Thursday, 2014-04-03

*** marcoemorais has quit IRC00:00
*** RockKuo has joined #openstack-keystone00:02
*** andreaf2 has quit IRC00:06
*** patelna has quit IRC00:09
bknudsondstanek: did you open a bug for parallel test failure? I'll open one otherwise00:14
dstanekbknudson: no, was distracted by dinner00:15
bknudsondstanek: ok, I think I've got a fix so will open and post it00:15
openstackgerritBrant Knudson proposed a change to openstack/keystone: Fix parallel unit tests keystoneclient partial checkout
bknudsonmorganfainberg: dstanek:
bknudson2 characters00:22
*** gokrokve has quit IRC00:22
morganfainbergbknudson, +200:23
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Create a test token generator and use it
bknudsonit's not using the cpu a whole lot with this change.00:25
morganfainbergbknudson, ?00:28
morganfainbergdid you clear out your .testrepository00:28
morganfainbergit gets in a wonky state sometimes.00:28
morganfainbergand does very bad trained binning of tests00:28
bknudsonmorganfainberg: ahh, I was wondering wtf all this testr code was doing.00:29
morganfainbergbknudson, yeah when you make changes to grouping et al (concurrency) you should prob. clear it out00:29
morganfainbergfirst run after clearing is alphabetical binning vs. time-to-run-test based00:30
dstanekbknudson: why does taking off the .+ work?00:45
bknudsondstanek: the regex used to match the whole string00:46
bknudsonso they were all in their own bucket00:46
bknudsongroup_callback for keystone.tests.test_keystoneclient.KcMasterTestCase.test_admin_requires_adminness is keystone.tests.test_keystoneclient00:46
dstanekah i see00:46
bknudsonthat's the output of a print statement I added to testr00:46
bknudsonso now they get put into a keystone.tests.test_keystoneclient bucket00:47
bknudsongroup for keystone.tests.test_keystoneclient_sql.KcMasterSqlTestCase.test_tenant_list_limit is keystone.tests.test_keystoneclient00:47
bknudsongroup_callback for keystone.tests.test_cert_setup.CertSetupTestCase.test_can_handle_missing_certs is keystone.tests.test_cert_setup00:48
bknudsonthose ones go in a different group00:48
bknudsongroup for keystone.tests.test_config.ConfigTestCase.test_config_default is None00:48
bknudsonand the rest are in no group00:49
openstackgerritA change was merged to openstack/identity-api: Fixed name attribute description of Projects
openstackgerritBrant Knudson proposed a change to openstack/keystone: Use efficient check for non-empty list in controller
*** harlowja is now known as harlowja_away01:01
morganfainbergjamielennox, ping re 7887701:03
jamielennoxmorganfainberg: hmm01:03
jamielennoxoh ok01:03
jamielennoxmorganfainberg: i'm a little questioning about it myself - but what specifically?01:04
morganfainbergjamielennox, i'm really not sure the context manager method of adding services is ... friendly01:05
morganfainbergjamielennox, it feels like the wrong use of a context manager, yanno?01:05
jamielennoxmorganfainberg: i would agree - i just don't know of a better way01:06
jamielennoxi can always return the service object (and i think i do)01:06
morganfainbergyeah that's what i'd do rather than the "with" statement01:06
morganfainbergjamielennox, it's that the __enter__ and __exit__ logic doesn't really add much benefit here.01:07
jamielennoxmorganfainberg: so it does return the service object01:07
morganfainbergso if you just return the service object when you're adding no need to do the "with" part and it would be easier to read01:07
morganfainbergthis is just the first thing i noticed.01:08
jamielennoxso all of those can be written as s = token.add_service() s.add_endpoint()01:08
jamielennoxi think it was more reflective of what the service is01:08
morganfainbergyeah. and probably would be easier to read/work with.01:08
morganfainbergyou're not really doing anything when the context exits01:08
jamielennoxby that i mean that you don't hang on to that object and there is no defined way to retrieve a service from those defined01:09
jamielennoxlike a token.service_find(type='')01:09
morganfainbergyou might want a way to retrieve the service via a method01:09
jamielennoxmorganfainberg: yep - i'm going for baby steps here - i'm still not certain it's a great idea01:09
morganfainbergi think having a canonical source of v2 tokens would be good01:10
jamielennoxthe point is though that if we can get novaclient et al to define their test tokens this way we won't have to fix them all01:10
morganfainbergbut honestly, i am almost thinking this should go into oslo.01:10
jamielennoxmaybe - i'm not sure if i like oslo for clients01:10
jamielennoxthough it's test code so whatever01:10
morganfainbergor separate from keystoneclient01:10
morganfainbergyeah i don't know, but i think oslotest (for the token generator, it doesn't rely on keystoneclient itself) would be good as a fixture01:11
morganfainbergif it requires keystoneclient code, then oslotest would be bad01:11
jamielennoxthe advantage but also i guess the disadvantage is that if we find an issue in token generation we can fix it in one place - but that can break people01:11
jamielennoxno it purposefully doesn't require keystone code01:12
morganfainbergthat is why i think it shouldn't go in keystoneclient itself.01:12
morganfainbergand keystoneclient should be using the same token fixtures for validation.01:12
morganfainbergyou can't "fix" keystoneclient and the "tokens" in the same commit01:12
jamielennoxmorganfainberg: so where? i'm of the impression it's too specific for oslo.test01:12
morganfainbergis it?01:12
morganfainbergthis might be something we need to poke at dhellman about01:12
jamielennoxcan switch to -dev but i assume it's late01:13
morganfainbergexample tokens seem to be used around a lot of places01:13
jamielennoxmorganfainberg: right - and they are incorrect in places01:13
morganfainbergyeah this is a tomorrow discussion i think01:13
morganfainbergso let's put them in a "easy to consume" place, but i think this is a case where it probably is correct to not put the token generator in ksc.01:14
jamielennoxthis was the point that if i provided a token builder api then we wouldn't get incorrect tokens that clients rely on01:14
morganfainbergi'm concerned the sample tokens will be "changed" as a side-effect of something else.01:14
jamielennoxso my thought was that ksc was the easy to consume place01:14
jamielennoxeverything should have that dep01:14
morganfainbergeven if oslotest is the wrong place, we should def. still do something like this01:14
jamielennoxand the keystoneclient is most likely place to know the correct way to generate keystone tokens01:15
morganfainberganyway my first reaction was the context manager just looked wrong01:15
bknudsonbtw - I didn't like the context manager either.01:15
bknudsonbut I guess it worked and was used.01:15
jamielennoxok - it's not hard to remove, i just thought the grouping looked better and i was providing both01:16
morganfainbergjamielennox, i don't think it adds clarity fwiw01:16
jamielennoxit's a shame that the v2 and v3 catalogs are so different that i can't make the APIs the same01:16
morganfainbergjamielennox, especially since i had to go look to see what the __exit__ was meant to do01:16
jamielennoxso scrap it altogether or default to not using01:17
bknudsonif there was a handy function in contextlib...01:17
jamielennoxmay as well scrap01:17
morganfainbergjamielennox, scrap the whole thing? or the context manager?01:18
