielennox	oh, sorry delete the assignment	02:07
jamielennox	umm	02:07
*** mberlin has quit IRC		02:08
jamielennox	admin_client.roles.revoke(role, user)	02:08
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Add a positional decorator https://review.openstack.org/77026	02:11
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Start using positional decorator https://review.openstack.org/77055	02:11
*** wchrisj has joined #openstack-keystone		02:11
ayoung	ah, ok...revoke makes more sense. I missed that	02:11
jamielennox	morganfainberg: ^, so i switched the default from WARN to EXCEPT which i think makes sense and i ditched the default altogether	02:11
jamielennox	so not more module variable (although it looked much nicer when it was on a class)	02:12
morganfainberg	jamielennox, ah so must be specified	02:12
morganfainberg	jamielennox, well specified if you want non-exception behavior?	02:12
jamielennox	morganfainberg: right	02:12
jamielennox	means we don't get enforcing in tests but that's not a big loss	02:12
morganfainberg	jamielennox, i like that better, but i was willing to let ya go w/ the module level stuff. it was in the depths of bike shedding whcih is why i backed off.	02:13
jamielennox	and from now on we will pretty much always want except behaviour so it makes sense to specify WARN only for the existing things	02:13
morganfainberg	makes sense to me	02:13
jamielennox	we can rely on reviewers to make sure you only specify things via kwargs internally, if someone wants to put an override on it later then they can	02:14
morganfainberg	jamielennox, ++ i like it	02:15
ayoung	jamielennox, what is the "right" way to request a token using the client.	02:21
ayoung	jamielennox, this might be artificial	02:22
ayoung	but I want to create a bunch of tokens and then do things that revoke them and test the revocation	02:22
ayoung	is it just	02:22
jamielennox	there's no way to force request something new	02:22
jamielennox	but if you create a client then you can just retrieve it from that	02:23
ayoung	so create a new client for each	02:23
ayoung	how do I get the token out of the client?	02:23
jamielennox	client.auth_ref is the accessinfo object	02:24
jamielennox	.auth_token is just the token	02:24
jamielennox	up to 7 failing reverifies	02:31
jamielennox	https://review.openstack.org/#/c/79474/	02:31
ayoung	wow. that is suboptimal	02:32
jamielennox	great and the log file is actually missing so i can't figure out the error	02:33
openstackgerrit	Nathan Kinder proposed a change to openstack/keystone: Filter LDAP dumb member when listing role assignments https://review.openstack.org/73935	02:33
jamielennox	any idea if there is a recheck for unstable where there is no grenade log?	02:34
*** zhiyan_ is now known as zhiyan		03:06
nkinder	jamielennox: I haven't had to deal with rechecks. Is it just that there was some spurious failure (hopefully test environment related), and you need to tell it to run the tests again?	03:08
jamielennox	nkinder: pretty much, it's for failures that aren't your fault essentially	03:08
jamielennox	apparently zuul is a bit unstable at the moment so i should just keep reverifying until it works	03:08
nkinder	jamielennox: I wonder if the patch I submitted a little bit ago is going to encounter that too...	03:09
nkinder	my luck hasn't been good today, so it will probably hit problems	03:09
nkinder	my network connection had a 80% packet loss rate for about 5 hours this afternoon... lots of fun	03:10
jamielennox	heh, i was going to say luck of the draw	03:10
jamielennox	nkinder: ouch... personal or work?	03:10
nkinder	jamielennox: personal. I worked from home today	03:11
jamielennox	nkinder: bugger, at least at work someone else will fix it :)	03:11
nkinder	luckily it was my ISP and not my network equipment	03:11
nkinder	some outage for my whole area	03:12
ayoung	jamielennox, when creating a v3 client, if they only supply username, or only supply project name, we should throw a client side error saying domain is required	03:16
jamielennox	yea,	03:17
ayoung	the error you get otherwise is "project not found" which is counter-intuitive	03:17
jamielennox	i was looking at that for the v3 plugin the other day	03:17
ayoung	or we should return a better error from POST /auth/tokens	03:17
jamielennox	not sure if it's considered backwards compat	03:17
ayoung	400 "user.name requires user.domain.name	03:18
ayoung	it fails either way, just a better error code	03:18
jamielennox	ok, cool i didn't test it at the time	03:19
openstackgerrit	Tim Potter proposed a change to openstack/python-keystoneclient: Convert keyring password to str before pickle.loads() https://review.openstack.org/80166	03:27
*** stevemar has joined #openstack-keystone		03:33
*** wchrisj has quit IRC		03:48
*** topol has joined #openstack-keystone		03:50
*** gokrokve_ has quit IRC		03:51
*** stevemar has quit IRC		03:53
*** stevemar has joined #openstack-keystone		03:55
*** lbragstad1 has joined #openstack-keystone		03:57
*** lbragstad has quit IRC		03:59
*** wchrisj has joined #openstack-keystone		04:00
openstackgerrit	ldbragst proposed a change to openstack/keystone: Enforce required parameters for trusts https://review.openstack.org/72582	04:04
*** lbragstad1 is now known as lbragstad		04:07
*** lbragstad is now known as lbragstad__		04:16
*** harlowja is now known as harlowja_away		04:20
*** harlowja_away is now known as harlowja		04:24
*** dstanek has joined #openstack-keystone		04:25
ayoung	nkinder, jamielennox I was lying in bed, and it struck me that the approach we need for user ids is this: take one part from LDAP or IdP, one part from the Keystone (domain id or domain name) and do the SHA256 hash of it.	04:26
ayoung	the reason why the hash, aside from fitting into the size field is this:	04:27
ayoung	when I was looking at the revocation events, I realized how much information was leaking	04:27
jamielennox	ayoung: i'm sure we discussed this once before	04:27
ayoung	if a user changes their password, anyone looking at the events sees the userid	04:27
*** theocean154 has quit IRC		04:27
ayoung	yeah...I think I needed to let it bake for a while	04:27
jamielennox	when we were talking about whether we needed a global user_id field and it was rejected in favour of putting @@idp_Id	04:28
ayoung	jamielennox, it was the revocation events that made me realize the leakage	04:28
ayoung	I don't think we need to be able to map from the userid back to the identity provider	04:28
ayoung	we need to be able to reproduce the ids.	04:28
jamielennox	oh? what about change password, change roles whatever	04:28
jamielennox	they are all user_id functions	04:29
jamielennox	if you need to store the parts to the hash there is no difference to using a uuid	04:29
ayoung	so change passwrod can say "you need to provide all the pieces"	04:31
ayoung	no big deal there	04:31
jamielennox	that's an api change though	04:31
ayoung	I think that so long as we always go from "what we know" to "what we can do" we are ok. It is audit that I am worried about	04:31
ayoung	it might well require API changes...if so, it is an extension	04:32
*** wchrisj has quit IRC		04:33
jamielennox	if it's an extension it doesn't solve the overall problem though	04:33
*** marcoemorais has joined #openstack-keystone		04:42
*** marcoemorais1 has joined #openstack-keystone		04:44
*** marcoemorais has quit IRC		04:47
*** gokrokve has joined #openstack-keystone		04:55
*** derek_c has quit IRC		05:20
openstackgerrit	A change was merged to openstack/keystone: Add OS-OAUTH1 to consumers links section https://review.openstack.org/73031	05:36
*** derek_c has joined #openstack-keystone		05:46
*** gyee has quit IRC		05:51
*** harlowja is now known as harlowja_away		05:53
*** gokrokve has quit IRC		05:57
*** david-lyle has joined #openstack-keystone		05:57
*** dstanek has quit IRC		06:01
openstackgerrit	Jenkins proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/78525	06:01
*** david-lyle has quit IRC		06:02
*** dstanek has joined #openstack-keystone		06:03
*** abhishek has joined #openstack-keystone		06:12
*** derek_c has quit IRC		06:17
*** derek_c has joined #openstack-keystone		06:32
*** abhishek has quit IRC		06:42
morganfainberg	hehe	07:00
jamielennox	stevemar: what are you trying to do?	07:00
morganfainberg	blech i need to go sleep =/	07:00
stevemar	jamielennox, just trying to exercise the auth plugin works	07:00
jamielennox	i had session.get_token() there if you have to get it	07:00
jamielennox	it should be sufficient to make an authenticated call and have the token added for you	07:01
*** topol has quit IRC		07:01
stevemar	yeah, it does that, but i was hoping to verify the authorizing user and roles/project are all there	07:01
jamielennox	if you call get_token() it should force the call for you	07:01
stevemar	it does, but it only returns back the PKI string	07:02
jamielennox	yea	07:02
jamielennox	so an auth plugin doesn't have to be keystone based, so you can't assume that it will have an auth_ref	07:02
stevemar	ah i see what you mean	07:03
jamielennox	if you do auth_plugin.get_auth_ref() i think it will do what you want	07:03
