Tuesday, 2014-04-01

*** andreaf has quit IRC00:02
*** Chicago has joined #openstack-keystone00:03
*** Chicago has joined #openstack-keystone00:03
*** gokrokve has quit IRC00:04
*** RockKuo has joined #openstack-keystone00:12
*** dstanek has joined #openstack-keystone00:14
*** gokrokve has joined #openstack-keystone00:26
openstackgerritDavid Stanek proposed a change to openstack/keystone: Adds style checks to ease reviewer burden  https://review.openstack.org/7811900:30
*** bknudson has joined #openstack-keystone00:31
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Allow passing auth plugin as a parameter  https://review.openstack.org/8367300:38
*** dstanek has quit IRC00:45
*** amcrn has quit IRC00:49
*** amcrn has joined #openstack-keystone00:55
*** marcoemorais has quit IRC00:56
*** zhiyan_ is now known as zhiyan00:57
*** zigo has quit IRC00:59
*** zigo has joined #openstack-keystone01:01
*** dstanek has joined #openstack-keystone01:17
openstackgerritDavid Stanek proposed a change to openstack/keystone: Adds style checks to ease reviewer burden  https://review.openstack.org/7811901:39
ayoungdtroyer, are you running Horizon now?  With SSL enabled?01:44
*** mberlin has joined #openstack-keystone01:57
*** mberlin1 has quit IRC01:59
*** dstanek has quit IRC02:01
*** zhiyan has left #openstack-keystone02:04
*** zhiyan has joined #openstack-keystone02:05
*** dims has quit IRC02:23
*** dims has joined #openstack-keystone02:24
dtroyerayoung: honestly, I hardly use horizon myself.  I'm guessing you are looking at it and other wgi apps getting along in apache?02:26
*** dstanek has joined #openstack-keystone02:28
openstackgerritZhang Yang proposed a change to openstack/keystone: Fix dict wrong use in ec2 auth  https://review.openstack.org/7883702:33
ayoungdtroyer, yes, I am alos looking at Kerberizing Horizon.02:39
*** dstanek has quit IRC02:42
*** amcrn has quit IRC02:42
*** david-lyle has joined #openstack-keystone02:44
*** topol has joined #openstack-keystone02:47
*** stevemar has joined #openstack-keystone02:53
*** harlowja is now known as harlowja_away02:59
*** harlowja_away is now known as harlowja03:09
ayoungjamielennox, so...running Keystone and Horizon in the same Apache instance...and getting errors like this:  ArgsAlreadyParsedError: arguments already parsed: cannot register CLI option03:11
*** chandan_kumar has joined #openstack-keystone03:11
jamielennoxayoung: from where?03:11
ayoung File "/var/www/cgi-bin/keystone/main", line 42, in <module>03:11
ayoung  trying to login from the Horion UI03:11
ayoungjamielennox, its cuz they are in the same process space, I am fairly certain03:12
jamielennoxayoung: why are they in the same process space03:12
ayoungneed to find some way to segregate the Horizon and Keystone WSGI apps03:12
ayoungjamielennox, cuz my Apache Config Fu is Weak03:12
jamielennoxthat will be a problem in the same space as the CONF objects will clash03:12
jamielennox(i assume horizon uses CONF)03:12
jamielennoxayoung: i doubt it - you would have to try hard to get them in the same process03:12
ayoungI'm guess it is an Apache conf issue.  They are both defined in the same VirtualHost03:13
ayoungjamielennox, keystone worked fine before I got Horizon in SSL03:13
jamielennoxayoung: show me03:13
jamielennoxsame vhost?03:13
jamielennoxoh you're going for server.com/identity layout03:13
ayoungjamielennox, yeah03:13
ayoungI suspect that, even so, there is a way to segregate them03:14
ayoungbut maybe not03:14
jamielennoxis it on a machine i can ssh?03:14
ayoungyeah...lemme set a password03:14
jamielennoxi'm trying to rip client apart again - always looking for something more fun to do03:15
jamielennoxit's time for a rewrite...03:15
ayoungjamielennox, I'll be working on the "external" plugin here shortly03:15
jamielennoxayoung: client you mean?03:16
jamielennoxsee: https://review.openstack.org/#/c/84071/ for preliminary docs03:16
ayoungjamielennox, will do03:16
ayoungIts going to be super trivial03:17
ayoungbasically auth: {}03:17
ayoungthe tricky thing is going to be telling the requests library to do negotiate03:17
ayoungjamielennox, sent you the login info internal.  Let me know when you are in03:17
ayoungthe last thing I did was the file  /etc/httpd/conf.d/wsgi-horizon.conf03:18
jamielennoxayoung: that's not hard03:19
ayoungjamielennox, I know, I was dealing with NSS, though, and wanted to change as little as possible03:19
jamielennoxayoung: kerberos: ig Fu is Weak03:19
jamielennox<jamielennox> (i assume horizon uses CONF)03:19
jamielennoxayoung: kerberos: https://review.openstack.org/#/c/74974/03:20
jamielennoxthough i assume you want to do kerberos all the time rather than just on auth03:20
ayoungjamielennox, just on Auth is sufficient, I think03:21
jamielennoxalso his is overkill - it's much simpler than that03:21
jamielennoxayoung: really? then yours is the same as jose's and i can do it in like 5 lines03:21
ayoungit makes sense to do:  kerberos to /hostname/keystone/krb5/v3/auth and then get a token where the service catalog is under hostname/keystone/admin03:22
jamielennoxhmm, that will be a fun setup03:23
ayoungjamielennox, yeah, it should be pretty trivial.  I could see more complex things in the future.  But if you took the token, put it in a cookie, you would have a reasonable facsimile of what IPA does already03:23
