Thursday, 2014-04-10

*** wchrisj has joined #openstack-keystone00:11
*** stevemar has joined #openstack-keystone00:11
*** RockKuo has joined #openstack-keystone00:17
openstackgerritBrant Knudson proposed a change to openstack/keystone: Configurable token hash algorithm
*** mfisch has quit IRC00:20
openstackgerritBrant Knudson proposed a change to openstack/keystone: Configurable token hash algorithm
*** mfisch has joined #openstack-keystone00:29
*** mfisch has joined #openstack-keystone00:29
*** stevemar has quit IRC00:30
ayoungbknudson, is mode an option on cms already?00:30
bknudsonayoung: it just merged.00:30
ayoungand, if so, when did that happen00:30
bknudsonayoung: I hope that keystone tests will fail... unless it uses master.00:31
ayoung*will* fail?00:31
bknudsonayoung: I would expect the tests to fail until a new release of keystoneclient... maybe it won't00:32 let's see...00:32
bknudsonayoung: I'll mark the keystone change as WIP -- we don't want that to merge until the keystoneclient release.00:32
ayounglooks good, though00:33
bknudsonayoung: yes, dolphm's idea makes it easier.00:33
bknudsonand also works better.00:34
ayoungI like the sequence....hash support in the client, server support optional, next up I assume is your support for both hash versions in the client? Do you want that in before we release a new official version?00:34
bknudsonayoung: actually, I just split out the hash support in the client because it wasn't changing and made the other changes easier.00:34
bknudsonI was starting over with the client changes a lot00:35
*** mfisch has quit IRC00:35
bknudsonayoung: are the changes for the client to check multiple hashes.00:36
*** mfisch has joined #openstack-keystone00:36
*** mfisch has joined #openstack-keystone00:36
ayoungbknudson, I hope to make this whole thing Moot with Ephemeral, but this is a good risk mitigation effort.  I assume you will be backporting this to Icehouse for inhouse use?00:36
bknudsonayoung: please, do.00:36
ayoungI need to get back to revocation events in the client00:36
ayoungtask for tomorrow00:36
bknudsonayoung: yes, we'll have this backported to our product00:36
bknudsonnot sure if anyone will use it but it'll allow us to check the box.00:37
*** marcoemorais has quit IRC00:37
bknudsonbut I don't think we're the only ones interested either. It'll be out there for anyone.00:38
*** derek_c has quit IRC00:45
bknudsondstanek: you had a -1 on -- want to take another look?00:57
*** derek_c has joined #openstack-keystone00:58
*** derek_c has quit IRC01:06
openstackgerritayoung proposed a change to openstack/python-keystoneclient: revoke events
*** wchrisj has quit IRC01:08
*** richm has quit IRC01:12
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Example Initialization scripts
openstackgerritayoung proposed a change to openstack/python-keystoneclient: revoke events
ayoungand with that....goodnith01:13
ayounggood night01:13
*** ayoung is now known as ayoung-ZZzz_01:13
lbragstadbknudson: I'm still good with too, I'm thinking a topic should be purposed for talking about the jsonschema implementation?01:14
lbragstadfor the Keystone meeting?01:14
lbragstadaccording to marekd|away 's comment01:15
bknudsonlbragstad: not sure how useful it is to talk about it if nobody's going to work on it.01:16
lbragstadI have something that is *very* rough01:16
lbragstadstored away on a local branch01:16
lbragstadbknudson: it was a lot of what Nova already had as a validator, but I just wanted to give it a shot in Keystone to see if it would work01:18
lbragstadit does,  but it still needs some work01:18
*** dims has joined #openstack-keystone01:19
*** jamielennox has quit IRC01:23
*** bknudson has quit IRC01:23
*** jamielennox has joined #openstack-keystone01:24
*** bknudson has joined #openstack-keystone01:25
openstackgerritLance Bragstad proposed a change to openstack/keystone: Initial implementation of validator
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on projects
openstackgerritNathan Kinder proposed a change to openstack/keystone: Treat LDAP attribute names as case-insensitive
nkinderanyone around for a unit test question?01:38
morganfainbergnkinder, what's up?01:40
nkindermorganfainberg: This is related to my fix for
nkinderI need to add a test where the LDAP implementation (fakeldap in this case) will return an attribute name with an unexpected case (like "cN")01:41
nkinderI suppose that is going to require me to tweak something in fakeldap itself?01:42
morganfainbergnkinder, hm. you could use mock.patch if you wanted to not need to screw up fakeldap too much01:42
morganfainbergnkinder, otherwise yeah, you'd need to tweak fakeldap to return something odd.01:43
openstackgerritNathan Kinder proposed a change to openstack/keystone: Treat LDAP attribute names as case-insensitive
morganfainbergs/odd/mixedup case01:44
*** derek_c has joined #openstack-keystone01:44
morganfainbergnkinder, you're looking for an end-to-end test (e.g. inline with other stuff) or contrived unit test of that method01:45
nkindermorganfainberg: well, I'd like to do something like get a user and ensure it has all of the expected values, even though LDAP returned the LDAP attribute names in some unexpected case.01:45
