Friday, 2014-03-14

*** leseb has joined #openstack-keystone00:01
*** Fin1te has quit IRC00:01
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: document that --pass can be required
*** leseb has quit IRC00:05
*** nkinder has quit IRC00:13
*** dolphm has quit IRC00:14
*** dolphm has joined #openstack-keystone00:15
*** bobt has joined #openstack-keystone00:19
jamielennoxbknudson: re: - the module docs seem to be generated for me on master without this patch00:27
jamielennoxis that trying to link it into an automated process upstream/00:27
jamielennoxdstanek: you might know as well as you are listed as co-author00:27
jamielennoxrm -rf doc/build/ && python build_sphinx && firefox doc/build/html/py-modindex.html00:27
bknudsonjamielennox: do you have doc/source/api<something...00:27
morganfainbergbknudson, there are a lot of cases that assume revoke_api is "just loaded"00:27
morganfainbergall over the tests00:27
jamielennoxbknudson: ah possibly - i have tried this out previously00:27
jamielennoxi just have some hanging around stuff that i didn't do a clean00:27
bknudsonmorganfainberg: the driver can be loaded for the tests... that's common00:27
bknudsonmorganfainberg: we do that with oauth for example.00:27
morganfainbergbknudson, right, and i'm trying to do that00:27
morganfainbergbknudson, it's unwinding a lot of things.00:27
morganfainbergmost of the tests were written assuming it was loaded with so there is a chunk of things that are ... odd00:27
bknudsonjamielennox: rm -r doc/source/api00:27
morganfainbergbknudson, nothing terrible just annoying :(00:27
jamielennoxyea, it's listed in .gitignore so it's not cleaned00:27
*** dstanek_afk has joined #openstack-keystone00:27
morganfainbergi might punt this over to ayoung.00:27
*** stevemar has joined #openstack-keystone00:27
*** dstanek has quit IRC00:28
*** daneyon_ has quit IRC00:30
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Generate module docs
jamielennoxbknudson: click rebase on:
jamielennoxbknudson: can you please click rebase on:
bknudsonjamielennox: what happens?00:33
jamielennoxbknudson: i assume it works, it's just out of date00:33
jamielennoxand i don't have a rebase change button for some reason00:33
bknudson"The rebase failed since conflicts occured during the merge."00:34
jamielennoxoh, ok - i guess that's why i don't have a button :)00:34
jamielennoxoh you redid the patch underneath while i was looking at it - i should wait and let you work00:36
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Fix doc build errors
*** thedodd has joined #openstack-keystone00:36
bknudsonjamielennox: rebased it the old fashioned way00:37
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Removal of test .conf files
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Move test .conf files to keystone/tests/config_files
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Make LIVE Tests configurable with ENV
morganfainbergbknudson, here is the other bug report
morganfainbergto fix the "logic" for revocation_events00:40
*** gtt116 has joined #openstack-keystone00:41
bknudsonmorganfainberg: this only affects revocation events?00:41
morganfainbergno no00:41
morganfainbergif revocation events are enabled it breaks things00:42
morganfainbergif you delete a token in a chain00:42
morganfainberge.g. use horizon's "switch project" drop down00:42
bknudsonok, so you enable it, and now regular tokens aren't working as expected?00:42
morganfainbergbasically if you do a delete on a token, any token in that chain (parent or otherwise) is revoked00:42
morganfainbergso if you switch projects, horizon says "delete old token"00:43
morganfainbergnow the new token, the unscoped token, etc are all revoked00:43
bknudsonwe can't revoke a single token through revocation events?00:43
morganfainbergit revokes all tokens with the expiraiton_time00:43
bknudsonthat seems like a use case that we need to support00:44
morganfainbergwe do need to support it00:44
*** gtt116 has quit IRC00:44
morganfainbergthe idea is likely that you need to revoke by expiration and issued unless you really want to nuke the entire chain00:45
morganfainbergi'm not sure how much more complicated that is going to make the revocation code00:45
morganfainbergayoung_dad_mode, revocation event bug00:45
morganfainbergbknudson, if we can get revocation events loaded truely optional (i need to leave, but i'll look at it later unless ayoung beats me to it)00:46
ayoung_dad_modemorganfainberg, its a feature00:48
morganfainbergbknudson, then this impact is only if you enable an expirimental feature00:48
*** openstack has joined #openstack-keystone00:49 [freenode-info] channel flooding and no channel staff around to help? Please check with freenode support:
morganfainbergbecause horizon is revoking the token on switch project (not unreasonable)00:50
*** sudorandom has quit IRC00:50
ayoung_dad_modebut they don't reauthenticate.00:50
morganfainbergspecifically when you drop from "admin" like context to a non-admin like context00:50
morganfainbergthey use the current token and rescope00:50
morganfainbergthe new re-scoped token is invalid because the revoke_api has invalidated all tokens with the same expiration_time00:50
ayoung_dad_modeOh, I get it.00:50
*** ayoung_dad_mode is now known as ayoung_sad_mode00:51
morganfainbergalso which needs to be addressed before icehouse ships00:51
morganfainbergrevoke_api isn't "optional" really00:51
ayoung_sad_modeit was supposed to be.  Is it getting activated by accident?00:51 loads it00:51
morganfainbergand providers need it00:51
ayoung_sad_modewe can drop that00:51
morganfainbergand a bunch of tests are structured to assume it's auto-loaded00:51
morganfainbergyeah i got bound up trying to fix the tests00:51
morganfainbergbut i need to bail for the evening00:51
*** haneef_ has joined #openstack-keystone00:51
morganfainbergif you're up for fixing it, great! steal the bug :)00:51
morganfainbergif not, well, i'll keep poking at it when i'm back00:51
ayoung_sad_modehorizon is going to get messed up by one hour tokens, too00:51
*** openstack has quit IRC00:51
*** openstack has joined #openstack-keystone00:51
*** haneef__ has quit IRC00:51
morganfainbergbut at least that is something that a deployer can change00:51