morganfainbergjamielennox, i don't think scrapping the fixture is a good idea. and if the context manager is what is needed to get it going, sure i won't block on this01:20
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Create a test token generator and use it
jamielennoxmorganfainberg: no just the context manager01:21
morganfainbergjamielennox, ok01:21
jamielennoxyou're right it's just syntax sugar - it doesn't buy anything01:21
jamielennoxnew version without the context manager01:21
morganfainbergi actually think this is easier to read01:21
jamielennoxit removes some of the mystery01:21
morganfainberglooking at it now01:21
jamielennoxhmm, what i know i don't do as part of that is to test the validate() method01:23
jamielennoxso my intention with this and other clients was to actually make it part of a fixtures.Fixture01:23
morganfainbergis anyone besides keystone client meant to import "keystoneclient.fixture" or just client_fixtures01:23
morganfainbergjamielennox, that would be good if possible01:24
jamielennoxmorganfainberg: client_fixtures?01:24
jamielennoxyou would create the token as part of __init__ then setup would run validate() to make sure you were using a sane token in your tests01:24
jamielennoxoh, no just keystoneclient.fixture01:24
jamielennoxanything in keystoneclient.tests is off limits01:24
morganfainberghm. you may want to call it something other than "fixture"01:25
morganfainbergcolliding namespaces and all01:25
jamielennoxi don't mind providing some samples later in the fixture folder01:25
morganfainbergnot sure if there is a good alternative though01:25
jamielennoxthat's why it's called fixture and not fixtures01:25
morganfainbergoh derp my brain was adding the s01:25
morganfainbergstrike that, it's fine.01:25
jamielennoxin reality i should probably call it fixtures and expect people to import it correctly01:26
morganfainbergor do it like we do in keystone proper01:26
morganfainbergor ksc_fixtures01:26
jamielennoxyea, but we should be looking at this from an external to ksc point of view01:27
morganfainbergsome testtools get horribly confused even with __absolute imports01:27
jamielennoxfrom keystoneclient import fixtures as ks_fixtures01:27
morganfainbergi should say01:27
jamielennoxbut yea, i noticed initially i had trouble when calling it fixtures01:27
jamielennoxbut i don't particularly like having the module with a singular name01:28
jamielennoxit's only internal to keystoneclient where this is going to be a namespace issue and i guess i can manage that01:28
morganfainbergi don't mind it in either case01:29
morganfainbergjust some general comments01:29
morganfainbergjamielennox, otherwise i think this looks reasonable01:30
morganfainbergjamielennox, just doing a bit more review before i +201:31
morganfainbergmake sure nothing else jumps out as "what is this"01:31
jamielennoxno worries - i expected that review to sit for a bit longer - it's not urgent01:31
jamielennoxmorganfainberg: but thanks :)01:32
morganfainbergjamielennox, it just happened to stand out as interesting01:32
*** richm has quit IRC01:32
morganfainbergjamielennox, was looking at your backlog of ksc reviews01:32
jamielennoxheh - it's down a bit, i got ayoung to push a few through01:32
jamielennoxmost of the 'easy' ones are in i think01:32
morganfainbergjamielennox, +2, one comment01:36
morganfainbergbut nothing that should be acted on in this review01:36
morganfainbergids and datetimes should be non-static.01:36
morganfainbergbut that requires more change than needs to go in here.01:36
morganfainbergesp. since datetimes are expired in all the example tokens01:37
jamielennoxreplied with pretty much that01:38
jamielennoxa change like this shouldn't actually change functionality01:39
jamielennoxit will be really simple to replace with utcnow() + timedelta(minutes=10)01:39
jamielennoxbecause the generator should accept a datetime or a string01:39
morganfainbergshould be done in a future patch before this is used widespread01:39
morganfainbergwell, you know what i mean.01:40
jamielennoxmorganfainberg: doesn't matter though - that's in our tests not the generator01:40
morganfainbergcan't brain.01:40
morganfainbergi should stop looking at code :P01:40
jamielennoxhmm, but yea - i don't have a default expiry01:40
jamielennoxwhich is wrong01:40
jamielennoxif not expiry:01:41
*** ilives has joined #openstack-keystone01:41
jamielennoxyea whatever you know what i mean01:41
jamielennoxthese are all things that should be fleshed out into the validate() as we come across it01:42
jamielennoxmorganfainberg: oh! i do have a default expiry! sweet01:43
morganfainbergjamielennox, cool01:43
jamielennoxlove it when you look back at code from a few months ago and it's actually correct01:43
*** Chicago has quit IRC01:45
*** ilives has quit IRC01:48
*** ilives has joined #openstack-keystone01:49
morganfainbergjamielennox, ++01:49
*** mberlin1 has joined #openstack-keystone01:55
*** mberlin has quit IRC01:56
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Remove _factory methods from auth plugins
openstackgerritBrant Knudson proposed a change to openstack/keystone: Sync with oslo-incubator 2fd457b
openstackgerritxu-haiwei proposed a change to openstack/keystone: Fix assertEqual arguments order(catalog, cert_setup, etc)
jamielennoxbknudson: do you have an example of how to link to another class definition in RST?02:14
jamielennox:class:`...` seems to fail02:14
jamielennoxit drops it from the param list02:15
jamielennoxjust doing the `...` i get bold but no link02:15
jamielennoxbknudson: got it - sphinx / ReST is kind of cool but it's a pain to start02:26
*** nkinder has quit IRC02:29
*** topol has joined #openstack-keystone02:32
*** david-lyle has joined #openstack-keystone02:34
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Allow passing auth plugin as a parameter
*** nkinder has joined #openstack-keystone02:42
*** Chicago has joined #openstack-keystone02:56
openstackgerritA change was merged to openstack/keystone: Keystone doesn't use pam
ayoung_AFKdstanek, I'm still debugging. I've put print statements in a bunch of locations. The token gets correctly allocated and returned, and all of the middleware in our pipelines return (up through normalizing_filter)03:24
ayoung_AFKand then it dies03:24
ayoung_AFKonly in v3, though, not v203:24
ayoung_AFKcan't help but think it is something about how apache is calling the wsgi api03:24
ayoung_AFKand then...a size limit?03:25
ayoung_AFKmust be the size limit bug03:25
ayoung_AFKyep....?nocatalog and it worked...03:29
ayoung_AFKwonder if we could add a switch to make that the default03:29
ayoung_AFKoh, well.  Gnight03:30
*** gokrokve has joined #openstack-keystone03:36
*** gokrokve has quit IRC03:36
*** gokrokve has joined #openstack-keystone03:37
*** sld has joined #openstack-keystone03:46
sldI'm not sure if anyone is around but I have a quick question - I like the token_flush option for keystone-manage but am wondering.. are there any plans to have a simple configuration file option that can effectively tell the DB to automatically delete tokens, thus obsoleting the need for the token_flush option?  (...if that makes any sense?)03:47
*** harlowja_away is now known as harlowja04:00
*** stevemar has joined #openstack-keystone05:05
openstackgerritguang-yee proposed a change to openstack/keystone: Make sure all the auth plugins agree on the shared identity attributes.
