Friday, 2014-03-28

*** marcoemorais has quit IRC		00:07
*** marcoemorais has joined #openstack-keystone		00:07
*** devlaps has quit IRC		00:07
*** marcoemorais1 has joined #openstack-keystone		00:09
*** dstanek has joined #openstack-keystone		00:10
*** marcoemorais has quit IRC		00:11
openstackgerrit	Brant Knudson proposed a change to openstack/keystone: test_v3_token_id correctly hash token https://review.openstack.org/83628	00:14
openstackgerrit	Brant Knudson proposed a change to openstack/keystone: Configurable token hash algorithm https://review.openstack.org/83629	00:14
openstackgerrit	Brant Knudson proposed a change to openstack/keystone: Configurable token hash algorithm https://review.openstack.org/80401	00:15
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Allow session to return an error response object https://review.openstack.org/83630	00:18
*** bknudson has joined #openstack-keystone		00:21
*** nkinder has joined #openstack-keystone		00:22
*** topol has joined #openstack-keystone		00:22
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Allow session to return an error response object https://review.openstack.org/83630	00:29
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Allow session to return an error response object https://review.openstack.org/83630	00:31
*** wwriverrat1 has left #openstack-keystone		00:35
*** andrew_______ has quit IRC		00:45
openstackgerrit	A change was merged to openstack/keystone: Refactor LDAP API https://review.openstack.org/82397	00:55
*** gokrokve has joined #openstack-keystone		01:03
*** david-lyle has joined #openstack-keystone		01:16
*** amcrn has quit IRC		01:26
*** gokrokve has quit IRC		01:43
*** gokrokve has joined #openstack-keystone		01:44
*** gokrokve_ has joined #openstack-keystone		01:45
*** marcoemorais1 has quit IRC		01:48
*** gokrokve has quit IRC		01:48
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone: POC - Add openID Connect auth plugin https://review.openstack.org/61662	01:57
Mario_	pinging... for someone	01:58
Mario_	hi	01:59
Mario_	somebody help.. how do I make my users be part of the tenant groups? where my users is in existing ldap and tenants is on the mysql.	02:02
Mario_	or what should be the attribute to create in ldap... as per observation in mysql user table it has "default_project_id"	02:03
Mario_	in my case generate in the logs as this "2014-03-28 14:43:38.292 6509 INFO sqlalchemy.engine.base.Engine [-] SELECT domain.id AS domain_id, domain.name AS domain_name, domain.enabled AS domain_enabled, domain.extra AS domain_extra FROM domain WHERE domain.id = %s"	02:04
jamielennox	Mario_: i'm not sure exactly what you're asking but a user is a member of a tenant (we say project now) if they have a role on that project	02:23
jamielennox	it doesn't matter where the user or tenant data is stored	02:23
*** bknudson has quit IRC		02:24
Mario_	jamielennox but how can it determine the relationships	02:27
jamielennox	Mario_: at what level?	02:28
jamielennox	at the low level there is a table called user_project_roles or something like that	02:28
Mario_	i issue the command "keystone user-role-add --user nova --tenant service --role admin"	02:28
Mario_	for example for nova	02:28
jamielennox	yep	02:29
Mario_	"keystone user-create --tenant service --name nova --pass thepassword --enabled true" this is for the mysql but how about ldap to be part of the --tenant service	02:29
jamielennox	Mario_: assuming LDAP is set up correctly it won't matter	02:30
jamielennox	so long as the user_id is correct it will work across mysql and ldap	02:30
jamielennox	s/correct/consistent	02:30
Mario_	yes i got on the cli, but when I used to run on changing the authorization in for example /etc/nova/nova.conf got those error for example	02:31
Mario_	or do i need to comment the "connection=mysql://xxx" in the configurations of different services say nova	02:33
jamielennox	no, each server manages it's own database	02:34
jamielennox	you set this up in keystone and nova will talk to keystone for the info	02:34
jamielennox	so the log you mention should have nothing to do with this - domain is not related to tenants (at this level)	02:34
jamielennox	if it is working on cli (you can get a token scoped to a tenant) then it's fine and it's the other side that is wrong	02:35
Mario_	yes keystone is fine with me, or you mean on the other services is the problem?	02:35
jamielennox	i mean if you have done the above user-create and user-role-add then you should be able to do	02:36
jamielennox	keystone token-get --user nova --tenant service --password password and have it get a token	02:37
Mario_	except for the user-create i can't do..	02:37
jamielennox	(i think the params are slightly wrong there)	02:37
jamielennox	ok so user-create is failing	02:37
Mario_	yes creating I can't	02:38
jamielennox	ok does the log give you an error message	02:38
Mario_	because i had an existing users, I thought i cant to put the user in a tenant, to be a member	02:38
jamielennox	what you pasted above looks like a fairly common SQL ddebug statement	02:38
jamielennox	you don't need to recreate the user to put it in a tenant	02:39