morganfainbergnkinder, you probably could get away with circumventing the fakeldap stuff altogether and just test that method with a mock.patch01:45
*** sudorandom has quit IRC01:46
nkindermorganfainberg: would that still exercise _ldap_res_to_model() with the mock.patch approach?01:46
morganfainbergnkinder, let me take a closer look, sec01:46
*** sudorandom has joined #openstack-keystone01:48
nkindermorganfainberg: I'm completely unfamiliar with mock.patch too, so I need to look closer myself. :P01:49
morganfainbergnkinder, if you did something (mock.patch) to replace the ._ldap_get method on BaseLdap to return the format you want, you then call .get() and it exercises _ldap_res_to_model01:49
morganfainbergbasically mock.patch lets you replace a method and inspect the call on that method and / or control the explicit return value01:49
nkindermorganfainberg: I see.  So I can just return whatever object I want to fake it out01:50
morganfainbergnkinder, exactly01:50
nkindermorganfainberg: so take this example...01:50
nkinder@mock.patch.object(common_ldap_core.KeystoneLDAPHandler, 'connect')01:51
nkinder    def test_chase_referrals_on(self, mocked_fakeldap):01:51
nkindermocked_fakeldap is my method, and that overrides connect()?01:52
*** derek_c has quit IRC01:52
morganfainbergyou could do that.01:52
morganfainbergyou could also do it as a context manager01:53
morganfainbergand you can do
morganfainberg<mocked_method_reference>.return_value = <value to be returned>01:53
morganfainbergif you want01:53
morganfainbergor if you like the decorator, you could pass the return value in as the return_value kwarg to the decorator01:54
morganfainbergnkinder, and yes, mocked_fakeldap is the method that is overriding connect01:54
nkinderI see.  So set mock_foo.return_value before whatever call will actually invoke the method I'm mocking?01:54
morganfainbergnkinder, doesn't invoke the method, it statically assigns the return value01:55
morganfainbergso mock_foo() will now return that value no matter what01:55
nkinderI meant the caller.01:55
morganfainbergnkinder, oh yes01:56
nkinderSo if _ldap_res_to_model() calls _ldap_get(), I can create mock_ldap_get and set its return value01:56
morganfainbergnkinder, sorry misread that01:56
nkinderI'll give it a shot.  Thanks for the help!01:56
morganfainbergyep. exactly01:56
morganfainbergnkinder, sure thing01:56
nkindermy python newb-ness is showing...01:56
openstackgerritsong (bruce) zhang proposed a change to openstack/keystone: replace word 'by' with 'be'
morganfainbergnkinder, pshaw, you're asking better questions than most python newbs (most wouldn't know to ask how to mock things out)01:57
morganfainbergnkinder, most seasoned developers get headaches with mock and mox etc and unit tests01:57
morganfainbergnkinder, so.. nah not a newb ;)01:57
nkinderI'm used to plain C mostly01:57
morganfainbergnkinder, i kinda miss type-safety01:58
morganfainbergand real polymorphism01:58
morganfainbergit's kind of like i want something between python, c, c++, and java... then i feel dirty thinking about it :P01:59
*** mberlin has quit IRC02:06
*** Gue______ has joined #openstack-keystone02:11
*** derek_c has joined #openstack-keystone02:13
*** browne has joined #openstack-keystone02:14
*** xuhaiwei_ has joined #openstack-keystone02:15
xuhaiwei_how to use v3 API? It seems --os-identity-api-version doesn't work02:17
*** amcrn has quit IRC02:17
*** mberlin has joined #openstack-keystone02:22
xuhaiwei_@dolphm: could you answer my question?02:28
nkindermorganfainberg: the mock.patch approach worked great!  Thanks again for the tips!02:35
morganfainbergnkinder, np happy to help!02:35
*** stevemar has joined #openstack-keystone02:36
*** harlowja is now known as harlowja_away02:39
*** harlowja_away is now known as harlowja02:39
xuhaiwei_can v3 api be used now?02:40
xuhaiwei_can anyone answer this?02:40
*** xuhaiwei_ has quit IRC02:44
*** david-lyle has joined #openstack-keystone02:56
*** wchrisj has joined #openstack-keystone02:58
openstackgerritNathan Kinder proposed a change to openstack/keystone: Treat LDAP attribute names as case-insensitive
*** wchrisj has quit IRC03:02
*** Gue______ has quit IRC03:04
*** topol has joined #openstack-keystone03:10
dstanekbknudson: i'll take a second look03:21
*** stevemar has quit IRC03:25
*** wchrisj has joined #openstack-keystone03:42
*** wchrisj has quit IRC03:46
*** wchrisj has joined #openstack-keystone03:51
*** wchrisj has quit IRC04:06
*** chandan_kumar_ has joined #openstack-keystone04:14
*** chandan_kumar_ has quit IRC04:21
*** zhiyan_ is now known as zhiyan04:22
*** marcoemorais has joined #openstack-keystone04:22
*** wchrisj has joined #openstack-keystone04:29
*** chandan_kumar_ has joined #openstack-keystone04:36
*** gyee has quit IRC04:47
*** wchrisj has quit IRC04:57
*** harlowja is now known as harlowja_away05:10
*** ilives has joined #openstack-keystone05:19
*** ilives has quit IRC05:25
openstackgerritA change was merged to openstack/keystone: List all forbidden attributes in the request body.
