Friday, 2014-04-25

morganfainberg	dstanek, but... i'm not 100% clear still on some of the fallout from this one	00:00
morganfainberg	setting up vm now for schema tests	00:00
dstanek	morganfainberg: while i agree it seems like a lot of change because alembic doesn't support 5.5 naming convertions yet	00:00
dstanek	morganfainberg: when you are testing try to add a new fk and see if you can	00:01
morganfainberg	dstanek, ok i think i can create a contrived migration for that once i check schemas	00:01
morganfainberg	maybe this is because we renamed a column at some point?	00:02
dstanek	not sure if this is the same: https://bitbucket.org/zzzeek/alembic/issue/157/autogenerate-detected-removed-index-for	00:02
*** browne has quit IRC		00:06
morganfainberg	dstanek, http://pasteraw.com/5mrt8ccntb44an9ggwpnd370g4qmck1	00:06
morganfainberg	thats migrating from icehouse, then checking out master -> current (first file), 2nd file is applying migrate 50	00:06
*** nkinder has quit IRC		00:11
openstackgerrit	Brant Knudson proposed a change to openstack/keystone: Add localized response test https://review.openstack.org/70610	00:15
*** derek_c has quit IRC		00:18
morganfainberg	dstanek, here is the juno (with collapsed migrate) version	00:19
morganfainberg	http://pasteraw.com/hfn76wtlhptgrfprpq3fwez66euhmtz	00:19
morganfainberg	but i am getting the sinking feeling we'll need one of these for each migration that has a FK	00:20
*** lbragstad has joined #openstack-keystone		00:27
*** jaosorior has quit IRC		00:31
openstackgerrit	Lance Bragstad proposed a change to openstack/keystone: Implement validation on projects https://review.openstack.org/86484	00:33
*** derek_c has joined #openstack-keystone		00:33
*** browne has joined #openstack-keystone		00:34
*** browne has quit IRC		00:36
openstackgerrit	Lance Bragstad proposed a change to openstack/keystone: Allow 'description' in V3 Regions to be optional https://review.openstack.org/78658	00:38
morganfainberg	jamielennox, tagged you to lbragstad's review https://review.openstack.org/#/c/86483/3 on validation	00:38
morganfainberg	jamielennox, since you were working on the validator (descriptor style)	00:38
jamielennox	morganfainberg: looking	00:38
jamielennox	morganfainberg: i don't know if it's going to be worth it	00:38
jamielennox	i'm leaving it for now	00:38
morganfainberg	jamielennox, right.	00:39
lbragstad	morganfainberg: jamielennox thanks	00:39
jamielennox	spent more or less a whole day and was always so close	00:39
morganfainberg	jamielennox, lbragstad, i want to make sure we hit a good solution, even if it's rough	00:39
jamielennox	but the combination of what is and isn't a schema and what is and isn't an object just gets confusing	00:39
jamielennox	i'm thinking we do the most basic for now	00:39
morganfainberg	so since you both took different takes on it...	00:39
morganfainberg	:)	00:39
jamielennox	class Request(dict):	00:39
lbragstad	yeah.. I agree...	00:39
jamielennox	schema = { ... }	00:39
jamielennox	lbragstad: did you catch the stuff i was playing with yesterday?	00:40
lbragstad	jamielennox: I don't think I got the latest review...	00:40
lbragstad	do you have a link?	00:40
jamielennox	lbragstad: there was no review,	00:40
morganfainberg	jamielennox, hitting the simplest solution is the best. i'm thinking we keep looking for something that lets us deserialize and validate in the same mechanism	00:40
lbragstad	oh	00:40
jamielennox	i couldn't get it to play out how i wanted it to	00:40
morganfainberg	jamielennox, but i don't know if it exists.	00:41
lbragstad	jamielennox: what were you trying?	00:41
lbragstad	I'm jsut going of the nova V3 api validation stuff	00:41
morganfainberg	lbragstad, this will need a BP attached to it (in either case)	00:41
jamielennox	lbragstad: http://paste.openstack.org/show/76853/	00:41
* morganfainberg wants to see us be better about tracking associated changes.		00:42
morganfainberg	bugs or bp etc	00:42
jamielennox	lbragstad: if i could get it to work i think it would be really cool	00:43
lbragstad	interesting...	00:43
jamielennox	lbragstad: i've just wasted too much time on it already	00:43
lbragstad	so.. .you're validating types too	00:43
lbragstad	I don't think what I'm doing is that indepth	00:43
jamielennox	lbragstad: so i want to be somewhere between WSME/Sqlalchemy and jsonschema	00:43
lbragstad	right	00:44
jamielennox	the layout of WSME but still able to generate the full schema	00:44
jamielennox	morganfainberg: i got closer than that, i did figure out the problem of type vs data	00:44
jamielennox	morganfainberg: a pure type object, a model object and then a 'relationship' object that provided all the __get__ __set__ etc	00:45
jamielennox	relationship object was built 'magically' by the metaclass	00:45
morganfainberg	jamielennox, hmmm.	00:46
morganfainberg	jamielennox, interesting	00:46
lbragstad	nova accomplishes this by just having a schema template to validate against, which I was thinking we would have for each resource, and then we could validate with a wrapper, like sending a notification: https://review.openstack.org/#/c/86484/5/keystone/assignment/controllers.py	00:46
jamielennox	lbragstad: i was thinking a similar thing	00:46
lbragstad	so, when someone builds an extension they could leverage the jsonschema validator by adding the appropriate schema for the resource...	00:47
jamielennox	but i've long been of the opinion that we need to move all these dicts we pass around to actual objects	00:47
lbragstad	jamielennox: if you have ideas and want to hack on what I already have, you're more than welcome to... It's kinda a wip right now..	00:47
morganfainberg	jamielennox, ++++	00:47
lbragstad	so like nova	00:47
jamielennox	so i want a UserRequestInput object	00:47
lbragstad	and the migration to object representation	00:47
jamielennox	lbragstad: nova objects are way more indepth than that	00:48
lbragstad	.. I don't think I would mind that...	00:48
jamielennox	and actually the only thing i found that nova objects don't do is the representation	00:48
jamielennox	you still access them like a dictionary	00:48
jamielennox	(or you did last i looked)	00:48
lbragstad	right, which can make for an easier transition	00:48
jamielennox	lbragstad: right they will need to be at least dictionary compatible for a while/ever	00:49
lbragstad	+1	00:49
jamielennox	but i just want some protection and implicit validation of using the object and being able to know we are setting an incorrect value	00:49
lbragstad	on a side note, I think having a consistent validator will help clean up the controller code too	00:49
jamielennox	lbragstad: i want that to die so badly	00:50
lbragstad	jamielennox: agreed..	00:50
jamielennox	dolphm: -2ed my last patch in that way	00:50
lbragstad	lol	00:50
lbragstad	well, I'm hoping that this jsonschema thing is a step in the right direction	00:50
jamielennox	yea, i've given up on WSME	00:51
jamielennox	i just want to go schema	00:51
jamielennox	then we can actually expose the schema via an API	00:51
lbragstad	I like it because we can just set a schema for a resource...	00:51
jamielennox	i found http://www.alpacajs.org/ a while ago - and i want a reason to use it	00:51
lbragstad	so we have pretty good control over what is a 'valid' attribute or not	00:52
jamielennox	(not me, hate javascript, but someone...)	00:52
lbragstad	I think I've heard of that	00:52
lbragstad	I think my office mate was talking about it	00:52
jamielennox	i was thinking a while ago about building a service (non-openstack) where you could install a schema and then do CRUD operations against it	00:53
lbragstad	that'd be useful	00:54
jamielennox	you could automate 90% of forms, and a lot of custom services	00:54
*** lbragstad is now known as lbragstad__		00:54
lbragstad__	gotta run quick, jamielennox let me know what you think about the schema stuff if you get a chance, might need to fiddle with the layout a bit still	00:55
jamielennox	lbragstad__: ok, i want this to happen and i don't mind so much about the format for now if it's jsonschema based	00:55
lbragstad__	++ good deal, thank you	00:56
morganfainberg	i would love something like protobuf (that isn't... protobuf?)	01:03
morganfainberg	for each data type.	01:04
morganfainberg	s/data type/object type/	01:04
morganfainberg	not that i'd use it for external communication (sure there are arguments for/against it, but it would be a harder sell)	01:05
*** amcrn has quit IRC		01:05
*** marcoemorais has quit IRC		01:11
*** richm has quit IRC		01:11
*** marcoemorais has joined #openstack-keystone		01:14
*** marcoemorais has quit IRC		01:20
*** derek_c has quit IRC		01:24
jamielennox	morganfainberg: there was another one i just saw	01:25
jamielennox	morganfainberg: messagepack	01:27
jamielennox	i don't see any advantage to it over protobuf but it looked interesting	01:27
*** nkinder has joined #openstack-keystone		01:34
*** praneshp has quit IRC		01:35
morganfainberg	jamielennox, messagepack i'm not a huge fan of	01:35
morganfainberg	jamielennox, i've used it before, its FAST but there are utf8 issues	01:36
morganfainberg	and nasty ones	01:36
jamielennox	morganfainberg: interesting, they don't mention that on their website	01:36
*** stevemar has quit IRC		01:36
morganfainberg	jamielennox, it had a nasty bug related to it, i did a lot of work debugging it for saltstack at one point	01:37
morganfainberg	it's very unfun.	01:37
jamielennox	i don't care really either way - i think compression and validation support what we need	01:37
jamielennox	though it'd be nice if something could do validation and deserialization in one pass	01:37
morganfainberg	i think the best bet is protobuf for that	01:37
morganfainberg	using the json-protobuf module	01:37
morganfainberg	it does it in one shot iirc.	01:37
jamielennox	i was looking at ayoung's PKIZ review the other day	01:37
morganfainberg	but... might be a tough sell	01:38
jamielennox	we need a way of making that more pluggable	01:38
* ayoung snaps out of his stupor		01:38
*** diegows has quit IRC		01:38
morganfainberg	and you leave a lot on the table if you don't use the binary serialization/deserialize w/ protobuf (no no not advocating using it that way)	01:38
*** derek_c has joined #openstack-keystone		01:38
jamielennox	ayoung: i was going to -1 it and say why is this a seperate format rather than a decompress around an existing format	01:38
jamielennox	but you're doing DER now rather than PEM	01:38