jamielennoxcookie? who needs the token as a cookie? why are we doing anything with cookies?03:25
ayoungjamielennox, it shoulda been cookies all along....just to use the standard mechanism03:25
ayoungbut the nice thing about the customer header we use is it has built in XSRF protection03:25
jamielennoxhmm, i've never tried setting things up like this before03:28
ayoungjamielennox, I assume you got in?03:28
stevemarmorganfainberg, ayoung can either of you +2/+A this guy: https://review.openstack.org/#/c/83169/03:30
ayoungstevemar, thought I already had03:30
ayoungstevemar, done03:31
stevemarayoung, it had to get rebased03:31
stevemarfor some very odd reason03:32
ayoungjamielennox, anyway, I assume the reason I am getting the conflict is that the  WSGIDaemonProcess horizon user=fedora group=wheel processes=3 threads=10 home=/opt/stack/horizon  is getting used by both horizon and keystone03:34
jamielennoxayoung yep03:34
ayoungnot sure how to scope those...maybe through a location directive.  Virtual host does'n't look to be an option03:34
jamielennoxno you set WSGIProcessGroup03:34
jamielennoxbut that should require daemon mode for keystone03:35
*** chandan_kumar has quit IRC03:35
ayoungjamielennox, yeah, I think I can do that per Location... http://stackoverflow.com/questions/6590587/multiple-mod-wsgi-apps-on-one-virtual-host-directing-to-wrong-app03:35
ayounganyway, I'll play with that tomorrow.03:35
jamielennoxyep, i was just writing that out03:36
ayoungyou going to change the config on this machine?03:36
jamielennoxbut i can leave it for  you as i'm not sure i have a kerberos cred on that domain anyway03:36
ayoungall the machines are in our cloudlab.  ipa.cloudlab.freeeipa.org is the IPA vm.03:37
jamielennoxayoung: i'll leave it anyway03:37
ayoungF20 machine03:37
jamielennoxthat's pretty much the guide i was following anyway03:37
ayoungOK...I can get it tomorrow.  this has been trial and error, and I've been making progress.  Once I get this, its kerberize Horizon, then drop the form based auth03:38
jamielennoxayoung: heh that SO question was asked by gabriel hurley03:38
jamielennoxstack overflow03:38
jamielennoxyou can do some awesome and strange stuff with httpd03:39
*** ayoung is now known as ayoung-ZZZzzz__03:41
jamielennoxayoung: cya03:41
ayoung-ZZZzzz__BTW...its been a long year, hasn't it jamielennox ?03:42
*** ayoung-ZZZzzz__ has quit IRC03:42
jamielennoxyes and no03:42
*** chandan_kumar has joined #openstack-keystone03:59
*** chandan_kumar has quit IRC04:01
*** chandan_kumar has joined #openstack-keystone04:06
*** dstanek has joined #openstack-keystone04:28
*** dstanek has quit IRC04:33
stevemarjamielennox, thanks for replying to the ML04:38
jamielennoxstevemar: np04:38
stevemarjamielennox, have you seen this error before in a jenkins run? http://logs.openstack.org/69/83169/3/check/gate-keystone-python27/160e2d4/testr_results.html.gz04:39
jamielennoxstevemar: ah04:39
stevemarjamielennox, it looks like a nasty one04:42
stevemarthe patch doesn't touch the revocation code either04:42
stevemarso it's worrisome04:42
jamielennoxyea, 2 != 3 would imply that there is some sort of race or something04:42
stevemardid the parallel testing stuff get merged?04:43
stevemarah it did: https://review.openstack.org/#/c/83584/04:43
jamielennoxstevemar: it shouldn't matter - the database should be created per process04:44
jamielennoxalthough there was an in-mem testing thing recently04:44
*** gokrokve_ has joined #openstack-keystone04:50
*** topol has quit IRC04:51
*** stevemar has quit IRC04:51
*** gokrokve has quit IRC04:53
*** harlowja is now known as harlowja_away05:11
*** gyee has quit IRC05:20
openstackgerritAndrey Kurilin proposed a change to openstack/python-keystoneclient: Reuse module `exceptions` from Oslo  https://review.openstack.org/6889705:27
*** amerine has quit IRC05:27
*** zhiyan is now known as zhiyan_05:42
openstackgerritJenkins proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/8395506:00
*** saju_m has joined #openstack-keystone06:21
*** dstanek has joined #openstack-keystone06:27
*** dstanek has quit IRC06:31
*** flaper87|afk is now known as flaper8706:50
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Federated Protocols.  https://review.openstack.org/8382907:12
*** marekd|away is now known as marekd07:13
*** jamielennox is now known as jamielennox|away07:27
*** leseb has joined #openstack-keystone07:28
*** gokrokve_ has quit IRC07:40
*** gokrokve has joined #openstack-keystone07:41
*** gokrokve has quit IRC07:45
*** andreaf has joined #openstack-keystone08:37
*** zhiyan_ is now known as zhiyan08:38
*** saju_m has quit IRC08:43
*** saju_m has joined #openstack-keystone08:56
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Federated Protocols.  https://review.openstack.org/8382909:01
*** bvandenh has quit IRC09:10
*** gokrokve has joined #openstack-keystone09:16
*** jaosorior has joined #openstack-keystone09:20
*** gokrokve has quit IRC09:21
*** chandankumar_ has joined #openstack-keystone09:25
*** zoresvit has joined #openstack-keystone09:25
*** zoresvit has quit IRC09:29
*** dstanek has joined #openstack-keystone09:30
openstackgerritMarek Denis proposed a change to openstack/keystone: List all missing/forbidden attributes in the request body.  https://review.openstack.org/8438909:31
