Monday, 2014-04-07

*** RockKuo has joined #openstack-keystone  [00:11]
*** wchrisj has joined #openstack-keystone  [00:20]
*** wchrisj has quit IRC  [00:50]
<openstackgerrit> A change was merged to openstack/keystone: Clean up config help text
<openstackgerrit> A change was merged to openstack/keystone: Cleanup
*** derek_c has joined #openstack-keystone  [01:19]
*** wchrisj has joined #openstack-keystone  [02:07]
*** mberlin has quit IRC  [02:10]
*** mberlin has joined #openstack-keystone  [02:10]
*** wchrisj has quit IRC  [02:21]
*** chandan_kumar has joined #openstack-keystone  [02:29]
*** chandan_kumar has quit IRC  [02:30]
*** jamielenz is now known as jamielennox|away  [02:37]
*** jamielennox|away is now known as jamielennox  [02:38]
*** derek_c has quit IRC  [02:41]
<openstackgerrit> Jamie Lennox proposed a change to openstack/keystone: Isolate backend loading
*** chandan_kumar has joined #openstack-keystone  [03:30]
*** chandan_kumar has quit IRC  [03:31]
*** chandan_kumar has joined #openstack-keystone  [03:31]
*** chandan_kumar has quit IRC  [03:48]
*** zhiyan_ is now known as zhiyan  [03:50]
*** kun_huang has joined #openstack-keystone  [03:57]
*** chandan_kumar has joined #openstack-keystone  [04:08]
*** jimbaker` is now known as jimbaker  [04:09]
*** jimbaker has quit IRC  [04:10]
*** jimbaker has joined #openstack-keystone  [04:10]
*** topol has joined #openstack-keystone  [04:22]
*** derek_c has joined #openstack-keystone  [04:24]
*** stevemar has joined #openstack-keystone  [04:34]
*** zhiyan is now known as zhiyan_  [04:39]
*** chandan_kumar has quit IRC  [05:02]
*** derek_c has quit IRC  [05:07]
*** saju_m has joined #openstack-keystone  [05:13]
*** chandan_kumar has joined #openstack-keystone  [05:27]
*** mfisch has quit IRC  [05:29]
*** mfisch has joined #openstack-keystone  [05:31]
*** mfisch has joined #openstack-keystone  [05:31]
*** derek_c has joined #openstack-keystone  [05:35]
*** henrynash has joined #openstack-keystone  [05:44]
*** topol has quit IRC  [05:52]
*** stevemar has quit IRC  [05:58]
<openstackgerrit> Jenkins proposed a change to openstack/keystone: Imported Translations from Transifex
*** rwsu has joined #openstack-keystone  [06:35]
*** saju_m has quit IRC  [06:41]
*** RockKuo has quit IRC  [06:51]
*** saju_m has joined #openstack-keystone  [06:55]
<openstackgerrit> David Stanek proposed a change to openstack/keystone: Moves test database setup/teardown into a fixture
*** chandan_kumar has quit IRC  [07:02]
*** chandan_kumar has joined #openstack-keystone  [07:07]
*** henrynash has quit IRC  [07:22]
*** leseb has joined #openstack-keystone  [07:34]
*** marekd|away is now known as marekd  [07:51]
*** derek_c has quit IRC  [07:55]
*** RockKuo has joined #openstack-keystone  [08:15]
*** nkinder has quit IRC  [08:22]
*** nkinder has joined #openstack-keystone  [08:27]
*** henrynash has joined #openstack-keystone  [08:33]
<openstackgerrit> Matthieu Huin proposed a change to openstack/identity-api: Fix for federation token request examples
<openstackgerrit> Marek Denis proposed a change to openstack/keystone: List all forbidden attributes in the request body.
