Thursday, 2014-03-27

Mario_did you check the firewall?00:00
jamielennoxergghh, xml is broken00:06
*** esmute has quit IRC00:06
jamielennoxdid we decide if we are able to deprecaate it properly?00:06
*** david-lyle has joined #openstack-keystone00:09
morganfainbergjamielennox, did it get undeprecated w/ v2?00:10
jamielennoxmorganfainberg: oh it's done already?00:10
morganfainbergjamielennox, v2 is undeprecated for I release00:10
jamielennoxyea, but the xml middleware?00:11
morganfainbergnot sure00:11
*** Trozz has joined #openstack-keystone00:19
*** Trozz has left #openstack-keystone00:20
ayoungmorganfainberg, that looks OK as far as it goes, but we need to pull the mock stuff out of those tests and put it somehow into the setup.  I don;t like that the LDAP tests run aainst Fake are so different from the Live tests.00:21
ayoungbut we won't00:22
ayoungI suspect not, anyway00:22
ayoungif we do, then it would be00:22
ayoung   /auth/x509 or /auth/SAML00:22
openstackgerritJamie Lennox proposed a change to openstack/keystone: Make service catalog include service name
*** browne has quit IRC00:32
Mario_does anyone got keystone able to connect to ldap? and to the dashboard00:36
*** marcoemorais has quit IRC00:47
*** marcoemorais has joined #openstack-keystone00:48
ayoungMario_, I think I might have seen it once or twice.00:51
openstackgerritSteve Martinelli proposed a change to openstack/python-keystoneclient: Example Initialization scripts
*** marcoemorais has quit IRC01:09
*** vhoward- has joined #openstack-keystone01:11
*** vhoward has quit IRC01:12
*** bknudson has quit IRC01:12
*** harlowja has quit IRC01:12
*** dolphm has quit IRC01:12
*** zigo has quit IRC01:12
*** amerine has quit IRC01:12
*** sudorandom has quit IRC01:12
*** marekd|away has quit IRC01:12
openstackgerritSteve Martinelli proposed a change to openstack/python-keystoneclient: Add list function to services v3
*** derek_c has joined #openstack-keystone01:14
*** browne has joined #openstack-keystone01:16
*** harlowja has joined #openstack-keystone01:17
*** stevemar has quit IRC01:18
*** derek_c has quit IRC01:19
*** browne has quit IRC01:22
morganfainbergayoung, those tests are testing not LDAP stuff01:24
morganfainbergayoung, they are testing the get_connection code.01:24
ayoungoh, are they?  Hmmm... OK01:25
ayoungI'm still doing LaTex01:25
ayoungneed to explain to our Support groups all about Havana and Icehouse.01:25
morganfainbergayoung, yeah. it's validating that we call __init__ on the ldap handler with chase_referrals=False and that we don't call simple_bind_s if no password01:25
morganfainbergayoung, aha, good luck with that!01:26
ayoungwe have smart people01:26
morganfainbergayoung, i'm sure. doesn't mean a good luck isn;t warranted (i didn't mean it sarcastically)01:26
morganfainbergtime to reverify the SQLite change again.01:27
ayoungHeh...thanks.   I never had to learn LaTex before, but I like it01:27
ayoungBeats powerpoint01:27
morganfainbergayoung, ++01:32
morganfainbergayoung, next presentation i'm thinking of using impress.js01:32
ayoungUSE TEX!01:32
ayoungI'll give you miy slides01:32
morganfainbergayoung, hehe i'll bug you when i need to do my next presentation01:33
morganfainbergbut for now...01:33
morganfainbergnot soon01:33
ayoungDude, its like writing code01:33
ayoungbu without a bknudson code review to hold you up01:33
morganfainbergayoung, LOL01:33
ayoungI even use GIT!01:33
morganfainbergayoung, or the gate rechecks?01:33
* ayoung does an interim checking now01:33
morganfainbergayoung, doesn't help for reverifys01:34
ayoungmorganfainberg, I figured out how to pull the diagrams out into their own files, so I can even re-use them in future presentations....its what I've needed for presentations for a long time01:35
morganfainbergayoung, awesome01:36
ayoungmorganfainberg,  see how pretty01:37
ayoungOoh, reminds me, I need a "fixing things with the ADMIN_TOKEN" slide01:39
*** david-lyle has quit IRC01:46
jamielennoxayoung, morganfainberg: ugh, so i've got a situation in auth_token where the current behaviour means that if you specify an admin_token in the CONF as well as a user/pass and the admin_token is wrong01:49
*** bknudson has joined #openstack-keystone01:49
*** amerine has joined #openstack-keystone01:49
*** dolphm has joined #openstack-keystone01:49
*** zigo has joined #openstack-keystone01:49
*** sudorandom has joined #openstack-keystone01:49
*** marekd|away has joined #openstack-keystone01:49
*** sets mode: +o dolphm01:49
jamielennoxthen it will erase the admin_token and re-attempt with the user/pass01:49
jamielennoxis this behaviour i need to maintain?01:49
ayoungjamielennox, why not?01:49
jamielennoxayoung: because it works easily enough now when you are dealing with tokens directly01:50
jamielennoxbut when you go to auth plugins there isn't exactly a fallback01:50
ayoungjamielennox, maybe admin_token should be a different method01:50
ayoungor different auth_plugin01:50
jamielennoxayoung: it is a different auth_plugin01:50
ayoungSo, yeah, no fall back required01:51
jamielennoxbut that's the problem01:51
ayoungyou can break the existing behavior01:51
jamielennoxbecause it is a different plugin there is no real way to do a fallback01:51
ayoungis this going to break the CLI?01:51
jamielennoxwhat i *could* do is create a new plugin that stradles both methods - but i'm just not sure it's worth it01:52
jamielennoxayoung: no this is auth_token01:52 guess is that in auth_token, we should not even bother with admin token.01:52
ayoungthat should be honored only by Keystone01:52
jamielennoxayoung: you can use admin tokens in auth_token - you've always been able to01:53
jamielennoxthat's a much bigger change01:53
ayoungut don't you need to chose which to use?  Or, just that you need to pick one based on what comes in the token?  If the token has admin_token, use it and only it, I would say is proper01:54
ayoungadmin_token masks userid/pass when using the CLI anyway01:54
jamielennoxayoung: token?01:55
*** derek_c has joined #openstack-keystone01:56
jamielennoxayoung: this is all based on the CONF file and the paste file when other services configure keystoneclient middleware01:56
jamielennoxyou build auth mechanisms based on what is available01:56
jamielennoxyou can either do an admin token or v2 user/pass01:56
