Tuesday, 2014-04-29

« Monday, 2014-04-28 Index Wednesday, 2014-04-30 »
*** doddstack has quit IRC00:00
*** derek_c has quit IRC00:02
morganfainbergjamielennox, i'm going to be making a global "turn all mod_wsgi capable services on under httpd" option in devstack00:14
*** gokrokve has joined #openstack-keystone00:14
jamielennoxmorganfainberg: yea, i saw the comment on the review - seems like a good idea00:14
morganfainbergjamielennox, i think i'm going to fix the is_apache_enabled_service method to return true if a certain variable is set00:15
morganfainbergjamielennox, prob. the easiest approach00:16
jamielennoxmorganfainberg: as opposed to?00:16
jamielennoxoh, rather that APACHE_ENABLED_SERVICES=key,...00:16
morganfainbergyep00:16
jamielennoxi did it that way because it tied in with the existing approach - i have no attachment00:16
morganfainberglike ENABLE_APACHE_MOD_WSGI_SERVICES00:16
morganfainbergor something00:16
jamielennoxmorganfainberg: the way i saw that going was00:17
jamielennoxif ENABLE_APACHE_MOD_WSGI_SERVICES; then00:17
jamielennox    APACHE_ENABLED_SERVICES=key,swift,...00:17
jamielennoxfi00:17
jamielennoxof += i guess00:17
jamielennoxor00:17
morganfainbergnah,00:17
jamielennoxwhy rule out people wanting to deploy keystone that way and not swift?00:18
morganfainbergif ENABLE_APACHE_MOD_WSGI_SERVICES; then true else <current logic>00:18
morganfainbergso you either get all services under mod_wsgi, or you specify the ones you want in APACHE_ENABLED_SERVICES00:18
jamielennoxmorganfainberg: oh, you'll keep both?00:18
morganfainbergjamielennox, yes00:19
jamielennoxoh, i see what you mean00:19
*** gokrokve has quit IRC00:19
morganfainbergjamielennox, i can see a case you don't want swift under apache... or <new cool service>00:19
jamielennoxi thought you were just going to replace the whole check with a global true/false00:19
morganfainbergnah.00:19
jamielennoxmorganfainberg: well either way works00:20
morganfainbergdon't want to take granularity out00:20
morganfainbergbut, there is no real benefit to doing a complex test matrix (at this point) of apache / non-apache services00:20
jamielennoxthe downside would be nova could get a is_apache_enabled_service == true - but if they are checking that then they should be using it correctly00:20
jamielennoxmorganfainberg: no, not for gate - i was thinking people using devstack individually00:21
morganfainbergright.00:21
morganfainbergthey should follow the same mechanism as previous (swift keystone) mechanisms00:21
morganfainbergif is_apache_enabled_service <service>00:21
morganfainbergand get a true/false back00:21
morganfainbergnot expect... something else00:21
jamielennoxok, that's cool and makes sense00:22
jamielennoxi'd love to see it in the gate00:22
jamielennoxthough i know my keystone SSL stuff in devstack doesn't work with apache00:23
morganfainbergi'm hoping to have this ready for a non-vote check this week00:23
morganfainbergplans to make it gate this cycle00:23
jamielennoxmorganfainberg: ++ then start converting other services00:24
morganfainbergwell more to the point, make it the default deployment for keystone00:24
morganfainbergexactly!00:24
jamielennoxthough i think we should start by fixing up out own wsgi script00:24
jamielennoxsymlinking the script and checking the name is a little odd if we want to make this the default00:24
morganfainbergthat is part of why we do non-vote check00:24
morganfainbergalso want to deploy shared on port 80/44300:24
morganfainbergso there is more work to be done in devstack as well00:24
jamielennoxmorganfainberg: i'll be honest i don't care about 80/443 at all00:24
morganfainbergwe do because of ephemeral port issues00:25
stevemarbknudson, thanks for the review again00:25
morganfainberg5000 isn't our port, and 35357 is .. a conflict between linux and IANA00:25
morganfainbergso, eliminate the issue.00:25
jamielennoxmorganfainberg: i think we ditch the IANA port00:33
jamielennoxnobody knows what it is anyway because it's supposed to be private and returned by the service catalog00:34
jamielennoxanyone using 35357 directly is trying to do weird things with auth and should stop00:34
jamielennoxi don't think we eliminate the issue at all by moving to 44300:34
morganfainbergjamielennox, i agree, but we have work to do to get there00:35
*** browne has quit IRC00:35
jamielennoxmorganfainberg: absolutely - my point was i don't think moving to 443 is solving that issue at all00:35
morganfainbergjamielennox, well.. it's not that someone is using 35357 directly00:36
jamielennoxand there is ~zero other benefit i see00:36
morganfainbergjamielennox, it's that some other service could be using it and prevents keystone from starting00:36
morganfainbergsomething = anything using an ephemeral port under the default config of linux00:37
morganfainbergjamielennox, so it does solve the problem, it means using mod_wsgi and HTTP's port(s) we avoid keystone not starting because something claimed our port00:37
morganfainbergjamielennox, nothing (but httpd/web servers) should be on 80 or 44300:38
jamielennoxmorganfainberg: but again that's a 35357 issue - yes we should absolutey ditch that port, but people know and use :5000 and i don't mind keeping that one00:39
morganfainbergjamielennox, we don't own that port.00:39
morganfainbergjamielennox, there is a legitimate service that owns it00:39
jamielennoxmorganfainberg: and?00:40
morganfainbergwhatever "commplex-main      5000        tcp" is00:40
jamielennoxif they are running it on the same box as keystone that's an obvious issue00:40
jamielennoxbut i think "don't do that" is good advice for that situation00:40
jamielennoxwireshark is the only thing i can think of that may get confused00:41
morganfainbergjamielennox, i think we just have a difference of opinion here.00:41
morganfainbergjamielennox, i disagree with co-opting a port for arguably the one service in OpenStack that needs a well defined port (the rest can come from the catalog)00:42
jamielennoxmorganfainberg: fair00:42
jamielennoxmorganfainberg: i think running things on /identity is a hack00:42
jamielennoxif you are going to run on 443 you should own the service00:43
morganfainbergjamielennox, i would prefer to run /identity /compute /storage00:43
morganfainbergetc00:43
morganfainbergor openstack/identity openstack/compute etc00:43
jamielennoxOS_AUTH_URL=https://keystone.company.com00:43
jamielennoxlove it https=no need for port numbers00:43
ayoungstevemar, looks like the separator character is configuratble  in mod_lookup_identity,  so I'm good.00:43
morganfainbergjamielennox, doesn't mean i wouldn't run under httpd.00:44
stevemarayoung, awesome, i was hoping thats the case!00:44
jamielennoxmorganfainberg: right you can do vhosts etc - though i did start having trouble last time i tried that00:44
morganfainbergjamielennox, (actually i want to allow for a DNS serve record lookup)00:44
ayoungstevemar, so what mapping do I use to say "just accept this as a list of groups?"00:44
jamielennoxapache doesn't share python interpretters as well as you'd tink00:44
morganfainbergjamielennox, vhosts aren't an issue, sharing a default (ip) vhost is.00:44
ayoungstevemar, I assume I need to have the groups in the local IdP as well?00:44
morganfainbergjamielennox, mod_wsgi is good about not colliding them if the vhosts are really separate00:45
ayounger...identity backend00:45
jamielennoxmorganfainberg: DNS is a nice idea, but all it gives you is an IP00:45