morganfainberg	i want something that lets us deserialize and validate in one shot.	01:39
ayoung	morganfainberg, I kindof like the layerd stack	01:39
morganfainberg	but.. the one option i've found i'm not sure i want to really push that hard for (protobuf)	01:39
morganfainberg	ayoung, it has some nice advantages.	01:39
ayoung	compression, signature, and serialization are all tricky things. and I like using the best libraray we can for each level. Allos us to trade up if we want to	01:40
*** gokrokve has quit IRC		01:40
jamielennox	morganfainberg: right - because we would still end up validating the token format in the middleware again	01:40
dstanek	morganfainberg: sorry, was doing dad stuff	01:40
morganfainberg	jamielennox, yep. though tokens are a case i could see protobuf being a win	01:40
jamielennox	ASN1 tokens!	01:40
morganfainberg	jamielennox, provide the protoc stuff (yes i know it's binary) but it would work across languages	01:40
ayoung	Is that like ANS1?	01:41
dstanek	morganfainberg: you'd have to do that for every fk right?	01:41
jamielennox	heh, well cms.py supports both now	01:41
morganfainberg	dstanek, no, i can't tell why some are screwy and some aren't	01:41
morganfainberg	dstanek, well i know WHY but i don't know how we end up screwy.	01:41
morganfainberg	it's ... odd	01:42
jamielennox	ayoung: it's weird how there can be a code review process and no-one notices that stuff	01:42
morganfainberg	ayoung, when the original objectification talk occured (grizzly?) for nova i think there were a couple of us who said protobuf fit the need and provided versioned (layered?) objects	01:42
morganfainberg	jamielennox, lysdexia?	01:43
morganfainberg	and ANS1 - ansi?	01:43
jamielennox	morganfainberg: nah, the first and last letters need to be the same	01:43
morganfainberg	hehe	01:44
ayoung	morganfainberg, would that do signatures? Would it do compression?	01:44
morganfainberg	ayoung, well, we probably would need to layer in a signature object, but it could be the same object def for anything needing a sig	01:45
ayoung	then all it would really replace is the JSON?	01:45
morganfainberg	ayoung, no i mean if we used protobuf you'd have a "signed" object type, you'd include the signature in that type and that type would include the object that was signed	01:46
morganfainberg	ayoung, which could be ANY(type1, type2, type3) and you get validation on both fronts	01:46
morganfainberg	ayoung, it would replace JSON with binary... and it there is an argument against using binary wire formats ... debugging sucks.	01:46
morganfainberg	a lot	01:46
morganfainberg	ayoung, i think to do native protobuf compression you'd have to use the native RPC code	01:47
jamielennox	community: is this something we want to support in client?	01:47
jamielennox	https://review.openstack.org/#/c/77219/	01:47
jamielennox	(it's not mine)	01:48
morganfainberg	doesn't V3 remove the admin/public url specifics?	01:48
jamielennox	in general i don't mind - but it's making an exception for the admin/public split in v2 which i'm not sure i want to do	01:48
jamielennox	morganfainberg: yes - but currently the client defaults to admin url for everything	01:49
morganfainberg	jamielennox, i'm also wary of adding anything to v2 - unless it's REALLY needed	01:49
morganfainberg	jamielennox, v2 should be "frozen" imo.	01:49
jamielennox	which is something that should be changed - but it was something i was hoping to attack with the session object rather than in the client	01:49
ayoung	It seems like we have a good V2/V3 interop story now...or at least you can possibly use them both on the same endpoint, right?	01:50
jamielennox	ayoung: not even close	01:50
jamielennox	ayoung: there is a plan i think - but that's not an implemented story	01:50
ayoung	If the endpoint says v2.0, can you do a v3 call now, somehow?	01:50
jamielennox	yea - with the old client	01:50
jamielennox	but there is no way to know if v3 is supported by the server	01:51
jamielennox	there is no way to take a token you have and move to v3	01:51
jamielennox	well there is but it sucks	01:51
jamielennox	and i haven't done the v2/v3 hack in the session - so moving to the newer method doesn't help yet	01:51
ayoung	there is no automated way, but a savvy user could hit the endpoint with a browser and see	01:51
ayoung	Right? I mean, all of the CLI stuff assumed /v2.0, but if you want to explicitly create a V3 session and work with it, you can, or is there something missing?	01:53
jamielennox	umm, you can do v3 auth with a v2 client if you use the session object	01:53
jamielennox	i don't think anyone is actually doing that yet	01:54
jamielennox	also as i said if you do it that way you don't get the v2/v3 URL hack	01:54
jamielennox	i was waiting for the unversioned endpoints in catalog review to go through before i did that	01:55
jamielennox	that's dependent on the discovery changes	01:56
ayoung	So priority of review goes to..?	01:57
jamielennox	https://review.openstack.org/#/c/81146/	01:58
*** derek_c has quit IRC		01:59
ayoung	jamielennox, that is mostly code reshuffling, right? What is the actual logic difference?	01:59
jamielennox	ayoung: it's mostly reshuffling	02:00
*** topol has joined #openstack-keystone		02:00
jamielennox	ayoung: the problem is that the original discover has a dependency on the client object, because it can create clients for you	02:00
jamielennox	it means there is a circular dependency to actually using discovery for something within client	02:00
ayoung	and now...what is the path to using it?	02:01
ayoung	or is it still there?	02:01
jamielennox	i did the original discovery before i had the multi-client plan in place	02:01
jamielennox	so from inside the keystoneclient we can import _discovery - everyone else can use discovery as normal	02:01
jamielennox	the new way exposes things like url_for() so you can actually query discovery - the old way all you could really do was create a new client object	02:02
ayoung	any side effects or API breakages due to this? cuz it looks pretty straightforward otherwise.	02:03
jamielennox	there shouldn't be any breakages	02:03
jamielennox	(i'm getting pretty atuned to that now)	02:03
jamielennox	it's just adding some new functions to the discovery object	02:03
ayoung	morganfainberg, he addressed your concerns? Want to move this one ahead? Without v2/v3 interop, we are kindo dead inthe water stuck on V2.	02:04
morganfainberg	ayoung, hmm?	02:05
morganfainberg	ayoung, oh i'm not opposed to the change, i just want to make sure we're clear on why we're changing anything v2	02:06
morganfainberg	ayoung, and sure, this is def. a clear benefit	02:06
jamielennox	morganfainberg: new topic	02:06
morganfainberg	oh	02:06
jamielennox	https://review.openstack.org/#/c/81146/	02:06
morganfainberg	sorry was talking to someone here	02:06
ayoung	jamielennox, I think you have some rebasing to do	02:06
jamielennox	ayoung: possibly, i haven't actual chagned that code for a while	02:06
ayoung	https://review.openstack.org/#/c/74599/ is the unversioned patch you were talking about?	02:06
jamielennox	oh	02:07
jamielennox	yea	02:07
jamielennox	yea, there are discovery changes embedded in that which was the reason i made the other patch	02:07
ayoung	that is the big one, isn't it?	02:07
jamielennox	i need to update it	02:07
jamielennox	ayoung: yea, that will be very useful	02:07
jamielennox	it will let us do: https://review.openstack.org/#/c/81147/ as well	02:08
ayoung	jamielennox, if you get it working, I promise to browbeat the daytime crew into reviewing it	02:08
morganfainberg	jamielennox, looking at the new patchset now	02:08
jamielennox	i was going to do kite stuff today but i'll rebase that now	02:09
*** gokrokve has joined #openstack-keystone		02:11
ayoung	this is more important than Kite, IMNSHO	02:11
*** gokrokve_ has joined #openstack-keystone		02:13
*** derek_c has joined #openstack-keystone		02:14
morganfainberg	jamielennox, i wont block the 81146 but i think the docstrings could use some modifications. I see a lot of narrative-like stuff in them, in one case talking about a past implementation vs current implementation?	02:14
morganfainberg	jamielennox, i'm looking over the code as well again seeing if anything looks out of place	02:15
jamielennox	morganfainberg: please do, it's been a while since i wrote it	02:15
morganfainberg	jamielennox, ok do you want a -1 and pointers on the docstrings as well?	02:15
jamielennox	sure	02:15
*** gokrokve has quit IRC		02:15
morganfainberg	jamielennox, ok i'll get a bunch of comments up on it so we can be less narrative and more documenting the state of things.	02:16
morganfainberg	i'll do a second pass for code (or code then docstrings)	02:16
jamielennox	morganfainberg: explaining things is always my problem	02:16
jamielennox	well one of them	02:16
ayoung	jamielennox, question for you on regions	02:17
ayoung	https://review.openstack.org/#/c/79096/7/keystoneclient/v3/regions.py line 38	02:17
ayoung	I use that in https://review.openstack.org/#/c/82687/10/examples/scripts/regions.py but its a kwarg so it wasnt' explicit	02:17
ayoung	am I doing that right? It is right to make it explicit in the regions patch, right?	02:18
jamielennox	ayoung: it's just that by making it explicit you remove it from kwargs, but then don't pass it to super	02:19
ayoung	hmmm, ok , so I need to pass it to super, or should I just leave it in the kwargs?	02:20
ayoung	I guess just pass it is right...	02:20
jamielennox	ayoung: it's something that's not really handled very well anywhere	02:21
jamielennox	in some places it's explicit so that it is readily apparent	02:21
jamielennox	in others it's just part of kwargs because it does the same thing anyway	02:21
jamielennox	the best i'm hoping for here is that we get a nice clean new model in -SDK and then i can backport it as part of client 2.0	02:22
ayoung	None of this has to be pulled out, its really just documentation	02:22
ayoung	jamielennox, also, in update	02:22
ayoung	I assume I should change the parameter from parent_region_id to parent_region?	02:22
jamielennox	yea	02:24
jamielennox	sorry, went through that one fairly quickly, i need to get better at explainning things	02:25
ayoung	not a problem, I knew where to find you to ask	02:25
*** mberlin1 has joined #openstack-keystone		02:26
ayoung	jamielennox, but is it right that only the create takes id and the rest take region?	02:26