ayoungjamielennox, this is for getting the revocation list from keystone?01:56
ayoungand certs etc?01:56
jamielennoxayoung: that and UUID tokens01:57
ayoungadmin_token trumps.01:57
jamielennoxthat's what i thought01:57
ayoungif admin_token is wrong, error out is fine01:57
jamielennoxbut if you specify both then it will fallback to user/pass if the admin token is wrong01:57
*** esmute has joined #openstack-keystone02:02
openstackgerritA change was merged to openstack/keystone: code hygiene; use six.text_type, escape regexp's, use key function
openstackgerritA change was merged to openstack/keystone: Add placeholders for reserved migrations
openstackgerritA change was merged to openstack/keystone: Add a space after the hash for block comments
*** stevemar has joined #openstack-keystone02:16
*** harlowja is now known as harlowja_away02:19
*** david-lyle has joined #openstack-keystone02:28
Mario_somebody helps what's wrong with this " Authorization failed. Invalid user / password from 192.x.x.x"02:28
Mario_in the ldap but I used to display in th keystone command all the users02:29
ayoungMario_, you probably used the Keystone admin_token to list users.02:32
ayoungMario_,  Authorization failed. Invalid user / password from 192.x.x.x  is probably using userid and password.  THere is also a special "admin_token" field at the start of the keystone conf that can be used to talk to tkeystone.  But als, thereis an admin user for talking to LDAP02:33
ayoungto authenticate an end user, it does a Simple Bind against the server.02:34
*** harlowja_away is now known as harlowja02:37
*** gyee has quit IRC02:37
*** devlaps has quit IRC02:46
*** zhiyan_ is now known as zhiyan02:48
*** mberlin has quit IRC02:48
*** ayoung has quit IRC02:51
*** mberlin has joined #openstack-keystone03:04
Mario_ayoung, i already configured to use the admin_token and the ldap... they able to communicate as I can list all the users of the ldap03:06
*** derek_c has quit IRC03:06
Mario_ayoung, but seems the problem is on the keystone, extraction of the password from the ldap. Coz if i use non-existing user, i got this  "Authorization failed. Could not find user,  user1"03:14
Mario_as observed the password in mysql is started with "$6$rounds=40000$" while on the ldap is different using standard algorithm03:16
Mario_mine is using ssha on the ldap, and I able to list all users using this command -> "keystone --os-token mytokenpass --os-endpoint http://localhost:35357/v2.0/ user-list" or using tenant-list, role-list03:18
Mario_referring to the ldap user03:19
*** derek_c has joined #openstack-keystone03:25
*** derek_c has quit IRC03:39
*** devlaps has joined #openstack-keystone03:40
*** harlowja is now known as harlowja_away03:47
*** chandan_kumar has joined #openstack-keystone03:52
*** derek_c has joined #openstack-keystone04:02
*** topol has joined #openstack-keystone04:32
*** chandan_kumar has quit IRC04:34
*** saju_m has joined #openstack-keystone04:39
*** amerine has quit IRC05:21
*** amerine has joined #openstack-keystone05:23
*** chandan_kumar has joined #openstack-keystone05:30
*** kun_huang has joined #openstack-keystone05:44
kun_huanghi guys, which is the simplest way to verify admin endpoint (5000 or 35357)05:46
*** devlaps has quit IRC05:55
*** devlaps has joined #openstack-keystone06:00
openstackgerritJenkins proposed a change to openstack/keystone: Imported Translations from Transifex
*** saju_m has quit IRC06:07
*** amcrn has quit IRC06:13
*** derek_c has quit IRC06:27
*** gokrokve has joined #openstack-keystone06:35
*** derek_c has joined #openstack-keystone06:50
*** saju_m has joined #openstack-keystone06:51
openstackgerritSteve Martinelli proposed a change to openstack/python-keystoneclient: Example Initialization scripts
*** derek_ has joined #openstack-keystone07:11
*** derek_ has quit IRC07:13
*** devlaps has quit IRC07:16
openstackgerritSteve Martinelli proposed a change to openstack/python-keystoneclient: Add request/access token and consumer support for keystoneclient
openstackgerritSteve Martinelli proposed a change to openstack/python-keystoneclient: Authenticate via oauth
openstackgerritSteve Martinelli proposed a change to openstack/python-keystoneclient: Add example script for oauth1 functions
*** jaosorior has joined #openstack-keystone07:22
openstackgerritSteve Martinelli proposed a change to openstack/python-keystoneclient: Add example script for oauth1 functions
*** topol has quit IRC07:29
*** stevemar has quit IRC07:35
*** derek_c has quit IRC07:39
*** kun_huang has quit IRC07:43
*** flaper87|afk is now known as flaper8707:53
*** gokrokve has quit IRC07:56
*** gokrokve has joined #openstack-keystone07:56
*** gokrokve has quit IRC08:01
*** gokrokve has joined #openstack-keystone08:27
*** andreaf has joined #openstack-keystone08:28
*** gokrokve_ has joined #openstack-keystone08:29
*** gokrokv__ has joined #openstack-keystone08:31
*** jamielennox is now known as jamielennox|away08:32
*** gokrokve has quit IRC08:32
*** gokrokve_ has quit IRC08:34
*** gokrokv__ has quit IRC08:36
*** saju_m has quit IRC08:43
*** saju_m has joined #openstack-keystone08:56
*** amcrn has joined #openstack-keystone09:01
*** leseb has joined #openstack-keystone09:13
*** saju_m has quit IRC09:16
*** saju_m has joined #openstack-keystone09:28
*** gokrokve has joined #openstack-keystone09:32
*** gokrokve has quit IRC09:36
*** bvandenh has joined #openstack-keystone09:37
*** kun_huang has joined #openstack-keystone09:41
*** leseb has quit IRC09:43
*** amcrn has quit IRC09:44
*** leseb has joined #openstack-keystone10:12
*** saju_m has quit IRC10:24
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Identity Providers.
*** YorikSar has quit IRC10:25
*** YorikSar has joined #openstack-keystone10:28
*** gokrokve has joined #openstack-keystone10:29
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Identity Providers.
*** gokrokve has quit IRC10:34
*** marekd|away is now known as marekd10:35
*** bvandenh has quit IRC10:40
*** kun_huang has quit IRC10:43
marekdjamielennox|away: ^^ would you take a look at it?10:46
*** flaper87 is now known as flaper87|afk10:48
*** bvandenh has joined #openstack-keystone10:53
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Identity Providers.