morganfainbergjamielennox, and port.00:45
morganfainbergjamielennox, serve (txt) record00:45
stevemarayoung, yes, the local groups must already exist in the identity backend00:45
jamielennoxmorganfainberg: dns will give you a port?00:45
morganfainbergsorry SRV record00:45
ayoungstevemar, I can work with that...what's the magic for the rule?00:45
morganfainbergjamielennox, http://en.wikipedia.org/wiki/SRV_record00:45
stevemarand you have to create a basic mapping rule, let me send you an example00:46
jamielennoxmorganfainberg: huh - i stand corrected00:46
jamielennoxcan you make it indicate http/s00:46
jamielennoxonly 80 vs 443 i guess00:46
morganfainbergjamielennox, _identity._https.<company>.com ?00:47
morganfainbergencode the information in the name.00:47
jamielennoxmorganfainberg: right but that's another lookup right?00:47
jamielennoxas in you query for _http and then for _https if not found00:47
jamielennox(reverse the order)00:47
morganfainbergjamielennox, well, perhaps you could do something about it00:48
morganfainberg*shrug*00:48
morganfainbergjamielennox, or use TLS instead of SSL, so you can negotiate00:48
jamielennoxbecause we still have the problem there with determining a path from that root00:48
morganfainbergjamielennox, not sure how well apache supports that00:48
morganfainbergjamielennox, but interesting idea00:48
morganfainbergjamielennox, well in the case of the SRV record you'd assume you own the whole VHOST00:49
morganfainbergjamielennox, well whole port00:49
jamielennoxmorganfainberg: can we dump it all in JSON in a TXT record?00:49
morganfainbergjamielennox, sure. that could be also possible00:49
morganfainbergjamielennox, but SRV is probably a better definition format00:50
jamielennoxmorganfainberg: always - but if you want to include /identity then you need to convey that somehow00:50
morganfainbergjamielennox, sure. things to think about as we support better options00:51
stevemarayoung, steps are here: https://gist.github.com/stevemart/c67b7bb238ff5ef6ab6a and mapping object is here: https://gist.github.com/stevemart/4cf26cfe4f85aa76fc5400:53
*** derek_c has joined #openstack-keystone00:53
stevemarayoung, the steps has the mapping object in the curl, but i made it easier to see in the second link00:53
ayoungstevemar, {"user":{"name":"{0}"}}],"remote":[{"type":"sub"}]}   how does that munge the data that comes in?00:53
ayoungstevemar, I want a rule that says:  any group (g) a user has in REMOTE_GROUPS gives the use membership in  group(g) local00:55
stevemarayoung, the user part of the rule is different from the group part. the user part is required, and could be something like 'ADFS_EMAIL' in this example: https://gist.github.com/zaccone/914822d37ac2eea420ce00:56
ayoungstevemar, I need username to be REMOTE_USER00:57
ayoungIt doesn't need to be anything more complex than that00:57
stevemarayoung, i think you still need to enumerate the different groups00:58
ayoungexplicitly?00:58
ayoungin the map[ping, or just in the backend?00:59
stevemarin the rule, because a specific group (on the idp) has to map to a specific keystone group id00:59
ayoungstevemar, no wildcards?  I'm sure that we had match_any semantics01:01
ayoungstevemar, what about type?01:02
ayounglocal {01:03
ayoung    "group": {01:03
ayoung        "name": "{0}"01:03
ayoung    }01:03
ayoung}01:03
ayoungstevemar, http://fpaste.org/97656/39873359/  no?01:07
*** marcoemorais has quit IRC01:07
stevemarayoung, let me check the code for a sec01:08
*** diegows has quit IRC01:11
stevemarayoung, no luck, you have to specify the group id in the local section. it was designed that way, because the thought was that the idp's group/role name would be very different from keystones group id01:12
ayoungstevemar, OK...we fix  that as a feature request for Juno01:13
stevemarayoung, if i had groups g1, g2, ... coming from an idp, and just used a wild card, it wouldn't know what to actually map to? i guess you were hoping to use names01:13
*** gyee has quit IRC01:13
ayoungstevemar, I'm doing default domain, but there would have to be some mapping of domain for it to be useful01:13
stevemarbut group names are not unique, yeah, what i was going to get at01:14
*** gokrokve has joined #openstack-keystone01:14
ayoungstevemar, I think the norm would be that group_id==group_name@@domainid  just like we were saying for user_id.   Perhaps someway of distinguishing users from groups would head off some confusion, too01:14
stevemarayoung, i managed to make a PoC for openID connect and actually communicated with our internal ibm idp, it worked awesomely :)01:15
stevemarayoung, that could work01:15
*** gokrokve_ has joined #openstack-keystone01:17
*** gokrokve has quit IRC01:18
*** gokrokve_ has quit IRC01:20
*** gokrokve has joined #openstack-keystone01:26
ayoungstevemar, so would I add "any_of"  ?01:28
ayoung"any_one_of": [01:28
*** gokrokve has quit IRC01:30
*** gokrokve has joined #openstack-keystone01:35
*** gokrokve has quit IRC01:38
*** lbragstad has quit IRC01:38
stevemarayoung, yes, "any_one_of": ['some group name']01:40
*** lbragstad has joined #openstack-keystone01:41
*** gyee has joined #openstack-keystone01:42
*** bach has joined #openstack-keystone01:42
*** lbragstad has quit IRC01:50
*** zhiyan_ is now known as zhiyan01:52
*** bach has quit IRC01:57
ayoungstevemar, "keystoneclient.openstack.common.apiclient.exceptions.Forbidden: Could not change immutable attribute(s) 'mapping' in target FederationProtocol (HTTP 403)"02:07
ayoungthat is what I get when I do02:07
ayoung    keystone_client.federation.mappings.create(mapping_id='map_id',rules=rules)02:08
ayoung    keystone_client.federation.identity_providers.create(id='sssd')02:08
ayoung    keystone_client.federation.protocols.create(identity_provider_id='sssd', protocol_id='kerberos', mapping='map_id')02:08
*** shakamunyi has quit IRC02:11
*** sbfox has joined #openstack-keystone02:16
*** ayoung has quit IRC02:17
*** mberlin1 has joined #openstack-keystone02:21
*** mberlin has quit IRC02:22
*** stevemar has quit IRC02:29
*** nkinder has joined #openstack-keystone02:42
*** bach has joined #openstack-keystone02:45
*** sbfox has quit IRC02:48
*** bknudson has quit IRC02:54
*** daneyon_ has joined #openstack-keystone02:58
derek_cwhat's a "group" in keystone?  how is that different from a "project"?02:59
*** daneyon has quit IRC03:00
*** bach has quit IRC03:09
derek_cwithin the sql auth backend, is there a way to get a list of projects that a given user is associated with?03:15
*** bach has joined #openstack-keystone03:15
*** bach has quit IRC03:17
*** lbragstad has joined #openstack-keystone03:20
*** daneyon_ has quit IRC03:26
*** daneyon has joined #openstack-keystone03:27
*** mfisch has quit IRC03:27
*** gokrokve has joined #openstack-keystone03:27
*** derek_c has quit IRC03:32
*** richm has quit IRC03:38
*** dstanek is now known as dstanek_zzz03:44
*** sbfox has joined #openstack-keystone03:45
*** mfisch has joined #openstack-keystone03:46
*** mfisch has joined #openstack-keystone03:47
*** cp16net has joined #openstack-keystone03:47
cp16netping anyone around?03:48
cp16netlooks like the uuid provider is not working now... its requiring /etc/keystone/ssl/certs/signing_cert.pem and this doesnt exist when setting the KEYSTONE_TOKEN_FORMAT=UUID03:49
cp16nethttps://gist.github.com/cp16net/1138959703:49
