Monday, 2014-03-24

*** thedodd has joined #openstack-keystone00:12
*** arosen1 has quit IRC01:00
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Handle URLs via the session and auth_plugins
*** arosen1 has joined #openstack-keystone01:18
*** thedodd has quit IRC01:20
openstackgerritwanghong proposed a change to openstack/keystone: remove redundant code in catalog/
*** arosen1 has quit IRC01:59
*** thedodd has joined #openstack-keystone02:08
*** arosen1 has joined #openstack-keystone02:10
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Sync config fixture object from oslo.incubator
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Plugin loading from config objects
*** david-lyle has joined #openstack-keystone02:14
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Fix passing get_token kwargs to get_access
*** bknudson has quit IRC02:45
*** thedodd has quit IRC02:48
*** mberlin1 has quit IRC02:53
*** mberlin has joined #openstack-keystone03:08
*** arosen1 has quit IRC03:22
*** arosen1 has joined #openstack-keystone03:25
*** arosen1 has quit IRC03:28
*** arosen1 has joined #openstack-keystone03:29
*** arosen2 has joined #openstack-keystone03:30
*** arosen1 has quit IRC03:33
openstackgerritJamie Lennox proposed a change to openstack/keystone: Change the default version discovery URLs
*** topol has joined #openstack-keystone04:42
*** lbragstad has joined #openstack-keystone04:46
*** lbragstad1 has quit IRC04:47
*** chandankumar has quit IRC05:14
*** zhiyan_ is now known as zhiyan05:24
*** chandan_kumar has joined #openstack-keystone05:25
*** topol has quit IRC05:48
openstackgerritJenkins proposed a change to openstack/keystone: Imported Translations from Transifex
*** topol has joined #openstack-keystone06:06
*** derek_c has joined #openstack-keystone06:16
*** arosen2 has quit IRC06:31
*** topol has quit IRC06:32
*** saju_m has joined #openstack-keystone06:35
*** jamielennox is now known as jamielennox|away06:51
*** marekd|away is now known as marekd06:56
*** saju_m has quit IRC06:59
*** saju_m has joined #openstack-keystone07:12
*** saju_m has quit IRC07:17
*** saju_m has joined #openstack-keystone07:18
*** saju_m has quit IRC07:22
*** saju_m has joined #openstack-keystone07:24
*** saju_m has quit IRC07:30
*** saju_m has joined #openstack-keystone07:32
*** flaper87|afk is now known as flaper8707:40
*** derek_c has quit IRC08:20
openstackgerritMarek Denis proposed a change to openstack/keystone: Add dedicated URL for issuing unscoped federation tokens.
*** leseb has joined #openstack-keystone08:55
openstackgerritMarcos Fermín Lobo proposed a change to openstack/keystone: Unimplemented get roles by group for project list
*** topol has joined #openstack-keystone10:28
*** jaosorior has joined #openstack-keystone10:33
*** david-lyle has quit IRC10:41
*** leseb has quit IRC11:16
*** leseb has joined #openstack-keystone11:16
*** leseb has quit IRC11:21
dolphmmarekd: on ...11:22
dolphmmarekd: should it be a GET or a POST?11:22
dolphmmarekd: you tell me what works11:22
dolphmmarekd: the latest patchset has a GET in the docstr, and then it's routed as a POST - so one of them needs to be corrected11:23
marekddolphm: if you use browser - it'd be GET, but this is not something that's gonna be eventually used. Accroding to some vague infor I have in those reference clients it's POST....11:23
dolphmmarekd: what do you mean that it's not going to be used?11:24
marekddolphm: you will not use your browser to get a token via Identity API, right?11:24
dolphmmarekd: in the case of federation - maybe? i don't know11:25
dolphmmarekd: should we specify and route *both* GET and POST?11:25
marekddolphm: but then you will only see the XML it something that people do?11:25
dolphmmarekd: it's something people have expressed interest in, but i do not know if it's the best solution or not (i'm also wondering if it's the *only* solution for some identity providers?)11:26
marekddolphm: in fact, this might be on only solution - yet *very* ugly. Because what you need to do is to use your browser, authn via webSSO (so no ECP), and later get an XML token response, copy token id and try to scope the token, possibly with you cli...11:28
marekd(if the step 2 is available).11:28
*** chandankumar_ has joined #openstack-keystone11:29
dolphmmarekd: i suspect the answer to that is to do a lot of the work with javascript in the browser?11:29
marekddolphm: when websso is used?11:29
openstackgerritDolph Mathews proposed a change to openstack/python-keystoneclient: add functional test for cache pool
dolphmmarekd: yes11:29
marekddolphm: in web sso a client is redirected to a webpage server by an IdP - you don't know what you get can be a simple html form,  but also js and maybe even flash..?11:30
marekddolphm: websso assumes a human is sitting at the other side and he is using a browser.11:31
dolphmmarekd: right11:31
marekdIdP is something we don't control.11:31
marekddolphm: ECP is something now widely spread, but we cannot do anything about thaat..11:31
marekdwhat's even worse, it's vaguely documented.11:32
dolphmmarekd: you mean *not* widely spread?11:32
marekddolphm: you can assume that every SAML2 IdP can speak webSSO and not every speaks ECP.11:33
marekddolphm: yes, i meant *not*11:34
marekddolphm: I think GET and POST methods should be fine, just to fire this particular function11:36
marekddolphm: but still get info about idp and protocol from the uri.11:36
dolphmmarekd: sounds good11:37
dolphmmarekd: put both in the docstr, and then ['GET', 'POST'] in the router?11:37
marekddolphm: changing.11:37
marekdin the docstring: double the line with two different methods, or you usually pack it together?11:38
marekddolphm: nvm, doubled.11:40
openstackgerritMarek Denis proposed a change to openstack/keystone: Add dedicated URL for issuing unscoped federation tokens.
