*** henrynash has joined #openstack-keystone | 00:29 | |
openstackgerrit | A change was merged to openstack/keystone: Ensure v3policysample correctly limits domain_admin access https://review.openstack.org/79897 | 01:09 |
*** henrynash has quit IRC | 01:15 | |
*** shakamunyi has joined #openstack-keystone | 01:37 | |
*** bknudson has quit IRC | 01:38 | |
*** ayoung-zzzZZ has quit IRC | 02:10 | |
*** zhiyan_ is now known as zhiyan | 02:30 | |
*** zhiyan is now known as zhiyan_ | 02:35 | |
*** stevemar has joined #openstack-keystone | 02:46 | |
*** mberlin has joined #openstack-keystone | 03:00 | |
*** mberlin1 has quit IRC | 03:01 | |
*** stevemar has quit IRC | 03:08 | |
*** stevemar has joined #openstack-keystone | 03:09 | |
openstackgerrit | A change was merged to openstack/keystone: Do not use keystone.conf.sample in tests https://review.openstack.org/79524 | 03:11 |
*** stevemar has quit IRC | 04:44 | |
*** stevemar has joined #openstack-keystone | 04:45 | |
*** zhiyan_ is now known as zhiyan | 05:02 | |
*** stevemar has quit IRC | 05:32 | |
*** morganfainberg_Z is now known as morganfainberg | 05:34 | |
openstackgerrit | A change was merged to openstack/keystone: Use class attribute to represent 'user' and 'group' https://review.openstack.org/74263 | 05:49 |
*** derek_c has joined #openstack-keystone | 05:56 | |
derek_c | I'm trying to write a contrib module for keystone. does anyone know how I can make sure that an action is triggered only if the user has been authenticated? | 06:00 |
derek_c | so I have set up an endpoint using mapper.connect | 06:01 |
derek_c | but I want to make sure whoever calls this endpoint has been authenticated already | 06:01 |
morganfainberg | derek_c, ah, you need to use the @controller.protected() decorator (look in keystone.identity.controllers) | 06:02 |
morganfainberg | and have the appropriate entry in the policy file. | 06:02 |
openstackgerrit | Jenkins proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/78525 | 06:02 |
morganfainberg | policy.json | 06:02 |
derek_c | morganfainberg: ah thanks! what do you mean by "have the appropriate entry in the policy file?" | 06:03 |
morganfainberg | derek_c, policy.json describes what is allowed / not allowed | 06:03 |
morganfainberg | derek_c, look in etc/policy.json and etc/policy.v3cloudsample.json | 06:04 |
morganfainberg | derek_c, that is the policy language, so you can define things like "must be admin" etc | 06:04 |
morganfainberg | derek_c, if you're defining new protected restful api actions, you should be familiar with policy so you can see how to control it :) | 06:05 |
derek_c | morganfainberg: great, I will look at it. thanks :) | 06:06 |
morganfainberg | derek_c, np | 06:07 |
jamielennox | morganfainberg: uh oh: https://review.openstack.org/#/c/80897/ | 06:08 |
morganfainberg | jamielennox, OH SNAP! | 06:08 |
morganfainberg | jamielennox, hmm, jenkins doesn't like it | 06:08 |
morganfainberg | jamielennox, hmmmmmm i guess we need to go debug that. | 06:09 |
jamielennox | yea | 06:09 |
derek_c | I see this line saying ""identity:update_user": [["rule:admin_required"]]," | 06:09 |
derek_c | in policy.json | 06:09 |
morganfainberg | jamielennox, will look at it tomorrow. | 06:09 |
derek_c | so that means, only the admin can modify a user, but not even the user himself? | 06:09 |
jamielennox | morganfainberg: yea, i was going to go for a quick look but i'm not sure | 06:09 |
morganfainberg | jamielennox, if thats cool (unless you tell me you don't need help by then) | 06:09 |
jamielennox | not sure if those logs are available to us | 06:10 |
jamielennox | derek_c: yes, in that case | 06:10 |
morganfainberg | jamielennox, eh, likely i failed to get the jobs created sanely in the jenkins job builder | 06:10 |
morganfainberg | jamielennox, look in config/modules/openstack_project/jenkins_job_builder | 06:10 |
jamielennox | derek_c: update_user maps to a very specific function though in the controller | 06:10 |
morganfainberg | jamielennox, i think | 06:11 |
derek_c | jamielennox: I see that. thanks :) | 06:11 |
jamielennox | derek_c: also the policy.json file is way more simplified than the policy v3 file | 06:11 |
derek_c | jamielennox: ah, I see | 06:11 |
derek_c | does v3 APIs use the v3 policy file by default? It seems to just be a sample | 06:12 |
jamielennox | derek_c: no | 06:12 |
jamielennox | nothing uses it by default | 06:12 |
jamielennox | unfortunately to swap the default is a big break in compatibility and so we just haven't done it but v3 is the recommended | 06:12 |
derek_c | jamielennox: I see. thanks :) | 06:14 |
morganfainberg | jamielennox, i'm scared, i think i somehow grasp the python MRO a lot better than before | 06:27 |
jamielennox | morganfainberg: that's a bit like staring into the abyss right | 06:27 |
morganfainberg | jamielennox, i think so | 06:28 |
jamielennox | i get the principle - there are times i don't like to risk it | 06:28 |
jamielennox | multiple inheritance with the same function call on all parents, i just prefer to make that explicit | 06:28 |
morganfainberg | jamielennox, it ... just kinda makes sense now | 06:30 |
morganfainberg | jamielennox, it clicked when i was mucking with our tests | 06:31 |
morganfainberg | jamielennox, i dunno... it feels almost zen... but darker | 06:31 |
morganfainberg | i think i like this cleanup of the test_configs even more now. | 06:32 |
morganfainberg | just need to get the last test case to stop failing and should be good. | 06:33 |
jamielennox | morganfainberg: i started looking through it | 06:33 |
jamielennox | i +Aed the base one | 06:33 |
morganfainberg | yeah addressing bknudson's comments on the test_conf removal one | 06:33 |
jamielennox | i'm not sure why we still need the files at all in the later ones | 06:33 |
morganfainberg | there are a couple cases where we want to allow overriding | 06:33 |
jamielennox | sure but why do we do that by file? | 06:33 |
morganfainberg | and specifically LDAP is an ugly mess of options that it's easier to load from a config. | 06:33 |
morganfainberg | jamielennox, env variables? | 06:34 |
morganfainberg | jamielennox, not sure if we have a better way | 06:34 |
jamielennox | so load this file via env var? | 06:34 |
morganfainberg | jamielennox, especially when we let people run against (say) a live ldap server | 06:34 |
morganfainberg | jamielennox, well, i guess we could move to a "use this file from a path" | 06:34 |
morganfainberg | but like i said in the case of the LDAP tests, we can't just do that because config_fixture.config overrides anything loaded from a file | 06:35 |
morganfainberg | so we need to set the default, and then set the default back? | 06:35 |
jamielennox | but that seems like a fault in the LDAP tests rather than something we should be working around | 06:35 |
morganfainberg | i think i can work through it, but i am inclined to make it as incremental as possible. | 06:35 |
morganfainberg | jamielennox, the ldap tests (and BaseLDAP object) need a lot of reworking anyway | 06:36 |
morganfainberg | jamielennox, i figure i'll hit those when i get to that part (towards parallel testing) | 06:36 |
morganfainberg | jamielennox, cleanup when it involves the tests at this scale will always be incremental :( | 06:38 |
jamielennox | yea, it's a hard thing to move | 06:39 |
morganfainberg | wtf. how did this.. fail. | 06:39 |
* morganfainberg goes digging | 06:40 | |
morganfainberg | oooh *doh* | 06:47 |
*** saju_m has joined #openstack-keystone | 06:47 | |
jamielennox | morganfainberg: that sounded revealing | 06:51 |
morganfainberg | jamielennox, 2 things 1: type, 2: oopse forgot to override an option on a secondary TestCase class | 06:52 |
morganfainberg | jamielennox, about to post a fix for the couple of brant's comments | 06:52 |
morganfainberg | jamielennox, then i'll rebase the next couple patches in that chain | 06:52 |
jamielennox | it's gotten to the point i don't like approving things until brant's had a go over it | 06:53 |
morganfainberg | initially i was that way | 06:53 |
morganfainberg | jamielennox, i think it's mixed. | 06:54 |
morganfainberg | jamielennox, some cases yes | 06:54 |
morganfainberg | jamielennox, some cases no. | 06:54 |
jamielennox | nah, i'm still going to do it - it's just he seems to find a whole bunch of stuff that are obvious when someone else points it out to you | 06:54 |
*** YorikSar has quit IRC | 06:55 | |
morganfainberg | hmm 1 more test case still failing | 06:57 |
morganfainberg | sooooo close | 06:57 |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Discover should support other services https://review.openstack.org/72878 | 07:00 |
morganfainberg | ookcay so wtf. somehow a single domain isn't being created correctly... | 07:02 |
morganfainberg | weird... | 07:02 |
*** YorikSar has joined #openstack-keystone | 07:15 | |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Handle URLs via the session and auth_plugins https://review.openstack.org/60752 | 07:17 |
morganfainberg | aha! | 07:17 |
openstackgerrit | Morgan Fainberg proposed a change to openstack/keystone: Removal of test .conf files https://review.openstack.org/79525 | 07:20 |
openstackgerrit | Morgan Fainberg proposed a change to openstack/keystone: Move test .conf files to keystone/tests/config_files https://review.openstack.org/79526 | 07:21 |
openstackgerrit | Morgan Fainberg proposed a change to openstack/keystone: Make LIVE Tests configurable with ENV https://review.openstack.org/80409 | 07:22 |
morganfainberg | jamielennox, ok so the first one (major conf removal) should be good to be looked at if you care to dig in. | 07:22 |
morganfainberg | jamielennox, if not, no worries :) | 07:22 |
jamielennox | morganfainberg: yep, tomorrow | 07:22 |
jamielennox | (assuming it's not passed by then) | 07:23 |
