Wednesday, 2014-04-02

*** dstanek has joined #openstack-keystone00:14
*** openstackgerrit has joined #openstack-keystone00:30
*** RockKuo has quit IRC00:42
*** marcoemorais has quit IRC01:21
*** zhiyan_ is now known as zhiyan01:32
*** mberlin1 has joined #openstack-keystone01:57
*** dims_ has quit IRC01:57
*** dims_ has joined #openstack-keystone01:58
*** mberlin has quit IRC01:58
ayoungjamielennox, I made one of those mistakes you make when you play as admin:  I de-allocated the keytab for HTTP on the IPA server02:04
ayounghaving a hard time figuring out how to get it set up correctly again02:04
jamielennoxayoung: heh - i'm certainly not the one to ask02:05
ayoungjamielennox, I know...just figured you'd enjoy the irony02:05
*** Chicago has joined #openstack-keystone02:05
jamielennoxso does it work with both running in httpd?02:05
ayoungjamielennox, this is the IPA server02:06
ayoungOh yeah I got that working02:06
ayoungI ned to create a WSGI group for each02:06
jamielennoxwhat we were talking about yesterday02:06
ayoungso two for horizon and 3 for keystone.  main, admin and krb02:07
ayoungI was trying to provision a Kerberos keytab for the horizon server, accidentally re-request a keytab for the IPA server02:07
ayoungand now I have two broken keytabs02:07
ayoungI went back to the IPA server and ran:02:07
ayoungipa-getkeytab -s $HOSTNAME -p HTTP/  -k /tmp/ipa.keytab02:08
ayoungthen mv /tmp/ipa.keytab /etc/http/conf  which is where it seems to go, chowned it...but some permission problem02:08
ayoungdid a restorecon just for luck02:08
ayounghell, I'll restart apache just for grins02:10
jamielennoxayoung: filed cross-project summit session:
jamielennoxnot particularly happy with the wording but at least it's there02:12
ayoungjamielennox, looks good.  You can continue to wordsmith02:12
*** stevemar has joined #openstack-keystone02:16
*** stevemar has quit IRC02:16
*** stevemar has joined #openstack-keystone02:17
*** amcrn has quit IRC02:21
jamielennoxayoung: want to do some simple +a's for me ?02:22
ayoungNo  I want to unf(*&^ my server02:22
ayoungjamielennox, in a minute02:24
jamielennoxayoung: it's fine, just messing with some stuff that they are useful for02:24
ayoungpost the links here and I'll get to them shortly02:25
nkinderayoung: I added you to an OSSN review for a bug you are familiar with -
*** stevemar has quit IRC02:27
nkinderayoung: take note that OSSNs are now being reviewed in gerrit!02:27
ayoungnkinder, you know anything about Kerberos and HTTPD?02:27
ayoungnkinder, yeah I saw that02:27
ayoungnkinder, I messed up the ipa.keytab file for my ipa server02:27
nkinderayoung: I might...  Depends...02:27
nkinderdefine messed up02:28
ayoungI have  a new keytab, and I checked that I can use it to kinit  like this02:28
nkinderkinit -kt ...02:28
nkinderso that works?02:28
ayoung kinit -V -k -t /tmp/ipa.keytab  HTTP/
ayoungso i did02:28
ayoung sudo mv /tmp/ipa.keytab /etc/httpd/conf/ipa.keytab02:28
ayoungsudo chown apache:apache /etc/httpd/conf/ipa.keytab02:29
ayoungbut if I try to do any Kerberos operations against the server I get02:29
nkinderls -lZ /etc/httpd/conf/ipa.keytab02:29
nkinderwhat's the selinux context?02:29
nkindermv is evil02:29
ayoungOK, just did a restorecon02:29
ayoung[Wed Apr 02 02:29:41.560955 2014] [auth_kerb:error] [pid 15593] [client] gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information (, Wrong principal in request), referer:
ayoungneew ERROR!02:30
nkinderok, so the old error was something else?02:31
ayoungnkinder, yeah, could not get auth for ...02:31
nkinderayoung: ok, one step forward then02:31
nkinderayoung: did you muck with the hostname for this system?02:31
*** RockKuo has joined #openstack-keystone02:32
ayoungI just looked in the kdc log02:32
nkinderayoung: you restarted httpd after fixing the selinux context?02:32
ayoung  was triggered by my last apache request02:32
nkinderheh, kdc log was my next question02:32
ayoungbefore I was geting this, no longer :   [Wed Apr 02 02:12:50.525805 2014] [auth_kerb:error] [pid 14523] [client] Failed to obtain credentials for principal HTTP/ Generic preauthentication failure (-1765328174), referer:
nkinderayoung: ok, kdc is fine from it's point of view02:33