ayoung_sad_modewho is wrong here?00:51
jamielennoxbknudson: when you say the hash_algorithm is used for the revocation list do you mean the new revocation list or what exists now?00:51
*** thedodd has joined #openstack-keystone00:51
*** openstack has quit IRC00:52
*** openstack has joined #openstack-keystone00:52
ayoung_sad_modemorganfainberg, so, I am assuming that they don't want to keep the password in memory, which is why they keep the token00:52
*** ayoung_sad_mode is now known as ayoung00:52
ayoungjamielennox, yes it does00:52
morganfainbergayoung_sad_mode, *shrug* not sure on that.00:52
morganfainbergayoung, i think they keep token in session cookie00:53
*** richm has joined #openstack-keystone00:53
bknudsonjamielennox: {"revoked": [{"expires": "2014-03-13T23:14:26Z", "id": "af217e158e0d1c95ac9e06ab052e5c3343578c9f93cea7cbf699f01448255012"}]}00:53
bknudsonthat's the revocation list that's returned00:53
morganfainbergdunno if you really want a password in there00:53
ayoungmorganfainberg, well, for the moment, can let disable the change in service00:53
morganfainbergayoung, aye.00:53
*** dims_ has joined #openstack-keystone00:53
morganfainbergayoung, that is the important stuff to fix, making revoke actually optional for Icehouse.00:53
morganfainbergtoken TTL we can discuss next week00:54
morganfainbergwe can rush a change back to something higher if needed00:54
morganfainbergand the revoke logic to support more specific token revocaiton can happen in Juno00:54
* morganfainberg is just thinking timelines.00:54
jamielennoxbknudson: ok then i think you got the wrong method:
morganfainberganyway.  catch ya later on man00:55
*** sudorandom has joined #openstack-keystone00:55
*** openstack has joined #openstack-keystone00:56 [freenode-info] channel trolls and no channel staff around to help? please check with freenode support:
*** dstanek_afk is now known as dstanek00:56
bknudsonjamielennox: but keystone server calls cms_hash_token00:57
jamielennoxbknudson: yep, i realize we need it for server side, i was just thinking of auth_token00:57
jamielennoxbknudson: is it possible that we could put the hash algorithm in the revoke list data?00:57
bknudsonjamielennox: I think it's possible to do that.00:57
*** openstack has quit IRC00:57
*** openstack has joined #openstack-keystone00:58
jamielennoxauth_token isn't going to handle that change yet anyway so it should be no different for backwards compat00:58
bknudsonjamielennox: well, we still need to not use md5.00:59
bknudsonso cms_hash_token has to not use md500:59
jamielennoxbknudson: sure, i don't mind that part, it's just auth_token i'm thinking atm01:02
bknudsonjamielennox: auth_token calls cms_hash_token .. so maybe it can always do sha256 there?01:02
jamielennoxbknudson: yea that would be ok. the way it's used in that function (as i said in a comment) is just for memcache so if we change that no big deal you just lose the cache01:02
bknudsonjamielennox: ok, hash_signed_token is also using md5, and we've got the revocation list... so should be able to change hash_signed_token to optionally use sha256 and get the algorithm from the revocation list response...01:03
bknudsonjamielennox: thanks!01:03
*** YorikSar_ has quit IRC01:03
*** topol has joined #openstack-keystone01:06
*** dolphm has quit IRC01:07
bknudsonjamielennox: so maybe keystone should be calling hash_signed_token rather than cms_hash_token.01:08
jamielennoxyea, i'm not sure why those two functions are in different modules like that01:08
*** YorikSar has joined #openstack-keystone01:08
bknudsoncms_hash_token passes through uuids01:08
bknudsonbut cms_hash_token could call hash_signed_token.01:08
jamielennoxbut from the server side it doesn't need to check UUID it should know that already01:08
jamielennoxor can you revoke a UUID token?01:08
bknudsonjamielennox: you can revoke a uuid token01:08
bknudsonyou don't have to hash it01:08
jamielennoxok so that makes sense then01:08
openstackgerritA change was merged to openstack/keystone: Fix db_version failed with wrong arguments
jamielennoxthat won't affect the hash_algorithm being in there though, because you still won't get a collision with the UUID01:08
*** dolphm_ has joined #openstack-keystone01:08
*** thedodd has quit IRC01:08
*** dolphm_ is now known as dolphm01:08
*** amcrn has quit IRC01:08
ayoungjamielennox, bknudson is this the whole "why are you using md5 thing?"  Cuz that is a red herring01:08
bknudsonayoung: I agree, but it's a checkbox for FIPS01:08
jamielennoxayoung: yes and yes01:10
ayoungyeah, put the algorithm in the revocation list01:10
ayoungwith a big warning that if you change the config value, all of your token revocations will be dropped01:12
*** openstack has joined #openstack-keystone01:14
*** morganfainberg is now known as morganfainberg_Z01:14
bknudsonayoung: that sounds reasonable... they're not going to match anymore01:14
bknudsonmakes this change kind of scary01:14
ayoungbknudson, it is scary01:14
ayoungunless we go through and rehash all the old tokens....which means that ugh.....01:14
jamielennoxwell you can do a global has_algoirithm and a local overrid01:14
*** wchrisj has joined #openstack-keystone01:14 if the algorithm changes, you should go reindex all tokens in the backend01:14
jamielennoxat root say anything that doesn't have a hash_algorithm in the per token part has algo sha256 and then put an md4 in all the old stuff01:14
jamielennox5! md5!01:14
*** gtt116 has joined #openstack-keystone01:14
*** openstack has joined #openstack-keystone01:19
ayoungand we can put FIPS=True  to deny any MD501:19
*** wchrisj has quit IRC01:19
jamielennoxi *think* we're saying the same thing01:19
ayoungjamielennox, probably01:19
ayoungif you switch algo...all tokens should be revoked any way01:20
*** openstack has quit IRC01:24
*** openstack has joined #openstack-keystone01:25
*** sudorandom has quit IRC01:25
*** sudorandom has joined #openstack-keystone01:25
*** openstack has joined #openstack-keystone15:08 [freenode-info] please register your nickname...don't forget to auto-identify!