*** kun_huang has joined #openstack-keystone10:59
*** david-lyle has quit IRC11:03
marekdAny git master available here and now?11:11
*** saju_m has joined #openstack-keystone11:14
*** leseb has quit IRC11:19
*** morganfainberg is now known as morganfainberg_Z11:19
*** leseb has joined #openstack-keystone11:19
*** kun_huang has quit IRC11:21
*** leseb has quit IRC11:24
*** YorikSar has quit IRC11:31
*** YorikSar has joined #openstack-keystone11:33
*** saju_m has quit IRC11:33
*** saju_m has joined #openstack-keystone11:36
*** kun_huang has joined #openstack-keystone11:49
*** kun_huang has quit IRC11:55
*** gokrokve has joined #openstack-keystone12:09
*** jaosorior has quit IRC12:10
*** gokrokve has quit IRC12:14
*** leseb has joined #openstack-keystone12:14
*** leseb has quit IRC12:19
*** topol has joined #openstack-keystone12:20
*** browne has joined #openstack-keystone12:26
*** gokrokve has joined #openstack-keystone12:29
*** gokrokve has quit IRC12:34
dstanekhey marekd12:44
dstanekmarekd: i'm no master, but i can try to help if you are still having an issue12:44
openstackgerritDolph Mathews proposed a change to openstack/keystone: Remove extraenous instantiations of managers
openstackgerritDolph Mathews proposed a change to openstack/keystone: Use in-memory SQLite for testing
openstackgerritDolph Mathews proposed a change to openstack/keystone: Use in-memory SQLite for sql migration tests
dolphmmarekd: more importantly, if you don't actually ask a question, *no one* can help :P12:46
*** leseb has joined #openstack-keystone12:47
marekddstanek: Hi!   So I am adding 3 parts to the keystoneclient - IdP CRUD, mapping CRUD, protocols CRUD. Already added IdP CRUD code, and by that I also created 'base structure' for all the parts, e.g. v3/contrib/federation, files like, etc. Now, as I want to add, say mapping, and make the IdPs as a dependency I shall just fetch patch with IdPs, checkout to new branch, add mapping related stuff and commit with new commit me12:48
marekddolphm: right, but already learned that asking the question without pinging somebody doesn't really work :P12:49
dolphmmarekd: sure it does - that's the beauty of IRC! there's more than just one person in the channel!12:51
dolphmmarekd: keep your patches small! you can use `git review -d ######` to checkout a specific review, make commits on top of it, and then `git review` again to propose a series of commits back to gerrit12:52
*** dims_ has quit IRC12:52
*** andrew_______ has joined #openstack-keystone12:53
marekddolphm: that's what i am trying to do, so there is already:
marekdnow i want to create another patch for mappings, but make the 1st one as a dependency, so I don't need to create structure again (directories, etc)12:53
dolphmmarekd: looks good, so you'd have a review that's dependent on that one to add mapping12:53
dolphmmarekd: git review -d 83337; vi keystoneclient/v3/contrib/federation/; git commit; git review12:54
*** wchrisj has joined #openstack-keystone12:56
dolphmmarekd: which checks out a local branch based on what's in gerrit, creates a commit in that branch, and then submits both reviews back to gerrit (rebased onto the latest master)12:56
*** bknudson has quit IRC12:58
andrew_______i'm doing an initial install of keystone and in my first tenant-create, i am getting "Invalid OpenStack Identity credentials". is there a logfile somewhere that would give me more details?12:58
marekddolphm: but it will then update the first patchset, right?12:58
dolphmmarekd: only by rebasing it12:59
dolphmmarekd: if you want to avoid that (and there's no reason not to, unless it's already gating), just use --no-rebase at the end12:59
dstanekmarekd: had to quickly drive the kids to school, but i see dolphm's got it covered12:59
marekddolphm: no, i want to get another Change-Id...12:59
dolphmandrew_______: if debug is enabled in keystone, the error message might change, and keystone's log should have some details12:59
marekddolphm: so i have two patchests: one for IdPs, one for mappings...13:00
dolphmmarekd: you'll get a second Change-Id before you upload to gerrit (when you git commit)13:00
marekddolphm: a, ok then :-)13:00
dolphmmarekd: in other words, don't git commit --amend, just git commit13:00
marekddolphm: OK~13:00
dolphmyou can verify with git log -n 2 before you git review13:00
andrew_______how would i enable debug? (i installed the regular binaries via yum install.)13:00
andrew_______and where is the log?13:01
dolphmandrew_______: set debug=true in /etc/keystone/keystone.conf13:01
dolphmandrew_______: the path to the log would be configured there as well13:01
dolphmandrew_______: i'm not sure where the yum packages put it13:01
marekddolphm: ok, thanks for your help!13:02
* dolphm wanders off to produce release notes for icehouse :( #paperwork13:03
marekddstanek: no worries :-)13:03
*** dims_ has joined #openstack-keystone13:05
andrew_______dolphm: thanks13:05
*** flaper87|afk is now known as flaper8713:11
andrew_______in my initial tenant-create, it fails because my request "requires authentication". what is it asking for, exactly?13:14
*** bknudson has joined #openstack-keystone13:18
*** joesavak has joined #openstack-keystone13:28
*** wchrisj has quit IRC13:28
*** gokrokve has joined #openstack-keystone13:29
*** gokrokve has quit IRC13:34
*** chandankumar_ has joined #openstack-keystone13:35
*** ayoung has joined #openstack-keystone13:36
*** nkinder has quit IRC13:47
*** thedodd has joined #openstack-keystone13:48
*** jaosorior has joined #openstack-keystone13:55
*** zigo has quit IRC14:01
*** zigo has joined #openstack-keystone14:03
*** topol has quit IRC14:09
dolphmjust pushed keystoneclient 0.7.1 to pypi with the v2.0 -> v3 hack14:13
*** stevemar has joined #openstack-keystone14:13
openstackgerritJohn Dennis proposed a change to openstack/keystone: Expand the use of non-ascii values in ldap test
openstackgerritJohn Dennis proposed a change to openstack/keystone: Properly handle unicode & utf-8 in LDAP
openstackgerritJohn Dennis proposed a change to openstack/keystone: Refactor LDAP API
*** david-lyle has joined #openstack-keystone14:28
*** dims_ is now known as dims14:28
*** dims is now known as Guest6849914:28
*** Guest68499 has quit IRC14:29
*** gokrokve has joined #openstack-keystone14:29
*** dims_ has joined #openstack-keystone14:29
*** gokrokve has quit IRC14:34
*** nkinder has joined #openstack-keystone14:38
*** leseb_ has joined #openstack-keystone14:38
openstackgerritJohn Dennis proposed a change to openstack/keystone: Expand the use of non-ascii values in ldap test
openstackgerritJohn Dennis proposed a change to openstack/keystone: Properly handle unicode & utf-8 in LDAP
openstackgerritJohn Dennis proposed a change to openstack/keystone: Refactor LDAP API
*** leseb has quit IRC14:42
*** andreaf has quit IRC14:45
*** chandankumar_ has quit IRC14:46
*** topol has joined #openstack-keystone14:48
*** devlaps has joined #openstack-keystone14:51
*** gokrokve has joined #openstack-keystone14:52
*** gokrokve_ has joined #openstack-keystone14:52
*** chandankumar_ has joined #openstack-keystone14:53
openstackgerritA change was merged to openstack/keystone: Remove extraenous instantiations of managers