openstackgerritMarek Denis proposed a change to openstack/keystone: List all missing/forbidden attributes in the request body.  https://review.openstack.org/8438909:32
*** dstanek has quit IRC09:34
*** morganfainberg is now known as morganfainberg_Z09:46
*** gokrokve has joined #openstack-keystone09:47
*** zoresvit has joined #openstack-keystone09:50
*** gokrokve has quit IRC09:52
*** chandankumar_ has quit IRC09:54
*** david-lyle has quit IRC09:55
marekdbknudson: thought you could take a look at this patchset: https://review.openstack.org/#/c/84389/210:23
*** leseb has quit IRC10:32
*** leseb has joined #openstack-keystone10:32
*** leseb has quit IRC10:37
*** gokrokve has joined #openstack-keystone10:48
*** gokrokve has quit IRC10:53
*** leseb has joined #openstack-keystone11:01
*** leseb has quit IRC11:05
*** saju_m has quit IRC11:44
*** gokrokve has joined #openstack-keystone11:47
*** gokrokve has quit IRC11:52
openstackgerritJose Castro Leon proposed a change to openstack/keystone: Initial kerberos plugin implementation.  https://review.openstack.org/7431711:55
*** saju_m has joined #openstack-keystone11:57
*** leseb has joined #openstack-keystone11:57
*** saju_m has quit IRC12:02
*** leseb has quit IRC12:10
*** leseb has joined #openstack-keystone12:11
*** leseb has quit IRC12:16
*** RockKuo has quit IRC12:18
*** saju_m has joined #openstack-keystone12:21
*** dims has quit IRC12:22
*** saju_m has quit IRC12:23
*** leseb has joined #openstack-keystone12:26
*** dstanek has joined #openstack-keystone12:32
*** dims_ has joined #openstack-keystone12:34
*** dstanek has quit IRC12:36
*** saju_m has joined #openstack-keystone12:40
*** gokrokve has joined #openstack-keystone12:47
*** zoresvit has quit IRC12:51
*** gokrokve has quit IRC12:52
*** browne has joined #openstack-keystone12:53
openstackgerritFlorent Flament proposed a change to openstack/keystone: Sanitizes authentication methods received in requests.  https://review.openstack.org/8442512:56
*** zoresvit has joined #openstack-keystone12:59
*** zoresvit has quit IRC13:02
*** lbragstad has joined #openstack-keystone13:07
openstackgerritJose Castro Leon proposed a change to openstack/keystone: Initial kerberos plugin implementation.  https://review.openstack.org/7431713:07
*** dstanek has joined #openstack-keystone13:07
*** saju_m has quit IRC13:15
marekdlbragstad: around?13:16
lbragstadmarekd: hey, what's up?13:16
marekdlbragstad: hey, wanted to add you as a reviewer but gerrit compained about your l-p account. Anyways, you were moving check_immutabe_params() from federation controllers to general V3Controllers and I thought you might want to take a look at this: https://review.openstack.org/#/c/84389/ :-) Feel free to add yourself as a reviewer :-)13:17
lbragstadmarekd: sure thing! if you need to add me to thing you can use ldbragst@us.ibm.com13:18
marekdahh, now it works!13:19
marekdlbragstad: I was trying your full name and got @gmail.com results only...13:19
lbragstadyeah, I tied a second acct to it and it doesn't exactly work right13:20
lbragstadthis is good, before it only list the first attribute13:20
marekdlbragstad: yep, I think you discussed it with dolphm i think.13:20
lbragstadmarekd: yeah,13:20
marekdlbragstad: ok, i think so too - may make some people lifes easier.13:21
lbragstadmarekd: I agree, I was also working on using jsonschema to validate the request, but that was a little more involved.13:22
lbragstadI saw that Nova uses it when validating their V3 api13:22
marekdlbragstad: or Keystone when validating mapping rules.13:22
marekdlbragstad: do you have something already on gerrit/github?13:22
lbragstadnot yet, I had a little more free time so I started stringing a bunch of commits together, but that was before my schedule was filled with other commitments.13:23
marekdlbragstad: Unserstand.13:23
lbragstadIt was pretty cool though,13:24
lbragstadyou essentially would add a schema for a resource type (like trusts) and the schema would enforce the parameters being passed in13:24
*** ayoung has joined #openstack-keystone13:24
lbragstadand it almost looked like the notifications wrapper.13:24
marekdlbragstad: yeah.13:25
lbragstadyou just wrapped the method that needed validation13:25
lbragstadNova had a pretty good implementation13:25
* lbragstad digs for a link13:25
marekdlbragstad: you were planning to bake the jsonschema template in the code or load it dynamically from external, configurable files?13:25
lbragstadmarekd: when I originally just hacked it together it was baked in the code, and following the identify api spec13:26
lbragstadbut there could be other ways to do it too.13:26
lbragstadmarekd: https://github.com/openstack/nova/blob/master/nova/api/openstack/compute/plugins/v3/admin_password.py#L4013:28
lbragstadmarekd: and this would be the schema enforced https://github.com/openstack/nova/blob/master/nova/api/openstack/compute/schemas/v3/admin_password.py13:28
*** saju_m has joined #openstack-keystone13:29
marekdlbragstad: nice.13:36
*** joesavak has joined #openstack-keystone13:37
*** nkinder has quit IRC13:40
*** gokrokve has joined #openstack-keystone13:47
lbragstadmarekd: yeah its kinda cool, would've been handy for some of the api validation work bknudson was doing the endpoints (Is the 'enabled' field actaully a boolean?)...13:47