*** jimbaker has joined #openstack-keystone15:48
*** gyee has joined #openstack-keystone15:49
*** raildo has quit IRC16:04
*** raildo has joined #openstack-keystone16:05
*** gokrokve_ has quit IRC16:05
ayoungbknudson, what class or file gives us  the function that is the underscore used for I18N   like  _("Expecting to find %(attribute)s in %(target)s.")16:11
bknudsonayoung: gettextutils.install does "moves.builtins.__dict__['_'] = _lazy_gettext"16:12
bknudsonor it could call regular gettext.install16:13
ayoungbknudson, its OK.  I need to add that to keystone.exceptions16:13
ayoungjust doing an import seems OK16:13
bknudsonayoung: there's a WIP to change it:
ayoungis there any drawbacks to just importing it in a single file?16:14
*** chandan_kumar has quit IRC16:14
ayoungOK, so if I add it to my commit, it will get rebased in anyway16:14
bknudsonayoung: the problem is with _() that are created on import... we need to ensure that _ is set up before the import is done.16:15
bknudsonbecause otherwise the messages in the exception aren't going to be translated16:15
bknudsonayoung: keystone-all does it early:
bknudsonayoung: tests do it in __init__ --
bknudsonand http:
ayoungbknudson, add it to the review, please16:19
ayoungupdate the review16:19
bknudsonayoung: which review?16:19
dstanekbknudson: that's why we are setting it use use lazy to the messages do get translated16:20
ayoungdon't just -1 and leave it16:20
bknudsondstanek:  doesn't need the change?16:20
bknudsonayoung: is a work in progress... can't merge it anyways.16:21
bknudsonunless someone wanted to pick it up... not sure why it's a wip.16:22
bknudsonmaybe some new parts were added16:22
bknudsondstanek: do you want to get up to date? otherwise I can get to it this aft.16:23
dstanekbknudson: i'll have to look at again because there are definitely some issues with it16:24
dstanekbknudson: some stuff that i thought i added is now missing16:24
bknudsondstanek: oh... thanks for looking.16:25
dstanekbknudson: you didn't like what i did in so Ilya removed it16:27
dstanekbut didn't add the equivalent anywhere16:27
bknudsondstanek: it was in a separate commit16:27
dstanekbknudson: ah, i see - that commit should have also deleted the logic from keystone.tests.core16:28
bknudsondstanek: maybe that's why it's a WIP16:28
dstanekbknudson: it's also unfinished; it looks like new uses of _() were added to files that don't explicitly do the import16:30
*** gokrokve has joined #openstack-keystone16:30
dstanekbknudson: i'll revisit and see if there are any other issues16:31
bknudsondstanek: does missing _() cause a pep8 or test failure now?16:31
dstanekbknudson: no16:32
*** marcoemorais has joined #openstack-keystone16:32
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Sync test_migrations
*** openstackstatus has joined #openstack-keystone16:38
*** henrynash has joined #openstack-keystone16:48
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Comparision of database models and migrations.
*** dims has joined #openstack-keystone16:54
*** petertoft has quit IRC16:57
*** dims has quit IRC17:00
*** harlowja_away is now known as harlowja17:02
*** marekd is now known as marekd|away17:02
openstackgerritMarek Denis proposed a change to openstack/keystone: Filter out nonstring environment variables before rules mapping.