ayoung	or should I do the base.getid approach	02:27
jamielennox	ayoung: yes, because you shouldn't be passing an existing region object to create	02:27
jamielennox	that would be all kinds of messed up	02:27
*** mberlin has quit IRC		02:27
jamielennox	to clarify (because the or came after) yes, create should use id	02:28
jamielennox	i think the parameter should be id=, because of the masking thing you might find some people want it renamed to region_id=	02:29
*** derek_c has quit IRC		02:30
*** zhiyan_ is now known as zhiyan		02:33
ayoung	morganfainberg, ... this patch really needs to be run with the scripts I pulled out of it...because you were insisting on tempest tests...I don't think I can make that happen	02:36
ayoung	https://review.openstack.org/#/c/79096/7/keystoneclient/v3/regions.py	02:37
openstackgerrit	ayoung proposed a change to openstack/python-keystoneclient: Regions Management https://review.openstack.org/79096	02:37
morganfainberg	ayoung, i am very concerned that if we don't use those scripts in a gate job (could be tempest or otherwise) we're not going to maintain them	02:37
morganfainberg	ayoung, could we .. make a test case that exercises them?	02:37
morganfainberg	vs. tempest even?	02:38
ayoung	morganfainberg, nah...these are examples. People will be running them and asking us questions about them	02:38
ayoung	this will be the code that we point people at, and when the break they say "I tried that and got a 404"	02:38
morganfainberg	ayoung, ok so we (reviewers) need to run the examples on any change to make sure they aren't broken.	02:38
openstackgerrit	A change was merged to openstack/keystone: Make test_revoke expiry times distinct https://review.openstack.org/90224	02:38
ayoung	They are examples. We can use them to write tempest tests, but that would be secondary	02:39
ayoung	but, they are someting we could run to test changes out, yes	02:39
morganfainberg	our in-tree examples should really be checked that they stay working imo	02:39
morganfainberg	i get a feeling they are going to bit-rot quickly otherwise. I'm happy to contribute time to help make is so we check them.	02:40
morganfainberg	s/is/it	02:40
ayoung	OK...how about this	02:40
morganfainberg	and yes the tests can come after.	02:40
ayoung	we write them, and then as a follow on, we do tempest tests that call them	02:40
morganfainberg	just we need to be sure we do it.	02:41
morganfainberg	yep.	02:41
morganfainberg	works for me, i just want to make sure we don't wait too long to get those tests in place	02:41
ayoung	OK...let me see...the setup and teardown goes back to being its own...region goes back in here, and the revoation event goes back into its own...	02:42
morganfainberg	maybe we should get a bug / bp that tagged to j1 for that we can shuffle it down the line, but it puts it on the radar	02:42
morganfainberg	and keeps us looking at it	02:42
morganfainberg	for testing the examples that is	02:42
ayoung	++	02:42
ayoung	morganfainberg, and when tempest rejects them?	02:44
morganfainberg	ayoung, we do the same (less fun) thing we do for keystoneclient tests	02:44
morganfainberg	make a testcase that at least tries to keep our examples working	02:45
ayoung	"the same thing we do every night Pinky..."	02:45
morganfainberg	ayoung, ++	02:45
ayoung	NARF!	02:45
morganfainberg	ayoung, but... where are we going to get a pair of rubber pants in our size at this time of night?	02:45
*** derek_c has joined #openstack-keystone		02:45
ayoung	You never cease to amaze me.	02:46
jamielennox	morganfainberg: we need uvirtbot to do those	02:46
morganfainberg	uvirtbot, get on it!	02:46
uvirtbot	morganfainberg: Error: "get" is not a valid command.	02:46
morganfainberg	jamielennox, i agree.	02:47
morganfainberg	is the python interpreter super smart.. or will "if item in THING and boolean:" end up looking in the "thing" before checking the boolean	02:48
morganfainberg	?	02:48
jamielennox	i think and is higher precendence	02:48
morganfainberg	hm...	02:48
jamielennox	it certainly should be	02:48
morganfainberg	yeah it should	02:48
* morganfainberg doesn't know for sure.		02:49
morganfainberg	shrug	02:49
jamielennox	mind you i'd invert that anyway as the bool is cheaper and you wouldn't have that problem	02:49
morganfainberg	yeah.	02:49
jamielennox	then again if you care about the cost of order of operations you probably shouldn't be doing python	02:49
morganfainberg	haha	02:49
morganfainberg	i was asking because of line https://review.openstack.org/#/c/81146/2/keystoneclient/_discover.py 166	02:50
morganfainberg	it was pure curiosity	02:50
morganfainberg	not because i'd ask you to change it	02:50
jamielennox	yea should be fine - though it appears i break my own rules	02:50
morganfainberg	hehe	02:51
jamielennox	comment it, because i assume i'm re-rolling it at this point	02:51
morganfainberg	like i said... that is so much a nit of a potential optimisation i was just curious.	02:51
ayoung	uvirtbot what are we going to do tonight?	03:01
uvirtbot	ayoung: Error: "what" is not a valid command.	03:01
ayoung	It was worth a try	03:01
*** david-lyle has joined #openstack-keystone		03:01
*** david-lyle has quit IRC		03:02
ayoung	usually with and you want to evaluate the first and ignore the second if the frst is false	03:02
ayoung	so it should be if boolean and item in thing:	03:02
morganfainberg	ayoung, yeah	03:09
morganfainberg	ayoung in this case it's super nit-picky though,	03:09
ayoung	morganfainberg, depends on how often it is executed, and it looks like that logic is in a few places...would be worthwhile to mention it to get it streamlines when you see it	03:09
morganfainberg	ayoung, it also depends on the size of the list/set	03:10
ayoung	I'd think a boolean would always be faster by several operations even for comparing with an empty list	03:10
morganfainberg	ayoung, i'd agree	03:11
ayoung	but if there is even one element in the list, its a string comparison...so significantly faster	03:11
*** marcoemorais has joined #openstack-keystone		03:11
morganfainberg	jamielennox, ok commented on the review, lots of suggestions	03:11
morganfainberg	jamielennox, only really one code suggestion, remove the for/else :P	03:12
morganfainberg	jamielennox, ooooh i need to look at the tests. possibly more incoming	03:12
jamielennox	morganfainberg: what's wrong with for/else	03:12
morganfainberg	jamielennox, it is very non-intuative even for seasoned python developers	03:12
*** marcoemorais has quit IRC		03:12
jamielennox	bah, i think in which case seasoned python developers should expand there horizons	03:12
morganfainberg	jamielennox, it's a code maintainability and future developer comment, it is really a suggestion, but if there isn't a good alternative, this is a case it's more valid than some of the others i've seen	03:13
morganfainberg	jamielennox, it's just a non-intuative language construct... no other language really does a "if we didn't break out of the loop, run this code"	03:13
jamielennox	morganfainberg: debating on the principal that i like the for/else thing in certain places, i can't remember what i'm doing with it	03:13
*** harlowja is now known as harlowja_away		03:13
morganfainberg	jamielennox, you're doing it in a nested loop	03:14
morganfainberg	jamielennox, which is why i think it has more merit than other cases i've seen	03:14
jamielennox	hmm, yea i don't know if it would be as clean to remove it there	03:15
morganfainberg	jamielennox, exactly. i'm ok with keeping it if there isn't a good alternative	03:15
morganfainberg	jamielennox, but it's a strange logic construct	03:16
morganfainberg	most people would think "oh if i _don't_ iterate, run this code"	03:16
morganfainberg	worse is while/else	03:16
morganfainberg	jamielennox, anyway overall the patchset looks good	03:19
jamielennox	what should the default behaviour be if someone requests a url for a service but doesn't specify a version/	03:28
jamielennox	i want compute service on public interface version 3 is easy	03:29
jamielennox	if version is ommitted do we return the most recent?	03:29
jamielennox	or just use the URL given in the service catalog	03:29
*** Chicago has quit IRC		03:29
*** Chicago has joined #openstack-keystone		03:34
*** Chicago has joined #openstack-keystone		03:34
*** Chicago has quit IRC		03:35
morganfainberg	jamielennox, hmm.	03:50
morganfainberg	jamielennox, i think most recent is a sane answer	03:50
jamielennox	morganfainberg: that's what the original patch does	03:50
morganfainberg	jamielennox you didn't specify, we have to assume you want whatever we think is "best"	03:50
jamielennox	but i don't know if we can	03:50
jamielennox	the existing behaviour is to just use the service catalog	03:51
morganfainberg	oh backwards compat doh	03:51
jamielennox	- but that's a broken assumption already because the whole point is to move to unversinoed endpoints	03:51
morganfainberg	can we make a compat interface that does the same thing as now and new interface "hey guys use this new interface" that does the "get most recent"?	03:51
morganfainberg	basically transitional option	03:51
morganfainberg	if you don't change what you're doing you get current behavior (and a message telling you you should use the new "way")	03:52
morganfainberg	?	03:52
jamielennox	not that i can see	03:52
jamielennox	we're into plugins territory	03:52
morganfainberg	damn	03:52
jamielennox	so we're already about 4 layers removed from the actual decision	03:52
*** praneshp has joined #openstack-keystone		03:52
morganfainberg	grumble	03:52
jamielennox	i don't know if it matters because in the client there should be a layer that says all calls through here are for the identity service	03:53
morganfainberg	jamielennox, i really want to use the latest version...	03:53
jamielennox	and that layer should know to add the correct version	03:53
morganfainberg	jamielennox, hm. can .. we make that assumption?	03:53
*** praneshp_ has joined #openstack-keystone		03:53
jamielennox	so it's not something that user's should ever be concerned with i think	03:53
morganfainberg	jamielennox, hmmm.	03:53
jamielennox	not sure, but it's the best way i can think of to indicate that we are changing behaviour is to add the version= param	03:53
morganfainberg	jamielennox, might be the best option	03:54
