*** bach has joined #openstack-keystone | 00:02 | |
*** topol has joined #openstack-keystone | 00:03 | |
*** sbfox has quit IRC | 00:03 | |
*** ChanServ changes topic to "Open discussion." | 00:04 | |
-openstackstatus- NOTICE: the gate is still fairly backed up, though nodepool is back on track and chipping away at remaining changes. some py3k/pypy node starvation is slowing recovery | 00:04 | |
*** leseb has quit IRC | 00:05 | |
*** leseb has joined #openstack-keystone | 00:05 | |
*** leseb has quit IRC | 00:06 | |
*** bach has quit IRC | 00:07 | |
*** david-lyle has joined #openstack-keystone | 00:09 | |
*** bach has joined #openstack-keystone | 00:12 | |
*** david-lyle has quit IRC | 00:13 | |
*** topol has quit IRC | 00:14 | |
*** topol_ has joined #openstack-keystone | 00:15 | |
*** topol_ is now known as topol | 00:15 | |
*** topol_ has joined #openstack-keystone | 00:21 | |
*** topol has quit IRC | 00:24 | |
*** topol_ has quit IRC | 00:26 | |
*** packet has quit IRC | 00:30 | |
ayoung_DadMode | jamielennox, why doesn't this work | 00:34 |
ayoung_DadMode | keystone --os-identity-api-version=3 group-create name=kings | 00:34 |
ayoung_DadMode | gives me | 00:35 |
ayoung_DadMode | invalid choice: 'group-create' | 00:35 |
jamielennox | --os-identity-api-version=3 has no effect | 00:35 |
*** ayoung_DadMode is now known as ayoung | 00:35 | |
ayoung | jamielennox, is there any way to get group actions in the CLI? | 00:35 |
ayoung | actually, I need to do group-role-add | 00:35 |
jamielennox | ayoung: groups aren't in v2 right? i can't remember | 00:35 |
ayoung | Nope, not in v2 | 00:36 |
ayoung | I'll use the python API then | 00:36 |
ayoung | thanks. | 00:36 |
*** ayoung is now known as ayoung_food | 00:36 | |
jamielennox | use openstack client | 00:36 |
jamielennox | i don't know if they do a v2/v3 hack or not | 00:37 |
jamielennox | but they should have the v3 API implemented | 00:37 |
*** browne has quit IRC | 00:47 | |
jamielennox | ayoung_food: openstack --os-identity-api-version 3 group create | 00:48 |
*** bach has quit IRC | 00:56 | |
*** leseb has joined #openstack-keystone | 01:06 | |
*** amcrn has quit IRC | 01:09 | |
*** leseb has quit IRC | 01:11 | |
*** amcrn has joined #openstack-keystone | 01:12 | |
*** sbfox has joined #openstack-keystone | 01:15 | |
*** ayoung_food is now known as ayoung | 01:19 | |
*** amcrn has quit IRC | 01:21 | |
*** sbfox has quit IRC | 01:21 | |
*** diegows has quit IRC | 01:30 | |
*** theocean154 is now known as theocean154_zzzZ | 01:31 | |
*** marcoemorais has quit IRC | 01:36 | |
*** derek_c has quit IRC | 01:39 | |
*** amerine has quit IRC | 01:40 | |
*** amerine has joined #openstack-keystone | 01:40 | |
*** amerine has quit IRC | 01:42 | |
*** amerine has joined #openstack-keystone | 01:42 | |
*** Chicago has quit IRC | 01:45 | |
*** amcrn has joined #openstack-keystone | 01:52 | |
*** zhiyan_ is now known as zhiyan | 01:59 | |
*** richm has quit IRC | 02:04 | |
*** leseb has joined #openstack-keystone | 02:07 | |
*** leseb has quit IRC | 02:10 | |
*** leseb has joined #openstack-keystone | 02:11 | |
*** amerine has quit IRC | 02:12 | |
*** amerine has joined #openstack-keystone | 02:13 | |
*** leseb has quit IRC | 02:15 | |
*** amerine has quit IRC | 02:17 | |
*** mberlin1 has joined #openstack-keystone | 02:19 | |
*** amerine has joined #openstack-keystone | 02:20 | |
*** mberlin has quit IRC | 02:21 | |
*** stevemar has joined #openstack-keystone | 02:45 | |
*** stevemar has quit IRC | 02:53 | |
*** gaud has quit IRC | 03:07 | |
*** gaud has joined #openstack-keystone | 03:10 | |
*** leseb has joined #openstack-keystone | 03:11 | |
*** leseb has quit IRC | 03:16 | |
*** zhiyan is now known as zhiyan_ | 03:18 | |
*** harlowja is now known as harlowja_away | 03:20 | |
*** harlowja_away is now known as harlowja | 03:21 | |
*** stevemar has joined #openstack-keystone | 03:23 | |
*** gaud has quit IRC | 03:26 | |
*** derek_c has joined #openstack-keystone | 03:37 | |
openstackgerrit | A change was merged to openstack/keystone: Add rally performance gate job for keystone https://review.openstack.org/90405 | 03:38 |