*** morganfainberg_Z is now known as morganfainberg17:21
morganfainbergayoung, i saw a patch to make revoke really optional via email, i assume thats somewhere in gerrit?17:22
*** stevemar has quit IRC17:25
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Uses explicit imports for _
*** topol has quit IRC17:33
morganfainberghow is everyone's friday?17:33
vhoward-great thanks17:35
*** dims has joined #openstack-keystone17:40
*** amcrn has joined #openstack-keystone17:40
bknudsonmorganfainberg: ?17:41
bknudsoncommit message says "revoke.model"17:42
*** leseb has quit IRC17:42
morganfainbergbknudson, yeah found it17:48
morganfainbergjamielennox|away, looks like we have a couple +2s on the kite repos17:59
*** marcoemorais has quit IRC18:01
*** marcoemorais has joined #openstack-keystone18:01
*** amcrn has quit IRC18:03
*** amcrn has joined #openstack-keystone18:10
*** stevemar has joined #openstack-keystone18:17
*** rwsu has quit IRC18:30
ayoungmorganfainberg, WIP18:30
morganfainbergayoung, *nod*18:30
morganfainbergayoung, let me know if you need to jump in and help18:30
ayoungIt works (sans a random check failure)18:31
morganfainbergayoung, cool.18:31
*** YorikSar has quit IRC18:32
morganfainbergayoung, awesome. i'll do a quick verify and then +2 for closing out the rc-blocking issue whenever you want to move it from WIP18:33
ayoungmorganfainberg,'s the deal18:37
ayoungmorganfainberg, the patch "works" in that it does not activate the revoke_api18:37
ayoungand, if I am right, cannot *ever* activate the revoke_api18:37
ayoungwhich is suboptimal18:37
ayoungI want to *activate* an optional dependency based on the fact that it is registered (not actively created, like we do now)18:38
ayoungand...still figuring out the sequence18:38
morganfainbergayoung, ++ ok18:38
morganfainbergayoung, sounds good to me18:39
ayoungmorganfainberg, I seem to have it implemented, but for some reason, the revoke_api (which is getting created) is not getting set on a test that has @dependency.requires('revoke_api')18:39
morganfainbergayoung, yeah that was what i ran into last night when trying to propose a quick fix18:40
morganfainbergayoung, and i had to leave vs. working late on it18:40
*** thiagop has joined #openstack-keystone18:42
thiagopHi everyone, I'm taking a look a this bug:
thiagopI was unable to replicate the error reported18:43
thiagophere is what I tryied (I'm new to OpenStack):18:43
thiagop1 - Created a new user 'test'18:44
thiagop2 - Created domain 'domain1'18:44
thiagop3 - Created domain 'domain2'18:44
thiagop4 - Assigned 'admin' role to 'test' user in 'domain1'18:45
thiagop5 - Assigned 'Member' role to 'test' in 'domain2'18:45
thiagop6 - Got a domain scoped token to 'domain1', it says that I have 'admin' role18:45
thiagop7 - Got a domain scoped token to 'domain2', it says that I have 'Member' role18:46
thiagopBy the description of the bug, I was unable to identify if it was reproduced with a domain-scoped or project-scoped token, and if it was with a project-scoped18:47
thiagopI think it is with the appropriate behaviour18:48
thiagopit HAS the appropriate behaviour**18:48
openstackgerritDavid Stanek proposed a change to openstack/keystone: Use assertIsNone when comparing against None
openstackgerritDavid Stanek proposed a change to openstack/keystone: Adds style checks to ease reviewer burden
openstackgerritDavid Stanek proposed a change to openstack/keystone: Add a space after the hash for block comments
openstackgerritDavid Stanek proposed a change to openstack/keystone: Removes the use of mutables as default args
dstaneklbragstad: i updated based on your comments. when you get a chance see if the docs make sense. thanks!18:52
lbragstaddstanek: cool, I'll check it out, thanks for the heads up!18:53
*** leseb has joined #openstack-keystone18:53
bknudsonayoung: here's how the oauth1.Manager gets instantiated when it's in the pipeline:
*** leseb has quit IRC18:58
ayoungbknudson, heh, I think I wrote that origianlly19:01
ayoungbknudson, I'll probably end up doing that.  But, dagnabit, I want proper component activation and I am so close!19:02
bknudsonayoung: did oauth1 do it wrong?19:02
*** tstevenson has joined #openstack-keystone19:02
ayoungbknudson, no, its finme19:03
ayoungbknudson, I want lazy activation of components, and I was going to use this to actually implement it19:04
ayoungits probably too big for a bug fix19:04
bknudsonayoung: you'd have to call dependency.resolve_future_dependencies when it's created.19:05
ayoungbknudson, its not that oauth did it wrong, it is that by doing it that way, our tests don't really mirror the server19:05
ayoungbknudson, let me post a fixed version of the patch above, and then I'll revisit19:05
*** nkinder has quit IRC19:06
*** tstevenson has quit IRC19:08
*** YorikSar has joined #openstack-keystone19:10
ayoungbknudson, this is what I am trying to fix19:11
bknudsonayoung: the way the startup there does mirror what the server does... it calls load_backends, then initializes the paste pipeline which creates the oauth1.Manager and federation.Manager, and then calls resolve_future_dependencies.19:14
ayoungbknudson, but the fact that we do the import and actively create those services separate from the others bothers me19:15
bknudsonayoung: I agree it's not perfect.19:15
ayoungbknudson, one of the things I want to hammer out in the dev loungd19:16
bknudsonmaybe we need to essentially do the config & paste pipeline startup in the tests.19:16
bknudsonsomething might be doable if we move code out of keystone-all --
bknudsonbut I haven't had time to work on that one.19:17
openstackgerritPablo Fernando Cargnelutti proposed a change to openstack/keystone: Moving delete_user and delete_group calls to IdentityManager
ayoungbknudson, that is a good devlounge hack effort .19:36
ayoungWe can have that done on Monday19:36
*** leseb has joined #openstack-keystone19:47
morganfainbergayoung, ++19:48
morganfainbergsounds like a great devloung quick hack19:48
ayoungmorganfainberg, RuntimeError: KVS region os-revoke-synchonize is already configured. Cannot reconfigure.19:48
ayoungdo we rally need that?19:48
ayoungcan't we just say "oh, yeah, uits already configured dude.":19:49
ayoungand let it pass?19:49
morganfainbergwell, ideally you shouldn't ever reconfigure19:49
morganfainbergare you passing the same exact config object through?19:49
ayoungbut it means you need to manage the order that different components do things19:49
ayoungit should be done on demand19:49
ayoungand done once and other things get the thing and the thing and the other thing thing19:50
* ayoung gone off the deepend finally19:50
morganfainbergif you are 100% sure you are passing the same config through, then it can be removed19:50
morganfainbergi don't think that is the case19:50
morganfainbergmost of the time a reconfigure is done it's done w/ different data19:50
morganfainbergand i don't like silent "oh we didn't do anything and you have somehting you don't expect"19:51
morganfainbergperhaps the .configure could have a pass_on_reconfig boolean option?19:51
morganfainbergayoung, eh, it's not the deepend, more the middle, i think you're a long way from off the deep end19:52
ayoungmorganfainberg, I'm playing a penny whistle19:52
ayoungright now19:52
morganfainbergayoung, heh19:52
ayoungLots of fun at Finnegan's Wake19:54
*** kfox1111 has joined #openstack-keystone19:57
ayoungwouldna mind a "Drop o' the Craythur" meself.  Keystone code is driving me to drink19:57
kfox1111Is there a reason mysql would be spinning on keystone tokens table while using openstack-dashboard for viewing the instance list, volume list, etc?19:58
lbragstaddstanek: any thoughts on these? Just out of curiosity?