morganfainberg | jamielennox, it's cleanup so it can happen as people have time (hopefully J1-ish no later so it's less fighting features) | 07:23 |
morganfainberg | jamielennox, i kinda like how much smaller the queue of reviews gets towards the end of the cycle | 07:24 |
morganfainberg | jamielennox, :P | 07:24 |
jamielennox | are we looking at the same queue? | 07:25 |
morganfainberg | jamielennox, also, if you didn't see the reverts on the oauthlib stuff for keystoneclient ... those got pushed through post-haste, (and keep in mind for the future even though stable trees now track that w/ gate checks) | 07:25 |
jamielennox | morganfainberg: yea i saw that, it was a dependency error right - something in keystoneclient's requirements.txt that wasn't in global? | 07:26 |
morganfainberg | jamielennox, it's < 100, we were close to 200 before Milestone3 | 07:26 |
morganfainberg | wasn't in stable/havana global | 07:26 |
jamielennox | how did that happen - i thought there was a gate job that would pick that up | 07:26 |
jamielennox | ah | 07:26 |
jamielennox | hmm | 07:26 |
morganfainberg | there are now checks for stable/havana | 07:26 |
jamielennox | ok, cool - that was my next point | 07:26 |
morganfainberg | this makes progressing clients very hard | 07:26 |
morganfainberg | esp. since distro maintainers might get unhappy w/ new requirements after a version ships | 07:27 |
jamielennox | yea, that would annoy me - i'm not sure that's the right approach for clients | 07:27 |
morganfainberg | so things like oauthlib in ksc would be 2 releases away? | 07:27 |
jamielennox | no we can't hinge on that | 07:28 |
morganfainberg | i am firmly of the opinion (now) that we need to not have python-*client libraries | 07:28 |
jamielennox | eh? | 07:28 |
jamielennox | why | 07:28 |
morganfainberg | well not managed by each project | 07:28 |
morganfainberg | more centrally managed that is | 07:29 |
jamielennox | not sure how that would change this | 07:29 |
morganfainberg | actually i have an idea on this. | 07:29 |
morganfainberg | strike last couple lines | 07:29 |
morganfainberg | keystoneclient plugins package. | 07:29 |
jamielennox | mmm | 07:30 |
morganfainberg | release auth_plugins separate from keystoneclient | 07:30 |
*** flaper87|afk is now known as flaper87 | 07:30 | |
morganfainberg | we might be able to use that to avoid making distro maintainers unhappy | 07:30 |
morganfainberg | or alternatively | 07:31 |
morganfainberg | we can use the same methodology dogpile.cache uses to load the libs in ksc | 07:31 |
jamielennox | so yes and no, i'm already looking at loading auth plugins from outside of ksc | 07:31 |
morganfainberg | jamielennox, https://bitbucket.org/zzzeek/dogpile.cache/src/1f6c6b50fed188ba68c2e98a3798a94de5df9307/dogpile/cache/backends/memcached.py?at=master#cl-233 | 07:32 |
morganfainberg | basically don't do the import until the plugin is actually loaded | 07:32 |
jamielennox | https://review.openstack.org/#/c/79542/ | 07:32 |
jamielennox | at some point we need to figure out what to do about extensions | 07:32 |
jamielennox | cause they should be able to be external - which is most things in contrib | 07:33 |
morganfainberg | jamielennox, i am mixed on that stuff | 07:33 |
jamielennox | but there are problems with that | 07:33 |
morganfainberg | jamielennox, but yeah. | 07:34 |
jamielennox | i think auth we need to be able to extend, i'm holding off the 'magic' concept | 07:34 |
jamielennox | but i'm not sure if it helps us with the distros | 07:34 |
jamielennox | at some point we will still need to add new deps | 07:34 |
morganfainberg | jamielennox, well if we don't load a plugin and the code wouldn't be executed... | 07:35 |
morganfainberg | jamielennox, i don't see it as being an issue | 07:35 |
morganfainberg | document "if you want to use auth X, you need module Y" | 07:35 |
morganfainberg | or.. | 07:35 |
morganfainberg | release the auth plugins as separate packages | 07:35 |
morganfainberg | i'm actually kind of liking that. | 07:35 |
jamielennox | yea, maybe we should have done that for oauth - i'm not sure what hooks we would need | 07:35 |
morganfainberg | if we do it right we can make the auth plugin package be the same for keystone and keystoneclient (if we can make sure the auth plugin interface is super stable) | 07:36 |
morganfainberg | and i mean commit to that interface for the lifespan of the api version | 07:36 |
jamielennox | i want to fixup the server side auth plugins in J | 07:37 |
morganfainberg | jamielennox, ++++++ | 07:37 |
jamielennox | cause i've thought that too that we should be able to do client and server plugins together | 07:37 |
jamielennox | or at least somehow linked i guess | 07:37 |
morganfainberg | if you think we can commit to a stable interface, i am 100% for making auth plugins released separately from keystone and keystone client | 07:37 |
morganfainberg | it would make them truly optional | 07:37 |
morganfainberg | except (obviously) the core "password, token, external" et al ones | 07:38 |
jamielennox | it's hard because the dependencies can be rather different | 07:38 |
morganfainberg | eh, not too much different | 07:38 |
jamielennox | although i guess you just pass the request etc by param | 07:38 |
jamielennox | don't need to actually import pecan just use the values passed | 07:39 |
morganfainberg | jamielennox, something to think about | 07:39 |
morganfainberg | jamielennox, yep. | 07:39 |
morganfainberg | jamielennox, i think we can make this work. | 07:39 |
jamielennox | so steve should be able to fix oauth without worrying about the auth_plugin | 07:39 |
jamielennox | oh - not the auth plugins are still loaded by default | 07:40 |
jamielennox | maybe i should have made him put the plugin in the oauth file rather than the v3 auth file | 07:40 |
jamielennox | hmmm | 07:40 |
morganfainberg | possibly | 07:40 |
jamielennox | yea, i think i should have | 07:40 |
jamielennox | it's not a core method | 07:40 |
jamielennox | and he can still link back in when it gets pluggable | 07:41 |
morganfainberg | yah | 07:41 |
jamielennox | ok, i'll enforce that next time the review comes through | 07:41 |
morganfainberg | do need to document requirements for those plugins though e.g. for havana if someone wants that. | 07:41 |
jamielennox | the server side auth plugins? | 07:42 |
morganfainberg | the clientside | 07:42 |
morganfainberg | wait i mistook what you were saying | 07:42 |
jamielennox | that shouldn't make a difference to requirements | 07:42 |
morganfainberg | ugh it's too late i'm crossing things in my brain | 07:42 |
jamielennox | yea, these aren't immediate problems | 07:43 |
jamielennox | i'm going home i think | 07:43 |
morganfainberg | jamielennox, i'm gonna try and fix my pull request for tox and then get sleep | 07:43 |
jamielennox | good luck | 07:43 |
morganfainberg | do you know if you can "change" the commit in a pull request? | 07:43 |
morganfainberg | or is it just make a new one? | 07:43 |
jamielennox | oh, and if your review queue is getting too short remember you can also look at the client side | 07:43 |
* morganfainberg dislikes pull requests compared to gerrit. | 07:43 | |
jamielennox | yea, if you push with --force it will change it | 07:44 |
morganfainberg | jamielennox, haha, i've been trying to do both. | 07:44 |
jamielennox | i think you lose a lot of context though | 07:44 |
morganfainberg | jamielennox, if you noticed i've been reviewing client stuff too! | 07:44 |
jamielennox | morganfainberg: i'm biased to my list i guess, though i saw one of yours today i'm sure | 07:45 |
morganfainberg | it's not been as common because of RC looming | 07:45 |
jamielennox | was hoping that would start to make it more common as people can't submit features | 07:46 |
morganfainberg | i think it will provided we have no more emergencies | 07:46 |
morganfainberg | jamielennox, i'm also being yanked towards building infrastructure internally. | 07:47 |
morganfainberg | jamielennox, so i'm about elbow deep in puppet manifests | 07:47 |
jamielennox | fun | 07:48 |
jamielennox | alright, i'm going home | 07:48 |
jamielennox | cya | 07:48 |
openstackgerrit | Jamie Lennox proposed a change to openstack/python-keystoneclient: Handle URLs via the session and auth_plugins https://review.openstack.org/60752 | 07:49 |
*** jamielennox is now known as jamielennox|away | 07:50 | |
*** marekd|away is now known as marekd | 08:07 | |
*** amuller has joined #openstack-keystone | 08:14 | |
*** derek_c has quit IRC | 08:16 | |
*** openstack has quit IRC | 08:21 | |
*** openstack has joined #openstack-keystone | 08:29 | |
*** openstackstatus has joined #openstack-keystone | 08:30 | |
*** andreaf has joined #openstack-keystone | 08:31 | |
*** amuller has joined #openstack-keystone | 08:33 | |
*** morganfainberg is now known as morganfainberg_Z | 08:45 | |
*** leseb has joined #openstack-keystone | 08:46 | |
*** henrynash has joined #openstack-keystone | 08:52 | |
*** leseb has quit IRC | 09:00 | |
*** leseb_ has joined #openstack-keystone | 09:03 | |
*** andreaf2 has joined #openstack-keystone | 09:04 | |
*** leseb_ has quit IRC | 09:05 | |
*** leseb_ has joined #openstack-keystone | 09:05 | |
*** andreaf has quit IRC | 09:07 | |
*** leseb_ has quit IRC | 09:09 | |
*** leseb has joined #openstack-keystone | 09:09 | |
*** leseb has quit IRC | 09:18 | |
*** leseb_ has joined #openstack-keystone | 09:21 | |
openstackgerrit | wanghong proposed a change to openstack/keystone: For ldap, API wrongly reports user is in group https://review.openstack.org/80934 | 09:30 |
openstackgerrit | henry-nash proposed a change to openstack/keystone: Provide option to make domain_id immutable https://review.openstack.org/80769 | 09:34 |
marekd | henrynash: Morning! Looks like you are one of the few not sleeping :-) A quick question, do you know if there is any possibility to write a unittest in that test change a configuration parameter (normally stored in the keystone.conf file) ? | 09:47 |