*** praneshp has quit IRC		03:57
*** praneshp_ is now known as praneshp		03:57
*** stevemar has joined #openstack-keystone		04:18
*** chandan_kumar has joined #openstack-keystone		04:21
*** derek_c has quit IRC		04:40
*** bvandenh has joined #openstack-keystone		04:57
openstackgerrit	A change was merged to openstack/keystone: More notification unit tests https://review.openstack.org/81659	05:00
*** topol has quit IRC		05:26
*** stevemar has quit IRC		05:39
*** derek_c has joined #openstack-keystone		05:45
*** bvandenh has quit IRC		05:48
*** bvandenh has joined #openstack-keystone		05:48
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/90288	06:01
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Refactor notifications https://review.openstack.org/81660	06:09
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Unversioned endpoints in service catalog https://review.openstack.org/74599	06:12
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Discovery URL querying functions https://review.openstack.org/81146	06:12
dstanek	morganfainberg: thanks	06:16
dstanek	i wonder why it got confused	06:16
morganfainberg	dstanek, np, it got lost somehow	06:17
morganfainberg	didn't we have a gerrit upgrade?	06:17
morganfainberg	oh nope not yet	06:17
morganfainberg	soon™	06:17
morganfainberg	no idea how it got confused.	06:17
morganfainberg	ok i need to do a full review on https://review.openstack.org/#/c/80398/23 again	06:18
morganfainberg	maybe tomorrow.	06:18
morganfainberg	dstanek, https://review.openstack.org/#/c/89235/ dogpile update going in	06:19
morganfainberg	dstanek, means we can fix that cache thing	06:19
morganfainberg	and the backend property :)	06:19
dstanek	morganfainberg: excellent - i think it's in one of the patches for Python 3	06:23
morganfainberg	dstanek, yep	06:23
dstanek	now that the oslo fix is in all that stuff is ready to go	06:24
morganfainberg	woo	06:25
dstanek	that'll give us some py3 coverage	06:25
morganfainberg	it's a start!	06:25
morganfainberg	i need to go home :P	06:26
morganfainberg	i was going to go home much earlier but wanted to get some code reviewing done	06:27
morganfainberg	did we get blinker added to the global reqs?	06:29
morganfainberg	dstanek, or were you waiting?	06:30
morganfainberg	anyway. g'night	06:31
dstanek	morganfainberg: i was waiting; we can talk about it tomorrow	06:32
dstanek	have a good night	06:32
*** morganfainberg is now known as morganfainberg_Z		06:41
*** ericn has quit IRC		06:53
*** rwsu has quit IRC		06:57
openstackgerrit	Juan Antonio Osorio Robles proposed a change to openstack/keystone: No longer allow listing users by email https://review.openstack.org/90296	07:07
*** jaosorior has joined #openstack-keystone		07:09
openstackgerrit	A change was merged to openstack/keystone: Explicit foreign key indexes. https://review.openstack.org/84444	07:10
openstackgerrit	A change was merged to openstack/keystone: Compatible server default value in the models. https://review.openstack.org/84445	07:15
*** praneshp_ has joined #openstack-keystone		07:25
*** praneshp has quit IRC		07:27
*** praneshp_ is now known as praneshp		07:27
*** gokrokve_ has quit IRC		07:31
*** gokrokve has joined #openstack-keystone		07:32
*** gokrokve has quit IRC		07:36
openstackgerrit	Marek Denis proposed a change to openstack/identity-api: Add ``user`` object to the mapping rules examples. https://review.openstack.org/90121	07:40
openstackgerrit	Marek Denis proposed a change to openstack/identity-api: Fix federation mapping rules examples. https://review.openstack.org/90303	07:45
*** praneshp has quit IRC		07:46
*** jamielennox is now known as jamielennox\|away		07:51
*** gokrokve has joined #openstack-keystone		08:02
*** gokrokve has quit IRC		08:04
*** gokrokve has joined #openstack-keystone		08:04
*** leseb has joined #openstack-keystone		08:07
openstackgerrit	A change was merged to openstack/python-keystoneclient: Enhance tests for auth_token middleware https://review.openstack.org/90251	08:08
*** gokrokve has quit IRC		08:08
openstackgerrit	A change was merged to openstack/keystone: Updated from global requirements https://review.openstack.org/89235	08:12
openstackgerrit	A change was merged to openstack/keystone: Fix typo of ANS1 to ASN1 https://review.openstack.org/87071	08:12
openstackgerrit	Marek Denis proposed a change to openstack/keystone: Add detailed federation configuration docs https://review.openstack.org/89220	08:29
*** derek_c has quit IRC		08:35
*** gokrokve has joined #openstack-keystone		09:02
*** gokrokve has quit IRC		09:07
*** zhiyan is now known as zhiyan_		09:14
*** leseb has quit IRC		09:26
*** andreaf has joined #openstack-keystone		09:27
openstackgerrit	A change was merged to openstack/python-keystoneclient: Debug log when token found in revocation list https://review.openstack.org/89693	09:29
*** leseb has joined #openstack-keystone		09:30
*** gokrokve has joined #openstack-keystone		10:03
*** gokrokve has quit IRC		10:08
openstackgerrit	A change was merged to openstack/keystone: Added statement for ... if ... else https://review.openstack.org/90013	10:13
*** leseb has quit IRC		10:30
*** leseb has joined #openstack-keystone		10:31
*** leseb has quit IRC		10:35
*** waterkinfe has joined #openstack-keystone		10:44
*** gokrokve has joined #openstack-keystone		11:03
*** gokrokve_ has joined #openstack-keystone		11:05
*** vhoward has joined #openstack-keystone		11:05
*** gokrokve has quit IRC		11:08
*** leseb has joined #openstack-keystone		11:08
*** gokrokve_ has quit IRC		11:10
*** leseb has quit IRC		11:13
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/89245	11:23
*** leseb has joined #openstack-keystone		11:52
*** gokrokve has joined #openstack-keystone		12:03
*** erecio has joined #openstack-keystone		12:03
*** gokrokve has quit IRC		12:07
*** thiagop has joined #openstack-keystone		12:37
*** erecio_1 has joined #openstack-keystone		12:53
*** erecio has quit IRC		12:56
*** dims has quit IRC		13:01
*** dims has joined #openstack-keystone		13:03
*** gokrokve has joined #openstack-keystone		13:03
*** lbragstad__ is now known as lbragstad		13:07
*** gokrokve has quit IRC		13:08
*** joesavak has joined #openstack-keystone		13:10
*** diegows has joined #openstack-keystone		13:10
*** waterkinfe has quit IRC		13:28
*** toddnni has joined #openstack-keystone		13:38
toddnni	Hi, I would like to ask shortly about Openstack keystone and LDAP integration. We at Cybercom took into use RDO Havana with Ldap identity backend. We are using AD so we needed to change id attribute to sAMAaccountName and I think we bumbed to #1231488. To fix it we added id attribute to identity/backends/ldap.py attribute_options_names list and it fixed the problem in our case. So the question is does anyone have up to date	13:40
toddnni	It seems that the same bug is in icehouse also.	13:41
*** dims has quit IRC		13:41
toddnni	ayoung: I understood that you know something about this?	13:42
*** dims has joined #openstack-keystone		13:43
ayoung	toddnni, you probably need to change the case of the attribute. It needs to match exactly	13:43
openstackgerrit	Marek Denis proposed a change to openstack/identity-api: Add ``user`` object to the mapping rules examples. https://review.openstack.org/90121	13:44
marekd	dolphm: ^^ addressed your comments.	13:44
*** dims has quit IRC		13:53
*** topol has joined #openstack-keystone		13:55
*** dims has joined #openstack-keystone		13:55
*** leseb has quit IRC		13:56
*** leseb has joined #openstack-keystone		13:56
openstackgerrit	Lance Bragstad proposed a change to openstack/keystone: Allow 'description' in V3 Regions to be optional https://review.openstack.org/78658	14:02
*** gokrokve has joined #openstack-keystone		14:04
openstackgerrit	Brant Knudson proposed a change to openstack/python-keystoneclient: auth_token middleware hashes tokens with configurable algorithm https://review.openstack.org/80398	14:07
*** thedodd has joined #openstack-keystone		14:12
*** chandan_kumar has quit IRC		14:13
toddnni	ayoung: we confrmed that id attribute change had no effect by looking keystone ldap debug output, and the fix I made worked. So I have a fix, but I	14:13
*** ayoung is now known as ayoung_meeting		14:14
toddnni	'm wondering if my way is the right way to fix it	14:14
toddnni	or if there is a fix or idea how to fix it already	14:15
lbragstad	jamielennox\|away: we wouldn't necessarily have to need something like this using the schema would we? http://paste.openstack.org/show/77095/	14:25
lbragstad	on delete that is	14:26
*** stevemar has joined #openstack-keystone		14:27
*** erecio_1 has quit IRC		14:30
*** tomoiaga has joined #openstack-keystone		14:39
tomoiaga	the keystone developer docs have examples on how one can use a keystone client through python. However, this doesn't seem to work unless an auth plugin is specified (not mentioned in the docs). Furthermore, the auth param is marked as being optional, but nothing works without it. (keystone v3, examples here: http://docs.openstack.org/developer/python-keystoneclient/using-api-v3.html )	14:40
ayoung_meeting	toddnni, with you in a bit...working through something with someone else	14:41
*** dims has quit IRC		14:45
*** dstanek is now known as dstanek_zzz		14:45
*** dims has joined #openstack-keystone		14:47
*** leseb has quit IRC		14:54
*** afaranha has left #openstack-keystone		15:01
*** leseb has joined #openstack-keystone		15:03
*** zhiyan_ is now known as zhiyan		15:05
*** tomoiaga has quit IRC		15:05
*** zhiyan is now known as zhiyan_		15:07
*** jagee has joined #openstack-keystone		15:07
openstackgerrit	Marek Denis proposed a change to openstack/identity-api: Add ``user`` object to the mapping rules examples. https://review.openstack.org/90121	15:08
openstackgerrit	Marek Denis proposed a change to openstack/identity-api: Fix federation mapping rules examples. https://review.openstack.org/90303	15:09
*** erecio_1 has joined #openstack-keystone		15:11
*** stevemar has quit IRC		15:14
*** gyee has joined #openstack-keystone		15:17
*** dstanek_zzz is now known as dstanek		15:21
mfisch	is the admin token in the keystone db somewhere?	15:22
mfisch	a better question is how I can update it	15:23
dstanek	mfisch: it's in your keystone.conf - http://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone.conf.sample#n13	15:24
mfisch	dstanek: so I can just change it there and restart?	15:24
mfisch	I assumed it was more than that but maybe not	15:24
*** browne has joined #openstack-keystone		15:24
dstanek	mfisch: i'm pretty sure that's all you have to do	15:24
mfisch	ok	15:24