kfox1111shouldn't the pki token type make it avoid that table?19:58
lbragstaddstanek: since all_locales wouldn't be optional anymore would it?19:58
ayoungkfox1111, there are too many tokens and you are runing the token delete and there is lock conetition?20:00
ayoungkfox1111, probably cuz ther revoation list fetch parameter in the client is set to 020:01
ayoungand it is refetching the revocation list on every token20:01
ayoungand that is unnecessary20:01
kfox1111we're clearing out the tokens daily now.20:01
kfox1111hmmm... what is the default? 0?20:01
ayoungkfox1111, maybe, depends on the version20:02
ayoungbut you can set it explicitly20:02
kfox1111havana from rdo20:02
kfox1111so I need to specify it on every service?20:02
ayoungkfox1111, its client, so synced on a differen schedule20:02
ayoungtry setting that value in, say, nova or glance's config file20:03
kfox1111ah. so in havana, the default is 1.20:03
kfox1111in trunk, its 300.20:04
kfox1111I'm assuming thats seconds?20:04
ayoungkfox1111, yep20:04
ayoungkfox1111, or something is forcing you to fall back to UUID token evaluation20:05
kfox1111there is a token_cache_time listed too. is that just the validation part?20:05
kfox1111It took me a while, but I validated the middleware is executing the openssl cms command to validate tokens.20:05
ayoungonce it is validated it is held in memcached and not refeteched from the server (uuid tokens) or the signature rechecked (PKI tokens)20:05
kfox1111but I'm seeing mysql lookup the user in the tokens table all the time, taking about 2.5 seconds per lookup.20:05
ayoungprobably for revocations20:06
ayoungup the revocation time out and that should settle down20:06
kfox1111k. thanks.20:06
*** raildo has quit IRC20:07
openstackgerritPablo Fernando Cargnelutti proposed a change to openstack/keystone: Moving delete_user and delete_group calls to IdentityManager
kfox1111So... the middleware pulls the cert revocation list for a given token on first access, and caches for the revocation timeout number of seconds?20:16
ayoungOK  bknudson so the reason why what I was doing was failing (and this is pretty dumb) is because we call  dependency.reset()  explicitly...I'm thinkg that all of this stuff needs to die a horrible death.20:16
kfox1111rather then having a thread update a global revocation list every timeout number of seconds?20:16
ayoungbut now, if revoke does what oauth was doing, we ended up calling manager twice20:16
ayoungand that causes a re-init of the KVS backend used as the storage20:17
ayoungI don't like this, not one...leeeeettle....bit20:17
bknudsonayoung: we don't want to keep the backends from the previous tests.20:17
ayoungbknudson, OK...I'm trying to keep from getting too theoretical here, but....we need a to separate component consumption from defintioin, and components definition from class definition20:20
ayoungwe jumble them all together and it is a mess20:21
ayounga class is not a component.  A component is a class that has a specific lifespan and a specific configuration20:21
ayounga test should be the lifespan of all of the componentns that it consumes20:21
ayoungwhich makes tests different from the live server20:21
bknudsonthat's what dependency code is supposed to take care of for you... there might be a python library for it.20:21
ayoungon a live server,  the lifespans are global, applications (wsgi), session, and request20:22
ayoungnot that I've seen20:22
bknudsonwe should fix the server so that lifespans aren't global.20:22
ayoungbknudson, we should also address how much is done at startup time per controller for the case where we are running in apache20:22
ayoungbut just need to solve this....20:23
ayoungthe problem with testing in Python is that setUp is different from __init__ and that really is wrong20:23
ayoungbut __init__ doesn't have a partner for teardown.20:23
ayoungWhich is the problem with garbage collection in general20:24
ayoungyou never know when you are done with your resources20:24
ayoungbah...I'm going back to C++20:24
bknudsonayoung: good idea... just use a smart_ptr20:24
ayoungI have a much better approach there20:25
ayoungclean up based on the stack20:25
*** stevemar has quit IRC20:25
ayoungbknudson, but that is a different lifetime20:26
kfox1111is there a param for caching the certificate revocation list on the keystone server?20:28
*** rwsu has joined #openstack-keystone20:28
ayoungkfox1111, um...maybe?20:28
ayoungkfox1111, it would be in the token cache20:28
ayoungsince it is the same backend20:29
kfox1111wow. we're back up to 64,000 tokens in the db...20:30
ayoungthat is from token/core.py20:31
kfox1111k. I'll try setting that too.20:31
kfox1111here's another part of the problem.20:31
kfox1111there does not look to be an index on tokens.20:31
kfox1111mysql> show index in token;20:32
kfox1111Empty set (0.00 sec)20:32
ayoungkfox1111, do you need to run the migration on your database>20:32
ayoungwhat version is the db set at?20:32
kfox1111what field should I look at for that?20:32