*** harlowja is now known as harlowja_away05:32
*** bvandenh has joined #openstack-keystone05:33
*** marekd|away is now known as marekd05:46
*** andreaf2 has joined #openstack-keystone05:57
openstackgerritJenkins proposed a change to openstack/keystone: Imported Translations from Transifex
*** gokrokve has quit IRC06:02
*** andreaf_ has joined #openstack-keystone06:05
*** andreaf_ has quit IRC06:07
*** andreaf_ has joined #openstack-keystone06:07
*** andreaf has quit IRC06:08
*** andreaf_ has quit IRC06:09
*** andreaf has joined #openstack-keystone06:09
*** andreaf has quit IRC06:10
*** andreaf has joined #openstack-keystone06:10
*** andreaf2 has quit IRC06:12
*** stevemar has quit IRC06:23
*** gokrokve has joined #openstack-keystone06:33
*** gokrokve has quit IRC06:43
marekdjamielennox: hey, still here!06:45
openstackgerritMarek Denis proposed a change to openstack/keystone: List all missing/forbidden attributes in the request body.
*** zigo has quit IRC07:04
*** d0ugal has joined #openstack-keystone07:04
*** d0ugal has quit IRC07:04
*** d0ugal has joined #openstack-keystone07:04
openstackgerritMarek Denis proposed a change to openstack/keystone: List all missing/forbidden attributes in the request body.
*** zigo has joined #openstack-keystone07:08
openstackgerritMarek Denis proposed a change to openstack/keystone: Remove common.V3Controller.check_required_params() method.
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Identity Providers.
*** d0ugal has quit IRC07:34
*** gokrokve has joined #openstack-keystone07:40
*** Chicago has quit IRC07:40
*** gokrokve has quit IRC07:45
openstackgerritMarek Denis proposed a change to openstack/keystone: List all forbidden attributes in the request body.
*** leseb has joined #openstack-keystone08:04
*** d0ugal has joined #openstack-keystone08:13
*** d0ugal has quit IRC08:13
*** d0ugal has joined #openstack-keystone08:13
*** Chicago has joined #openstack-keystone08:33
*** gokrokve has joined #openstack-keystone08:40
*** gokrokve has quit IRC08:44
jamielennoxsld: there are no plans for that - the only way to trigger something like that would be on a user's request which would slow things down significantly09:05
jamielennoxat the very least you would have to call a url to trigger that - and in which case you are safer to have it run by an admin09:06
jamielennoxis there a reason not to just run it as a cron job every 10 minutes or so?09:06
jamielennoxmarekd: not really, just checked in? anything quick?09:06
marekdjamielennox: left my comments here,  so we can try talking later09:08
marekdjamielennox: when are you going to be more 'pingable' ?09:08
jamielennoxmarekd: the time earlier would normally be good09:09
jamielennoxmarekd: so does anything use _put() already?09:09
jamielennoxmarekd: but more - can't we just fix _put()09:09
marekdjamielennox: sure, i am on watch now, so I can propose something ~now, but in a separated patch.09:10
marekdjamielennox: however I was not sure what's the reason for keeping CrudManager._put and CrudManager._update09:10
marekdjamielennox: and this is something that puzzled me TBH.09:10
jamielennoxthe managers are rubbish09:11
jamielennoxi don't have a particular preference it's just that by doing _put in your class it would imply that you are somehow overriding the underlying one09:12
jamielennoxyou can either just use update from your class - but the fix for _put should be only a couple of lines09:13
marekdjamielennox: sure. one quick question: is it fine to keep CrudManager._put() just for backwards compatibility and it's fine to keep _update() ?09:13
marekdif so, I will fix it now.09:13
jamielennoxyou can keep both09:14
jamielennoxyou can also fix the _put without worrying about compatibility09:14
jamielennoxbecause it starts with an _ it's considered private09:14
*** morganfainberg is now known as morganfainberg_Z09:15
marekdi think calling _update() from _put will be much better - it clearly indicates there is no different usecase for calling _put and _update(). Otherwise people may wonder: shall I use _update or _put()? like i did... ok, let me make a patch for that.09:16
marekdjamielennox: ok, thanks for this quick chat.09:17
marekdjamielennox: and the review.09:17
jamielennoxmarekd: oh - i see what i did wrong there09:17
*** ilives has quit IRC09:18
marekdjamielennox: ?09:18
jamielennoxmarekd: see put() at line 34209:18
marekdjamielennox: aaaahhh, that's the different story :-)09:18
marekdasked about that 2-3 times but never got any response :-)09:18
*** ilives has joined #openstack-keystone09:18
jamielennoxso put should look almost exactly the same as update on line 34809:18
jamielennoxso fix that to call _put() and that will tie it up09:19
jamielennoxthat work?09:20
marekdi think so.09:20
marekdabstractmethods are the other topic, harder to make it work as it'd have an impact on the whole keystoneclient, so that's not for now.09:22
marekdjamielennox: anyway, thanks!09:22
jamielennoxyea, we can't necessarily do all abstract because they don't all have every method - eg you can list some things09:22
marekdi was thinking the same.  Same with the tests you want to run.09:24
*** gokrokve has joined #openstack-keystone09:41
*** gokrokve has quit IRC09:45
*** leseb has quit IRC09:51
*** leseb has joined #openstack-keystone09:51
*** leseb has quit IRC09:55
*** leseb has joined #openstack-keystone10:00
*** d0ugal has quit IRC10:00
*** d0ugal has joined #openstack-keystone10:17
*** chandankumar_ has joined #openstack-keystone10:22
*** leseb has quit IRC10:29
*** leseb has joined #openstack-keystone10:29
*** leseb has quit IRC10:33
*** gokrokve has joined #openstack-keystone10:42
*** gokrokve has quit IRC10:46
*** leseb has joined #openstack-keystone11:04
*** leseb has quit IRC11:09
*** lbragstad has quit IRC11:13
*** leseb has joined #openstack-keystone11:18
*** zhiyan_ is now known as zhiyan11:22
*** d0ugal has quit IRC11:30
*** gokrokve has joined #openstack-keystone11:43
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Sync test_migrations
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Redundant unique constraint
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Corresponding `nullable` value.
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Compatible server default value in the models.
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Explicit foreign key indexes.
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Make it possible to use multiprocess file locks
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Comparision of database models and migrations.
*** gokrokve has quit IRC11:48
*** henrynash has joined #openstack-keystone12:01
*** kun_huang has joined #openstack-keystone12:08
*** gokrokve has joined #openstack-keystone12:09
*** gokrokve has quit IRC12:13
*** ayoung_AFK has quit IRC12:14
*** david-lyle has quit IRC12:23
*** jagee has joined #openstack-keystone12:27
*** lbragstad has joined #openstack-keystone12:35
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Fix base.CrudManager.put() method.