jamielennox	a user can be a member of multiple tenants	02:39
Mario_	i see... i think the probs on the other services as they also has ldap configs if i am right	02:39
jamielennox	i don't think any of the other services use LDAP	02:39
jamielennox	they definetly shouldn't for user management	02:40
jamielennox	they will talk to keystone and keystone will talk to LDAP	02:40
Mario_	but for nova they have line for example #ldap_dns_soa_hostmaster=hostmaster@example.org	02:40
Mario_	yeah, that's what really on my first thought.. keystone do all for the authentication	02:41
jamielennox	Mario_: interesting - but it's not related to users	02:42
Mario_	but on every services it stated [keystone_authtoken] there is an admin_tenant_name=service	02:42
jamielennox	right	02:42
jamielennox	that is how the service authenticates against keystone	02:42
Mario_	that the probs, my existing user doesnt linke to admin_tenant_name=service	02:43
jamielennox	ok, so user creation and putting a user in a tenant are different things	02:43
Mario_	then what would be my config here?	02:43
jamielennox	it depends on the tenant you created	02:43
Mario_	under the "admin_tenant_name=service"	02:43
jamielennox	from "keystone user-role-add --user nova --tenant service --role admin" the tenant shouuld be service	02:44
jamielennox	you gave the nova user admin rights in the service tenant	02:44
jamielennox	have you been through devstack to see how these things are setup there?	02:45
*** mberlin1 has joined #openstack-keystone		02:46
*** mberlin has quit IRC		02:47
*** zhiyan_ is now known as zhiyan		02:50
Mario_	yes jamielennox	02:52
Mario_	it is running smooth on mysql	02:53
*** dims has quit IRC		02:53
*** prometheanfire has joined #openstack-keystone		02:53
jamielennox	did you create the users on mysql and then swap to LDAP? because keystone won't convert them over	02:54
Mario_	no i created a users in ldap too	02:54
prometheanfire	ohai, is it known that the CVE fix (0.7.x) for keystoneclient doesn't work with grizzly keystone (per it's package requirements)?	02:54
Mario_	what I did comment the sql to use ldap... but add assignment	02:55
Mario_	with your questions, yes i used to create users in mysql but when I used ldap i also created users nova,glance,neutron,et al	02:56
Mario_	as it doesn't exists	02:57
Mario_	as part of the admin group referring to the ldap	02:57
prometheanfire	last comment here for more info https://bugs.launchpad.net/python-keystoneclient/+bug/1282865	02:57
uvirtbot	Launchpad bug 1282865 in python-keystoneclient "[OSSA 2014-007] Keystone middleware may confuse contexts (CVE-2014-0105)" [Critical,Fix released]	02:58
prometheanfire	dolphm: ^ may intrest you (last comment) :D	02:58
jamielennox	Mario_: so when you recreated the users the user_id would have changed even though the username was the same	03:02
jamielennox	so you would have to do the role-add again	03:02
jamielennox	prometheanfire: oo, we've never released fixes for old client versions	03:03
jamielennox	prometheanfire: is that something any of the clients do?	03:03
Mario_	what do you mean jamielennox? on ldap	03:04
jamielennox	Mario_: did you redo the user-role-add?	03:04
prometheanfire	jamielennox: dunno, but leaving currently supported versions out of security releases is the same as not supporting them in my book	03:05
prometheanfire	so....	03:05
Mario_	yes, i used to rerun it	03:05
jamielennox	when you create a user it assigns it a unique id which is not the username (on mysql it's a uuid) so you can't use the old user	03:05
Mario_	as i thought would solved it	03:05
jamielennox	prometheanfire: that would depend on your definition of currently supported versions	03:05
jamielennox	of at least what we consider supported	03:06
prometheanfire	well, 2013.1.5 was just released	03:06
prometheanfire	that tells me security updates apply to it (at the least)	03:06
*** packet has joined #openstack-keystone		03:07
prometheanfire	and that means it's deps too (which python-keystoneclient is)	03:07
jamielennox	prometheanfire: fair enough	03:08
prometheanfire	ya, it's not the best position to be put in, but reality sucks :P	03:08
jamielennox	prometheanfire: i'm just thinking of all the other CVEs that must fall under the same situation	03:09
jamielennox	because AFAIK we've never backported a client fix	03:09
prometheanfire	I know of a couple of them	03:09
prometheanfire	for the server side too	03:10
*** Chicago has joined #openstack-keystone		03:10
jamielennox	prometheanfire: server side we try to backport	03:10
prometheanfire	ya, can't always, but meh	03:10
jamielennox	but client side we've never consider the client to be tied to the openstack cycle	03:10
jamielennox	we just keep upping the version	03:11
prometheanfire	unfortunately it is sometimes, swiftclient had that problem aparently	03:11
jamielennox	yea, umm so yea dolphm is definetly the one to talk to and i would raise it with QA because that might be something we have to do for all clients	03:11
prometheanfire	not always, as long as version constraints are not broken you don't have to backport	03:13
prometheanfire	it's just that sometimes projects versionlock onto clients, which should be punished :P	03:13