openstackgerritMarek Denis proposed a change to openstack/keystone: Add dedicated URL for issuing unscoped federation tokens.
openstackgerritJenkins proposed a change to openstack/keystone: Updated from global requirements
openstackgerritJenkins proposed a change to openstack/python-keystoneclient: Updated from global requirements
*** leseb has joined #openstack-keystone11:55
*** leseb has quit IRC11:59
*** jamielenz has joined #openstack-keystone12:01
*** jamielennox|away has quit IRC12:03
*** lbragstad has quit IRC12:10
*** chandankumar_ has quit IRC12:13
*** leseb has joined #openstack-keystone12:19
*** lbragstad has joined #openstack-keystone12:36
*** bknudson has joined #openstack-keystone13:06
*** browne has joined #openstack-keystone13:06
dstaneki wish i had the power to bring back to life13:09
dstanekdolphm: i fixed a minor test thing yesterday on are you still working on it?13:10
*** andreaf has joined #openstack-keystone13:36
dolphmdstanek: THANKS! i was about to address brant's comment, unless you have a revision working already13:38
dolphmdstanek: you can manually bring it back with a new change-id, but i really wish we had Restore :(13:38
*** devlaps has joined #openstack-keystone13:40
*** nkinder has quit IRC13:40
dstanekdolphm: no, i haven't looked at it - him comment is actually about the change i made yesterday13:44
dstaneki left a comment on that review for the original author to restore - i'll give him a few days before i do anything13:44
*** henrynash has joined #openstack-keystone13:47
*** daneyon has joined #openstack-keystone13:51
*** daneyon has quit IRC13:52
dolphmdstanek: testing a patch for the service enabled thing now13:52
*** daneyon has joined #openstack-keystone13:52
*** joesavak has joined #openstack-keystone13:54
*** wchrisj has joined #openstack-keystone13:54
*** daneyon_ has joined #openstack-keystone13:58
*** daneyon has quit IRC13:58
*** daneyon_ has quit IRC13:59
dstanekdolphm: i'm available to review when you push14:04
dstaneki'll just looking over more client reviews right now14:04
openstackgerritDolph Mathews proposed a change to openstack/keystone: Always include 'enabled' field in service response
dolphmdstanek: ^14:14
dstanekdolphm: thx14:15
*** thiagop has joined #openstack-keystone14:16
*** rwsu has joined #openstack-keystone14:17
dstanekdolphm: these last few reviews are the first time i've seen server_default used; looks like sqlalchemy has everything :-)14:21
dolphmdstanek: me too14:22
dolphmdstanek: did your patch to testrepository to fix the miscount ever get accepted?14:24
dstanekthey fixed it themselves, but i still think they have an off-by-114:24
dstanekdolphm: but yes they did fix it so that it no longer double counts errors14:25
openstackgerritAndrey Kurilin proposed a change to openstack/python-keystoneclient: Reuse module `exceptions` from Oslo
*** nkinder has joined #openstack-keystone14:26
dstanekdolphm: do we need to worry about people counting on using enabled in the extra field?14:28
dolphmdstanek: 'extra' should just be an implementation detail, so no14:29
dstanekwhat if they create a new service with extra={'enabled': False}?14:30
dolphmdstanek: through what?14:31
dolphmwhat interface*14:31
*** topol has quit IRC14:31
dstanekdolphm: can't they post that directly?14:31
dstanekdolphm: i guess they can't because extra would be put into the extra :-) nm14:33
dolphmdstanek: ++14:34
openstackgerritAndrey Kurilin proposed a change to openstack/python-keystoneclient: Use `HttpNotImplemented` in `tests.v3.test_trusts`
dolphmis eventlet monkey patching undoable?14:38
*** saju_m has quit IRC14:39
dstanekdolphm: at runtime?14:43
dolphmdstanek: yeah...14:43
*** david-lyle has joined #openstack-keystone14:43
dolphmlike             eventlet.patcher.monkey_patch(os=False, select=False, socket=False, thread=False, time=False, psycopg=False, MySQLdb=False) resets stdlib14:43
dstanekdolphm: probably not entirely14:44
dstaneki'm sure you can find where it put the originals and put them back, but by then it's likely too late because of imports14:44
