Saturday, 2014-03-15

« Friday, 2014-03-14 Index Sunday, 2014-03-16 »
*** thiagop_ has quit IRC00:02
*** dims has quit IRC00:02
*** vhoward has joined #openstack-keystone00:04
*** dolphm has joined #openstack-keystone00:08
*** zhiyan` has joined #openstack-keystone00:08
*** Daviey has joined #openstack-keystone00:08
*** harlowja has joined #openstack-keystone00:08
*** marcoemorais1 has joined #openstack-keystone00:08
*** rwsu_ has joined #openstack-keystone00:08
*** YorikSar has joined #openstack-keystone00:08
*** sudorandom has joined #openstack-keystone00:08
*** kfox1111 has joined #openstack-keystone00:08
*** amcrn has joined #openstack-keystone00:08
*** gyee has joined #openstack-keystone00:08
*** jimbaker has joined #openstack-keystone00:08
*** vhoward- has joined #openstack-keystone00:08
*** dvorak has joined #openstack-keystone00:08
*** marekd|away has joined #openstack-keystone00:08
*** wchrisj has joined #openstack-keystone00:08
*** mberlin has joined #openstack-keystone00:08
*** lbragstad has joined #openstack-keystone00:08
*** haneef_ has joined #openstack-keystone00:08
*** bobt has joined #openstack-keystone00:08
*** flaper87|afk has joined #openstack-keystone00:08
*** bknudson has joined #openstack-keystone00:08
*** jordant has joined #openstack-keystone00:08
*** zigo has joined #openstack-keystone00:08
*** tellesnobrega has joined #openstack-keystone00:08
*** jraim has joined #openstack-keystone00:08
*** huats has joined #openstack-keystone00:08
*** zhiyan_ has joined #openstack-keystone00:08
*** mhu has joined #openstack-keystone00:08
*** ayoung has joined #openstack-keystone00:08
*** chmouel has joined #openstack-keystone00:08
*** mfisch has joined #openstack-keystone00:08
*** jaypipes has joined #openstack-keystone00:08
*** jamielennox|away has joined #openstack-keystone00:08
*** koolhead17 has joined #openstack-keystone00:08
*** luisbg has joined #openstack-keystone00:08
*** anteaya has joined #openstack-keystone00:08
*** dtroyer has joined #openstack-keystone00:08
*** morganfainberg has joined #openstack-keystone00:08
*** ChanServ has joined #openstack-keystone00:08
*** dickson.freenode.net sets mode: +o ChanServ00:08
*** dstanek_afk has quit IRC00:18
*** openstack has joined #openstack-keystone00:21
*** openstackstatus has quit IRC00:25
*** openstack has quit IRC00:26
*** openstack has joined #openstack-keystone00:31
*** dickson.freenode.net sets mode: +ns 00:31
-dickson.freenode.net- [freenode-info] channel trolls and no channel staff around to help? please check with freenode support: http://freenode.net/faq.shtml#gettinghelp00:31
*** dickson.freenode.net sets mode: -o openstack00:36
-dickson.freenode.net- *** Notice -- TS for #openstack-keystone changed from 1394843518 to 137738402400:36
*** dickson.freenode.net sets mode: +ct-s 00:36
*** derek_c has joined #openstack-keystone00:36
*** flashgordon has joined #openstack-keystone00:36
*** vhoward- has joined #openstack-keystone00:36
*** tellesnobrega has joined #openstack-keystone00:36
*** jamielennox|away has joined #openstack-keystone00:36
*** koolhead17 has joined #openstack-keystone00:36
*** luisbg has joined #openstack-keystone00:36
*** anteaya has joined #openstack-keystone00:36
*** dtroyer has joined #openstack-keystone00:36
*** morganfainberg has joined #openstack-keystone00:36
*** ChanServ has joined #openstack-keystone00:36
*** jaypipes has joined #openstack-keystone00:36
*** mfisch has joined #openstack-keystone00:36
*** chmouel has joined #openstack-keystone00:36
*** ayoung has joined #openstack-keystone00:36
*** mhu has joined #openstack-keystone00:36
*** huats has joined #openstack-keystone00:36
*** jraim has joined #openstack-keystone00:36
*** zigo has joined #openstack-keystone00:36
*** jordant has joined #openstack-keystone00:36
*** bknudson has joined #openstack-keystone00:36
*** flaper87|afk has joined #openstack-keystone00:36
*** haneef_ has joined #openstack-keystone00:36
*** lbragstad has joined #openstack-keystone00:36
*** mberlin has joined #openstack-keystone00:36
*** wchrisj has joined #openstack-keystone00:36
*** marekd|away has joined #openstack-keystone00:36
*** dvorak has joined #openstack-keystone00:36
*** jimbaker has joined #openstack-keystone00:36
*** gyee has joined #openstack-keystone00:36
*** amcrn has joined #openstack-keystone00:36
*** kfox1111 has joined #openstack-keystone00:36
*** sudorandom has joined #openstack-keystone00:36
*** YorikSar has joined #openstack-keystone00:36
*** rwsu_ has joined #openstack-keystone00:36
*** marcoemorais1 has joined #openstack-keystone00:36
*** harlowja has joined #openstack-keystone00:36
*** Daviey has joined #openstack-keystone00:36
*** zhiyan` has joined #openstack-keystone00:36
*** dolphm has joined #openstack-keystone00:36
*** openstackgerrit has joined #openstack-keystone00:36
*** thiagop_ has joined #openstack-keystone00:36
*** dims has joined #openstack-keystone00:36
*** dickson.freenode.net sets mode: +o ChanServ00:36
*** dickson.freenode.net changes topic to "[ Icehouse RC blockers https://launchpad.net/keystone/+milestone/icehouse-rc1 ][ Icehouse RC Target Date: March 27th, 2014 ]"00:36
morganfainbergjamielennox|away, bknudson, ayoung, gyee, https://review.openstack.org/#/c/80726/ could use a 2nd +2, i'll baby sit it though and get it the +A when it's though hte basic stuff00:36
morganfainbergand/or fix anything else that comes up00:36
flashgordonthanks and have agood weekend!00:37
morganfainbergflashgordon, same to you00:37
*** vhoward- has quit IRC00:44
*** tellesnobrega has quit IRC00:44
*** vhoward has joined #openstack-keystone00:44
*** derek_c has quit IRC00:48
*** tellesnobrega has joined #openstack-keystone00:48
*** rwsu_ has quit IRC00:53
ayoungmorganfainberg, ACKed00:55
ayoungflashgordon, +Aed00:56
morganfainbergayoung, cool00:56
*** derek_c has joined #openstack-keystone01:09
flashgordonthanks guys01:16
*** marcoemorais1 has quit IRC01:25
ayoung     ┻━┻ ︵ヽ(`Д´)ノ︵ ┻━┻01:39
ayoungmorganfainberg, I got it!01:39
morganfainbergayoung, gratz01:43
ayoungmorganfainberg, I still have failing tests, but I have the lazy activation working01:43
*** openstackgerrit has quit IRC01:45
*** wchrisj has quit IRC01:49
*** mberlin has quit IRC02:05
ayoungmorganfainberg, OK, so it looks like the cached timeout is killing me on the unit tests02:09
morganfainbergayoung, how so?02:10
ayoungI changed to using a KVS cached for the tree, but I need to give it no timeout for the tests02:10
ayoungI need to perform something that emits a revoke event, and immediately see the result02:10
ayoungno cache02:10
morganfainbergok so when you emit the event you need to invalidate?02:11
*** harlowja has quit IRC02:11
ayoungwell, not in the real world02:11
*** harlowja has joined #openstack-keystone02:11
morganfainbergi'm confused then02:11
ayoungin the real world, a second or two is OK02:11
ayoungits just for unit tests02:11
morganfainbergusually you want to invalidate on event02:11
ayoungOK...let me do that for now02:11
morganfainbergoh you're doing a timed cache02:11
ayoungcan always yank if there is a performance issue02:12
morganfainbergyeah for now invalidate immidiately02:12
morganfainbergideally you will only invalidate sometimes not on every call02:12
morganfainbergso the perfomance gain is still there when you cache02:12
morganfainbergnow....02:12
morganfainbergby default keystone doesn't _actually_ enable caching02:12
morganfainbergyou have to go out of your way to do so because in-memory is icky02:12
morganfainbergand i don't want to "require" memcache or redis for a default install02:13
ayoungmorganfainberg, sorry, I was coding, and dancing to the Gypsy King version of Hotel California02:17
ayoungas you might guess...It worked02:17
morganfainbergyeah02:17
ayoungso, it is interesting that, for testing we need to imports that trigger this pep8 error02:18