ayounglet me kdestroy on the web browerser machine02:34
nkinderit's issuing a ticket, but it's up to the client to decrypt it at that point.02:34
ayoungnkinder, I think it was a bad service ticket02:35
ayoungkdestroy/kinit seemed to  fix things02:35
nkinderayoung: it's happy now?02:35
ayoungthat was nasty02:35
nkindercool.  Stop using mv02:35
ayoungnkinder, heh,  I did  a restorecon on an earlier attempt, but I think I had the principal wrong02:36
ayoungI was operating as the "fedora" user, not as root, so I didn't want to allocate in place:  didn't have perms in /etc/httpd/conf02:36
ayoungOK..last thing...let me try this on the horizon boxz02:36
nkinderayoung: I filed a bug on that 500 error when no headers were present for a v2 token request.02:36
nkinderayoung: ...then I tried to reproduce it on Havana, and it works fine.02:37
nkinderayoung: looks like we fixed it since Essex02:37
nkinderayoung: yeah, the bugs that resolve themselves are great02:37
ayoungthings that go away by themselves come back by themselves, I've found02:38
*** gyee has quit IRC02:39
ayoungnkinder, OK, same general problem on SELinux (Permisive) getting a  Permission denied.   I just did the kini from the CLI and its ok...keystab here is owned by fedora:wheel02:40
ayounglet me make sure I have the filename right02:40
nkinderayoung: this is the keytab for httpd?02:41
ayoungnkinder, yeah...I htink the problem is not the keytab02:41
nkinderayoung: who does httpd run as?02:41
ayoung[Wed Apr 02 02:41:43.753084 2014] [auth_kerb:error] [pid 13277] [client] Failed to obtain credentials for principal HTTP/ Generic preauthentication failure (-1765328174)02:42
ayoung[Wed Apr 02 02:41:43.768572 2014] [auth_kerb:error] [pid 13277] [client] gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information (, Permission denied)02:42
ayoungfedora:wheel under devstack02:42
ayoungI lied02:42
ayoungthat is the wsgi app...02:42
nkindershould be owned by apache02:42 diff though02:43
ayoungheh pebcak02:43
ayoungYeah, helps the chown the right file02:44
ayoungI'm good.02:44
*** lbragstad has joined #openstack-keystone02:45
ayoungjamielennox, you were first in the queue02:45
nkinderayoung: so horizon is working now?02:45
ayoungnkinder, you need to put  some sort of check on the Gerrit.  You are going to get a slew of "whitespace" reviews.  If there is red on a review, its like the reveiwers can't see anything else02:46
ayoungnkinder, yeah, horizon is kerberosed...still using the user-id password, too.  But baby steps02:46
ayoungI'll  start the real work now...02:46
nkinderayoung: yeah, checks are needed....02:47
nkinderayoung: new patch coming...02:47
ayoungnkinder, its OK,  I've already +1ed and noted the whitespace.02:48
ayoungtreat my +1 as sticky, or I can hit it again if you need02:48
ayoungjamielennox, what did you need +As on?02:51
jamielennoxayoung: um02:53
jamielennoxthey are all really easy02:55
jamielennoxand all have a +2 on them02:55
jamielennoxand the last one lets me close off a blueprint02:55
*** david-lyle has joined #openstack-keystone02:56
ayoungjamielennox, done02:57
jamielennoxthat was fast02:57
ayoungjamielennox, I'd looked at most of them at some point02:57
jamielennoxyea - and the hard parts had all been done for them02:58
jamielennoxcool - and you got the keystone one i missed as well02:58
ayoungnkinder, BTW, I ended up publishing the PKI blog post03:00
ayoung  jamielennox you might be interested as well03:01
nkinderayoung: cool.  I'm working on a post for "ssl everywhere" stuff03:01
ayoungwe really need certmonger to play well with that03:01
ayoungand that means educating other CA's how to register and fetch03:02
jamielennoxayoung: finishing listening in on a meeting, but i'll have a look soon03:03
jamielennoxi am definetly interested - i don't think there is such a problem with signing03:03
jamielennoxit's just a question of key distribution and group membership03:04
ayoungwe can discuss...I'm fading03:04
*** david-lyle has quit IRC03:14
*** dims_ has quit IRC03:15
*** dims_ has joined #openstack-keystone03:18
*** vilobhmm has joined #openstack-keystone03:18
*** harlowja is now known as harlowja_away03:24
jamielennoxayoung: is the point to start trying to tie it to LDAP?03:30