*** saju_m has quit IRC  [09:27]
*** nkinder has quit IRC  [09:28]
*** jaosorior has joined #openstack-keystone  [09:46]
*** kurguzov has quit IRC  [10:03]
*** nkinder has joined #openstack-keystone  [10:04]
*** leseb has quit IRC  [10:18]
*** leseb has joined #openstack-keystone  [10:19]
*** leseb has quit IRC  [10:23]
*** saju_m has joined #openstack-keystone  [10:32]
*** inc0 has joined #openstack-keystone  [10:45]
<inc0> hello, which API call will return me list of all tenants? even on admin tenant I don't get full list.  [10:46]
*** saju_m has quit IRC  [10:49]
*** leseb has joined #openstack-keystone  [10:49]
*** leseb has quit IRC  [10:53]
*** henrynash has quit IRC  [11:03]
<jaosorior> inc0, what version of the API are you using?  [11:03]
<inc0> jaosorior, v2  [11:04]
*** leseb has joined #openstack-keystone  [11:04]
<jaosorior> well, the resource to get the list of tenants in v2.0 is under /tenants  [11:09]
<jaosorior> for example, if you were using curl to get the info, you would do something like this:  [11:09]
<jaosorior> curl -s -H "X-Auth-Token: <your authenticated token>" http://<some address>:35357/v2.0/tenants  [11:10]
<jaosorior> or, are you using the keystone cli client?  [11:10]
<jaosorior> or something else?  [11:11]
*** RockKuo has quit IRC  [11:14]
<inc0> jaosorior, python client, but query you've shown will only show tenants this user has access to  [11:20]
<inc0> but not all of them I guess  [11:20]
<inc0> even if I use port 35357  [11:21]
*** saju_m has joined #openstack-keystone  [11:25]
<inc0> ah, sorry my fault  [11:33]
<inc0> it seems it's working, thank you very much  [11:33]
*** afaranha has left #openstack-keystone  [11:38]
<jaosorior> alright :)  [11:47]
*** jamielennox is now known as jamielennox|away  [11:56]
*** lbragstad has quit IRC  [12:01]
*** henrynash has joined #openstack-keystone  [12:06]
*** zigo has quit IRC  [12:26]
*** lbragstad has joined #openstack-keystone  [12:34]
*** erecio has joined #openstack-keystone  [12:41]
*** andreaf has quit IRC  [12:45]
<henrynash> ayoung: ping  [12:58]
<openstackgerrit> David Stanek proposed a change to openstack/keystone: Moves test database setup/teardown into a fixture
*** raildo has joined #openstack-keystone  [13:02]
*** RockKuo has joined #openstack-keystone  [13:18]
*** dims has joined #openstack-keystone  [13:22]
*** andreaf has joined #openstack-keystone  [13:28]
*** nkinder has quit IRC  [13:42]
*** dstanek_zzz is now known as dstanek  [13:48]
*** henrynash has quit IRC  [13:50]
*** henrynash has joined #openstack-keystone  [13:51]
*** chandan_kumar has quit IRC  [13:56]
*** joesavak has joined #openstack-keystone  [13:56]
<openstackgerrit> Juan Antonio Osorio Robles proposed a change to openstack/keystone: Refactor: moved flatten function to utils
<openstackgerrit> Marek Denis proposed a change to openstack/keystone: List all forbidden attributes in the request body.
*** stevemar has joined #openstack-keystone  [14:23]
*** nkinder has joined #openstack-keystone  [14:31]
<dstanek> marekd: i just had one more really small comment on that review  [14:47]
<marekd> dstanek: yep, noticed it.  [14:47]
<marekd> dstanek: so the order is like:
*** saju_m has quit IRC  [14:50]
<dstanek> marekd: yep  [14:53]
<openstackgerrit> Marek Denis proposed a change to openstack/keystone: List all forbidden attributes in the request body.
<dstanek> marekd: this talks about the details
<marekd> dstanek: thanks.  [14:56]
<dstanek> dolphm: ping  [14:59]
<dstanek> dolphm: did you ever publish your raspberrypy code?  [15:02]
<marekd> dstanek: ^^ guessing...OpenStack on Raspbian?  ?  [15:03]
*** nkinder has quit IRC  [15:03]
<dstanek> marekd: he has a webapp of some sort running in a py that watches zuul  [15:04]
*** thedodd has joined #openstack-keystone  [15:05]
*** inc0 has quit IRC  [15:05]
*** inc0_ has joined #openstack-keystone  [15:05]
<dolphm> dstanek: yes, and then i made it really slow with my last feature add :P  [15:06]
<dstanek> dolphm: nice, thanks  [15:06]
<dolphm> dstanek: demo
*** david-lyle has joined #openstack-keystone  [15:08]
*** bada has joined #openstack-keystone  [15:09]
*** ayoung has joined #openstack-keystone  [15:11]
*** nkinder has joined #openstack-keystone  [15:15]
*** Guest_ has joined #openstack-keystone  [15:16]
*** gyee has joined #openstack-keystone  [15:20]
*** browne has joined #openstack-keystone  [15:24]
*** browne has quit IRC  [15:24]
<nkinder> ayoung: I did some security research of Keystone this weekend that you might find interesting -
<nkinder> ayoung: I'd like to be sure I'm not missing anything, and there are some areas I wasn't 100% clear on.  [15:28]
<nkinder> ayoung: I'm trying to use Keystone as an example for collecting this information.  I'd like to get this sort of information in place for all integrated projects.  [15:29]
*** wchrisj has joined #openstack-keystone  [15:36]
*** browne has joined #openstack-keystone  [15:36]
<ayoung> nkinder, I'll take a look  [15:43]
<ayoung> nkinder, on the MD5, you kind of allude to it, but "user cannot generate the text that leads to the MD5."  [15:45]