ayoung./keystone/tests/core.py:433:1: F401 'oauth1' imported but unused02:18
ayoungI can flake8 noqa those02:18
ayoungbut that is what registers the extension now02:18
*** amcrn has quit IRC02:19
morganfainbergwould it make sense to use importutils so you fon't need to flake8 noqa? (don't mind either way)02:19
*** dstanek_afk has joined #openstack-keystone02:20
*** mberlin has joined #openstack-keystone02:20
ayoungactually, I don;t need them.  And that kindof scares me02:22
ayoungI really hope everything I does here is kosher.02:23
ayoungmorganfainberg, so now it looks like it is working in PyCharm and with run_tests.sh but not tox02:28
*** flashgordon is now known as jogo02:37
ayoungmorganfainberg, so...assuming I get this patch in.  Question is what to do about Horizon02:37
morganfainbergayoung, getting this patch in will solve horizon's issue02:38
ayoungI'm tempted to say "revoking a token is neither necessary nor sufficient, so don't do it"02:38
ayoungyeah, but in the future...02:38
morganfainbergayoung, we can work on the other part in Juno02:38
ayoungI can revoke a token by user and issued_at02:38
morganfainbergwhether that is "don't revoke" or making it so we can revoke on issued_at as well02:38
ayoungbut I don't want to02:38
morganfainbergi think that is a Juno topic02:38
morganfainbergwe have a biut more breathing room on that front02:38
ayoungyeah.  But turning off the revocations in Horizon means it can get tested sooner02:39
morganfainbergwont happen in Icehouse02:39
morganfainberglets bring it up with them once RC is cut02:39
ayoungWell, I can get QA on it in house02:39
morganfainberginvade the channel.02:39
morganfainberg:)02:39
ayoungif I user a token t1 to create t2 and t2 to create t3, then I revoke t2,  by the horizon logic, t3 would still be out there02:40
ayoungeither re-auth, or don't revoke tokens02:40
morganfainbergcorrect02:40
ayoungmake the expiry really short02:40
morganfainbergand since we've supported that model up until now, we need to evaluate if we can change that02:41
ayoungand the revoke need goes away02:41
morganfainbergi agree the revoke is silly02:41
morganfainbergbut i don't know if we can "change" that behavior w/o calling it API incompatible02:41
ayoungMy goal is to get kerberos and s4u2proxy working to kerberize Horizon and have horizon use a service ticket to fetch a token.  THen they can revoke away to their hearts content.02:43
morganfainberg++02:43
ayoungx509, OTOH, does not provide a nice delegation mechanism02:43
ayoungFeh, Horizon is silly anyway.  I mean, who does server side scripting anymore?02:44
*** kfox1111 has quit IRC02:52
ayoungmorganfainberg, here it is https://review.openstack.org/#/c/80441/02:54
ayoungand I am going to sign off02:55
*** david-lyle has joined #openstack-keystone03:06
*** david-lyle has quit IRC03:10
*** david-lyle has joined #openstack-keystone03:13
*** harlowja is now known as harlowja_away03:22
*** stevemar has joined #openstack-keystone03:23
stevemarjogo, oh noes, i have no idea stable/havana uses latest keystoneclient code!03:42
stevemarhad*03:42
*** dstanek_afk is now known as dstanek03:47
*** stevemar has quit IRC03:48
*** derek_c has quit IRC03:49
*** wchrisj has joined #openstack-keystone04:29
*** wchrisj has quit IRC05:02
*** zhiyan` has left #openstack-keystone05:43
*** zhiyan` has joined #openstack-keystone05:43
*** dstanek has quit IRC05:43
*** stevemar has joined #openstack-keystone05:47
*** gyee has quit IRC05:48
*** derek_c has joined #openstack-keystone05:56
*** jraim has quit IRC06:20
*** jraim has joined #openstack-keystone06:40
*** stevemar has quit IRC07:15
*** zhiyan` is now known as zhiyan_07:30
*** saju_m has joined #openstack-keystone07:44
jogoayoung morganfainberg: one more patch to revert https://review.openstack.org/8076608:09
morganfainbergjogo, another?08:09
morganfainbergjogo, let me take a look08:09
jogosecond part of the BP08:09