bknudsonwe need the api validation on all the resources and to not be trying to fix it piecemeal13:48
bknudsonthey're all incorrect at this point13:48
*** gokrokve_ has joined #openstack-keystone13:49
marekdbknudson: referring to lbragstad and my discussion now?13:49
bknudsonmarekd: yes13:50
marekdbknudson: hmmm, so what would you suggest?13:50
bknudsonwe should do what nova did.13:51
lbragstadthe jsonschema validation is pretty robust13:51
*** gokrokve has quit IRC13:52
lbragstadand, it's pretty simple to implement on new resources... So say someone adds a new extention to keystone. They have to be sure to add the schema the enforces the Create and Update (possibly Read), API requests, and then wrap those methods in their extention13:53
*** gokrokve_ has quit IRC13:54
bknudsonDELETE statement on table 'federation_protocol' expected to delete 1 row(s); 0 were matched.  Please set confirm_deleted_rows=False within the mapper configuration to prevent this warning.13:59
bknudsonEver seen that?13:59
marekdnope, where did you get that?14:00
*** stevemar has joined #openstack-keystone14:01
bknudsonwas running the tests.14:01
bknudsonit came from several tables14:01
marekdbknudson: all federation related?14:02
bknudsonno, they weren't all federation related14:02
*** topol has joined #openstack-keystone14:06
marekdbknudson: I assume you are going to try testsuite again to see if it will happen again...14:06
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Explicit foreign key indexes.  https://review.openstack.org/8444414:09
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Compatible server default value in the models.  https://review.openstack.org/8444514:09
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Corresponding `nullable` value.  https://review.openstack.org/8444614:09
openstackgerritIlya Pekelny proposed a change to openstack/keystone: federation_protocol unique constraint  https://review.openstack.org/8444714:09
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Make it possible to use multiprocess file locks  https://review.openstack.org/8444814:09
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Sync test_migrations  https://review.openstack.org/8061814:09
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Comparision of database models and migrations.  https://review.openstack.org/8063014:09
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Sync test_migrations  https://review.openstack.org/8061814:12
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Missed unique constraint  https://review.openstack.org/8444714:12
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Make it possible to use multiprocess file locks  https://review.openstack.org/8444814:12
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Comparision of database models and migrations.  https://review.openstack.org/8063014:12
*** saju_m has quit IRC14:14
openstackgerritRaildo Mascena de Sousa Filho proposed a change to openstack/keystone: Filter User by project  https://review.openstack.org/8413614:16
*** Chicago has quit IRC14:16
marekdstevemar: o/ Do you have some reference implementations for oauth (or similar) for the cli?14:17
*** kun_huang has joined #openstack-keystone14:20
*** sneezewort has joined #openstack-keystone14:20
openstackgerritJose Castro Leon proposed a change to openstack/python-keystoneclient: Initial kerberos plugin implementation.  https://review.openstack.org/7497414:26
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Comparision of database models and migrations.  https://review.openstack.org/8063014:26
*** nkinder has joined #openstack-keystone14:30
*** lbragstad has quit IRC14:32
*** lbragstad has joined #openstack-keystone14:33
*** david-lyle has joined #openstack-keystone14:35
*** kun_huang has quit IRC14:39
*** lbragstad has quit IRC14:40
*** kun_huang has joined #openstack-keystone14:41
dolphmanyone have time to try and reproduce this today? https://bugs.launchpad.net/keystone/+bug/1279000/comments/1214:42
uvirtbotLaunchpad bug 1279000 in glance "db migrate script to set charset=utf8 for all tables" [Medium,In progress]14:42
dolphmi'm guessing ubuntu is defaulting mysql to latin1?14:42
*** zoresvit has joined #openstack-keystone14:43
dolphmwe might need an exception in oslo.db for migrate_version, because i'm not sure we care about the charset of that table14:45
*** gokrokve has joined #openstack-keystone14:47
bknudsondo we use oslo.db?14:49
*** gokrokve has quit IRC14:51
*** gokrokve has joined #openstack-keystone14:53
*** ayoung has quit IRC14:56
bknudsonit's not in keystone requirements.txt14:56
*** thedodd has joined #openstack-keystone14:56
*** lbragstad has joined #openstack-keystone14:58
*** jroovers|afk has joined #openstack-keystone15:00
jroovers|afkhi all!15:00
*** jroovers|afk is now known as jroovers15:00
jrooversI've been looking at https://blueprints.launchpad.net/keystone/+spec/identity-providers15:00
jrooverswondering whether there is a wiki or something that has some instructions on how setup (in e.g. devstack)15:01