dstanekthey'll have references to the eventlet versions - that's one of the reasons why you have to patch eventlet as one of the first things you do14:45
*** lucasagomes has joined #openstack-keystone14:47
*** dims has quit IRC14:47
lucasagomeshi, I'm trying to use the keystone v3 /credentials but I'm getting this error:
lucasagomesis it working?14:47
*** thedodd has joined #openstack-keystone14:48
lucasagomesif I access it via curl in the API I can list the credentials14:48
*** wchrisj has quit IRC14:54
*** dims has joined #openstack-keystone15:00
openstackgerritDolph Mathews proposed a change to openstack/keystone: test tcp_keepidle only if it's available on the current platform
dolphmanyone else dev on OS X? ^15:01
dolphmdstanek: it turns out eventlet on OS X != eventlet on everything else15:02
dolphmdstanek: i thought my problem was that eventlet was leaving things unexpectedly patched or something, but it was just that eventlet does not patch socket in the same way it does on other platforms15:03
*** topol has joined #openstack-keystone15:04
dolphmlucasagomes: definitely pass a project_name instead of a tenant_name to the Client()15:04
dstanekdolphm: what is it doing differently?15:04
dolphmdstanek: actually maybe it's not eventlet - the socket module is missing socket.TCP_KEEPIDLE regardless of whether it's monkey patched or not15:06
*** mberlin has quit IRC15:09
dolphmdstanek: that's on python 2.7.6 installed via homebrew15:09
*** mberlin has joined #openstack-keystone15:11
dstanekdolphm: very odd - i've never been able to run the entire test suite on my Mac15:13
*** zhiyan is now known as zhiyan_15:13
lucasagomesdolphm, will try15:13
dolphmdstanek: i've been ignoring this failure for a couple months :-/ but it's the only one15:14
dstanekdolphm: i think the biggest things for me was the file descriptor leaks that i fixed - i just haven't gone back to the Mac since15:14
lucasagomessame :/15:16
*** leseb has quit IRC15:18
*** leseb_ has joined #openstack-keystone15:19
*** topol has quit IRC15:21
dolphmlucasagomes: what does your service catalog look like?15:24
lucasagomesdolphm, lemme check, any command in specific u want me to run? (I'm a ks noob)15:28
dstanekdolphm: - is service_id there something that should be used? or just something pulled from the original review?15:28
*** packet has joined #openstack-keystone15:29
*** richm has joined #openstack-keystone15:34
openstackgerritA change was merged to openstack/python-keystoneclient: add functional test for cache pool
openstackgerritDolph Mathews proposed a change to openstack/python-keystoneclient: sanity check memcached availability before running tests against it
*** wchrisj has joined #openstack-keystone15:38
*** gyee has joined #openstack-keystone15:39
dolphmdstanek: took the chance to fix another annoying test failure that bites me when i dev outside of devstack ^ (who runs memcached otherwise?)15:40
dolphmdstanek: bknudson is correct there -- that line should be removed15:41
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Regions Management
*** andreaf2 has joined #openstack-keystone15:44
openstackgerritDolph Mathews proposed a change to openstack/keystone: Always include 'enabled' field in service response
*** andreaf has quit IRC15:45
openstackgerritA change was merged to openstack/identity-api: Update to clouddocs-maven-plugin 1.15
dstanekdolphm: just saw bknudson's comment now15:52
dstanekdolphm: the only other thing that i see is the ep/eps naming here:
dstanekdolphm: i noticed it because you renamed new_eps to new_service15:53
*** marcoemorais has joined #openstack-keystone16:05
openstackgerritDolph Mathews proposed a change to openstack/keystone: Always include 'enabled' field in service response
dolphmdstanek: fixed ^16:11
*** lucasagomes has left #openstack-keystone16:11
openstackgerritMarek Denis proposed a change to openstack/identity-api: Add dedicated URL for federated authentication.