jogoboth patches landed around the same time08:10
morganfainbergjogo ahh yeah08:10
jogohttp://logs.openstack.org/35/80435/1/check/check-tempest-dsvm-full/d061a95/logs/horizon_error.txt.gz08:10
jogostack trace to back it up08:10
morganfainberghmm. ayoung is out for the night08:11
morganfainbergi'll see who we can round up to get that in08:12
jogospeaking of which I should be out for the night as well08:12
jogomorganfainberg: thanks!08:12
* morganfainberg goes back to playing some diablo308:12
morganfainbergjamielennox|away, bknudson, ayoung, stevemar, dolphm, https://review.openstack.org/#/c/80766/ could use a seoncd +2/A08:12
*** derek_c has quit IRC08:51
*** henrynash has joined #openstack-keystone08:52
morganfainberghenrynash, ping08:59
morganfainberghenrynash, could use a second +2 on https://review.openstack.org/#/c/80766/ if you're around.09:00
henrynashmorganfainberq: hi….looking09:00
morganfainberghenrynash, trying to help infra unbreak stable/havana gate09:00
morganfainberghenrynash, thanks! :)09:00
henrynashmorganfainberg: looks like it has failed pep809:03
morganfainbergdoh09:03
henrynashmorganfainberg: but other than that, fine09:03
morganfainbergi'll fix the pep8 if i can09:06
*** leseb has joined #openstack-keystone09:11
henrynashmorganfainberg: as an aside, when you have a moment perhaps you could look at: https://review.openstack.org/#/c/79897/309:32
*** leseb has quit IRC09:35
*** leseb has joined #openstack-keystone09:43
morganfainberghenrynash, sure i'll take a gander at it09:45
morganfainbergthen i need to go to sleep it's 245am09:45
henrynashmorganfainberq: understand!!!!!09:45
morganfainberghenrynash, +2 on that, a couple of comments, but no reasont o block the change09:53
henrynashmorganfainberq: thx09:53
*** saju_m has quit IRC09:54
henrynashmorganfainberg: as an aside, do you prefer to see the internal rules to be all clustered at the top…or placed (as I did) ahead of the block of api calls that use them?09:55
morganfainbergat the top09:55
morganfainbergpersonally09:55
morganfainbergbut honestly, i don't care :)09:55
henrynash:-)09:55
morganfainbergi think it's easy to see all the rules if they're all in one place09:55
morganfainbergbut, meh09:55
morganfainbergif it works09:56
morganfainberghenrynash, also if you have any input on https://review.openstack.org/#/c/80409/ (e.g. is this a terrible idea) that would be great09:59
morganfainberghenrynash, i don't expect that to go in until RC is cut though09:59
henrynashmorganfainberg: ok, will look09:59
morganfainbergjust changing how to run live tests09:59
morganfainbergjogo, +2/+A on that keystoneclient fix10:01
morganfainbergreally? domains aren't immutable now?10:02
morganfainberghenrynash, does anyone _actually_ move things between domains? I really hope not10:03
henrynashmorganfainberq: I hope not as well…..but unfortunately we kind of support it10:03
morganfainberghmm. i wonder if this is a ML topic we can ask operators if they do this (explaining why it's a bad idea) and see about getting it inverted10:04
morganfainberghenrynash, can we add (even if it doesn't change functionality) a config option this late in the cycle?10:05
morganfainberghenrynash, also it looks like you have a new string change.10:05
henrynashmorganfainberq: we could indeed…i was trying to obviously not change existing functionally for now…and then maybe for Juno we change the option to disabled  by default10:05
morganfainberghenrynash, that one i am fairly certain we can't w/o doing an exceptionr equest10:06
henrynashmorganfainberq: oh, you mean a string change?10:06
morganfainbergyeah we're past String Freeze10:06
morganfainbergi'm checking the string now.10:07
henrynashmorganfainberq: oops, damn10:07
morganfainbergyep10:07
morganfainberghenrynash, line https://review.openstack.org/#/c/80769/2/keystone/common/controller.py 52810:07
morganfainbergyou're adding a new string in for translation10:08