*** browne has quit IRC  [15:45]
<ayoung> LDAP password hashing is only done for Read Write Keystone  [15:46]
*** browne has joined #openstack-keystone  [15:46]
<ayoung> nkinder, I would strongly recommend that keystone-manage pki_setup and ssl_setup be deprecated  [15:47]
<nkinder> ayoung: why should LDAP password hashing be needed, even for read/write?  [15:47]
<ayoung> nkinder, storing the password?  Where else is it done?  [15:48]
<nkinder> ayoung: the LDAP server should hash the passwords, not keystone  [15:48]
<ayoung> nkinder, actually, Keystone should get out of the Password business  [15:48]
<nkinder> ayoung: keystone should not be doing any hashing for LDAP passwords at all.  [15:48]
<ayoung> nkinder, keystone should not be doing passwords at all  [15:48]
<nkinder> ayoung: well, that too. :)  [15:49]
<ayoung> nkinder, I think the use of self-signed certs for tokens and SSL should be called out  [15:49]
<ayoung> in Red  [15:49]
<ayoung> use a blink tag  [15:49]
*** marcoemorais has joined #openstack-keystone  [15:50]
*** nkinder has quit IRC  [16:02]
*** saju_m has joined #openstack-keystone  [16:12]
*** jsavak has joined #openstack-keystone  [16:15]
*** chandan_kumar has joined #openstack-keystone  [16:16]
*** nkinder has joined #openstack-keystone  [16:18]
*** joesavak has quit IRC  [16:19]
*** RockKuo has quit IRC  [16:19]
*** joesavak has joined #openstack-keystone  [16:19]
*** jsavak has quit IRC  [16:22]
*** Guest_ has quit IRC  [16:25]
*** Guest_ has joined #openstack-keystone  [16:25]
*** zigo has joined #openstack-keystone  [16:28]
*** zigo has quit IRC  [16:33]
<dolphm> any reason why keystone.common.cache.backends.mongo couldn't be used as a general [kvs] backend?  [16:34]
<dolphm> i had only considered it for caching, but... it looks like it would work as a general backend too  [16:34]
*** zigo has joined #openstack-keystone  [16:34]
*** saju_m has quit IRC  [16:35]
*** Guest_ has quit IRC  [16:36]
*** Guest_ has joined #openstack-keystone  [16:36]
*** jaosorior has quit IRC  [16:40]
*** zigo has quit IRC  [16:41]
*** richm has joined #openstack-keystone  [16:42]
*** zigo has joined #openstack-keystone  [16:46]
*** leseb has quit IRC  [16:46]
*** Guest_ has quit IRC  [16:52]
*** Guest_ has joined #openstack-keystone  [16:52]
*** harlowja has joined #openstack-keystone  [16:56]
*** Guest_ has quit IRC  [16:58]
*** Guest_ has joined #openstack-keystone  [16:58]
*** Guest_ has quit IRC  [16:59]
*** Guest_ has joined #openstack-keystone  [16:59]
*** marcoemorais has quit IRC  [17:00]
*** marcoemorais has joined #openstack-keystone  [17:02]
<dstanek> only 970 failing tests still! winning!  [17:07]
*** henrynash has quit IRC  [17:12]
*** amcrn has joined #openstack-keystone  [17:13]
*** topol has joined #openstack-keystone  [17:14]
<openstackgerrit> Priti Desai proposed a change to openstack/keystone: Adding one more check on project_id
<openstackgerrit> guang-yee proposed a change to openstack/keystone: Make sure all the auth plugins agree on the shared identity attributes.
<openstackgerrit> Jenkins proposed a change to openstack/keystone: Updated from global requirements
*** marcoemorais has quit IRC  [17:33]
*** marcoemorais has joined #openstack-keystone  [17:34]
*** Guest_ has quit IRC  [17:42]
*** Guest_ has joined #openstack-keystone  [17:43]
*** Guest_ has quit IRC  [17:49]
*** dolphm changes topic to "Open for Juno development; submit design summit session proposals ASAP (deadline: April 20th)"  [17:54]
*** kun_huang has quit IRC  [18:02]
*** marcoemorais has quit IRC  [18:03]
*** nkinder has quit IRC  [18:03]
*** marcoemorais has joined #openstack-keystone  [18:03]
*** nkinder has joined #openstack-keystone  [18:09]
*** pcargnel has joined #openstack-keystone  [18:22]
<pcargnel> hi! where can I find the stored project_id in a group?  [18:24]
*** raildo has quit IRC  [18:30]
<ayoung> morganfainberg_Z, wake up! What is the trick to getting fail fast to work in tox?  [18:32]
<ayoung> pcargnel, there is no stored project_id in groups  [18:32]
<ayoung> dolphm, mongo could very well be a KVS backend  [18:32]
<ayoung> that was the intention dolphm  [18:33]
<pcargnel> ayoung, If I have to look for group roles of a user related to a specific project, can I use the tenant_id instead?  [18:33]
<ayoung> pcargnel, roles are in the assignments backend, so what you want is "what roles are assigned to a group"  [18:34]
<ayoung> and roles are assigned per project  [18:34]
<ayoung> pcargnel, so, I think what you are asking is 'how can I find out what role assignments a user would get in a specific project based on their group membership?'  [18:35]
<ayoung> or something along those lines?  [18:35]
<pcargnel> Yes, kind of. I need to get group roles for a user in project. It's related to this bug
<uvirtbot> Launchpad bug 1205506 in keystone "get_group_project_roles() asks same ldap query for all groups associated with user" [Medium,Triaged]  [18:36]
*** morganfainberg_Z is now known as morganfainberg  [18:39]
*** andreaf has quit IRC  [18:40]
<morganfainberg> ayoung, bunch of milestone-proposed patches, anything i should be aware of before reviewing them?  [18:41]