*** RockKuo has quit IRC12:43
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Make base.CrudManager._put() use _update() method.
openstackgerritDavid Stanek proposed a change to openstack/keystone: Identity authentication now uses rotated passwords
marekdjamielennox: ^^ this will fail on test_put test and I have no clue why.12:55
openstackgerritDavid Stanek proposed a change to openstack/keystone: Adds table and model for storing rotated passwords
openstackgerritDavid Stanek proposed a change to openstack/keystone: password rotation extension WIP
*** bashok has joined #openstack-keystone12:59
*** dims_ has quit IRC13:07
*** lbragstad has quit IRC13:07
*** lbragstad has joined #openstack-keystone13:08
*** gokrokve has joined #openstack-keystone13:10
*** lbragstad has quit IRC13:12
*** gokrokve has quit IRC13:14
*** chandankumar_ has quit IRC13:19
*** dims_ has joined #openstack-keystone13:20
openstackgerritA change was merged to openstack/keystone: Sync from oslo db.sqlalchemy.migration
*** d0ugal has joined #openstack-keystone13:23
*** d0ugal has quit IRC13:23
*** d0ugal has joined #openstack-keystone13:23
*** d0ugal has quit IRC13:24
*** d0ugal has joined #openstack-keystone13:25
*** d0ugal has quit IRC13:25
*** d0ugal has joined #openstack-keystone13:25
*** joesavak has joined #openstack-keystone13:28
*** bashok has left #openstack-keystone13:31
*** lbragstad has joined #openstack-keystone13:32
openstackgerritA change was merged to openstack/keystone: Fix parallel unit tests keystoneclient partial checkout
*** nkinder has quit IRC13:45
*** ayoung has joined #openstack-keystone13:45
*** ilives has quit IRC13:48
*** ilives has joined #openstack-keystone13:52
*** gokrokve has joined #openstack-keystone14:11
*** gokrokve has quit IRC14:15
*** thedodd has joined #openstack-keystone14:18
ayoungdolphm, so I just tripped over the 500 error due to the size of the Catalog in V3...I can't quite figure out why the V3 catalog would be bigger than the V2.  However, we do have "legacy_endpoint_id" in the catalog...would it be safe to provide an option to drop that  field?  Trying to find ways to shrink the service catalog for apache.14:18
*** jdob has joined #openstack-keystone14:26
*** chandan_kumar has quit IRC14:27
jdobis there anyone around that can give me a hand with getting the tuskar API to authenticate against keystone?14:27
baffleI'm trying to get Nova to work with Keystone with domains. keystoneclient.middleware.auth_token seems to be able to verify user tokens in the Default domain, but for some reason when it receives a token scoped to a different domain it barfs? And somehow ends up inside verify_uuid_token() ? But I use pki tokens...? :)14:27
*** chandan_kumar has joined #openstack-keystone14:27
*** gokrokve has joined #openstack-keystone14:27
*** stevemar has joined #openstack-keystone14:27
*** chandan_kumar has quit IRC14:30
dstanekayoung: can you print out the catalog for both calls (or save to files) to see why the size difference?14:35
baffleIf I print out the user_token before it checks if it is a PKI token, it looks like this: 0b6d252be95bdbb00e3f5e16e23848c3 <- clearly not a PKI token.14:38
*** nkinder has joined #openstack-keystone14:38
ayoungdstanek, I'm doing that now....14:45
ayoungbaffle, nope, just a uuid14:45
ayoungjdob, you are fourth in the queue14:45
jdob:)  thanks ayoung14:45
ayoungjdob, is this making tuskar accept tokens for the user?14:48
ayoungare you using auth_token middleware?14:48
ayoungis tuskar in Python?14:48
jdobyes, but realize I inherited the code which I think was copied from ironic and never actually understood, so there's no assertions we're using it correctly14:49
jdobi'm going through your middlewarearchitecture.html page now14:49
ayoungjdob, ^^14:49
jdobayoung: looking14:50
baffleayoung: Thanks, looking at it now.14:51
ayoungbaffle, what version of what are you using?14:51
dolphmayoung: yes, there's an open bug to remove legacy_endpoint_id from the v3 catalog, along with 'enabled' (which should always be true)14:55
ayoungdolphm, cool.  A base devstack setup means that the v3 token is too big, but a v2 is ok...I'm guessing we are right at a limit14:56
ayounglet me see if I can shrink it down14:57
jdobayoung: what I keep getting tripped up on is that I keep seeing this in keystone's logs:  keystone.middleware.core [-] Auth token not in the request header.14:58
jdobthat's when I pass in the token as a header under X-Auth-Token or have it as admin_token in my conf file14:58
jdobthat ring any bells?14:58
ayoungjdob, you've created a Tuskar admin_user?14:59
jdobno, been using the default admin14:59
ayoungjdob, the admin needs a token to fetch the certs and the revocation list. I'm guessing your breakdown is there.14:59
jdobok, I see users for the other services, lemme add a tuskar15:00
baffleayoung: I'm using keystoneclient 0.3.2 -> keystone git master. I'm trying to dig down into it.. :-) I get "Non-default domain is not supported" in keystone's log when doing requests from the 0.3.2 client (I think). I'm quite confused right now, think I might have to draw up something...15:00
*** david-lyle has joined #openstack-keystone15:14
*** d0ugal_ has joined #openstack-keystone15:20
*** d0ugal has quit IRC15:20
*** arun_kant has joined #openstack-keystone15:25
*** zhiyan is now known as zhiyan_15:25
*** henrynash has quit IRC15:28
*** leseb has quit IRC15:30
*** leseb has joined #openstack-keystone15:30
*** leseb has quit IRC15:34
dolphmbaffle: are you trying to do multi-domain v3 stuff?15:37
baffledolphm: Yeah.15:37
baffledolphm: Not separate auth backends, but just multidomain.15:38
baffledolphm: For now I'm failing miserably.15:38
baffledolphm: It's supposed to work. Right? :)15:39
*** henrynash has joined #openstack-keystone15:39
*** andreaf has quit IRC15:41
dolphmbaffle: i'd definitely upgrade to the latest client (0.3.2 is super old), but you need to use the v3 client against the v3 endpoint15:42
baffledolphm: "The v3 client"?15:42
dolphmbaffle: and not use LDAP (which i just realized you might be?) which doesn't support multidomain15:42
dolphmbaffle: keystoneclient.v3 rather than v2_015:43
baffledolphm: No, not using LDAP. I looked into it, and saw that it didn't support multidomain. :)15:43
*** henrynash has quit IRC15:43
baffledolphm: I'm starting to think it is a horizon -> novaclient problem now.. I see in horizon's log that X-Auth-Token: is what looks like a UUID.. Very confused. :)15:45
*** leseb has joined #openstack-keystone15:47
*** d0ugal_ has quit IRC15:50
*** d0ugal_ has joined #openstack-keystone15:51
david-lylebaffle: you can't make nova api calls outside of the default domain when using keystone v3 as there is no support in the nova apis for v3 auth15:53
david-lyleHorizon is just representing the state of openstack to you :(15:54
baffleSo when in Havana it says "\o/ domains \o/" it really means "\o/ keystone has domains you can't use for anything \o/" ? :-)15:55
*** henrynash has joined #openstack-keystone15:55
*** d0ugal_ has quit IRC15:55
*** d0ugal_ has joined #openstack-keystone15:55
david-lyleunfortunately yes, there used to be a bug in the keystoneclient that briefly allowed it to work, that bug was closed as it should have been15:55
*** d0ugal_ is now known as d0ugal15:56
baffleWhat is HP doing? They seem to have working domains? Confused.15:56
david-lyleHP uses a different identity backend15:56