*** sbfox has joined #openstack-keystone | 03:43 | |
*** ayoung has quit IRC | 04:02 | |
*** sbfox has quit IRC | 04:12 | |
*** leseb has joined #openstack-keystone | 04:12 | |
*** sbfox has joined #openstack-keystone | 04:16 | |
*** leseb has quit IRC | 04:17 | |
*** theocean154_zzzZ has quit IRC | 04:21 | |
*** derek_c has quit IRC | 04:27 | |
*** marcoemorais has joined #openstack-keystone | 04:42 | |
*** derek_c has joined #openstack-keystone | 04:43 | |
*** marcoemorais1 has joined #openstack-keystone | 04:45 | |
*** marcoemorais has quit IRC | 04:46 | |
*** derek_c has quit IRC | 04:49 | |
*** morganfainberg is now known as morganfainberg_Z | 05:05 | |
*** dstanek is now known as dstanek_zzz | 05:05 | |
*** leseb has joined #openstack-keystone | 05:13 | |
*** leseb has quit IRC | 05:14 | |
*** derek_c has joined #openstack-keystone | 05:27 | |
*** daneyon has quit IRC | 05:35 | |
*** harlowja is now known as harlowja_away | 05:37 | |
*** Manishanker has joined #openstack-keystone | 05:41 | |
*** sbfox has quit IRC | 05:51 | |
*** bach has joined #openstack-keystone | 05:52 | |
*** sbfox has joined #openstack-keystone | 05:53 | |
openstackgerrit | Steve Martinelli proposed a change to openstack/keystone: Add detailed federation configuration docs https://review.openstack.org/89220 | 05:55 |
*** ukalifon1 has quit IRC | 05:59 | |
*** Manishanker has quit IRC | 05:59 | |
openstackgerrit | OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/90288 | 06:01 |
*** stevemar has quit IRC | 06:02 | |
*** bach has quit IRC | 06:03 | |
*** dstanek_zzz is now known as dstanek | 06:07 | |
*** bach has joined #openstack-keystone | 06:09 | |
*** leseb has joined #openstack-keystone | 06:16 | |
*** sbfox has quit IRC | 06:16 | |
*** dstanek is now known as dstanek_zzz | 06:16 | |
*** leseb has quit IRC | 06:20 | |
*** derek_c has quit IRC | 06:42 | |
*** chandan_kumar has joined #openstack-keystone | 06:44 | |
*** chandan_kumar has quit IRC | 07:07 | |
*** leseb has joined #openstack-keystone | 07:16 | |
*** praneshp has quit IRC | 07:18 | |
*** leseb has quit IRC | 07:21 | |
*** jamielennox is now known as jamielennox|away | 07:23 | |
*** amcrn has quit IRC | 08:12 | |
*** leseb has joined #openstack-keystone | 08:17 | |
*** leseb has quit IRC | 08:22 | |
*** andreaf has joined #openstack-keystone | 08:26 | |
*** Manishanker has joined #openstack-keystone | 09:05 | |
*** marcoemorais1 has quit IRC | 09:11 | |
*** Manishanker has quit IRC | 09:15 | |
*** leseb has joined #openstack-keystone | 09:18 | |
*** leseb has quit IRC | 09:22 | |
*** Manishanker has joined #openstack-keystone | 09:23 | |
Manishanker | Hello everyone | 09:27 |
Manishanker | Can anyone help me on this | 09:28 |
Manishanker | I am trying to fix this bug (https://bugs.launchpad.net/keystone/+bug/1313837) | 09:28 |
uvirtbot | Launchpad bug 1313837 in keystone "unnecessary period in logs make searching/copy/paste annoying" [Low,Confirmed] | 09:28 |
openstackgerrit | A change was merged to openstack/python-keystoneclient: Fix typo in BaseAuthTokenMiddlewareTest https://review.openstack.org/90616 | 09:43 |
openstackgerrit | A change was merged to openstack/python-keystoneclient: auth_token test remove unused fake_app parameter https://review.openstack.org/90617 | 09:44 |
openstackgerrit | Andreas Jaeger proposed a change to openstack/identity-api: Fix typos, capitalization and remove duplicated words https://review.openstack.org/91539 | 09:53 |
*** chandan_kumar has joined #openstack-keystone | 10:15 | |
openstackgerrit | Andreas Jaeger proposed a change to openstack/identity-api: Fix typos, capitalization and remove duplicated words https://review.openstack.org/91539 | 10:17 |