prometheanfire	heatclient used to versionlock on keystoneclient, but doesn't anymore, so ya :D	03:13
jamielennox	prometheanfire: yea that was something that was remove from the global requirements a little while ago	03:14
jamielennox	is it possible to open that up for grizzly as well? i'm assuming not	03:15
prometheanfire	dunno, depends on why it was locked in the first place	03:15
jamielennox	prometheanfire: oh and what i should have picked up earlier - keystone is not affected by that CVE	03:17
jamielennox	the middleware that is referred to is what the other clients use to authenticate against keystone, but keystone doesn't (can't) use it itself	03:17
prometheanfire	right, but the client it needs is	03:17
jamielennox	oh, right - can't install on same box as another	03:18
prometheanfire	:D	03:18
prometheanfire	fun problem eh?	03:18
jamielennox	ah distro packaging	03:18
prometheanfire	well, it's your requirements.txt stuff I'm using	03:19
prometheanfire	blame that :D	03:19
*** harlowja is now known as harlowja_away		03:19
jamielennox	right but if you use pip it ignores everything except the package you want to install now and so it just overrides it anyway - problem solved :p	03:21
prometheanfire	LOL, 'solved', no overarching consistency there	03:22
*** mutex has joined #openstack-keystone		03:22
jamielennox	:)	03:23
mutex	Hi	03:23
mutex	my keystone DB seems to have had some data corruption	03:23
mutex	a few of the tables are missing	03:23
mutex	now luckily they didn't have a lot of critical data in them, like the user_group_metadata table	03:23
mutex	so I could re-create them in short	03:23
mutex	order	03:23
mutex	but I do need to find the origina CREATE TABLE command for that particular table	03:24
mutex	any pointers as to where that is in the keystone source ?	03:24
jamielennox	mutex: the migrations are in keystone/common/sql/migrate_repo/versions/	03:25
jamielennox	but that's migrations so it's not a clear endpoint	03:25
mutex	hm	03:25
mutex	maybe the create is in the puppet manifest	03:25
jamielennox	mutex: if you look in the various backend/sql.py folders you will see the table layouts	03:26
mutex	yeah I could reconstruct it, but having the preset CREATE TABLE line would be much easier ;-)	03:26
mutex	i lost like 6 tables :-(	03:26
jamielennox	mutex: no that's what is used to create the tables - but always we go from one state to another rahter than start from scratch	03:26
mutex	ah	03:26
mutex	so what is the trust table used for ?	03:26
jamielennox	mutex: ah - we use sqlmigrate for that stuff so you will still have to look at the table schema and do the SQL from that	03:27
jamielennox	trusts allow you to delegate auth from one user to another	03:27
jamielennox	that will be the record of who set up what	03:27
mutex	interesting	03:28
mutex	seems like I don't need to reconstruct that table	03:28
jamielennox	mutex: what i would do in your situation is start with a fresh db, run the full migration script then dump the table and get the structures that way	03:28
mutex	oh good point	03:29
mutex	I have another nice table right here	03:29
mutex	on a pristine system	03:29
mutex	I could just dump it	03:29
*** stevemar has quit IRC		03:29
jamielennox	mutex: also just to make sure - was it corruption or did you update and not run keystone-manage db_sync/	03:30
mutex	no I had a galera cluster that stopped working	03:32
mutex	when I got the database backup and running the frm files were missing from those tables	03:32
mutex	so I'm hoping that maybe the data is still around, even though the metadata is hosed	03:32
*** gokrokve_ has quit IRC		03:32
jamielennox	mutex: no worries, always need to check	03:32
mutex	besides, all my users are in ldap I was really just using the keystone DB for role mapping and group membership	03:33
jamielennox	mutex: it might be worth backing up your current tables and starting again then	03:33
jamielennox	the tables are fairly easy to interpret for that sort of thing	03:34
mutex	yeah	03:34
* mutex croses fingers		03:34
mutex	yeah so these are the 'missing' tables:	03:36
mutex	user_group_membership, user_project_metadata, trust_role, trust, user_domain_metadata	03:37
jamielennox	mutex: user_group should be fairly obvious - and it probably doesn't matter if that's in LDAP	03:37
mutex	group info was in sql	03:38
mutex	but easy to recreate	03:38
jamielennox	user_project is a problem because that's where project membership will live	03:38
mutex	It was hard to get IT to buy into having a process with create privileges on the AD server ;-)	03:38
jamielennox	mutex: you don't have to do that	03:38
mutex	nah I only had like ... 30 musers max, should be easy to just recreate	03:38
mutex	well you had to if one was using horizon for group/project membership	03:39
jamielennox	i thought that would have been sql	03:39
jamielennox	not use/ group membership, but user/project	03:40
mutex	yeah so we have the havana feature where you can use LDAP for users	03:40
mutex	and SQL for projects/project membership	03:40
Mario_	i bit confused now on the configurations going to other services... as it has connection=mysql://nova:my_pass@localhost/nova which contrast to my ldap	03:43