*** chandan_kumar has joined #openstack-keystone | 09:48 | |
henrynash | marekd: absolutely | 09:49 |
henrynash | marekd: see a change I just proposed as an example (https://review.openstack.org/#/c/80769/3/keystone/tests/test_v3_identity.py)... | 09:50 |
henrynash | marekd: see the line: self.config_fixture.config(domain_id_immutable=True) | 09:50 |
marekd | henrynash: oh, great! | 09:50 |
henrynash | marekd: no problem | 09:51 |
marekd | so this hardcoded name self.config_fixture does the magic? | 09:51 |
marekd | henrynash: ^^ | 09:51 |
henrynash | marekd: yep…and won't affect other tests :-) | 09:52 |
marekd | henrynash: cool! | 09:52 |
*** leseb_ has quit IRC | 09:57 | |
*** leseb has joined #openstack-keystone | 10:02 | |
*** mberlin has quit IRC | 10:12 | |
*** saju_m has quit IRC | 10:17 | |
*** amuller has quit IRC | 10:25 | |
marekd | henrynash: do you know how can actually set parameter under certain 'section' ? | 10:25 |
*** mberlin has joined #openstack-keystone | 10:25 | |
marekd | henrynash: in my case it's stored under 'federation' | 10:25 |
marekd | henrynash: ok, found it. | 10:27 |
marekd | henrynash: self.config_fixture.config(group='federation', assertion_prefix='someval') | 10:27 |
*** saju_m has joined #openstack-keystone | 10:33 | |
openstackgerrit | wanghong proposed a change to openstack/keystone: For ldap, API wrongly reports user is in group https://review.openstack.org/80934 | 10:35 |
openstackgerrit | Marek Denis proposed a change to openstack/keystone: Filter SAML2 assertion parameters with certain prefix. https://review.openstack.org/80946 | 10:53 |
*** openstackgerrit has quit IRC | 11:10 | |
*** openstackgerrit has joined #openstack-keystone | 11:10 | |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Sync test_migrations https://review.openstack.org/80618 | 11:11 |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Comparision of database models and migrations. https://review.openstack.org/80630 | 11:11 |
*** amuller has joined #openstack-keystone | 11:11 | |
*** amuller has left #openstack-keystone | 11:14 | |
*** saju_m has quit IRC | 11:15 | |
*** andreaf2 has quit IRC | 11:21 | |
*** leseb has quit IRC | 11:28 | |
*** leseb has joined #openstack-keystone | 11:28 | |
*** leseb has quit IRC | 11:33 | |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Uses explicit imports for _ https://review.openstack.org/58766 | 11:36 |
*** saju_m has joined #openstack-keystone | 11:37 | |
*** leseb has joined #openstack-keystone | 11:59 | |
*** leseb has quit IRC | 12:00 | |
*** leseb has joined #openstack-keystone | 12:01 | |
*** YorikSar_ is now known as YorikSar | 12:01 | |
*** leseb has quit IRC | 12:05 | |
openstackgerrit | A change was merged to openstack/python-keystoneclient: document that --pass can be required https://review.openstack.org/77605 | 12:05 |
openstackgerrit | A change was merged to openstack/python-keystoneclient: Generate module docs https://review.openstack.org/72515 | 12:05 |
openstackgerrit | A change was merged to openstack/python-keystoneclient: Fix doc build errors https://review.openstack.org/73878 | 12:05 |
*** dims has quit IRC | 12:18 | |
*** dims has joined #openstack-keystone | 12:18 | |
*** chandan_kumar has quit IRC | 12:21 | |
*** ChanServ sets mode: +o dolphm | 12:43 | |
*** leseb has joined #openstack-keystone | 12:54 | |
*** pcargnel has joined #openstack-keystone | 12:59 | |
*** lbragstad has quit IRC | 13:07 | |
openstackgerrit | Ilya Pekelny proposed a change to openstack/keystone: Uses explicit imports for _ https://review.openstack.org/58766 | 13:14 |
*** browne has joined #openstack-keystone | 13:15 | |
*** dstanek has joined #openstack-keystone | 13:19 | |
*** ayoung has joined #openstack-keystone | 13:20 | |
*** YorikSar has quit IRC | 13:30 | |
*** wchrisj has joined #openstack-keystone | 13:34 | |
*** lbragstad has joined #openstack-keystone | 13:38 | |
*** wchrisj has quit IRC | 13:39 | |
*** YorikSar has joined #openstack-keystone | 13:46 | |
*** bknudson has joined #openstack-keystone | 13:58 | |
*** wchrisj has joined #openstack-keystone | 14:01 | |
*** rwsu has joined #openstack-keystone | 14:07 | |
*** stevemar has joined #openstack-keystone | 14:08 | |
*** jraim has quit IRC | 14:11 | |
*** jraim has joined #openstack-keystone | 14:11 | |
openstackgerrit | Pablo Fernando Cargnelutti proposed a change to openstack/keystone: Moving delete_user and delete_group calls to IdentityManager https://review.openstack.org/80368 | 14:15 |
*** nkinder has joined #openstack-keystone | 14:17 | |
henrynash | ayoung: hi | 14:24 |
ayoung | hey henrynash | 14:24 |
henrynash | ayoung: so do you think it should be in the manager of all entity types, or just the assignment | 14:25 |
ayoung | henrynash, actually, it most needs to be in the identity manager | 14:25 |
ayoung | as it is most important not to be able to change a user's domain id | 14:26 |
ayoung | but same goes for project | 14:26 |
*** flaper87 has quit IRC | 14:26 | |
ayoung | any way that a role assignment could get flipped from one domain to another needs to be limited | 14:26 |
henrynash | ayoung: so I agree with that…and I did start implementing it in the manager….but as you say it is more complicated - | 14:26 |
ayoung | henrynash, yeah, just a TODO for now | 14:27 |
ayoung | but I don't want to lose that concept once it is checked in | 14:27 |
henrynash | ayoung: ok….I can imagine implementing it there once we make whatever changes we will do for multi-backend etc. as we;; | 14:27 |
henrynash | well | 14:27 |
ayoung | yeah | 14:28 |
ayoung | henrynash, if you could give this one an +2+A https://review.openstack.org/#/c/80441/5 I'd appreciate it. I am almost willing to hit the +A myself, as morganfainberg_Z 's really reviewed it, just added a few adjustments | 14:29 |
ayoung | but doing it proper is always best, and it is an RC blocker | 14:29 |
henrynash | ayoung: was just looking at it | 14:29 |
ayoung | thanks | 14:29 |
*** flaper87|afk has joined #openstack-keystone | 14:31 | |
*** flaper87|afk is now known as flaper87 | 14:32 | |
*** flaper87 has quit IRC | 14:32 | |
*** flaper87 has joined #openstack-keystone | 14:32 | |
henrynash | ayoung: any reason I should not approve rather than just +2 ? | 14:32 |
ayoung | henrynash, please approve if you are willing to | 14:32 |
henrynash | ayoung: done | 14:33 |
openstackgerrit | henry-nash proposed a change to openstack/keystone: Provide option to make domain_id immutable https://review.openstack.org/80769 | 14:44 |
*** ram5391 has joined #openstack-keystone | 14:45 | |
ram5391 | Hi, I just deployed a new openstack installation via juju. I'm having trouble starting keystone due to a port conflict on the machine. Is the keystone service that juju deploys somehow separate from 'service keystone start'? | 14:53 |
ram5391 | any keystone command I give (with proper credentials) is met with a 504 "unable to communicate with identity service" issue | 14:54 |
ayoung | ram5391, might be port 5000 | 14:55 |
ayoung | that is the public port, but registered to something else like Plug and play | 14:55 |
ayoung | $ getent services 5000 | 14:56 |
ayoung | commplex-main 5000/tcp | 14:56 |
ayoung | not likely though ram5391 | 14:56 |
ayoung | is it possible that you have two copies of Keystone running? | 14:56 |
ram5391 | ayoung: I suppose it is possible, but when I run a netstat command to find a pid, there is no pid associated with the 35357 or 5000 port | 14:57 |
ayoung | ram5391, are you only deploying Keystone on the box? | 14:57 |
ram5391 | ayoung, so my services are running separately on their own vms, keystone has its own vm, nova has its own etc. So on that vm, yes only keystone is deployed | 14:59 |
ram5391 | doing a ps aux reveals that avahi-daemon seems to be doing something with keystone | 15:00 |
*** thedodd has joined #openstack-keystone | 15:01 | |
*** saju_m has quit IRC | 15:03 | |
ram5391 | killing those instances of keystone doesn't seem to do anything though | 15:04 |
marekd | https://review.openstack.org/#/c/80293/ <--- need another approval :-) | 15:06 |
marekd | https://review.openstack.org/80946 <- this should be easy for you guys as well... | 15:08 |
*** daneyon has joined #openstack-keystone | 15:13 | |
*** daneyon has quit IRC | 15:13 | |
*** daneyon has joined #openstack-keystone | 15:13 | |
*** andreaf has joined #openstack-keystone | 15:14 | |
henrynash | dolphm: hi | 15:15 |
*** fabiog has joined #openstack-keystone | 15:15 | |
dolphm | henrynash: o/ | 15:15 |
dolphm | marekd: can you repeat your question here? | 15:16 |
henrynash | dolphm: for https://review.openstack.org/#/c/80769, this has a new string in it…"Can't change Domain ID"…now we are past string freeze, so.... | 15:16 |
henrynash | dolphm: we could ask for an exception, or | 15:16 |
dolphm | henrynash: new strings are acceptable | 15:17 |
marekd | dolphm: yeah, sorry, wanted to do it here... | 15:17 |
henrynash | dolphm: ok, in that case, fine! | 15:17 |
dolphm | henrynash: it's changing existing translated strings causes churn for the translation folks | 15:17 |
henrynash | dolphm: ah, right | 15:17 |
dolphm | henrynash: https://wiki.openstack.org/wiki/StringFreeze | 15:17 |
marekd | I got that error when was playing with federated-apache when my browser was mimicking a client. | 15:18 |
marekd | I think I tried to raise that - engines that build responses in XML doesn't really like variable OS-FEDERATION:groups and make Keystone fail. Is it something that should really concern us? | 15:19 |
*** saju_m has joined #openstack-keystone | 15:21 | |
bknudson | henrynash: can you re-gen the sample config? https://review.openstack.org/#/c/80769/ | 15:22 |
bknudson | I get a different result | 15:22 |