*** chandan_kumar has quit IRC | 10:52 | |
*** lbragstad has quit IRC | 11:38 | |
*** lbragstad has joined #openstack-keystone | 11:40 | |
*** bach has quit IRC | 11:45 | |
*** lbragstad has quit IRC | 11:45 | |
*** bach has joined #openstack-keystone | 11:45 | |
*** afaranha has joined #openstack-keystone | 11:48 | |
*** amerine has quit IRC | 11:54 | |
*** amerine has joined #openstack-keystone | 12:04 | |
dolphm | Manishanker: o/ what have you accomplished so far? | 12:28 |
*** Manishanker has quit IRC | 12:31 | |
openstackgerrit | OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements https://review.openstack.org/91225 | 12:37 |
*** dstanek_zzz is now known as dstanek | 12:38 | |
*** Manishanker has joined #openstack-keystone | 12:39 | |
*** bknudson has quit IRC | 12:42 | |
openstackgerrit | OpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/91240 | 12:42 |
*** Manishanker has quit IRC | 12:43 | |
*** Manishanker has joined #openstack-keystone | 12:49 | |
*** dstanek is now known as dstanek_zzz | 12:53 | |
*** lbragstad has joined #openstack-keystone | 12:53 | |
*** gaud has joined #openstack-keystone | 12:59 | |
*** dstanek_zzz is now known as dstanek | 13:02 | |
*** Manishanker has quit IRC | 13:16 | |
*** joesavak has joined #openstack-keystone | 13:20 | |
*** nkinder has quit IRC | 13:25 | |
*** nkinder has joined #openstack-keystone | 13:26 | |
*** bach has quit IRC | 13:26 | |
*** nkinder has quit IRC | 13:35 | |
*** bach has joined #openstack-keystone | 13:35 | |
openstackgerrit | Christian Berendt proposed a change to openstack/identity-api: fixed typos found by topy https://review.openstack.org/91557 | 13:36 |
*** nkinder has joined #openstack-keystone | 13:41 | |
*** bknudson has joined #openstack-keystone | 13:44 | |
*** ayoung has joined #openstack-keystone | 13:44 | |
openstackgerrit | OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements https://review.openstack.org/91225 | 13:44 |
dstanek | lbragstad: hey | 13:46 |
lbragstad | dstanek: morning | 13:47 |
dstanek | lbragstad: good morning | 13:47 |
*** nkinder has quit IRC | 13:48 | |
dstanek | lbragstad: nice work on the validators - i'll be extremely happy to see real validation | 13:48 |
lbragstad | dstanek: :) me too | 13:48 |
lbragstad | thanks | 13:48 |
lbragstad | jamielennox|away: and I were kinda talking about it a few days ago | 13:49 |
lbragstad | dstanek: I noticed your comments, and I plan to address. thanks for the review | 13:49 |
lbragstad | I need to look into the factory stuff | 13:49 |
dstanek | lbragstad: great; if you have any questions you know where to find me | 13:51 |
lbragstad | dstanek: sure thing, I'll probably have some. If you have any other impl ideas feel free to push a review or diff me a patch and I'll integrate, I told jamielennox|away the same. Hoping to get this as close to right the first time | 13:52 |
openstackgerrit | Lance Bragstad proposed a change to openstack/keystone: Allow 'description' in V3 Regions to be optional https://review.openstack.org/78658 | 13:55 |
dstanek | lbragstad: will do | 13:56 |
dstanek | lbragstad: it looks like that test case i commented on in https://review.openstack.org/#/c/78658 is just a hybrid of the other two; is it testing something specific? | 13:58 |
*** shakamunyi has joined #openstack-keystone | 13:59 | |
lbragstad | dstanek: test_create_regions_with_same_description_string() test creating two regions with the same description string passed in and test_create_regions_without_descriptions tests creating two regions without descriptions in the requests at all | 13:59 |
lbragstad | I guess test_create_regions_without_descriptions is the one that ensures we test this logic: https://review.openstack.org/#/c/78658/9/keystone/catalog/core.py | 14:00 |