dstanekbknudson: you had a comment about validating the request path here:
bknudsondstanek: the client tests should validate that the correct request is made -- the path and body16:36
bknudsonand method16:36
bknudsonand headers16:36
bknudsonand also that the client handles the expected responses16:37
dstanekbknudson: i can add an assertEqual to a hard coded string, but i don't think it's necessary because i believe the test will fail if it requestion a path other than the one passed into stub_url16:37
bknudsonok, maybe it's tested already16:37
dstanekbknudson: i do want to delete the assert on the body16:38
bknudsonhow about a test for the case where the server responds with an error?16:38
bknudsonwhat does the assert on the body do?16:38
dstanekbknudson: it just tests the stubbing library right now16:39
dstanekbknudson: yeah, i don't think he has anything to test handling server errors16:39
dstanekhmmm...i don't think we do that at all in test_users.py16:40
bknudsonso this is the return value of the manager... I guess if we always expect the method to return None then could validate it.16:41
bknudsonBut if the method returns None then I wouldn't expect an application to really care.16:41
*** browne has quit IRC16:45
*** packet has quit IRC16:46
dstanekbknudson: i'm just going to go with because it's more explicit even if not needed16:47
openstackgerritDavid Stanek proposed a change to openstack/python-keystoneclient: Add a method for changing a user's password in V3
*** harlowja has joined #openstack-keystone16:49
bknudsondstanek: the proposal in the pasted diff looks good to me.16:49
*** browne has joined #openstack-keystone16:56
*** amcrn has joined #openstack-keystone16:57
dstanekdolphm: i think your changes look fine17:06
*** jaosorior has quit IRC17:20
*** leseb_ has quit IRC17:22
*** bada has joined #openstack-keystone17:30
*** flashgordon is now known as jogo17:34
openstackgerritDirk Mueller proposed a change to openstack/keystone: Create TMPDIR for tests recursively
openstackgerritA change was merged to openstack/identity-api: Clean up naming to match  new conventions
marekdIs my understanding correct that the method put() will issue a request with empty body?18:19
*** andreaf2 has quit IRC18:23
*** morganfainberg_Z is now known as morganfainberg18:24
morganfainbergdolphm, i keep trying to develop on OS X18:26
morganfainbergdolphm, it's a challenge sometimes.18:26
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Compressed Signature and Validation
openstackgerritayoung proposed a change to openstack/python-keystoneclient: remove universal_newlines
ayoungmorganfainberg, so... I got the compressed token code working in both py27 and py3318:27
morganfainbergayoung, nice18:28
ayoungmorganfainberg, look at this:  line 29418:28
ayoungmakes me nostalgic for type safe languages18:29
ayoungbut need to differentiate between python27 "everything is a string" as well as "sometimes the data is really a string:18:29
morganfainbergayoung, just be carefule, bytearray is muteable18:29
ayoungmorganfainberg, 'slaright18:29
morganfainbergayoung, unlike strings in python.18:29
ayoungmorganfainberg, needs to be in binary form for the follow on operations, though18:30
ayoungnamely uncompress18:30
morganfainbergayoung, sure.18:30
morganfainbergayoung, i'd probably put a comment in because bytearray isn't used commonly (but, eh, w/e)18:31
ayoungmorganfainberg, comment on that in the code review, and see if it stirs some other reviewer feedback18:31
ayoungmorganfainberg, it will be in py3318:31
ayoungpy27 "everything is a string" is going away18:31
ayoungbuh bye18:31
morganfainbergayoung, you don't need to use it in py33.  bytes != bytearray18:32
morganfainbergbytearray is mutable, bytes is not18:32
ayoungmorganfainberg, until we get there....18:32
morganfainbergmost people will use bytes.18:32
morganfainbergjust py2.7 bytes = str18:32
morganfainbergwhich is lame :P18:32
*** thedodd has quit IRC18:33
ayoungmorganfainberg, agreed.  I was conspiring w/ other devs:  for Juno 1, we do a full court press to get Python33 working for Keystone.  Then make that the primary dev platform, with 27 considered legacy18:33
ayoungIE:  Code in 33 and run tox -epy33 first18:34
morganfainbergayoung, when does RHEL7 launch?18:34
morganfainbergand waht is the python version in it?18:34
ayoungmorganfainberg, In RHEL we can use software collections now, so we can do 3318:34
morganfainbergayoung, look at what i tacked onto the IRC meeting for this week18:34
morganfainbergayoung, I'm looking forward to rhel7 tbh18:34
morganfainbergayoung, ++ yay!18:35
morganfainbergour biggest blocker is eventlet moving to py3318:35
morganfainbergtalked w/ -infra this weekend18:35