david-lyleAPI compatible, at least for the public cloud15:57
david-lyleAPI compatible with keystone that is15:58
david-lylebaffle: that said, HP is trying to migrate to keystone, but impediments like this incompatibility prevent much progress15:59
dolphmdavid-lyle: what's the incompatibility, exactly?16:00
baffledavid-lyle: Oh, I was under the impression that they used Keystone, but had a proprietary storage backend. Must have misunderstood.16:00
david-lyledolphm, let me grab the specific details16:00
david-lyledolphm, so for a v3 token we run into
*** andreaf has joined #openstack-keystone16:03
*** henrynash has quit IRC16:03
david-lyleline 454 is the exception16:03
dolphmdavid-lyle: that looks right -- you just need to validate the token against the v3 API, otherwise keystone can't correctly represent the token (as requested on v2 without breaking compatibility with v2)16:05
david-lyleright but nova is not validating against the v3 API16:06
dolphmdavid-lyle: in other words, we need to get auth_token 100% onto the v3 API. right now it's still hardcoded to do some work against v2 :(16:06
*** henrynash has joined #openstack-keystone16:06
dolphmdavid-lyle: (it's not nova's fault, it's ours!)16:06
david-lyleoh, ok, that's easier to fix then16:07
david-lylefrom a scale perspective16:07
ayoungdstanek, note these sizes  -rw-rw-r--. 1 ayoung ayoung 4631 Apr  3 12:10 /tmp/token-v2.raw16:10
ayoung-rw-rw-r--. 1 ayoung ayoung 9022 Apr  3 11:39 /tmp/token-v3.raw16:10
dstanekayoung: wow16:10
ayoungyea...going to unpack them to see what I can see16:10
*** d0ugal has quit IRC16:11
dolphmayoung: v3 catalog has a ton of cruft!16:11
dstanekayoung: maybe the catalog is in there twice :-)16:11
dolphm?nocatalog :P16:11
baffleI'm having some problems with the huge tokens via haproxy, even if I set tune.bufsize and friends.. They sure are massive.16:12
baffleI'm a bit confused with Horizon.. I get (huge) x-subject-token from Keystone when I log into Horizon. But then horizon's novaclient tries to connect using an (apparently) UUID-token?16:15
baffleIs it confusing the hash of the PKI token with an MD5 hash or something? :-P16:15
baffleShouldn't it use the X-Auth-Token I received from Keystone to talk with Nova?16:15
dolphmbaffle: it might just be logging a hash of the actual token16:17
baffledolphm: Well, it displays the complete curl command line as well..16:17
dolphmbaffle: keystone's API supports MD5-hashed tokens for validation purposes16:18
bafflenovaclient connection created using token "beb99d9efc94d82d605100ee3b83ece7" and url ""16:18
baffleREQ: curl -i '' -X GET -H "X-Auth-Project-Id: 7a113261536a4d15a20d8d6e98834e43" -H "User-Agent: python-novaclient" -H "Accept: application/json" -H "X-Auth-Token: beb99d9efc94d82d605100ee3b83ece7"16:18
dolphmbaffle: GET /v3/auth/tokens + X-Subject-Token: <md5 hashed PKI token> or GET /v2/tokens/{md5_hashed_pki_token}16:18
dolphmbaffle: could be either -- md5 hex digests are the same length as uuid hex digests16:20
baffledolphm: So, if it sends Nova the md5 hash of the PKI token, Nova would have to connect to Keystone to check if the token is expired then I guess..16:21
baffledolphm: But nova seems to think it is a UUID token..?16:23
dolphmbaffle: correct, but it *shouldn't* be doing that...16:23
baffledolphm: Well, it sure looks like one. :)16:24
dolphmbaffle: i'm not disagreeing! you could do a GET http://KEYSTONE:35357/v3/auth/tokens + X-Auth-Token: ADMIN + X-Subject-Token: beb99d9efc94d82d605100ee3b83ece7 to debug16:30
dolphmsubstitute for more appropriate values :)16:30
*** henrynash has quit IRC16:31
*** leseb has quit IRC16:40
*** leseb has joined #openstack-keystone16:40
*** leseb has quit IRC16:42
*** leseb has joined #openstack-keystone16:42
openstackgerritDavid Stanek proposed a change to openstack/keystone: Make the py33 Jenkins job happy
openstackgerritDavid Stanek proposed a change to openstack/keystone: Replace all use of mox with mock
openstackgerritDavid Stanek proposed a change to openstack/keystone: setUp must be called on a fixture's parent first
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fix cache configuration checks
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixed the size limit tests in Python 3
openstackgerritDavid Stanek proposed a change to openstack/keystone: wip: this needs to be made in oslo
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixed the policy tests in Python 3
openstackgerritDavid Stanek proposed a change to openstack/keystone: First real Python 3 tests
openstackgerritDavid Stanek proposed a change to openstack/keystone: Adds several more tests to the Python 3 test run
dolphmdstanek: nice ^ :P16:50
*** leseb has quit IRC16:51
dstanekdolphm: i'm trying to fill up the chat with noise16:51
*** leseb has joined #openstack-keystone16:51
baffleSo it's like instantly then.16:52
dolphmdstanek: productive* noise16:52
dolphmbaffle: that pic looks familiar16:52
baffledolphm: It's from your twitter feed.16:52
ayoungdstanek, the v2 token is 1/2 the size of the v316:53
dolphmdstanek: your first change will conflict with this one
dstanekdolphm: i'll rebase on top of that after it merges16:55
dstanekdolphm: is it unapproved now?16:56
dolphmdstanek: i'd rather get yours in first16:56
dstanekwe can do that too16:57
*** leseb has quit IRC16:57
dstanekthe general discussions on the ML and irc have been to stop using mox and it was an easy change to make16:57
*** andreaf has quit IRC16:59
dolphmdstanek: is there any argument against using it in py2?16:59
dstanekthe biggest reasons are social - mock is the standard and why use 2 mocking frameworks17:01
*** wchrisj_ has joined #openstack-keystone17:03
dstanekayoung: your v3 token seems to have a much bigger catalog - lots more entries17:05
ayoungdstanek, this is base devstack17:05
ayoungbut each endpoint is more than twice the size in v3 than in v217:05
ayoungv2 cat 30517:05
ayoungv3 cat 71517:05
dstanekayoung: ah, the endpoints in v3 are separate for admin, public and internal17:06
ayoungdstanek, yeah...too chatty17:06
ayoungdstanek, let's see the effect of just removing legacy_endpoint_id17:08
dolphmdstanek: maybe we should leave mox commented out in our test-requirements with a note to reviewers not to allow it to be re-enabled, with a link to why17:08
*** kun_huang has quit IRC17:09
dolphmayoung: i'd kill to simplify the v3 catalog format :( ?nocatalog + GET /v3/catalog might be the only answer without /v3/17:09
dolphmwithout /v4/ *17:09
dstanekdolphm: i can do that - i was planning on adding a new pep8 checker to watch for modules we don't want to use17:09
dolphmdstanek: how many of those are there?17:10
openstackgerritA change was merged to openstack/python-keystoneclient: Create a test token generator and use it
ayoungv2 cat 30517:12
ayoungv3 cat 49017:12
ayoungyeah...that looks like the ticket.  dolphm can we make "remove enabled and legacy_endpoint_id from token service catalog" an rtc2 blocker, please17:12
dstanekdolphm: mox (and maybe some of the deprecated oslo stuff) for sure - i remember seeing past reviews where we changed what should be imported - i'd want to check for those too17:12
dstanekdolphm: things like this we can easily automate so that we can focus on the clarity and indent of the code17:13
*** harlowja_away is now known as harlowja17:14
*** marekd is now known as marekd|away17:14
dolphmayoung: regression!