*** fabiog has quit IRC | 15:22 | |
openstackgerrit | ayoung proposed a change to openstack/python-keystoneclient: Ensure that cached token is not revoked https://review.openstack.org/78241 | 15:25 |
openstackgerrit | ayoung proposed a change to openstack/python-keystoneclient: Ensure that cached token is not revoked https://review.openstack.org/78241 | 15:27 |
dolphm | marekd: i assume you got a backtrace somewhere? what was it? | 15:27 |
dolphm | marekd: the convention of using EXT-PREFIX:namespaced_parameter came from XML in the first place | 15:28 |
*** david-lyle has joined #openstack-keystone | 15:28 | |
bknudson | henrynash: I can post an updated review with the fixed sample config file if you want | 15:28 |
marekd | dolphm: let me reproduce it once i am back from the meeting and paste it, but IIRC it was something around lxml etc. | 15:29 |
henrynash | bknudson: yep, just saw that…not sure what happened….let me resolve | 15:29 |
*** shakamunyi has quit IRC | 15:31 | |
*** flaper87 is now known as flaper87|afk | 15:34 | |
*** andreaf has quit IRC | 15:42 | |
openstackgerrit | Dolph Mathews proposed a change to openstack/keystone: Replace httplib.HTTPSConnection in ec2_token https://review.openstack.org/76476 | 15:46 |
dstanek | when can we deprecate the XML interface? | 15:49 |
dolphm | dstanek: it is deprecated, i believe | 15:49 |
ayoung | dolphm, you sure we should do this https://review.openstack.org/#/c/76476/6..7/keystone/middleware/ec2_token.py | 15:49 |
ayoung | defaulting to "secure" I mean | 15:49 |
dstanek | dolphm: really? i don't remember seeing that, but that would be great | 15:49 |
dolphm | ayoung: we've made this same changes in several places, breaking insecure https deployments | 15:50 |
dolphm | ayoung: so, yes -- in the name of improving security | 15:50 |
ayoung | dolphm, sounds good. So long as it is deliberate and we are willing to stand up for it. | 15:50 |
dolphm | dstanek: https://github.com/openstack/keystone/blob/master/keystone/middleware/core.py#L147-L151 | 15:51 |
dolphm | ayoung: ++ | 15:51 |
dstanek | dolphm: ah, nice. i was poking about a serialization last week and didn't see anything there. makes much more sense to be in the middleware | 15:52 |
dolphm | bknudson: the sample conf generator refuses to produce a fresh sample conf for me :-/ | 15:54 |
bknudson | dolphm: I can post it if you want | 15:54 |
*** andreaf has joined #openstack-keystone | 15:54 | |
dolphm | bknudson: please do; i'm trying to debug the generator in the mean time | 15:54 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: Replace httplib.HTTPSConnection in ec2_token https://review.openstack.org/76476 | 15:55 |
dolphm | bknudson: thanks! | 15:57 |
openstackgerrit | A change was merged to openstack/python-keystoneclient: Rely on OSLO.config https://review.openstack.org/76758 | 16:13 |
*** gyee has joined #openstack-keystone | 16:13 | |
*** saju_m has quit IRC | 16:15 | |
henrynash | bknudson: do you know how the oslo stuff gets into the config file….do I need to separately make sure I have the latest oslo on my machine to avoid the config -> keystone.conf translation from getting out of sync? | 16:23 |
dolphm | henrynash: it pulls it from keystone's repo, so as long as you're rebased onto master you'll be fine | 16:24 |
bknudson | henrynash: that could very well be the case... I've got oslo.config in /opt/stack/oslo.config. | 16:24 |
henrynash | dolphm: hmm, so I just did that (rebased on master), ran fox and most of the oslo config options are different in my config.py to that of master | 16:25 |
henrynash | (ran tox, rather) | 16:25 |
bknudson | what does the tox say? | 16:25 |
bknudson | henrynash: did you tox -r -e sample_config? | 16:25 |
henrynash | bknudson: agh, not….that doesn't happen automatically? | 16:26 |
bknudson | henrynash: rebuild your venv? I don't think it happens automatically... I just wind up doing it every once in a while | 16:26 |
bknudson | I also sometimes wipe out my local pip cache | 16:27 |
henrynash | bknudson: yep, got it…sorry my mind hadn't caught up with my typing :-) | 16:27 |
henrynash | bknudson: rebuilding... | 16:27 |
marekd | dolphm: the traceback looks something like: http://pasteraw.com/kge59mromyyas23sh4vp1xa4e52d6mw | 16:35 |
*** henrynash has quit IRC | 16:37 | |
dolphm | marekd: hmm, i wonder if we need to break it apart into "OS-FEDERATION": {"groups": ...} | 16:38 |
dolphm | pete5: can you propose your patch for https://bugs.launchpad.net/python-keystoneclient/+bug/1289074/ in gerrit? | 16:47 |
*** amcrn has joined #openstack-keystone | 16:49 | |
*** marcoemorais has joined #openstack-keystone | 16:50 | |
*** browne has quit IRC | 16:51 | |
*** dstanek has quit IRC | 16:55 | |
marekd | dolphm: "OS-FEDERATION: {"groups": [id, id, id]}" ? | 16:55 |
marekd | dolphm: not so sure, just another layer (dictionary) for keeping a list of ids..... | 16:57 |
marekd | how about changing the parameter name? | 16:57 |
marekd | dolphm: OS-FEDERATION_groups (i know it's ugly....) | 16:57 |
*** browne has joined #openstack-keystone | 17:01 | |
dolphm | marekd: this is in the token, correct? | 17:04 |
marekd | dolphm:yes, issuing unscoped thoken. | 17:04 |
marekd | token | 17:04 |
dolphm | marekd: i'd rather not make a bunch of irrelevant changes | 17:04 |
dolphm | marekd: it's a list of objects, correct? | 17:04 |
dolphm | marekd: not a list of string IDs | 17:05 |
marekd | dolphm: list of string ids. | 17:05 |
dolphm | marekd: that's not what it says in the spec https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3-os-federation-ext.md | 17:06 |
marekd | dolphm: my bad, you are right, just checked the code. | 17:07 |
marekd | dolphm: https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L512 | 17:08 |
*** harlowja_away is now known as harlowja | 17:09 | |
openstackgerrit | Dolph Mathews proposed a change to openstack/identity-api: merge OS-FEDERATION objects together https://review.openstack.org/81022 | 17:10 |
dolphm | marekd: i'd suggest this https://review.openstack.org/#/c/81022/ | 17:10 |
marekd | dolphm: dolphm ok | 17:10 |
marekd | dolphm: ok, let it be this way. | 17:10 |
dolphm | marekd: there's a bug number for this, correct? | 17:10 |
marekd | dolphm: not yet. | 17:10 |
marekd | dolphm: shall i file a bug and submit a patch for that? | 17:11 |
*** morganfainberg_Z is now known as morganfainberg | 17:14 | |
morganfainberg | mornin | 17:14 |
dolphm | morganfainberg: /salute | 17:17 |
dolphm | marekd: please! | 17:17 |
morganfainberg | dolphm, have a good weekend? | 17:18 |
marekd | dolphm: roger that | 17:18 |
dolphm | morganfainberg: until i inhaled dirt and spent the last few days coughing up dirt & blood | 17:18 |
morganfainberg | dolphm, ick! well | 17:18 |
morganfainberg | dolphm, sometimes hazards of being out having fun | 17:18 |
dolphm | morganfainberg: i was doing yard work :( | 17:19 |
bknudson | hire it out, man | 17:19 |
morganfainberg | bknudson, ++ | 17:19 |
ayoung | ok....What is the rationale for not putting anything in __init__.py? Why do we have empty files of these all over the place with imports from core.py? Seems messy | 17:27 |
morganfainberg | ayoung, the argument is more to be explicit about importing | 17:27 |
ayoung | morganfainberg, but, why would you not put the public interface in that file? | 17:28 |
morganfainberg | from blah import * is harder to understand/resolve/etc | 17:28 |
morganfainberg | even in __init__ | 17:28 |
morganfainberg | ayoung, fair enough, usually you should have iirc an __all__ in there but nothing else unless there is legitimately something used for the module level namespace vs. submodule | 17:29 |
morganfainberg | ayoung, but tbh, i prefer from core import * | 17:29 |
morganfainberg | ayoung, i just understand the complaint against using that | 17:29 |
ayoung | morganfainberg, so, I have model.py in contrib/revoke in the server. I want to move it to client. It needs to be modified slightly, but should still be recognizable | 17:29 |
ayoung | so I want to put it in keystoneclient/v3/contrib/revoke/model.py | 17:29 |
morganfainberg | ayoung, ok surer | 17:30 |
morganfainberg | sure* | 17:30 |
ayoung | but there is some main behavior for the client (fetch from server, front the tree, etc) | 17:30 |
ayoung | and I don't understand why it would be wrong to put it in __init__.py | 17:30 |
ayoung | I mean, other than "blindly following a rule" | 17:30 |
morganfainberg | ayoung, convention | 17:30 |
*** richm has joined #openstack-keystone | 17:31 | |
morganfainberg | ayoung, there is nothing unpythonic about putting things in __init__ | 17:31 |
ayoung | We treading on Emmersonian ground here? | 17:32 |
ayoung | sorry | 17:32 |
ayoung | Emersonian | 17:32 |
*** zhiyan is now known as zhiyan_ | 17:32 | |
dolphm | bknudson: wishlist? https://bugs.launchpad.net/keystone/+bug/1293698 | 17:33 |
bknudson | dolphm: could be... seems like a pretty obvious bug to me. | 17:33 |
bknudson | dolphm: since user is supposed to allow description | 17:33 |
ayoung | dolphm, why do users need description? Most defy description | 17:33 |
ayoung | Except for descriptions you would get in trouble for recording anyway | 17:34 |
bknudson | dolphm: the fix is -7 +3 | 17:34 |
bknudson | lines | 17:34 |
morganfainberg | ayoung, i'd say put it in __init__ if it feels the right place, and fight that battle if someone complains | 17:34 |
bknudson | doesn't include the tests. | 17:34 |
ayoung | morganfainberg, except then I look like an idiot if I don't understand the rationale | 17:35 |
*** leseb has quit IRC | 17:35 | |
morganfainberg | ayoung, this is going into keystoneclient? | 17:35 |
ayoung | morganfainberg, yeah. | 17:36 |
morganfainberg | ayoung, i have a good litmus test | 17:36 |
ayoung | morganfainberg, thing is, I can see that there is a client specific piece of code here, which makes it unsuitable for __init__ | 17:36 |
ayoung | IE, it would not make sense if called from inside the keystone server....I think | 17:36 |