*** gokrokve has quit IRC14:56
*** packet has quit IRC14:57
*** jagee has joined #openstack-keystone15:01
bknudsonI want to propose for Juno that we don't sync modules from oslo-incubator15:10
bknudsonall or nothing.15:10
bknudsonI think morganfainberg_Z had a patch up to sync all of oslo-incubator...15:10
dolphmeveryone should read
dolphmi also just realized i capitalized PyPI wrong, twice15:16
bknudsonthis could be the most anticipated release of python-keystoneclient yet.15:24
*** chandankumar_ has quit IRC15:24
dstanekso we have this blueprint for py3kcompat which the drafter really says it's about using six - should i make a new one or update that one to be more general?15:25
dstaneki was thinking first-class-python3-support15:25
bknudsondstanek: in keystone or keystoneclient?15:26
dstanekbknudson: keystone15:27
bknudsonsix is a part of the work, and the libs are another part... I'd say a new blueprint could be used for the libs.15:28
*** kun_huang has joined #openstack-keystone15:30
dolphmbknudson: ++ it's a bigger relief to me to get that out the door than icehouse itself!15:34
*** kun_huang has quit IRC15:38
*** gyee has joined #openstack-keystone15:41
*** david_lyle_ has joined #openstack-keystone15:43
*** saju_m has quit IRC15:44
*** david-lyle has quit IRC15:46
*** gokrokve_ has quit IRC16:00
*** gokrokve has joined #openstack-keystone16:00
dstanekjust created to track the fun!16:02
*** gokrokve_ has joined #openstack-keystone16:03
*** andreaf has joined #openstack-keystone16:04
*** gokrokve has quit IRC16:05
*** dims_ has quit IRC16:10
*** zhiyan is now known as zhiyan_16:16
*** marcoemorais has joined #openstack-keystone16:16
*** zhiyan_ is now known as zhiyan16:16
*** dims_ has joined #openstack-keystone16:25
openstackgerritJenkins proposed a change to openstack/keystone: Updated from global requirements
*** zigo has quit IRC16:41
*** amcrn has joined #openstack-keystone16:43
*** leseb_ has quit IRC16:49
*** leseb has joined #openstack-keystone16:50
*** wchrisj has joined #openstack-keystone16:52
*** leseb has quit IRC16:54
marekdstevemar: jamielennox|away: some initial comments  very much appreciated: :-)16:58
*** marekd is now known as marekd|away16:58
stevemarmarekd|away, i'm actually reviewing it now16:58
dstanekdolphm: if that were only a little closer16:59
dolphmdstanek: it'll be a bit closer to you when it's at pycon :P16:59
dstanekdolphm: nah, no pycon for me this year; too much going on16:59
*** harlowja_away is now known as harlowja17:08
*** leseb has joined #openstack-keystone17:09
ayoungdolphm, can you please attend?17:09
*** thedodd has quit IRC17:09
ayoungdolphm, I'm kindof astounded that no onw has started a M2-py33 port17:12
*** amcrn has quit IRC17:13
*** bvandenh has quit IRC17:20
dolphmayoung: i'm planning on it17:24
dolphmayoung: it's not great timing for me, though :-/17:25
dolphmayoung: superficially, the cryptography package appears to be fairly well done17:25
ayoungdolphm, I forwarded it to edewata, the Dogtag dev that lives in Austin.  He's going to try to make it, too.17:26
dolphmayoung: cool!17:26
*** leseb has quit IRC17:26
*** morganfainberg_Z is now known as morganfainberg17:26
*** bada has quit IRC17:28
*** arborism has joined #openstack-keystone17:30
*** david_lyle_ is now known as david_lyle17:31
*** dims_ has quit IRC17:32
*** zigo has joined #openstack-keystone17:39
*** zhiyan is now known as zhiyan_17:40
morganfainbergayoung, dolphm, when is pycon?17:41
ayoungnext week?17:41
morganfainbergayoung, ah17:41
morganfainbergi knew i was forgetting a conference this year >.<17:42
bknudson PyCon 2014 is sold out!17:42
bknudsonback on Feb 1717:42
bknudsonlooks like you need to sign up early17:42
morganfainberglike i said. knew is was missing a conf :(17:42
morganfainbergi was planning on going.17:42
ayoungIts like Burning Man, noly for programmers17:42
morganfainbergah well, budget wasn't going to play nice with it.17:43
morganfainbergas in, i didn't want to jump through hoops for approvals17:43
morganfainbergbknudson, ++ on only syncing the whole oslo-incubator!17:43
morganfainbergbknudson, that would make me happier than trying to resolve individual modules17:43
morganfainbergunless we have an explicit need for a speciifc bug fix17:44
bknudsonmorganfainberg: I thought you had a patch to do that ... wasn't too much change?17:44
morganfainbergbknudson, it was a while back, we should do it from scratch instead i think.17:45
morganfainbergbknudson, it was when i was resolving sample_config automation things17:45
bknudsonok, if I get a chance I'll take a look at it.17:45
morganfainbergbknudson, if not i'll try and get something up this weekend / early next week17:45
*** gokrokve has joined #openstack-keystone17:46
*** dims_ has joined #openstack-keystone17:47
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Fix assertEqual arguments order(auth_plugin, backend, backend_sql, etc)
*** gokrokve_ has quit IRC17:50
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Fix assertEqual arguments order(auth_plugin, backend, backend_sql, etc)
*** dims_ has quit IRC17:57
*** arborism has quit IRC18:04
*** gokrokve has quit IRC18:05
*** gokrokve has joined #openstack-keystone18:06
*** gokrokve_ has joined #openstack-keystone18:09
*** thedodd has joined #openstack-keystone18:09
*** gokrokve has quit IRC18:11
*** dims has joined #openstack-keystone18:11
*** gokrokve_ has quit IRC18:13
*** flaper87 is now known as flaper87|afk18:13
*** gokrokve has joined #openstack-keystone18:14
*** nachi has joined #openstack-keystone18:29
*** gokrokve has quit IRC18:33
*** gokrokve has joined #openstack-keystone18:34
*** gokrokve has quit IRC18:38
bknudsonEver seen then when running the tests? "Your configuration specifies to merge with the ref 'master'"18:46
*** vhoward- has left #openstack-keystone18:48
*** nachi has quit IRC18:50
*** jaosorior has quit IRC18:50
openstackgerritBrant Knudson proposed a change to openstack/keystone: Templated v3 catalog
*** derek_c has joined #openstack-keystone19:04
openstackgerritBrant Knudson proposed a change to openstack/keystone: Templated v3 catalog
*** ayoung has quit IRC19:23
dolphmjust finished the icehouse release notes if anyone wants to provide feedback
dolphmi put it on the meeting agenda for next week as well19:25
openstackgerritBrant Knudson proposed a change to openstack/keystone: Add localized response test
openstackgerritBrant Knudson proposed a change to openstack/keystone: Add localized response test
openstackgerritBrant Knudson proposed a change to openstack/keystone: Remove noqa form import _s
*** derek_c has quit IRC19:45
*** derek_c has joined #openstack-keystone20:03
*** harlowja is now known as harlowja_away20:03
dstanekmorganfainberg: i am so sad, py3 is tragic20:06
openstackgerritBrant Knudson proposed a change to openstack/keystone: Safer noqa handling
*** amcrn has joined #openstack-keystone20:11
*** wwriverrat has joined #openstack-keystone20:11
openstackgerritDavid Stanek proposed a change to openstack/keystone: Make the py33 Jenkins job happy
bknudsonv3 of anything never works out... py3, identity v3, nova v3.20:12
bknudsonshould just jump to v420:13
dstanekbknudson: for reals? that make the whole file unchecked?20:13
bknudsondstanek: that's what happened for me...