morganfainberglets just say, we should plan to kill eventlet18:35
morganfainberglead the charge so to speak18:35
ayoungYep...I plan on smashing that one in a coordinate attack including synchronized ground an dair strikes18:35
morganfainbergi was told, eventlet is dead18:36
morganfainbergwe should be using trollius if we want eventlet like code18:36
morganfainbergwe can move to wsgiref for basic wsgi stuff18:36
ayoungWe have been trolled long enough18:36
ayoungAnd Cressida was wanton18:36
morganfainbergso step 1 move to wsgiref, step 2 celebrate, step 3 determine if we can/want to use coroutine-like-things18:37
morganfainbergand both wsgiref and trollius are in global reqs18:37
ayoungstep 1 move to Apache and mod_wsgi with prefork mode18:37
ayounguse paste for testing and be done with it18:38
morganfainbergayoung, actually, that is an easy fix for devstack gate. i'll propose that today (wont change ports, but it'll make keystone run under apache by default)18:38
morganfainbergayoung, well we need to still support (legacy) stand-alone keystone18:38
morganfainbergayoung, wsgiref is the answer there.18:38
ayoung    \m/   >_<    \m/18:38
ayoung    \m/   (>_<)    \m/18:38
*** marekd is now known as marekd|away18:48
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Regions Management
openstackgerritayoung proposed a change to openstack/identity-api: Make expires_at optional
morganfainbergayoung, running my devstack now to make sure i don't have anything else to "fix" before proposing this change to make keystone default to running under apache18:55
ayoungmorganfainberg, you do realize that without compressed tokens it is a non-starter18:55
ayoungand it looks like I got a false sense of security on those18:56
morganfainbergayoung, the default service catalog is too large?18:56
morganfainbergayoung, last time i checked it was small enough under devstack18:56
ayounglets see18:56
*** browne has quit IRC18:59
*** lbragstad has quit IRC18:59
*** harlowja has quit IRC19:01
*** lbragstad has joined #openstack-keystone19:01
*** harlowja has joined #openstack-keystone19:03
morganfainbergayoung, so compressed tokens might not be a solution or did i read that wrong?19:05
*** marcoemorais has quit IRC19:06
*** marcoemorais has joined #openstack-keystone19:06
ayoungmorganfainberg, no, compressed tokens are a solution, I'm jsut having trouble figuring out how to deal with the strings in python19:06
morganfainbergayoung, ah19:07
*** derek_c has joined #openstack-keystone19:08
dolphmbknudson: strange failure on
bknudsondolphm: that is a strange failure... guessing it's not something caused by my change.19:23
dolphmbknudson: agree19:23
bknudsondolphm: I'll ask in openstack-oslo19:24
*** thedodd has joined #openstack-keystone19:25
*** browne has joined #openstack-keystone19:25
*** lbragstad has quit IRC19:36
openstackgerritDolph Mathews proposed a change to openstack/identity-api: Provide alternative to overloading /v3/auth/tokens
*** marcoemorais has quit IRC19:43
*** marcoemorais has joined #openstack-keystone19:44
dolphmmarekd|away: ^19:44
dolphmmorganfainberg: ayoung: you can configure devstack to allow larger tokens than 8190 with LimitRequestFieldSize19:45
morganfainbergdolphm, this is the header issue19:45
morganfainbergdolphm, not the request size. iirc mod_wsgi had a hard-set compiletime value as well?19:46
dolphmmorganfainberg: "The LimitRequestFieldSize directive allows the server administrator to set the limit on the allowed size of an HTTP request header field."19:46
dolphmmorganfainberg: ah19:46
morganfainbergdolphm, hm. i'll try it out :)19:46
bknudsonkeystone also has a setting for max token size.19:46
ayoungdolphm, problem is that Apache HTTPD limit  is hard coded.  The work around you posted only handles the Eventlet side19:47
ayoungI need #ifdef PYTHON_3319:48
dstanekayoung: i want that in requirements.txtr!19:48
bknudsonif six.PY319:48
morganfainbergbknudson, ++19:51
dstanekbknudson: that's interesting. does requirement.txt only get used in py2 then?19:55
dstanekbknudson: i'll have to play with that a little. i'd like to make our py33 builder start being at least somewhat useful19:56
bknudsondstanek: good question... I just noticed it when I did a git pull.19:56
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Compressed Signature and Validation
ayoungbknudson, dstanek bknudson if you want to see some true py27 py33 ugliness ^^19:56
ayoungalthough probably should wait to see if jenkins hates it again19:57
ayoungand if I messed up pep819:57