morganfainberg | ayoung, then make it a submodule | 17:36 |
ayoung | where I think I am headed with this is that there is going to be 3 pieces | 17:36 |
morganfainberg | ayoung, and expect explicit import | 17:36 |
ayoung | model, which is common | 17:36 |
ayoung | client fetch code (via JSON) and server fetch code (via the backend) | 17:37 |
ayoung | but maybe I should move the model out of v3 then | 17:37 |
ayoung | it makes no sense to have | 17:37 |
morganfainberg | ayoung, possibly | 17:37 |
ayoung | keystoneclient/v3/contrib/revoke/client.py | 17:37 |
ayoung | vs | 17:38 |
morganfainberg | ayoung, if it is shared between v2 and v3, it should be shared in a common location | 17:38 |
ayoung | keystone/contrib/revoke/server.py | 17:38 |
ayoung | morganfainberg, well, it is only v3 | 17:38 |
ayoung | it's shared between server and client | 17:38 |
ayoung | or will be once it gets synced | 17:38 |
morganfainberg | ayoung, i think this is treading on difficult ground. | 17:38 |
ayoung | morganfainberg, yeah...I'm kind of going by feel here | 17:39 |
morganfainberg | ayoung, you can rationalize either option, pick the one that feels right and make a case for it, i don't think there is a wrong answer | 17:39 |
ayoung | I need to make a minor extension to model.py to deal with json marshalling. Other than that, it should be a package rename only | 17:39 |
morganfainberg | ayoung, i wouldn't be opposed to either | 17:39 |
ayoung | there is a piece that needs to fit into the v3 client | 17:39 |
morganfainberg | ayoung, common or otherwise. | 17:39 |
ayoung | IE : here is how you fetch revocation events from the server | 17:39 |
morganfainberg | ayoung, but i would be inclined to put the model not in the client v3 specific path | 17:39 |
ayoung | the format of those events are failry v3 specific | 17:40 |
morganfainberg | ayoung, if i were to develop this | 17:40 |
ayoung | fairly | 17:40 |
ayoung | so...there is a contrib submodule alread | 17:40 |
ayoung | y | 17:40 |
ayoung | so I could put module into | 17:40 |
ayoung | keystoneclient/contrib/revoke/model.py | 17:41 |
ayoung | but then there would be nothing in __init__.py in that directory | 17:41 |
ayoung | but naming the module revoke.py would conflict with the v3 code, and make things less clear | 17:41 |
ayoung | bknudson, so this is why there is no clear description field for users: https://tools.ietf.org/html/rfc4519#section-3.9 | 17:43 |
ayoung | that is the "base class" for users (lowest common denominator of LDAP object classes) | 17:44 |
dolphm | can we get one more +2 on https://review.openstack.org/#/c/76476/ ? brant and i contributed the last two patchsets | 17:44 |
ayoung | except that it turns out there is one in the superclass (even more simple than inet org person) https://tools.ietf.org/html/rfc2256#section-7.7 | 17:45 |
bknudson | ayoung: https://tools.ietf.org/html/rfc4519#section-3.12 | 17:45 |
morganfainberg | dolphm, so conversion to requests.post? | 17:45 |
ayoung | right...that is where I was going | 17:45 |
bknudson | ayoung: organizationalPerson is SUP person | 17:46 |
morganfainberg | dolphm, vs urllib | 17:46 |
morganfainberg | dolphm, LGTM +2/+A | 17:46 |
ayoung | bknudson, I still don't see the rationale for a description field on Person | 17:46 |
bknudson | ayoung: https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#api-resources | 17:46 |
*** marekd is now known as marekd|away | 17:46 | |
ayoung | but, whatever, your patch is the right approach | 17:46 |
bknudson | update the spec then. | 17:46 |
ayoung | bknudson, nah...too much water under the bridge. It's obviously there in the LDAP world for some reason | 17:47 |
ayoung | I( just don | 17:47 |
ayoung | 't understand the rationale.... | 17:47 |
ayoung | dolphm, sorry, was pretty sure I had +2ed your ec2 patch. | 17:48 |
ayoung | suspect bknudson where is the fix for https://bugs.launchpad.net/keystone/+bug/1293698 as I coulda swore I saw it before? | 17:49 |
bknudson | ayoung: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/ldap/core.py#n219 | 17:51 |
morganfainberg | dolphm, isn't https://blueprints.launchpad.net/keystone/+spec/grant-table-rationalization completed? | 17:51 |
morganfainberg | i think henry already did that. | 17:51 |
bknudson | ayoung: also http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/ldap/core.py#n384 | 17:51 |
morganfainberg | aha says complete | 17:52 |
morganfainberg | just wasn't tagged to the right milestone | 17:52 |
ayoung | bknudson, how does that deal with 'description' ? | 17:52 |
morganfainberg | dolphm, did you want that tagged to i3 where it was actually released? | 17:52 |
bknudson | ayoung: if you have an extra_attribute_mapping with description it's ignored. | 17:52 |
dolphm | morganfainberg: removed the milestone assignment | 17:52 |
ayoung | I saw something from nkinder or richm around description not long ago, but I thought it was due to use sending a blank and LDAP choking on it | 17:53 |
ayoung | use->us | 17:53 |
bknudson | ayoung: also, the search doesn't include any of the extra attributes, so description would not be included. | 17:53 |
morganfainberg | dolphm, ++ | 17:53 |
dolphm | morganfainberg: see the whiteboard and "Definition" | 17:53 |
nkinder | ayoung: yes, richm worked on a patch for that | 17:53 |
richm | yes | 17:53 |
morganfainberg | dolphm, aha i see it now | 17:53 |
ayoung | nkinder, https://bugs.launchpad.net/keystone/+bug/1293698 | 17:53 |
bknudson | ayoung: there is another "bug" where keystone is sending an empty string for description which LDAP is rejecting due to schema | 17:53 |
richm | bknudson: my patch fixes that too | 17:53 |
bknudson | richm: this is for projects/tenants? | 17:54 |
richm | for all ldap objects | 17:54 |
ayoung | bknudson, my question is, if the bug you reported is true, how are we ever seeing the description even going back and forth | 17:54 |
bknudson | ayoung: projects have description. | 17:54 |
ayoung | bknudson, ah, so just a problem with users | 17:54 |
bknudson | ayoung: http://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone.conf.sample#n910 | 17:55 |
richm | users didn't have a "mandatory" description attribute in ldap - that's what my patch adds | 17:55 |
ayoung | richm, does your patch need to be brought back to life? | 17:55 |
ayoung | link? | 17:55 |
richm | by adding description to user_additional_attribute_mapping=description:description | 17:55 |
richm | ayoung: the patch is still active/current | 17:56 |
richm | probably needs a rebase | 17:56 |
ayoung | link? | 17:56 |
richm | bug 1282676 | 17:56 |
nkinder | ayoung: dolphm blocked it from icehouse for now | 17:57 |
richm | https://review.openstack.org/#/c/76002/ | 17:57 |
ayoung | nkinder, only due to it not having a bug IIRC | 17:57 |
bknudson | richm: how does your fix allow user_additional_attribute_mapping=description:description ? | 17:57 |
ayoung | https://review.openstack.org/#/c/76002/7/keystone/common/ldap/core.py is the heart of it, and the rest is just calling that function | 17:58 |
bknudson | but 'description' isn't going to be allowed in extra attribute mapping. | 17:59 |
bknudson | for users | 17:59 |
richm | my fix adds it - you recommended that this was the best way to add a "required" ldap attribute, rather than adding user_description_attribute | 17:59 |
ayoung | bknudson, when you rebase that, add in a Fixes tag for bknudson's bug, plus any other bugs that it fixes. I think it is important enough to get it in, and it really is bug fixes, not features | 17:59 |
*** tstevenson has joined #openstack-keystone | 17:59 | |
richm | bknudson: unless I misunderstood your review comment | 17:59 |
ayoung | richm, it also cleanly deals with empty descriptions, correct? | 17:59 |
richm | yes | 17:59 |
richm | on write - if an ldap attribute is none or empty, it will just remove the attribute from ldap - so that the ldap entry does not have that attribute anymore | 18:00 |
bknudson | richm: the description mapping is just ignored anyways, because of http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/ldap/core.py#n219 | 18:00 |
*** marcoemorais has quit IRC | 18:00 | |
richm | on read - if the entry does not have the attribute, but the ldap object -> keystone object mapping "requires" that property, the keystone object will get the property with a None value | 18:01 |
*** marcoemorais has joined #openstack-keystone | 18:01 | |
*** marcoemorais has quit IRC | 18:01 | |
*** marcoemorais has joined #openstack-keystone | 18:02 | |
richm | bknudson: I'm sorry - what should I be looking at in the above link? | 18:02 |
bknudson | richm: self.attribute_mapping doesn't contain 'description' for user, so it'll print a warning and ignore it. | 18:02 |
*** Nathan255 has joined #openstack-keystone | 18:03 | |
bknudson | richm: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/ldap/core.py#n166 is where attribute_mapping gets set. | 18:04 |
bknudson | richm: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/identity/backends/ldap.py#n192 is the attribute_options_names for users | 18:04 |
richm | bknudson: right - and my previous patch had that | 18:04 |
richm | bknudson: but you said that was not the way to do it - I can't find your review comment now | 18:05 |
ayoung | dolphm, can we consider https://review.openstack.org/#/c/76002/7 for rc, please? | 18:05 |
richm | bknudson: see https://review.openstack.org/#/c/76002/5/keystone/common/config.py | 18:06 |
dolphm | Nathan255: o/ | 18:06 |
dolphm | ayoung: looking | 18:06 |
bknudson | richm: I see that... https://review.openstack.org/#/c/76002/6/keystone/identity/backends/ldap.py | 18:06 |
richm | "we've already got user_additional_attribute_mapping so we don't need to add all of these separately." | 18:06 |
bknudson | richm: I thought that user_additional_attribute_mapping actually worked | 18:06 |