*** ilives has joined #openstack-keystone05:25
*** chandan_kumar_ has quit IRC05:31
*** topol has quit IRC05:38
*** ilives has quit IRC05:47
*** ilives has joined #openstack-keystone05:47
*** ilives has quit IRC05:49
*** ilives has joined #openstack-keystone05:53
openstackgerritJenkins proposed a change to openstack/keystone: Imported Translations from Transifex
*** ilives has quit IRC06:08
*** jamielennox is now known as jamielennox|away06:24
*** derek_c has quit IRC06:28
*** jaosorior has joined #openstack-keystone06:30
*** chandan_kumar has joined #openstack-keystone06:38
*** tomoiaga has joined #openstack-keystone06:39
*** ilives has joined #openstack-keystone06:55
*** dims has quit IRC06:58
ilivesDear stackers, does the keystone have the same authorization as the AWS IAM? thanks!06:59
*** derek_c has joined #openstack-keystone07:05
*** ilives has quit IRC07:06
*** ilives has joined #openstack-keystone07:07
*** dims has joined #openstack-keystone07:10
*** ukalifon1 has joined #openstack-keystone07:19
*** zigo has quit IRC07:29
*** arborism has joined #openstack-keystone07:40
*** arborism is now known as amcrn07:40
tomoiagaIs there a way to login as a normal user without knowing the user password but having all the admin details ?07:50
*** marekd|away is now known as marekd07:57
*** derek_c has quit IRC08:10
*** marcoemorais has quit IRC08:10
*** andreaf has joined #openstack-keystone08:12
*** leseb has joined #openstack-keystone08:17
*** zigo has joined #openstack-keystone08:23
openstackgerritSergey Nikitin proposed a change to openstack/keystone: Code which get elements of tree in ldap moved to one common method
*** inc0 has joined #openstack-keystone08:42
inc0hello, I have a problem with keystone/dashboard. On my production env in admin dashboard I have Identity Panel in menu and it has Groups, Domains etc in submenu. On devstack on the other hand I have only projects and users in identity panel. I'm trying to find config which adds these views, but I have no luck so far. Could you please tell me what defines it?08:44
*** morganfainberg is now known as morganfainberg_Z09:03
*** david-lyle has quit IRC09:16
*** ilives has quit IRC09:18
*** ilives has joined #openstack-keystone09:19
*** andreaf has quit IRC09:22
openstackgerritLi Ma proposed a change to openstack/keystone: Password truncation makes password insecure
*** marcoemorais has joined #openstack-keystone09:38
*** zhiyan is now known as zhiyan_09:39
*** marcoemorais has quit IRC09:43
*** topol has joined #openstack-keystone10:14
*** topol_ has joined #openstack-keystone10:16
*** ilives has quit IRC10:16
*** ilives has joined #openstack-keystone10:17
*** topol has quit IRC10:18
*** topol_ is now known as topol10:18
*** marcoemorais has joined #openstack-keystone10:39
*** zhiyan_ is now known as zhiyan10:41
*** marcoemorais has quit IRC10:43
*** andreaf has joined #openstack-keystone10:50
*** RockKuo has quit IRC11:15
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Sync test_migrations
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Redundant unique constraint
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Corresponding `nullable` value.
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Compatible server default value in the models.
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Explicit foreign key indexes.
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Make it possible to use multiprocess file locks
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Comparison of database models and migrations.
*** marcoemorais has joined #openstack-keystone11:42
*** dims has quit IRC11:42
*** marcoemorais1 has joined #openstack-keystone11:44
*** marcoemorais has quit IRC11:47
*** marcoemorais1 has quit IRC11:48
dolphmmarekd: "reverify no bug" isn't a thing anymore, you have to cite a bug12:03
marekddolphm: ok, thanks.12:10
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Federated Protocols.
*** dims has joined #openstack-keystone12:35
*** marcoemorais has joined #openstack-keystone12:45
*** marcoemorais has quit IRC12:49
openstackgerritSergey Nikitin proposed a change to openstack/keystone: Code which gets elements of tree and deletes them was moved to one method
*** topol has quit IRC13:02
*** nkinder has quit IRC13:05
*** tomoiaga has left #openstack-keystone13:07
ayoung-ZZzz_ilives, no idea.  Never used Amazon.13:20
ilivesThanks Adam. Currently the keystone does the authorization with the help of the other services' policy.json, there is no centralized way in keystone to do authorization for other services, is that correct? thanks!13:24
*** kun_huang has joined #openstack-keystone13:27
ilivesAs for AWS IAM, it provides a centralized identity and authorization service for all the AWS services by RBAC, will the keystone do the same in the future? thanks! :)13:31
*** wchrisj has joined #openstack-keystone13:34
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Add CRUD operations for Federated Protocols.