uvirtbotLaunchpad bug 1152635 in keystone "legacy_endpoint_id returned on v3" [Medium,Fix released]17:14
dstanekdolphm: do you want me to add that comment? if you do i can do it before i wander off to lunch17:14
ayoungdolphm, I'm taking and actively working on it.  Cool?17:14
dolphmayoung: file a new bug, but cite it as a regression of that one17:15
dolphmdstanek: i really don't want to focus on the indent ;)17:15
ayoungdolphm, wilco17:15
dolphmdstanek: if you're removing mox from test-requirements somewhere (i didn't actually see that?), then yes17:16
dstanekdolphm: i didn't remove it, but i should have17:17
*** ilives has quit IRC17:17
*** ilives has joined #openstack-keystone17:18
dstanekdolphm: thoughts?
dolphmdstanek: cite the mailing list, maybe this one
*** mutex has left #openstack-keystone17:24
dolphmdstanek: or straight to russell's email
*** morganfainberg_Z is now known as morganfainberg17:34
dolphmmorganfainberg: ish, as usual17:35
morganfainbergdolphm, yeah17:35
morganfainbergdolphm, rebasing the cleanup patch (removal of the identity proxy) now17:35
*** packet has joined #openstack-keystone17:36
*** packet has quit IRC17:36
dolphmwe're ready to release icehouse-rc2 if necessary, but i'd like to hold as long as possible to get more fixes in :)17:36
morganfainbergdolphm, anything else slated that needs to get in?17:36
morganfainbergdolphm, i can go look at it now (but the list seemed small earlier)17:37
dolphmmorganfainberg: needs, no17:37
*** gokrokve has quit IRC17:37
dolphmmorganfainberg: just a nice to have or two17:37
morganfainbergdolphm, any specifics I can help get into RC2?17:39
morganfainbergdolphm, or just waiting for master patches to land / check / etc before we get to it17:39
dolphmgyee got this up, but i'm not sure how i feel about putting *more* proprietary responsibility into auth plugins :-/17:40
*** thedodd has quit IRC17:45
openstackgerritPablo Fernando Cargnelutti proposed a change to openstack/keystone: Moving delete_user and delete_group calls to IdentityManager
openstackgerritDavid Stanek proposed a change to openstack/keystone: Make the py33 Jenkins job happy
openstackgerritDavid Stanek proposed a change to openstack/keystone: Replace all use of mox with mock
openstackgerritDavid Stanek proposed a change to openstack/keystone: setUp must be called on a fixture's parent first
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fix cache configuration checks
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixed the size limit tests in Python 3
openstackgerritDavid Stanek proposed a change to openstack/keystone: wip: this needs to be made in oslo
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixed the policy tests in Python 3
openstackgerritDavid Stanek proposed a change to openstack/keystone: First real Python 3 tests
openstackgerritDavid Stanek proposed a change to openstack/keystone: Adds several more tests to the Python 3 test run
*** rwsu has quit IRC18:03
*** topol has quit IRC18:07
ayoung"CalledProcessError: Command 'openssl' returned non-zero exit status 3"   WHO BROKE MY UNIT TESTS?18:09
*** thedodd has joined #openstack-keystone18:11
*** gokrokve has joined #openstack-keystone18:12
openstackgerritA change was merged to openstack/keystone: Removes unused db_sync methods
*** raildo has joined #openstack-keystone18:13
ayoungAh...ok, false alarm.18:13
ayoungthought some regressed me18:13
morganfainbergdolphm, i'm looking at the patch from gyee18:14
morganfainbergdolphm, hmm this is an interesting choice.18:15
* morganfainberg keeps reviewing18:15
* morganfainberg sneaks in if os.environ['user'] == 'ayoung': sys.exit('<evil laugh>')18:16
ayoung+2 FILGTM18:16
openstackgerritAndreas Jaeger proposed a change to openstack/keystone: Check that all po/pot files are valid
dolphmayoung: lol18:21
*** marekd|away is now known as marekd18:25
morganfainbergdolphm, i feel like keystone should prevent the auth_plugins from doing bad things not the plugins themselves.18:27
morganfainbergdolphm, as in overriding that method in the plugin could cause the check to pass and get mis-aligned identity info18:27
morganfainbergdolphm, this looks more brittle than i would like (though it might be the solution we need for the moment)18:28
ayoungdolphm, in removing endpoint attributes['enabled'] from the token do I need to remove any endpoints that are enabled=False, or should those have been filtered out already?18:45
bknudsonayoung: only enabled endpoints are in the catalog18:51
ayoungbknudson, cool18:51
ayoungbknudson, so should make_v3_endpoint  delete the enabled and legacy_id fields, too?18:52
bknudsonayoung: that would make the most sense18:53
bknudsonit's already deleting service_id18:53
ayoungjdob, please feel free to ask dumb devstack questions in here18:54
jdobok  :)18:54
jdobso if i'm reading this right, devstack will configure nova to use keystone. i'm trying a curl command against the nova apis, passing in X-Auth-Token in the headers, but it's failing18:55
jdobi feel like I'm missing something really dumb, I'm using the token for the admin user18:55
bknudsonjdob: does the token have any roles?18:55
bknudsonis it scoped to the tenant?18:55
jdobit has a role and tenant, both named admin18:56
ayoungjdob, how did you create the token?18:56
jdobkeystone token-get, with the admin credentials18:57
ayoungjdob, and you went through that troubleshooting guide I sent you?18:57
ayoungjdob, BTW...devstack on Fedora etc means SELinux setenforce=Permissive18:58
jdobya, its permissive18:58
jdobalso dumb question, i keep seeing port 35357, but devstack puts keystone on 500018:58
ayoungjdob, both18:59
ayoung5000 is the main one that end users use for getting tokens18:59
ayoung35357 is the admin interface18:59
ayoungjdob, and that decision predates all of the people that currently work on Keystone, so don't blame us....we are supporting other people's bad ideas19:00
jdobhrm, I don't have anything on 35357, but I can get the signing cert from 5000, and it's still valid19:00
jdob(from your blog post)19:00
jdobtoken-get is the right way to get the token, right?19:00
jdoband I care about the id in the returned result?19:00
ayoungjdob, "I don't have anything on 35357"  is your problem19:01
ayoungnova is trying to get the certs from 3535719:02
ayoungit might be the "35357 is an ephemeral port"  issue19:02
ayoungwe were assigned a port by IANAL that, while technically legal, is smack dab in the middle of the range that Linux considers ephemeral19:02
ayoungtry killing and restarting keystone:19:02
ayoungscreen -x19:02
ayoungctrl a 119:02
ayoung(keystone is usually screen 1)19:03
ayoungctrl C and then it should be the first item in your bash history19:03
jdobI took a slightly different approach, I changed nova.conf to point to 5000 and it seemed to get further19:03