*** stevemar has quit IRC15:05
*** stevemar has joined #openstack-keystone15:05
*** kun_huang has quit IRC15:08
*** gordc has joined #openstack-keystone15:08
*** ayoung has joined #openstack-keystone15:09
*** kun_huang has joined #openstack-keystone15:11
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Federated Protocols.  https://review.openstack.org/8382915:12
*** chandankumar_ has joined #openstack-keystone15:12
*** browne has quit IRC15:13
*** RockKuo has joined #openstack-keystone15:18
*** stevemar has quit IRC15:21
*** stevemar has joined #openstack-keystone15:21
*** dstanek has quit IRC15:30
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Fedration Mapping Rules.  https://review.openstack.org/8374215:38
openstackgerritFlorent Flament proposed a change to openstack/keystone: Sanitizes authentication methods received in requests.  https://review.openstack.org/8442515:45
*** browne has joined #openstack-keystone15:45
*** gyee has joined #openstack-keystone15:49
*** leseb has quit IRC15:51
*** leseb has joined #openstack-keystone15:51
*** jsavak has joined #openstack-keystone16:01
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Federated Protocols.  https://review.openstack.org/8382916:02
*** joesavak has quit IRC16:04
*** jaosorior has quit IRC16:10
*** marekd is now known as marekd|away16:14
*** RockKuo has quit IRC16:17
*** gordc has left #openstack-keystone16:27
*** jroovers has quit IRC16:29
*** dtroyer has quit IRC16:29
*** stevemar2 has joined #openstack-keystone16:30
*** ayoung has quit IRC16:30
*** marcoemorais has joined #openstack-keystone16:30
*** dtroyer has joined #openstack-keystone16:30
*** stevemar has quit IRC16:33
*** leseb has quit IRC16:41
*** leseb has joined #openstack-keystone16:41
*** ayoung has joined #openstack-keystone16:45
*** leseb has quit IRC16:45
*** jordant has quit IRC16:48
*** dstanek has joined #openstack-keystone16:50
*** henrynash has joined #openstack-keystone17:01
*** afaranha has joined #openstack-keystone17:03
afaranhaHello, I have a question about keystone client.17:05
afaranhaI want to list all the projects that a user participates but I don't know which method I call to do this. In the API I only use this<user-id>/projects and get all the projects, is there a way to get this using the client. THank you?17:05
dolphmafaranha: i believe it's c.projects.list(user=user_id)17:11
*** harlowja_away is now known as harlowja17:14
*** kun_huang has quit IRC17:15
*** david-lyle is now known as david-lyle_afk17:17
afaranhadolphm: I think it's it, thank you17:17
*** browne1 has joined #openstack-keystone17:20
dolphmbknudson: i just meant keystone.openstack.common.db17:20
*** browne has quit IRC17:22
*** browne has joined #openstack-keystone17:23
*** browne1 has quit IRC17:26
*** zhiyan is now known as zhiyan_17:27
*** thedodd has quit IRC17:29
*** joesavak has joined #openstack-keystone17:29
*** morganfainberg_Z is now known as morganfainberg17:31
*** jsavak has quit IRC17:31
openstackgerritPablo Fernando Cargnelutti proposed a change to openstack/keystone: Moving delete_user and delete_group calls to IdentityManager  https://review.openstack.org/8036817:34
*** henrynash has quit IRC17:41
*** jsavak has joined #openstack-keystone17:44
ayoungdolphm, so, I was looking at running Keystone in the same HTTPD instance as Horizon (Devstack) and I came across an issue which lead to this:  https://blueprints.launchpad.net/horizon/+spec/share-the-web-server17:44
*** chandankumar_ has quit IRC17:46
ayoungmorganfainberg, that probably should have been for you ^^17:47
bknudsonayoung: on another project I worked on we had a redirect from / to the GUI -- e.g., redirect / to dashboard/17:47
ayoungbknudson, I accounted for that17:47
*** joesavak has quit IRC17:47
ayoungits pretty easy:  standard HTTPD install from RPMS puts in a welcome.conf that you modify and redirect / to /dashboard17:48
bknudsonayoung: we did - RewriteEngine On -- RewriteRule ^/$ https://%{SERVER_NAME}/dashboard/ [R=permanent,L] -- in the .conf file17:50
ayoungbknudson, also works17:50
ayoungbknudson, that is the joy of apache.17:50
morganfainbergayoung, hi17:51
*** amcrn has joined #openstack-keystone17:51
morganfainbergayoung, yeah i agree on that17:51
ayoungmorganfainberg, I think I have the answer to your "how do we run horizon and keystone in the same web server"17:51
ayoungread up17:51
morganfainbergayoung, the message to dolphm?17:52
morganfainbergayoung, and the bp?17:52
morganfainbergyeah that was what i was agreeing with17:52
ayoungmorganfainberg, I'm not there 100% yet, as I am working through SSL ification17:52
morganfainbergayoung, yeah that is the "fun" part17:52
morganfainbergayoung, but personally i like that approach17:53
morganfainbergdolphm, really ubuntu is installing the default as latin1?17:53
ayoungmorganfainberg, I need to get ascheme in place for each part of openstack having its own <Location> inside the config17:54
dolphmmorganfainberg: that's just my guess17:54
morganfainbergdolphm, i can stand up a clean 12.04 instance in about 3 minutes and tell you17:54
dolphmmorganfainberg: appreciated :)17:54
morganfainbergwell, it's a slightly older base of 12.04 but i'll apt update everything before installing mysql and see what is going on17:55
morganfainbergshouldn't change anything17:55
morganfainbergvagrant is awesome for this type of testing17:56
*** jamielennox|away is now known as jamielennox18:02
morganfainbergdolphm, looks like ubuntu doesn't override the characterset, and yes the default is latin1. boo18:04