lbragstad | the other makes sure we don't regress uniqueness | 14:00 |
*** chandan_kumar has joined #openstack-keystone | 14:01 | |
lbragstad | or just makes sure we don't require uniqueness for V3 region descriptions | 14:01 |
dstanek | lbragstad: i think that's what confused me - one test shows that we use empty string when description is not provided and another shows that descriptions don't have to be unique | 14:02 |
*** stevemar has joined #openstack-keystone | 14:02 | |
dstanek | the third test appears to trigger the logic and ensure multiple empty strings can be stored | 14:03 |
lbragstad | right, so test_create_regions_with_same_description_string tests uniqueness and test_create_regions_without_descriptions no region description + uniqueness, | 14:03 |
*** thedodd has joined #openstack-keystone | 14:12 | |
openstackgerrit | Alex Gaynor proposed a change to openstack/keystone: Fixed some typos throughout the codebase https://review.openstack.org/91575 | 14:16 |
ayoung | dstanek, on https://review.openstack.org/#/c/90476/5/keystone/token/providers/pki.py I say we deal with Python 3 when we get there. Until I can actually test it, I am reluctant to make Python3 specific changes. Considering the hoops we have to jump through for the client, can we please not inflict Python 3 compat on ourselves until we are ready to do it across the board? | 14:16 |
ayoung | I can't currently run a Python 3 Keystone behind Apache HTTPD. Until I can do that, I have no real way to verify what actually would work. | 14:17 |
lbragstad | does anyone here have experience with kerberos vs. requests-kerberos? | 14:20 |
lbragstad | the python packages that it? | 14:21 |
lbragstad | is* | 14:21 |
*** david-lyle has joined #openstack-keystone | 14:31 | |
*** nkinder has joined #openstack-keystone | 14:35 | |
*** daneyon has joined #openstack-keystone | 14:36 | |
openstackgerrit | Rodrigo Duarte Sousa proposed a change to openstack/python-keystoneclient: Add /role_assignments endpoint support https://review.openstack.org/91578 | 14:36 |
openstackgerrit | Rodrigo Duarte Sousa proposed a change to openstack/python-keystoneclient: Add /role_assignments endpoint support https://review.openstack.org/91578 | 14:40 |
*** sbfox has joined #openstack-keystone | 14:43 | |
*** amerine_ has joined #openstack-keystone | 14:46 | |
*** amerine has quit IRC | 14:48 | |
*** sbfox has quit IRC | 14:58 | |
*** richm has joined #openstack-keystone | 15:12 | |
*** bach has quit IRC | 15:22 | |
*** amerine has joined #openstack-keystone | 15:22 | |
*** bach has joined #openstack-keystone | 15:23 | |
*** bach has quit IRC | 15:23 | |
*** amerine_ has quit IRC | 15:26 | |
*** chandan_kumar has quit IRC | 15:39 | |
*** bach has joined #openstack-keystone | 15:39 | |
*** bach has quit IRC | 15:41 | |
*** bach has joined #openstack-keystone | 15:46 | |
*** bach_ has joined #openstack-keystone | 15:48 | |
*** bach_ has quit IRC | 15:49 | |
*** bach has quit IRC | 15:51 | |
*** bach has joined #openstack-keystone | 15:51 | |
*** bach has quit IRC | 15:53 | |
*** daneyon has quit IRC | 15:59 | |
*** packet has joined #openstack-keystone | 16:01 | |
*** packet has quit IRC | 16:01 | |
*** packet has joined #openstack-keystone | 16:02 | |
*** sbfox has joined #openstack-keystone | 16:03 | |
dolphm | ayoung: bknudson: defaulting this to True maintains the bug that was introduced in 0.8.0 https://review.openstack.org/#/c/90472/ | 16:07 |
dolphm | ayoung: it breaks UUID deployments, period | 16:07 |
ayoung | dolphm, defaulting it to True gives them a way to unbreakn it | 16:08 |
ayoung | unbreak i9t | 16:08 |
ayoung | bah! | 16:08 |
ayoung | dolphm, defaulting it to False means that in PKI deployments, revocation is never checked. That would be A CVE | 16:09 |
bknudson | dolphm: UUID deployments would have to set the value to False | 16:09 |