mfisch	puppet was displeased, let me try stuff by hand	15:25
mfisch	dstanek: well it doesn't work that way	15:30
mfisch	dstanek: I mean more is required	15:30
dstanek	mfisch: are you using OS_TOKEN to specify it for the client?	15:31
*** david-lyle_ has joined #openstack-keystone		15:32
*** richm has joined #openstack-keystone		15:32
*** erecio_1 has quit IRC		15:32
mfisch	dstanek:SERVICE_TOKEN=ABCD SERVICE_ENDPOINT=http://localhost:35357/v2.0/ keystone user-list	15:33
*** arunkant has quit IRC		15:33
*** david-lyle_ is now known as david-lyle		15:34
*** jagee has left #openstack-keystone		15:34
*** dstanek is now known as dstanekafk		15:35
*** dstanekafk is now known as dstanek		15:35
dstanek	mfisch: hmmm...i'll give it a try locally and see what happens	15:37
dstanek	mfisch: i think the SERVICE* environ vars are old style, but i'll check on that in a second	15:38
openstackgerrit	Sergey Skripnick proposed a change to openstack/keystone: Add rally job https://review.openstack.org/90405	15:38
mfisch	dstanek: OS_SERVICE or SERVICE* should work	15:39
mfisch	dstanek: and neither do	15:39
*** bach has joined #openstack-keystone		15:40
boris-42	morganfainberg_Z hi	15:41
*** bach has quit IRC		15:41
*** andreaf has quit IRC		15:41
*** bach has joined #openstack-keystone		15:41
boris-42	morganfainberg_Z take a look pls at https://review.openstack.org/90405 rally job for keystone	15:41
boris-42	morganfainberg_Z as well here infra patch https://review.openstack.org/90405	15:41
dstanek	boris-42: morganfainberg_Z's probably sleeping	15:42
boris-42	dstanek yep but he will read this message a bit latter=)	15:42
dstanek	ooh a rally patch, nice	15:42
boris-42	dstanek yep	15:42
dstanek	boris-42: how's that been going? i haven't been keeping up	15:42
boris-42	dstanek let me show sample in rally	15:43
*** shakamunyi has joined #openstack-keystone		15:43
boris-42	dstanek cause in rally we already have this job	15:43
boris-42	dstanek so https://review.openstack.org/#/c/90248/	15:43
boris-42	dstanek there is file called rally-scenarios/your_project.yaml	15:43
boris-42	dstanek inside it you are specifying any amount of benchmarks with any load	15:44
*** gabriel-bezerra has joined #openstack-keystone		15:44
boris-42	dstanek and it's run in gates by rally against cloud	15:44
dstanek	the results.html is pretty neat	15:44
boris-42	dstanek after that you have check-rally-dsvm-rally job	15:44
boris-42	and yep you are getting results.html	15:45
boris-42	with results of all benchmarks (on top there is select )	15:45
boris-42	dstanek in future (quite soon) we will support plugins	15:45
boris-42	dstanek so you'll be able to write in keystone source tree plugins for rally	15:45
dstanek	boris-42: nice - i'd love to make stuff faster, but it's hard to tell what to attack with micro benchmarks	15:46
boris-42	dstanek by plugins I mean new benchmarks	15:46
dstanek	this is going to be a huge help	15:46
*** mfisch has quit IRC		15:46
boris-42	dstanek yep and I am happy to say that project will be fully independent from rally	15:46
*** david-lyle has quit IRC		15:46
boris-42	dstanek so you don't need to make any patches in rally even if you would like to have another benchmark =)	15:46
*** david-lyle has joined #openstack-keystone		15:46
boris-42	dstanek cause waiting every time code reviews is sadness	15:47
*** mfisch has joined #openstack-keystone		15:49
*** mfisch has quit IRC		15:49
*** mfisch has joined #openstack-keystone		15:49
*** marekd is now known as marekd\|away		15:50
*** jaosorior has quit IRC		15:51
*** med_ has quit IRC		15:53
*** bach has quit IRC		15:53
*** medberry has joined #openstack-keystone		15:53
*** dims has quit IRC		15:53
dstanek	mfisch: what does your pipeline look like? you probably don't have the middleware in there	15:54
*** bach has joined #openstack-keystone		15:55
*** dims has joined #openstack-keystone		15:55
dstanek	mfisch: admin_token_auth, I believe	15:55
mfisch	dstanek: yes, I do	15:56
mfisch	I'll change the value back and show you	15:56
mfisch	dstanek: and it works fine, so I claim that token is stored somewhere else besides in memory	15:57
*** morganfainberg_Z is now known as morganfainberg		15:57
dstanek	mfisch: i think it is only in the config, but you may have to do some more debugging if it doesn't work for you	15:58
mfisch	dstanek: I'll bet you a beer in Atlanta that I'm right ;)	15:58
*** erecio_1 has joined #openstack-keystone		15:59
*** marcoemorais has joined #openstack-keystone		16:02
dstanek	mfisch: shore	16:02
dstanek	mfisch: i just changed my token in the config file, restarted and i was good to go	16:02
mfisch	dstanek: well I owe you a beer in Atlanta, its not in the DB	16:03
mfisch	dstanek: and I did too, I bet my other issue was HA related, didn't restart all nodes	16:03
dstanek	i used - keystone --os-token=token --os-endpoint http://localhost:35357/v2.0 endpoint-list	16:03
mfisch	dstanek: yep, you were right, hope you like good beer	16:04
*** vhoward has left #openstack-keystone		16:06
*** zhiyan_ is now known as zhiyan		16:08
morganfainberg	bknudson, if you're interested in oslo-meeting its in #openstack-meeting-alt now (not sure if you're interested in joining it)	16:09
bknudson	morganfainberg: I thought it was in openstack-meeting	16:09
morganfainberg	bknudson, so did I, aparantly it changed	16:10
*** ayoung_meeting is now known as ayoung		16:11
dims	y there was a request to change the time and the slot was taken	16:11
ayoung	toddnni, you get an answer yet?	16:11
dstanek	morganfainberg: hmmm...and i was lurking in #openstack-meeting wondering if i had the time wrong	16:11
*** david-lyle has quit IRC		16:12
ayoung	morganfainberg, do you understand the mapping extension? I need to test something out, and stevemar is MIA	16:12
morganfainberg	ayoung, i can try and help.	16:13
ayoung	morganfainberg, OK, so I have an apache module that, in addition to setting REMOTE_USER givres me groups and email	16:13
morganfainberg	ayoung, though i am expecting a phone call, might become MIA myself at a moment's notice	16:13
ayoung	I have a Keystone setup with LDAP	16:13
ayoung	I want to make it do mapping and externalize everything instead	16:13
*** zhiyan is now known as zhiyan_		16:14
ayoung	I assume I can't do that using an auth plugin yet, can I?	16:14
morganfainberg	ayoung, i want to say the saml plugin was the example for that	16:15
*** chandan_kumar has joined #openstack-keystone		16:15
morganfainberg	ayoung, yeah looks like the saml2 plugin leverages the federation mapping for an IDP	16:15
morganfainberg	ayoung, you could probably do something similar	16:16
ayoung	morganfainberg, right. So I need to basically munge the SAML and external plugins into a single thing...but it still needs an identity backend for groups	16:16
morganfainberg	yah	16:16
morganfainberg	that is my understanding	16:16
ayoung	and then I would need 4 mapping rules: one for REMOTE_USER->userid, REMOTE_USER->username, REMOTE_AEMAIL->email and REMOTE_GROPUS to...group assignments?	16:17
morganfainberg	hmm	16:17
morganfainberg	sec let me look at that	16:18
morganfainberg	the last one is the one i'm not sure on. it sounds right	16:18
morganfainberg	hmmm	16:19
ayoung	morganfainberg, I've been called to lunch-pickup-duty...we can pick this up after your phone call and my lunch	16:20
*** david-lyle has joined #openstack-keystone		16:20
morganfainberg	sounds good, i'll be off the phone in ~1.5hrs or so	16:20
*** leseb_ has joined #openstack-keystone		16:23
*** leseb_ has quit IRC		16:23
*** leseb has quit IRC		16:26
boris-42	morganfainberg hi one more time=)	16:32
morganfainberg	boris-42, hi there, saw your message earlier	16:32
boris-42	morganfainberg ok nice=)	16:32
*** bach has quit IRC		16:32
toddnni	ayoung: no I didn't get. I will get back to this on next week, because of the weekend. Thanks for your attention	16:32
*** david-lyle has quit IRC		16:32
*** bach has joined #openstack-keystone		16:32
morganfainberg	boris-42, i'll look over everything (and read the conv you and dstanek had earlier) in more detail when i get to the office in a little bit	16:33
morganfainberg	boris-42, thanks for getting the work done!	16:33
morganfainberg	boris-42, (i'll also review the infra patchset)	16:33
boris-42	morganfainberg after those patches only rally benchmark plugins will be missing	16:33
boris-42	morganfainberg but they should be quite soon as well	16:34
morganfainberg	boris-42, ok good to know	16:35
*** david-lyle has joined #openstack-keystone		16:42
*** harlowja_away is now known as harlowja		16:45
*** wchrisj has joined #openstack-keystone		16:46
*** wchrisj has left #openstack-keystone		16:46
openstackgerrit	Richard Megginson proposed a change to openstack/keystone: ldap/core deleteTree not always supported https://review.openstack.org/74897	16:51
*** amcrn has joined #openstack-keystone		16:54
*** chandan_kumar has quit IRC		16:54
*** bach has quit IRC		16:56
*** ericn has joined #openstack-keystone		16:58
*** bada has quit IRC		17:02
nkinder	gyee: I provided some responses to your comments in https://review.openstack.org/#/c/74897/	17:05
nkinder	gyee: let me know if you have any follow-up questions on them, and I'd be happy to discuss	17:06
*** openstackstatus has quit IRC		17:07
*** ryanpetrello has joined #openstack-keystone		17:08
ryanpetrello	anybody aware of current keystone + devstack issues related to using UUID tokens?	17:08
*** openstackstatus has joined #openstack-keystone		17:09
ryanpetrello	specifically, if I specify `KEYSTONE_TOKEN_FORMAT=UUID` in my localrc, I see keystone failing with something like this: http://screens.objects.dreamhost.com/04-25-2014-12-47-35.png	17:09
ryanpetrello	`$keystone-manage pki-setup` and restarting keystone seems to fix things	17:10
gyee	nkinder, looking	17:10
gyee	ryanpetrello, that option is deprecated, you need to change the provider if you want UUID token	17:11
ryanpetrello	I see	17:12
gyee	nkinder, I still don't understand this "'(\|(objectclass=*)(objectclass=ldapsubentry))'	17:12
nkinder	gyee: are you familiar with operational attributes?	17:12
gyee	it matching objectclass=*	17:12
gyee	that's the search filter	17:12
nkinder	gyee: it's a similar concept though	17:12
nkinder	ldapsubentry is used to crete operational entries	17:12
gyee	but that's a search filter	17:13
nkinder	that is, entries that are not returned unless you specify objectclass=ldapsubentry	17:13
gyee	nkinder, its a or ('\|') filter	17:13