*** praneshp has quit IRC03:55
*** gyee has quit IRC04:04
*** marcoemorais has joined #openstack-keystone04:04
*** chandan_kumar has joined #openstack-keystone04:05
*** dstanek_zzz is now known as dstanek04:05
*** marcoemorais has quit IRC04:08
*** dstanek is now known as dstanek_zzz04:15
*** morganfainberg is now known as morganfainberg_Z04:20
*** cynosure_ has joined #openstack-keystone04:21
*** praneshp has joined #openstack-keystone04:21
*** cynosure_ has quit IRC04:22
*** gokrokve has quit IRC04:22
*** praneshp_ has joined #openstack-keystone04:22
jamielennoxcp16net: that looks like a bug, can you file it please?04:23
*** marcoemorais1 has joined #openstack-keystone04:24
*** praneshp has quit IRC04:26
*** praneshp_ is now known as praneshp04:26
*** dstanek_zzz is now known as dstanek04:28
*** marcoemorais1 has quit IRC04:29
*** marcoemorais has joined #openstack-keystone04:30
*** sbfox has quit IRC04:36
*** sbfox has joined #openstack-keystone04:38
*** dstanek is now known as dstanek_zzz04:48
*** harlowja is now known as harlowja_away04:56
*** gokrokve has joined #openstack-keystone05:14
*** daneyon has quit IRC05:24
*** dstanek_zzz is now known as dstanek05:40
*** gokrokve_ has joined #openstack-keystone05:48
*** dstanek is now known as dstanek_zzz05:49
*** gokrokve has quit IRC05:52
*** gokrokve_ has quit IRC05:57
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/9028806:01
*** chandan_kumar has quit IRC06:01
*** sbfox has quit IRC06:05
*** praneshp has quit IRC06:12
*** chandan_kumar has joined #openstack-keystone06:16
*** jamielennox is now known as jamielennox|away06:18
*** chandan_kumar has quit IRC06:22
*** gokrokve has joined #openstack-keystone06:27
*** gokrokve_ has joined #openstack-keystone06:29
*** bvandenh has joined #openstack-keystone06:31
*** bvandenh has quit IRC06:31
*** gokrokve has quit IRC06:32
openstackgerritJuan Antonio Osorio Robles proposed a change to openstack/identity-api: Remove email as optional query parameter  https://review.openstack.org/9065606:32
openstackgerritJuan Antonio Osorio Robles proposed a change to openstack/identity-api: Fix typo in federation api  https://review.openstack.org/9065906:32
*** jaosorior has joined #openstack-keystone06:33
*** gokrokve_ has quit IRC06:34
*** chandan_kumar has joined #openstack-keystone06:40
*** dstanek_zzz is now known as dstanek06:40
*** dstanek is now known as dstanek_zzz06:50
*** gokrokve has joined #openstack-keystone06:57
*** dstanek_zzz is now known as dstanek07:05
*** marekd|afk is now known as marekd07:13
*** dstanek is now known as dstanek_zzz07:15
openstackgerritVictor Sergeyev proposed a change to openstack/keystone: oslo.db implementation  https://review.openstack.org/7721007:25
*** dstanek_zzz is now known as dstanek08:06
*** dstanek is now known as dstanek_zzz08:16
*** amcrn has quit IRC08:18
*** leseb has joined #openstack-keystone08:18
openstackgerritJuan Antonio Osorio Robles proposed a change to openstack/keystone: Refactor create_trust for readability  https://review.openstack.org/9094308:19
*** leseb has quit IRC08:35
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Sync test_migrations  https://review.openstack.org/8061808:37
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Redundant unique constraint  https://review.openstack.org/8444708:37
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Corresponding `nullable` value.  https://review.openstack.org/8444608:37
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Migration DB_INIT_VERSION in common place  https://review.openstack.org/8801608:37
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Comparision of database models and migrations.  https://review.openstack.org/8063008:37
*** leseb has joined #openstack-keystone08:38
*** leseb has quit IRC08:42
*** leseb has joined #openstack-keystone08:43
*** dstanek_zzz is now known as dstanek09:07
*** chandan_kumar has quit IRC09:14
*** chandan_kumar has joined #openstack-keystone09:15
*** dstanek is now known as dstanek_zzz09:17
*** marcoemorais has quit IRC09:49
openstackgerritMatthieu Huin proposed a change to openstack/keystone: More random values for oAuth1 verifier  https://review.openstack.org/8961210:00
*** andreaf has joined #openstack-keystone10:06
*** dstanek_zzz is now known as dstanek10:08
*** dstanek is now known as dstanek_zzz10:18
*** leseb has quit IRC10:29
*** dstanek_zzz is now known as dstanek11:09
*** dstanek is now known as dstanek_zzz11:18
*** leseb has joined #openstack-keystone11:20
*** dstanek_zzz is now known as dstanek11:54
*** erecio has joined #openstack-keystone12:09
*** zhiyan is now known as zhiyan_12:23
*** dims has quit IRC12:33
dstanekdolphm: you around?12:38
dolphmdstanek: yep!12:38
dstaneki was looking at https://review.openstack.org/#/c/89612; what is the concern about UI issues?12:39
dolphmdstanek: UX*12:44
dstanekdolphm: ah, ha - totally misread that12:44
dolphmdstanek: L41 looks like it addresses my concern https://review.openstack.org/#/c/89612/5/keystone/contrib/oauth1/core.py12:45
*** sphoorti has joined #openstack-keystone12:45
dstanekdolphm: i think i only have one more issue with that review, but i'm going over it again12:46
dolphmdstanek: on that line, or something else?12:46
dstanek''.translate only takes a single arg (the table) in py312:46
dolphmdstanek: i was about to say that translate() was new to me - i was about to look it up ...12:47
dolphmdstanek: i don't even see translate in the string module?12:48
*** dims has joined #openstack-keystone12:48
dstanekdolphm: it's a string method12:48
dolphmdstanek: oh the docs i was looking at were deprecated anyway!12:48
dstaneki've provided an alternate solution12:48
dolphmdstanek: post it! http://2.bp.blogspot.com/--zPE6kh7LM8/UART_ugKLSI/AAAAAAAACyI/0qwnJ7sMQWY/s1600/sonic-the-hedgehog.gif12:53
dstanekthe biggest issue is i don't have a way that works in both - trying to get of the version check12:57
dstanekat least with string translation tables - my new way is much more basic12:58
dolphmdstanek: iterative string replace or something?13:05
*** leseb has quit IRC13:06
*** leseb has joined #openstack-keystone13:06
*** leseb has quit IRC13:07
*** leseb has joined #openstack-keystone13:07
dolphmdstanek: http://pasteraw.com/8hxweehdyciobpf3l7m4982evta94vg13:08
dolphmthe second is py3413:09
dstanekdolphm: i just did a simple containment test since it's very easy to read and performance really doesn't matter here13:12
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Sync test_migrations  https://review.openstack.org/8061813:15
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Redundant unique constraint  https://review.openstack.org/8444713:15
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Correct `nullable` values in models and migrations  https://review.openstack.org/8444613:15
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Migration DB_INIT_VERSION in common place  https://review.openstack.org/8801613:15
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Comparision of database models and migrations.  https://review.openstack.org/8063013:15
*** joesavak has joined #openstack-keystone13:17
*** bknudson has joined #openstack-keystone13:24
*** sphoorti has quit IRC13:39
*** nkinder has quit IRC13:40
dolphmmorganfainberg_Z: think we can land https://blueprints.launchpad.net/keystone/+spec/ephemeral-pki-tokens in j1?13:40
*** richm has joined #openstack-keystone13:43
dolphmdstanek: checkout the bottom two http://pasteraw.com/jg0r4bs1d8n7gnvxmn6cprwaix6au3m13:55