Mario_	which is now the priority? ldap or mysql? referring to other services says /etc/nova/nova.conf	03:44
mutex	from what I recall there is a preferred driver section in the keystone config	03:44
mutex	driver = keystone.identity.backends.ldap.Identity	03:45
Mario_	yeah how about going to the other say nova	03:45
mutex	nova uses keystone service	03:45
Mario_	does it has also driver in the nova.conf	03:46
mutex	doesn't connect directly to keystones sql tables	03:46
mutex	the nova mysql seciont is for novas internal data to be kept in mysql	03:46
mutex	*section	03:46
Mario_	but my users are linked to ldap mutex	03:46
mutex	yes, and ?	03:47
mutex	if nova needs user information it calls a keystone JSON api	03:47
Mario_	but tenant and role are in the internal	03:47
mutex	which then backends to ldap	03:47
mutex	maybe I don't understand your question ;-)	03:47
Mario_	my keystone is working fine, but when I used the nova, glance it generates error	03:48
Mario_	"ERROR: Invalid OpenStack Nova credentials."	03:48
mutex	ah	03:48
Mario_	i tried to linked it already to ldap.	03:48
mutex	ah, I had a similar problem	03:48
mutex	but it was because I didn't populate the LDAP with the service account names	03:49
mutex	nova, neutron, heat, etc	03:49
mutex	the services still need to authenticate as a user	03:49
mutex	to call the APis	03:49
Mario_	yeah already define or populated on the ldap	03:49
Mario_	but as said there is connection=mysql://nova:my_pass@localhost/nova which may contrast.. or do i need to delete those previous data?	03:50
Mario_	referring the previous data on the internal	03:50
mutex	that is just the mysql password AFAIK	03:51
mutex	I also had to make sure that my 'id' field was consistent for before/after the LDAP migration	03:51
mutex	so my username fields and id fields meant that I had accounts nova:nova	03:51
mutex	but the internal keystone role assignment was expecting a UUID in the 'id' field for some of the roles	03:52
mutex	so I had to fix that as well	03:52
*** chandankumar_ has joined #openstack-keystone		04:23
*** chandankumar_ has quit IRC		04:23
*** wchrisj has quit IRC		04:27
openstackgerrit	A change was merged to openstack/keystone: Start using to oslotest https://review.openstack.org/79068	04:28
openstackgerrit	A change was merged to openstack/keystone: Allows override of stdout/stderr/log capturing https://review.openstack.org/79069	04:28
openstackgerrit	A change was merged to openstack/keystone: Removes the use of mutables as default args https://review.openstack.org/78117	04:28
openstackgerrit	A change was merged to openstack/keystone: Use CMS to generate sample tokens https://review.openstack.org/73772	04:32
openstackgerrit	A change was merged to openstack/python-keystoneclient: Use AccessInfo in auth_token middleware https://review.openstack.org/74956	04:32
*** dstanek has quit IRC		04:40
*** packet has quit IRC		04:43
*** dstanek has joined #openstack-keystone		05:09
*** wchrisj has joined #openstack-keystone		05:11
*** dstanek has quit IRC		05:27
*** wchrisj has quit IRC		05:28
*** gyee has quit IRC		05:33
*** stevemar has joined #openstack-keystone		05:57
openstackgerrit	Jenkins proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/83297	06:00
*** gtt116_ has joined #openstack-keystone		06:22
*** gtt116 has quit IRC		06:22
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Allow passing auth plugin as a parameter https://review.openstack.org/83673	06:25
*** saju_m has joined #openstack-keystone		06:38
*** dstanek has joined #openstack-keystone		06:39
*** dstanek has quit IRC		07:04
*** topol has quit IRC		07:05
*** bvandenh has joined #openstack-keystone		07:07
*** stevemar has quit IRC		07:12
*** topol has joined #openstack-keystone		07:25
*** dstanek has joined #openstack-keystone		07:32
*** topol has quit IRC		07:32
*** dstanek has quit IRC		07:48
*** flaper87\|afk is now known as flaper87		08:05
marekd\|away	jamielennox: thanks for hints in here https://review.openstack.org/#/c/83337/3. There was some magic unclear to me. Now I am starting to feel it all.	08:16
*** marekd\|away is now known as marekd		08:16
*** leseb has joined #openstack-keystone		08:40
*** dstanek has joined #openstack-keystone		08:45
*** saju_m has quit IRC		09:05
*** saju_m has joined #openstack-keystone		09:26
*** bada has joined #openstack-keystone		09:35
marekd	jamielennox: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/base.py#L342 - why does the put() force empty body?	09:36
*** andreaf has quit IRC		09:58
*** leseb has quit IRC		10:00
*** leseb has joined #openstack-keystone		10:00
*** leseb_ has joined #openstack-keystone		10:02
*** leseb has quit IRC		10:04
*** flaper87 is now known as flaper87\|afk		10:18
*** andreaf has joined #openstack-keystone		10:23
*** david-lyle has quit IRC		10:27
*** david-lyle has joined #openstack-keystone		10:27
openstackgerrit	Marek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Identity Providers. https://review.openstack.org/83337	10:29