ayoung | bknudson, explicitly, but yes | 16:09 |
ayoung | bknudson, this is like the MD5 hashing. Auth token has no way of querying the intentions of the Keystone server. | 16:10 |
dolphm | ayoung: the revocation list has *already been checked.* this is a REDUNDANT check occurring between when the token was already validated while it's still in the cache. | 16:10 |
dolphm | s/between/after/ | 16:11 |
bknudson | dolphm: what do you mean by reverting to the 0.7.1 behavior? don't check the revocation list for cached tokens at all? | 16:11 |
dolphm | bknudson: correct, if we can't seem to introduce this new behavior cleanly, it should be reverted | 16:12 |
ayoung | dolphm, that was not my understanding of how the code actually processed...let me double check. If I am wrong, then I can withdraw the objection | 16:12 |
openstackgerrit | Kevin Kirkpatrick proposed a change to openstack/keystone: Add API V3 warning for auth plugin docs https://review.openstack.org/91464 | 16:13 |
openstackgerrit | Kevin Kirkpatrick proposed a change to openstack/keystone: Add API V3 warning for auth plugin docs https://review.openstack.org/91596 | 16:13 |
dolphm | ayoung: did you even do a code review the first time around? | 16:13 |
ayoung | dolphm, I did. I panicked when I saw it, and maybe I was too cautious | 16:13 |
bknudson | http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/middleware/auth_token.py?id=6c3cbab1a8e19f085c152a062b753bb2696b8964#n834 | 16:13 |
rodrigods | stevemar, thanks for the review, fixing here =) | 16:18 |
stevemar | rodrigods, np at all | 16:18 |
*** gaud has quit IRC | 16:19 | |
mfisch | bknudson: thx for the review for Kevin, trying to teach him the process | 16:23 |
*** diegows has joined #openstack-keystone | 16:26 | |
*** marcoemorais has joined #openstack-keystone | 16:33 | |
dolphm | dstanek: pushed next-review 0.4.0 with your patch for gerrit 2.8 support | 16:34 |
dolphm | dstanek: (to pypi) | 16:34 |
dstanek | dolphm: nice, i'll install it and start using it instead of my version | 16:34 |
openstackgerrit | Rodrigo Duarte Sousa proposed a change to openstack/python-keystoneclient: Add /role_assignments endpoint support https://review.openstack.org/91578 | 16:52 |
rodrigods | stevemar, ready for another review =) | 16:53 |
stevemar | rodrigods, excellent | 16:54 |
*** bach has joined #openstack-keystone | 17:04 | |
*** shakamunyi has quit IRC | 17:09 | |
*** sbfox has quit IRC | 17:15 | |
*** sbfox has joined #openstack-keystone | 17:17 | |
openstackgerrit | Rodrigo Duarte Sousa proposed a change to openstack/python-keystoneclient: Add /role_assignments endpoint support https://review.openstack.org/91578 | 17:18 |
*** ukalifon1 has joined #openstack-keystone | 17:18 | |
ayoung | dolphm, Ok, ATM._call__ calls _validate_user_token if it is cached, we call if self._is_token_id_in_revoked_list(token_id): but if it is not, we call verified = self.verify_signed_token(user_token), which does to the if self.is_signed_token_revoked(signed_text): call. So for PKI tokens, we check revocation twice. That is a mistake. | 17:28 |
ayoung | I have to admit, I assumed that the older patch had pulled the validation code out of the validate_signed_token, as we don't want to do it twice. | 17:28 |
ayoung | I'll remove the -2, and file a bug for that | 17:28 |
*** sbfox1 has joined #openstack-keystone | 17:29 | |
*** morganfainberg_Z is now known as morganfainberg | 17:30 | |
*** sbfox has quit IRC | 17:31 | |
*** gyee has joined #openstack-keystone | 17:36 | |
*** praneshp has joined #openstack-keystone | 17:37 | |
*** thedodd has quit IRC | 17:38 | |
*** bach has quit IRC | 17:40 | |
*** leseb has joined #openstack-keystone | 17:45 | |
*** praneshp has quit IRC | 17:46 | |
*** praneshp has joined #openstack-keystone | 17:52 | |
*** daneyon has joined #openstack-keystone | 17:54 | |
openstackgerrit | Kevin Kirkpatrick proposed a change to openstack/keystone: Add API V3 warning for auth plugin docs https://review.openstack.org/91631 | 17:56 |