openstackgerritSergey Nikitin proposed a change to openstack/keystone: Code which gets and deletes elements of tree was moved to one method
*** stevemar has joined #openstack-keystone13:41
*** wchrisj has quit IRC13:41
*** wchrisj has joined #openstack-keystone13:44
*** marcoemorais has joined #openstack-keystone13:45
stevemarmarekd, fyi `reverify no bug` doesn't do anything, you can only use `no bug` on rechecks :)13:45
*** wchrisj has quit IRC13:46
*** topol has joined #openstack-keystone13:46
marekdstevemar: yep, dolph already enlightened me :-)13:46
stevemarmarekd, ah okay! cool13:47
marekdstevemar: but thanks for being on watch! :D13:47
stevemarnp at all13:47
*** marcoemorais has quit IRC13:50
*** saju_m has joined #openstack-keystone13:50
marekdstevemar: what do lines like that one actually do?13:54
marekdstevemar: some indication: "this is for APIv3" ?13:55
stevemarmarekd, basically, yes13:55
stevemarmarekd, if you have OS_IDENTITY_API, as an env. var, set to 3, it'll use those values13:56
stevemarif you have it set to 2, or not set (it defaults to 2), you get the ones at line 12513:56
marekdstevemar: ok13:56
dolphmilives: what about centralized authorization are you interested in? what's the advantage you're looking for?13:57
stevemarmarekd, if you tried to issue a v3 command, when OS_IDENTITY_API is set to 2, it would respond with an error13:57
marekdstevemar: so when I have something like  domain_create = openstackclient.identity.v3.domain:CreateDomain it means that the command domain_create is added and one can call now $ openstack domain_add ?13:57
marekdstevemar: i guess not.13:57
*** nkinder has joined #openstack-keystone13:58
stevemarmarekd, you were right until the last part, it would be $ openstack domain create13:58
marekdstevemar: ok, so there is a magic splitting somewhere in between13:58
stevemarmarekd, yep13:58
marekdstevemar: what if I want to add commands like identity_provider {add,delete,list,show,...} ?13:59
marekdi should go ahead and do sth like identity_provider_add, identity_provider_delete and so on?13:59
openstackgerritLance Bragstad proposed a change to openstack/keystone: Templated v3 catalog
stevemarthen add_identity_provider = ...13:59
marekdstevemar: why the other way round?14:00
stevemaradd != create14:00
stevemarin OSC, add is reserved for adding one entity to another14:01
lbragstaddolphm: addressed your comments ^14:01
marekdstevemar: good to know, however this was not my point. You can s/add/create and I think my question stays? :-)14:02
marekdstevemar: I can suspect the algorithm will always split on the last '_' and the first part is an object/section (identity_provider) and the second the action (create, delete, update) ?14:02
*** G________ has joined #openstack-keystone14:02
stevemarmarekd, ohh you are worried about the underscores14:03
stevemarmarekd, all the _'s are turned to spaces14:03
stevemarthat line is issued with $ openstack ec2 credentials create <args>14:04
*** diegows has joined #openstack-keystone14:04
stevemarmarekd, openstack [<global-options>] <object-1> <action> [<object-2>] [<command-arguments>]14:05
stevemarwhere the arguments in [] are optional14:05
openstackgerritA change was merged to openstack/keystone: replace word 'by' with 'be'
openstackgerritA change was merged to openstack/python-keystoneclient: Add CRUD operations for Identity Providers.
*** ukalifon1 has quit IRC14:12
ilives@dolphm, keystone will be the real authentication and authorization service in the cloud, here is a sample scenario correct me if i am wrong, the keystone admin or cloud admin defines a role in keystone which can do what actions on which openstack services, just like AWS IAM does.14:12
*** thiagop has quit IRC14:13
ilivescurrently keystone will use the policy.json in each service to do authorization and this policy file cannot be modified in horizon dashboard if we add another new role which is not defined in the policy file.14:15
ilivesthe cloud admin would be happy to use dashboard to do role based access control for the tenant or users in the cloud, and to achieve this the keystone should provide an api to let the cloud admin do the authorization. that is my humble opinion. thanks!14:19
*** ukalifon has joined #openstack-keystone14:24
*** wchrisj has joined #openstack-keystone14:27
*** jaosorior has quit IRC14:30
*** G________ has quit IRC14:32
*** raildo has joined #openstack-keystone14:33
raildoanyone know of any method that returns true/false if a role is inheritable?14:40
*** chandan_kumar has quit IRC14:47
*** ilives has quit IRC14:47
*** ilives has joined #openstack-keystone14:48
ayoung-ZZzz_stevemar, are you sure that list doesn't exist in services?:
stevemarayoung-ZZzz_, i don't see it here:
*** thedodd has joined #openstack-keystone14:53
*** Guest_ has joined #openstack-keystone15:00
*** Guest_ has quit IRC15:00
*** thedodd has quit IRC15:00
*** thedodd has joined #openstack-keystone15:01
*** saju_m has quit IRC15:05
*** inc0 has quit IRC15:14
dstanekayoung-ZZzz_: create bug #1305950 regarding the first of several problems i'm having running tests against real databases15:19
uvirtbotLaunchpad bug 1305950 in keystone "Inconsistency with handling of unique constraints" [Undecided,New]
*** ayoung-ZZzz_ is now known as ayoung15:23
ayoungstevemar, I'll test, but I thought I had that working15:25