*** dstanek has quit IRC		10:33
*** topol has joined #openstack-keystone		10:36
*** flaper87\|afk is now known as flaper87		10:42
*** leseb_ has quit IRC		10:43
*** leseb has joined #openstack-keystone		10:44
*** dstanek has joined #openstack-keystone		10:57
*** marekd has quit IRC		11:06
*** marekd has joined #openstack-keystone		11:06
*** leseb has quit IRC		11:10
*** jamielennox is now known as jamielennox\|away		11:15
*** RockKuo_iPad has joined #openstack-keystone		11:16
*** dstanek has quit IRC		11:17
*** RockKuo_iPad has quit IRC		11:17
*** RockKuo_iPad has joined #openstack-keystone		11:17
*** RockKuo_iPad has quit IRC		11:17
*** RockKuo_iPad has joined #openstack-keystone		11:18
*** morganfainberg is now known as morganfainberg_Z		11:20
*** dstanek has joined #openstack-keystone		11:20
*** RockKuo_iPad has quit IRC		11:24
*** leseb has joined #openstack-keystone		11:28
*** leseb has quit IRC		11:41
*** RockKuo_iPad has joined #openstack-keystone		11:41
*** leseb has joined #openstack-keystone		11:42
*** RockKuo_iPad has quit IRC		11:45
*** leseb has quit IRC		11:46
*** dstanek has quit IRC		11:46
*** saju_m has quit IRC		11:50
*** RockKuo_iPad has joined #openstack-keystone		12:01
*** david-lyle has quit IRC		12:06
*** dstanek has joined #openstack-keystone		12:15
*** jaosorior has joined #openstack-keystone		12:33
*** dstanek has quit IRC		12:36
*** leseb has joined #openstack-keystone		12:42
*** dstanek has joined #openstack-keystone		12:45
*** leseb has quit IRC		12:47
*** chandan_kumar has quit IRC		12:51
*** browne has joined #openstack-keystone		12:54
*** leseb has joined #openstack-keystone		12:58
*** RockKuo_iPad has quit IRC		13:11
*** zigo has quit IRC		13:13
*** zigo has joined #openstack-keystone		13:14
*** saju_m has joined #openstack-keystone		13:15
*** jagee has joined #openstack-keystone		13:25
openstackgerrit	Marek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Fedration Mapping Rules. https://review.openstack.org/83742	13:26
openstackgerrit	Marek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Fedration Mapping Rules. https://review.openstack.org/83742	13:41
*** bknudson has joined #openstack-keystone		13:45
*** zigo has quit IRC		13:47
*** zigo has joined #openstack-keystone		13:47
*** RockKuo_iPad has joined #openstack-keystone		13:48
*** zigo has quit IRC		13:51
*** finite has joined #openstack-keystone		13:53
*** jimbaker has quit IRC		13:55
*** zigo has joined #openstack-keystone		13:55
*** joesavak has joined #openstack-keystone		13:58
*** zigo has quit IRC		13:59
*** RockKuo_iPad has quit IRC		13:59
*** zigo has joined #openstack-keystone		13:59
*** wchrisj has joined #openstack-keystone		14:06
*** leseb has quit IRC		14:07
*** vhoward- has joined #openstack-keystone		14:10
*** stevemar has joined #openstack-keystone		14:11
dstanek	anyone here have experience with test scenerios?	14:19
*** openstack has joined #openstack-keystone		14:20
*** leseb has joined #openstack-keystone		14:28
*** david-lyle has joined #openstack-keystone		14:31
*** rwsu has quit IRC		14:38
*** rwsu has joined #openstack-keystone		14:41
*** dolphm changes topic to "Open for Juno development"		15:04
*** finite has quit IRC		15:04
*** leseb has quit IRC		15:13
*** leseb has joined #openstack-keystone		15:13
*** leseb_ has joined #openstack-keystone		15:15
*** leseb has quit IRC		15:16
*** leseb_ has quit IRC		15:17
*** leseb has joined #openstack-keystone		15:18
*** packet has joined #openstack-keystone		15:18
*** jaosorior has quit IRC		15:20
*** ayoung-afk is now known as ayoung		15:24
*** saju_m has quit IRC		15:35
*** packet has quit IRC		15:41
*** topol has quit IRC		15:45
*** devlaps has joined #openstack-keystone		15:49
*** jogo is now known as flashgordon		16:07
*** marcoemorais has joined #openstack-keystone		16:10
*** leseb has quit IRC		16:22
*** leseb has joined #openstack-keystone		16:23
*** topol has joined #openstack-keystone		16:27
*** leseb has quit IRC		16:27
*** gyee has joined #openstack-keystone		16:35
*** joesavak has quit IRC		16:42
*** leseb has joined #openstack-keystone		16:45
*** browne has quit IRC		16:51
openstackgerrit	Brant Knudson proposed a change to openstack/keystone: Cleanup config.py https://review.openstack.org/81671	16:52
openstackgerrit	Brant Knudson proposed a change to openstack/keystone: Clean up config help text https://review.openstack.org/78497	16:52
marekd	Hi all! Any hints on what's the best way to actually skip the test in the python-keystoneclient? For instance part of the API i am implementing now doesn't support 'list'-like commands, so I just want to skip test_list() tests. One way is to reimplement the method to def test_list(self): pass but I was wondering there is any better way...	17:02
bknudson	marekd: write the test to show what it does instead... it must do something if you try to list.	17:04
marekd	bknudson: ah, this approach. Makes sense...	17:05
marekd	bknudson: thanks!	17:05
*** gokrokve has joined #openstack-keystone		17:09
*** browne has joined #openstack-keystone		17:09
*** bvandenh has quit IRC		17:13
*** leseb has quit IRC		17:14
openstackgerrit	Marek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Federated Protocols. https://review.openstack.org/83829	17:14