morganfainberghenrynash, we could try and get an exception, but my gut feeling is this should land J110:08
morganfainberghenrynash, unless there is a real "it10:09
morganfainberg's broken" reason to get this into I10:09
morganfainbergwhichcase, we should request the exception :)10:09
henrynashmorganfainberq: so I can only come up with half of the security hole….i.e. using policy.v3cloudsample, it means you can move a user into a domain you don't have a roles on10:10
morganfainbergoh ick :(10:10
morganfainbergthat is worth getting an exception in i think10:10
henrynashmorganfainberq: that's why I thought it was worth pushing it…although in theory you can't then do anything with that moved user (since you don't have a role on that domain), it feels like the a preparation step for a hole somewhere!10:11
morganfainbergyeah10:12
morganfainberglets hit dolph up on Monday and confirm10:12
morganfainbergit seems benign, but... yanno10:12
henrynashmorgainfainberq: my thoughts exactly….10:12
morganfainbergactually odd thought...10:12
morganfainbergby moving the user to a domain they dont' control is there any way that user would gain extra rols on the new domain10:13
henrynashmorganfainberq: (btw, i fixed the commit comment in https://review.openstack.org/#/c/79897)10:13
morganfainberge.g. escalate to admin?10:13
morganfainberghold on10:13
*** saju_m has joined #openstack-keystone10:19
*** leseb has quit IRC10:27
*** morganfainberg is now known as morganfainberg_Z10:34
*** saju_m has quit IRC10:53
*** saju_m has joined #openstack-keystone10:59
*** leseb has joined #openstack-keystone11:24
*** leseb has quit IRC11:29
*** david-lyle has quit IRC12:47
*** bvandenh has joined #openstack-keystone13:04
*** dstanek has joined #openstack-keystone13:32
*** wchrisj has joined #openstack-keystone13:44
*** saju_m has quit IRC14:02
*** henrynash has quit IRC14:09
*** henrynash has joined #openstack-keystone14:50
*** openstackgerrit has joined #openstack-keystone14:54
*** openstackstatus has joined #openstack-keystone14:55
*** henrynash has quit IRC14:59
*** david-lyle has joined #openstack-keystone15:12
*** flaper87|afk is now known as flaper8715:34
*** dstanek has quit IRC15:47
*** wchrisj has quit IRC16:19
*** wchrisj has joined #openstack-keystone17:00
*** wchrisj has quit IRC17:14
*** henrynash has joined #openstack-keystone17:20
*** wchrisj has joined #openstack-keystone17:26
*** wchrisj has quit IRC17:32
*** henrynash has quit IRC17:40
*** leseb has joined #openstack-keystone19:56
*** wchrisj has joined #openstack-keystone20:08
*** wchrisj has joined #openstack-keystone20:10
*** leseb has quit IRC20:14
*** wchrisj has quit IRC20:43
*** thedodd has joined #openstack-keystone21:04
*** leseb has joined #openstack-keystone21:25
*** tellesnobrega has quit IRC21:26
*** leseb has quit IRC21:30
*** stevemar has joined #openstack-keystone21:41
*** dstanek has joined #openstack-keystone21:41
*** tellesnobrega has joined #openstack-keystone21:45
*** stevemar has quit IRC21:50
*** leseb has joined #openstack-keystone21:59
*** morganfainberg_Z is now known as morganfainberg22:13
*** thedodd has quit IRC22:20
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Don't automatically enable revocation events.  https://review.openstack.org/8044122:44
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Don't automatically enable revocation events.  https://review.openstack.org/8044122:47
morganfainbergayoung, proposed a fix to address the comments i had about your patch.22:49
ayoungmorganfainberg, that "catch" is what happens when you actyally disable the extension22:54
morganfainbergayoung, yeah i know22:54
morganfainbergayoung, ++22:54
ayoungmorganfainberg, why didn't you change dict() to {}?22:55
ayoungI thought {} meant something else...or am I getting confused22:56
morganfainberg{} is a literal dict22:56
ayoungthere was one python collection where   initializing with the empty was not the same as initializing with a value22:56