*** wchrisj has quit IRC15:37
*** wchrisj has joined #openstack-keystone15:41
*** browne has joined #openstack-keystone15:42
*** ukalifon has quit IRC15:55
afaranhaDoes anybody know how I can create a keystoneclient in a fake environment? I implemented a nova API that uses keystoneclient to check users and projects. I need a test environment where I can create users and projects, and where the keystoneclient in nova API accesses this data. Thank you15:55
*** wchrisj has quit IRC16:03
*** wchrisj has joined #openstack-keystone16:08
*** marcoemorais has joined #openstack-keystone16:11
stevemarayoung, get any results back?16:13
ayounghaven't context shifted back yet.16:13
*** marcoemorais has quit IRC16:15
afaranhaayoung: About yesterday, It works to create a v3 keystoneclient, but I needed to replace the "v2.0" in the url, by "v3" (string replace to, only cutting off the v2.0 didn't work. But after all it worked, thank you :)16:15
ayoungafaranha, glad to hear it.16:15
ayoungafaranha, discovery should have worked (determining the v3 was missing), but maybe I misunderstood how you were calling it.  Nice to know.16:16
raildoayoung: Do you know any method that returns true/false if a role is inheritable?16:18
ayoungraildo, nope16:18
afaranhaayoung: I tried with discovery in the beginning, but now that you recommended me to just cut off the "v2.0" I didn't try. I'll see if it works now16:18
ayoungraildo, doesn't mean it doesn't exist, just I don't know off the top of my head16:18
ayoungafaranha, yeah, discovery assumes you are starting above the versions, so /v3 would mess it up, as would /v2.016:19
raildoayoung: thanks16:19
*** marcoemorais has joined #openstack-keystone16:22
*** browne has quit IRC16:24
*** david-lyle has joined #openstack-keystone16:26
*** gyee has joined #openstack-keystone16:34
*** david_lyle_ has joined #openstack-keystone16:37
afaranhaayoung: No, It didn't work with discovery, it's really strange because it uses exactly the same Client(V3) but only without the version in the url... Anyway, do you have any links that helps me to create tests for it? I need to add users and projects in a fake environment and be able to retrieve those in the nova API.16:37
*** dklyle has joined #openstack-keystone16:38
ayoungafaranha, yep16:38
*** leseb has quit IRC16:39
*** david-lyle has quit IRC16:40
nkinderayoung: I got to the bottom of that LDAP case-sensitivity bug -
*** david-lyle has joined #openstack-keystone16:40
ayoungnkinder, looking16:41
*** david_lyle_ has quit IRC16:41
*** david_lyle_ has joined #openstack-keystone16:41
ayoungnkinder, that is against master, but I assume it is backportable, although it will need to work around jdennis' refactoring16:42
ayoungnkinder, is using 'string' the right python33 way?16:42
*** dklyle has quit IRC16:43
nkinderayoung: correct.  I think it's backport worthy, as we know that AD doesn't return case as expected16:43
nkinderayoung: possibly not right for python33...  good point16:43
nkinderI'd ask jdennis if he wasn't on vacation16:43
ayoungbknudson, dstanek do we need a six specific way to do lowercase?
*** david-lyle has quit IRC16:45
dstanekayoung: not really, but i don't think that code will work in py316:46
*** marekd is now known as marekd|away16:46
dstanekthe string module usually shouldn't be used for things in py2 anyway and lower was removed16:46
dstaneki'll comment with an alternate solution16:47
*** andreaf has quit IRC16:48
*** saju_m has joined #openstack-keystone16:48
dstanekayoung: just commented; the code was creating two separate lists and then combining back together :-( so i countered with a generator driver version16:52
nkinderdstanek, ayoung: it doesn't work in py3.  It needs to use str.lower() instead of string.lower().16:53
nkinderdstanek: or your other approach (which I'm about to read)16:54
dstaneknkinder: i'm using str.lower, but since you were using the key and values from a single dict, i was able to use a generator16:56
ayoungcan't you use the lower method on the object16:57
dstanekayoung: ? it's not a string object?16:58
ayoungah, yeah, that is what you are doing...16:58
*** david_lyle_ has quit IRC16:58
ayoungah, type safety, how I miss thee...16:59
nkinderdstanek: That approach works nicely.  New patch coming once the tests finish running.17:04
dstaneknkinder: i forgot to comment about removing the import17:05
*** wchrisj has quit IRC17:06
*** harlowja_away is now known as harlowja17:07
nkinderdstanek: yeah, I got that already17:08
openstackgerritNathan Kinder proposed a change to openstack/keystone: Treat LDAP attribute names as case-insensitive
dstanekKrsna: take a look at the linked issue - it has a pretty good discussion17:20
Krsnadstanek: one second17:20
afaranhaayoung: I actually initialize keystone, but I need to initialize it in another environment for test purposes. The way I'm doing it right now is exactly like the one in your code, but I should not use a real url for testing. Is there a way to create a fake url that can be accessible in nova API keystoneclient?17:21
Krsnadstanek: launchpad seems to be having issues opening that bug17:23
dstanekKrsna: looks like launchpad may be having issues17:25
dstanekKrsna: the idea is the ldap servers return the names in a seemingly arbitrary case - this makes it hard to look for them in the dictionary17:26