*** jaosorior has joined #openstack-keystone18:11
dolphmmorganfainberg: is there any reason why the charset for migrate_version would ever matter?18:11
morganfainbergdolphm, sql-a migrate bitched at me at one point about non-utf8 lets chat post meeeting18:11
dolphmmorganfainberg: ack18:13
*** richm has joined #openstack-keystone18:20
openstackgerritRichard Megginson proposed a change to openstack/keystone: better handling for empty/None ldap values  https://review.openstack.org/7600218:29
*** jroovers has joined #openstack-keystone18:42
openstackgerritA change was merged to openstack/keystone: Remove _delete_tokens function from federation controller  https://review.openstack.org/8316918:47
*** thedodd has joined #openstack-keystone18:48
*** dstanek has quit IRC18:55
dolphmtopol: ayoung: yeah, nova is the obvious goal, but it might be nice to use another smaller project as a test case first19:01
dolphmlike a stackforge project19:01
gyeejamielennox, we need to sync up on helping other projects to integrate with keystoneclient. I am doing the same thing right now. Just went to make sure we don't duplicate the work.19:01
jamielennoxdolphm: also want to have a talk about https://review.openstack.org/#/c/81973/19:01
jamielennoxgyee: i'm mostly looking at other clients right now19:01
dolphmgyee: jamielennox: keep me in the loop!19:01
ayoungheaded home...back online in a few19:02
gyeedolphm, sure I'll add you as reviewer once I have the patch up19:02
*** ayoung has quit IRC19:02
jamielennoxtrying to iron out the changes between the various service catalog implementations and such19:02
dolphmgyee: ping me directly, my review queue in gerrit is too big19:02
gyeek :)19:03
dolphmjamielennox: now or at the summit? :)19:03
jamielennoxumm, don't know if it matters - it's not particularly urgent i guess19:03
topoldolphm, most important is we need to provide enough support (to Nova or whomever) so the transition is painless.     then the others can follow the path that was blazed19:03
gyeetopol, absolutely, otherwise, we won't make it out of the parking lot!19:04
dolphmtopol: ++19:07
dolphmtopol: that's literally my highest priority for juno (atm?)19:07
dolphmanyone know/remember what happened to our coverage job in august? https://jenkins.openstack.org/view/All/job/keystone-coverage/1325/console19:07
dolphmdid we just stop the job because it wasn't useful? ^19:08
*** gokrokve_ has joined #openstack-keystone19:10
*** gokrokve has quit IRC19:14
*** gyee has quit IRC19:14
*** gokrokve_ has quit IRC19:20
*** leseb has joined #openstack-keystone19:21
*** dstanek has joined #openstack-keystone19:32
*** gokrokve has joined #openstack-keystone19:46
*** jogo has left #openstack-keystone19:46
*** florentflament has quit IRC19:51
dolphmi had this one mis-tagged as icehouse-backport-potential, but it's an icehouse-rc-potential https://review.openstack.org/#/c/84425/19:55
*** marcoemorais has quit IRC19:59
*** marcoemorais has joined #openstack-keystone19:59
*** marcoemorais has quit IRC19:59
*** marcoemorais has joined #openstack-keystone20:00
bknudsondolphm: we get coverage in post -- http://logs.openstack.org/b8/b803fe85ba53a9c666b9badd0923502fcb5c3b0e/post/keystone-coverage/07cc472/cover/20:00
dolphmbknudson: ah perfect -- i've seen this fairly recently but couldn't recall if it was on openstack.org or not -- thanks!20:01
*** marcoemorais1 has joined #openstack-keystone20:02
*** marcoemorais has quit IRC20:04
morganfainbergdolphm, so i haven't tried running migrations w/o setting ?charset=utf8 directly20:05
morganfainbergdolphm, i'll try that in a moment (w/o the charset on the connection string)20:06
*** ayoung has joined #openstack-keystone20:07
ayoungdstanek, would you expect https://review.openstack.org/#/c/71181/  to pass now?  I haven't looked at your last change20:21
jamielennoxdolphm: can/should we have another repo for auth plugins?20:22
dstanekayoung: not sure, it passed all unit test, but appeared to fail on all other tests20:22
ayoungyeah, grenade, something about tempest20:23
ayoungdstanek, not sure that just bringing it back and rebasing will trigger a jenkins run20:23
jamielennoxfor jose's kerberos plugin and new things like that, keystoneclient has pluggable auth, keystone has more or less pluggable auth, can we have a keystone-kerberos package that contains both sides of that?20:23
*** florentflament has joined #openstack-keystone20:24
*** gyee has joined #openstack-keystone20:24
dstanekayoung: actually this may have been the failure on at least one of the test runs: [ERROR] ./grenade.sh:275 Failure in upgrade-tempest20:24
ayoungdstanek, saw that, but not looked at the details20:24
dstanekayoung: maybe there way an independent issue that's gone now20:24
ayoungyeah, that is what I am hoping20:25
*** leseb has quit IRC20:27
*** leseb has joined #openstack-keystone20:27
dolphm"nice work to the whole keystone team" -russelb20:27
*** leseb has quit IRC20:32
bknudsondolphm: they're going to let us stick around?20:32
morganfainbergbknudson, heh20:34
morganfainbergpip install -e .20:35
morganfainbergdamn it20:35
dolphmbknudson: for now :)20:37
morganfainbergdolphm, pip freeze shows jsonschema==2.3.0 installed20:38