ayoungkeystone-manage has a subfunction for it20:33
ayoungdb_version or somthing20:33
ayoungI'm in development mode, which means nothing on my box works20:33
ayoungblame morganfainberg for telling me about the bug I am fixing right now20:33
ayoungso..the whole Manager() thing was a wrapper around the driver, and you should be able to call it whenever you need a driver, at least that was the intention when termie wrote it. We've since made it into something that needs to be run exactly once.20:34
kfox1111how do I see what version it considers "newest"?20:36
ayoungand the same damn logic that makes it magfically fetch the driver is keeping me from doing the same thing to magically fetch the cache20:36
ayoungkfox1111, that feels about like what I expect from Havana20:36
ayoungkfox1111, the migrations are listed under keystone/common/sql/migrate_repo20:37
kfox1111so /usr/lib/python2.6/site-packages/keystone/common/sql/migrate_repo/versions I see up through 3620:37
kfox1111is it inclusive or exclusive on the nubmer. ie, did 34 get applied already or not?20:38
ayoung34 was applied, 35 and 36 were not20:38
ayoungdb_sync will apply them20:38
kfox1111ah. 36 is idx = sql.Index('ix_token_valid', token.c.valid)20:39
kfox1111that may help...20:39
ayoung36 looks like it undoes 35 to my eyes20:39
ayoung36 drops ix_token_valid'20:39
ayoungix_token_expires_valid'  ah20:40
ayoungslightly different20:40
kfox1111oh. ok.20:40
ayoungmorganfainberg, help20:40
ayoungI need to use a real cache setup for revoke20:40
kfox1111shoudl I sync with keystone shutdown or can I do it live?20:40
ayoungnot the syncronize non-sense I was doing20:41
morganfainbergayoung, hi20:43
ayoungmorganfainberg, OK. How do I cache something?20:44
ayoungI guess it needs to be a function call?20:44
morganfainbergayoung, you looking to do cache (e.g. cache layer) or just KVS store?20:44
ayoungKVS store20:44
ayoungcache layer20:44
ayoungin memory20:44
morganfainbergkvs or memoize20:44
ayoungno memoize if I can help it20:44
morganfainbergok then kvs20:44
ayoungmorganfainberg,  this code20:44
morganfainbergyou're already doing a lock20:45
ayoungI'm double configuring the cache though20:45
ayoungI think because I am doing it explicitly20:45
ayoungthe other drivers don't do thjat20:45
ayoungso I chjange20:46
ayoungif self._cache.revoke_map.is_revoked(token_values):20:46
ayoungif self._get_revoke_map.is_revoked(token_values):20:46
ayoungand mark that function as cached?20:46
ayoungif self._get_revoke_map().is_revoked(token_values):20:46
ayoungcache on  self._get_revoke_map()20:46
morganfainbergi think i'm lost20:47
morganfainbergif you're looking to just use an in-memory cache, you can do the same thing you're doing in the KVS backend20:47
morganfainberg.get() and .set()20:47
ayoungmorganfainberg, I want to make it look like the other drivers20:47
kfox1111the db upgrade failed. :/20:47
kfox1111OperationalError: (OperationalError) (1091, "Can't DROP 'ix_token_valid'; check that column/key exists") '\nDROP INDEX ix_token_valid ON token' ()20:48
morganfainbergayoung, so .. a manager?20:48
ayoungmorganfainberg, like ^^20:48
morganfainbergoh ok so you do want to memoize20:48
morganfainbergthat is memoization20:49
ayoungmemoize would be a pickle20:49
morganfainbergno memoziation says take <args> and use that as a key for the returned value20:49
morganfainbergif the cache is not invalidated / current it will use the cached value first20:50
ayounghm...well that is kindof what I want20:50
kfox1111there is no ix_token_valid. :/20:50
kfox1111show indexes in token;20:50
kfox1111| Table | Non_unique | Key_name               | Seq_in_index | Column_name | Collation | Cardinality | Sub_part | Packed | Null | Index_type | Comment |20:50
morganfainbergayoung, so any @cache.on_arguments decorated functions must not contain kwargs20:51
kfox1111| token |          1 | ix_token_expires_valid |            1 | expires     | A         |       63791 |     NULL | NULL   | YES  | BTREE      |         |20:51
kfox1111| token |          1 | ix_token_expires_valid |            2 | valid       | A         |       63791 |     NULL | NULL   |      | BTREE      |         |20:51
kfox1111just those two indexes that 35 added.20:51
openstackgerritBrant Knudson proposed a change to openstack/keystone: Sync db, db.sqlalchemy from oslo-incubator 0a3436f
ayoungmorganfainberg, that I can deal with.  I only ever want one object to be cached20:51
morganfainbergayoung, so you just need to do the import of the cache stuff like token does20:51
ayoungmorganfainberg, what is +SHOULD_CACHE = cache.should_cache_fn('revoke')20:52
ayoungwell, it is 'token' in the token core20:52
morganfainbergif you want a revocation config option for TTL on the cache20:52
morganfainbergshould_cache_fn is a factory to create a "yes/no" caching decision based on config opts20:53
ayoungso I need a 'revoke' version of that call20:53
kfox1111why would 36 be broken? arrg.20:53
ayoungso I add +SHOULD_CACHE = cache.should_cache_fn('revoke')20:53