bknudson | why would it ignore an attribute like description? | 18:07 |
richm | but it is not known that it doesn't work, so I need to rework my patch? | 18:07 |
richm | but it is now known | 18:07 |
bknudson | richm: the way it is now, it doesn't work, right? description is ignored anyways. | 18:07 |
bknudson | I assume you get a warning that it's ignored every time the server starts | 18:08 |
richm | let me check | 18:08 |
morganfainberg | ayoung, changing the default value. hmmm. | 18:09 |
bknudson | let's not change the default at this point. | 18:09 |
morganfainberg | bknudson, ++ | 18:09 |
ayoung | morganfainberg, that will have no real effect except to enable description if the users actually put anything in there | 18:10 |
ayoung | which is part of the API spec. | 18:11 |
ayoung | I guess we could leave the default though, | 18:11 |
ayoung | just more to document. Still not a reason to -2 though | 18:11 |
morganfainberg | ayoung, sure, i'm concerned about changing a default this late, but i am not seeing much else that would warrant a -2. | 18:12 |
ayoung | ++ | 18:12 |
*** henrynash has joined #openstack-keystone | 18:13 | |
ayoung | richm, what would resetting the default value do? Not much, right? I mean the patch would fix the bug. | 18:14 |
ayoung | Just it would require a little more 'splainin to do | 18:14 |
openstackgerrit | henry-nash proposed a change to openstack/keystone: Provide option to make domain_id immutable https://review.openstack.org/80769 | 18:17 |
*** leseb has joined #openstack-keystone | 18:18 | |
morganfainberg | henrynash, i think we need to look at inverting that option and make domain immutable for the reasons we discussed before (though that requires an exception and/or an ok to break that functionality) | 18:20 |
morganfainberg | henrynash, i'll let you describe the reasoning if you're up to it (i think your description was a bit more clear than mine) - or do you want to wait till the meeting? | 18:21 |
dolphm | reviews for two RC1-blockers https://review.openstack.org/#/c/78429/ https://review.openstack.org/#/c/80293/ | 18:21 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: Allow any attributes in mapping https://review.openstack.org/81040 | 18:21 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: Include extra attributes in list results https://review.openstack.org/81041 | 18:21 |
henrynash | morganfainberg: perhaps what we do is get the patch in as is….and then at the meeting discuss flipping the option | 18:21 |
morganfainberg | henrynash, hm. sure | 18:21 |
morganfainberg | dolphm, the string one needs to use six | 18:22 |
morganfainberg | dolphm, instead of isinstance(v, basestring) | 18:23 |
morganfainberg | dolphm, want me to push a fix for that real quick? | 18:23 |
dolphm | morganfainberg: oh good catch | 18:23 |
dolphm | morganfainberg: sure | 18:23 |
morganfainberg | dolphm, ok | 18:23 |
morganfainberg | give me a moment to fix it | 18:23 |
dolphm | morganfainberg: i remember looking at that line of code and thinking "i haven't seen isinstance(..., basestring) in awhile" -- didn't consider why! | 18:24 |
morganfainberg | dolphm, hehe | 18:24 |
openstackgerrit | Morgan Fainberg proposed a change to openstack/keystone: Filter out nonstring environment variables before rules mapping. https://review.openstack.org/80293 | 18:26 |
morganfainberg | dolphm, ok other than that, lgtm | 18:27 |
dolphm | stevemar: were you going to try and tackle this? https://bugs.launchpad.net/keystone/+bug/1283943 | 18:28 |
stevemar | dolphm, i addressed #1 | 18:28 |
dolphm | morganfainberg: marekd|away: +2 | 18:28 |
dolphm | stevemar: but didn't reference this bug? | 18:29 |
stevemar | dolphm, but as i looked deeper into the other issues, they were larger than anticipated | 18:29 |
dolphm | stevemar: 2 and 3 are actually tracked in another bug | 18:29 |
stevemar | dolphm, thought i did... | 18:29 |
dolphm | 4) i'd rather just link to https://wiki.openstack.org/wiki/IRC | 18:29 |
stevemar | dolphm, https://review.openstack.org/#/c/78352/ | 18:30 |
morganfainberg | dolphm, +1'd will let another core do +2/+A (even though my fix is small) *pokes stevemar* | 18:31 |
dolphm | stevemar: hmm... that should have worked, but next time use Partial-Bug: 1283943 | 18:31 |
stevemar | morganfainberg, reviewing it now | 18:31 |
morganfainberg | dolphm, i understand python MRO so much better now =/ as jamielennox|away so eloquently stated, it's kind of looking into the abyss :P | 18:32 |
*** vhoward has left #openstack-keystone | 18:33 | |
*** vhoward has joined #openstack-keystone | 18:33 | |
stevemar | morganfainberg, looks good, waiting for jenkins to pass | 18:34 |
*** vhoward has left #openstack-keystone | 18:34 | |
stevemar | dolphm, okay, partial it is | 18:34 |
stevemar | dolphm, marekd sent us an email a few days ago, i think there are still 2 federation bugs | 18:34 |
ayoung | henrynash, +A | 18:35 |
stevemar | dolphm, https://bugs.launchpad.net/keystone/+bug/1291157 | 18:36 |
dolphm | stevemar: commented and untargeted from RC1 https://bugs.launchpad.net/keystone/+bug/1283943 | 18:37 |
morganfainberg | dolphm, other one (SQL common) +2/+A | 18:37 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: Include extra attributes in list results https://review.openstack.org/81041 | 18:37 |
stevemar | dolphm, cool, agree with all of those, no need to do it now if it's not icehouse specific | 18:37 |
morganfainberg | dolphm, any reason not to +A https://review.openstack.org/#/c/58766/ | 18:38 |
morganfainberg | ? | 18:38 |
dolphm | stevemar: i'd be happy to see those changes land within icehouse, but don't want to block icehouse on it | 18:38 |
morganfainberg | that one has been fighting rebases a lot. | 18:38 |
stevemar | agreed | 18:38 |
dolphm | morganfainberg: i haven't looked at that patch since jan 6th, when I +2'd lol ... happy to see it land now | 18:39 |
morganfainberg | it looks fine now, going to +2/+A it after a quick once-over | 18:39 |
stevemar | dolphm, for federation: https://bugs.launchpad.net/keystone/+bug/1291157 and the one i emailed you about, i'll open a bug soon | 18:40 |
dolphm | morganfainberg: i'll race you | 18:40 |
morganfainberg | dolphm, i cheated, i didn't ask until i was over ½ way done | 18:41 |
morganfainberg | :P | 18:41 |
dolphm | morganfainberg: i had already started too | 18:41 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: Enhance tests for user extra attribute mapping https://review.openstack.org/81046 | 18:44 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: Allow any attributes in mapping https://review.openstack.org/81040 | 18:44 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: Include extra attributes in list results https://review.openstack.org/81041 | 18:44 |
bknudson | those are the changes for https://bugs.launchpad.net/keystone/+bug/1293698 ^ | 18:53 |
bknudson | I'll propose a change to devstack to set user_additional_attributes=description:description | 18:53 |
bknudson | user_additional_attribute_mapping=description:description | 18:54 |
*** arunkant has joined #openstack-keystone | 18:57 | |
*** marcoemorais has quit IRC | 18:59 | |
stevemar | ayoung, ping | 19:03 |
* ayoung slaps stevemar with a wet noddle | 19:03 | |
ayoung | and yes, noddle, not noodle | 19:04 |
ayoung | becvause I cantt typoe | 19:04 |
stevemar | ayoung, oh yeah, forgot you hate ping requests | 19:04 |
ayoung | :) | 19:04 |
ayoung | stevemar, plus I am always here | 19:04 |
stevemar | ayoung, way back when, marekd|away had proposed a separate url for federation auth requests | 19:04 |
bknudson | I thought we had a separate url? | 19:04 |
stevemar | ayoung, stating that the apache mod couldn't handle both normal requests and saml requests | 19:05 |
ayoung | it was more than an url; | 19:05 |
ayoung | it was a whole separate controller | 19:05 |
stevemar | bknudson, it goes to /auth/tokens | 19:05 |
bknudson | btw - apache auth can't handle /v3/auth/tokens. | 19:05 |
stevemar | ayoung, correct | 19:05 |
ayoung | and I said "do it in a separate url if you need, but use the same controller" | 19:05 |
*** leseb has quit IRC | 19:05 | |
bknudson | we should have a separate url for POST /v3/auth/tokens | 19:05 |
bknudson | or just external auth maybe | 19:06 |
*** marcoemorais has joined #openstack-keystone | 19:06 | |
stevemar | ayoung, 'More | 19:07 |
stevemar | reasonable to modify the file in keystone/httpd to mount the SAML | 19:07 |
stevemar | protected Keystone under a different suburl.' | 19:07 |
stevemar | ayoung, do you have any more info on the kind of changes that would be needed? | 19:11 |
ayoung | stevemar, it is all httpd config as far as I can tell. It might require unforeseen code changes, but I don't think so | 19:12 |
ayoung | you need to tell apache "mount this wsgi app under this URL" | 19:12 |
ayoung | and also | 19:12 |
ayoung | "protect this URL with mod_auth_saml" or mellon or whatnot | 19:13 |
ayoung | stevemar, https://github.com/openstack/keystone/blob/master/httpd/wsgi-keystone.conf would get another script alias ,say | 19:15 |
ayoung | WSGIScriptAlias /keystone/saml /var/www/cgi-bin/keystone/main | 19:16 |
ayoung | and then also | 19:16 |
ayoung | A segment like <Location "/keystone/saml"> | 19:16 |
ayoung | with AuthType SAML or however that gets configured | 19:17 |
stevemar | marekd|away, ^^^^ | 19:19 |
*** finite has joined #openstack-keystone | 19:20 | |
ayoung | stevemar, TBH, this is pretty basic HTTPD conf stuff, of which I am hardly an expert. | 19:21 |
*** leseb has joined #openstack-keystone | 19:22 | |
*** gokrokve has joined #openstack-keystone | 19:27 | |
*** marekd|away is now known as marekd | 19:29 | |
*** topol has joined #openstack-keystone | 19:29 | |
marekd | stevemar: ayoung i used sth like this for my internal setup...didn't really care whether the uri is 'good'. | 19:30 |