jamielennox	i think fetch_auth_ref does the call and get_ does it if the current one is expired	07:03
*** henrynash has joined #openstack-keystone		07:04
stevemar	jamielennox, wonderful!	07:04
*** chandan_kumar has joined #openstack-keystone		07:10
*** morganfainberg is now known as morganfainberg_Z		07:18
openstackgerrit	Steve Martinelli proposed a change to openstack/python-keystoneclient: Add example script for oauth1 functions https://review.openstack.org/80193	07:22
*** stevemar has quit IRC		07:33
*** derek_c has quit IRC		07:52
*** saju_m has joined #openstack-keystone		08:12
*** marekd\|away is now known as marekd		08:13
marekd	morning all.	08:22
*** henrynash has quit IRC		08:28
*** andreaf has joined #openstack-keystone		08:30
*** henrynash has joined #openstack-keystone		08:51
*** petertoft has joined #openstack-keystone		08:52
*** leseb has joined #openstack-keystone		08:55
*** leseb has quit IRC		09:01
*** marcoemorais1 has quit IRC		09:08
*** chandan_kumar has quit IRC		09:30
*** marcoemorais has joined #openstack-keystone		09:35
*** marcoemorais1 has joined #openstack-keystone		09:36
*** marcoemorais has quit IRC		09:36
*** marcoemorais1 has quit IRC		09:40
*** chandan_kumar has joined #openstack-keystone		09:46
marekd	mhu: ok, let me try reproducing this behaviour...	09:47
mhu	marekd, I am in a meeting but ping me if I can help	09:51
marekd	mhu: no problem!	09:53
*** henrynash has quit IRC		10:20
*** marcoemorais has joined #openstack-keystone		10:37
*** marcoemorais has quit IRC		10:41
*** topol has joined #openstack-keystone		10:53
*** henrynash has joined #openstack-keystone		11:01
marekd	mhu: replied!	11:07
mhu	marekd, thanks ! I'll give it a look	11:09
marekd	mhu: emailing stevemar and dolphm at the moment.	11:09
mhu	marekd, thanks for the explanation, I can write the bug report	11:19
mhu	but as you mention, since it is tricky to test the HTTP layer, we might miss other problems ...	11:19
marekd	mhu: yes :(	11:19
mhu	marekd, leaving for lunch now, I'll write the bug report when I am back	11:20
marekd	mhu: that's why i am working on configs for apache/keystone/shibboleth2.xml so one can reuse them and setup 'real' instance.	11:21
marekd	mhu: don't remember if I mentioned it when we were talking couple of nights ago: https://github.com/zaccone/keystone-federation	11:21
marekd	mhu: ok, bon app!	11:21
marekd	mhu: feel free to assign the bug to mysefl.	11:22
*** jamielennox is now known as jamielennox\|away		11:22
*** amcrn has joined #openstack-keystone		11:31
*** marcoemorais has joined #openstack-keystone		11:38
*** marcoemorais has quit IRC		11:42
*** henrynash has quit IRC		11:43
*** henrynash has joined #openstack-keystone		11:49
*** henrynash has quit IRC		12:00
*** Ramakrishna has joined #openstack-keystone		12:10
*** leseb has joined #openstack-keystone		12:22
*** dims_ has quit IRC		12:30
*** dims_ has joined #openstack-keystone		12:34
marekd	mhu: back from the lunch ?	12:35
*** raildo has joined #openstack-keystone		12:37
*** marcoemorais has joined #openstack-keystone		12:39
*** marcoemorais has quit IRC		12:43
*** andreaf has quit IRC		12:44
mhu	marekd, yes	12:47
marekd	mhu: cool, fire away the bug report, i shoul be done with the fix in few minutes :-)	12:48
mhu	marekd, will do	12:53
mhu	marekd: https://bugs.launchpad.net/keystone/+bug/1291981	13:05
mhu	I tried to assign the bug to you but the search engine doesn't seem to work	13:05
*** leseb has quit IRC		13:10
*** nkinder has quit IRC		13:13
*** browne has joined #openstack-keystone		13:17
*** lbragstad__ has quit IRC		13:19
marekd	mhu: what's the link?	13:23
mhu	marekd, that's the bug I reported: https://bugs.launchpad.net/keystone/+bug/1291981	13:23
*** Ramakrishna has quit IRC		13:23
marekd	mhu: assigned.	13:24
*** henrynash has joined #openstack-keystone		13:26
*** YorikSar_ has quit IRC		13:45
*** lbragstad has joined #openstack-keystone		13:47
*** YorikSar has joined #openstack-keystone		13:49
*** stevemar has joined #openstack-keystone		13:51
*** gtt116 has joined #openstack-keystone		13:52
gtt116	any body using memcache backend for tokens?	13:53
gtt116	I found it become slow when a user has lots of token ( about 10,000 tokens)	13:54
*** wchrisj has joined #openstack-keystone		13:57
*** nkinder has joined #openstack-keystone		14:03
stevemar	gtt116, what keystone release / version are you using?	14:04
gtt116	The stable/havana	14:04
stevemar	gtt116, also, morganfainberg_Z is your guy for all memcache related queries	14:04
*** YorikSar has quit IRC		14:04
*** YorikSar has joined #openstack-keystone		14:05
stevemar	gtt116, so you're likely not hitting: https://bugs.launchpad.net/keystone/+bug/1221087 since you're using havana	14:06
gtt116	stevemar, thanks for the information, but morganfainberg_Z is away now.	14:07
gtt116	stevemar, actually timezone is not the issue for us, I found a relatives bug here: https://bugs.launchpad.net/keystone/+bug/1251123	14:08
gtt116	stevemar, I merged the patch for the bug, but thing does't go well	14:10
*** topol has quit IRC		14:11
openstackgerrit	Marek Denis proposed a change to openstack/keystone: Filter environment before mapping the federation rules. https://review.openstack.org/80293	14:13
marekd	stevemar: dolphm mhu: ^^	14:14
stevemar	thanks marekd	14:15
stevemar	gtt116, the bug wasn't backported to havana	14:16
stevemar	the patch*	14:16
*** vhoward- has joined #openstack-keystone		14:19
gtt116	stevemar, the status show "Fix released" in branch havana. Do I miss something?	14:19
gtt116	stevemar, the backport patch is here: https://review.openstack.org/66149	14:20
*** leseb has joined #openstack-keystone		14:21
stevemar	gtt116, my mistake, it didn't come up in my query, but the fix should be in havana	14:22
*** saju_m has quit IRC		14:22
gtt116	stevemar: :), I afraid the fix not work very well in real environment.	14:24
*** leseb has quit IRC		14:25
gtt116	stevemar, I am thinking about can we prune token list when call list_tokens(), rather than each time we create a new token.	14:28
marekd	mhu: for a quick fix you can try patching your keystone with this diff and carry on with your tests: http://pasteraw.com/q2uq905nsd2uc2n3m279hq1cxr0xqls	14:30
marekd	mhu: (this is a diff from a patchset i uploaded as a fix to the bug you submitted)	14:30
mhu	marekd, it's a devstack keystone, so I can point the repo in the gerrit review :)	14:31
mhu	to restack at will	14:31
marekd	mhu: a, okay then :-)	14:31
marekd	mhu: didn't know what you are using actually.	14:31
*** flaper87 has joined #openstack-keystone		14:31
marekd	ok, be back in 5 minutes	14:31
*** richm has joined #openstack-keystone		14:35
marekd	mhu: thanks for the comments, answering them!	14:35
mhu	marekd, happy to hel	14:35
mhu	help	14:35
*** gokrokve has joined #openstack-keystone		14:37
*** andreaf has joined #openstack-keystone		14:37
*** marcoemorais has joined #openstack-keystone		14:40
*** marcoemorais has quit IRC		14:45
stevemar	mhu, if you are at atlanta summit, i owe you like 6 beers	14:49
mhu	stevemar, hold on these 6 beers until the Paris summit :)	14:49
marekd	mhu, stevemar responded	14:52
stevemar	mhu, with inflation, it'll be 7 or 8 by that time	14:52
marekd	haha, mhu, you should be happy you dont live in switzerland. They now have deflation, so it could be you to buy beer for stevemar D	14:54
marekd	stevemar: you can help me making commit message more english-pro	14:55
*** thedodd has joined #openstack-keystone		14:57
ayoung	dolphm, I hate this patch https://review.openstack.org/#/c/78068/6	15:00
ayoung	there has got to be a better way	15:00
stevemar	marekd, responded	15:02
*** chandan_kumar has quit IRC		15:02
stevemar	ayoung, why the hate?	15:02
*** browne has left #openstack-keystone		15:02
*** chandan_kumar has joined #openstack-keystone		15:03
ayoung	stevemar, because, as invasive as it is, it still doesn't solve the problem	15:03
*** YorikSar has quit IRC		15:03
*** prad_ has joined #openstack-keystone		15:03
ayoung	and I don't like being forced into a bad solution	15:03
stevemar	nobody puts ayoung in a corner	15:04
ayoung	stevemar, um... I think that quote puts me in a far less active role than I am ever willing to take	15:04
ayoung	I'm the Angry Young Man . I'm always at home with my back to the wall.	15:05
stevemar	ayoung, i like that it fixes the base_url inconsistencies	15:05
ayoung	stevemar, Oh, I agree we want to do that....just that host_url doesn	15:05
*** YorikSar has joined #openstack-keystone		15:05
*** henrynash has quit IRC		15:05
ayoung	''t do it to the elvel that we want	15:05
ayoung	and that it is so invasive at the same time	15:06
stevemar	it is	15:06
ayoung	worked hard to rip context out of all those locations	15:06
*** dstanek has quit IRC		15:06
*** gtt116 has left #openstack-keystone		15:12
openstackgerrit	Marek Denis proposed a change to openstack/keystone: Filter environment before mapping the federation rules. https://review.openstack.org/80293	15:13
openstackgerrit	A change was merged to openstack/keystone: Cleanup backends after each test https://review.openstack.org/79726	15:15