nkinder	objectclass=* will not return an entry that has "objectclass: ldapsubentry"	17:13
nkinder	gyee: yes, we want all entries	17:13
gyee	objectclass=* or objectclass=ldapsubentry	17:13
gyee	so the second part seem redundant	17:14
nkinder	gyee: it wouldn't work with an &	17:14
gyee	that's my point, objectclass=* will return everything	17:14
nkinder	gyee: as I stated, "objectclass=*" will not return an entry that has the "ldapsubentry" objectclass in it	17:14
nkinder	gyee: and I'm stating that it will not	17:14
nkinder	think of ldapsubentry as hidden entries	17:15
nkinder	even objectclass=* will not return them	17:15
ryanpetrello	gyee: any idea when that devstack option was deprecated?	17:15
*** erecio_1 has quit IRC		17:15
ryanpetrello	there’s no mention of it at `http://devstack.org/lib/keystone.html`	17:15
openstackgerrit	Lance Bragstad proposed a change to openstack/keystone: Implement validation on Assignment V3 resources https://review.openstack.org/86484	17:16
nkinder	gyee: this is why I say it's like operational attributes. If you ask for all attributes to be returned with "*", you still won't get operational attributes	17:17
*** erecio has joined #openstack-keystone		17:17
nkinder	gyee: this works the same way, as "objectclass=*" won't return operational entries	17:17
gyee	nkinder, I see, trying to figure out why operation attributes are needed	17:18
nkinder	gyee: ok, so the point of this patch is to do a recursive delete of a tree with children	17:19
gyee	right, but we are talking about user or group trees	17:19
openstackgerrit	Lance Bragstad proposed a change to openstack/keystone: Implement validation on Assignment V3 resources https://review.openstack.org/86484	17:19
nkinder	gyee: how do you know someone didn't put a subentry in there?	17:19
nkinder	gyee: keystone may not have, but what if someone did that to the ldap server directly?	17:20
nkinder	gyee: the server would return an error in that case, as we'd be tryign to delete a non-leaf	17:20
nkinder	gyee: we need to make sure that we delete all children first, including subentries	17:21
*** raildo has joined #openstack-keystone		17:21
gyee	nkinder, that's fine, I would think if user want keystone to write to their LDAP, they would want to keep their hands off these subtrees	17:23
nkinder	gyee: they should, but if they don't keystone will fail.	17:23
gyee	nkinder, that's fine then, keep that code	17:24
nkinder	gyee: this is the same thing that a LDAP server will do if it supports the tree delete control	17:24
nkinder	gyee: it's really just implementing the same logic in keystone in case a server doesn't support tree delete	17:25
gyee	nkinder, I am good with that	17:25
nkinder	gyee: cool. Just wanted to explain why it is needed.	17:25
ayoung	nkinder, I need a one-word "method" to describe using external-auth + mod_identity_lookup talking SSSD.	17:26
nkinder	bob	17:26
ayoung	I was thinking maybe sssd, but not sure that is really clear or the heart of it	17:26
ayoung	dbus?	17:26
nkinder	that seems more confusing than sssd	17:27
ayoung	the whole thing is an acronym soup	17:27
nkinder	is this for a config setting or something?	17:27
ayoung	I'm trying to remove LDAP from Keystone	17:27
ayoung	direct LDAP access	17:28
ayoung	I spent some time with Jan this morning getting a server up and running where I can get env vars from IPA using mod_id_lookup	17:28
ayoung	and I think I can use the Current SAML2 code as is	17:29
nkinder	ayoung: I know what you are trying to do, but I'm wondering where the "method" name is being used	17:29
ayoung	I want to keep Kerberos working, and that is sitting on "external" until I get this working	17:29
ayoung	I might just call is saml as that lets me use the existing plugin. There is nothing saml about the plugin	17:30
ayoung	http://git.openstack.org/cgit/openstack/keystone/tree/keystone/auth/plugins/saml2.py	17:30
nkinder	ayoung: what is the name going to be for? A plug-in name?	17:31
ayoung	If I understand it correctly, I should be able to set up some mapping values for REMOTE_USER and REMOTE_GROUPS	17:31
ayoung	nkinder, yeah.	17:31
gyee	nkinder, I am just about to +2 the patch, but what about bknudson's comments?	17:32
ayoung	nkinder, Heh, I was the one that protested against "federated"	17:32
gyee	nkinder, he mentioned the reverse won't help	17:32
nkinder	gyee: not sure, richm? ^^^	17:32
richm	I suppose it is theoretically possible that an ldap search may return entries that are not in child -> parent order	17:33
richm	however - every ldap delete tool I have ever seen assumes this order	17:33
richm	including openldap ldapdelete, which is arguably the most ldap compliant tool	17:34
gyee	ryanpetrello, I see this	17:34
gyee	if [[ "$KEYSTONE_TOKEN_FORMAT" = "UUID" ]]; then	17:34
gyee	iniset $KEYSTONE_CONF token provider keystone.token.providers.uuid.Provider	17:34
gyee	fi	17:34
richm	another way to say it - if an ldapsearch does not return entries in child->parent order, then many, many ldap tools will be broken as a result	17:34
richm	if keystone does run into some ldap server that does not support subtree delete by deleting the entries in the reverse order as returned by ldap search, then there are probably going to be other problems with keystone support for that ldap server	17:35
ryanpetrello	gyee: and that seems to be working as expected, the keystone.conf that’s generated uses the uuid provider	17:36
ryanpetrello	but when keystone starts, it still fails on my aforementioned `unable to load certificate` exception	17:36
ryanpetrello	(http://screens.objects.dreamhost.com/04-25-2014-12-47-35.png)	17:36
gyee	ryanpetrello, can you file a bug?	17:37
gyee	richm, are you aware of any LDAP server which does not support subtree delete?	17:38
*** morganfainberg is now known as morganfainberg_Z		17:39
gyee	nm, openldap	17:40
richm	openldap, 389/rhds, SunDS (certain versions), not sure about apache DS, opendj	17:41
ryanpetrello	gyee: doing so	17:41
richm	gyee: I think it will be quite uncommon to find an ldap server that does support the subtree delete control, other than AD	17:42
nkinder	ayoung: "external" seems most appropriate	17:45
nkinder	ayoung: keystone doesn't know what is being used really, just that the webserver is providing the info from some external source	17:46
ayoung	nkinder, yeah. Actually, I was going enven further and trying to avoid putting any value into "methods"	17:47
ryanpetrello	gyee: okay, filed: https://bugs.launchpad.net/keystone/+bug/1312858, thanks	17:50
uvirtbot	Launchpad bug 1312858 in keystone "Keystone + Devstack fail when KEYSTONE_TOKEN_FORMAT=UUID" [Undecided,New]	17:50
ayoung	Premature end of script headers: main	18:05
*** bach has joined #openstack-keystone		18:06
ayoung	that sounds like the "too big service catalog problem", right?	18:06
*** praneshp has joined #openstack-keystone		18:10
*** morganfainberg_Z is now known as morganfainberg		18:12
*** bach has quit IRC		18:12
*** bach has joined #openstack-keystone		18:15
*** dstanek is now known as dstanek_zzz		18:15
morganfainberg	ayoung, ok i'm in the office now	18:15
ayoung	morganfainberg, and I have managed to torque up my system. Its an old devstack that I was updating	18:16
morganfainberg	ayoung, ah.	18:16
ayoung	and I need to get the python-keystoneclient in the right state:	18:16
ayoung	{"error": {"message": "cms_hash_token() got an unexpected keyword argument 'mode'", "code": 400, "title": "Bad Request"}}[ayoung@ayoung530 scripts]$	18:16
morganfainberg	ayoung, ick	18:16
ayoung	morganfainberg, nah, just an old client	18:16
ayoung	does devstack pip install the client?	18:16
morganfainberg	ayoung, it should	18:17
morganfainberg	but if the version is already satisfied....	18:17
*** dstanek_zzz is now known as dstanek		18:19
*** gokrokve has quit IRC		18:19
*** gokrokve has joined #openstack-keystone		18:20
ayoung	morganfainberg, nah, I just need to git fetch and rebase on the RIGHT machine	18:20
ayoung	now I get	18:20
ayoung	[Fri Apr 25 18:14:05.271413 2014] [:error] [pid 3907] [remote 10.10.63.250:52064] File "/var/www/cgi-bin/keystone/main", line 51, in <module>	18:20
ayoung	[Fri Apr 25 18:14:05.271501 2014] [:error] [pid 3907] [remote 10.10.63.250:52064] drivers = service.load_backends()	18:20
morganfainberg	ah	18:20
ayoung	what did we do?	18:20
morganfainberg	thats odd...	18:21
morganfainberg	oh	18:21
morganfainberg	we need to exercise the mod_wsgi scripts, i think this was the fix to isolate the backend loading	18:21
* morganfainberg looks		18:22
*** amcrn has quit IRC		18:22
morganfainberg	ayoung, i'll start working on getting apache test in check (perhaps just a simple tempest run that does keystone apache deploy) [non vote to start]	18:22
ayoung	Oh yes	18:22
morganfainberg	we need to exercise this stuff on each commit. i'll do that this weekend	18:23
ayoung	can we dothat and LDAP in one fell poop?	18:23
morganfainberg	ayoung, hm. sure i can do both.	18:24
*** gokrokve has quit IRC		18:24
morganfainberg	though i think i'd rather those be separate if we can afford it.	18:24
morganfainberg	but i can propose both easily	18:25
ayoung	morganfainberg, and we can run the scripts in keystoneclient/examples/scripts!	18:25
morganfainberg	aha! good plan!	18:25
morganfainberg	:)	18:25
morganfainberg	that'll make everyone happier.	18:25
morganfainberg	examples that are maintained... whoa.. is that allowed?	18:26
morganfainberg	:P	18:26
morganfainberg	i also want to convert keystone-all and keystone-manage to using the entry-point logic to generate the scripts instead of having separate code for it	18:27
morganfainberg	so all the cli code is fully in tree vs. in like /bin	18:27
ayoung	morganfainberg, wrong error message:	18:28
ayoung	[Fri Apr 25 18:28:14.775659 2014] [:error] [pid 5075] [remote 10.10.63.250:2982] mod_wsgi (pid=5075): Exception occurred processing WSGI script '/var/www/cgi-bin/keystone/main'.	18:28
ayoung	[Fri Apr 25 18:28:14.775801 2014] [:error] [pid 5075] [remote 10.10.63.250:2982] TypeError: expected byte string object for header value, value of type unicode found	18:28
morganfainberg	blink wiat what?	18:28
morganfainberg	erm. something is wonky	18:29
ayoung	wonder if that is due to my recent cms change?	18:30
morganfainberg	that is a very non-helpful message.	18:30
morganfainberg	that looks like it.	18:30
morganfainberg	but it's odd, in py27 it should still be a byte_str	18:30
ayoung	unicode	18:31
ayoung	utf-8 vs ascii?	18:31