dstanekbknudson: why use patch object instead of just patch?20:38
morganfainbergdolphm, keystone-manage raises pkg_resources.DistributionNotFound: jsonschema>=2.0.0,<3.0.020:38
morganfainbergdolphm, clean precise install.20:38
* morganfainberg debugs further20:38
bknudsondstanek: I'd expect the string to be shorter since it'll mostly be in the import20:39
morganfainbergsomehow repoze.lru isn't installed20:41
dstanekbknudson: in most of the cases where i used patch i got rid of the import depencency - your saying you'd rather see that added back in?20:41
morganfainbergwhich seems to be a requirement for routes.mapper?20:41
morganfainbergbknudson, dolphm, ^20:41
morganfainbergany ideas on why repose.lru would be missing?20:42
morganfainbergbesides maybe broken deps on routes package20:42
bknudsondstanek: I'd rather the import was there if the module is using it.20:42
morganfainbergwhich means we might want/need to get repoze.lru in global reqs so this isn't broken?20:42
bknudsondstanek: I get help from my editor for symbols... with strings I wouldn't get any help20:43
*** jroovers has quit IRC20:43
dstanekbknudson: when you say using it do you mean directly in the test code or somewhere under the hood?20:43
dstanekah, i see - i can add that back in for you. if the code i'm patching isn't used directly by the test i normally don't import it just to patch it20:44
bknudsondstanek: the test is going to require that the module can be imported, isn't it?20:44
*** dims_ has quit IRC20:44
*** stevemar2 is now known as stevemar20:44
dstanekbknudson: in many cases the test doesn't directly use the module - some the test is using uses it20:45
dolphmmorganfainberg: packaging issue?20:45
dolphmmorganfainberg: ... me is catching up ...20:45
bknudsondstanek: is there any situation where you'd do a patch.object?20:45
bknudsonI always just thought it was easier, and made sure that the package was imported.20:46
morganfainbergdolphm, this is an issue with pip -U20:46
morganfainbergdolphm, it doesn't update repoze in all cases when installing mapper20:46
morganfainbergdolphm, https://bugs.launchpad.net/cinder/+bug/1270602 this is the exact issue20:46
uvirtbotLaunchpad bug 1270602 in cinder "repoze.lru not installed in test venv" [Undecided,Invalid]20:46
dstanekbknudson: with imports required at the top of modules the thing being patched would be imported already - in the past i've rarely used patch.object - but i can switch that if it makes it easier for the ide20:47
morganfainbergdolphm, in theory, the best way to solve this would be to shove that in our requirements file.20:47
morganfainbergdolphm, but eh.20:47
morganfainbergdolphm, but i'm still unable to run keystone-manage20:48
morganfainberggetting jsonschema not found20:48
morganfainbergdolphm, ok interesting. can't use -e in some cases with pip ... moving on20:50
morganfainbergdolphm, 2014-04-01 13:50:59.122 19795 CRITICAL keystone [-] ValueError: Tables "migrate_version" have non utf8 collation, please make sure all tables are CHARSET=utf820:51
morganfainbergdolphm, yep can't migrate w/o the table being utf820:51
bknudsonmorganfainberg: where is that raised from?20:51
morganfainbergbknudson, keystone-manage --config-file ./etc/keystone.conf.sample db_sync20:52
morganfainbergbknudson, where the sample config was modified to use local mysql precise clean install20:52
morganfainbergbknudson, which defaults to latin1 table charsets20:52
morganfainbergand sql-a migrate doesn't explicitly set utf820:53
bknudsonbut it's only the one table20:53
morganfainbergso the migration_version table is latin120:53
bknudsonmorganfainberg: but your tables are actually migrated?20:54
morganfainbergwhich means we can't migrate if the charset isn't utf8 explicitly in the my.cnf or on the conneciton stirng20:54
bknudsonThe schema should be ok?20:54
*** leseb has joined #openstack-keystone20:54
morganfainbergbknudson, http://pasteraw.com/tqkqhinj78b7c7d4lkmb76pep2c4dhd20:54
morganfainbergbknudson, nope20:54
morganfainbergbknudson, it bails before making any tables20:54
*** marcoemorais1 has quit IRC20:55
morganfainbergbknudson, http://pasteraw.com/5epv3qgcya26msrw7b2hzbb31dr0bln20:55
*** florentflament has quit IRC20:55
bknudsonI see... it checks first20:55
bknudsonbut not afterwards.20:55
*** marcoemorais has joined #openstack-keystone20:55
*** marcoemorais has quit IRC20:55
*** marcoemorais has joined #openstack-keystone20:56
*** marcoemorais has quit IRC20:56
bknudsonmorganfainberg: my opinion is that the migrate_version table should be ignored.20:56
morganfainbergbknudson, i agree20:56
bknudsonin the sanity check20:56
*** marcoemorais has joined #openstack-keystone20:56
morganfainbergbknudson, it is a SQLA migrate table, we shouldn't care what the charset there is20:57
morganfainbergbknudson, it's not something we control.20:57
dolphmmorganfainberg: ooh, what is ubuntu using for the connection string??20:58
morganfainbergbknudson, want me to go poke the oslo guys and see about a concurrent change. also is this an RC2 issue? cc dolphm20:58
dolphmmorganfainberg: maybe that's the easiest fix20:58
morganfainbergdolphm, i use ?charset=utf8 in all my deployments20:58
morganfainbergdolphm, that solves it.20:58
morganfainbergor ... i think it does20:58
* morganfainberg checks20:58
dolphmmorganfainberg: it should20:58