openstackgerrit	A change was merged to openstack/keystone: Cleanup of instance attrs in core tests https://review.openstack.org/79727	15:16
openstackgerrit	A change was merged to openstack/keystone: Cleans up test data from limit tests https://review.openstack.org/79728	15:21
openstackgerrit	A change was merged to openstack/keystone: Cleanup fixture data added to test instances https://review.openstack.org/79729	15:21
openstackgerrit	A change was merged to openstack/keystone: Cleanup keystoneclient tests https://review.openstack.org/79730	15:21
openstackgerrit	A change was merged to openstack/keystone: Very minor cleanup to default_fixtures https://review.openstack.org/80040	15:21
openstackgerrit	Steve Martinelli proposed a change to openstack/python-keystoneclient: Add example script for oauth1 functions https://review.openstack.org/80193	15:21
bknudson	I thought that if I created a user with default_project_id set to a project then the user would automatically be given a role on the project.	15:22
*** topol has joined #openstack-keystone		15:23
bknudson	oh, that's only the v2 api.	15:33
*** leseb has joined #openstack-keystone		15:36
*** daneyon has joined #openstack-keystone		15:38
*** david-lyle has joined #openstack-keystone		15:44
openstackgerrit	Marek Denis proposed a change to openstack/keystone: Filter environment before mapping the federation rules. https://review.openstack.org/80293	15:53
*** marekd is now known as marekd\|away		16:19
*** devlaps has joined #openstack-keystone		16:19
ayoung	This is going to be my new -2 response comment. (╯°□°）╯︵ ┻━┻	16:19
flaper87	hey guys, what would be the best way to verify from cinder if a project exists ?	16:20
flaper87	i guess my question is: What's the keystoneclient method that I should be using ?	16:21
flaper87	:D	16:21
flaper87	ayoung: LOL at the -2 response	16:21
ayoung	flaper87, um...that is a good question	16:21
ayoung	flaper87, we can tell you if it exists, but not if it does not exist	16:22
ayoung	why? cuz cinder might not have access	16:22
ayoung	so we return a 404 if you try to get something that you don't have access to.	16:22
ayoung	flaper87, is that sufficient? It would be a GET /v3/projects/<projectid>	16:23
flaper87	ayoung: i think that's sufficient in this case	16:26
flaper87	thing is that the quota handling is not considering whether the project exists or not	16:26
flaper87	nor whether the id is correct	16:26
flaper87	or if it's a project name	16:26
ayoung	flaper87, you can also do a list name=? and check the number of results if that works better. But you should include the domain on the query if you do that	16:27
flaper87	ayoung: mmh, ok, I'll keep that in mind, although I think doing a get is enough	16:28
ayoung	++	16:28
flaper87	ayoung: would you mind pointing me to the right client code ?	16:28
ayoung	Heh.	16:28
ayoung	flaper87, I'm writing the example as we speak....	16:29
ayoung	start with	16:29
flaper87	ayoung: awesome, awesome, awesome! thanks a lot!	16:29
ayoung	http://www.jamielennox.net/blog/2014/02/24/client-session-objects/	16:29
ayoung	I have an example in one of my reviews, too	16:29
ayoung	https://review.openstack.org/#/c/79096/1/examples/scripts/exercise_v3_regions.py	16:30
ayoung	that is for the regions API	16:30
ayoung	for a project it would be	16:30
*** gokrokve has quit IRC		16:30
ayoung	admin_client = client.Client ....	16:31
ayoung	and then	16:31
ayoung	admin_client.projects.get(project_id)	16:31
ayoung	or	16:31
ayoung	admin_client.projects.list(name=proejct_name, domain_name=domain_name)	16:31
flaper87	ayoung: awesome, thanks!	16:32
flaper87	and IIRC, the keystone_url should already be in the headers	16:32
flaper87	right ?	16:32
flaper87	or at least I remember seeing it somewhere	16:32
flaper87	:D	16:32
ayoung	flaper87, hmmm. You need the url when you create the client, but then it gets the endpoint for the service catalog	16:32
*** YorikSar_ has joined #openstack-keystone		16:32
ayoung	play around with the client call, find what actually works for you	16:33
flaper87	ayoung: sounds good! thanks for the hints	16:33
ayoung	the regions example might have more params than strictly necessary	16:33
ayoung	ideally, we will use X509s for services to talk to Keystone and make these calls directly, without a token, in the future	16:33
*** gyee has joined #openstack-keystone		16:33
ayoung	you probably should be using the endpoint in the service catalog that came from the token used to make the request	16:34
ayoung	but that is advanced stuff, requires higher math and imaginary numbers	16:34
ayoung	like thirty-twelve and such	16:34
flaper87	ayoung: lol, too much for what I need to do here :D	16:35
flaper87	let's keep it stupid simple	16:35
flaper87	:D	16:35
*** YorikSar has quit IRC		16:36
openstackgerrit	A change was merged to openstack/keystone: Enforce groups presence for federated authn https://review.openstack.org/79284	16:37
*** gokrokve has joined #openstack-keystone		16:37
*** dstanek has joined #openstack-keystone		16:52
*** marcoemorais has joined #openstack-keystone		16:55
*** afaranha has joined #openstack-keystone		16:56
stevemar	dtroyer, i was expecting some failures, but yeesh https://review.openstack.org/#/c/80320/1	16:58
dtroyer	stevemar: yeah, that's not a trivial change	16:59
ayoung	http://tools.ietf.org/html/draft-ietf-scim-core-schema-03 Cross Domain Identity Management....yay! Er... time to read	17:00
*** marcoemorais has quit IRC		17:01
*** marcoemorais has joined #openstack-keystone		17:02
*** gokrokve has quit IRC		17:06
*** morganfainberg_Z is now known as morganfainberg		17:09
*** harlowja_away is now known as harlowja		17:10
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Do not use keystone.conf.sample in tests https://review.openstack.org/79524	17:12
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Removal of test .conf files https://review.openstack.org/79525	17:12
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Move test .conf files to keystone/tests/config_files https://review.openstack.org/79526	17:12
morganfainberg	mornin	17:13
*** lbragstad has quit IRC		17:17
*** petertoft has quit IRC		17:18
*** dstanek has quit IRC		17:19
*** lbragstad has joined #openstack-keystone		17:23
*** gokrokve has joined #openstack-keystone		17:26
morganfainberg	yay test cleanup landed (should mean tests require less memory)	17:33
*** browne has joined #openstack-keystone		17:52
*** gyee has quit IRC		17:53
*** YorikSar_ is now known as YorikSar		17:55
*** YorikSar has joined #openstack-keystone		17:57
*** linuxgeek_ has joined #openstack-keystone		18:00
linuxgeek_	on a i3 install, the ip in public endpoint url has changed after the node reboot. is there a way i can update the endpoint table in the keystone db?	18:02
stevemar	morganfainberg, there was a memcached question here earlier	18:03
stevemar	morganfainberg, gtt116 (irc handle) thinks he was hitting https://bugs.launchpad.net/keystone/+bug/1251123 in stable/havana	18:04
stevemar	just a heads up	18:04
*** flaper87 is now known as flaper87IsNotAwa		18:04
*** flaper87IsNotAwa is now known as flaper87DoesNotK		18:04
*** flaper87DoesNotK is now known as flaper87WTF		18:05
*** flaper87WTF is now known as flaper87		18:05
stevemar	flaper87 is having some trouble	18:05
morganfainberg	stevemar, hi	18:06
morganfainberg	stevemar, let me see	18:06
*** zhiyan is now known as zhiyan_		18:10
morganfainberg	stevemar, responded it looks like this is an issue w/o the fix	18:12
morganfainberg	stevemar, which yes, you will hit 100% cpu.	18:13
morganfainberg	we have independant confirmation the fix solved the majority of the issue(s) because it doesn't have the endless memcache io	18:13
morganfainberg	stevemar and if they are still having an issue, the answer legitimately is "memcache shouldn't be used for token persistent"	18:15
stevemar	morganfainberg, cool it did sound like the fix was probably not being included	18:15
morganfainberg	it has security ramifications among other things.	18:15
morganfainberg	yerah	18:15
morganfainberg	that was my take	18:15
stevemar	just wanted to give you a heads up in case you see pings/emails	18:16
morganfainberg	yep	18:16
morganfainberg	i try and circle back on LP bugs and respond.	18:16
morganfainberg	i really look forward to storyboard, LP is kindof a pain to use.	18:16
morganfainberg	stevemar, psst https://review.openstack.org/#/c/79524/ :)	18:16
morganfainberg	since we got dstanek's test cleanup in	18:17
morganfainberg	;)	18:17
morganfainberg	moar.	18:17
* morganfainberg is generating a sample confighttps://review.openstack.org/#/c/80293/ for		18:17
morganfainberg	whoa copy/paste error	18:18
stevemar	morganfainberg, i'll quickly add the change for that one	18:19
morganfainberg	i can't build my venv...	18:19
morganfainberg	wtf.	18:19
morganfainberg	greenlet issues	18:19
morganfainberg	otherwise i'd post a fix w/ the sample config	18:19
morganfainberg	oh .	18:20
morganfainberg	oh	18:20
morganfainberg	not in a vm	18:20
morganfainberg	thats why	18:20
bknudson	morganfainberg: you set up a repo recently? for kite or something?	18:20
morganfainberg	bknudson, jamie was working on getting that together	18:21