*** jsavak has joined #openstack-keystone19:59
*** joesavak has quit IRC20:02
*** joesavak has joined #openstack-keystone20:02
*** derek_c has quit IRC20:03
*** stevemar has joined #openstack-keystone20:04
*** jsavak has quit IRC20:04
dstanekayoung: why do you have to use memoryview/buffer in there?20:12
ayoungdstanek, because if I don't it complains20:12
ayoungdstanek, specifically, can't be a string going in on py2720:12
dstanekayoung: interesting; i have only seen those used when a big chunk of data is loaded and you want to process parts of it without copying20:13
ayoungargh...context switch...!20:13
ayoungdstanek, I have to admit I am writing this via trial and error20:14
ayoungdstanek, I could probably do something different from py3320:15
ayoungdstanek, so there are a couple cases to take into account:  1.  the data might be string based for signing (PEM format) and it might be binary (DER)20:16
ayoungdstanek, also there is py27 vs 33  treatment of strings20:17
ayoungand the fact that something signed by one may need to be validated by the other20:17
marekd|awaydolphm: I have already commited a patchset: - you probably missed that, but fine. I will abandon it.20:17
ayoungnow we don't compress PEM, so that should simplify things in this vase20:17
marekd|awaydolphm: anyways, thanks!20:17
dolphmmarekd|away: oh, hrm... neither have shown up on the bug report :(20:18
dolphmthe bot must be asleep20:18
*** derek_c has joined #openstack-keystone20:19
dstanekayoung: i just tried running the tests and i get 25 failures that look unrelated; do they all run OK for you?20:19
dolphmmarekd|away: did you mean to eliminate /v3/auth/tokens completely? it has no utility?20:19
ayoungdstanek, they run for me, yes20:19
ayoungwhat failures do you see?20:20
openstackgerritA change was merged to openstack/keystone: test tcp_keepidle only if it's available on the current platform
openstackgerritA change was merged to openstack/keystone: Create TMPDIR for tests recursively
dstanekayoung: it's not you, it's me; this just isn't working out20:22
dstanekayoung: i have local errors import gdbm - rebuilding with tox now20:22
marekd|awaydolphm: i didn't erase /auth/tokens completely....line 78320:23
*** marekd|away is now known as marekd20:23
*** lbragstad has joined #openstack-keystone20:24
marekddolphm: but if you are asking about issuing unscoped token - yes IMHO it does not have any utility at the moment...unless you want to make every /auth/tokens SAML2 protected.20:24
marekd*every /auth/tokens call to be SAML2 protected...20:25
openstackgerritBrant Knudson proposed a change to openstack/keystone: Sync oslo-incubator db.sqlalchemy b9e2499
openstackgerritBrant Knudson proposed a change to openstack/keystone: Fix doc build errors with SQLAlchemy 0.9
openstackgerritBrant Knudson proposed a change to openstack/keystone: Updated from global requirements
dolphmmarekd: let me combine our patches then20:27
*** harlowja_ has joined #openstack-keystone20:27
marekddolphm: sure, you are the native here :D20:27
marekddolphm: also, feel free to abandom mine if you want to.20:28
*** harlowja has quit IRC20:31
dolphmmarekd: "WebSSO and ECP mechanisms have different authentication workflows" does one rely on GET and the other on POST? if so, which?20:33
*** jsavak has joined #openstack-keystone20:33
marekdfrom what i've seen it's: websso -> GET and ECP ( GET, later POST, because it sends XML SOAP body with authn Response from IdP)20:34
marekdbut maybe we can skip this part?20:35
*** joesavak has quit IRC20:37
dolphmmarekd: skip what, POST for now?20:37
*** stevemar has quit IRC20:38
*** tellesnobrega_ has joined #openstack-keystone20:38
marekddolphm: the part in the docs you quoted.20:38
*** tellesnobrega_ is now known as tellesnobrega20:38
dolphmmarekd: abandoned my patch, since it looks like yours is better20:42
marekddolphm: ok, feel free to lynch  me for poor grammar/non proper english20:44
dolphmmarekd: you missed a comma ;)20:44
marekdand articles i guess...20:45
marekdthey are so unnatural for me :-)20:45
dstanekwhat are the load_tests functions in keystoneclient for?20:47
*** jsavak has quit IRC20:47
*** tellesnobrega has left #openstack-keystone20:49
ayoungdstanek, when we use Eventlet, is it "selects" or "epolls"20:49
*** joesavak has joined #openstack-keystone20:51
*** derek_c has quit IRC20:54
*** jsavak has joined #openstack-keystone20:55
*** stevemar has joined #openstack-keystone20:56
dstanekdolphm: interesting. load_tests isn't implemented in 2.6 :-(20:57
dstanekit also makes nose unhappy20:57
*** joesavak has quit IRC20:58
openstackgerritayoung proposed a change to openstack/keystone: Remember the DN
*** browne has left #openstack-keystone21:01
dstanekayoung: just removing the use of bytearray got the tests working. is there another case not in the tests that fails?