dstanekdolphm: you may have to adjust for py2.6 - i don't think it has dict comprehensions13:57
dolphmdstanek: dammit.13:58
dolphmdstanek: or do you just have to use dict() instead?13:59
dstanekdolphm: yeah, something like dict.fromkeys((ord(i) for i in '...'), None)14:01
dstaneki'm pretty sure fromkeys is in 2.614:01
dstanekor the standard dict((ord(i), None) for i in '...')14:01
*** stevemar has joined #openstack-keystone14:08
*** topol has joined #openstack-keystone14:17
stevemarmarekd, thanks for the email :)14:17
marekdstevemar: no problem, i think it should solve ayoung's issue :-)14:18
marekdstevemar: btw it's funny he didn't put any body here and neither client nor server complained....14:20
marekdstevemar: https://github.com/admiyo/python-keystoneclient/commit/ed635f3dbfc81f1c86cc7dc9a688fc62a4d61583#diff-5f96027df52cfcac40372e71f5df9ea3R5814:20
*** david-lyle_ has joined #openstack-keystone14:22
stevemarmarekd, that is funny14:22
*** zhiyan_ is now known as zhiyan14:23
marekdstevemar: not funny at all....14:23
marekdstevemar: well ok, to be honest I didn't run the code, i don't even know if Adam did it.14:23
stevemarmarekd, there are inconsistencies between including xyz_id and not including it14:24
marekdstevemar: you mean?14:25
*** david-lyle_ is now known as david-lyle14:25
*** thedodd has joined #openstack-keystone14:29
*** diegows has joined #openstack-keystone14:31
dolphmthis is holding up a few approved patches: https://review.openstack.org/#/c/84446/14:33
cp16netjamielennox|away: https://bugs.launchpad.net/keystone/+bug/131401014:33
uvirtbotLaunchpad bug 1314010 in keystone "uuid support should not require ssl cert (dup-of: 1312858)" [Undecided,New]14:33
uvirtbotLaunchpad bug 1312858 in python-keystoneclient "Keystone + Devstack fail when KEYSTONE_TOKEN_FORMAT=UUID" [High,In progress]14:33
openstackgerritIhar Hrachyshka proposed a change to openstack/keystone: Synced jsonutils from oslo-incubator  https://review.openstack.org/9105414:36
*** sbfox has joined #openstack-keystone14:37
*** nkinder has joined #openstack-keystone14:39
*** andreaf has quit IRC14:41
dstanekstevemar, marekd: thoughts on https://review.openstack.org/#/c/84446 ? also why is mapping_id not a foreign key?14:45
marekddstanek: let me see14:46
stevemardstanek, no good reason, it is for idp, but not mapping https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/backends/sql.py14:48
marekddstanek: https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/backends/sql.py#L2914:49
marekddstanek: looks like inconsistency between sqlalchemy model and migration scripts...?14:49
*** YorikSar has left #openstack-keystone14:50
stevemarmarekd, it's not inconsistent though, it's not in the model either14:50
dstanekmarekd: yes, the fix is for nullability, but i'm wondering if it needs to be a foreign key - although a migration for that may be hard if the column does have null values14:50
marekdstevemar: hold on, we are talking about https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/backends/sql.py#L29 'not being null'...right?14:51
dstanekstevemar: the model says the column is not nullable and i think the migration makes it nullable14:51
marekddstanek: ++14:51
stevemarmarekd, the fix here https://review.openstack.org/#/c/84446/24 is for nullable values, that are inconsistnet14:51
dstanekjust thought you guys may weigh in on that review14:52
stevemarbut dstanek is asking why no FK, which we should use14:52
*** topol has quit IRC14:53
marekdstevemar: ok, appartenly thinking about the same, talking about something else i got puzzled after yours 'it's not in the model either14:53
marekd'14:53
marekdlet me look for older patches14:53
marekdconcerning mapping_id FKness14:54
stevemardstanek, re: nullable mapping_id, you are concerned that the patch is assuming the model as the correct version? when really the model could be wrong?14:55
openstackgerritSergey Nikitin proposed a change to openstack/keystone: Check that the user is dumb moved to the common method  https://review.openstack.org/8851715:02
openstackgerritSergey Nikitin proposed a change to openstack/keystone: Check that the user is dumb moved to the common method  https://review.openstack.org/8851715:04
dstanekstevemar: that is one concern yes15:06
dstanekstevemar: i have a question about https://review.openstack.org/#/c/81980 when you have a sec15:10
*** Manishanker_ has joined #openstack-keystone15:10
stevemardstanek, whats the q15:13
dstanekstevemar: what is the expected behavior is someone uses client.oauth1 without the oauthlib library installed?15:14
dstanekan AttributeError from inside oauth1?15:14
*** daneyon has joined #openstack-keystone15:15
stevemardstanek, that's what i'm trying to nail down15:18
*** gokrokve_ has joined #openstack-keystone15:18
stevemarwe don't seem to have an expected behaviour for this sort of situation?15:19
dstanekstevemar: what would actually be using client.oauth1?15:20
*** shakamunyi has joined #openstack-keystone15:21
stevemaropenstackclient would call it, for starters15:22
*** gokrokve has quit IRC15:22
stevemardstanek, ^ and if there are any python scripts15:22
stevemar(not sure i understand the question)15:22
dstanekstevemar: that's what i thought15:23
dstaneki have a comment on the view and i wanted to make sure i'm not way off base15:24
dstanekstevemar: published my thoughs15:29
*** zhiyan is now known as zhiyan_15:31
marekddstanek: stevemar: back in here. i think we didn't conclude with the mapping_id FKness - are you okay with changing that? I think dstanek is as he raised the question.15:32
stevemarmarekd, i'm okay with it, it should be a FK, should be a new patch set15:35
openstackgerritIhar Hrachyshka proposed a change to openstack/python-keystoneclient: Synced jsonutils from oslo-incubator  https://review.openstack.org/9108015:36
stevemardstanek, also, thanks for answering that question about why json was required15:36
marekddstanek: stevemar: if so, do you think the patch should make q15:39
marekdthis https://review.openstack.org/#/c/84446/24 a dependency somewhat?15:39
marekdwell, not dependency but there will be somehow a conflict...15:40
stevemarmarekd, the making mapping_id a FK should go in last, i think that series of patches will be merged soon15:40
marekdstevemar: ok15:40
*** zhiyan_ is now known as zhiyan15:42
openstackgerritA change was merged to openstack/keystone: Refactor notifications  https://review.openstack.org/8166015:50
dstanekstevemar: no problem15:50
*** topol_ has joined #openstack-keystone15:55
*** leseb has quit IRC15:55
*** andreaf has joined #openstack-keystone15:55
*** Manishanker_ has left #openstack-keystone15:56
*** leseb has joined #openstack-keystone15:58
*** topol_ is now known as topol15:59
openstackgerritA change was merged to openstack/keystone: Some methods in ldap were moved to superclass  https://review.openstack.org/8625016:02
*** gokrokve_ has quit IRC16:02
openstackgerritSergey Nikitin proposed a change to openstack/keystone: Check that the user is dumb moved to the common method  https://review.openstack.org/8851716:04
dolphmlove the subject ^16:05
marekdstevemar: dstanek: a question. in the sql files in contrib/federation/migrate_repo/versions there are now two files -> 001_*.py with identity_provider and federation_protocol CREATE script, and 002_*.py with mapings. Now, to make federation_protocol.mapping_id a FK I have two options: merge all the tables into one migration file, so move 002_ content to 001 or add 003 script that alter the table. Now, can we go option 1? :-)16:06