morganfainberg	let me fix the review if it hasn't been fixed	18:21
morganfainberg	the repo should go in on Friday	18:21
morganfainberg	if the review is good	18:21
bknudson	morganfainberg: nkinder was looking at setting up a repo.	18:21
morganfainberg	https://review.openstack.org/#/c/73074/	18:21
morganfainberg	review is passing, should go in on friday, thats when they do new repos	18:21
morganfainberg	irc friday that is	18:22
stevemar	morganfainberg, it needs a rebase anyway	18:23
morganfainberg	want me to do that	18:23
morganfainberg	have the revierw ready	18:23
morganfainberg	stevemar, ?	18:24
stevemar	morganfainberg, uh, sure, it's conflicting with another federation related bug	18:24
morganfainberg	yeah i see the files	18:24
stevemar	but if you already fixed that, then go ahead	18:24
stevemar	i'm in the process of doing it too, but i think you're a few steps ahead	18:25
morganfainberg	stevemar, your call	18:25
morganfainberg	let me do it	18:25
stevemar	sure	18:25
morganfainberg	so you can re +2	18:25
stevemar	i'll assign the bug back to marek, sounds good	18:25
ayoung	linuxgeek_, yep. But that is really why you should probably use hostnames not ipaddress. To update the endpoint, delete the old and create the new. You can do that with the CLI and the admin_token	18:26
*** vhoward- has left #openstack-keystone		18:27
linuxgeek_	ayoung, i updated the endpoints with the new ip using the db. checking now if it works. yes i agree hostname is the way to go rather than ip's	18:27
ayoung	linuxgeek_, good to hear it.	18:28
ayoung	you could do it multple ways, but DB is fine if you know what you are doing	18:28
ayoung	linuxgeek_, I've been messing with the python client API	18:29
ayoung	http://paste.openstack.org/show/73446/	18:29
ayoung	you'd create a client with	18:29
ayoung	admin_client = client.Client(endpoint='http://localhost:35357/v3', token='your-admin-token-goes-here')	18:30
morganfainberg	stevemar, so it looks like we're supplanting the "BAD_TESTER_ASSERTION" test with the new one?	18:30
morganfainberg	stevemar, oh wait nvm	18:30
morganfainberg	derop	18:30
ayoung	morganfainberg, I always raise "BAD_TESTER_ASSERTION" I guess because I am just a bad tester	18:30
*** thiagop has joined #openstack-keystone		18:32
*** dstanek has joined #openstack-keystone		18:32
morganfainberg	ayoung, hehe	18:33
*** zagranred has joined #openstack-keystone		18:33
morganfainberg	stevemar, just running tests to make sure i didn't cause issues and i'll be uploading a revised patchset	18:33
*** zagranred has quit IRC		18:33
stevemar	cooliop	18:33
morganfainberg	ayoung, the janitorial / custodial reviews look like they may be good to go (conf cleanup)	18:35
morganfainberg	ayoung, at elast good for review.	18:35
ayoung	morganfainberg, I'm still doing unspeakable things with the client	18:35
morganfainberg	ayoung, LOL	18:35
morganfainberg	ayoung, i figured	18:35
morganfainberg	did you get the py33 stuff working?	18:35
morganfainberg	it was universal newlines, right?	18:35
ayoung	morganfainberg, but I should have, fairly shortly, a way to verify tokens from the client, using the events and CMS	18:36
ayoung	I did not get it working yet	18:36
ayoung	the py33	18:36
morganfainberg	ayoung, ++	18:36
morganfainberg	events and cms verify == cool	18:36
ayoung	I'm going to get this posted at least enough for a WIP and then go back to the py33/compressed thing	18:36
*** amcrn has quit IRC		18:37
morganfainberg	ayoung, sounds good, let me know if you need any help	18:38
*** thiagop has quit IRC		18:40
*** thiagop has joined #openstack-keystone		18:41
*** leseb has quit IRC		18:43
*** leseb has joined #openstack-keystone		18:43
*** leseb has quit IRC		18:48
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Filter environment before mapping the federation rules. https://review.openstack.org/80293	18:48
morganfainberg	stevemar, ^	18:49
morganfainberg	stevemar and i reassigned the LP bug already back	18:49
stevemar	woo hoo	18:50
*** stevemar is now known as stevemar-afk		18:53
morganfainberg	dstanek, https://review.openstack.org/#/c/75816/4/keystone/catalog/backends/kvs.py String Freeze issue right? this needs to be held till Juno	18:56
bknudson	morganfainberg: I think that same message was used elsewhere already	18:59
morganfainberg	bknudson, hmm ok	18:59
bknudson	so it'll be in the catalog	18:59
morganfainberg	bknudson, that was what i was wondering.	18:59
dstanek	bknudson, morganfainberg: yes it's used in assignment kvs	18:59
morganfainberg	bknudson, didn't want to -2 if it legitimately wasn't a SF issue	18:59
openstackgerrit	Pablo Fernando Cargnelutti proposed a change to openstack/keystone: Moving delete_user and delete_group calls to IdentityManager https://review.openstack.org/80368	19:01
openstackgerrit	A change was merged to openstack/keystone: Add unit tests for disabled endpoints in catalog https://review.openstack.org/77375	19:08
*** linuxgeek_ has left #openstack-keystone		19:08
openstackgerrit	A change was merged to openstack/keystone: Fix include only enabled endpoints in catalog https://review.openstack.org/77441	19:12
dstanek	morganfainberg: had a quick question on https://review.openstack.org/#/c/79525/3/keystone/tests/core.py	19:12
morganfainberg	sure	19:13
morganfainberg	whoa	19:13
morganfainberg	how did that one get added.	19:13
morganfainberg	oh	19:14
morganfainberg	oh	19:14
morganfainberg	there is some issue with the cache fixture not getting setup correctly	19:14
morganfainberg	if you don't call setup directly you get a nasty exception	19:14
morganfainberg	it's about the lack of some property let me 2x check that. and see if i can chase down the specifics.	19:15
morganfainberg	that might have been a stub that got left in	19:15
dstanek	morganfainberg: really? hmmm...that sucks because if we ever add cleanup we'll have to manually call that too	19:15
morganfainberg	no the cleanup works, it was an issue with _details not being populated	19:15
morganfainberg	i think it was a workaround not needed sec.	19:15
morganfainberg	i think it was a stub i had to work around	19:17
morganfainberg	running tests now w/o it and it seems to be passing	19:17
ayoung	topol, question for you. In your proposal for audit, are you going to log username, or just userid?	19:21
*** leseb has joined #openstack-keystone		19:23
ayoung	morganfainberg, dstanek check me on this: if we somehow "anonymize" the user ids (henrynash's user id thing) if we can always get the userid from the username/domainid, then we can probably just record tusername/domain id in audit events.	19:24
ayoung	so "change password" and any identity API calls that need to find a specific backend would be broken	19:24
ayoung	but, hey, its Federation	19:24
ayoung	those probably shouldn't be in Keystone's control anyway	19:24
ayoung	and we could do userid = sha256('username@@domainname") or something	19:25
*** petertoft has joined #openstack-keystone		19:25
*** leseb has quit IRC		19:25
dstanek	ayoung: would you log that sha256 or the source data for it?	19:31
ayoung	dstanek, "log" ?	19:31
ayoung	meaning audit log? I don't think so...least it wouldn't mean much	19:31
topol	ayoung username	19:34
ayoung	dstanek, the audit log would be expected to have something that could uniquely identify the user. If userid is generated from username and domain id, but it was not a reversable lookup, you'd need the source material	19:34
ayoung	topol, so thinking of henrynash's problem	19:34
ayoung	and I think that audit is my major concern	19:35
* topol topol needs some context. whic problem		19:35
ayoung	if we anonymize, we break audit	19:35
ayoung	ids fro multiple LDAP	19:35
topol	ayoung whatw as he going to anonymize???	19:35
ayoung	and for multiple IdPs in the future as well	19:35
ayoung	topol, remember the "ephemeral users" issue? Assign each user an ID based on some entry in either a mapping table or something?	19:36
topol	we would have to have a an audit record of what the ids were mapped to to keep from breaking	19:36
ayoung	yeah, but It seems fragile	19:36
topol	would nt we do an audit record that captures the mapping???	19:36
ayoung	topol, so, say a user came in to two different keystone servers, and got two different Ids?	19:37
topol	ayoung so we need to come up with a solution that hoepfully does not break auditing. I believe henrynash wants to make sure audit still works. Havent check on what he thinks is a feasible solution	19:37
*** devlaps has quit IRC		19:38
ayoung	Or, if somehow the mapping table gets out of sync	19:38
ayoung	topol, this is a topic for the summit.	19:38
topol	ayoung, I agree we need to discuss and vet	19:38
ayoung	I just had an "ok, we can do this if..." moment last night	19:38
*** devlaps has joined #openstack-keystone		19:39
topol	ayoung, yes I was planniong on submitting this as a summit topic (audit + federation). I can go ahead an get that submitted	19:39
topol	(joint with martinelli)	19:39
topol	ayoung, make sense?	19:40