<ayoung> morganfainberg, those are all backports of the UTF-8 stuff.  Let's make sure they clear gate before spending any time on them  [18:43]
<ayoung> they pass unit tests, but there was some pep8 weirdness  [18:43]
<morganfainberg> ayoung, ++ thanks! just want to prioritize milestone-proposed  [18:44]
<morganfainberg> ayoung, i'll keep an eye on the master patches/equivalents.  [18:44]
<ayoung> morganfainberg, master went in for those  [18:44]
<morganfainberg> hm. oh ok i see, you're getting them to pass check then worry about approval  [18:44]
<ayoung> morganfainberg, they were all done by jdennis, but he's off this month, so our manager asked me to shepherd them through  [18:44]
<morganfainberg> ayoung, sorry, need more coffee :P  [18:45]
<ayoung> the real deal is that I need to backport them to havana  [18:45]
<morganfainberg> ayoung, ah yeah  [18:45]
<morganfainberg> ayoung, but they need to land in I first, I get it  [18:45]
<ayoung> morganfainberg, how do I get fail-fast?  [18:45]
<morganfainberg> ayoung, use run_tests  [18:45]
<ayoung> no way in tox?  [18:45]
<morganfainberg> ayoung, i'm working on getting a patch into tox so we can make it work  [18:45]
<morganfainberg> it needs to not be part of "testr-args" it has to be an option to testr itself  [18:46]
<morganfainberg> so -- --subunit --failfast nets a "unknown option"  [18:46]
<morganfainberg> the fix is to make it so we can do optional replacements.  [18:46]
<morganfainberg> in the tox.ini config  [18:46]
<ayoung> morganfainberg, can I hack tox.ini to get it for now?  [18:49]
*** saju_m has joined #openstack-keystone  [18:51]
*** Guest_ has joined #openstack-keystone  [18:58]
*** MrDan has joined #openstack-keystone  [19:00]
*** MrDan has left #openstack-keystone  [19:00]
*** thedodd has quit IRC  [19:01]
<dstanek> morganfainberg: this database fixturing is a royal pain  [19:02]
<dstanek> morganfainberg: partially because i wanted to do the right thing and remove the db setup/teardown from TestCase and put it where it belongs  [19:03]
*** thedodd has joined #openstack-keystone  [19:03]
<openstackgerrit> Steve Martinelli proposed a change to openstack/identity-api: Change package to build docs to correct name
*** joesavak has quit IRC  [19:04]
*** Guest_ has quit IRC  [19:09]
*** derek_c has joined #openstack-keystone  [19:10]
<stevemar> dstanek, mind if i pick your brain for a sec  [19:14]
<morganfainberg> ayoung, yeah  [19:14]
<dstanek> stevemar: sure  [19:15]
<morganfainberg> ayoung, if you put the --fail-fast (or is it --failfast) arg in right after --slowest  [19:15]
<morganfainberg> ayoung, that _should_ do it  [19:15]
<stevemar> dstanek, can you take a look at the changes here:
<morganfainberg> dstanek, yeah :(  [19:15]
<ayoung> morganfainberg, good enough, although I've moved on and am running once again with  I wonder if fail-fast as the default behaviour would be OK?  [19:16]
<morganfainberg> ayoung, not for gate  [19:16]
<ayoung> no?  I guess not  [19:16]
<ayoung> morganfainberg, could we do a second target?  [19:16]
<morganfainberg> ayoung, nah, we want all failures not just the first  [19:16]
<ayoung> tox -epy27-fast?  [19:16]
<dstanek> stevemar: looking now  [19:17]
<morganfainberg> ayoung, we could but we lose the magic "pyXX" version targeting  [19:17]
<morganfainberg> ayoung, tox looks for pyXX not pyXX.*  [19:17]
<stevemar> dstanek, line 90, I want to move that function too, but it requires identity_api; is there a way to use the dependency function without a class? cause utils doesn't have any class but the rule processor  [19:17]
<morganfainberg> ayoung, it's... kinda silly.  [19:17]
<morganfainberg> ayoung, i wish i could leverage the "magic" versioning.  [19:17]
<dstanek> stevemar: pass it as a param  [19:17]
<ayoung> morganfainberg, there is a lot of silliness in development work  [19:18]
<morganfainberg> ayoung, i might propose another fix to tox to let us define the added py\d{2}.* regex instead for the magic version setting  [19:19]
<morganfainberg> ayoung, let me figure out the best way to do it and propose this fix as well.  [19:20]
<morganfainberg> the worst part about contributing to tox is that they use hg and i suck at using hg for version control :P  [19:20]
<morganfainberg> hmm. wait a sec --failfast should work as we have it.  [19:21]
* morganfainberg goes and checks  [19:21]
<stevemar> dstanek, i don't like it when you're correct so quickly  [19:21]
<morganfainberg> stevemar, dstanek has that super power  [19:21]
<dstanek> stevemar: :-) about the param?  [19:22]
<stevemar> dstanek, serves me right for trying to do this too late at night  [19:22]
<dstanek> stevemar: believe me i know the feeling - i was up until 3am messing around with database fixtures  [19:23]
*** inc0_ has quit IRC  [19:24]
<bknudson> Nova's got a problem when it's using neutron.  [19:24]
<bknudson> It takes the token on the boot request and passes it on to neutron  [19:25]