marekddolphm: ++16:06
* dolphm the user isn't normally an idiot, the user is just drunk!16:06
openstackgerritA change was merged to openstack/keystone: Use oslo.test mockpatch  https://review.openstack.org/8396816:08
*** zhiyan is now known as zhiyan_16:11
*** ayoung has joined #openstack-keystone16:15
*** sbfox has quit IRC16:16
*** browne has joined #openstack-keystone16:18
*** sbfox has joined #openstack-keystone16:18
openstackgerritBrant Knudson proposed a change to openstack/keystone: Escape values in LDAP search filters  https://review.openstack.org/8714216:18
*** chandan_kumar has quit IRC16:19
*** jaosorior has quit IRC16:21
*** marcoemorais has joined #openstack-keystone16:31
*** leseb has quit IRC16:35
*** Chicago has quit IRC16:43
openstackgerritA change was merged to openstack/keystone: Ignore broken endpoints in get_v3_catalog  https://review.openstack.org/8152716:46
rodrigodsis there anyone available to review this blueprint: https://blueprints.launchpad.net/python-keystoneclient/+spec/roles-assignment-support?16:47
*** vhoward has left #openstack-keystone16:48
*** ericn has joined #openstack-keystone16:58
*** harlowja_away is now known as harlowja16:59
openstackgerritBrian Lamar proposed a change to openstack/python-keystoneclient: Allow token revocation list to be unimplemented  https://review.openstack.org/9110017:01
*** amcrn has joined #openstack-keystone17:02
stevemarrodrigods, the commandline portion should be done in https://blueprints.launchpad.net/python-openstackclient17:07
dstanekdolphm, morganfainberg_Z: any thoughts on ayoung's comments here: https://review.openstack.org/#/c/73368/ ? i don't mind moving the model defs, but it's different from what was discussed in SAT so i want a concensus before stuff starts moving back and forth17:07
rodrigodsstevemar, thanks, will update the description and assign OSC as well17:08
stevemardolphm, there is nothing on the meeting agenda for today :\17:09
dolphmstevemar: fixed17:10
dolphmdstanek: thinking17:10
*** topol has quit IRC17:11
*** praneshp has joined #openstack-keystone17:17
*** morganfainberg_Z is now known as morganfainberg17:18
morganfainbergdolphm, wow thats'a great subject!17:18
*** chandan_kumar has joined #openstack-keystone17:20
*** gyee has joined #openstack-keystone17:23
*** ericn has quit IRC17:24
morganfainbergalso good morning or afternoon (depending on where you are)17:25
dolphmdstanek: i hate the idea of "optional dependencies" -- doubly so for extensions. if we want to use internal callbacks, that's fine, but we need to be super careful about plaintext passwords being passed into a notification framework!17:26
morganfainbergdstanek, looking at ayoung's comment17:26
dolphmdstanek: regarding where the model lives, i don't really care that much, but it seems like a natural evolution for the base identity implementation (to support deployer-configurable features like repeating old passwords, etc)17:26
morganfainberghonestly, i'd make this a core feature of SQL vs an extension17:27
dolphmdstanek: i suppose this is another argument against making it an API extension in the first place, but IIRC i lost that argument17:27
morganfainbergthis is part of keeping SQL a "real" IDP (see summit session)17:27
dolphmmorganfainberg: ++17:28
morganfainbergdolphm, can we defer until post summit session? if we're keeping SQL as a first class IDP we make it core part of SQL17:28
morganfainbergdstanek, ^ (what i just ask'd dolph)17:28
dolphmdstanek: if you called the table just 'password' it would avoid any unnecessary connotation with the extension17:29
dolphmmorganfainberg: yes17:29
morganfainbergdolphm, because i want SQL as a first class IDP still, and I think this needs to not be an extension17:29
dolphmdstanek: morganfainberg: let's be ready to +A or abandon in the session though :)17:29
morganfainbergdolphm, ++17:29
morganfainbergdolphm, dstanek, it may make more sense to call the table user_password, and we move all password lookups for SQL to it (migrate them out of the user data)17:30
dstanekdolphm, morganfainberg: so make is part of the SQL backend instead of an extension?17:30
morganfainbergdolphm, dstanek, that would be my preference - though we might lose that argument :(17:31
dstanekwho would argue that? if you don't want to use it then don't17:31
morganfainbergdstanek, there tends to be the sentiment that everything should be an extension17:32
morganfainbergdstanek, i don't think we will lose this argument though17:32
dolphmwe introduced an API attribute for this, right?17:32
morganfainbergdstanek, but it  might happen17:32
ayoungdstanek, if the rotation is going into core, the SQL goes into core.  If the rotation is in an extension, the SQL is in an extension17:32
*** openstackgerrit has quit IRC17:32
morganfainbergayoung, ok that works for me.17:32
ayoungBut...extension can be "supported buy default or not"17:33
*** openstackgerrit has joined #openstack-keystone17:33
dolphmayoung: i was originally arguing for this to be core api, which is i think how we got ehre17:33
ayoungmorganfainberg, so I think "extension first"17:33
morganfainbergayoung, i don't think this belongs as an extension at all.17:33
ayoungdolphm, I'd rather make most of the identity stuff and extension17:33
ayounguser managemend does not belong in core;17:33
dolphmhttps://gist.github.com/dolph/766501117:33
morganfainbergayoung, that is a different argument.17:33
ayoungunderstood17:33
dolphmspecifically https://gist.github.com/dolph/7665011#user-self-service-password-rotation17:33
dstanekdolphm: this adds new resource URLs to manage the rotated passwords17:34
morganfainbergayoung, and i'm not opposed to that.17:34
ayoungmorganfainberg, but I thik rotation is a good starting point for splitting user out into an extension, and thne being able to run Keystone/IdP on a separate machine from Keystone/Assignement17:34
ayoungBut...all I insist on is that we don't split the SQL from the implementation17:35
ayoungthe rest I will state my preference and then let it roll17:35
morganfainbergayoung, i'd rather keep identity management stuff (user, password, etc) more centralized before we make an effort to split it up17:35
dolphmayoung: "don't split the SQL from the implementation" ?17:35
ayoungdolphm, for the the password rotation17:35
dolphmayoung: i don't understand the statement17:36
ayoungSQL migrate repo is in the same place as the code.   so if the code is core, the migrations go in core.  If the rotate is in an extension, the migrations go in the extension17:36
morganfainbergayoung, i also think that splitting the management stuff off (IDP separate system from assignment) is a great point to discuss in the SQL as a first class IDP session (and I am a big supporter of being able to run ID separately)17:36
*** sbfox has quit IRC17:36
morganfainbergdolphm, dstanek, i don't disagree w/ ayoung, we should keep the pieces together. I'd like to see this as core though vs extension.17:37
dolphmdstanek: i don't think you need to introduce new driver methods for this patch17:37
dolphmdstanek: s/need to/should/17:37
dstanekayoung: that's what is interestig about our compromise. the code is in identity core and all the extension does is add the URL support17:38
*** ukalifon1 has joined #openstack-keystone17:38
morganfainbergdolphm, there was one case, since admin password changes invalidate all passwords.17:38