ayoung	so if an audit event records the username, not just the userid, then I think we'll be set. dolphm was concerned that we were going to "leak" data out of Keystone, such as what users are actively working in there, and that we shouldn't be using anything other than uuids. But I don;t trust the idea of the mapping table, so I want something that is consistant regardless of whether there is an entyr in the usertable before th	19:40
ayoung	e user visits or not	19:40
*** amcrn has joined #openstack-keystone		19:41
ayoung	sha256 ("%s@@%", [username, domainname]) or something	19:41
ayoung	it is not perfect	19:41
topol	ayoung for compliance requirments I think it is Ok and required to leak	19:41
ayoung	with revocation events, you are going to see one event per, say, password change, and if that is not a tightly controlled call, there will be a lot of data leaking	19:41
topol	ayoung, why?	19:42
ayoung	so I agree some degree of anonymization is called for. That was the real epiphany	19:42
ayoung	topol, reread it. I just explained	19:42
ayoung	you are going to see one event per, say, password change. event will have the userid in it	19:42
ayoung	anyone can read all of the evetns	19:42
ayoung	events	19:42
topol	that would be bad	19:42
*** devlaps has quit IRC		19:43
topol	perhaps for certain audit events we filter out the values if leaking too much	19:44
topol	for a password change it would just say so and so's password changed. it wouldnt have the values in it	19:45
topol	ayoung	19:45
ayoung	topol, so if you change your password, a revocation event is generated with your userid	19:46
*** henrynash has joined #openstack-keystone		19:46
ayoung	henrynash, were your ears buring?	19:46
topol	yay, henrynash!	19:46
ayoung	burning	19:46
henrynash	topol: hi	19:46
topol	my mental telapathy still works	19:47
topol	ayoung, please recap	19:47
ayoung	topol, I can do better	19:47
*** andreaf has quit IRC		19:47
ayoung	2014-03-13T19:24:04 on http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2014-03-13.log	19:48
ayoung	henrynash, ^^	19:48
topol	ayoung, you gonna make him read the whole log????	19:49
ayoung	topol, nope, but the datatime I posted shows the start of the conversation	19:50
*** gokrokve has quit IRC		19:50
*** gokrokve has joined #openstack-keystone		19:50
henrynash	reading…reading…reading...	19:51
topol	so henrynash net is ayoung is worried about ephemeral ids need for LDAP federation breaking audit support	19:51
henrynash	topol: ok	19:52
ayoung	henrynash, I was saying that it is ok to do userid = sha256( "username@@domainname") if we don;t break audit	19:52
henrynash	(fyi, I did post a design summit session on this…."Entity IDs in a multi-backend or Federated World"	19:52
ayoung	the problem with audit is it needs to do a backwards mapping from userid to original subject	19:52
*** gokrokve has quit IRC		19:52
ayoung	henrynash, 1 posted one too	19:53
henrynash	ayoung: (to play devil's advocate) so audit could of course use the mapping to decode the real user and log that event	19:54
henrynash	(log that in the event)	19:54
ayoung	henrynash, what if there are multiple keystone servers in play?	19:54
topol	henrynash, good idea	19:54
*** eglynn_ has joined #openstack-keystone		19:54
ayoung	henrynash, so, yeah, the mapping table is essential if there is no other way to map users for, say, audit	19:55
henrynash	ayoung: and the issue tat would cause is….	19:55
ayoung	henrynash, I'm trying to avoid a data duplication and sync setup with Keystone	19:55
eglynn_	good evening folks	19:56
ayoung	henrynash, so...lets treat the mapping table as a last resort	19:56
ayoung	and...if we make it possible to go from audit events to userid, I think we can do that	19:56
henrynash	ayoung: oh, so I'm with you on that one…my view is that we only allow ourselves to be forced into storing some kind of independent mapping if we prove to ourselves that encoding the info within the identifier itself cannot be the right solution	19:56
henrynash	:-)	19:57
eglynn_	I'm wondering whether the --os-cacert keystoneclient option is expected to be propogated?	19:57
ayoung	henrynash, so, lets start with sha256("username@@domainname")	19:57
topol	why must we do sha256?	19:57
henrynash	ayoungL but given the output of that, can I get the domain name?	19:57
ayoung	it will look just like UUIDs do, and won't be backward's mappable, which, to some amount, addresses dolphm 's concern on leaking information	19:57
henrynash	ayoung: I.e. can i reverse it	19:58
eglynn_	this seems to imply that it allows the cacert to be specified when verifying the service side cert when doing https	19:58
eglynn_	https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/shell.py#L187	19:58
ayoung	henrynash, no, from userid, you would not be able to get domain name	19:58
ayoung	and I think I am OK with that as it means we can't go from, say, assignments to identity, but we can go the other way	19:58
henrynash	ayoung: errrr, so how does this help the problem we started out to solve	19:58
henrynash	?	19:58
ayoung	henrynash, it means the userids are naturally deconflicted between IdPs (LDAP included)	19:59
ayoung	it means that they look like and act like UUIDs	19:59
ayoung	and it means we don't need a shadow table	19:59
henrynash	ayoung: the problem we started with was "given this user_id, I need to route it to the right backend"	19:59
ayoung	so, yeah, you can't change a password with just a sha256 based id	19:59
ayoung	henrynash, but I don't think that is a real problem	19:59
eglynn_	folks, anyone know if say "keystone --os-cacert /etc/keystone/ssl/certs/ca.pem endpoint-list" should cause ca.pem to be used to verify the CA for the keystone service's cert?	19:59
topol	why isnt this just another column in the routing table???	20:00
ayoung	eglynn_, the question is whether that is necessary or sufficient	20:00
morganfainberg	ayoung, do we want anonymous or deconstructible ids? I am all for doing a sha of the combo.	20:00
ayoung	if should be necessary, not sure if it is sufficient	20:00
morganfainberg	ayoung, sorry reading scrollback	20:00
ayoung	topol, "routing" I think you have neutron on the mind	20:00
eglynn_	ayoung: sufficient in the sense of allowing the client access?	20:01
henrynash	ayoung: but that IS the problem we have right now….e.g. get_user(user_id)……which backend is that for?	20:01
topol	if we start out knowing the user name and domain we should be to deconstruct and get back the knowledge we used to have	20:01
ayoung	henrynash, I am OK for breaking "identity calls work for all backends with just userid"	20:01
eglynn_	ayoung: ... well the equivalent curl -k option works for me	20:01
henrynash	ayoung: wow, well if you're ok breaking that, then sure anything is possible….I don't know if we can break that	20:02
eglynn_	i.e. this works: curl -k /etc/keystone/ssl/certs/ca.pem -i -X POST https://172.16.12.49:35357/v2.0/tokens ...	20:02
ayoung	eglynn_, I need to try an SSL ified keystone setup and see what happens.	20:02
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Removal of test .conf files https://review.openstack.org/79525	20:02
ayoung	henrynash, what calls is that really breaking?	20:02
topol	ideally there should be a breadc crumb in the user id to help you work backwards	20:02
ayoung	really just stuff to identity	20:02
morganfainberg	dstanek, removed that one line from the test cleanup you had a question about, looks like it was a stub i needed while working through everything	20:02
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Move test .conf files to keystone/tests/config_files https://review.openstack.org/79526	20:02
ayoung	topol, or we could say that , in a federated case, for those apis, you need to provide domainid	20:02
henrynash	ayoung, so authenticate with user_id, get/delete of user, group	20:02
eglynn_	ayoung: OK, I'm gonna go raise it in LP, it smells bug-like to me	20:03
henrynash	ayoung: also, add/check/remove user from group	20:03
topol	could the last for digits of the user id be a code that tells you which domain to use :-)?	20:04
henrynash	ayoung: to name the ones of the top of my head :-)	20:04
morganfainberg	ayoung, we could use uuid5 vs sha256	20:04
ayoung	henrynash, ok, so authenticate with userid...for Federated is not an issue	20:04
ayoung	you provided a SAML doc	20:04
morganfainberg	topol, ^	20:04
ayoung	for LDAP....you are going to use username and password	20:04
henrynash	ayoung: it is for multi-backend	20:04
ayoung	or Kerberos	20:04
topol	morganfainberg, i saw that	20:05
ayoung	henrynash, I guess that someone could cache their userid and pass it back for authentication, but, is anyone really going to do that?	20:05
henrynash	topol: so , yes, there are such schemes….ayoung suggested we do something like git does with the first 8 chars	20:05
morganfainberg	topol, i don't see a need to use a sha256 but eh.	20:05
topol	morganfainberg, I agree	20:06
ayoung	morganfainberg, just the currrent "best practice"	20:06
ayoung	we can use md5, IDRC	20:06
morganfainberg	if we used a UUID (real uuid) uuid5 (takes namespace + other data)	20:06
henrynash	ayoung: I agree that authenticate with user-Id is the least of our problems	20:06
morganfainberg	the downstream consumers can compress the data to 16 bytes if they are concerned about space	20:06