jamielennoxi've always had LDAP as a possible backend for KDS - though i'm not sure that works for symmetric keyst03:30
*** morganfainberg is now known as morganfainberg_Z03:34
*** marcoemorais has joined #openstack-keystone04:01
*** marcoemorais has quit IRC04:03
openstackgerritA change was merged to openstack/python-keystoneclient: Sync config fixture object from oslo.incubator
*** marcoemorais has joined #openstack-keystone04:40
openstackgerritA change was merged to openstack/keystone: Make service catalog include service name
*** jamielennox is now known as jamielennox|away05:55
openstackgerritJenkins proposed a change to openstack/keystone: Imported Translations from Transifex
*** vilobhmm has quit IRC06:06
*** henrynash has joined #openstack-keystone06:06
*** jamielennox|away is now known as jamielennox06:11
*** jaosorior has joined #openstack-keystone06:21
*** lbragstad has quit IRC06:28
*** saju_m has joined #openstack-keystone06:39
*** lbragstad has joined #openstack-keystone06:39
*** flaper87|afk is now known as flaper8707:14
*** marekd|away is now known as marekd07:24
*** jroovers has joined #openstack-keystone07:26
*** marcoemorais has quit IRC07:27
*** zhiyan is now known as zhiyan_07:35
*** saju_m has quit IRC07:42
*** florentflament has joined #openstack-keystone07:43
*** jroovers|afk has joined #openstack-keystone07:46
*** jroovers has quit IRC07:49
*** jroovers|afk has quit IRC07:50
*** jroovers has joined #openstack-keystone07:51
*** saju_m has joined #openstack-keystone07:52
*** zoresvit has quit IRC07:56
*** zoresvit has joined #openstack-keystone07:59
*** leseb has joined #openstack-keystone08:09
openstackgerritJose Castro Leon proposed a change to openstack/keystone: Initial kerberos plugin implementation.
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Identity Providers.
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Fedration Mapping Rules.
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Identity Providers.
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Federated Protocols.
*** saju_m has quit IRC08:48
*** saju_m has joined #openstack-keystone08:49
*** roeyc has joined #openstack-keystone08:50
openstackgerritA change was merged to openstack/python-keystoneclient: Tests should use identity_uri by default
*** chandankumar_ has joined #openstack-keystone08:59
*** leseb has quit IRC09:01
*** leseb has joined #openstack-keystone09:02
*** leseb_ has joined #openstack-keystone09:04
*** leseb has quit IRC09:07
openstackgerritJose Castro Leon proposed a change to openstack/python-keystoneclient: Initial kerberos plugin implementation.
*** saju_m has quit IRC09:24
*** saju_m has joined #openstack-keystone09:26
*** saju_m has quit IRC09:31
*** saju_m has joined #openstack-keystone09:42
*** henrynash has quit IRC09:45
*** jaosorior has quit IRC09:50
*** leseb_ has quit IRC10:03
*** leseb has joined #openstack-keystone10:04
*** jroovers has quit IRC10:04
*** jroovers|afk has joined #openstack-keystone10:04
*** leseb has quit IRC10:08
*** chandankumar_ has quit IRC10:11
*** leseb has joined #openstack-keystone10:18
*** jroovers has joined #openstack-keystone10:18
*** jroovers|afk has quit IRC10:22
*** leseb has quit IRC10:22
*** RockKuo_iPad has joined #openstack-keystone10:29
*** RockKuo_iPad has quit IRC10:30
*** RockKuo_iPad has joined #openstack-keystone10:30
*** RockKuo_iPad has quit IRC10:32
*** RockKuo_iPad has joined #openstack-keystone10:33
*** leseb has joined #openstack-keystone10:34
*** leseb_ has joined #openstack-keystone10:36
*** leseb has quit IRC10:38
*** leseb_ has quit IRC10:41
*** kun_huang has joined #openstack-keystone10:41
*** RockKuo_iPad has quit IRC10:42
*** roeyc has left #openstack-keystone10:42
*** RockKuo has quit IRC10:47
*** zoresvit has quit IRC11:07
*** openstackgerrit has quit IRC11:08
*** openstackgerrit has joined #openstack-keystone11:08
*** leseb has joined #openstack-keystone11:11
*** leseb has quit IRC11:15
*** flaper87 has left #openstack-keystone11:19
*** kun_huang has quit IRC11:44
*** leseb has joined #openstack-keystone11:44
*** topol has joined #openstack-keystone11:59
*** henrynash has joined #openstack-keystone12:03
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Fedration Mapping Rules.