*** dstanek is now known as dstanek_zzz | 18:00 | |
*** sbfox1 has quit IRC | 18:01 | |
*** bach has joined #openstack-keystone | 18:02 | |
*** harlowja_away is now known as harlowja | 18:12 | |
openstackgerrit | Lance Bragstad proposed a change to openstack/keystone: Initial implementation of validator https://review.openstack.org/86483 | 18:13 |
openstackgerrit | Lance Bragstad proposed a change to openstack/keystone: Implement validation on Assignment V3 resources https://review.openstack.org/86484 | 18:13 |
*** amcrn has joined #openstack-keystone | 18:21 | |
*** daneyon has quit IRC | 18:27 | |
*** dstanek_zzz is now known as dstanek | 18:27 | |
*** bach has quit IRC | 18:36 | |
*** thedodd has joined #openstack-keystone | 18:43 | |
*** sbfox has joined #openstack-keystone | 18:44 | |
morganfainberg | dstanek, ping https://review.openstack.org/#/c/90476/5 is there a concern merging this from an eventlet running keystone perspective? | 18:51 |
morganfainberg | dstanek, and this ... likely only matters with mod_wsgi | 18:52 |
morganfainberg | perhaps just a if six.py2: str() | 18:52 |
morganfainberg | ? | 18:52 |
morganfainberg | ayoung, cc ^ - i don't want to cause issues with eventlet but i think this is needed now and am ready to approve. maybe a fixme / todo will alleviate dstanek's immediate concern | 18:53 |
dstanek | morganfainberg, ayoung: i'd be ok with a fixme so that i can find it easier later | 18:54 |
morganfainberg | dstanek, ok | 18:54 |
ayoung | dstanek, you got it | 18:54 |
dstanek | ayoung: you rock | 18:55 |
morganfainberg | ayoung, +2/ from me with the fixme then. can get it gating today if things aren't too backed up (I need this to enable mod_wsgi checks in the check queue) - :) | 18:55 |
ayoung | morganfainberg, wilco | 18:55 |
dstanek | it's hard enough to find the existing stuff to fix - i'm trying to make sure we aren't hiding new problems | 18:55 |
ayoung | dstanek, # TODO(ayoung): Make to a byte_str for Python3 | 18:55 |
ayoung | OK? | 18:55 |
morganfainberg | ayoung, i'm going to add the mod_wsgi keystone check to both keystoneclient and keystone since this was a change to ksc that caused the issue | 18:55 |
morganfainberg | ayoung, ++ LGTM | 18:56 |
dstanek | works for me | 18:56 |
openstackgerrit | ayoung proposed a change to openstack/keystone: Ensure token is a string https://review.openstack.org/90476 | 18:58 |
ayoung | morganfainberg, ^^ | 18:58 |
morganfainberg | ayoung, +2 applied | 18:58 |
dstanek | mine too | 18:59 |
morganfainberg | ayoung, commented to approve once jenkins +1 | 18:59 |
morganfainberg | ayoung, if i'm at lunch / afk go for it | 18:59 |
ayoung | If I set +2 and Workflow +1, will that do the right thing by check and gate? | 18:59 |
morganfainberg | ayoung, yeah workflow +1 is approve, but because things are backed up i'd wait for jenkins to +1 first | 19:00 |
dstanek | don't you have to wait for the jenkins +1? | 19:00 |
morganfainberg | dstanek, technically it can't gate now until you get a jenkins +1 | 19:00 |
ayoung | I thought they fixed that? | 19:00 |
dstanek | been lots of failures the last few days | 19:00 |
morganfainberg | but external CI (db2 for us) wont run if we approve before jenkins weighs in | 19:00 |
ayoung | OK | 19:00 |
ayoung | I'll wait | 19:00 |
morganfainberg | should only pre-emptively approve if for things like overnight or super critical | 19:01 |
morganfainberg | dstanek, the failures in the last couple days were the combination failures and nodepool images being bad | 19:01 |
morganfainberg | dstanek, combination failures = transient ones stacking up to big ones iirc | 19:01 |