bknudsondstanek: removed the `# flake8: noqa` and then it noticed that there was only 1 line between functions20:14
dstanekbknudson: wow, that makes me want to rip out 'flake8: ' entirely20:15
bknudsondstanek: that seems reasonable... the only places it's used now are on the that import and don't use...20:16
bknudsonwe'd have to #noqa all the lines.20:16
bknudsondstanek: I thought that doc meant that if # flake8: noqa was on a line by itself then the file is ignored.20:16
bknudsonbut apparently it's anywhere on a line20:17
bknudsondstanek: also, `# noqa` doesn't work with everything.20:17
bknudsonthe flake8 test has to explicitly check for `# noqa` and not all of them do20:18
dstanekbknudson: for that one it may need to be on 254 where the statement begins20:18
dstanekbknudson: ah, good to know20:18
*** ayoung has joined #openstack-keystone20:19
dstanekbknudson: i would have expected the flake8 framework to deal with that instead of each check20:19
bknudsonI didn't try putting it on a different line...20:20
*** leseb has joined #openstack-keystone20:21
*** packet has joined #openstack-keystone20:21
bknudsondstanek: enabled_is_true = Endpoint.enabled == True  # noqa20:24
bknudsonstill fails... not sure what the deal is.20:24
bknudsondstanek: but my version is like "match ="20:25
bknudsonso fixed in a newer version, maybe.20:25
*** leseb has quit IRC20:34
*** wwriverrat has quit IRC20:34
*** harlowja_away is now known as harlowja20:35
morganfainbergbknudson, doesn't it need to be flake8: noqa? i thought noqa was a global file tag?20:35
bknudsonmorganfainberg: "flake8: noqa" is the global file tag.20:36
bknudsonpep8 is busted.20:36
bknudsonif noqa or nrows == 1:20:36
bknudsonnoqa is a function20:36
morganfainbergbknudson, oh joy20:36
ayoungis it possible to source a bash file from python and get the env vars available?20:39
ayoungcuz I would really like to have a python script that starts with  . ./keystone.rc20:39
ayoungdolphm, but is there an equivalent to the bash call . ./keystone.rc?20:41
ayoungthat library gives access to the vars afterwards20:41
*** mspreitz has joined #openstack-keystone20:45
mspreitzanybody having trouble with dbus?20:47
*** leseb has joined #openstack-keystone20:49
dstanekayoung:  you want to source a python file and have it set variables in your shell?20:50
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Cleanup ldap tests (mox and reset values)
*** amrita has joined #openstack-keystone20:51
amritaHi folks20:51
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Cleanup ldap tests (mox and reset values)
amritamy keystone mssql db somehow got washed off y'day20:52
amritaand I am trying to recover the cluster back up20:52
amritafor now the horizon UI gets an error "unable to retrieve the authorized projects" for everytime a user tries to login20:53
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Enable concurrent testing by default
amritacan you guys - suggest a way to recover the data ?20:54
amrita[root@node-23 log]# keystone user-role-list --user amande --tenant admin WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored). An unexpected error prevented the server from fulfilling your request. (ProgrammingError) (1146, "Table 'keystone.user_project_metadata' doesn't exist") 'SELECT user_project_metadata.user_id AS user_project_metadata_user_id, user_project_metadat20:54
amritahere is the error i get on the keystone cmdline20:54
ayoungdstanek, I got it20:55
ayoung   dstanek20:55
ayoungI wanted to source keystone.rc20:56
morganfainbergamrita, this looks like a case where you'd want to restore from a backup if possible. what happened to get you in this state?20:56
ayoungMario_, did you get it to work20:56
*** jagee has quit IRC20:56
Mario_ayoung stilll having issues20:56
dstanekayoung: ok, looks like you were doing the opposite of what i was thinking20:56
ayoungdstanek, yep.  I want to reuse the same env var file for a script that is used elsewhere20:57
amritamorganfainberg, unfortunately the mssql backup wasn't configured correctly - and hence in this state of mine - i ahve no way to restore the data from a point20:57
Mario_i think my probs is on the password linking to other services of openstack ayoung20:57
morganfainbergamrita, what occurred that caused this?20:58
amritamorganfainberg, is there any way that i can manually recreate the tables missing?20:58
morganfainbergamrita, did it just disappear?20:58
dstanekayoung: i usually just use a wrapper shell script for that20:58
ayoungdstanek, how unpythonic20:58
amritamorganfainberg, I don't quite know, a reason for sure. Looks like it just dissapeared20:58
morganfainbergamrita, because that could indicate a larger issue.  sure you could recreate the table, but the data would be missing20:58
dstanekayoung: reusable!20:59
*** derek_c has quit IRC20:59
amritaI did do keystone-manage db_sync - and it didn't create me all the tables20:59
dstanek./script_to_set_env python doit.py20:59
ayoungdstanek, I'm actually trying to move away from bash and toward python for my day-to-day scripting for Openstack stuff:  make more use of client apis20:59
Mario_ayoung got this on my logs "An unexpected error prevented the server from fulfilling your request. {'info': 'Password: attribute type undefined', 'desc': 'Undefined attribute type'} (HTTP 500)" supposedly to create user in keystone in the ldap20:59
ayoungplus token reuse20:59
morganfainbergamrita, so you had a running OpenStack deployment, the table disappeared and you tried to recover with db_sync?20:59
morganfainbergamrita, since the actual backup is/was broken21:00
ayoungMario_, are you trying to use an existing LDAP set up, or are you going to have an LDAP server dedicated to Open Stack?21:00
bknudsonayoung: ? it parses INI files.21:00
ayoungbknudson, yeah, but this bash21:00
ayoungexport OS_AUTH_URL=
amrita===================>>> credential.frm  domain.frm    group_domain_metadata.frm  group_project_metadata.frm  policy.frm   role.frm     token.frm db.opt          endpoint.frm  group.frm                  migrate_version.frm         project.frm  service.frm <<<<<<<<<<<<<<<<<<<<<------- these are the only tables it creayted21:00
bknudsonok, it wouldn't like the export21:00
Mario_ayoung, yes an existing LDAP but my assignments are on the mysql, local.21:01