*** dims_ has quit IRC12:13
*** bknudson has quit IRC12:13
*** saju_m has quit IRC12:17
*** kun_huang has joined #openstack-keystone12:26
*** dims_ has joined #openstack-keystone12:27
*** bknudson has joined #openstack-keystone12:33
openstackgerritJose Castro Leon proposed a change to openstack/python-keystoneclient: Initial kerberos plugin implementation.
*** chandankumar_ has joined #openstack-keystone12:39
*** saju_m has joined #openstack-keystone12:48
*** kun_huang has quit IRC12:50
*** chandankumar_ has quit IRC12:51
*** kun_huang has joined #openstack-keystone12:54
*** chandan_kumar has quit IRC12:55
*** henrynash has quit IRC12:59
*** henrynash has joined #openstack-keystone13:09
*** henrynash has quit IRC13:15
*** leseb has quit IRC13:17
*** leseb has joined #openstack-keystone13:17
*** leseb has quit IRC13:22
*** stevemar has joined #openstack-keystone13:24
*** leseb has joined #openstack-keystone13:25
*** joesavak has joined #openstack-keystone13:27
*** RockKuo has joined #openstack-keystone13:32
dolphmi'd like to backport this to milestone-proposed if anyone can review the master patch :)
*** saju_m has quit IRC13:36
*** dstanek has quit IRC13:40
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Example Initialization scripts
*** chandan_kumar has joined #openstack-keystone13:49
ayoungdolphm, looks like a bug13:52
ayoungdropped  or []13:52
ayoungit could be13:53
dolphmayoung: i noticed that as well - i didn't comment on it because i couldn't think of a scenario where methods would be expected to be anything else13:53
ayoungI would like to keep the "methods" collection optional for the external case.13:54
dolphmayoung: 'methods': '' or 'methods': null or 'methods': 0 would all behave differently with .get('methods', []) vs ['methods'] or []13:54
ayoungah, true13:55
dolphmayoung: what is methods in the external case, if not 'methods': ['external'] ?13:55
ayoungdolphm, I don't think that is currently required13:55
ayoungdolphm, link in a sec13:56
ayoungdolphm, external does not look at the body of the request except I think to get the project13:57
ayoungdolphm, I'm actually just testing out Jose's Kerberos patch.  I don;t think he adds 'external' in there14:01
bknudsonmethods wasn't optional14:02
bknudsonyou'd get a KeyError if methods wasn't in auth['identity']14:02
bknudsonI guess it would turn an empty string into a list14:03
bknudsondolphm: I had a couple of comments on, but I think it's good as is.14:05
*** dstanek has joined #openstack-keystone14:06
*** richm has joined #openstack-keystone14:14
dolphmbknudson: replied to both your comments14:17
dolphmbknudson: in short, order matters from a spec perspective, but we're not taking advantage of that today (AFAIK?)14:17
bknudsondolphm: maybe calls with duplicated methods should be rejected?14:18
bknudsonas in a 403 Forbidden14:18
bknudsonbecause I don't think we know what they meant... if the order matters14:19
dolphmbknudson: i was just about to say it could be a 40014:19
bknudsonI'm also fine with this as is... so I'll +a14:20
bknudsonunless someone else is looking at it?14:20
ayoungdolphm, UGh.  So, in reviewing Jose's compiler patch, I see a python33 failure that is probably not something we can work around.  ImportError: No module named 'compiler'   in the request-kerberos module.  I'm guessing requests-kerberos is not Py3314:30
ayoung   yep   "Actually, we don't support 3.3."14:31
dolphmayoung: what's compiler?14:31
dolphmayoung: fixed since hte last release?14:32
*** chandankumar_ has joined #openstack-keystone14:40
*** david-lyle has joined #openstack-keystone14:43
ayoungdolphm, cool.  I'll submit the change to add requests-kerberos to global requirements, too14:45
ayoungdolphm, although...I guess I should do >=  next release?14:46
ayoungcurrent looks like 0.4, so would it make sense to d14:47
*** thedodd has joined #openstack-keystone14:50
dolphmayoung: not sure that would pass gating for openstack/requirements as it couldn't be mirrored14:54
*** doddstack has joined #openstack-keystone14:54
ayoungdolphm, I'll hold off on it until the upstream is released14:54
dolphmayoung: maybe propose and leave as WIP if you want to wait until 0.5 is released14:54
stevemarayoung, let jose know in the form of a comment :O14:54
ayoung  stevemar I did.  But I can't seem to add him to this review14:56
*** thedodd has quit IRC14:57
stevemarayoung, i just didit for ya14:58
*** d0ugal has joined #openstack-keystone15:03
*** _TheDodd_ has joined #openstack-keystone15:05
*** david_lyle_ has joined #openstack-keystone15:07
*** doddstack has quit IRC15:07
*** dklyle has joined #openstack-keystone15:08
*** dklyle has quit IRC15:10
*** dklyle has joined #openstack-keystone15:10
*** david-lyle has quit IRC15:10
*** dklyle is now known as david-lyle15:11
*** david_lyle_ has quit IRC15:11
*** dstanek has quit IRC15:20
*** openstackgerrit has quit IRC15:21
*** openstackgerrit has joined #openstack-keystone15:21
*** leseb has quit IRC15:28
*** leseb has joined #openstack-keystone15:28
*** gokrokve has joined #openstack-keystone15:30
*** jsavak has joined #openstack-keystone15:32
*** leseb has quit IRC15:33
*** joesavak has quit IRC15:35
*** ilives has joined #openstack-keystone15:36
*** joesavak has joined #openstack-keystone15:36
*** jsavak has quit IRC15:39
*** leseb has joined #openstack-keystone15:40
*** Vic has joined #openstack-keystone15:51
*** topol has quit IRC15:54
*** marekd is now known as marekd|away15:56
*** zhiyan_ is now known as zhiyan15:59
*** jsavak has joined #openstack-keystone16:01
*** joesavak has quit IRC16:05
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Sync test_migrations
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Redundant unique constraint
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Corresponding `nullable` value.