*** Chicago has quit IRC  [19:25]
<bknudson> but of course the token could expire or get revoked  [19:25]
<openstackgerrit> Steve Martinelli proposed a change to openstack/keystone: Refactor: move federation functions to federation utils
<bknudson> sounds like a place where a trust could be used?  [19:25]
<morganfainberg> ayoung, oh i see how we have to do this. wow... "-- --subunit -- --failfast"  [19:25]
<morganfainberg> ayoung, that is such a horrible syntax.  [19:25]
<ayoung> morganfainberg, python rarely bothers itself with such limiting factors as Syntax  [19:26]
*** thedodd has quit IRC  [19:29]
*** marcoemorais has quit IRC  [19:31]
*** thedodd has joined #openstack-keystone  [19:31]
*** thedodd has quit IRC  [19:31]
*** marcoemorais has joined #openstack-keystone  [19:31]
*** thedodd has joined #openstack-keystone  [19:33]
*** joesavak has joined #openstack-keystone  [19:36]
<bknudson> Looks like Nova could use the user's token to create a trust which gives the nova user the user's roles on the project  [19:38]
*** doddstack has joined #openstack-keystone  [19:38]
<bknudson> Then Nova could get its own token and use that to get a token with "scope" { (the new trust) }  [19:38]
*** thedodd has quit IRC  [19:40]
<morganfainberg> bknudson, isn't that what heat (essentially) does?  [19:41]
<bknudson> probably, when talking to nova  [19:41]
*** leseb has joined #openstack-keystone  [19:47]
*** jimbaker has quit IRC  [19:51]
*** henrynash has joined #openstack-keystone  [19:51]
*** jimbaker has joined #openstack-keystone  [19:51]
*** jimbaker has quit IRC  [19:51]
*** jimbaker has joined #openstack-keystone  [19:51]
<bknudson> "Expecting to find trust_id in trust." ... wonder why that is.  [20:00]
<bknudson> oops, my fault  [20:02]
*** marcoemorais has quit IRC  [20:03]
*** marcoemorais has joined #openstack-keystone  [20:03]
*** harlowja has quit IRC  [20:03]
<bknudson> that seems to work... I'll see if nova will take it.  [20:04]
*** dims has quit IRC  [20:08]
<morganfainberg> ayoung, i'm trying to figure out why this is occurring. I don't see how we could get into this situation  [20:08]
*** mhu1 has joined #openstack-keystone  [20:09]
<morganfainberg> ayoung, i'm going to propose some attribute cleanup code for test_revoke cases, but I don't think that will actually help.  [20:09]
*** mhu has quit IRC  [20:10]
*** mhu1 is now known as mhu  [20:10]
<ayoung> morganfainberg, looks like a mess  [20:10]
<morganfainberg> ayoung, yeah  [20:10]
<ayoung> morganfainberg, could be something is getting double counted  [20:10]
<morganfainberg> ayoung, only sometimes  [20:11]
<morganfainberg> ayoung, not consistently.  [20:11]
<ayoung> morganfainberg, only on 26, or across the board?  [20:11]
<morganfainberg> sometimes 27  [20:11]
<morganfainberg> 33 doesn't work so... dunno  [20:11]
<morganfainberg> it's intermittent so it feels like a parallel testing issue  [20:12]
<morganfainberg> and therefore test isolation problems  [20:12]
<ayoung> wow...that one is in a loop....hmmm, maybe something hasn't caught up?  But it should be single threaded....could it be a problem in event delivery?  [20:13]
<morganfainberg> ayoung, yeah that is my concern  [20:13]
<ayoung> morganfainberg, looks like something didn't get delivered  [20:14]
<ayoung> self.assertEqual(turn + 1, len(self.tree.revoke_map  [20:14]
<ayoung> 4 != 3 means the turn is 4, and we expect 4 delivered events  [20:14]
<morganfainberg> which ... this loop feels like it should break differently.  [20:14]
<ayoung> morganfainberg, could also be something wonky in the match logic.  [20:15]
<morganfainberg> ayoung, i hope it's that rather than the former tbh  [20:15]
<ayoung> morganfainberg, could be a glitch in the test logic.  Is it always that same line that fails?  [20:17]
<morganfainberg> ayoung, i think it's always 418  [20:17]
<ayoung> morganfainberg, hmmm  [20:17]
<morganfainberg> ayoung, that is the first equal check in _assertEventsMatchIteration  [20:17]
<henrynash> ayoung: hi….I have a rather dumb question about….errr…keystone  [20:18]
<morganfainberg> well the first one looking into the tree map  [20:18]
<ayoung> henrynash, fire away  [20:18]
*** harlowja has joined #openstack-keystone  [20:19]
<henrynash> ayoung: so keystone is single threaded as far as processing cmds, right (i.e. we don't try and process more than one wsgi cmd in parallel do we)?  [20:19]
<ayoung> henrynash, wow, loaded question.  [20:19]
<ayoung> henrynash, Eventlet is single threaded, but you can run multiple worker threads  [20:20]
<ayoung> and HTTPD is multiprocess  [20:20]
<henrynash> ayoung: right, so if you are kicking it off out of Apache, then it depends on how you have that configured  [20:20]
<ayoung> morganfainberg, If it were reversed:  that more events were delivered than expected, I would blame it on parallel testing  [20:21]
<morganfainberg> ayoung, ok. i'll do a deep dive on the delivery parts  [20:21]
<morganfainberg> ayoung, this one is potentially icky, wanted to make you aware of it  [20:21]
<morganfainberg> ayoung, might have further questions as i continue here  [20:22]