morganfainbergdolphm, so you need to know if it was a user update or a password change17:38
morganfainbergdolphm, password change == rotation (iirc from the discussion)17:38
dolphmmorganfainberg: correct...17:38
dolphm*looking through sql driver*17:38
ukalifon1ayoung: Hi. I'm working with the federation API. I created an identity provider, a protocol in it (saml2) and now I'm creating a mapping. Where in all this do I define that the source is saml.myorg.com ?17:40
ukalifon1Look at the docs here: https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3-os-federation-ext.md17:40
*** sbfox has joined #openstack-keystone17:40
dolphmukalifon1: that's done in your shibboleth configuration17:40
dolphmukalifon1: start there before working with the federation API in keystone17:41
dstanekdolphm: i needed a way to manage rotated passwords separate from regular passwords17:42
ayoungdstanek, are you sure?17:43
dstanekyes, because changing a password doesn't automatically rotate it; you have to specifically ask for it to be rotated17:43
ukalifon1dolphm: thanks, how do I configure shibboleth and where can I find the docs?17:44
dstanekif we are going to support checking against the last X password then me may have to store it, but it would not be active after the password change17:45
morganfainbergdstanek, if we make all password checks go against this new table in SQL wouldn't that resolve that?17:45
dstanekmorganfainberg: resolve having to know if it's rotated?17:46
morganfainbergdstanek, the "may have to store it17:46
morganfainberg"17:46
morganfainberg?17:46
morganfainbergdstanek, oh i see. i was thinking from a password history / rotation mechanism.  nevermind.17:47
*** chandan_kumar has quit IRC17:49
dolphmmarekd: ^ see ukalifon117:52
dolphmdstanek: but why not migrate away the 'password' field, from the User table right now?17:53
morganfainbergdstanek, dolphm , +++17:53
morganfainbergdolphm, i'd love to see the password info get moved out of the user_ref wherever possible (eliminates something we need to "filter" out)17:54
dstanekdolphm, morganfainberg: i can make that change too17:55
dolphmmorganfainberg: that's exactly what i was thinking17:57
dstanekwe've talked about that a few times; the last time we talked about it just waiting until we add all of the other password features - that why the tables isn't named passwords17:58
*** jamielennox|away is now known as jamielennox18:03
*** ericn has joined #openstack-keystone18:06
andreafbknudson: hi18:10
bknudsonandreaf: hi18:10
andreafbknudson: I addressed your comments on https://review.openstack.org/#/c/81872/718:11
andreafhttps://review.openstack.org/#/c/81872/18:11
andreafbknudson:I decided to go for a comment rather than mass-rename for now, I added some explanations in the patch-set18:11
bknudsonandreaf: ok18:12
andreafbknudson: let me know if you are ok with that18:12
bknudsonandreaf: the name isn't super important. I'm sure keystonev3 is being used all over tempest.18:13
bknudsonandreaf: also, there's an issue where v3 tests are in the admin package.18:13
bknudsonhttp://git.openstack.org/cgit/openstack/tempest/tree/tempest/api/identity/admin/v3 -- why is it admin/v3?18:14
bknudsonmakes no sense18:14
andreafbknudson: well yes that's not aligned with compute, so it's inconsistent. The code structure is much  better now I think but there are still a few inconsistencies18:16
andreafcan you file a LP for that so we have it in qa queue?18:16
bknudsonok18:16
andreafthanks18:17
andreafit should be v3/admin rather than admin/v3 to be the same as compute18:18
andreafbut another inconsistency is that for instance glance has v1 and v2 folders, while compute has v2 tests in root foler and v3 in subfolder, and so does keystone18:18
bknudsonthere's an admin interface and public interface in v2, but v3 is served the same on both admin and public interfaces18:19
bknudsonso v3 should be a sibling of admin18:20
andreafbknudson: the admin folder refers to the role required on the user to run the tests, rather than the interface18:20
rodrigodsstevemar, https://blueprints.launchpad.net/python-keystoneclient/+spec/roles-assignment-support and https://blueprints.launchpad.net/python-keystoneclient/+spec/roles-assignment-list. any suggestion?18:20
bknudsonfor v3, you can configure keystone to allow whatever role you want. it's not required to be admin.18:21
bknudsonin v2 the admin api requires admin18:21
andreafbknudson: good to know. I guess that's true for the  other services as well, it depends on the policy configu18:22
andreafbut I'd say a common deployment option is to require admin18:22
andreafbknudson: there is WIP to identify which tests require admin roles to run - see https://review.openstack.org/#/c/86967/ in case you want to comment on it - the spec is still open18:23
andreafbknudson: we had a question in the QA meeting on best practices for setting up admin roles with keystone v3 - I sent a message to the DL about thi http://lists.openstack.org/pipermail/openstack-dev/2014-April/033698.html18:27
dolphmmorganfainberg: nasty bug with db_sync - but i'm not able to reproduce on a fresh wheezy64 install https://bugs.launchpad.net/keystone/+bug/131434018:31
uvirtbotLaunchpad bug 1314340 in keystone "db_sync throws CRITICAL KeyError: <VerNum(1)>" [Undecided,New]18:31
dolphmmorganfainberg: getting a 14.04 box in a minute18:32
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Compressed Signature and Validation  https://review.openstack.org/7118118:34
morganfainbergdolphm, i already commented on it18:34
morganfainbergdolphm, the issue is https://github.com/openstack/keystone/blob/master/keystone/common/sql/migration_helpers.py#L16518:34
*** sbfox has quit IRC18:35
morganfainbergdolphm, the 0 needs to reference the DB_INIT_VERSION18:35
morganfainbergdolphm, if db_sync was called instead of db_version this issue wouldn't have occured18:35
ayoungcan someone confirm the fingerprint for the new ssh key?18:36
morganfainbergayoung, for gerrit?18:36
ayoungyeah18:36
dolphmmorganfainberg: weird18:36
morganfainberg28:c6:42:b7:44:d2:48:64:c1:3f:31:d8:1b:6e:3b:63 (RSA)18:37
morganfainberg6c:95:14:fd:8b:0f:de:d3:e3:10:77:5a:de:22:8a:5f (DSA)18:37
dolphmayoung: https://review.openstack.org/#/settings/ssh-keys18:37
ayoung28:c6:42:b7:44:d2:48:64:c1:3f:31:d8:1b:6e:3b:6318:37
morganfainbergdolphm, yeah looks like we have a couple places we need to solve that.18:37
ayoung++18:37
morganfainbergdolphm, erm, one that is18:37
morganfainbergayoung, https://review.openstack.org/#/settings/ssh-keys and from the email from Fungi (signed [infra] to the ML)18:38
morganfainbergayoung in case you were wondering where i got the info18:38
ayoungmorganfainberg, thanks18:38
morganfainbergayoung np18:39
*** sbfox has joined #openstack-keystone18:39
*** marcoemorais1 has joined #openstack-keystone18:40
ayoungWe done?18:40
*** marcoemorais has quit IRC18:42
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Set proper DB_INIT_VERSION on db_version command  https://review.openstack.org/9112318:43
*** ukalifon1 has quit IRC18:46
dolphmmorganfainberg: bknudson: o/18:58
bknudsondolphm: \o18:58
morganfainbergo\18:58
dolphmbknudson: there's no use case i can think of for having a revocation list with uuid tokens18:58
dolphmbknudson: if the uuid token is in the cache, you're done18:58
jamielennoxdolphm: it depends on your cache strategy i guess18:59
jamielennoxif you cache UUID tokens for 5 minutes then you don't18:59