afaranhaayoung: I don't understand because I use to access openstack, but using localhost I could retrieve all the openstack users. Also in here it uses localhost too. Should I keep using it?17:26
dstanekKrsna: the patch converts the names to lower case for easier lookup17:27
dstaneknkinder: i just had one comment on the test and then i'd have no problem giving this a +217:27
Krsnadstanek: Yes, but how are we sending requests? Because if we are doing searches in a case insensitive way (in this case lowercase) then the server might not return valid results if it is expecting case sensitive searches17:27
dstanekKrsna: i believe we are using the case as defined in the config file, but i'd have to defer to nkinder or ayoung17:28
KrsnaI personally would like to see that as an option that can be toggled on and off. I don't think that it should be the default and ONLY option. It makes a sane default IMHO but should be able to be turned off17:31
nkinderKrsna: why would it need to be turned off?  It doesn't affect the way anything is displayed to a user of keystone17:31
nkinderKrsna: I can provide more background from an LDAP perspective if you like17:31
Krsnankinder: because let us say that my server IS case sensitive then your change would be breaking everything for me.17:32
nkinderKrsna: then your server is not LDAP17:32
nkindereven AD follows the standard in this regard17:32
nkinderKrsna: I'm not referring to the case of attribute values17:33
nkinderthis is the case of attribute names as returned in a search result17:33
nkinderKrsna: for example, "uid: foo" vs "UID: foo"17:34
Krsnankinder: You are correct. The spec does state that it is case insensitive (
ayoungafaranha, "real" versus "fake"?  I would assume you would set up a development keystone server.  It would be a "real" url from Nova's perspective, just have no data in it17:35
ayoungafaranha, localhost implies only that it is on the same machine, which might suit your purposes.17:35
ayoungnkinder, I would hate to add just another knob to turn for this one.  I'd rather it always be the case-insensitive version.17:37
nkinderKrsna: one other thing to point out is that this is just an internal case-insensitivity when we consult a mapping to convert an LDAP result to the model.  It doesn't permanently change the case of anything.17:37
nkinderayoung: yeah, no knob is needed.  Just want to be sure Krsna understands why it's not needed.17:38
Krsnankinder: thanks for explaining.17:38
nkinderKrsna: Sure thing.17:38
ayoungSo is the launchpad site affected by heartbleed?  Do we all need to update our launchpad passwords?17:38
afaranhaayoung: Yes, that's right. I need a working keystone server but without the data from the other server I'm running in this machine. I'm trying this right now, thanks17:40
*** wchrisj has joined #openstack-keystone17:42
ayoungHmmmm. can't log in to Launchpad17:46
nkinderdstanek: I can add the uuid values to the test, but I'm curious about the purpose of checking those values since I'm mocking out the search results from LDAP.17:47
nkinderdstanek: are you thinking it would better test taking the values from the LDAP result and copying them to the model?17:47
nkinderdstanek: I suppose it adds a bit of code coverage there17:47
*** ukalifon has joined #openstack-keystone17:47
dstaneknkinder: i didn't look at the code under test, but i assume it pulls the values from that mocked data; i just want to make sure it's doing that because it "could" have those keys for other reasons17:48
nkinderdstanek: yeah, it's mocked (though I see value in doing what you suggest now that I've thought through it)17:48
nkinderdstanek: I'll update the patch.17:48
dstaneknkinder: great, thanks!17:49
ayoungSo, I'ma go out on a limb here and say that the Ubuntu version of OpenSSL is likely to have been HeartBleed vulnerable, and they are updating launchpad.  Once that is done, we should probably all update our passwords.17:49 launchpad is broken17:50
afaranhaayoung: I have one keystone server running on my machine (A), but I need to create another one when testing and then destroy it (B), so that I can add and remove users from B without interfere in A. Do you know if it's possible? If so, how can I do this? Thank you17:53
dstanekafaranha: you just want to create a second server that is isolated from the first?17:54
afaranhadstanek: Yes. I need this to do tests for my implementation.17:55
*** morganfainberg_Z is now known as morganfainberg17:56
*** kun_huang has quit IRC17:56
dstanekafaranha: why can't you just create a new instance then? as long as you use a different database or LDAP server it won't interfere with your other Keystone server17:56
morganfainbergafternoon everyone not on the west coast :)17:57
ayoungmorganfainberg, Good morning17:57
ayoungmorganfainberg, have you patched openssl on all of your servers?17:58
morganfainbergayoung, yeop17:58
*** amcrn has quit IRC17:59
ayoungmorganfainberg, wonder if the launchpad ones have been updated...I can't log in right now17:59
*** amcrn has joined #openstack-keystone18:00
morganfainbergayoung, the quick in-browser test shows LP isn't affected currently18:00
morganfainbergayoung, but that doesn't mean the test "works"18:00
dstanekayoung: it's back for me18:00