morganfainbergin py27 {key: value} is a dict, {key, key, key} is a set22:56
ayoungis it []?  or ()  ?22:56
morganfainberg()22:56
ayoungah, right22:56
morganfainbergif you do (blah) that is just blah22:56
ayoungso I thought {} was an empty set, not an empty dict22:57
morganfainbergif you do (blah,)22:57
morganfainbergthat is the tuple22:57
morganfainbergyeah, imo never use the set literal22:57
morganfainbergsets are used far less frequently, so set() is better22:57
ayoungwhich is why I did dict()22:57
ayoungno question22:57
morganfainbergand you can't initilaize an empty set (afaict) with a literal22:57
morganfainbergayoung, in short, i forgot22:57
ayoungand it should be done once at startup22:57
morganfainbergit was such a nit, i didn't care too much22:57
ayounggo for it if it is important to you22:58
morganfainbergnah22:58
morganfainbergnot worth the bits on the wire :P22:58
morganfainbergwe've already over-talked it22:58
morganfainbergit was more of a future looking thing. I'd never -1 for that unless someone made a dict() 100s of times22:58
morganfainbergso, i wanted to run an interesting thought by you.22:59
ayoungfire away23:00
morganfainbergwhen it comes to a design, does it make sense to ensure everything that goes back to the driver (there are exceptions but not the majority) are always args vs kwargs?23:00
ayoungI kindof hate kwargs23:00
morganfainbergany optional argument stuff happens at the business logic layer23:00
morganfainbergand that changes interactions23:01
ayoungI think we abuse them23:01
morganfainbergrather than the driver being smart23:01
morganfainbergand knowing all the variations23:01
ayoung++23:01
morganfainbergand i mean from a pythonic standpoint less so from a keystone or openstack (we'd inherit it)23:01
ayounganything that could be done in the manager should be done in the manager23:01
ayounginstead of the driver23:01
morganfainbergit's been bothering me how much kwargs is abused across python23:02
morganfainbergi just don't know if i'm the one taking crazy pills ;)23:02
ayoungI was thinking about that.  Inversion of control and dependency injection in particular says "I need something that meets this contract:  blah"  but without type safety....how dso you specify the contract?23:02
ayoungI mean, all you get is the names of the parameters to a constructor23:03
morganfainbergayoung, yeah.23:03
morganfainbergayoung, welcome to duck-type hell23:03
ayoungand, with the .requires  appraoch we don't even really get that23:03
ayoungif it smells like brimstone, and burns like brimstone....23:03
morganfainbergthe way we handle this is we make everything a type-defined object23:03
morganfainbergsomething protobuf like23:03
morganfainbergif you're doing user things, you have a user object23:03
morganfainbergwith a defined schema23:04
ayoungso then how do you specify that a function only accepts an object of that type?23:04
morganfainbergi think that becomes "at the entry point" e.g. public interface we validate23:04
morganfainbergprobably w/ a decorator23:04
ayoungprotobuf?  smells like IDL to me23:04
morganfainberg@validate_arg(type)23:05
ayoungyeah, I'm guessing thatis the best we are going to get23:05
morganfainbergprotobuf is probably not the right solution, but it could be a solution23:05
ayoungbut...I don;t know that I really like even that.  It only works for code we write ourselves, and ideally DI is done with anyone's code23:05
ayoungOK...back to the family23:05
ayoungthanks for looking at that patch23:06
morganfainbergyeah.23:06
morganfainberghave a good weekend23:06
ayoungwe can noodge people about it on Monday23:06
*** ayoung is now known as ayoung-zzz23:06
*** flaper87 is now known as flaper87|afk23:38
*** stevemar has joined #openstack-keystone23:46
« Friday, 2014-03-14 Index Sunday, 2014-03-16 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!