morganfainbergamrita, you could look at the model for the table and recreate from that, but like i said, you wont have the data.  if tables are randomly disappearing from your db server, I'd go look into that before going any further. perhaps you could do some recovery on that front. unfortunately recreating the live data isn't easy21:01
ayoungMario_, OK, so you don't use keystone to add users, just to do role assingments21:01
morganfainbergamrita, if you don't care about the previous data (at all, in the keystone db) you could recreate the db w/ a clean db_sync.21:02
amritait didn't create the following ------->>>>>>>>>>>>>>>>>>>>>>>>>>> trsut_role.frm users*.frm <<<<<<<<<<<<<<<<<,,===========================21:02
morganfainbergamrita, but that involves destroying the whole db first.21:02
ayoungMario_, so create the project and roles using the ADMIN_TOKEN and assign a role on that project to a user, then , as that user, to token-get...21:02
*** marcoemorais has quit IRC21:02
*** marcoemorais has joined #openstack-keystone21:03
ayoungMario_, you can either set env vars, or pass the values you want on the command line.21:03
*** marcoemorais has quit IRC21:03
*** marcoemorais has joined #openstack-keystone21:03
amritano other way of selectively recreating / restoring the data (somehow) from ...... ? without being destructive ?21:04
Mario_ayoung, I bit little confused as of linking with ldap... it's working fine using mysql..21:04
*** YorikSar has quit IRC21:04
ayoungkeystone --os-endpoint=   --os-token=<match admin_token in your config file>21:04
ayoungMario_, yeah...switching over is tricky21:04
morganfainbergamrita, from what i'm hearing the DB is suspect to begin with, tables don't go missing arbitrarily in my experience21:04
morganfainbergamrita, if you solve that issue you might be able to find the data / restore21:04
ayoungMario_, are you comfortable with the LDAP search tools?  Its often useful to confirm all of your assumptions via direct LDAP queries21:04
ayoungMake sure that the user you want to auth as is alive, etc21:05
morganfainbergamrita, but unfortunately while the tables could be recreated, i don't have magic to recreate the data in those tables.21:05
Mario_ayoung, yes i can do it using ldapsearch.21:05
amritaany specific logs that I can begin digging ?21:05
morganfainbergamrita, so i'd stop trying to restore the table structure first and make sure your db server wont do this again21:05
ayoungMario_, so assuming you have a user named admin in LDAP, it would look like this21:05
Mario_ayoung, how do i able to link my exising ldap users to the tenant or role21:06
amritatrue! ... anything you would do - to steer me in the right direction ?21:06
mspreitzAnybody having trouble with keystone tripping over dbus while installing with DevStack?21:06
amritacoz right now I am clueless21:06
ayoungMario_, the normal approach is that the last segment of the DN becomes the user_id21:06
amritaas to what caused this21:06
ayoungso for example  id mine were CN=ayoung,CN=redhat.CN=com  my userid is ayoung21:06
morganfainbergamrita, hmm. unfortunately I don't have much direction to give on recovering dbs in a case like this. it's been a while since i've had to look at it. but you could start with dmesg / mysql (this is mysql right?) logs.21:06
Mario_ayoung, yes i will follow your message21:07
ayoungyou would create a role assignment where user_id=ayoung21:07
amritayeah mssql.21:07
ayoungMario_, so you can do21:07
morganfainbergamrita, mssql? (microsoft sql server?) or MySQL?21:07
ayoungkeystone --os-endpoint=   --os-token=<match admin_token in your config file>  user_list21:07
ayoungand you get back everyone in your LDAP...21:08
ayoung(not something you want to do a lot, but a good test)21:08
ayoungor, say21:08
ayoungthat should be user-list21:08
ayoungnot user_list21:08
ayoung keystone user-get ayoung21:09
*** thedodd has quit IRC21:09
morganfainbergamrita, in either case i am not sure where to direct you besides perhaps the documentation on recovery / tables disappearing. if it's MySQL, the percona/maria-db folks are usually pretty helpful (but honeslty not sure where to find them)21:09
Mario_ayoung, yes I got it I able to list all the users21:09
ayoungMario_, I was working on a sample script for populating a Keystone server
*** YorikSar has joined #openstack-keystone21:09
Mario_of the ldap using that command21:09
ayoungyou don't want to do all of that, but21:10
morganfainbergamrita, if it's microsoft, i really have even less advice to give.  i really don't want to give you bad advice on data recovery. it isn't my area of expertise.21:10
*** YorikSar has quit IRC21:10
ayoung51    project = admin_client.projects.list(name='admin', domain='default')[0]21:10
ayoung52    user = admin_client.users.list(name='admin', domain='default')[0]21:10
ayoung53    role = admin_client.roles.list(name='admin')[0]21:10
ayoung55    try:21:10
ayoung56        admin_client.roles.grant(role=role, user=user, domain=domain)21:10
* ayoung apologized for the flood21:10
morganfainbergayoung, OMG so flood.21:11
morganfainbergayoung, :P21:11
*** YorikSar has joined #openstack-keystone21:11
Mario_ayoung, thanks for the link, I will try to use it21:11
ayoungmorganfainberg, being the root cause of floods goes with the name Adam21:11
ayoungMario_, nah, just understand it21:12
morganfainbergayoung, lol nice21:12
ayoungnote that it uses the ADMIN_TOKEN to  set things up, and then you should be able to log on as the user21:12
*** joesavak has quit IRC21:12
ayoungMario_, if you poke around in the mysql instance, you need to see:  a Role, a Project, and a Role Assignment....which version of Keystone are you running?21:13
Mario_ayoung, I am using 0.4.121:13
Mario_i got a probs on using keystone user-get 'user'21:13
*** florentflament has joined #openstack-keystone21:13
ayoungMario_, OK,  so that is Havana....the table with the various role assignments got consolidated in Icehouse..21:14
ayoungMario_, turn on logging and see what LDAP query the server is running, probably a problem with mapping the DN to the ID21:14
ayoungwhat do your DNs look like?21:14
*** YorikSar has quit IRC21:14
ayoungMario_, also, are your users all in one node, or do you need subtree queries?21:15
openstackgerritA change was merged to openstack/keystone: Use in-memory SQLite for testing
morganfainbergayoung, ^ woooooooooot!!21:15
Mario_yes i used the subtree21:15
ayoungmorganfainberg, ^^^^^^^^^^^^^^^  \m_  (>.<) _\m/21:15
morganfainbergayoung, the second one is about to merge too21:16
*** derek_c has joined #openstack-keystone21:16
Mario_my DN is ou=users,dc=example,dc=com21:16