morganfainbergand then in config options you'd create in the [revoke] section a 'caching' option20:53
morganfainbergdefaulted to "on"20:54
openstackgerritBrant Knudson proposed a change to openstack/keystone: Sync db, db.sqlalchemy from oslo-incubator 0a3436f
ayoungkfox1111, I'd have to look at the git histroy20:54
ayoungOK...I can fingure that out20:54
openstackgerritBrant Knudson proposed a change to openstack/keystone: Sync db, db.sqlalchemy from oslo-incubator 0a3436f
morganfainbergayoung, and if you want a separate cache expiration time, do a lambda like
morganfainberg so you can do a decorator like this20:55
morganfainbergthen if caching is enabled, you will cache the value for <expiration_time> length20:56
morganfainbergfinally, if you have a case that the cache needs to be invalidated, you need to do something like and call <method>.invalidate20:56
kfox1111arg.... and keystone won't start. says address is already in use.20:56
morganfainbergand it'll do the magic to invalidate the cache so the next call to get will regenerate20:56
kfox1111nova-api was using the 35357 port for a bit. shut it down, and now nothing is using it, but keystone still wont start.20:57
morganfainbergayoung, it's a little unwieldy to develop, i'm working on that w/ the oslo port of dogpile stuff20:57
ayoungmorganfainberg, so...If I store the revocation events and the tree in the cache, I can just dump the tree and recreate with the current set of events20:58
kfox1111hmm.. ok. its started now...20:58
ayoungugh, but ;last_fetch20:58
ayoungah..I can just cache for internal use20:58
kfox1111so I'm stuck at 35..20:59
morganfainbergayoung, make the last_fetch work done in process20:59
morganfainbergayoung, not based on the backend20:59
morganfainbergayoung, ?20:59
morganfainbergayoung, so .get to the driver always returns all the events20:59
morganfainberglast_fetch is filtered in-memory20:59
ayoungyeah, I can do that20:59
morganfainbergCPU cost vs IO20:59
morganfainbergkeep in mind when you .invalidate() you need to pass the exact same arguments (including the proper 'self') through21:00
morganfainbergthat is again something i'm trying to solve, but it's a tough nut to crat21:00
kfox1111hmm... still no index on token.id21:01
kfox1111thats proably what's killing performance...21:01
morganfainbergkfox1111, so how did the upgrade fail?21:01
morganfainbergkfox1111, you said you had an issue with upgrading the db, what was the exact isuse?21:01
morganfainbergkfox1111, it sounds like you're wedged between schema versions21:01
morganfainbergkfox1111, what does the migrate_version table say in the keystone db?21:02
kfox1111| keystone      | /usr/lib/python2.6/site-packages/keystone/common/sql/migrate_repo |      35 |21:03
kfox1111Here's the info...21:04
kfox1111Interestingly, I had debug level logging on at the time. :)21:05
kfox1111I believe what it says. I don't think the index is there its trying to delete.21:06
dstaneklbragstad: just read your last comment, but i think i got it out of context. which review are you looking at the mutable defaults?21:09
kfox1111grepping through migrate_repo,  Ido not see an index on token id anywhere.21:09
kfox1111even from trunk.21:09
*** david-lyle has quit IRC21:09
kfox1111so I think that is one of the performance problems...21:09
ayoungmorganfainberg, OK...I think I have it.  I am going to run the tests and repost.  please look at it very carefully21:10
ayoungkfox1111, please make sure that you file it as an RDO bug21:10
*** leseb has quit IRC21:10
kfox1111You think its specific to RDO?21:11
ayoungkfox1111, no idea21:14
ayoungbut lets assume that to be the case21:14
ayoungkfox1111, but if you file it there, the RH QA will pick it up and validate it , and then they will bug me to fix it.21:15
kfox1111well, I was in the process of posting one to the openstack bugtracker. I can post another one to rdo if you think that would help. sorry.21:16
ayoungkfox1111, lets track it from RDO, since that is how you installed21:17
*** thedodd has quit IRC21:17
kfox1111have a link to their tracker?21:18
kfox1111looks liike the index was added in 25.21:18
kfox1111I'm not finding a reference to a bug tracker anymore on openstack.redhat.com21:21
*** openstackgerrit has quit IRC21:21
kfox1111Do all databases start at 1 and then get migrated through all the upgrades,21:21
*** openstackgerrit has joined #openstack-keystone21:21
kfox1111or does it create half way through an upgrade? when a new install is made?21:21
*** dstanek is now known as dstanek_afk21:30
*** openstackgerrit has quit IRC21:32
*** openstackgerrit has joined #openstack-keystone21:32
*** dims has quit IRC21:34
*** zhiyan is now known as zhiyan_21:42
morganfainbergayoung, ++ will do21:44
ayoungmorganfainberg, broken21:52
*** dims has joined #openstack-keystone21:53
morganfainbergayoung, :(21:54
*** henrynash has quit IRC21:54
ayoungmorganfainberg, something is double configuring the KVS backend21:54
morganfainbergayoung, let me take a look here in a sec21:54