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove assignment proxy methods/controllers
ayoungjdob, hmmmm....that probably is not going to work19:04
ayoungthe token revocation list should not be exposed on that port19:04
jdobok cool, that worked  \o/. odd, since when tuskar was trying 35357 I saw timeouts but nova didn't really reflect that19:04
jdobreally? I actually got a response19:04
ayoungjdob, It may be.  You are capable of magic, as I have seen.  Of Both black and white variety.19:05
jdobi appreciate the optimism that how I got this working was intentional and not pure luck :)19:05
*** thedodd has quit IRC19:06
jdobok, so back to tuskar, that one still doesn't work. i see in keystone: 2014-04-03 15:05:49.116 WARNING keystone.common.wsgi [-] You are not authorized to perform the requested action, identity:revocation_list.19:06
jdobayoung: is that what you were expecting on port 5000?19:06
ayoungjdob, maybe19:06
ayoungjdob, actually, I would not19:06
ayoungI would expect a 404 from 500019:06
ayoungbut...maybe that makes sense, actually19:07
jdobmaybe I missed a step. i made a tuskar user, though I didn't assign it to any roles19:07
ayoungjdob, it looks like it is a valid request, but with a user that is not authorized19:07
jdobsince it didn't look like the other service users weren't19:07
ayoungah, yeah that is it19:07
ayoungit needs an "admin" role19:07
ayoungadd them as admins to the "service" project19:07
bknudsonif you're getting an RBAC error then it's using v3 api19:07
ayoungbknudson, is_admin for V219:08
ayounguser needs the admin role on the token that is requesting the Revocation list19:08
ayoungnot RBAC19:08
openstackgerritayoung proposed a change to openstack/keystone: Remove legacy_endpoint_id and enabled from service catalog
jdobanother dumb question: when i add tuskar to the admin role, it should show up in user-role-list, right?19:10
ayoungjdob, yes19:10
jdobsays i added it, but i'm not seeing it19:11
ayoungjdob,  --user b8d9c33a2f3a42489bec039b8080a0a6   vs  4b70f754d39a482eae75101eac8e07d9  for userid in that query19:12
ayoungyou are looking at two different users19:12
ayoungkeystone user-role-list  I think is giving the answer for admin19:12
jdobsweet, ok, with the tuskar credentials I see it19:13
ayoungjdob, I need to head home:  I'll be back online around 4ish (though in a meeting on the phone)19:14
jdobok, I'm at a different error now, so this is progress and something for me to look at19:14
*** ayoung has quit IRC19:19
*** thedodd has joined #openstack-keystone19:21
*** david-lyle has quit IRC19:24
openstackgerritA change was merged to openstack/keystone: For ldap, API wrongly reports user is in group
openstackgerritA change was merged to openstack/keystone: remove the unused variable in test_sql_upgrade
openstackgerritA change was merged to openstack/python-keystoneclient: Split sample PKI token generation
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Allow hash tokens with sha256
*** vhoward- has left #openstack-keystone19:36
*** leseb has joined #openstack-keystone19:41
raildoI'm with a doubt and think that someone could help me. I'm trying to reproduce the error that happened in
uvirtbotLaunchpad bug 1081221 in keystone "Keystone POST /tokens response does not contain all endpoints" [Medium,Triaged]19:42
raildoWhen he speaks in /POST token, this refers to usually get a token?19:42
raildoI could not view the list of endpoints, anyone know any way to do this?19:43
*** zhiyan_ is now known as zhiyan19:50
*** ilives has quit IRC19:55
*** ilives has joined #openstack-keystone19:56
*** rwsu has joined #openstack-keystone19:56
*** harlowja has quit IRC20:02
*** harlowja has joined #openstack-keystone20:03
*** ilives has quit IRC20:03
*** ilives has joined #openstack-keystone20:05
*** rwsu has quit IRC20:07
*** rwsu has joined #openstack-keystone20:09
*** rwsu has quit IRC20:11
*** rwsu has joined #openstack-keystone20:11
*** ayoung has joined #openstack-keystone20:18
*** topol has joined #openstack-keystone20:18
*** leseb has quit IRC20:20
*** leseb has joined #openstack-keystone20:21
*** leseb has quit IRC20:26
baffledolphm: So, having looked at things a bit; Am I correct in understanding that domains just don't work with Nova (and possibly other core parts of openstack)?20:27
*** rwsu has quit IRC20:27
bknudsonbaffle: what do domains have to do with nova? you get a token with roles and nova uses the roles.20:28
bknudsonwhat does nova have to do with the domain of the user?20:28
*** rwsu has joined #openstack-keystone20:31
*** jogo has joined #openstack-keystone20:37
*** jogo has left #openstack-keystone20:37
*** henrynash has joined #openstack-keystone20:38
*** david-lyle has joined #openstack-keystone20:40
*** marekd has quit IRC20:43
*** marekd has joined #openstack-keystone20:47
*** amcrn has joined #openstack-keystone20:55
*** gokrokve_ has joined #openstack-keystone20:59
marekdhi, I am having lots of failures not related to my change, nor to the failing tests. Anybody aware of the bug number I should put in the comment, or just keep trying with recheck no bug? and one of the logs: | grep exit .21:01
*** gokrokve has quit IRC21:02
*** leseb has joined #openstack-keystone21:07
bknudsonmarekd: please look into the issue and open a bug if it's a new problem.21:09
bknudsonmarekd: this will help out the entire openstack project21:09
*** henrynash has quit IRC21:09
*** jdob has quit IRC21:10
marekdbknudson: ok21:11
*** stevemar has quit IRC21:12
jamielennoxmarekd: i don't *think* that one was your fault21:14
jamielennox2014-04-03 16:17:55.144 | + openstack --os-token 111222333444 --os-url= --os-identity-api-version=3 role add --user heat_domain_admin --domain 675d578ed1eb42adbea279b17b2dd6aa admin21:14
jamielennox2014-04-03 16:17:55.607 | ERROR: create_grant() got an unexpected keyword argument 'role' (HTTP 400)21:14
marekdjamielennox: yeah, i am looking at the same lines.21:16
jamielennoxit's a pity that openstackclient doesn't run with debug21:17
bafflebknudson: I'm very confused; If I auth with a user that's not in the default domain I can't auth with nova.21:18
bafflebknudson: From Horizon.21:18
bknudsonbaffle: anything in the nova log?21:18
jamielennoxdtroyer: do you know where the above create_grant() is coming from?21:18
bafflebknudson: Keystone says "Authorization failed. Non-default domain is not supported" and Nova says "Invalid user token - rejecting request".21:20
dtroyerjamielennox: I do not.  it isn't in the master branch of OSC21:21
jamielennoxdtroyer: yea, it didn't show up with a grep - but it's being used in devstack and it's not coming from keystoneclient21:22
*** rwsu has quit IRC21:22
jamielennoxcoming from the end of