*** ukalifon has quit IRC18:00
*** amcrn has quit IRC18:00
morganfainbergayoung, and i just logged in for gerrit.18:00
ayoungyep, me too.  Just updated the PW.  Figure if the vuln is still there...they are are...18:00
morganfainbergayoung, so maybe a hiccup18:00
afaranhadstanek: Can I just do this to code test to pass on Jenkins? I need to implement tests to submit with my code to be approved by the community.18:01
ayoungafaranha, see the test in keystone/tests/test_v3*py files18:01
ayoungwell,  I guess that is not going to work for nova18:01
dstanekafaranha: if you are just looking to develop then you can just run the tests out of the repo18:01
morganfainbergayoung, claims LP is fixed.18:02
morganfainbergayoung, i hope it's accurate18:02
dstanekafaranha: i have a devstack instance, but i almost always work entirely out of my working copy18:02
afaranhadstanek: Actually I already manually tested it. Is it okay to just submit without the test files? I'm confused about this. My implementation is done to be deployed, but I'm having trouble with the test files.18:07
dstanekafaranha: more likely than not tests will be needed; unless the code is already being tested18:09
dstanekafaranha: what trouble are you having?18:09
dstanekafaranha: you can create a bug and code review with what you have and maybe someone can help with the tests18:09
afaranhaIn the Nova API I'm using keystoneclient services to check users and projects, so in the test file I need to access an independent keystoneclient to create users. And in Nova API it needs to get the information of this keystoneclient. Maybe I need to do another kind of test, but I'm confused on how to do it.18:09
afaranhaand the best way to do it18:09
afaranhadstanek: I'll do that, thank you.18:10
*** browne has joined #openstack-keystone18:12
dstanekafaranha: ping me when you have a review up; it sounds like you are making it more complicated than it needs to be18:12
dstanekafaranha: unit tests should not have anything to do with Nova (or any other non-Keystone project)18:12
*** Guest_ has joined #openstack-keystone18:14
*** browne has quit IRC18:16
*** leseb has joined #openstack-keystone18:17
*** leseb has quit IRC18:22
*** amcrn has joined #openstack-keystone18:26
openstackgerritNathan Kinder proposed a change to openstack/keystone: Treat LDAP attribute names as case-insensitive
*** Guest_ has quit IRC18:45
*** gyee has quit IRC18:46
*** zhiyan is now known as zhiyan_18:56
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Collapse SQL Migrations
*** chandan_kumar has joined #openstack-keystone19:19
*** chandan_kumar_ has joined #openstack-keystone19:19
*** chandan_kumar_ has quit IRC19:19
*** ukalifon has joined #openstack-keystone19:19
*** ilives has quit IRC19:24
*** thiagop has joined #openstack-keystone19:28
*** ukalifon has quit IRC19:32
ayoungOK...the launchpad password field has autocomplete="off" set now.  So I need to type it in every time.  Mozilla doesn't really honor this, except that it now refuses to save old passwords.19:39
morganfainbergayoung, that's...20:01
ayoungmorganfainberg, Ima have some operational difficulties with launchpad in the near future20:01
ayoungand Firefox doesn't let you edit the passwords it saves.20:02
morganfainbergayoung, i use lastpass for this stuff mostly20:02
morganfainbergayoung, but, that has other concerns.20:02
ayoungmorganfainberg, and where exactly does lastpass ship your passwords off to?20:02
morganfainbergayoung, lol20:02
morganfainbergayoung, like i said other considerations20:03
morganfainbergayoung, i don't use Lastpass for anything financial or email to be fair20:03
ayoungmorganfainberg, Keeping my stored passwords in a password protected NSS database on my laptop is about the best I can do.  Most of my passwords are `uuidgen -r | sed 's!-!!g'`20:04
morganfainbergayoung, that's pretty much what i end up doing with lastpass20:04
ayoungalthough I guess most sites would probably accept the dashes20:04
morganfainbergayoung, little more complex, but same concept20:04
morganfainbergpassword complexity that is20:04
ayoungmaybe chrome is friendlier about this.  I think they now share a password db20:05
morganfainbergchrome and FF?20:05
*** nkinder has quit IRC20:05
ayoungyeah.  At least chrome now reads FF password file20:07
ayoungwhich kind of freaks me out, too20:08
morganfainberginteresting. never would have guessed chrome and FF having that kind of interoperability20:08
morganfainbergalso... how secure is that password store then?20:08
ayoungmorganfainberg, chrome has its own cache, it just reads from the FF one if FF is open.  It is evil  EEEEvil.20:13
morganfainbergayoung, oh god20:13
morganfainbergayoung, that is evil!20:13
ayoungI think.  It got passwords from FF somehow20:14
ayoungthe PW cache in my chrome profile is tiny20:14
ayoungnot sure how passwords are encrypted in FF.  I do know they are stored in:20:14
ayoungfor example:20:15
ayoungsqlite3 $HOME/.mozilla/firefox/x4kktanr.default/signons.sqlite20:16
ayoungsqlite> .table20:16
ayoungmoz_deleted_logins  moz_disabledHosts   moz_logins20:16
ayoungPRAGMA table_info (moz_logins);20:17
*** topol has quit IRC20:22
ayoungmorganfainberg, so the table itself is not encrypted, but the fields are.20:22
ayoungI know the password I used to encrypt,  but I suspect that the password is used to protect a different file, which then contains these passwords...or something like that20:23