*** harlowja_away is now known as harlowja		17:15
*** marekd is now known as marekd\|away		17:15
*** saju_m has joined #openstack-keystone		17:20
openstackgerrit	David Stanek proposed a change to openstack/keystone: Moves database setup/teardown closer to its usage https://review.openstack.org/83832	17:22
openstackgerrit	David Stanek proposed a change to openstack/keystone: wip: this needs to be made in oslo https://review.openstack.org/83833	17:22
openstackgerrit	David Stanek proposed a change to openstack/keystone: First real Python 3 tests https://review.openstack.org/83834	17:22
openstackgerrit	David Stanek proposed a change to openstack/keystone: Make the py33 Jenkins job happy https://review.openstack.org/83565	17:22
dstanek	yuck	17:24
openstackgerrit	David Stanek proposed a change to openstack/keystone: Check domain_id with equality in assignment kvs https://review.openstack.org/83836	17:28
*** leseb has joined #openstack-keystone		17:33
*** bknudson has left #openstack-keystone		17:34
*** saju_m has quit IRC		17:35
*** saju_m has joined #openstack-keystone		17:36
*** leseb has quit IRC		17:37
*** leseb has joined #openstack-keystone		17:38
*** morganfainberg_Z is now known as morganfainberg		17:39
morganfainberg	dstanek, yuck?	17:39
dolphm	marekd\|away: why isn't list supported?	17:42
*** leseb has quit IRC		17:42
dstanek	morganfainberg: i still had to do some of that sys.modules patching	17:44
morganfainberg	dstanek, ick	17:44
morganfainberg	could be worse i guess...	17:44
dstanek	morganfainberg: by moving some of the db stuff about i was able to not have to mock out a bunch migrate stuff	17:44
dstanek	morganfainberg: actually i notice something about that today that i wanted to ask you about	17:45
morganfainberg	dstanek, sure	17:45
dstanek	morganfainberg: i did this to move the migrate imports out of tests.core https://review.openstack.org/#/c/83832/	17:46
*** bknudson has joined #openstack-keystone		17:46
dstanek	setup_database and teardown database are only used in test_v3	17:46
morganfainberg	dstanek, sure	17:47
dstanek	morganfainberg: besides those there is some db stuff here: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/core.py#n487	17:48
dstanek	should that functionaltity actually go into *_database and then make the changes to other test cases to use it?	17:49
morganfainberg	dstanek, hm.	17:51
morganfainberg	dstanek, i'm not opposed to keeping all DB stuff in one place.	17:51
dstanek	morganfainberg: i dont' know, but if feel like something is wrong - things are using the database and not having setup_database called	17:52
morganfainberg	dstanek, this almost feels like it should be a fixture.	17:52
morganfainberg	dstanek, well setup_database was really "Setup_migrated_Database"	17:52
dstanek	morganfainberg: i almost made it a fixture, but i haven't figured out how to get those to work under nose	17:52
morganfainberg	dstanek, not really "setup_database"	17:53
morganfainberg	dstanek, wait fixtures don't work under nose?	17:54
dstanek	once i get fixtures to work there are a half dozen or so test modules that can be added to the tox.ini file	17:54
openstackgerrit	Clint "SpamapS" Byrum proposed a change to openstack/keystone: Discourage use of pki_setup https://review.openstack.org/80819	17:54
*** david-lyle is now known as david-lyle_afk		17:54
dstanek	morganfainberg: they do in a clean environment on Py3, but i think my mocking/patch messed it up	17:54
morganfainberg	oh oh	17:54
morganfainberg	aha	17:54
dstanek	they work fine in py27 on keystone	17:54
morganfainberg	sorry, py3 still.	17:54
* morganfainberg drinks more coffee		17:55
dstanek	i setup a new py3 project to get it out so i didn't have to worry about the keystone baggage and it worked fine	17:55
morganfainberg	dstanek, making it a fixture and making all the DB setup stuff in that fixture would be fantastic	17:56
dstanek	i'm actually working on the fixture problem now so hopefully it'll be an easy fix	17:56
dolphm	morganfainberg: rebase required https://review.openstack.org/#/c/83235/	17:57
morganfainberg	dolphm, actually in process of that now	17:57
morganfainberg	dolphm, just making sure tests run before posting	17:57
morganfainberg	dolphm, :)	17:57
dolphm	morganfainberg: cool	17:58
dolphm	it's not our normal policy, but considering the severity... i attached a backport of the eventlet+memcached context confusiong patch for python-keystoneclient 0.2.5 to https://bugs.launchpad.net/python-keystoneclient/+bug/1282865 if anyone wants to review it (it won't actually go through gerrit, i think it'll just get picked up by debian)	18:00
uvirtbot	Launchpad bug 1282865 in python-keystoneclient "[OSSA 2014-007] Keystone middleware may confuse contexts (CVE-2014-0105)" [Critical,Fix released]	18:00
bknudson	dolphm: we might need the patch here, too... I'll take a look.	18:01
dolphm	i don't know what other version other distros package, but auth_token has changed so much they're probably all screwed if they're not willing to ship 0.7.0 :-/	18:01
dolphm	bknudson: the 0.2.5 backport didn't forward port cleanly to even 0.3.0	18:02
morganfainberg	dolphm, wow. 0.2.5?	18:02
dolphm	morganfainberg: released november 2012	18:02