dolphmjamielennox: "then you don't" ... what?18:59
bknudsonyou can set the cache time different from the revocation list cache time18:59
jamielennoxif your tokens default to 24 hours expiry and you cache for the whole thing then you need the revocation list18:59
morganfainbergjamielennox, 5min is within clock skew iirc, so...18:59
bknudsonso the revocation list cache time is 10 sec and the token cache time is 5 mins18:59
morganfainberghmm.19:00
jamielennox(also not defending the process here - just why i think it came about)19:00
dolphmjamielennox: wtf19:00
dolphmjamielennox: that's layering unnecessary complexity for absolutely zero gain19:00
morganfainbergfood time...19:01
jamielennoxdolphm: depedning on how you're using your tokens i can see gain in that19:01
*** morganfainberg is now known as morganfainberg_Z19:01
jamielennoxif your revocation lists are good (better than ours is)19:01
dolphmjamielennox: so you're starting with a false premise, continue...19:01
jamielennoxyou cache all the active tokens you have memory for and you don't need to online validate every 5 minutes19:02
bknudsonall you need to check against is the revocation list19:02
bknudsonassuming the revocation list is available19:02
jamielennoxif you're talking a small number of revocations then that traffic is way smaller than continual validations19:02
*** ericn has quit IRC19:02
jamielennoxi don't recommend anyone do that setup with the system we have today - but i can see the argument19:03
dolphmand you don't mean revocation *events* -- you actually mean revocation *list*?19:04
*** vhoward has joined #openstack-keystone19:05
*** erecio_1 has joined #openstack-keystone19:05
jamielennoxdolphm: i don't think i care enough about this argument to be on the defensive, but i mean with a good revocation system (which we don't have) I can see an argument for caching a UUID token for it's full expiry period19:06
dolphmjamielennox: if you're starting with a false premise, then it's not an argument :)19:06
*** vhoward has left #openstack-keystone19:07
jamielennoxdolphm: it's always an argument - i just might be wrong19:07
*** erecio has quit IRC19:08
dolphmjamielennox: i don't think you can be wrong in an invalid argument19:12
*** thiagop has quit IRC19:20
gabriel-bezerrajamielennox, morganfainberg_Z: Might you review https://review.openstack.org/90631, please?19:27
jamielennoxgabriel-bezerra: cool, i didn't know you could do that19:28
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: auth_token configurable check of revocations for cached  https://review.openstack.org/9047219:28
openstackgerritayoung proposed a change to openstack/keystone: Compressed Token Provider  https://review.openstack.org/9114519:29
ayoungbknudson, ^^ should be WIP, but I don't see the button letting me set that19:30
*** afaranha has joined #openstack-keystone19:30
bknudsonayoung: set WorkFlow -119:30
ayoungbknudson, where?19:31
bknudsonayoung: where you would set WorkFlow +1 to approve it19:31
ayoungbknudson, thanks19:31
bknudsonayoung: I switched to the "new" view so am not sure what the old buttons are19:31
ayounggot it, thanks./  I am not even sure if that will pass tox, I suspect not.19:32
bknudsonayoung: updated https://review.openstack.org/90472 to have a config option19:32
ayoungbknudson, I'll remove the -219:32
*** dstanek is now known as dstanek_zzz19:33
gabriel-bezerrathanks, jamielennox19:33
openstackgerritA change was merged to openstack/keystone: Move hacking code to a separate fixture  https://review.openstack.org/8699819:34
jamielennoxgabriel-bezerra: np19:34
dolphmhow do you know if you're using the new / old view?19:34
bknudsondolphm: go to Settings19:35
bknudsonPreferences19:35
bknudsonit's the Change View option19:35
dolphmbknudson: thanks19:35
dolphmbknudson: i'll try the New view later to see what all the complaining is about19:36
bknudsonI just thought I'd try it since there were complaints on the ml.19:36
ayoungbknudson, yeah, its different.  But the big plus is that it givers you all of the comments inline....19:38
ayoungOK...time to move....19:38
*** ayoung has quit IRC19:39
jamielennoxbknudson: ahh - the new view might need some css tweaks19:47
bknudsonjamielennox: what's not working?19:48
rodrigodsstevemar, created the additional blueprint: https://blueprints.launchpad.net/python-openstackclient/+spec/roles-assignment-list19:48
jamielennoxbknudson: it's just really squished together, but i like having the line comments out like that19:49
jamielennoxoo, the new screen let's you edit the commit message from gerrit - there's no going back now19:51
dolphmthe javascript seems super slow in the new view19:52
morganfainberg_Zdolphm, i switched back because the new view was kinda wonky19:52
*** morganfainberg_Z is now known as morganfainberg19:52
jamielennoxhmm, and all of the pregenerated git pull/checkout links are gone19:54
jamielennoxi use those19:54
morganfainbergjamielennox, they are int the top right dropdown19:54
*** dstanek_zzz is now known as dstanek19:55
morganfainbergjamielennox, i didn't think UX would get better in gerrit... but i didn't think it would end up this much worse :P19:55
bknudsongit-review -d to pull it19:55
jamielennoxmorganfainberg: ah, thanks19:55
jamielennoxbknudson: yea, i just never got in the habit19:55
dolphm+1 for git-review -d / -x19:56
jamielennoxclicking on the project name in a review now gives you the settings for the project, clicking on the magnifying glass next to it no longer defaults to status:open so you see everything19:57
bknudsondoes the new gerrit still have drafts?19:57
morganfainbergjamielennox, yeah that... bothers me19:57
morganfainbergbknudson, i'm guessing it does, but drafts were aweful19:57
morganfainbergbknudson, WIP is better19:57
dolphmbknudson: (why do you need drafts?)19:58
*** leseb has joined #openstack-keystone19:58
bknudsonwould be nice if we had a better way to review the embargoed changes19:58
dolphmbknudson: that's coming!19:58
morganfainbergbknudson, yes that is planned.19:58
bknudsonwould have to hide them from zuul?19:59
bknudsonzuul status page19:59
morganfainbergbknudson, i think that is all in the works19:59
dolphmbknudson: separate infrastructure19:59
*** dstanek is now known as dstanek_zzz20:04
*** derek_c has joined #openstack-keystone20:05
*** erecio_2 has joined #openstack-keystone20:10
*** bach has joined #openstack-keystone20:12
*** erecio_1 has quit IRC20:12
*** bach has quit IRC20:15
*** ayoung has joined #openstack-keystone20:37
*** dstanek_zzz is now known as dstanek20:38
*** leseb has quit IRC20:41
*** klrmn has joined #openstack-keystone20:42
klrmni have a newly installed keystone server, but nothing is showing up in /var/log/keystone/ … what do i need to do to get logging turned on?20:43
gabriel-bezerraklrmn: check if verbose=True or debug=True on /etc/keystone/keystone.conf20:57
gabriel-bezerrain the [DEFAULT] section20:58
gabriel-bezerramorganfainberg: Might you review https://review.openstack.org/90631, please?21:00
*** dstanek is now known as dstanek_zzz21:00
*** erecio_2 has quit IRC21:01
*** marcoemorais1 has quit IRC21:03
morganfainberggabriel-bezerra, i'll look at it when i'm out of my next slew of meetings21:03
*** marcoemorais has joined #openstack-keystone21:04
*** dstanek_zzz is now known as dstanek21:05
*** marcoemorais has quit IRC21:06
*** andreaf has quit IRC21:06
*** marcoemorais has joined #openstack-keystone21:08
*** derek_c has quit IRC21:13
*** derek_c has joined #openstack-keystone21:13
*** morganfainberg is now known as morganfainberg_Z21:22
*** morganfainberg_Z is now known as morganfainberg21:25
*** bach has joined #openstack-keystone21:27
boris-42morganfainberg ping21:27