morganfainbergayoung interesting20:25
ayoungmorganfainberg, what is interesting is that If I've used the same password on two sites, they both end up the same in that table's encryptedPassword  field;20:28
*** saju_m has quit IRC20:28
morganfainbergayoung, huh.20:28
*** saju_m has joined #openstack-keystone20:29
*** gyee has joined #openstack-keystone20:29
ayoungmorganfainberg, actually, not quite...the first half of the encrypted password is the same, but the second half is different.20:32
*** richm has joined #openstack-keystone20:39
*** marcoemorais has quit IRC20:40
*** marcoemorais has joined #openstack-keystone20:41
ayoungstevemar, so, not sure about the list operation, as, for now, default_domain ='default')  is failing on me20:42
ayoungkeystoneclient.apiclient.exceptions.NotFound: The resource could not be found. (HTTP 404)20:43
*** derek_c has joined #openstack-keystone20:44
stevemarayoung, try 'Default' ?20:44
ayoungstevemar, lemme see what mysql says20:45
ayoungid = default, name = Default20:45
ayoungstevemar, I bet I'm going against MAIN and not ADMIN20:48
ayoungstevemar, v2.020:49
stevemarayoung, even worse :P20:49
*** jamielennox|away is now known as jamielennox20:49
stevemarayoung, set those env vars!20:49
ayoungidentity_service ='identity',20:50
ayoung                                                      type='identity')[0]  works20:50
ayoungstevemar, try my script20:50
ayoungactually, let me update it20:50
*** harlowja is now known as harlowja_away20:56
afaranhadstanek: Hello, I just submitted the code. Here:
stevemarayoung, maybe that class gets list as a freebie because it extends something21:06
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Example Initialization scripts
dstanekafaranha: ah, this is a nova change. i thought you were making keystone changes21:06
ayoungstevemar, I assume that is the case. But take a look yourself.  I updated the scripts in ^^ to take envvars for everything21:06
jamielennoxsome non-controversial client reviews for people:
jamielennoxand one that was passed previously but failed merge:
jamielennoxthere are some there that do actual changes if you want to go looking21:09
openstackgerritayoung proposed a change to openstack/python-keystoneclient: revoke events
*** chandan_kumar has quit IRC21:23
morganfainbergayoung, i hate to ask, but should we make either a tempest scenario test or an isolated keystone test that makes the example scripts do work21:24
morganfainbergayoung, ensure they don't languish21:24
*** nkinder has joined #openstack-keystone21:35
*** thedodd has quit IRC21:36
*** Guest____ has joined #openstack-keystone21:38
*** harlowja_away is now known as harlowja21:45
jamielennoxayoung: have you had a look at jose's kerberos plugin (server side) for dealing with http as well?21:48
*** wchrisj has quit IRC21:54
*** diegows has quit IRC22:02
*** wchrisj has joined #openstack-keystone22:04
*** marcoemorais has quit IRC22:06
*** marcoemorais1 has joined #openstack-keystone22:10
*** marcoemorais1 has quit IRC22:11
*** marcoemorais1 has joined #openstack-keystone22:11
*** marcoemorais2 has joined #openstack-keystone22:13
*** marcoemorais2 has quit IRC22:13
*** marcoemorais has joined #openstack-keystone22:13
*** marcoemorais1 has quit IRC22:15
*** gabriel-bezerra has joined #openstack-keystone22:20
*** saju_m has quit IRC22:20
*** dims has quit IRC22:24
*** huats has quit IRC22:37
*** huats has joined #openstack-keystone22:41
*** huats has quit IRC22:41
*** huats has joined #openstack-keystone22:41
Krsnamorganfainberg: Just an update. Had a meeting and there is a ticket for federated keystone. Next monday I should be able to tell you if that will be accepted or not. Either way it is something that needs to be done and if it is not me then it will be someone that should be helping you with that.22:42
morganfainbergKrsna, great!22:42
*** browne has joined #openstack-keystone22:48
*** dims has joined #openstack-keystone22:58
*** diegows has joined #openstack-keystone23:03
*** derek_c has quit IRC23:08
*** marcoemorais has quit IRC23:25
*** marcoemorais has joined #openstack-keystone23:25
*** marcoemorais has quit IRC23:26
gabriel-bezerraHi folks23:29
*** marcoemorais1 has joined #openstack-keystone23:29
gabriel-bezerraIsn't the GET v3/extensions supposed to work?23:29
*** marcoemorais1 has quit IRC23:30
*** marcoemorais1 has joined #openstack-keystone23:30
*** marcoemorais1 has quit IRC23:30
*** stevemar has quit IRC23:30
*** marcoemorais1 has joined #openstack-keystone23:30
gabriel-bezerraI can only get the extensions from the v2.0 api23:30
gabriel-bezerra$ curl http://localhost:5000/v3/extensions {"error": {"message": "The resource could not be found.", "code": 404, "title": "Not Found"}}23:31
gabriel-bezerraI'm running devstack with a clone of openstack/keystone repository23:32
gabriel-bezerrathe latest commit in there is of today: Merge "replace word 'by' with 'be'"23:33
*** Guest____ has quit IRC23:47
*** browne has quit IRC23:51
*** wchrisj has quit IRC23:56
gabriel-bezerraeven more strange here: OS-FEDERATION is being listed as an extension when I call v2.0/extensions23:58
gabriel-bezerrapardon me, I thought I'd seen OS-FEDERATION instead of OS-OAUTH1 in the API documentation at