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Compatible server default value in the models.
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Explicit foreign key indexes.
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Make it possible to use multiprocess file locks
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Comparision of database models and migrations.
*** chandankumar_ has quit IRC16:20
openstackgerritA change was merged to openstack/keystone: Sanitizes authentication methods received in requests.
*** mberlin has joined #openstack-keystone16:30
*** d0ugal has quit IRC16:30
*** leseb has quit IRC16:30
*** leseb has joined #openstack-keystone16:31
*** mberlin1 has quit IRC16:31
*** d0ugal has joined #openstack-keystone16:32
*** d0ugal has quit IRC16:33
bknudsonI forgot about trusts when we were talking about V3 features that other projects could use16:35
bknudsonI think heat is using them already16:35
*** leseb has quit IRC16:35
bknudsonand nova probably should be... nova has an issue where if it takes a long time to boot an image and using neutron it will fail.16:35
bknudsondue to their token expiring16:36
*** marcoemorais has joined #openstack-keystone16:36
*** Vic has quit IRC16:41
*** ilives has quit IRC16:42
*** bknudson has quit IRC16:47
*** zhiyan is now known as zhiyan_16:51
*** gokrokve has quit IRC16:52
*** jroovers has quit IRC16:56
*** leseb has joined #openstack-keystone17:02
*** gokrokve has joined #openstack-keystone17:06
*** afaranha has left #openstack-keystone17:15
*** morganfainberg_Z is now known as morganfainberg17:23
*** huats_ has quit IRC17:26
*** huats has joined #openstack-keystone17:27
*** harlowja_away is now known as harlowja17:35
*** gokrokve_ has joined #openstack-keystone17:37
*** gokrokve has quit IRC17:38
*** jroovers has joined #openstack-keystone17:48
*** jroovers|afk has joined #openstack-keystone17:50
*** topol has joined #openstack-keystone17:52
*** jroovers has quit IRC17:53
*** _TheDodd_ has quit IRC17:55
*** leseb has quit IRC17:55
*** afaranha has joined #openstack-keystone17:56
*** bknudson has joined #openstack-keystone18:02
*** kun_huang has quit IRC18:02
*** patelna has joined #openstack-keystone18:05
*** vilobhmm_ has joined #openstack-keystone18:07
*** leseb has joined #openstack-keystone18:07
*** dstanek has joined #openstack-keystone18:08
*** vilobhmm___ has joined #openstack-keystone18:11
*** vilobhmm_ has quit IRC18:12
*** vilobhmm___ has quit IRC18:17
*** chandankumar_ has joined #openstack-keystone18:41
*** chandankumar_ has quit IRC18:55
*** _TheDodd_ has joined #openstack-keystone18:56
*** gokrokve_ has quit IRC18:56
*** rwsu has quit IRC19:01
*** rwsu has joined #openstack-keystone19:07
*** jroovers|afk has quit IRC19:10
*** gokrokve has joined #openstack-keystone19:12
*** nkinder has quit IRC19:19
*** leseb has quit IRC19:21
*** leseb has joined #openstack-keystone19:22
dstanekdolphm, stevemar, bknudson: why is everyone being cautious on
bknudsondstanek: I don't know... I guess it's hard to tell always when something isn't used.19:25
*** gokrokve has quit IRC19:25
bknudsondstanek: I noticed that it wasn't used when there were some changes going in for migrations to use oslo-incubator db19:25
*** leseb has quit IRC19:26
bknudsonbecause it was clearly broken beforehand and the changes were leaving it broken19:26
dstanekbknudson: was that ever used?19:26
bknudsondstanek: never used as far as I can tell19:26
stevemardstanek, yeah, echoing bknudson, just wary is all, but i guess it can go19:27
*** gokrokve has joined #openstack-keystone19:27
*** gokrokve has quit IRC19:29
*** nkinder has joined #openstack-keystone19:33
*** leseb has joined #openstack-keystone19:37
dstaneki'm not very familiar with how our database sync and plugins work together - it i add a plugin to the pipeline will it's models by synced to the database by keystone-manager?19:39
bknudsondstanek: you have to keystone-manage db_sync --extension <whatever>19:42
bknudsondstanek: that goes --
dstanekbknudson: ah, that's right - i remember now - thanks!19:43
bknudsondstanek: which goes here --
bknudsonand that loads the sql package in the extension directly; doesn't call the extension's db_sync19:44
bknudsondstanek: note that we also have a db_sync in the other backends that isn't used as expected...