marekd | https://github.com/zaccone/keystone-federation/blob/master/etc/apache2/sites-available/wsgi-keystone.conf | 19:30 |
ayoung | marekd, if it works, it is good | 19:31 |
ayoung | I loves me some snakeoil | 19:31 |
marekd | ayoung: yes, but ofc a client who wants unscoped token cannot go to /v3/auth/tokens. | 19:31 |
ayoung | ofc? | 19:32 |
marekd | of course | 19:32 |
marekd | ayoung: if that's what you are asking about :-) | 19:33 |
ayoung | marekd, ofc it was | 19:33 |
ayoung | marekd, when you say " a client who wants unscoped token" why is that? Because the token scope is deduced from the SAML doc? | 19:34 |
marekd | ayoung: for the same reason you were proposing another <Location> in the keystone.conf file.. ? you mark in the apache/shib conf /auth/token as 'protected', you require valid saml session...if you protect /auth/tokens then no other auth methods will work.. | 19:35 |
marekd | ayoung: apache doesn't care about the content, it cares about valid saml2 session per url. | 19:36 |
ayoung | marekd, so mount it twice | 19:36 |
ayoung | URLs are cheap | 19:36 |
ayoung | so you don't mean unscoped | 19:37 |
marekd | ayoung: mount the controller you mean? | 19:37 |
ayoung | you mean authenticated by something other than saml, right? | 19:37 |
marekd | ayoung: no, i mean: if I want to authn myself via federation i should not touch /v3/auth/tokens, i rather should go to /v3/OS-FEDERATION/whatever | 19:38 |
ayoung | marekd, sure. | 19:38 |
marekd | ayoung: ok, so we are on the same page. | 19:38 |
marekd | ayoung: i have setup my own federated-apache and used browser as a client. | 19:39 |
ayoung | marekd, yep, playing the same tune, and even on the same beat | 19:39 |
marekd | ayoung: https://github.com/zaccone/keystone-federation | 19:40 |
marekd | i used testshib.org as a publicly reference idp | 19:40 |
marekd | so everybody can use it.. | 19:40 |
ayoung | sounds about right | 19:40 |
marekd | also needed my internal hack, but who cares - i wanted to make it work and see whether the cores stuff works as expected. | 19:41 |
ayoung | "internal hack" being what marekd ? | 19:42 |
marekd | https://github.com/zaccone/keystone/blob/federated-apache/keystone/auth/controllers.py#L309 | 19:42 |
marekd | when you use browser, you are redirected from idp to the sp (keystone) with a GET method. | 19:42 |
marekd | https://github.com/zaccone/keystone/blob/federated-apache/keystone/auth/routers.py#L41 | 19:43 |
marekd | ayoung: ^^ | 19:43 |
ayoung | marekd, so...that implies that we would at some point add a UI to Keystone? | 19:43 |
marekd | UI you mean? | 19:44 |
ayoung | marekd, at least something that can handle direct web traffic | 19:47 |
marekd | ayoung: i think requests can do that? besides there are two stories. I think when you play ECP stuff you can control what you are sending and how, but i didn't have too much time to play with that. this is on my list starting Tuesday/Wednesday. | 19:48 |
ayoung | marekd, sounds cool. I was thinking more in terms of "SAML to Horizon, user gets redirected to the SAML IDP, and then to Keystone to pick up the token data." or some such nonsense | 19:49 |
marekd | ayoung: this sounds fine, but honestly i don't see federation as a usable solution if one can use it only from a horizon level...;/ | 19:50 |
ayoung | marekd, agreed | 19:51 |
marekd | ayoung: there is a proof of concept that somebody wrote in Java that can authn against ADFS2.0 | 19:51 |
*** dstanek has joined #openstack-keystone | 19:52 | |
marekd | i am about to work on that and rewrite into Python. Later we cantry bake this into keystoneclient. | 19:52 |
marekd | s/cantry/can try/ | 19:52 |
*** leseb has quit IRC | 19:53 | |
marekd | already did some research, know some people who can help, as some MS classes are close-sourced and does this very important magic i cannot figure out :-) | 19:53 |
*** Nathan255 has quit IRC | 19:57 | |
*** ram5391 has quit IRC | 19:59 | |
marekd | morganfainberg: hi, thanks for patching https://review.openstack.org/#/c/80293 . just curious, the only reason for pushing into six library is 2to3 compatibility, nothing more, right? | 19:59 |
morganfainberg | marekd, np | 19:59 |
morganfainberg | marekd, yeah | 20:00 |
morganfainberg | marekd, the hope is when eventlet stops breaking py33, it'll be minimal work to get us to py33 compat | 20:00 |
marekd | morganfainberg: ok, understood. | 20:00 |
morganfainberg | marekd, same reason we now use "except Exception as e" instead of "except Exception, e" | 20:01 |
morganfainberg | marekd, one is py33 friendly, the other is not | 20:01 |
marekd | morganfainberg: ACK. | 20:01 |
marekd | morganfainberg: i might be mixing something, but are there any plans to remove eventlet in favour of something 'better' ? | 20:03 |
marekd | morganfainberg: utilizing threads... | 20:03 |
morganfainberg | that is a bigger conversation | 20:03 |
marekd | morganfainberg: i can imagine that :-) | 20:03 |
morganfainberg | i don't know of any explicit plans yet, we've all talked about things. | 20:03 |
morganfainberg | also, threads in python suck to use :P | 20:03 |
morganfainberg | yay GIL | 20:03 |
marekd | morganfainberg: hehe | 20:04 |
dstanek | morganfainberg: hiya | 20:04 |
morganfainberg | dstanek, oh hai | 20:04 |
marekd | morganfainberg: hm, long story short any libs replacing eventlet or some 'design pattern' - names, links? | 20:04 |
morganfainberg | marekd, there has been some ML traffic | 20:04 |
dstanek | morganfainberg: going through bugs and was that your review https://review.openstack.org/#/c/80409/ is actually a fix for https://review.openstack.org/#/c/53208/ | 20:04 |
morganfainberg | marekd, but i don't know of anything specific. | 20:05 |
marekd | morganfainberg: ok, will look into that. | 20:05 |
morganfainberg | dstanek, LOL sure | 20:05 |
dstanek | oops wrong link i think | 20:05 |
morganfainberg | dstanek, nah | 20:05 |
morganfainberg | dstanek, same concept, different approach | 20:05 |
morganfainberg | dstanek, you had the right links | 20:05 |
morganfainberg | i'm happy to go with either solution | 20:06 |
dstanek | morganfainberg: i like yours | 20:06 |
morganfainberg | dstanek, ayoung proposed the ENV vars, I didn't see your take on it | 20:06 |
morganfainberg | dstanek, so i think we need to get a closes-bug line in there | 20:06 |
dstanek | i was just about to rebase mine on master and i decided to rebase on your changes | 20:07 |
dstanek | but you already have it done | 20:07 |
ayoung | morganfainberg, cuz I am heads down working on the client side of revocation events and trying to ignore the world. | 20:07 |
morganfainberg | ayoung, keep at it, was just saying you proposed an idea. | 20:07 |
morganfainberg | dstanek, :) | 20:07 |
morganfainberg | dstanek, want me to toss the closes-bug on that review then? | 20:08 |
morganfainberg | dstanek, and you can re-review the change chain | 20:08 |
dstanek | morganfainberg: sure, that sounds good to me | 20:09 |
ayoung | ah | 20:09 |
openstackgerrit | Morgan Fainberg proposed a change to openstack/keystone: Make LIVE Tests configurable with ENV https://review.openstack.org/80409 | 20:10 |
morganfainberg | dstanek, done. | 20:10 |
*** derek_c has joined #openstack-keystone | 20:11 | |
dstanek | morganfainberg: thanks! | 20:12 |
openstackgerrit | Marek Denis proposed a change to openstack/keystone: Filter SAML2 assertion parameters with certain prefix. https://review.openstack.org/80946 | 20:13 |
marekd | stevemar: tox -e sample_config ^^ | 20:13 |
morganfainberg | marekd, ++ | 20:13 |
stevemar | thx marekd | 20:13 |
marekd | stevemar: morganfainberg once it passes the tests (hopefully), please lean over that patchset :) | 20:15 |
marekd | gotta run, should be back in 2-3 hours. | 20:17 |
morganfainberg | dolphm, do we want an RC bug saying "make sure sample_config is up to date, this should be the last bug before we are ready to cut RC"? | 20:17 |
*** marekd is now known as marekd|bbl | 20:17 | |
morganfainberg | dolphm, we could do that each milestone instead of trying to keep things in sync and merge "fun" associated with it. | 20:17 |
dolphm | morganfainberg: worth trying | 20:18 |
morganfainberg | dolphm, i'll do that for RC, if we like it... we can keep doing it | 20:18 |
dolphm | morganfainberg: and no reason not to | 20:18 |
morganfainberg | dolphm, https://bugs.launchpad.net/keystone/+bug/1293781 leaving it unassigned for now. | 20:20 |
morganfainberg | unless you want me to assign it to you / me | 20:20 |
morganfainberg | or i guess i could assign it to drivers. | 20:20 |
morganfainberg | stevemar, ayoung, bknudson, gyee, henrynash, jamielennox|away, dolphm, dstanek, lbragstad, https://bugs.launchpad.net/keystone/+bug/1293781 - don't worry about sample.config updates for patches going into RC (if they have them it's fine) but we're going to try and do a sync as the last bug in RC. | 20:24 |
stevemar | morganfainberg, yes, that would be helpful | 20:24 |
gyee | morganfainberg, wonder if we can gate this | 20:25 |
ayoung | morganfainberg, ++ | 20:25 |
gyee | meaning auto detect any config changes | 20:25 |
morganfainberg | gyee, i am working on getting a check job that says "we are out of date" | 20:25 |
gyee | morganfainberg, nice! | 20:25 |
*** derek_c has quit IRC | 20:25 | |
morganfainberg | gyee, it will be non-voting | 20:26 |
morganfainberg | gyee, just a "oh hay it's out of date" | 20:26 |
gyee | why non-voting? | 20:26 |
morganfainberg | gyee, second, in Juno (probably middle/latter half) sample configs will hopefully be generated at release cut time and in doc runs | 20:26 |
bknudson | gyee: it kept breaking when oslo libraries would change under us. | 20:26 |
morganfainberg | gyee, because it breaks the gate if a dependent library (oslo.messaging) changes opts | 20:26 |
gyee | oh bloody | 20:27 |
morganfainberg | gyee, yeah | 20:27 |