<henrynash> ayoung: what about non Apache configs….  like can we be processing a cmd via the admin port and the public port in parallel too (we start two servers right, one for each)?  [20:22]
*** derek_c has quit IRC  [20:25]
*** derek_c has joined #openstack-keystone  [20:25]
<ayoung> henrynash, yes we can  [20:25]
<ayoung> henrynash, although, I think that those are both in the same thread, now that I think about it  [20:26]
<ayoung> morganfainberg, I'm wondering if it could still be parallel testing  [20:26]
<henrynash> ayoung: that was the bit I was not so sure of  [20:26]
<ayoung> maybe the event got swallowed by the wrong test?  [20:27]
<ayoung> henrynash, I lie  [20:27]
<ayoung> test empirically  [20:27]
<morganfainberg> ayoung, i think i'm going to propose attribute cleanup on these tests see if it helps  [20:27]
<henrynash> ayoung: so, no change there….:-)  [20:27]
<morganfainberg> ayoung, but ... it's an odd one  [20:27]
<ayoung> Nope, I have always lied  [20:27]
<ayoung> morganfainberg, yep  [20:27]
<henrynash> ayoung: i always lie about lying  [20:28]
*** amcrn has quit IRC  [20:28]
*** jsavak has joined #openstack-keystone  [20:31]
<morganfainberg> ayoung, that shouldn't be possible in a single thread... should it?  [20:31]
<ayoung> morganfainberg, not in a single thread  [20:32]
*** marcoemorais has quit IRC  [20:32]
<ayoung> morganfainberg, I'm just brainstorming  [20:32]
*** marcoemorais has joined #openstack-keystone  [20:32]
<morganfainberg> ayoung, ahh  [20:32]
<morganfainberg> ayoung, ok  [20:32]
*** amcrn has joined #openstack-keystone  [20:33]
*** andreaf has joined #openstack-keystone  [20:34]
*** joesavak has quit IRC  [20:35]
*** afaranha has joined #openstack-keystone  [20:37]
*** saju_m has quit IRC  [20:41]
*** jsavak has quit IRC  [20:43]
<marekd> ayoung: isn't that the fail you and morganfainberg were talking about ~30 mins ago?  [20:46]
<ayoung> marekd, yep  [20:47]
<ayoung> marekd, and it happened on a different iteration, and a different line  [20:47]
<ayoung> actually...that may be the same line  [20:47]
<andreaf> bknudson: ping  [20:48]
<marekd> ayoung: yep, but the error was similar, that's why i was not sure. Any reason for *not* 'recheck no bug' and hoping it will pass this time?  [20:48]
<bknudson> andreaf: what's up?  [20:48]
<andreaf> bknudson: hi, thanks for your review on
<ayoung> recheck bug #  [20:49]
<ayoung> morganfainberg, was that bug filed?  [20:49]
*** erecio has quit IRC  [20:49]
<andreaf> bknudson: I addressed most of your comments, only I didn't go for the abstract class as I'd like to still be able to instantiate the class and unit test the implemented methods  [20:49]
<bknudson> andreaf: ok  [20:50]
<andreaf> bknudson: if you have time for another review the new patchset is up and passing check  [20:50]
<bknudson> andreaf: yep, it's on my list  [20:50]
<andreaf> bknudson: thanks  [20:51]
<marekd> ayoung: ok
<uvirtbot> Launchpad bug 1300581 in keystone "test_revoke.RevokeTreeTests.test_cleanup fails" [Critical,Triaged]  [20:51]
<morganfainberg> marekd, it'll pass most of the time  [20:51]
<morganfainberg> marekd, it's highly transient  [20:51]
*** pcargnel has quit IRC  [21:00]
<openstackgerrit> Jenkins proposed a change to openstack/keystone: Updated from global requirements
<mhu> stevemar, got a moment to talk about your OpenID connect PoC ?  [21:13]
<openstackgerrit> Jenkins proposed a change to openstack/python-keystoneclient: Updated from global requirements
<stevemar> mhu, err, in the middle of something, but write anyway, and i'll see if i can reply?  [21:17]
<mhu> stevemar, just wanted some advice on how to test it with google oidc  [21:19]
<openstackgerrit> Jenkins proposed a change to openstack/keystone: Updated from global requirements
*** marekd is now known as marekd|away21:23
openstackgerritJenkins proposed a change to openstack/python-keystoneclient: Updated from global requirements
*** derek_c has quit IRC21:27
*** harlowja is now known as harlowja_away21:31
*** topol has quit IRC21:32
gyeedolphm, ayoung, morganfainberg,
uvirtbotLaunchpad bug 1304049 in keystone "able to create two users with the same name in the same domain" [Undecided,New]21:34
*** harlowja_away is now known as harlowja21:35
gyeethought we tested this some time back already, apparently not21:35
ayounggyee, wowza21:35
*** topol has joined #openstack-keystone21:35
*** derek_c has joined #openstack-keystone21:41
*** nkinder has quit IRC21:46
*** nkinder has joined #openstack-keystone21:46
*** derek_c has quit IRC21:53
*** nkinder has quit IRC21:55
*** leseb has quit IRC22:02
*** marcoemorais has quit IRC22:03
*** marcoemorais has joined #openstack-keystone22:03
*** henrynash has quit IRC22:05
*** marcoemorais has quit IRC22:05
*** marcoemorais has joined #openstack-keystone22:05
*** amcrn has quit IRC22:08
*** amcrn has joined #openstack-keystone22:12
*** askb_ has joined #openstack-keystone22:17
*** topol has quit IRC22:21
morganfainberggyee, oh dear22:21
morganfainberggyee, that using SQL or LDAP?22:22
morganfainberggyee, or both?22:22