ayoung	for encoding?	18:31
morganfainberg	yeah but...	18:32
morganfainberg	a utf8 encode of ascii text should stay bytestr iirc	18:32
morganfainberg	maybe not.	18:32
morganfainberg	i greatly dislike text vs bytestr in py27	18:33
morganfainberg	can we move to py33 yet? :P	18:33
ayoung	lets get the best of both worlds and do BOTH!	18:34
ayoung	and py2.6	18:34
morganfainberg	ayoung, hehe	18:37
morganfainberg	how far into RHEL7 are we going to need to wait to drop py27 support in OpenStack?	18:37
ayoung	https://groups.google.com/forum/#!topic/modwsgi/HvD3TJbUkTc	18:38
ayoung	morganfainberg, I don't think it is RHEL7 dependent. I think software collections means we should be able to do it now.	18:38
morganfainberg	ayoung, does 6 support software collections well?	18:39
ayoung	yes	18:39
morganfainberg	i thought 6 was limited in that regard	18:39
morganfainberg	oh cool.	18:39
morganfainberg	well, prob a cycle or two then.	18:39
ayoung	http://developerblog.redhat.com/2013/09/12/rhscl1-ga/	18:39
ayoung	Yeah, but for Juno it should be a no-brainer	18:39
morganfainberg	awesome	18:39
morganfainberg	my guess is K at the earliest	18:40
ayoung	what about Ubuntu?	18:40
morganfainberg	juno will move that direction	18:40
morganfainberg	hm. i think ubuntu has py33 runtimes	18:40
morganfainberg	12.04 and 14.04 are the only ones that really matter as of ~november	18:41
morganfainberg	right now 13.10 is still relevant	18:41
ayoung	we just need a story about how to run on py33 Ubuntu, doesn't need to be default python	18:48
ayoung	but we have this Eventlet Anchor	18:48
*** praneshp has quit IRC		18:49
*** gokrokve has joined #openstack-keystone		18:50
morganfainberg	this is such a strange problem...	18:54
morganfainberg	on os x this regex '.*pot?' doesn't match the .po files	18:54
morganfainberg	in find	18:54
morganfainberg	oh sorry .*\.pot?	18:54
morganfainberg	but .\.pot does match	18:55
morganfainberg	the regex doc doesn't indicate the ? shouldn't work	18:55
*** thiagop has quit IRC		18:58
*** bvandenh has quit IRC		19:04
ayoung	morganfainberg, so do I fix the server or do I fix the cms code?	19:11
ayoung	I'm guessing the server	19:11
morganfainberg	ayoung, well.	19:11
ayoung	I think in the middleware that sets the token I need to say	19:11
morganfainberg	it depends on where the issue actually is	19:11
ayoung	morganfainberg, I'm guessing that the context type encoding defaults to ascii	19:12
ayoung	and we need to say "utf-8"	19:12
morganfainberg	it might make sense to fix this in cms	19:12
ayoung	"Content-type:	19:12
ayoung	application/xml; charset=utf-8",	19:12
morganfainberg	would someone else consuming this code be surprised by this behavior?	19:12
morganfainberg	ah oh then	19:13
morganfainberg	yeah fix the middleware :)	19:13
ayoung	or json in our case	19:13
morganfainberg	as long as we don't surprise people it should be all good	19:13
openstackgerrit	A change was merged to openstack/keystone: Fix the "search for sql.py" files for db models https://review.openstack.org/90173	19:16
ayoung	morganfainberg, It looks like Headers can't be anything but ASCII	19:20
morganfainberg	ayoung, well then. i think that answers our question.	19:20
ayoung	might need to fix this in the client	19:20
morganfainberg	ayoung, HTTP/2.0 amidoingitrite?	19:20
morganfainberg	ayoung, yeah :(	19:20
*** ryanpetrello has left #openstack-keystone		19:31
*** vhoward has joined #openstack-keystone		19:32
bknudson	so auth_token gets a UUID token	19:35
bknudson	and with the recent change to check all tokens against revocation list	19:35
bknudson	the server tries to get the revocation list	19:35
bknudson	I mean the auth_token middleware tries to get the revocation list	19:35
*** joesavak has quit IRC		19:35
bknudson	but I haven't set up the PKI certs because I'm using UUID	19:36
bknudson	should I have to set up the PKI certs if I'm using UUID?	19:36
ayoung	morganfainberg, so..converting all of the calls to 'ascii' made no difference?	19:37
morganfainberg	ayoung, you're somehow decoding something to unicode, hmm.	19:37
morganfainberg	ayoung, this is odd.	19:37
ayoung	hmmm....UUID tokens should never trigger a fetch of the revocation list	19:37
ayoung	bknudson, bt maybe with the cached check...there is no way to tell the difference?	19:38
ayoung	yeah... bknudson its due to the cache check.	19:38
ayoung	morganfainberg, OK, I can put a debug log statement in the wsgi keystone.py file	19:39
ayoung	what should I look for?	19:39
bknudson	I assume the revocation list is signed with the PKI cert so that's why we need the PKI cert	19:39
morganfainberg	you probably need to look at the %r of the headers	19:39
morganfainberg	before we try and decode them	19:40
ayoung	actually its in wsgi.py.	19:40
morganfainberg	see which header is ... wonky	19:40
morganfainberg	ayoung, uhm.. do we know what line is raising that exception?	19:41
ayoung	morganfainberg, nope	19:41
ayoung	its in the exchange between wsgi and mod_wsgi	19:41
*** derek_c has joined #openstack-keystone		19:42
ayoung	mod_wsgi is parsing the headers it gets on the outgoing response	19:42
morganfainberg	oh this is an outgoing header issue?	19:42
morganfainberg	i was thinking incoming	19:42
morganfainberg	hm. i wonder if this is an issue in our debug middleware	19:43
morganfainberg	ayoung, https://github.com/openstack/keystone/blob/master/keystone/common/wsgi.py#L433 might be the culprit here	19:44
ayoung	doesn't look like it, and It might help me out....let me see	19:45
ayoung	morganfainberg, that filter is not in my pipeline...but I'ma add it	19:45
morganfainberg	cool	19:46
morganfainberg	hopefully that helps out	19:46
morganfainberg	if not i can try and duplicate you env and see if i can dig anything up here	19:46
* morganfainberg is just looking at code atm vs running it		19:46
morganfainberg	let me know if you want me to set it all up	19:46
*** harlowja is now known as harlowja_away		19:49
*** shakamunyi has quit IRC		19:50
*** marcoemorais has quit IRC		19:51
*** browne1 has joined #openstack-keystone		19:56
*** browne2 has joined #openstack-keystone		20:00
*** browne has quit IRC		20:00
*** browne1 has quit IRC		20:00
richm	trying to debug some code with python -m pdb - n works, c works, b works, l works, etc. But s(tep) does not work - it does a continue instead - has anyone seen this before? How do I get step to actually step and not continue?	20:01
ayoung	morganfainberg, its def the token	20:02
ayoung	+ for header in headers:	20:02
ayoung	+ LOG.debug('%s:%s ', header[1], type(header[1]))	20:03
ayoung	richm, yep	20:03
ayoung	when you run, you need to turn of eventlets threading	20:03
ayoung	this Keystone? run wiht	20:03
ayoung	--standard-threads	20:03
richm	nova, actually, but I figured it would apply to all openstack projects - I had a feeling it had something to do with monkey patching	20:03
nkinder	ah, that explains why step always works for me. I have always used --standard-threads	20:03
ayoung	richm, not sure if nova support --standard-threads	20:04
richm	will find out	20:04
ayoung	but if they are now monkey-patching Thread, they will need it	20:04
ayoung	and monkeypatch of thread is needed for memcached	20:04
*** mat-lowery has left #openstack-keystone		20:04
ayoung	richm, you can always hack it where they call monkeypatch and modify it to not patch thread if necessary...as ugly as that sounds	20:05
richm	no, nova does not support --standard-threads	20:08
*** harlowja_away is now known as harlowja		20:09
*** praneshp has joined #openstack-keystone		20:09
*** marcoemorais has joined #openstack-keystone		20:09
*** marcoemorais has quit IRC		20:10
nkinder	richm: this might help - https://ask.openstack.org/en/question/815/how-do-i-debug-nova-service-with-eclipse-and-pydev/	20:11
*** marcoemorais has joined #openstack-keystone		20:11
richm	thanks	20:13
*** bach has quit IRC		20:17
boris-42	morganfainberg hey	20:18
boris-42	morganfainberg http://logs.openstack.org/48/90248/5/check/check-rally-dsvm-rally/f099cfd/rally-plot/results.html.gz	20:18
boris-42	morganfainberg 100 concurrency too much for gates	20:19
ayoung	morganfainberg, to add some mystery to this mystery, it only happend for V3 tokens	20:20
ayoung	V2 works fine, but I don't think v2 puts the token in a header	20:20
morganfainberg	boris-42, interesting, not surprising though, that is a single-threaded keystone (eventlet)	20:21
boris-42	morganfainberg so why we don't use in gates by default something more production?	20:21
morganfainberg	ayoung, blink what are we doing differently with v3	20:21
ayoung	boris-42, becasue the world is resistant to change. I've been pushing HTTPD for two years now....	20:21
ayoung	morganfainberg, the token comes back not in a header	20:22
ayoung	body can be unicode, just not header	20:22
morganfainberg	ayoung, ooooooh	20:22
morganfainberg	ayoung, but still.	20:22
boris-42	I mean probably APACHE_ENABLED_SERVICES+=keystone,	20:22
boris-42	^ will help us	20:22
nkinder	ayoung: is there some reason HTTPD couldn't be used in the gates?	20:22
morganfainberg	boris-42, it's there, there are some things we need to make sure are merged before we do that	20:22
morganfainberg	boris-42, i think...	20:22
morganfainberg	ayoung, nkinder, i think we were having an issue with token size still..now it might be ok	20:23
boris-42	morganfainberg for example?	20:23
morganfainberg	boris-42, ^ the tokens size was an issue.	20:23
morganfainberg	boris-42, i think we've solved that.	20:23
morganfainberg	boris-42, this weekend i'll be proposing the changes to make sure we use httpd at (the very least) in a check gate if not make it the default gate deploy option	20:24
boris-42	morganfainberg okay that will be nice	20:24
morganfainberg	boris-42, there is likely some minor work that needs to be done, but it should be straightforward to make that the default.	20:24
nkinder	ok, so it's just a real bug/issue and not "thou must use eventlet" thing	20:24
ayoung	morganfainberg, ok....it just got weird	20:24
morganfainberg	nkinder, yes. it has been that way for a bit	20:24
nkinder	morganfainberg: ++ on proposing the changes!	20:25
ayoung	running from HTTPD the type is shown to be unicode, but on my home machine in PyCHarm it shows as str	20:25
* ayoung going to start drinking soon		20:25
morganfainberg	nkinder, i think i'm going to do a non-voting check for a hsort bit before we move to the default, and then ensure we still do a gate on eventlet	20:25