bafflebknudson: I guess it is related to this:
bafflebknudson: But I don't know *why* it's like that. :)21:22
bknudsonbaffle: are you authenticating with V2?21:24
bknudsonif so, you wouldn't be able to get a token for a user in the non-default domain.21:24
bafflebknudson: I think horizon uses novaclient which uses V2?21:26
bafflebknudson: I auth to Horizon with V3, but I think Horizon uses novaclient which uses V2? If I'm not mistaken.21:27
marekdjamielennox: probably re-running it with "recheck no bug" is not the smartest idea and filing a bug is a better one.21:28
jamielennoxmarekd: i know what it is21:28
marekdjamielennox: yes..?21:28
jamielennoxmarekd: see how on line 349 you move the line url = self.build_url(dict_args_in_out=kwargs) inline21:29
jamielennoxthat build_url modifies the kwargs dict21:29
jamielennoxwhich is why you have to run it first and then use the kwargs again later21:29
jamielennoxso the roles= value is still in the body when you construct  body={self.key: kwargs} because it is being executed before build_url21:30
jamielennoxcreate_grant is coming from keystone server21:30
marekdjamielennox: ok, got it.21:32
bafflebknudson: Yeah.. I auth to Horizon with V3. Then it uses my token (which is a scoped domain token) to connect to Nova: 'novaclient connection created using token "8060d8d6bf021b7cec8f4fa059fb19de" and url ""'  'REQ: curl -i '' -X GET -H "X-Auth-Project-Id: 7a113261536a4d15a20d8d6e98834e43 " -H "21:33
marekdjamielennox: so I think the put() should behave the same way?21:33
jamielennoxmarekd: yep21:34
bafflebknudson: And then Nova tries to use that and keystone rejects it.21:34
marekdjamielennox: patching.21:36
*** marcoemorais has joined #openstack-keystone21:36
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Allow hash tokens with sha256
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Fix base.CrudManager.put() method.
bknudsonbaffle: UUID tokens?21:38
bafflebknudson: No, MD5 of the PKI token. Which incidentally looks just like a UUID token.21:39
bknudsonhorizon does the md5?21:39
bafflebknudson: If you look at the user.Token code in openstack_auth you see that it converts the x-auth-token to a md5 hash...21:40
bknudsonbaffle: openstack_auth?21:41
baffleYeah, openstack_auth.user .. ?21:41
bknudsonbaffle: never heard of it ... is it part of keystone?21:42
bafflebknudson: Hmm, maybe not.. Come to think of it, it's an addon to Django that Horizon uses. So maybe that is the culprit.21:43
bknudsonbaffle: ok, so keystone gets a v2 request to validate a token, but the user's not in the default domain... I would expect that to fail.21:44
bknudsonsince a user in a non-default domain would require a v3 token response.21:44
dstanekthere was talk about always syncing all of oslo - is that the direction?21:45
bafflebknudson: Thanks, I'll dig into it some more.. Maybe with a big flowchart so I can try to keep the whole chain in my head.. :-)21:45
bknudsonbaffle: I assume it's auth_token middleware doing the token validation... seems like it should be using v3 to validate tokens.21:46
dstanekbknudson: nice thanks21:46
*** nkinder has quit IRC21:48
*** stmi has joined #openstack-keystone21:49
bknudsonbaffle: try setting auth_token's auth_version to v3.021:49
*** leseb has quit IRC21:55
*** marcoemorais1 has joined #openstack-keystone21:56
*** marcoemorais has quit IRC21:58
*** lbragstad has quit IRC22:05
*** zhiyan is now known as zhiyan_22:08
*** marcoemorais1 has quit IRC22:14
jamielennoxmarekd: you will probably need a simple test for that put() review22:23
*** rwsu has joined #openstack-keystone22:26
*** dstanek has quit IRC22:26
marekdjamielennox: something like this but with _put() ?22:27
openstackgerritBrant Knudson proposed a change to openstack/keystone: Configurable token hash algorithm
jamielennoxmarekd: what the hell is that22:28
jamielennoxwhoever wrote that test mocked it to the point where it doesn't actually test anything22:28
jamielennoxso it appears that put() was always supposed to take a body - the test just doesn't do anything22:29
marekdjamielennox: not me! not me!22:29
marekdjamielennox: hah, so it appears that python-keystoneclient has some surprises hidden...even for you :-)22:30
jamielennoxoh, they are mocking client.put22:31
jamielennoxmarekd: i don't claim that it's all that good22:31
marekdjamielennox: i know22:31
jamielennoxmarekd: ok, _put() calls client.put() and that's where the mock is22:32
jamielennoxbut nothing is testing manager.put()22:32
jamielennoxin which case why do we even have manager.put()22:32
jamielennoxmarekd: honestly it's good if you fix put() but i'd almost just use _put() for your patch22:34
*** joesavak has quit IRC22:34
marekdjamielennox: those are separated things - I would even go for _update() as it looks this should be the only method left one day...22:35
jamielennoxdepends, i think most people will understand and want to explicitly specify PUT or PATCH22:36
jamielennoxbut honestly the managers suck - my approach has been whatever works22:36
openstackgerritBrant Knudson proposed a change to openstack/keystone: Configurable token hash algorithm
marekdjamielennox: i am talking about deprecating _put() and refactoring patch(), put(), update() to call _update() with method argument hardcoded.22:38
*** marcoemorais has joined #openstack-keystone22:38
jamielennoxmarekd: there has been some work recently to standardize the managers across all the projects22:39
jamielennoxmarekd: honestly i don't mind either way22:39
marekdjamielennox: got it.22:39
jamielennoxbut there may be some conflict there22:39
marekdjamielennox: why?22:39
jamielennoxnot conflict - just that it may come back later with a sync across all the projects22:40
marekdjamielennox: ah, ok.22:40
*** gokrokve_ has quit IRC22:42
*** jagee has quit IRC22:53
*** dstanek has joined #openstack-keystone22:54
*** dstanek has quit IRC22:59
*** bvandenh has quit IRC23:00
*** david-lyle has quit IRC23:01
*** thedodd has quit IRC23:12
*** nkinder has joined #openstack-keystone23:15
*** dstanek has joined #openstack-keystone23:21
openstackgerritPriti Desai proposed a change to openstack/keystone: Adding one more check on project_id
marekddstanek: Hi. Regarding your comments on I think I will just try to add tests just for V3Controller (something like in
marekddstanek: and test exactly the method, so also the message output it stores in the Exception object.23:28
marekdIt's late here, time to bed. Good night!23:32
*** marekd is now known as marekd|away23:32
bafflebknudson: Actually, I think that might be it.. It was set to "v3" which is clearly wrong, as I can see from the sources..23:49
bknudsonbaffle: seems like v3 should work, since that's the url23:50
bknudsonbut the code says differently23:50