morganfainberg	which was one reason other people like uuids	20:06
ayoung	henrynash, so we make the assumption that, for multi backend, the data is only going to flow one wa: from identity to assignment. You need to start with the key for identity, which is the username	20:07
morganfainberg	"real uuid" just means hex 32bytes	20:07
ayoung	morganfainberg, it would not be reversable, right?	20:07
morganfainberg	ayoung, no it isn't reversible	20:07
ayoung	I mean, I can't see how it possibly could be , but I had to ask	20:07
morganfainberg	ayoung, i do have that b64 magic code that gets us 64byte ids	20:08
morganfainberg	that is reversible	20:08
morganfainberg	ayoung, not that it's a "good idea"	20:08
ayoung	morganfainberg, so I think I'm ok with that scheme so long as audit emest the username and domainname or domainid on events	20:08
ayoung	emits	20:08
morganfainberg	ayoung, audit could deconstruct the data easily	20:08
topol	morganfainberg, thats a critical designcontraint	20:09
morganfainberg	the biggest downside is that it _requires_ no more than 32 bytes of "user_id"	20:09
morganfainberg	or we need 16 bytes or less of domain_id	20:09
*** devlaps has joined #openstack-keystone		20:09
morganfainberg	i was doing uuid magic to use binary form	20:09
morganfainberg	we got 48 bytes of data, or we go with the <user_component>@@<partial domain>	20:10
morganfainberg	and get more space	20:10
morganfainberg	as a raw string	20:10
ayoung	morganfainberg, but that approach was sem reversable, right? We would actually be able to extract the domain id out of the userid?	20:11
*** petertoft has quit IRC		20:11
morganfainberg	ayoung, corred.	20:11
morganfainberg	ayoung, correct* let me find that example i had	20:11
ayoung	cor, chief!	20:11
henrynash	so for me it is pretty simple, we need to ask ourselves teh following questions:	20:11
ayoung	morganfainberg, so, lets table that for a moment	20:12
henrynash	1) To we need to hide true identity in IDs	20:12
*** leseb has joined #openstack-keystone		20:12
ayoung	morganfainberg, cux, while it is cool, it also puts some restrictions on length that we might want to avoid	20:12
morganfainberg	ayoung, i agree	20:12
henrynash	2) IS it our job to scrunch down the format of an ID so that keystone clients can efficiently store/refer to it?	20:12
morganfainberg	ayoung, the only real limit we have is 64 bytes, and i don't want to go over that.	20:12
ayoung	morganfainberg, ++	20:12
morganfainberg	henrynash, i do like a consistent format for ids	20:13
morganfainberg	henrynash, regardless of the choice on format	20:13
morganfainberg	as long as all ids (new, ignoring old) can conform, i'm happy	20:13
ayoung	henrynash, so 1) is a design goal. We don't do that now, but I would like to	20:13
ayoung	2) I would say is a short term requirement, otherwise we break other projects DBs	20:14
*** devlaps has quit IRC		20:14
morganfainberg	and 64bytes is the limit, though if we used a raw uuid, clients would be happier since it is smaller	20:14
morganfainberg	ayoung, ++ on 2	20:14
henrynash	morganfainberg: so if you make that a requirement, then a mapping table is the only answer, since we cannot control the ID format of ReadOnly LDAPs	20:14
morganfainberg	but we've had 64 bytes accepted as the maximum, so we can consume up to that for ID (in any form)	20:14
ayoung	morganfainberg, so if we do sha2 appraoch, we need such that base64(sha2(useridscheme)) <= 32 chars for current nova approach and <=64 chars for the rest of the world	20:15
ayoung	henrynash, mapping is required, but not in a table	20:15
morganfainberg	ayoung, nova will get fixed.	20:15
morganfainberg	ayoung, we need to make sure whatever = max of 64bytes	20:16
morganfainberg	i have a review in to fix nova, so we can press that issue if needed	20:16
henrynash	ayoung: I'm open to how we do it without it in a way that is reversable	20:16
ayoung	henrynash, so if the userid is calculated from an LDAP portion and a domain portion assigned by keystone, we have a mapping as well, just not one we need to explicitly record	20:16
ayoung	the reversable is, I think the part that is negotiable	20:16
morganfainberg	ayoung, if reversible is negotiable, lets go w/ uuid5, 32 bytes, everyone is happy and we can make sure it's 100% consistent	20:17
ayoung	OK, I've had my say....we are all in sync on the issues, just not the solution yet	20:17
henrynash	ayoung:++ this is a nice summit topic if I ever saw one!	20:17
morganfainberg	henrynash, ++	20:18
morganfainberg	ayoung, anyway.	20:18
ayoung	morganfainberg, uuid5 limits the length of the ids...lets keep it on the table as one of the approaches.	20:18
henrynash	ayoungL agreed	20:18
ayoung	henrynash, I'll try to have some reading material produced prior to the summit to summarize	20:18
eglynn_	ayoung: here's a detailed description of that --os-cacert issue https://bugs.launchpad.net/python-keystoneclient/+bug/1292202	20:18
morganfainberg	ayoung, uuid5 is really sha1 of uuid + <some string>	20:18
henrynash	ayoung: I was going to write up a BP that described the approaches we have deiscussed	20:18
morganfainberg	ayoung, uuid = domain uuid	20:19
ayoung	eglynn_, I assigned to jamielennox\|away	20:19
henrynash	ayoung: weithour suggesting which is the one to chose	20:19
ayoung	henrynash, ++	20:19
morganfainberg	yay! good summit topics	20:19
henrynash	(nipping off line back later)	20:19
ayoung	12 summit sessions for keystone proposed	20:19
morganfainberg	ayoung, yeah	20:19
ayoung	I see 3 that can be combined already	20:20
morganfainberg	ayoung, ++ was about to say similar	20:20
ayoung	Support for Hierarchical administrative boundary, Discoverable and Hierarchical Catalog, and RBAC and Policy	20:20
morganfainberg	i also see one or two that probably should be Dev lounge + irc	20:20
openstackgerrit	Pablo Fernando Cargnelutti proposed a change to openstack/keystone: Moving delete_user and delete_group calls to IdentityManager https://review.openstack.org/80368	20:26
*** topol has quit IRC		20:27
morganfainberg	dstanek, tests are way better now btw	20:44
morganfainberg	dstanek, glad your changes landed	20:44
morganfainberg	dstanek, i don't know if you were paying attention when i asked this before, but blinker library	20:45
dstanek	morganfainberg: i'm glad they're better for you - i wasn't able to even run them before those changes	20:45
dstanek	morganfainberg: yay, blinker :-)	20:46
openstackgerrit	Brant Knudson proposed a change to openstack/python-keystoneclient: Allow hash tokens with sha256 https://review.openstack.org/80398	20:46
morganfainberg	instead of the notificaiton callbacks, should we use that? In the case of blinker can we ensure that a given callback only is registered a single time? e.g. the version instantied first (e.g. service.py) registers first	20:46
morganfainberg	and the subsequnt ones don't register, prevents 5 managers from trying to do deletions for the same event	20:46
morganfainberg	or are we going to need to add a shim layer over the top to help limit the listeners to 1	20:47
morganfainberg	i'm all for in Juno moving to blinker (i actually think the decorator for listening is way cooler)	20:47
dstanek	morganfainberg: i think you'd need a small shim	20:47
morganfainberg	in fact, even if we don't move to blinker, i expect i'll convert over to a decorator in J1	20:48
dstanek	morganfainberg: typically with blinker you'd have multiple things looking for signals to do some logic	20:48
morganfainberg	waaaaaay better than the event callback registration	20:48
morganfainberg	right.	20:48
morganfainberg	maybe we need to "fix" managers to be more of a singleton than they are	20:48
dstanek	morganfainberg: maybe i'll whip up a prototype to see what it would look like. I'm intestested now	20:49
morganfainberg	e.g. never call __init__, call .get_manager()	20:49
morganfainberg	make __init__ tell people to go away if it's called directly	20:49
morganfainberg	if we moved to a "singleton"-like model for the managers it would solve that issue implicitly	20:49
dstanek	morganfainberg: i think it would be better to do real injection and leave the __init__s as is	20:50
dstanek	usually your injected would create the instance and all the the depencencies	20:50
morganfainberg	sure.	20:50
dstanek	it should controll the graph	20:50
morganfainberg	i'm now wondering if there is _ever_ a case we should allow multiple of a given manager to be instantiated	20:51
morganfainberg	regardless of how we handle the injection	20:51
morganfainberg	doesn't change your point nor implementation really	20:51
dstanek	probably not, but unit tested injected managers would be easier if you could just pass in the deps to it's __init__	20:51
dstanek	err...its	20:52
morganfainberg	dstanek, like i said, wouldn't make a difference on implementation if we made it so managers only were instantiated once	20:52
morganfainberg	dstanek, that would be icing to a well defined dep injection	20:52
openstackgerrit	Brant Knudson proposed a change to openstack/keystone: Configurable token hash algorithm https://review.openstack.org/80401	20:53
morganfainberg	dstanek, lets table making managers more singleton-like until later.	20:53