morganfainberg | gyee, the real solution being generate sample on demand (docs / release) not any other time | 20:27 |
morganfainberg | initially i proposed a periodic like translations but no one liked that | 20:27 |
dstanek | morganfainberg: i like the on demand approach | 20:28 |
morganfainberg | so do i, but it's a bit of work to get there | 20:29 |
dstanek | morganfainberg: is there anything we can do in our code that could break the generation process that we should gate on? | 20:29 |
morganfainberg | so lets stop-gap and make sure we're aware when we're out of sync | 20:29 |
morganfainberg | when we get there, i think we will know more | 20:29 |
morganfainberg | dstanek, probably nothing that wouldn't break docs | 20:29 |
morganfainberg | dstanek, but we could make part of the doc build to ensure we actually built the sample | 20:30 |
morganfainberg | dstanek, and fail if the sample doesn't build | 20:30 |
morganfainberg | dstanek, going to circle back on that in Juno for sure. | 20:30 |
dstanek | nice | 20:31 |
openstackgerrit | Pablo Fernando Cargnelutti proposed a change to openstack/keystone: Moving delete_user and delete_group calls to IdentityManager https://review.openstack.org/80368 | 20:31 |
morganfainberg | also working on getting a patch into tox so we can do optional things based upon env vars (e.g. the subunit thing, --failing, etc) | 20:32 |
morganfainberg | dstanek, https://bitbucket.org/hpk42/tox/pull-request/86/support-optional-env-variable-substitution/diff#comment-1432498 | 20:32 |
morganfainberg | dstanek, hg makes me cry though :( | 20:32 |
* morganfainberg likes git + gerrit workflows | 20:32 | |
richm | bknudson: you said "it doesn't work, right?" - is there a particular test/test suite that I should be running? With my fix, both the live ldap tests pass, and tox -e py27 passes - or is the problem that we don't have an appropriate test for this? | 20:37 |
*** derek_c has joined #openstack-keystone | 20:39 | |
openstackgerrit | A change was merged to openstack/keystone: Don't automatically enable revocation events. https://review.openstack.org/80441 | 20:43 |
*** harlowja is now known as harlowja_away | 20:44 | |
morganfainberg | yay | 20:45 |
openstackgerrit | Diane Fleming proposed a change to openstack/identity-api: Clean up naming to match new conventions https://review.openstack.org/81076 | 20:50 |
dstanek | morganfainberg: was _ldap_skip_live left on on accident? https://review.openstack.org/#/c/80409/6/keystone/tests/test_ldap_livetest.py | 20:50 |
morganfainberg | dstanek, so it was. | 20:51 |
morganfainberg | oh wait no | 20:51 |
morganfainberg | that is wrong, it should call _ldap_skip_live | 20:51 |
morganfainberg | because the TLS version inherits | 20:51 |
morganfainberg | good catch | 20:52 |
openstackgerrit | Morgan Fainberg proposed a change to openstack/keystone: Make LIVE Tests configurable with ENV https://review.openstack.org/80409 | 20:53 |
morganfainberg | dstanek, fixed. | 20:53 |
dstanek | morganfainberg: lgtm, thanks! | 20:55 |
openstackgerrit | Dolph Mathews proposed a change to openstack/python-keystoneclient: add pooling for cache references https://review.openstack.org/81078 | 20:56 |
openstackgerrit | Dolph Mathews proposed a change to openstack/python-keystoneclient: add pooling for cache references https://review.openstack.org/81078 | 20:57 |
*** leseb has joined #openstack-keystone | 21:01 | |
*** topol has quit IRC | 21:01 | |
bknudson | richm: I submitted a change to add a test -- https://review.openstack.org/#/c/81046/1/keystone/tests/test_backend_ldap.py | 21:03 |
bknudson | richm: I don't think we would have a test that says description doesn't work as a mapping. | 21:03 |
bknudson | morganfainberg: I wasn't able to recreate the problem described in the bug for https://review.openstack.org/80441 | 21:05 |
bknudson | morganfainberg: I submitted a tempest test... | 21:05 |
bknudson | morganfainberg: https://review.openstack.org/#/c/80837/ | 21:05 |
*** derek_c has quit IRC | 21:07 | |
morganfainberg | bknudson, hm.. i'll get my coworker to chase down exactly what horizon was doing | 21:10 |
morganfainberg | bknudson, oh, UUID tokens | 21:10 |
bknudson | morganfainberg: it only affects UUID? | 21:10 |
morganfainberg | bknudson, well it would affect anything that is asking keystone for a validate on a token | 21:10 |
morganfainberg | bknudson, let me look at your tempest check | 21:11 |
bknudson | morganfainberg: these tests are going directly to keystone | 21:11 |
bknudson | since it's using unscoped token | 21:11 |
morganfainberg | yeah let me look. | 21:11 |
morganfainberg | the case was nova was rejecting a UUID token as invalid | 21:11 |
morganfainberg | but in theory it would also affect keystone actions uuid or pki | 21:12 |
* dolphm is really happy with what entered the gate today :D | 21:13 | |
* dolphm wanders off to find a beer | 21:13 | |
morganfainberg | bknudson, i think there is a missing step somewhere in here | 21:14 |
bknudson | morganfainberg: so keystone had it in revoked tokens but it was still valid? | 21:15 |
bknudson | not sure how that would happen since revoked tokens is generated from db query | 21:15 |
morganfainberg | bknudson, well not in revoked tokens, it was matching a revoke event | 21:15 |
*** rwsu has quit IRC | 21:16 | |
morganfainberg | bknudson, and because revoke_api was loaded by default, it was gating validity of the tokens as well | 21:16 |
morganfainberg | bknudson, revocation_list had nothing to do with it | 21:16 |
morganfainberg | bknudson, to nail down the process i'll need to run this test against an unpatched version of keystone (i'll do it locally) | 21:16 |
morganfainberg | since we just merged the fix making revoke_api actually optional | 21:17 |
bknudson | morganfainberg: I was hoping it would show the failure and then we'd fix it... but for some reason no failure | 21:17 |
morganfainberg | bknudson, it was a headache to make the unit test work properly, it's a narrow scope | 21:18 |
morganfainberg | bknudson, i'll see what i can turn up over the next couple days | 21:18 |
morganfainberg | bknudson, hopefully i can force a failure to occur | 21:18 |
morganfainberg | :) | 21:18 |
bknudson | tempest seems to be a little short on keystone tests in general | 21:19 |
morganfainberg | bknudson, yeah | 21:19 |
*** topol has joined #openstack-keystone | 21:19 | |
morganfainberg | we have good coverage with our unit tests! | 21:19 |
bknudson | I just added the test for getting a token from unscoped | 21:19 |
openstackgerrit | Brant Knudson proposed a change to openstack/keystone: Remove duplication when picking test config files https://review.openstack.org/79219 | 21:27 |
*** finite has quit IRC | 21:29 | |
*** rwsu has joined #openstack-keystone | 21:31 | |
morganfainberg | bknudson, mind seeing if that is still relevant with https://review.openstack.org/#/c/79525/ ? | 21:33 |
morganfainberg | bknudson, if so, rebase on that. | 21:33 |
morganfainberg | bknudson, or let me know so i can fix that review. | 21:33 |
*** nkinder has quit IRC | 21:34 | |
*** topol has quit IRC | 21:36 | |
*** topol has joined #openstack-keystone | 21:40 | |
richm | bknudson: ok - yes, keystone complains about Invalid additional attribute mapping | 21:47 |
bknudson | richm: https://review.openstack.org/#/c/81040/ | 21:49 |
openstackgerrit | Pablo Fernando Cargnelutti proposed a change to openstack/keystone: Moving delete_user and delete_group calls to IdentityManager https://review.openstack.org/80368 | 21:51 |
*** pcargnel has quit IRC | 21:53 | |
*** topol has quit IRC | 22:00 | |
openstackgerrit | A change was merged to openstack/keystone: Replace httplib.HTTPSConnection in ec2_token https://review.openstack.org/76476 | 22:01 |
*** jamielennox|away is now known as jamielennox | 22:03 | |
*** david-lyle has quit IRC | 22:04 | |
*** wchrisj has quit IRC | 22:05 | |
*** lbragstad has quit IRC | 22:05 | |
*** thedodd has quit IRC | 22:08 | |
*** harlowja_away is now known as harlowja | 22:17 | |
*** nkinder has joined #openstack-keystone | 22:30 | |
*** ravikumar_hp has joined #openstack-keystone | 22:33 | |
ravikumar_hp | one question: - when Keystone V2 API will be deprecated ? Not in Icehouse release Right? | 22:36 |
*** leseb has quit IRC | 22:37 | |
*** leseb has joined #openstack-keystone | 22:37 | |
bknudson | ravikumar_hp: it's deprecated in icehouse | 22:38 |
*** marekd|bbl is now known as marekd | 22:38 | |
ravikumar_hp | ok | 22:39 |
morganfainberg | ravikumar_hp, it'll be available and supported until K release | 22:39 |
*** openstackgerrit has quit IRC | 22:39 | |
morganfainberg | ravikumar_hp, but it is officially deprecated as of Icehouse | 22:39 |
*** openstackgerrit has joined #openstack-keystone | 22:39 | |
*** leseb has quit IRC | 22:42 | |
*** browne has quit IRC | 22:49 | |
*** andreaf has quit IRC | 22:50 | |
*** leseb has joined #openstack-keystone | 22:54 | |
*** bvandenh has quit IRC | 22:56 | |
*** stevemar has quit IRC | 23:02 | |
bknudson | http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/test_v3_auth.py#n128 | 23:11 |
bknudson | this test assumes that the order of the fields in a dict is fixed. | 23:11 |
*** derek_c has joined #openstack-keystone | 23:20 | |
*** dims has quit IRC | 23:24 | |
*** leseb has quit IRC | 23:31 | |
*** henrynash has quit IRC | 23:32 | |
morganfainberg | bknudson, awesome. | 23:38 |
bknudson | morganfainberg: it was actually easy to fix... used response body rather than response json. | 23:38 |
morganfainberg | sounds good. | 23:38 |
bknudson | kind of surprising that it's worked all this time. | 23:38 |
*** bknudson has quit IRC | 23:39 | |
*** dims has joined #openstack-keystone | 23:39 | |
*** ravikumar_hp has quit IRC | 23:47 | |
openstackgerrit | Morgan Fainberg proposed a change to openstack/keystone: Uses explicit imports for _ https://review.openstack.org/58766 | 23:57 |