bknudson	I expect updating the products that include keystoneclient would have a hard time with the new requirements moving up to 0.7.0	18:02
dolphm	bknudson: i know it's a long jump, but i couldn't think of any blockers (not that i've tried / done any analysis)	18:03
dolphm	bknudson: what are you thinking would give them a hard time?	18:03
*** marcoemorais has quit IRC		18:03
morganfainberg	dolphm, right and someone claims they're supporting essex for 5 years.	18:03
dolphm	bknudson: oh you mean package deps?	18:03
dolphm	morganfainberg: haha	18:03
bknudson	dolphm: yes, it's the package deps	18:03
*** marcoemorais has joined #openstack-keystone		18:03
*** marcoemorais has quit IRC		18:03
dolphm	bknudson: sudo pip!	18:04
*** marcoemorais has joined #openstack-keystone		18:04
*** marcoemorais has quit IRC		18:04
bknudson	I wish we could do that... tell the lawyers.	18:04
*** marcoemorais has joined #openstack-keystone		18:04
morganfainberg	dolphm, https://wiki.ubuntu.com/ServerTeam/CloudArchive	18:06
prometheanfire	dolphm: thanks for taking a look at that	18:06
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Cleanup ldap tests (mox and reset values) https://review.openstack.org/83235	18:09
dolphm	bknudson: speaking of lawyers, if there's some way i can credit you for your email the other day, let me know	18:09
bknudson	dolphm: nope, forget about it	18:09
dolphm	bknudson: alrighty, thanks!	18:10
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Enable concurrent testing by default https://review.openstack.org/83584	18:10
morganfainberg	oooh what the heck	18:11
dolphm	morganfainberg: what caused the conf update?	18:12
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Cleanup ldap tests (mox and reset values) https://review.openstack.org/83235	18:13
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Enable concurrent testing by default https://review.openstack.org/83584	18:14
morganfainberg	dolphm, ok rebased. somehow my rebase snuck in a config sample change boggle	18:14
morganfainberg	dolphm, had to fix that	18:14
*** andreaf has quit IRC		18:20
*** dims has joined #openstack-keystone		18:25
*** dstanek has quit IRC		18:33
*** dstanek has joined #openstack-keystone		18:34
ayoung	morganfainberg, did you get Apache HTTPD to run on the same server as Horizon?	18:36
morganfainberg	ayoung, no, got pulled off into some internal work.	18:36
morganfainberg	ayoung, it's been a slow slog because of the way "templating" is done in devstack	18:37
ayoung	morganfainberg, did you make any progress on it? Is there some masking of the WSGI Aliases	18:37
morganfainberg	ayoung, i got it to work by hand.	18:37
morganfainberg	ayoung, just not configured by devstack	18:37
ayoung	morganfainberg, what did your config look like?	18:37
morganfainberg	ayoung, give me a sec, let me find it	18:38
ayoung	morganfainberg, thanks	18:39
morganfainberg	ayoung, i can't find my actual config, but basically you can set multiple WSGIScriptAliases (just not at /, it looked to work if you specified a separate path, but might be ordering) and for ease of identifying the processes, I used multiple Processgroups	18:44
openstackgerrit	A change was merged to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/83297	18:47
*** openstackgerrit has quit IRC		18:48
*** openstackgerrit has joined #openstack-keystone		18:48
*** dstanek has quit IRC		18:49
ayoung	morganfainberg, did you change the WSGIScriptAliases for Horizon?	18:51
ayoung	morganfainberg, did you have keystone on port 80/443 or did you have it on 5000 35357?	18:58
morganfainberg	ayoung i think i moved horizon to /dashboard	18:59
morganfainberg	ayoung, and yes port 80/443	18:59
*** marcoemorais has quit IRC		18:59
ayoung	Ah...that makes sense	18:59
*** marcoemorais has joined #openstack-keystone		18:59
morganfainberg	ayoung and i did a rewrite on raw / to /dashboard	18:59
ayoung	morganfainberg, is that in the review?	19:00
morganfainberg	ayoung, well anything no keystone (^/keystone)	19:00
*** harlowja is now known as harlowja_away		19:00
ayoung	right	19:00
morganfainberg	ayoung, no i lost it, i need to find it somewhere	19:00
*** david-lyle_afk is now known as david-lyle		19:00
ayoung	morganfainberg, I might end up reproducing it. If I keep asking questions, we can consider it documented on evesdrop	19:00
ayoung	morganfainberg, so when I change	19:02
ayoung	WSGIScriptAlias /dashboard /opt/stack/horizon/openstack_dashboard/wsgi/django.wsgi	19:02
morganfainberg	ayoung, sure thing. i lost my external HDD so trying to find a backup	19:02
ayoung	I lose all of the context....is there some top level config file I need to hit?	19:02
morganfainberg	this was pre-review (Wasn't even WIP worthy yet)	19:02
ayoung	morganfainberg, nah, just talk me through it....then I'll scrape the logs and make a document out of it	19:03
morganfainberg	ayoung, hmm.	19:03
morganfainberg	ayoung, how are you losing context? (what behavior)	19:04
morganfainberg	ayoung, aha, ok so i did icky mod_rewrite magic	19:07
morganfainberg	ayoung, i did a vhost on localhost running keystone w/ all the WSGI directives	19:07
morganfainberg	ayoung, and the horizon one rewrote the right urls using [P] in the rewrite rule to the 127.0.0.1 vhost	19:08