ayoungMario_, it is going to do a subtree serarch, find the entry, then chop off the first segment of the DN21:16
ayoungMario_, is it cn=Mario,ou=users....?21:16
dstanekmorganfainberg: nice!21:16
morganfainbergdstanek oh that isn't a bad patchset...21:17
Mario_ayoung, it is uid=Mario,ou=users... as I am using openldap21:17
*** YorikSar has joined #openstack-keystone21:17
Mario_but cn also same as UID21:17
ayoungok,  so you need to say that the DN field is uid, in the config file21:17
morganfainbergdstanek, is this WIP?21:18
*** YorikSar has quit IRC21:18
openstackgerritA change was merged to openstack/keystone: Use in-memory SQLite for sql migration tests
morganfainbergdstanek, oh i see you're overriding the commands.21:18
morganfainbergdstanek, just so that it passes.21:18
Mario_ayoung, my config I put there as user_name_attribute = cn21:19
morganfainbergdstanek, i uhm. almost think we should probably make this an expirimental job instead of a non-voting one21:19
morganfainbergdstanek, rather than have a dummy command run.21:19
ayoungMario_, you also need to set the user_id_attr21:19
Mario_and user_pass_attribute = Password21:19
morganfainbergdstanek, i think infra would likely agree on that front.21:19
Mario_ayoung, you mean user_id_attr = '(&(%(id_attr)s=%(id)s)'21:20
Mario_am I right?21:20
ayoungMario_, can you post the LDAP section of your config on  and post the link?  Drop the password, of course, and any other sensitive data21:20
ayoungMario_, heh, I didn't give you the context
*** leseb has quit IRC21:21
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Enable concurrent testing by default
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Cleanup ldap tests (mox and reset values)
ayoungself.id_attr,  for user is user_id_attr in the conf file21:21
dstanekmorganfainberg: the patch i'm working on right now runs a handful of the tests21:22
ayoung   Mario_21:22
dstanekmorganfainberg: that was just the first step21:22
ayoungdefault is cn, so you might be OK21:22
morganfainbergdstanek, i still think this is a case where moving to expirimental until it's ready (unless it'll be ready soon) makes sense21:22
dstanekmorganfainberg: today i'll have another patch that runs at least a few test modules21:23
morganfainbergdstanek, and by ready i mean something we'd legitimately want to gate on21:23
morganfainbergdstanek, partial test runs i'm not sure if there is a huge win for. i'll go with your gut feeling though21:23
morganfainbergdstanek, i just think even a non-voting test if it's running a very partial test suite is misleading.21:23
dstanekmorganfainberg: that's what oslo is currently doing - partial test runs21:24
Mario_ayoung, I paste the logs on the link21:24
morganfainbergdstanek, ah ok then prior art, i'm fine with it21:24
Mario_ayoung, not logs you mean the configs21:24
ayoungMario_, yeah, config21:24
dstanekif you start with that then you can gradually start making everything py3 friendly - and that'll stop regressions in things that are already working21:25
morganfainbergdstanek, mind i i hold off on +2 until the next patchset?21:25
*** jamielennox|away is now known as jamielennox21:25
morganfainbergdstanek, the one that enables some tests21:25
morganfainbergthat is21:25
dstanekmorganfainberg: because our test suite is currently so top heavy i'm struggling with exactly how to get things to run without being evil21:25
dstanekmorganfainberg: sure21:26
morganfainbergdstanek, be evil :P i mean... sounds good to me (you've convinced me i was incorrect, my mind is changed)21:26
*** mspreitz has left #openstack-keystone21:26
dstanekmorganfainberg: this is the kinds of crap i started with
morganfainbergdstanek, LOL21:27
dstaneki've since been able to remove the need for some of that - i want it all gone before the next patch21:27
*** dims has quit IRC21:28
dstanekmorganfainberg: there are many more problematic libraries than i realized - they install ok, but paste and mox don't actually work in py321:28
morganfainbergdstanek, i would like to see mox go away21:30
morganfainbergdstanek, i don't particularly like it21:30
morganfainbergdstanek, but not sure if there is another good option atm.21:31
morganfainbergwell, mock.patch.object is my new favorite, but thats personal pref.21:31
dstanekmorganfainberg: i thought that was on my blueprint. it wasn't so i just added it21:31
morganfainbergand the patchobject fixture is pretty cool21:31
morganfainbergdstanek, :)21:31
dstanekthe general openstack trend is toward mock anyway21:32
morganfainbergdstanek, i'm not opposed to this.21:32
Mario_ayoung, done pasting the ldap section21:32
ayoungtopol, Mario_ post the link it gave you21:32
ayoungMario_, you see how dstanek posted  ?  same kind of thing21:32
ayoungMario_, good21:33
topolayoung, whats up21:33
ayoungtopol, heh21:33
ayoungmeant to yell at you about this21:33
topolayoung, oh no21:34
ayoungtopol, look at his examples:21:34
ayoungtopol he has from credentials import get_nova_creds21:34
ayoungwhat is that?21:34
*** amrita has quit IRC21:34
ayoungsince you are responsible for all thing IBM, of course.21:34
ayoungah...I see21:34
*** nachi has joined #openstack-keystone21:34
ayoungits earlier in his doc...21:34
topolwhats wrong with the paper. I havent read it21:34
topolis it wrong?21:35
ayoungnah, its fine...just points to the need for a unified approach to the API auth21:35
topoldoes it need revised?21:35
ayoungListing 521:35
*** nachi has quit IRC21:35
ayoungtopol, actually, I was wondering if you had seen the doc, and if you were in some way involved21:36
topolayoung, so I dont have much experience on the client side. I assume its totally wrong?21:36
topolI did not write that article. Not listed as an author. ayoung, but if something is in error I can get it fixed21:37
ayoungtopol, nah...I've been drinking the AuthPLugin coolaid for so long...I never tried to do straight python to nova before21:37
ayoungtopol, instead, i think we should target a follow up article once:  AuthPlugins are done and we have a unified CLI21:37
ayoungbut...that code is ugly21:37
topolayoung agreed21:37
ayoungnot his fault...its ours21:38
ayoungtopol, its actually a very good intro article21:38
topolLet's  write a new article and fix it that way. I may be able to then get the old one revised to point to the new one. ayoung, sound ok?21:38
morganfainbergdstanek, any reason not to +A
morganfainbergdstanek, ?21:39