ayoungI'm guessing that oauth doesn't default to the kvs backend?21:54
ayoungmorganfainberg, I'll have to reposet the code21:55
ayoungmorganfainberg, the problem is this code21:55
morganfainbergayoung, ok21:55
ayoung    def __init__(self, **kwargs):21:55
ayoung        super(Revoke, self).__init__()21:55
ayoung        self._store = kvs.get_key_value_store('os-revoke-driver')21:55
ayoung        self._store.configure(backing_store=_KVS_BACKEND, **kwargs)21:55
ayoungif the driver gets re-initialized it gets called again21:55
ayoungoauth only has SQL backend21:55
morganfainbergayoung, hmmm.21:55
morganfainbergayoung, let me see how i did that in token?21:55
ayoungself._store = kvs.get_key_value_store('token-driver')21:56
ayoung        if backing_store is not None:21:56
ayoung            self.kvs_backend = backing_store21:56
ayoung        self._store.configure(backing_store=self.kvs_backend, **kwargs)21:56
morganfainbergi did a dirty hack to get around this.21:57
ayoungmorganfainberg,    (╯°□°)╯︵ ┻━┻21:58
morganfainbergi explicitly clear the weakref dict that is used to manage the registry21:58
morganfainbergayoung, you're hitting that error means you're instantiating the _cache multiple times.21:58
morganfainbergin theory you shouldn't be doing tha21:58
ayoungcan't I check if it is configured already and not recall the code?21:59
morganfainbergi'm fine if you want to rip out the raise exception on reconfigure of the kvs backend21:59
morganfainbergi think it's if kvs_region.is_configured21:59
ayoungmorganfainberg, but why doesn't your hack clear my cache too21:59
morganfainberglet me 2x check21:59
ayoungmorganfainberg, I create the driver on the equivalent of
morganfainbergayoung, you're initializing the cache 2 times before cleanup is called22:00
*** browne has left #openstack-keystone22:00
morganfainbergand no, i don't have a "is_configured" property22:00
ayoungmorganfainberg,  loadApp is triggering it22:01
morganfainberglike i said, if you want to remove the exception for multiple configure calls (perhaps make it a warning?)22:01
morganfainbergi'm ok with that22:01
ayoungso it gets imported, cleared, created, and then imported again via loadApp and the paste pipeline22:02
morganfainbergi erred on the side of "be obnoxious about not letting people reconfigure and get unexpected results"22:02
ayoungnot sure that would be correct.  What if we are changing the cache backend for a driver or something from default to test it?22:02
ayoungwon;t it still have the old config?22:02
morganfainbergayoung, exactly the reason i was aiming to force an exception22:02
ayoungmorganfainberg, OK,  kids are bothering me, and I need to go22:03
ayounggonna have to wait22:03
morganfainbergayoung, if you post your code i can take a swing at that bit this evening22:03
openstackgerritA change was merged to openstack/keystone: Update sample config
morganfainbergif not, i'll be around to discuss as needed.22:03
bknudsonkeystoneclient has both a and a utils.py22:11
bknudsonguess which one has tests for keystoneclient.utils?22:11
bknudsonit's neither22:11
bknudsonahh, guess I'm wrong... it's got some tests.22:12
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Allow hash tokens with sha256
*** sudorandom has quit IRC22:18
*** sudorandom_ has joined #openstack-keystone22:19
*** sudorandom_ is now known as sudorandom22:19
*** richm has quit IRC22:20
*** leseb has joined #openstack-keystone22:21
*** YorikSar has quit IRC22:22
openstackgerritBrant Knudson proposed a change to openstack/keystone: Configurable token hash algorithm
*** YorikSar has joined #openstack-keystone22:23
*** leseb has quit IRC22:26
*** flaper87 is now known as flaper87|afk23:27
*** gokrokve has quit IRC23:28
*** openstackstatus has quit IRC23:36
*** thiagop has quit IRC23:38
*** rwsu has quit IRC23:38
*** openstackgerrit has quit IRC23:39
*** marcoemorais has quit IRC23:45
*** lbragstad has quit IRC23:46
*** haneef_ has quit IRC23:46
*** bobt has quit IRC23:46
*** dolphm has quit IRC23:46
*** dstanek_afk has quit IRC23:46
*** Daviey has quit IRC23:46
*** YorikSar has quit IRC23:46
*** sudorandom has quit IRC23:46
*** marekd|away has quit IRC23:46
*** harlowja has quit IRC23:46
*** bknudson has quit IRC23:46
*** chmouel has quit IRC23:46
*** vhoward- has quit IRC23:46
*** tellesnobrega has quit IRC23:46
*** zhiyan_ has quit IRC23:46
*** jimbaker has quit IRC23:46
*** wchrisj has quit IRC23:46
*** dvorak has quit IRC23:46
*** amcrn has quit IRC23:46
*** mberlin has quit IRC23:46
*** jaypipes has quit IRC23:46
*** jamielennox|away has quit IRC23:46
*** flaper87|afk has quit IRC23:46
*** koolhead17 has quit IRC23:46
*** kfox1111 has quit IRC23:46
*** gyee has quit IRC23:46
*** dtroyer has quit IRC23:46
*** jordant has quit IRC23:46
*** zigo has quit IRC23:46
*** jraim has quit IRC23:46
*** mhu has quit IRC23:46
*** openstack has joined #openstack-keystone23:46
*** openstackstatus has joined #openstack-keystone23:47
*** dstanek_afk has joined #openstack-keystone23:54

Generated by 2.14.0 by Marius Gedminas - find it at!