morganfainberglooks like sql in that case.22:22
gyeemorganfainberg, I only tested with sql so far22:24
morganfainberggyee, does this work w/ the milestone proposed? if so we should tag it with RC potential22:24
*** lbragstad has quit IRC22:24
gyeemorganfainberg, yeah should be RC potential22:25
gyeeI tested against the latest master22:25
morganfainberggyee, ++ you working on this? or want me to jump on it. (happy to help if needed)22:25
morganfainberggyee, if you've got it, ping me with the review so i can +2 it when ready :)22:25
gyeemorganfainberg, should be a trivial fix I think, I'll work on it22:26
morganfainberggyee, ack22:26
gyeemorganfainberg, I don't think we should put a security tag on it as this is admin protected API. What do you think?22:27
morganfainberggyee, agree22:28
morganfainberggyee, this might also need Havana backport22:28
morganfainbergi'll take a look and tag the bug if it looks like this could occur22:28
morganfainbergi'm wondering if it's better to force the backends to handle this or the manager... there is an advantage w/ SQL of just making it a unique constraint, but it looks like something better implemented outside of individual backends (so a badly implemented backend doesn't repeat this)22:30
gyeemorganfainberg, yet it should be backend neutral. But I hear ya, performance may take a hit22:32
gyeebut lookup is hitting dogpile so it shouldn't be that bad22:32
morganfainberggyee, i'm inclined to say push this down to the backends.22:33
morganfainberggyee, and document/test for it22:33
morganfainberggyee, but i'll defer to your choice (I don't mind either)22:34
*** zhiyan_ has quit IRC22:34
*** zhiyan_ has joined #openstack-keystone22:35
morganfainberggyee, looks like KVS checks for this.22:35
gyeemorganfainberg, I prefer doing it in the manager for consistency. Only advantage of doing it in the backend is performance but mileage may vary depending on the type of backend.22:35
morganfainbergthat same code is in havana22:36
gyeeyeah, but almost nobody using kvs identity backend in production22:37
morganfainberggyee, ldap might work/might not depending on the attribute used for name22:37
morganfainberggyee, sql def. doesn't have a check for this / schema to limit it22:37
morganfainbergoh wow.22:37
gyeemorganfainberg, ldap should work if username is part of the DN22:37
morganfainbergthis might be a migration issue.22:38
gyeeotherwise, same problem22:38
gyeeso group is having the same issue?22:39
gyeewow, lemme verify22:39
morganfainberggyee, we don't create the unique constraint in the user table.22:39
morganfainberglooking at group now.22:39
*** andreaf has quit IRC22:40
morganfainberggyee, we create a unique constraint on name/domain_id in the group table22:40
morganfainbergmigration 014, line ~3422:41
gyeeyeah, group is fine looks like22:41
morganfainbergwe just never created the unique constraint...and it looks like LDAP we don't enforce it, we rely on the LDAP server to enforce it22:41
morganfainbergfor user/domain22:41
gyeemorganfainberg, LDAP only enforce DN uniqueness afaik22:42
morganfainberggyee, yeah22:43
morganfainberggyee, well... i think there are other unique ways to contrain it, but not typically used22:43
morganfainberggyee, so ... LDAP group is probably going to have the same issue *checks*22:43
gyeeprobably, I22:44
morganfainberggyee, yep. unless the name is part of the DN, you could have the same issue with LDAP group afaict22:44
gyeell need to boot up my openldap vm to check it out22:44
morganfainberggyee, just looking at the code, we don't do a group name check.22:44
gyeek, we have some problem with ldap backend then22:46
morganfainberggyee, and the manager doesn't know about "get_group_by_name"22:46
morganfainberggyee, this looks like we need to push it to the backends since we'd need to expand the manager api / driver api (i'd rather not) for H22:46
gyeeno shit, really?22:46
morganfainbergyep, get_group is all we have.22:47
morganfainbergwhich takes an id22:47
morganfainbergthe question is ... do we care about names in groups?22:47
*** nkinder has joined #openstack-keystone22:47
morganfainbergfor users, yes.22:47
morganfainbergi ... don't think we do for groups in this case.22:47
gyeemorganfainberg, yes, group name should be unique within a domain22:48
gyeemorganfainberg, oh maybe not, we are not using group name anywhere except in UI22:49
morganfainberggyee, ok lets target this for the driver.  we can make this a manager construct in Juno if we really don't like it (e.g. fix it later) but i think Icehouse and Havana have "shipped" on this front22:49
morganfainberggyee, yeah that is what it looks like to me22:49
gyeebut that would be a usability issue at the very least22:49
morganfainberggyee, we can hold on the group name stuff for H22:49
morganfainbergi don't think it's super critical for I even.22:49
gyeemorganfainberg, I agree, group name is not that urgent22:50
morganfainbergso i'd love to fix the constraint in the db for H, but i think that is a tall order w/ no backport sql migrations available22:50