morganfainberg	dstanek, but i would love to move to blinker signaling wherever possible	20:53
morganfainberg	it would be waaaaay cooler for cross-manager notificaiton stuff	20:54
dstanek	morganfainberg: i'll get on that after dinner. i've been wanted to dive into our notifications code to really understand it anyway	20:54
morganfainberg	dstanek, i brought this up because https://review.openstack.org/#/c/80368/ and see my comment on it	20:55
*** jamielennox\|away is now known as jamielennox		20:55
morganfainberg	jaypipes, ping - callback stuff	20:55
morganfainberg	jaypipes, the issue is having a ton of methods you need to add to other managers. each new manager needs to be added to "identity" or some such because it has an action that occurs on user deletion	20:56
morganfainberg	jaypipes, i would much prefer the dependant manager (e.g. credential needs to act on user delete) define what it's looking for instead of the inverse	20:57
morganfainberg	jaypipes, identity shouldn't have to care what other managers need to take an action on user_delete, it should just say "hey user X is deleted"	20:57
jaypipes	morganfainberg: I'd be fine with that if the firing of the dependent hooks was explicit and not hidden away in some decorator magic.	20:57
morganfainberg	jaypipes, ^ see the discussion we're had on this just before my ping	20:58
dstanek	jaypipes: i think firing would look like 'user_deleted_signal.send(user_ref)' and then the signal library would call all registered handlers	20:58
morganfainberg	and the registered handlers would be configured via a decorator to show they are listening for these events.	20:59
morganfainberg	iirc	20:59
dstanek	registration of the handlers would be very obvious	20:59
ayoung	OK...I am really starting to think we need a set of live tests for the keystone client.	20:59
morganfainberg	dstanek, ++	20:59
morganfainberg	jaypipes, what we have is a decent first pass, but for J we will make it _way_ better	20:59
ayoung	jamielennox, eglynn_ had a question earlier about SSL and the client. Read up, but he filed a bug and I assigned to you.	21:00
ayoung	I suspect it is a documentation issue, but didn't want to say for sure	21:00
*** afaranha has quit IRC		21:00
dstanek	morganfainberg, jaypipes: i'll take a first pass at what i think it would look like and add you to the review	21:00
jaypipes	morganfainberg: how do you deal with correct ordering of callbacks?	21:00
ayoung	dstanek, morganfainberg is there some way to make testr tests conditional? Like : only run these tests if a specific environment variable is set or something?	21:01
ayoung	I'd love to be able to do	21:01
morganfainberg	ayoung, hmm. i think that would be in the test cases not testr...	21:01
ayoung	run_tests.sh --backend=mysql	21:01
morganfainberg	ayoung, i don't know though	21:01
ayoung	morganfainberg, nah, the whole suite, or class or something	21:02
morganfainberg	ayoung, in setUp()	21:02
morganfainberg	ayoung, look for os.environ['<env>']	21:02
ayoung	sometihng about the way it does discovery	21:02
morganfainberg	oh you don't even want skips	21:02
ayoung	yeah	21:02
*** marcoemorais has quit IRC		21:02
ayoung	skip the whole suite	21:02
morganfainberg	you could just make the skip say Skipped because <blah is disabled>	21:02
morganfainberg	shrug	21:02
morganfainberg	or skipped because not live test	21:02
ayoung	morganfainberg, nope	21:03
*** marcoemorais has joined #openstack-keystone		21:03
ayoung	unless I could do that from setuP	21:03
ayoung	doesn;t work ofr the live tests	21:03
bknudson	you can skip in setup	21:03
morganfainberg	ayoung, you can	21:03
ayoung	they are specified the same way regardless of the database	21:03
dstanek	ayoung: we have a decorator for some tests now to do something similar - don't know what approach it used	21:03
bknudson	ipv6 tests?	21:03
dstanek	ayoung: i don't think it's reusable though	21:03
morganfainberg	ayoung, if you issue the skiptest (is it a raise method?) if you do the skip in setUp the whole class is skipped	21:03
dstanek	yeah, i think those are them	21:03
morganfainberg	jaypipes, i'm trying to think of a way that you have an ordering issue.	21:03
morganfainberg	jaypipes, if each manager only acts on it's driver, order doesn't really matter	21:04
ayoung	morganfainberg, OK...so I could in theory make some tests in the python-keystoneclient that talked to a live server, and would only be run if I said, say "auth_url=...."	21:04
dstanek	jaypipes: if order matters then there should be 1 callback doing two things instead of trying to order two different callbacks	21:04
morganfainberg	dstanek, ++	21:05
jaypipes	morganfainberg: if I delete credentials before I delete user groups assignments, and things fail in between, is there any issue? that's what I meant by ordering issues...	21:05
morganfainberg	jaypipes, the delete would occur after the user is deleted, so they aren't relevant in either case	21:05
jaypipes	morganfainberg, dstanek: all in all, I just prefer non-magical, non-hidden coding :) I'll wait to see your PoC on this and comment after, ok?	21:06
morganfainberg	jaypipes, but in the case that something does matter order wise, it can be in a single callback (as dstanek outlined)	21:06
morganfainberg	jaypipes, ++ sounds good	21:06
jaypipes	coolio. :) thx guys!	21:06
morganfainberg	jaypipes, but the fix will be Juno because we need a new requirement addition	21:06
morganfainberg	jaypipes, the cleanup that is.	21:06
dstanek	morganfainberg, jaypipes: sounds good to me, thx	21:07
jaypipes	sure, no worries, I figured as mucjh	21:07
morganfainberg	ayoung, give me a sec, i'll dig up how to skip	21:07
ayoung	morganfainberg, thanks....I think that we should redo the _livetests with that like, now	21:08
morganfainberg	ayoung, self.skipTest('<message>')	21:08
morganfainberg	ayoung, should work in .setUp	21:08
ayoung	maybe tomorrow, certainly before Ice rc	21:08
ayoung	schweet	21:08
morganfainberg	sec	21:08
morganfainberg	2x checking	21:09
dstanek	bknudson, ayoung: hmmm...this is what i was thinking about; thought it was a decorator - http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/test_ssl.py#n87	21:09
morganfainberg	ayoung, yep./	21:09
morganfainberg	ayoung, :)	21:09
bknudson	dstanek: maybe testtools provides a decorator, too?	21:10
bknudson	but then you'd have to pass it a function.	21:10
morganfainberg	bknudson, there is a decorator	21:10
morganfainberg	bknudson, but just calling self.skipTest(<message>) is sufficient	21:10
*** devlaps has joined #openstack-keystone		21:10
morganfainberg	if you look at how the skip_if_no_ipv6() works	21:10
morganfainberg	well it does a raise, but .skipTest also does a raise	21:10
*** devlaps has quit IRC		21:11
*** devlaps1 has joined #openstack-keystone		21:11
morganfainberg	skip_if_no_ipv6's raise call is superfluous	21:11
morganfainberg	ayoung, livetests working on env could make things a lot easier for eliminating the last of the config files	21:12
*** thiagop has left #openstack-keystone		21:12
morganfainberg	then no more config files in tests! yay!	21:12
morganfainberg	except when we're testing config file things specifically	21:13
openstackgerrit	Brant Knudson proposed a change to openstack/keystone: Configurable token hash algorithm https://review.openstack.org/80401	21:13
*** gyee has joined #openstack-keystone		21:14
morganfainberg	actually... hmm	21:14
dstanek	it should be easy to write '@skip_if_config("opt.to.look-for", "off-value")'	21:14
dstanek	you could also have a skip_if_env that uses an environment variable	21:15
morganfainberg	skip_if_not_env	21:15
morganfainberg	:P	21:15
morganfainberg	i think the backend_ldap.conf is the only one that would be really hard to model out because of the number of variations on ldap configs.	21:16
morganfainberg	erm live_ldap	21:16
ayoung	morganfainberg, I think we could probably keep a config file for LDAP tests.	21:17
morganfainberg	ayoung, do we actually need backend_ldap.conf?	21:18
ayoung	morganfainberg, only if we don;t use the defaults	21:18
morganfainberg	are we ever testing those against a live ldap?	21:18
morganfainberg	no i mean, do we expect our test suite to run against a live ldap server?	21:18
ayoung	morganfainberg, we could easily do it using config values from inside a test	21:18
ayoung	just if someone wants to run it against their own setup, it would be nice to allow for a config file	21:18
morganfainberg	ayoung, hm.	21:19
ayoung	yeah, but that can be round 2	21:19
morganfainberg	i think we don't cleanup the ldap trees properly between tests	21:19
*** ayoung is now known as ayoung_dad_mode		21:19
ayoung_dad_mode	morganfainberg, we do, or at least we did	21:19
morganfainberg	we get away with it for fakeldap since we can nuke it in memory	21:19
morganfainberg	hmmm checks	21:19
*** dstanek is now known as dstanek_afk		21:19
dstanek_afk	i'll be back after dinner	21:19
*** petertoft has joined #openstack-keystone		21:21
nkinder	morganfainberg: I run the tests against live ldap	21:31
morganfainberg	nkinder, hm...	21:31
morganfainberg	nkinder, oooh i see how they work	21:31
morganfainberg	nkinder, i was looking in the wrong place	21:31