bknudsonsince they all wind up doing the same thing... we only have 1 migrations db for identity, assignment, etc.19:46
dstanekwhat calls the db_sync in the identity manager?19:47
bknudsonwell, it used to be keystone-manage db_sync ... I'm not sure if that's the case anymore.19:47
bknudsonI wonder when that changed... was it with the oslo-incubator db change...19:48
bknudsondstanek: here it is in grizzly:
bknudsonI think it was the change to provide migrations for extensions19:50
*** leseb has quit IRC19:51
bknudsondstanek: yep, that was it --
bknudsondstanek: should probably get rid of the db_sync's in the other backends, too.19:52
dolphmbknudson: i believe ayoung wanted to use that functionality, but never did (and i'm not aware of any plans to)19:52
dstanekbknudson: i have them all deleted locally and am running the tests to see what happens :-)19:52
dolphmbknudson: isn't there a keystone-manage --extension argument? or did that already get cut19:53
ayoungno, that is there, and should stay there, and this is good thing, ja?19:53
dstanekdolphm: for db_sync? there is an --extension19:53
bknudsondolphm: there is an extension argument... it looks for a sql package in the extension and doesn't call the db_sync19:53
ayoungkeystone-manage --db_sync --extension19:53
dolphmbknudson: dstanek:
ayoungit calls the db_sync for the extension19:54
dolphmayoung: which is unused atm?19:54
ayoungdolphm, you need to run it explicitly if you want the revocation events19:54
*** leseb has joined #openstack-keystone19:54
bknudsonthe db_sync for the extension isn't called.19:54
ayoungI had a question about that, actually, whether the behavior when callewd with no args should be to migrate all extensions19:55
bknudsonayoung: it loads the repo path directly -- here's the original change:
ayoungbknudson, did you look at the name on that review?19:56
ayounger, commit19:56
bknudsonayoung: yes, but you're saying it calls the extension db_sync which it never did19:56
ayoungthere have been some changes on top of that...let me read up so I know your issue19:56
ayoungyes it does19:56
bknudsonayoung: it does  migration.db_version_control(version=None, repo_path=repo_path)  , not extension.db_sync()19:57
ayoungI see the difference19:57
ayoungbknudson, yes, I think you are right.  I misread what you were saying19:57
ayoungbknudson, absolutely,  that is a vestige that predates me on the project and should go away19:57
bknudsonayoung: I like the change... it makes more sense than calling db_sync on all the backends... since they were all the same repo anyways.19:58
ayoungbknudson, I just +2ed yours19:58
dolphmayoung: thanks for chiming in :)20:00
*** gokrokve has joined #openstack-keystone20:00
*** baffle has joined #openstack-keystone20:01
dolphmayoung: bknudson: dstanek: +2/+A20:01
dstanekcan the rest of the db_sync methods be deleted too?20:02
bknudsondstanek: yes, do you have that change?20:02
ayoungthey are not used.  they can all die20:02
stevemarall the db_sync methods for all backends?20:03
dstanekbknudson: yeah, i can commit and push20:04
dstanektest run should be finishing up soon20:04
bknudsonthis should up our coverage %20:05
dolphmi didn't really read what this is doing, but based on the commit message, we should steal it
dolphmwould have prevented bug 129934920:12
uvirtbotLaunchpad bug 1299349 in neutron "upstream-translation-update Jenkins job failing" [High,In progress]
bknudsondolphm: I think it's submitted already20:12
dolphmbknudson: awesome!20:12
dstanekbknudson, ayoung: the extension migrations commit is the one that removed the calls to db_sync right?20:13
ayoungdstanek, nope20:13
ayoungdstanek, I think they all stayed there.  THe extensions migrations worked around them20:13
ayoungignored them,really20:14
bknudsondstanek: which db_sync, the extensions or the backends?20:14
dstaneki thought that's what line 64 was doing20:15
ayoungnot really20:15
ayoungonly the first one of those had any effect20:15
bknudsondstanek: it used to call db_sync on all the backends and then it was changed to do migration.db_sync directly20:15
ayoungthe others were duplicating the effort20:15
bknudsony, it was weird.20:16
ayoungbknudson, I think the original intention was that the backend code would control its own repo, which is what we moved to with extensions20:16
ayoungbut it was never implemented that way20:16
openstackgerritDavid Stanek proposed a change to openstack/keystone: Removes unused db_sync methods
dstanektests are not completed locally, but hey...20:17
bknudsonparallel testing bug??