topolayoung the developerworks manager is right down the hall. Should be easy to get fixed.21:39
dstanekmorganfainberg: no it should be fine21:40
ayoungtopol, I don't think there is anything to fix, yet....I just missed the module he wrote.  But I can see why he did, to make it easier  for auth in future subsections21:40
ayoungits the keystone client that needs to be fixed, and then we need to get Nova client to consume the Auth Plugin from the keystone client21:40
*** leseb has joined #openstack-keystone21:41
ayoungtopol, jamielennox did a nice write up of how it should look:
Mario_ayoung, just a recap do I need to create a user cinder,glance,nova,neutron on my ldap.. as it does not exist21:41
ayoungMario_, yes you do21:41
ayoungthose service users will attempt to contact Keystone to fetch certificates and the revocation list21:41
Mario_ayoung, it seems the problem is there21:41
ayoungand they need to be admin users21:41
Mario_ayoung, you mean admin users in the ldap?21:42
ayoungMario_, ...thanks, you just reminded me of something I need to add to a presentation I am putting together21:42
ayoungMario_, yes21:42
ayoungits a shortcoming of our current deployment that service users must be in the same backend as everything else21:42
Mario_ayoung, I see.. where is your presentation? so we can take a look hehe21:43
jamielennoxtopol: what's wrong?21:43
*** dims has joined #openstack-keystone21:43
ayoungMario_, internal, for now...but I will post it once its done.  Nothing proprietary, just need to polish it.21:43
ayoungI can post though21:43
topolayoung, jamielennox nothing wrong. sounds like you wrote the better mouse trap.21:44
ayoungjamielennox, see this and you will under stand
ayoungjamielennox, the way we need to auth to Nova is just...antiplugin21:44
Mario_ayoung, no worries21:45
ayoungMario_, one sec21:45
jamielennoxayoung, topol: whoa - that doesn't work21:45
ayoungMario_,   that is still under development.  Take a look, but don't share it around until I finish it up21:45
ayoungjamielennox, it does, it just sucks21:45
Mario_ayoung, yes I do..21:46
topolayoung, tell him the plan so he feels better21:46
jamielennoxayoung: oh - misread21:46
ayoungjamielennox, once we get auth plugins together, we are going to write up a follow up article and have this one point to it21:46
ayoungMario_, ah...I had it in there...see the LDAP slid "Service users must be in LDAP"21:47
ayoungpage 1021:47
jamielennoxayoung: ++21:47
openstackgerritBrant Knudson proposed a change to openstack/keystone: Safer noqa handling
Mario_ayoung, I see it's cool21:47
ayoungMario_, thanks.21:48
jamielennoxayoung: a review for you when you have a minute:
Mario_I see it added also selinux, as on my configs I disble it21:49
ayoungMario_, don't disable SELinux.21:49
ayoungits like taking off your seat belts in a road race21:49
Mario_don't much of the selinux, ok but need to refine my settings21:50
jamielennoxdolphm: can you unblock:
Mario_what do you mean by this trust? a two-way trust to different keystones21:50
ayoungkeystone/common/ldap/, -211  with most of the additions comments?  Must be a jdennis review.21:52
Mario_ayoung, as I also concern this, can we have a multiple domains/ldaps on keystone?21:52
ayoungMario_, not yet21:52
ayoungMario_, its on the schedule for the Juno summit.  Was supposed to be in Icehouse, but we couldn't quite agree on the approach.  I think we have a path forward, though.21:53
Mario_I see, something to be wait hehe21:54
Mario_but I see on the config in the dashboard, that you can setup multiple domains, is it not working? then21:54
ayoungOnly in SQL Mario_21:58
ayoungMulti LDAP didn't quite make the cut, nor having multiple domain in a single directory21:58
Mario_ayoung, in my existing setup, it is on a one-way trust..22:00
ayoungMario_, so you have a local LDAP server, and then you pull users over from Active Directory?22:00
ayoungor some other centrla LDAP?22:00
Mario_ayoung, yes that's the setup22:01
ayoungMario_, can you add local users?22:01
ayoungthey can go in a different subtree22:01
Mario_ayoung, no because of the trust but yes can add local users22:02
ayoungMario_, will that work for you, then, to put the nova, etc users in your local LDAP, and get the rest via trust?22:02
*** derek_c has quit IRC22:03
Mario_ayoung, that's will be my next task, I just need the local LDAP work first, as got the probs but I'm modifying my configs to what you said earlier and test if gonna work22:04
ayoungGood luck22:04
Mario_ayoung, thanks22:04
Mario_give you feedback later on22:04
*** amcrn has quit IRC22:05
*** ayoung is now known as ayoung-afk22:06
*** topol has quit IRC22:06
*** nkinder has quit IRC22:06
*** derek_c has joined #openstack-keystone22:23
*** leseb has quit IRC22:23
*** bknudson has quit IRC22:30
*** gokrokve has joined #openstack-keystone22:32
*** gokrokve_ has joined #openstack-keystone22:32
openstackgerritA change was merged to openstack/keystone: Remove noqa form import _s
mfischis there a way to make all users show as enabled with the LDAP backend WITHOUT using the enabled emulation (which is horrifyingly slow)22:33
mfischI'd rather have everyone show enabled rather than a blank field22:33
*** marcoemorais has quit IRC22:33
mfischor maybe it doesn't matter that Enabled shows blank??22:33
*** marcoemorais has joined #openstack-keystone22:34
*** gokrokve has quit IRC22:36
*** marcoemorais has quit IRC22:36
*** marcoemorais has joined #openstack-keystone22:37
mfischlooks like setting enabled_default and enabled_mask and not setting enabled_attribute does what I want22:38
*** derek_c has quit IRC22:43
*** browne has left #openstack-keystone22:44
*** marcoemorais has quit IRC22:48
*** marcoemorais has joined #openstack-keystone22:48
*** finite has joined #openstack-keystone23:01
finiteAnyone have time to help me troubleshoot apache throwing 503s when using wsgi to front keystone?23:02
*** gokrokve_ has quit IRC23:04
*** topol has joined #openstack-keystone23:13
*** david_lyle has quit IRC23:19
*** finite has quit IRC23:27
*** amcrn has joined #openstack-keystone23:29
*** packet has quit IRC23:29
*** dstanek has quit IRC23:44
*** topol has quit IRC23:48
*** wwriverrat has joined #openstack-keystone23:51
openstackgerritBrant Knudson proposed a change to openstack/keystone: Safer noqa handling
*** wwriverrat1 has joined #openstack-keystone23:53
*** wwriverrat has quit IRC23:59

Generated by 2.14.0 by Marius Gedminas - find it at!