nkinder	ayoung: it IS friday	20:25
morganfainberg	ayoung, ... that is bizzare	20:25
morganfainberg	ayoung, wait... json.loads	20:25
morganfainberg	ayoung, that does unicode magic stuffs	20:25
morganfainberg	ayoung, could that be getting in the way somehow?	20:26
nkinder	morganfainberg: are you going to be in Atlanta?	20:26
morganfainberg	nkinder, absolutely!	20:26
*** daneyon has joined #openstack-keystone		20:26
nkinder	awesome! Are all (or most) of the keystone regulars going?	20:26
morganfainberg	nkinder, as far as i know, yes.	20:26
nkinder	I'm looking forward to putting faces to names	20:27
morganfainberg	nkinder, even some of the folks that missed HK summit.	20:27
*** daneyon has quit IRC		20:27
morganfainberg	nkinder, yeah it's great to meetup in person.	20:27
*** daneyon has joined #openstack-keystone		20:27
ayoung	nkinder, "I'm looking forward to putting faces to name" I still have no idea what you look like.	20:28
nkinder	ayoung: I'll have to have a conversation with you before letting you know who I am... :)	20:28
ayoung	HA!	20:28
*** thedodd has quit IRC		20:29
*** stevemar has joined #openstack-keystone		20:31
*** gokrokve has quit IRC		20:31
openstackgerrit	Richard Megginson proposed a change to openstack/keystone: better handling for empty/None ldap values https://review.openstack.org/76002	20:33
ayoung	https://twitter.com/nathan_kinder	20:35
marekd\|away	ayoung: started googling for nkinder, but he didn't publish his photo on linkedin :P	20:36
ayoung	marekd\|away, nor on the internal Roster, either	20:36
nkinder	marekd\|away: yeah, no particiular reason other than I don't have a decent/recent pic.	20:37
nkinder	ayoung: never used twitter	20:38
ayoung	morganfainberg, AHA. Local keystone debugging not using git version of python-keystoneclient, but rather installed	20:38
ayoung	ok...how do I install git version in my tox environ?	20:38
ayoung	I've got venv activated....	20:38
marekd\|away	i am guessing the bigger topic for ATL sumit will be 'nkinder hunting :P	20:38
marekd\|away	biggest*	20:38
*** marekd\|away is now known as marekd		20:39
nkinder	it's like where's waldo	20:39
ayoung	nah...I know people that know what he looks like that will be there	20:39
ayoung	so unless he can swear them all to secrecy.	20:39
ayoung	3 people can keep a secret...if you off two of them.	20:39
marekd	dstanek: Hello! Did you have any chance to take a look at my email concerning apache/wsgi regexes?	20:40
marekd	ayoung: ++	20:40
ayoung	morganfainberg, if I do this: cd /opt/stakc/keystone; . .tox/py27/bin/activate ; cd /opt/stack/python-keystoneclient ; python ./setup.py install	20:41
ayoung	do I get my git version of the client in my repo?	20:41
ayoung	er venv?	20:41
ayoung	yes, yes I do!	20:41
ayoung	PcLAxZ5fM=:<type 'unicode'>	20:42
*** joesavak has joined #openstack-keystone		20:42
openstackgerrit	Diane Fleming proposed a change to openstack/identity-api: Update KSADM extension for Identity v2.0 https://review.openstack.org/90468	20:42
ayoung	Who is Diane Fleming, and how do we thank her for that?	20:43
openstackgerrit	A change was merged to openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/89245	20:44
openstackgerrit	A change was merged to openstack/keystone: Add localized response test https://review.openstack.org/70610	20:44
openstackgerrit	A change was merged to openstack/keystone: Removed duplication with list_user_ids_for_project https://review.openstack.org/88621	20:44
openstackgerrit	A change was merged to openstack/keystone: Sync with oslo-incubator 74ae271 https://review.openstack.org/87980	20:44
*** openstackstatus has quit IRC		20:45
*** marcoemorais has quit IRC		20:46
dstanek	marekd: i did see it, but i haven't had a chance to replicate and hack on it	20:46
dstanek	marekd: i'll do that tonight and get back to you with an answer hopefully	20:46
morganfainberg	ayoung, diane flemming is a doc person i think	20:46
*** openstackstatus has joined #openstack-keystone		20:46
marekd	dstanek: hey, take your time. I was just wondering if you have a quick fix for it or not :-)	20:47
marekd	dstanek: and thanks!	20:47
dstanek	marekd: i think it will likely be quick once i get it setup - i'll keep you posted	20:47
*** marcoemorais has joined #openstack-keystone		20:47
marekd	dstanek: would be cool!	20:47
morganfainberg	ayoung, how the heck does that end up being type unicode?	20:48
morganfainberg	ayoung, oh oh i see	20:48
morganfainberg	ayoung, installed vs non-installed	20:48
ayoung	morganfainberg, so even if I encode('ascii') it becomes unicode...need to convert that to a string	20:49
boris-42	morganfainberg actually good new seems like that we don't have any issues with tenants list command	20:50
boris-42	news*	20:50
morganfainberg	boris-42, that is good news!	20:50
boris-42	morganfainberg it works perfect	20:50
*** openstackstatus has quit IRC		20:50
*** raildo has quit IRC		20:50
boris-42	morganfainberg but with creating tenants something weird is happening =)	20:50
*** openstackstatus has joined #openstack-keystone		20:51
morganfainberg	boris-42, ok so something we need to get fixed	20:52
boris-42	morganfainberg yep but it will be nice to get infra guys=)	20:52
boris-42	morganfainberg to merge patch to add rally job in keystone	20:52
boris-42	morganfainberg cause I am paling from rally https://review.openstack.org/#/c/90248/	20:52
boris-42	playing*	20:53
boris-42	morganfainberg so it's impossible to test together with patch	20:53
openstackgerrit	Brant Knudson proposed a change to openstack/python-keystoneclient: auth_token allow initial check of revocation list to fail https://review.openstack.org/90472	20:53
ayoung	morganfainberg, w00t!	20:54
morganfainberg	ayoung, got it?	20:54
ayoung	morganfainberg, http://paste.fedoraproject.org/97074/98459265/	20:54
morganfainberg	ayoung, stupid question, does that break py33	20:55
morganfainberg	ayoung, str != bytes in py33 remember	20:55
*** gokrokve has joined #openstack-keystone		20:56
dhellmann	morganfainberg: that change for the tests loading their plugins fixed my internal packaging build, thanks!	20:56
*** jsavak has joined #openstack-keystone		20:56
morganfainberg	dhellmann, np!	20:56
*** ChanServ sets mode: +v openstackstatus		20:56
*** marekd is now known as marekd\|away		20:56
*** rodrigods has quit IRC		20:58
-openstackstatus- NOTICE: Gerrit will be unavailable for a few hours starting at 1600 UTC on Monday April 28th for an upgrade. See https://wiki.openstack.org/wiki/GerritUpgrade		20:59
*** marcoemorais has quit IRC		20:59
*** joesavak has quit IRC		20:59
ayoung	morganfainberg, doesn't matter	21:00
ayoung	this is in server	21:00
*** marcoemorais has joined #openstack-keystone		21:01
*** marcoemorais has quit IRC		21:02
*** marcoemorais has joined #openstack-keystone		21:03
openstackgerrit	ayoung proposed a change to openstack/keystone: Ensure token is a string https://review.openstack.org/90476	21:04
*** jaosorior has joined #openstack-keystone		21:05
jaosorior	Hi, how do I get Jenkins to recheck my patch?	21:05
boris-42	jaosorior recheck no bug	21:05
jaosorior	It didn't fail in the first run, but now one test failed, for some reason	21:05
openstackgerrit	ayoung proposed a change to openstack/keystone: Ensure token is a string https://review.openstack.org/90476	21:05
boris-42	jaosorior ^ in review type	21:06
jaosorior	thanks man	21:06
*** browne2 has quit IRC		21:07
*** bach has joined #openstack-keystone		21:08
*** bach has quit IRC		21:08
*** daneyon has quit IRC		21:10
*** derek_c has quit IRC		21:11
*** topol has quit IRC		21:14
*** erecio has quit IRC		21:15
*** thedodd has joined #openstack-keystone		21:19
*** derek_c has joined #openstack-keystone		21:30
*** dstanek is now known as dstanek_zzz		21:45
*** browne has joined #openstack-keystone		21:51
*** browne has quit IRC		21:51
*** browne has joined #openstack-keystone		21:52
*** amcrn has joined #openstack-keystone		21:53
*** bach has joined #openstack-keystone		21:53
openstackgerrit	Brant Knudson proposed a change to openstack/python-keystoneclient: auth_token allow initial check of revocation list to fail https://review.openstack.org/90472	21:55
*** browne1 has joined #openstack-keystone		22:02
*** jsavak has quit IRC		22:03
*** browne has quit IRC		22:05
*** thedodd has quit IRC		22:31
*** gokrokve has quit IRC		22:33
*** david-lyle has quit IRC		22:36
*** derek_c has quit IRC		22:37
*** daneyon has joined #openstack-keystone		22:37
*** gokrokve has joined #openstack-keystone		22:53
*** marcoemorais has quit IRC		22:58
*** marcoemorais has joined #openstack-keystone		23:00
*** bach has quit IRC		23:06
*** jaosorior has quit IRC		23:11
*** derek_c has joined #openstack-keystone		23:12
*** bach has joined #openstack-keystone		23:13
*** daneyon has quit IRC		23:13
*** gokrokve_ has joined #openstack-keystone		23:15
*** gokrokve has quit IRC		23:18
*** bach has quit IRC		23:23
*** leseb has joined #openstack-keystone		23:24
openstackgerrit	ayoung proposed a change to openstack/keystone: Ensure token is a string https://review.openstack.org/90476	23:37
*** dims has quit IRC		23:39
morganfainberg	ayoung, i'm not sure mod_wsgi is throwing that error. i'm curious it looks awefully pythonic for an apache error	23:40
morganfainberg	ayoung, not saying your fix doesn't solve it, but curious where it's actually coming from	23:40
ayoung	morganfainberg, its def mod_wsgi	23:40
ayoung	there are two log files	23:40
ayoung	one is /var/log/httpd/error_log	23:40
ayoung	the other is /var/log/keystone/keystone.log	23:40
ayoung	it comes from the first	23:40
morganfainberg	i mean the TypeError and the fact it's looking for a byte_string	23:41
morganfainberg	mod_wsgi isn't mod_python.	23:41
ayoung	I realize	23:41
ayoung	but I am guessing the wsgi marshalls unicode differently than strings	23:41
morganfainberg	maybe.. might also be an artifact in deploy	23:42
ayoung	and mod_wsgi can tell the difference	23:42
morganfainberg	i think it's probably hiding below the level we interface in keystone. i'm just curious about the error. thats all	23:42
ayoung	If the error were in Keystone I would see a trace in /var/log/keystone/keystone.log but that is just fine. No this is it.	23:43
morganfainberg	ah right	23:43
morganfainberg	exception would be trapped earlier right	23:44
*** dims has joined #openstack-keystone		23:51
*** shakamunyi has joined #openstack-keystone		23:55

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!