morganfainberg	ayoung, i kept horizon on /	19:08
morganfainberg	ayoung, just found an old test devstack	19:08
morganfainberg	ayoung, so the WSGI* directives were isolated to a given vhost	19:09
*** dstanek has joined #openstack-keystone		19:10
morganfainberg	ayoung, actually this makes the devstack work waaaaay easier.	19:11
*** harlowja_away is now known as harlowja		19:17
ayoung	morganfainberg, ugh. Yuck. Bleah	19:17
ayoung	So no publically exposed Keystone?	19:17
ayoung	off the machine?	19:17
*** marcoemorais has quit IRC		19:23
*** marcoemorais has joined #openstack-keystone		19:23
*** marcoemorais has quit IRC		19:23
*** marcoemorais has joined #openstack-keystone		19:24
openstackgerrit	A change was merged to openstack/keystone: Use assertIsNone when comparing against None https://review.openstack.org/78118	19:24
*** prometheanfire has left #openstack-keystone		19:32
*** packet has joined #openstack-keystone		19:33
openstackgerrit	A change was merged to openstack/keystone: test_v3_token_id correctly hash token https://review.openstack.org/83628	19:40
openstackgerrit	A change was merged to openstack/keystone: Use assertIn in test_v3_catalog https://review.openstack.org/82305	19:40
*** david-lyle has quit IRC		19:40
openstackgerrit	A change was merged to openstack/keystone: Fix test_provider_token_expiration_validation transient failure https://review.openstack.org/76249	19:40
*** david-lyle has joined #openstack-keystone		19:40
*** topol has quit IRC		19:44
*** dstanek has quit IRC		19:50
morganfainberg	ayoung, well not directly, it still all lives in apache, just the main vhost proxies to the internal one	19:54
morganfainberg	ayoung, so https://<host>/keystone would be public	19:54
ayoung	morganfainberg, interesting. A workaround, not necessarily the long term approach I'd shoot for, but functional	19:55
morganfainberg	ayoung, it's part of the issue with directive limitations iirc	19:55
morganfainberg	ayoung, but i _think_ there is a way of doing this in one vhost	19:56
ayoung	morganfainberg, yes, there is, but we need to clarify which application owns which suburl. RIght now, Django owns everything	19:56
morganfainberg	ayoung, yeah it's suboptimla	19:57
openstackgerrit	A change was merged to openstack/keystone: Cleanup revocation query https://review.openstack.org/82403	19:58
openstackgerrit	A change was merged to openstack/keystone: Remove unnecessary test setUps https://review.openstack.org/82938	19:58
*** stevemar has quit IRC		20:06
openstackgerrit	Andrey Kurilin proposed a change to openstack/python-keystoneclient: Reuse module `exceptions` from Oslo https://review.openstack.org/68897	20:23
*** topol has joined #openstack-keystone		20:31
openstackgerrit	A change was merged to openstack/keystone: Properly handle unicode & utf-8 in LDAP https://review.openstack.org/82398	20:31
openstackgerrit	A change was merged to openstack/keystone: Expand the use of non-ascii values in ldap test https://review.openstack.org/82399	20:31
openstackgerrit	A change was merged to openstack/python-keystoneclient: Remove releases.rst from keystone docs https://review.openstack.org/82962	20:31
openstackgerrit	A change was merged to openstack/keystone: Check domain_id with equality in assignment kvs https://review.openstack.org/83836	20:31
openstackgerrit	A change was merged to openstack/keystone: Cleanup ldap tests (mox and reset values) https://review.openstack.org/83235	20:31
*** zhiyan is now known as zhiyan_		20:38
*** marcoemorais has quit IRC		20:38
*** marcoemorais has joined #openstack-keystone		20:39
*** dims has quit IRC		20:53
*** andreaf has joined #openstack-keystone		20:54
*** marcoemorais has quit IRC		20:56
*** marcoemorais has joined #openstack-keystone		20:56
*** marcoemorais has quit IRC		20:58
*** marcoemorais has joined #openstack-keystone		20:59
*** raildo has quit IRC		21:04
*** amcrn has joined #openstack-keystone		21:08
*** topol has quit IRC		21:26
*** marcoemorais1 has joined #openstack-keystone		21:30
*** marcoemorais1 has quit IRC		21:30
*** marcoemorais1 has joined #openstack-keystone		21:30
*** marcoemorais1 has quit IRC		21:31
*** marcoemorais1 has joined #openstack-keystone		21:31
*** marcoemorais1 has quit IRC		21:31
*** marcoemorais1 has joined #openstack-keystone		21:32
*** marcoemorais has quit IRC		21:32
*** amerine_ has joined #openstack-keystone		21:33
*** amerine has quit IRC		21:34
*** jagee has quit IRC		22:05
*** wchrisj has quit IRC		22:06
*** bknudson has quit IRC		22:06
*** marcoemorais1 has quit IRC		22:21
*** marcoemorais has joined #openstack-keystone		22:21
*** marcoemorais has quit IRC		22:21
*** marcoemorais has joined #openstack-keystone		22:22
*** andreaf has quit IRC		22:24
*** marcoemorais has quit IRC		22:24
*** marcoemorais has joined #openstack-keystone		22:24
*** packet has quit IRC		22:51
*** leseb has joined #openstack-keystone		23:02
*** david-lyle has quit IRC		23:16
*** gyee has quit IRC		23:31
*** browne has quit IRC		23:33
*** leseb has quit IRC		23:46
*** gokrokve has quit IRC		23:49
*** gokrokve has joined #openstack-keystone		23:50
*** gokrokve has quit IRC		23:54

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!