morganfainbergi think best bet is just get_user_by_name in the manager and raise a conflict if it exists for H and I22:51
morganfainberggyee, fix the constraint in J for consistency22:51
gyeemorganfainberg, k, I'll try the driver approach22:51
nkindermorganfainberg: how much do you know about the token backend?22:51
morganfainbergnkinder, more than i'd like to :)22:51
nkindermorganfainberg: I'm trying to understand why the entire PKI token needs to be kept there.22:52
nkindermorganfainberg: I know we need to have information about the token for revocation22:52
gyeenkinder, for performance22:52
gyeecreate token is a multiple lookup22:52
morganfainbergnkinder, it actually doesn't. i'm about to start work on not storing it there (ephemeral tokens), if we're using pki tokens i expect to use cms to extract it in all cases in Juno22:52
morganfainbergnkinder, part of that work will be to address the data structure and create calls etc (gyee pointed out the lookup issue)22:53
dstanekmorganfainberg: does that setup_database stuff actually do anything useful? i removed the function and none of the test failed22:53
morganfainbergdstanek, if you're using non-sqlite it does the migration22:53
nkinderI was doing some SQL queries on a Havana install I have.  It's idle, and I had 1300 tokens in the backend (with a 24 hour validity period and token_flush configured via cron)22:54
dstanekmorganfainberg: ah, ok - i'll have to test with something else then - is there a specific test that should fail?22:54
morganfainbergdstanek, our unit tests don't rely on migrations now. we test the migrations explicitly and separately, but use the in-mem sqlite (so reflection created tables) for generic unit tests / restful testcases22:54
morganfainbergdstanek, any restful test case22:54
morganfainbergdstanek, make sure to set your concurrency to 122:55
morganfainbergdstanek, though... i wonder if the reflection created tables would work in mysql even.22:55
morganfainbergnkinder, yeah.22:55
openstackgerritDavid Stanek proposed a change to openstack/keystone: Moves test database setup/teardown into a fixture
nkindermorganfainberg: It seems like we would only need an identifier (hash) of the token, then info on who the token was issued to, what roles it has, etc.  I'm simplifying, but the point is that the token shouldn't be needed in its entirety22:55
dstanekmorganfainberg: it should work just fine22:56
morganfainbergnkinder, remember we use the same store for UUID as well, and technically we use PKI and UUID tokens interchangeably22:56
morganfainbergnkinder, e.g. if you provide the short hash of the PKI token, it should work as a UUID token22:56
morganfainbergnkinder, when uuid tokens die, that issue goes away. in J there will be an option to eliminate UUID token support.22:57
nkindermorganfainberg: cool22:57
morganfainbergnkinder, so i think you just added one extra phase to ephemeral tokens: 1) no uuid - meaning only store the hash data and use PKI data decode in keystone, 2) don't store any data for tokens (revocation events)22:58
morganfainbergnkinder, good idea! :)22:58
morganfainbergs/hash data/hash and timestamp info22:59
nkindermorganfainberg: we need some data for tokens though, right?23:00
nkindermorganfainberg: for example, if you delete a group, all tokens issued for members of that group are revoked23:00
morganfainbergnkinder, some basic data if we support revoke_by_id23:00
nkindermorganfainberg: we'd need a way to look that up23:00
morganfainbergnkinder, correct. the enumerated token methods (old style token revocation list) will maintain some basic data in the table23:01
nkinderthat should be pretty minimal compared to the whole token with catalog, etc.23:01
morganfainbergnkinder, using revocation events will remove that need completely, since we can match the PKI decoded data against the event vs. an explicit TRL23:01
morganfainbergnkinder, it'll be basically what we have now with the json blob eliminated23:02
morganfainbergor more to the point, unused23:02
*** jamielennox|away is now known as jamielennox23:07
ayoungnkinder, the entire token is kept in the backend in case the permissions change, so we can record the original permissions and not what they were at the time of checking.   That said, morganfainberg actually had the ephemeral patches in the pipeline, but needs the revocation events first23:15
*** doddstack has quit IRC23:16
ayoungrevocations are in, but there is as of yet no client support23:16
*** ayoung is now known as ayoung_cooking23:17
*** david-lyle has quit IRC23:20
*** gyee has quit IRC23:21
jamielennoxdamn, that openssl bug is nasty - will have huge repercussions23:24
morganfainbergjamielennox, which one?23:28
*** amcrn has quit IRC23:33
*** marcoemorais has quit IRC23:35
*** marcoemorais has joined #openstack-keystone23:35
jamielennoxquestion mark because i think that's what it's called23:36
jamielennoxhow many bugs have fancy websites with a .com ?23:38
*** koolhead17 has quit IRC23:40
*** derek_c has joined #openstack-keystone23:51
*** koolhead17 has joined #openstack-keystone23:53
*** gyee has joined #openstack-keystone23:58