stevemarbknudson, i thought i found one too..20:21
uvirtbotLaunchpad bug 1300581 in keystone "test_revoke.RevokeTreeTests.test_cleanup fails" [Critical,Triaged]20:21
stevemarif itworker-2 ? worker-3?20:22
stevemarif it says worker-# does that mean it's being done in parallel?20:23
bknudsontags: worker-220:23
bknudsonstevemar: we enabled concurrent testing by default, so they should all be parallel20:24
stevemarbased on the number of cores a machine has right?20:24
bknudsonstevemar: it's probably whatever the machine reports for # cpus20:25
bknudsonthey don't run in the same process space.20:25
bknudsonbut share the filesystem20:26
bknudsone.g., the python-keystoneclient git repos20:26
morganfainbergbknudson, all the keystoneclient tests should be on the same worker20:26
morganfainbergbknudson, _should_20:26
bknudsonwe probably need a lock? although I thought the keystoneclient tests were supposed to run in 1 worker...20:26
morganfainbergbknudson, in theory the grouping should force them on the same worker so you don't have git issues20:27
*** lbragstad has quit IRC20:27
*** lbragstad has joined #openstack-keystone20:27
dolphm"I currently have an opportunity for a remote, work from home, contract. The customer is looking for someone with a background developing for Openstack Keystone, with strong skills in Python development." -recruiter20:27
morganfainbergdolphm, @recruiterbro worthy?20:28
dolphmmorganfainberg: needs too much context for recruiterbro lol20:28
morganfainbergdolphm, true20:28
bknudsonhere it is --
bknudsongroup_regex=.*(test_cert_setup|test_keystoneclient).+ -- puts them in 1 worker?20:28
morganfainbergbknudson, my understanding is it should20:28
morganfainbergbknudson, it groups based upon the first match group20:29
*** patelna_ has joined #openstack-keystone20:29
morganfainbergbknudson, are you seeing issues with the keystoneclient git checkouts causing failures?20:29
bknudsonmorganfainberg: look at
bknudsonfrom keystoneclient.v2_0 import client as ks_client -- ImportError: No module named v2_020:30
morganfainbergbknudson, i saw that w/o concurrent tests20:30
morganfainbergoh the pathspec20:30
morganfainbergsorry scorlls down20:30
bknudsonso somehow keystoneclient doesn't have v2_0??20:30
morganfainbergwonder if checkout_vendor is doing something dumb20:31
morganfainbergi'll bet that isn't getting properly grouped in20:31
bknudsonmorganfainberg: maybe could see it by causing checkout_vendor to raise ... then that would cause all the tests to fail and could see if they're in the same worker20:31
*** joesavak has joined #openstack-keystone20:32
morganfainbergbknudson, i haven't been able to duplicate that specifically (even w/ 8 workers) fwiw.20:32
*** patelna has quit IRC20:32
morganfainbergbknudson, that would be good to know20:32
morganfainbergbknudson, the revoke_api one steve reported seems like some odd parallel issue20:33
*** jsavak has quit IRC20:34
*** RockKuo_TW has joined #openstack-keystone20:35
morganfainbergi see how the revoke_api one is failing.20:36
morganfainbergor.. not20:36
*** RockKuo has quit IRC20:38
*** leseb has quit IRC20:41
openstackgerritDavid Stanek proposed a change to openstack/keystone: Check that all po/pot files are valid
*** leseb has joined #openstack-keystone20:47
ayounghmmm, running in HTTPD, and all I am getting for debug info is the LDAP.  Getting a token (which works in the35357 and 5000 keystone wsgi servers)  gets me <title>500 Internal Server Error</title>20:53
ayounghttpd log shows20:53
ayoung[Wed Apr 02 20:52:33.106253 2014] [core:error] [pid 7760] [client] Premature end of script headers: admin20:54
ayoung[Wed Apr 02 20:52:33.106604 2014] [:error] [pid 7754] [remote] mod_wsgi (pid=7754): Exception occurred processing WSGI script '/var/www/cgi-bin/keystone/admin'.20:54
ayoung[Wed Apr 02 20:52:33.106667 2014] [:error] [pid 7754] [remote] IOError: failed to write data20:54
ayoungSomehow I am not getting the error messages.  What is next in debugging?20:54