morganfainbergdolphm, nope20:59
morganfainbergdolphm, this looks like it requires a my.cnf change20:59
morganfainbergin the[mysqld] section20:59
morganfainbergdolphm, ubuntu uses the mysql default charset of latin1 in the default install.21:00
*** david-lyle_afk is now known as david-lyle21:01
*** henrynash has joined #openstack-keystone21:05
*** marcoemorais has quit IRC21:08
*** marcoemorais has joined #openstack-keystone21:08
openstackgerritDavid Stanek proposed a change to openstack/keystone: Cleanup of test_cert_setup tests  https://review.openstack.org/8455021:12
bknudsonmorganfainberg: how do you create the db?21:12
morganfainbergbknudson, hm...21:12
bknudsonmorganfainberg: http://git.openstack.org/cgit/openstack-dev/devstack/tree/lib/databases/mysql#n4221:12
morganfainbergbknudson, hmm.21:13
morganfainbergbknudson, to be fair that is just as bad as needing to do a my.cnf change21:13
morganfainbergbknudson, so yeah that fixes it... this should really be a non-issue if we are not enforcing this (we make all our tables utf8 explicitly everywhere else)21:17
morganfainbergerm if we are enforcing this.21:17
openstackgerritDavid Stanek proposed a change to openstack/keystone: Removes useless wrapper from manager base class  https://review.openstack.org/8455321:19
bknudsonmorganfainberg: is there a way to convert the table to utf8?21:19
morganfainbergbknudson, sure. it's an alter command21:19
bknudsonmorganfainberg: is this an upgrade or a new install?21:19
morganfainbergbknudson, new install. but this is a bug report21:20
morganfainbergbknudson, not my personal install21:20
morganfainbergbknudson, i was just duplicating it21:20
morganfainbergbknudson, https://bugs.launchpad.net/keystone/+bug/1279000/comments/1221:20
uvirtbotLaunchpad bug 1279000 in oslo "db migrate script to set charset=utf8 for all tables" [High,Fix committed]21:20
bknudsonmorganfainberg: on a new install, I don't see any problem with asking them to create their database with utf8.21:22
dstanekanyone here good with debian packaging?21:23
morganfainbergbknudson, that is in the same category of saying "go change my.cnf to make utf8 the default"21:23
morganfainbergbknudson, it's not well documented and we shouldn't error because SQLA-Migrate does something different than anything else21:24
bknudsonmorganfainberg: a better error message would be useful.21:24
morganfainbergbknudson, ++ that too.21:24
bknudsonmorganfainberg: I'm still a little worried about the upgrade case...21:24
morganfainbergbknudson, going to raise this at the release meeting as well in a moment21:24
morganfainbergbknudson, it might be a simple document it, it might be a fix the oslo code21:24
morganfainbergit might be something else21:24
bknudsonmorganfainberg: seems like you'd be able to create havana schema and wouldn't be able to upgrade21:26
morganfainbergbknudson, shouldn't be an issue21:26
morganfainbergbknudson, migration 004 should fix all tables iirc21:26
morganfainbergfor us at least21:26
bknudsonmigration 4 was havana?21:26
morganfainbergother projects unsure21:26
morganfainbergno, we fixed this issue back when we fixed all other tables21:27
morganfainbergwe migrate from 0 though. vs a squashed migration like nova21:27
bknudsonok, so havana schema would have the migrate table utf821:28
morganfainbergbknudson, currently yes21:28
morganfainbergbknudson, i think21:30
morganfainbergbknudson, i'm not finding it though.... uhoh21:30
*** henrynash has quit IRC21:31
bknudsonmorganfainberg: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/sql/migrate_repo/versions/005_set_utf8_character_set.py#n24 ?21:31
morganfainbergi'm not seeing the migrate_version table in there21:31
*** jaosorior has quit IRC21:40
openstackgerritA change was merged to openstack/python-keystoneclient: Replace auth fragements with identity_uri  https://review.openstack.org/7749121:40
openstackgerritA change was merged to openstack/python-keystoneclient: Rename request_uri to identity_uri  https://review.openstack.org/7774821:40
openstackgerritA change was merged to openstack/keystone: support conventional domain name with one or more dot  https://review.openstack.org/7982921:44
openstackgerritA change was merged to openstack/keystone: Fix create_region_with_id raise 500 Error bug  https://review.openstack.org/7581621:44
*** lbragstad has quit IRC21:45
*** topol has quit IRC21:49
*** stevemar has quit IRC21:49
*** jsavak has quit IRC21:50
*** dstanek has quit IRC21:52
*** openstackgerrit has quit IRC21:54
*** browne has quit IRC21:54
*** dstanek has joined #openstack-keystone22:01
*** dims_ has joined #openstack-keystone22:06
*** dstanek has quit IRC22:14
*** leseb has quit IRC22:14
*** leseb has joined #openstack-keystone22:15
*** dims_ has quit IRC22:18
*** leseb has quit IRC22:19
*** dims_ has joined #openstack-keystone22:36
*** nkinder has quit IRC22:40
*** dstanek has joined #openstack-keystone22:40
*** thedodd has quit IRC22:43
*** richm has quit IRC22:50
*** sneezewort has quit IRC23:00
*** gokrokve has quit IRC23:12
*** david-lyle has quit IRC23:20
*** nkinder has joined #openstack-keystone23:37
*** dstanek has quit IRC23:46
*** flaper87 is now known as flaper87|afk23:57
*** RockKuo has joined #openstack-keystone23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!