*** andreaf has joined #openstack-keystone21:15
openstackgerritMarek Denis proposed a change to openstack/identity-api: Add dedicated URL for federated authentication.
marekddolphm: ^^21:16
ayoungdstanek, was that both py33 and py27?21:16
*** derek_c has joined #openstack-keystone21:17
dstanekayoung: yeah, i was using nose though, which shouldn't matter, but who knows21:18
ayoungdstanek, does the code in examples/pki/ run, too?21:19
dstanekayoung: good question, jas21:19
dstanekayoung: i didn't get any output at all, so i assume it worked21:21
ayoungshould have21:21
ayoungdstanek, the files in pki/cms should have be regenerated21:21
dstanekit seems that the pem files where not recreated21:22
ayoungdstanek, submit it, and see if jenkins likes it better than mine.  Something is messing up devstack21:23
ayoungyeah, only the cms files get redone21:23
ayoungpkiz that is21:23
dstanekah, ok21:23
dstanekayoung: i had a few comments in the review i was working on for it - i'll fix this too21:23
*** jsavak has quit IRC21:26
*** Gippa has joined #openstack-keystone21:27
*** Gippa has quit IRC21:28
dstanekayoung: dinner time so i'll do it in about an hour :-) gotta be the family man for a bit21:30
jamielenzdstanek: load_tests is generally something that you need to use for testscenarios - i can't remember if we use it in client21:30
ayoungdstanek, thanks for looking at this21:30
jamielenzdstanek: nose doesn't implement the protocol at all so certain tests won't run with nose21:31
dstanekjamielenz: all the tests seem to run in nose (at least they don't fail), but nose thinks load_tests is a test to run and that fails21:31
dstanekjamielenz: it was added in the commit dolphm mentioned21:32
jamielenzdstanek: yea at this point i would assume that nose doesn't work for ksclient21:32
jamielenzyep, that makes sense21:32
ayoungjamielenz, casual nick er...tuesday?  Something require a shorter nick?21:32
*** jamielenz is now known as jamielennox21:33
jamielennoxi hadn't looked that closely - no idea why that happened21:33
ayoungI was worried that someone else with a nick really like yours was getting involved.  nick completion would have been a real PITA21:33
jamielennoxprobably the bouncer getting connections mixed up21:34
jamielennoxdstanek: load_tests is a well known python testing protocol - just nose doesn't obey it21:34
ayoungjamielennox,  your comment and my response21:34
dstanekayoung: np21:34
ayoungjamielennox, parent_region_id=None  vs parent_region=None21:34
ayoungwhat should that look like?21:35
jamielennoxdolphm: can you weigh in on the backwards compatibility here: af far as i'm concerned auth_token doesn't have a public stable interface21:35
dstanekjamielennox: i don't think i've ever had the need to override the test suite during discovery - at least not with nose or py.test21:35
dstanekjamielennox: my though there was that there is nothing from stopping my from subclassing your middleware to extend it21:36
jamielennoxdstanek: i'm not sure, i was doing some stuff with testscenarios in keystoneclient tests previously and i know it didn't work with nose21:36
*** amcrn has quit IRC21:36
jamielennoxdstanek: yes, it's definetly possible - i've just never operated on that constraint before21:37
dstanekjamielennox: that doesn't surprise me - testr and friends seemed to have gone a different direction21:37
jamielennox*most* usages should just use it as middleware, that's not to say that someone is trying to do something funny21:37
jamielennoxbut if you need to customize middleware what you really should be doing is putting new middleware in21:37
dstanekjamielennox: in that case i would subclass your middleware to extend (or change) it and then put that in the pipeline21:38
dstaneki don't know what our guarantees are, which is why i raised the question21:38
dstaneki'd be fine either way - i just don't know the policy21:39
jamielennoxayoung: base.getid(None) should return None - i don't like anything about that system but it's used elsewhere in manages21:39
jamielennoxdstanek: yep, will wait for dolphm to respond otherwise i'll bring it up at the meeting tomorrow21:40