ayoungfor the log file I have log_file=/var/log/keystone/keystone_log and I see the LDAP logging in there (and the initial config) from both HTTPD and Eventelt20:55
bknudsonI usually look for the apache error logs20:55
ayoungbknudson, that is what I just spewed in here20:56
ayoungonly those 3 lines are produced20:56
ayoungI'm using CURL, and the only difference between a successful call and a non-successful is whether I target the eventlet url or the HTTPD.  Oh, one other thing, V2.0 works OK, this is only V320:57
dstanekayoung: it looks like maybe an uncause exception that kills the process. can you confirm?20:58
ayoungdstanek, how?20:58
dstanekayoung: take a look at the pids, run a few requests and see if they are different (best way i can think of)20:58
dstaneklooks like that will try to log the exception and die21:00
ayoungdstanek, so, it looks like the pids are not changing21:01
dstaneknot sure why you don't see the traceback21:01
dstanekayoung: i think line 74 should really be LOG.exception because i have to imagine you'd want the traceback even if you are not in debug mode21:02
*** patelna has joined #openstack-keystone21:02
ayoungdstanek, true21:02
ayoungbut I have debug enabled...I think.  I should be seeing a lot more spew, though21:03
*** patelna_ has quit IRC21:05
ayoungAll I am getting is LDAP debugging.  There must be something misconfigured21:05
dstanekit's odd that we'd want to exit in this situation21:07
*** topol has quit IRC21:08
*** _TheDodd_ has quit IRC21:09
ayoungdstanek, OK, I am also seeing notifications and caching log messages, I am guessing that this path is just dropping the message.21:10
dstanekayoung: that's pretty strange; nothing in the apache error log?21:11
ayoungdstanek, nope.  The Keystone log is directed elsewhere, and that seems to be working.21:11
ayoung/var/log/keystone/keystone_log  gets cache logging, and then nothing21:12
ayoungI can stick some debug into the token creationg code...but need to go be dad for a while21:12
*** ayoung is now known as ayoung_AFK21:12
morganfainbergdolphm, about to propose the sync fix for
uvirtbotLaunchpad bug 1301036 in oslo "openstack.common.db.sqlalchemy.migration utf8 table check issue on initial migration" [Critical,In progress]21:12
*** bvandenh has joined #openstack-keystone21:12
morganfainbergdolphm, will propose the same patch to milestone-proposed as well21:13
bknudsondstanek: looks like ran into the same problem I did.21:13
dstanekbknudson: yeah, i just saw that21:14
dstanekdid you create a bug for it?21:14
bknudsondstanek: no, I'm in the middle of other work21:14
dstanekbknudson: np, i'll do it21:15
bknudsondo you guys realize how many security vulnerabilities there are in openstack??21:15
dstaneksounds like a lot21:15
*** joesavak has quit IRC21:19
*** bvandenh has quit IRC21:20
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Sync from oslo db.sqlalchemy.migration
bknudsonmorganfainberg: I've already got the change ^ --
bknudsonoh, yours has extra stuff now.21:33
bknudsonI'll need to re-sync21:33
morganfainbergbknudson, ah.21:38
morganfainbergbknudson, specifically for RC2 bug21:38
morganfainbergbknudson, mine is a very specific target that affects RC2 (blocker)21:39
*** stevemar has quit IRC21:51
openstackgerritA change was merged to openstack/keystone: Remove unused db_sync from extensions
*** david-lyle has quit IRC22:11
*** leseb has quit IRC22:17
*** leseb has joined #openstack-keystone22:18
*** leseb has quit IRC22:22
*** harlowja has quit IRC22:35
*** harlowja has joined #openstack-keystone22:36
*** dstanek has quit IRC22:38
*** dstanek has joined #openstack-keystone22:39
*** dims_ has quit IRC22:40
*** harlowja has quit IRC22:54
*** harlowja has joined #openstack-keystone22:55
*** dims_ has joined #openstack-keystone22:56
*** bada has quit IRC23:26
*** andreaf2 has joined #openstack-keystone23:41

Generated by 2.14.0 by Marius Gedminas - find it at!