*** daneyon_ has joined #openstack-keystone21:27
*** daneyon has quit IRC21:28
boris-42dolphm ping21:28
*** derek_c has quit IRC21:31
*** morganfainberg is now known as morganfainberg_Z21:33
*** morganfainberg_Z is now known as morganfainberg21:34
*** bach has quit IRC21:35
*** joesavak has quit IRC21:40
morganfainbergboris-42, hi21:41
morganfainbergboris-42, here now21:41
*** sbfox has quit IRC21:41
boris-42morganfainberg so we need to get +1 from dolphm in infra21:41
boris-42morganfainberg here https://review.openstack.org/#/c/90404/21:42
morganfainbergah21:42
morganfainbergdolphm, ^ when you get a chance could use your eyes.21:42
morganfainbergboris-42, best bet is keep following up with us. i'll work from this side.21:43
morganfainbergboris-42, hopefully we can get that in soonish :)21:43
boris-42morganfainberg yep we just get approve for glance performance job21:44
boris-42morganfainberg so we will see how it works there=)21:44
morganfainbergcool!21:44
morganfainbergboris-42, thanks for the work on this!21:44
*** sbfox has joined #openstack-keystone21:44
boris-42morganfainberg it should support plugins21:45
morganfainbergnice21:45
boris-42morganfainberg otherwise it won't be sexy21:45
morganfainberghehe21:45
boris-42morganfainberg cause you will need to merge new benchmarks first in rally21:45
morganfainbergyeah, plugin support makes it super awesome instead of just very cool21:45
boris-42morganfainberg and this process is not quite fast=)21:45
*** dstanek is now known as dstanek_zzz21:45
boris-42morganfainberg cause we are nerds=)21:45
morganfainbergboris-42, yep. :) hehe21:46
boris-42morganfainberg actually patch is already done https://review.openstack.org/#/c/72679/21:46
boris-42morganfainberg just waiting for pretty .rst with description21:46
morganfainbergyeah docs are good.21:47
*** praneshp has quit IRC21:50
*** praneshp has joined #openstack-keystone21:51
*** dims has quit IRC21:57
bknudsonI think I22:00
bknudsonI'm going to have to give up on the new gerrit view22:00
bknudsonthe diff viewer doesn't show _s22:00
morganfainbergbknudson, yeah it's a little odd and has some issues22:02
gabriel-bezerraHi guys. Have you ever seen this on Keystone? TypeError: expected byte string object for header value, value of type unicode found22:05
gabriel-bezerrait is showing up when I POST /v3/auth/tokens22:06
morganfainberggabriel-bezerra, yep.22:06
gabriel-bezerraI'm trying to deploy a federated Keystone, so it is running in Apache, but I haven't turned SSL nor Shib on yet.22:07
morganfainberggabriel-bezerra, i can actually point you at the bug.22:07
morganfainbergmaster?22:07
morganfainbergor icehouse?22:07
gabriel-bezerramaster22:07
morganfainberggabriel-bezerra, https://review.openstack.org/#/c/90476/ that review should fix the issue22:07
morganfainbergbug https://bugs.launchpad.net/python-keystoneclient/+bug/131297122:07
uvirtbotLaunchpad bug 1312971 in python-keystoneclient "mod_wsgi exception processing UTF-8 Header" [High,Triaged]22:07
morganfainberggabriel-bezerra, that isn't the end-all fix, but it's the immidiate stopgap22:09
*** dims has joined #openstack-keystone22:10
gabriel-bezerraIs there any workaround for it?22:10
morganfainbergeither apply that patch, or don't use HTTPd to deploy. i expect we'll get that fix committed into master soon22:11
morganfainbergsince you're doing federation, the only real solution is to apply that patch22:11
morganfainbergsince HTTPD is needed.22:11
*** daneyon_ has quit IRC22:11
morganfainbergi'll poke at some people here this afternoon and see if we can get it at least into gate (depending on the depth of the queue it make take time to actually merge)22:12
*** daneyon has joined #openstack-keystone22:12
gabriel-bezerraoh, good.22:13
gabriel-bezerraI'll keep an eye on it22:13
*** topol has joined #openstack-keystone22:14
gabriel-bezerrashould I subscribe as a reviewer to get updates?22:14
morganfainberggabriel-bezerra, if you would like.22:14
gabriel-bezerramorganfainberg: thank you for reviewing my change about keystone on apache in devstack22:17
gabriel-bezerrawhat should I do now to move it forward?22:17
morganfainberggabriel-bezerra, sure thing! glad to have more people contributing.22:17
morganfainberggabriel-bezerra, now it's a waiting game mostly, need to get the core team on devstack to review/approve it22:17
gabriel-bezerrashould I poke anyone or add them as reviewers?22:18
gabriel-bezerraor they already have a list with +1ed and verified changes?22:19
*** topol has quit IRC22:19
bknudsondstanek_zzz: dolphm: stevemar: any reason https://review.openstack.org/#/c/84446/ wasn't approved already?22:20
morganfainberggabriel-bezerra, not sure what their workflow is, you can ask them in IRC or just add them to the review (always good)22:20
morganfainberggabriel-bezerra, i haven't had a huge issue with devstack reviews languishing without eyes on them22:24
morganfainberggabriel-bezerra, also realize this week is officially marked as a quiet week for the openstack community (preparing for the design summit and we've released icehouse) there are a number of people on vacation this week22:25
morganfainberggabriel-bezerra, so thinks might move a little slower until after the design summit22:25
morganfainberggabriel-bezerra, s/thinks/things22:25
gabriel-bezerraok, right22:26
stevemarbknudson, cause we're wimps?22:28
bknudsonlet's all grow a pair!22:28
morganfainbergbknudson, stevemar, quick -2 that!22:28
morganfainbergi mean...22:28
morganfainberg+122:28
*** bach has joined #openstack-keystone22:28
morganfainbergi mean.. approve22:28
bknudsonhttps://review.openstack.org/#/c/84446/ is approved now... seemed to have enough reviews and I think all the comments were addressed.22:30
gabriel-bezerramorganfainberg: thank you for your hand on those changes. Got to go now.22:30
*** zigo_ has joined #openstack-keystone22:35
morganfainberggabriel-bezerra, thanks for working on that stuff! have a good one!22:37
*** zigo has quit IRC22:37
bknudsonIf we want to add a foreign key can do it in a separate commit.22:37
bknudsonI'm not even sure how you would do that safely.22:37
*** thedodd has quit IRC22:37
*** bach has quit IRC22:40
*** dstanek_zzz is now known as dstanek22:41
stevemarbknudson, i guess the downgrade path would be hard?22:41
bknudsonstevemar: how would you know which mapping the federation_protocol was referring to if it wasn't referring to an existing one?22:43
bknudsonwas supposed to refer to22:43
stevemarbknudson, yeah, i can see how that could be a problem22:44
*** nkinder has quit IRC22:50
morganfainbergbknudson, adding a FK sanely?22:56
morganfainbergbknudson, uhm...22:56
*** david-lyle has quit IRC22:59
*** bach has joined #openstack-keystone23:08
*** bach has quit IRC23:14
*** shakamunyi has quit IRC23:14
*** shakamunyi has joined #openstack-keystone23:19
openstackgerritA change was merged to openstack/identity-api: Fix typo in federation api  https://review.openstack.org/9065923:21
*** dstanek is now known as dstanek_zzz23:21
*** bknudson has quit IRC23:23
*** amcrn has quit IRC23:36
*** dstanek_zzz is now known as dstanek23:45
*** stevemar has quit IRC23:51
« Monday, 2014-04-28 Index Wednesday, 2014-04-30 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!