ayoungjamielennox, so return super(RegionManager, self).create(description=description, enabled=enabled, base.getid( parent_region), **kwargs)21:41
jamielennoxi really want to fix all that i'm just not sure which way to go21:41
*** marekd is now known as marekd|away21:42
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Regions Management
*** dims has quit IRC21:56
jamielennoxayoung: i'd love to know what our plans are about region management with regards to the service catalog and client side22:03
andreafHi I'm working on a couple of blueprints to enable gate testing based on keystone v3 (and higher) - see and
andreafI'd welcome reviews by keystone developers - see,n,z for the current open patches22:09
harlowja_hey guys, does anyone remember what happened to
harlowja_did that get sucked into another project?22:13
* harlowja_ can't seem to remember22:13
*** derek_c has quit IRC22:13
*** dims_ has joined #openstack-keystone22:13
jamielennoxharlowja_: its never been implemented and  i dont think anyone is working on it22:14
jamielennoxharlowja_: from memory we were saying that this should be managed by the service itself or some other new service22:15
harlowja_ya, it seems like some other service is really needed, central quota stuff would be a really nice thing22:15
jamielennoxdstanek: i had some replies in:
jamielennoxharlowja_: yep, but it seems keystone was chosen because everyone already talks to it - rather than that i has anything to do with identity22:16
harlowja_put the kitchen sink into keyston22:16
harlowja_and don't forget the toaster22:16
jamielennoxheh, i like the analogy that it is electrocuting keystone22:17
jamielennoxthere is a new project that is trying to do something with resource pre-allocation22:17
jamielennoxi can't remember what it is called or whether it is trying to support this or is just worried about things like pre-reserving compute instances22:18
jamielennoxayoung: no +A?
harlowja_jamielennox agreed, altough u aren't supposed to throw the toaster into the kitchen sink22:24
harlowja_with water, lol22:24
harlowja_pre-reserving though is different from quota centralization22:25
harlowja_but anyways, thxs22:25
jamielennox but yea i'm not sure if it's expected to do simpe quotas22:26
jamielennoxi'm guessing not as climate would talk to everyone and the model for this would be everyone talked to climate22:26
harlowja_i think the new project should be called kitchensink22:29
*** leseb has joined #openstack-keystone22:33
*** andreaf has quit IRC22:33
*** thedodd has quit IRC22:34
*** nkinder has quit IRC22:35
bknudsonthese changes are to get sqlalchemy 0.9.x requirement update --
*** gyee has quit IRC22:40
*** leseb has quit IRC22:44
*** nkinder has joined #openstack-keystone22:49
*** henrynash has quit IRC22:50
*** david-lyle has quit IRC22:52
*** gokrokve has joined #openstack-keystone23:02
*** zoresvit has joined #openstack-keystone23:24
*** amcrn has joined #openstack-keystone23:27
*** zoresvit has quit IRC23:27
*** bknudson has quit IRC23:28
dstanekayoung: should there be a default outform for cms_sign_data? that's what the test failure is about23:36
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove extra cache layer debugging
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove extraenous instantiations of managers
*** gokrokve has quit IRC23:48
dolphmmorganfainberg: just unblocked RC1 from the memcache / TZ bug - let me know if you disagree23:53
morganfainbergdolphm, checking now23:53
dolphmalso, this might be the last RC-blocking change that needs a review?
morganfainbergdolphm, yeah unblocking is fine. if it's a legitimate issue we can backport but i can't duplicate it and it just doesn't make sense.23:54
morganfainbergdolphm, reviewing now.23:54
morganfainbergdolphm, i was about ½ way through earlier when i got yanked into a meeting23:55
morganfainbergdolphm, is the table shell game for SQLite compat?23:56
morganfainbergoh comment says as much23:56
* morganfainberg learns to read23:56
openstackgerritA change was merged to openstack/identity-api: Add dedicated URL for federated authentication.
morganfainbergdolphm, +2/+A23:59
dolphmmorganfainberg: YAY23:59

Generated by 2.14.0 by Marius Gedminas - find it at!