nkinder	morganfainberg: I use backend_liveldap.conf though	21:31
morganfainberg	yeah	21:31
nkinder	morganfainberg: I plan to try your recent patches against my live setup, but I can't do any real work like that until I get off of work and go home :P	21:32
morganfainberg	they shouldn't impact your live setup for the most part	21:32
nkinder	I don't expect them too. The changes all look fine.	21:33
morganfainberg	i kept the bulk of the ldap settigns out of the config fixture	21:33
*** petertoft has quit IRC		21:40
*** lbragstad has quit IRC		21:54
*** david-lyle has quit IRC		21:58
*** gabriel-bezerra has joined #openstack-keystone		22:02
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Make LIVE Tests configuable with ENV https://review.openstack.org/80409	22:04
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Make LIVE Tests configurable with ENV https://review.openstack.org/80409	22:04
morganfainberg	ayoung_dad_mode, ^ when you're back	22:05
*** leseb has quit IRC		22:07
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Do not use keystone.conf.sample in tests https://review.openstack.org/79524	22:08
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Removal of test .conf files https://review.openstack.org/79525	22:09
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Move test .conf files to keystone/tests/config_files https://review.openstack.org/79526	22:09
*** nkinder has quit IRC		22:14
*** leseb has joined #openstack-keystone		22:15
*** gabriel-bezerra has quit IRC		22:17
morganfainberg	bknudson, i'm baffled	22:22
morganfainberg	bknudson, your catalog disabled tests are breaking in my remove the config files chain	22:22
bknudson	morganfainberg: we all are.	22:22
morganfainberg	bknudson, and i have no idea why i'm getting numerical ids out of it	22:22
morganfainberg	instead of the uuidx	22:23
bknudson	morganfainberg: maybe the templated backend?	22:23
morganfainberg	oh .	22:23
bknudson	that obviously requires a config file.	22:23
morganfainberg	hmm.	22:23
morganfainberg	oh i see what is going on	22:23
morganfainberg	backend_sql doesn't include the config now	22:23
morganfainberg	thanks	22:23
morganfainberg	this was bugging me	22:24
bknudson	default_catalog.templates	22:24
morganfainberg	yep	22:24
morganfainberg	thanks	22:24
bknudson	morganfainberg: not so baffled anymore.	22:24
morganfainberg	bknudson, yep thanks	22:26
morganfainberg	bknudson, i obviously need more coffee	22:26
bknudson	morganfainberg: catalog.RegionOne.identity.id = 1	22:26
*** nkinder has joined #openstack-keystone		22:26
morganfainberg	yep.	22:26
morganfainberg	see it now	22:26
bknudson	the templated catalog actually seems like a good idea.	22:26
bknudson	the db lookups for the catalog must be pretty slow	22:27
bknudson	the db lookups could probably be improved	22:27
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Removal of test .conf files https://review.openstack.org/79525	22:28
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Move test .conf files to keystone/tests/config_files https://review.openstack.org/79526	22:29
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Make LIVE Tests configurable with ENV https://review.openstack.org/80409	22:29
morganfainberg	bknudson, that seems to have solved my issue	22:30
morganfainberg	bknudson, i think we could be a lot smarter abourt building the catalog in SQL	22:30
morganfainberg	bknudson, and/or add caching over the top	22:31
bknudson	morganfainberg: it's potentially different for each request...	22:31
bknudson	but it also doesn't change much	22:31
morganfainberg	bknudson, we could be smart about taking the whole catalog and process it in memory to the "correct" version	22:32
morganfainberg	bknudson, instead of relying on SQL to do that for us	22:32
bknudson	morganfainberg: essentially turn it into the kvs version.	22:32
morganfainberg	bknudson, but with a SQL back (e.g. smart about loading from the SQL)	22:32
morganfainberg	bknudson, but yes.	22:32
*** prad_ has quit IRC		22:44
*** wchrisj has quit IRC		22:46
*** leseb has quit IRC		22:50
mfisch	can someone explain why the users list returns a tenantId along with the user?	22:50
*** eglynn_ has quit IRC		22:58
*** dims_ has quit IRC		22:58
*** browne has left #openstack-keystone		23:00
*** stevemar-afk has quit IRC		23:03
openstackgerrit	A change was merged to openstack/keystone: Remove unnecessary oauth1.Manager constructions https://review.openstack.org/79213	23:05
openstackgerrit	A change was merged to openstack/keystone: Updated from global requirements https://review.openstack.org/76691	23:05
*** henrynash has quit IRC		23:09
*** dims_ has joined #openstack-keystone		23:12
openstackgerrit	Brant Knudson proposed a change to openstack/keystone: Add a space after the hash for block comments https://review.openstack.org/78116	23:13
bknudson	dstanek_afk: had to rebase ^	23:13
*** thedodd has quit IRC		23:21
*** Fin1te has joined #openstack-keystone		23:31
*** dstanek_zzz has joined #openstack-keystone		23:36
*** dstanek_zzz is now known as dstanek		23:37
dstanek	bknudson: thanks	23:37
*** daneyon_ has joined #openstack-keystone		23:37
*** flaper87 is now known as flaper87\|afk		23:37
morganfainberg	i think i just helped chase down a revoke_api API breaking change	23:38
morganfainberg	as in, a choice made on how revoke_api works breaks previously allowed API calls	23:38
bknudson	morganfainberg: I thought revoke_api was experimental and couldn't cause any problems?	23:38
morganfainberg	bknudson, well, apparently it loads by default	23:38
morganfainberg	bknudson, i thought it was not loading	23:38
dstanek	bknudson: mutables as defaults args are bugs just waiting to happen - it creates a sort of static variable and people don't expect that	23:39
bknudson	morganfainberg: really?	23:39
morganfainberg	if we fix it's optional-ish nature so it doesn't load, we will solve the issue	23:39
*** petertoft has joined #openstack-keystone		23:39
bknudson	dstanek: that sounds like it could be handy	23:39
morganfainberg	but, here is the issue: UUID tokens, on switching projects there is a token delete on the old token	23:39
dstanek	bknudson: it is sometimes, but usually it just causes bugs	23:39
morganfainberg	that delete uses the expiration_time in revoke events to revoke the specific token	23:40
morganfainberg	all tokens based on that expiration time (from the unscoped login to horizon) are now invalid	23:40
*** YorikSar_ has joined #openstack-keystone		23:40
morganfainberg	to unscoped token -> token 1 -> token 2 -> token 3, if you revoke token 1, all tokens are revoked in the revoke api	23:40
morganfainberg	since we key on expiration time	23:41
morganfainberg	https://bugs.launchpad.net/horizon/+bug/1291099	23:41
morganfainberg	just associated this to keystone	23:41
*** YorikSar has quit IRC		23:41
morganfainberg	i'm going to see what i can do to fix this	23:42
dstanek	bknudson: people don't expect this behavior - http://paste.openstack.org/show/73468/	23:42
bknudson	morganfainberg: revoke_extension isn't loaded by default as far as I can tell.	23:42
bknudson	it's not in the paste pipeline	23:42
morganfainberg	bknudson, well i have a coworker with a clean devstack showing this behavior	23:42
morganfainberg	bknudson, trying to figure out how it's getting loaded	23:43
bknudson	the bug is that revoke extension is loading by default then	23:43
morganfainberg	well it's twofold	23:43
morganfainberg	1: loading by default, 2: (related) this is broken behavior	23:43
morganfainberg	bknudson, it is loaded by default	23:44
morganfainberg	look in service.py	23:44
*** petertoft has quit IRC		23:44
bknudson	morganfainberg: it's just not in the paste pipeline?	23:44
bknudson	git revert	23:44
morganfainberg	bknudson, might be a 1 line fix	23:45
morganfainberg	checking now	23:45
morganfainberg	if that doesn't fix, yes, revert is coming	23:45
*** dstanek_afk has quit IRC		23:45
*** daneyon has quit IRC		23:45
morganfainberg	but i'd rather not revert if it's a single line that was missed when we made it optional	23:45
bknudson	morganfainberg: it's @dependency.optional.. so would just remove from service.py and create the manager when the extension is loaded.	23:46
morganfainberg	yeah that is the th...	23:47
bknudson	dstanek: you won't be thanking me for rebasing that patch when you see what happened to https://review.openstack.org/#/c/78117/ ...	23:51
bknudson	not sure what happened there.	23:51
bknudson	but now it depends on outdated and is failing to merge...	23:51
dstanek	bknudson: ha, i'll take a look	23:53
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Create a test token generator and use it https://review.openstack.org/78877	23:53
bknudson	dstanek: I tried cherry-picking the changes to rebuild the chain but got --	23:54
bknudson	! [remote rejected] HEAD -> refs/publish/master/bp/more-code-style-automation (no new changes)	23:54
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Create a V3 Token Generator https://review.openstack.org/78878	23:57
dstanek	bknudson: that's pretty strange	23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!