*** derek_c has joined #openstack-keystone | 19:11 | |
*** diegows has quit IRC | 19:11 | |
*** bach has joined #openstack-keystone | 19:13 | |
*** marcoemorais has quit IRC | 19:15 | |
*** marcoemorais has joined #openstack-keystone | 19:21 | |
openstackgerrit | A change was merged to openstack/identity-api: Replace non-breaking space https://review.openstack.org/91440 | 19:26 |
*** ukalifon1 has quit IRC | 19:29 | |
openstackgerrit | A change was merged to openstack/python-keystoneclient: Remove unused AdjustedBaseAuthTokenMiddlewareTest https://review.openstack.org/90618 | 19:38 |
openstackgerrit | Brant Knudson proposed a change to openstack/python-keystoneclient: auth_token configurable check of revocations for cached https://review.openstack.org/90472 | 19:41 |
openstackgerrit | Brant Knudson proposed a change to openstack/python-keystoneclient: auth_token check revocation list once on validate https://review.openstack.org/91657 | 19:41 |
openstackgerrit | Brant Knudson proposed a change to openstack/python-keystoneclient: auth_token configurable check of revocations for cached https://review.openstack.org/90472 | 19:42 |
*** stevemar has quit IRC | 19:43 | |
openstackgerrit | Brant Knudson proposed a change to openstack/python-keystoneclient: auth_token configurable check of revocations for cached https://review.openstack.org/90472 | 19:44 |
*** marcoemorais has quit IRC | 19:44 | |
*** marcoemorais has joined #openstack-keystone | 19:45 | |
*** stevemar has joined #openstack-keystone | 19:49 | |
*** zhiyan_ is now known as zhiyan | 19:49 | |
*** Manishanker has joined #openstack-keystone | 19:54 | |
marekd|away | Hello, anybody willing to take a look and maybe give another +2/+A - https://review.openstack.org/#/c/90121/ | 19:55 |
*** marekd|away is now known as marekd | 19:55 | |
*** schofield has joined #openstack-keystone | 19:55 | |
*** schofield has quit IRC | 19:56 | |
*** schofield has joined #openstack-keystone | 19:57 | |
*** packet has quit IRC | 19:58 | |
*** schofield has left #openstack-keystone | 20:04 | |
*** derek_c has quit IRC | 20:09 | |
dstanek | marekd: hi | 20:09 |
*** bach has quit IRC | 20:23 | |
bknudson | should the rally job be disabled for stable/icehouse? | 20:26 |
bknudson | morganfainberg: ^ | 20:26 |
bknudson | and also gate-keystone-python33 ? | 20:27 |
*** bach has joined #openstack-keystone | 20:27 | |
*** sbfox has quit IRC | 20:29 | |
*** sbfox has joined #openstack-keystone | 20:32 | |
*** derek_c has joined #openstack-keystone | 20:33 | |
*** daneyon has joined #openstack-keystone | 20:38 | |
*** andreaf has quit IRC | 20:39 | |
*** daneyon has quit IRC | 20:45 | |
*** daneyon has joined #openstack-keystone | 20:46 | |
*** daneyon has quit IRC | 20:47 | |
*** daneyon has joined #openstack-keystone | 20:47 | |
openstackgerrit | Rodrigo Duarte Sousa proposed a change to openstack/python-keystoneclient: Add /role_assignments endpoint support https://review.openstack.org/91578 | 20:51 |
*** daneyon has quit IRC | 20:52 | |
*** daneyon has joined #openstack-keystone | 20:53 | |
dolphm | bknudson: aren't non-voting jobs disabled on stable/ anyway?? | 20:55 |
bknudson | dolphm: we've got 4 non-voting jobs on stable/icehouse | 20:56 |
dolphm | bknudson: i think they're intended to all be disabled... for example https://review.openstack.org/#/c/73402/ | 20:57 |
bknudson | dolphm: that makes more sense | 20:58 |
dolphm | bknudson: although they *are* run as checks there - just not part of the gate job (despite the name) -- which are you seeing? | 20:58 |
bknudson | check-tempest-dsvm-neutron - check-tempest-dsvm-neutron-heat-slow - check-grenade-dsvm-neutron - gate-keystone-python33 - check-rally-dsvm-keystone | 21:00 |
bknudson | oops, that first one just failed | 21:00 |
bknudson | check-tempest-dsvm-neutron-heat-slow - check-grenade-dsvm-neutron - gate-keystone-python33 - check-rally-dsvm-keystone | 21:00 |
bknudson | are nonvoting | 21:00 |
bknudson | this is on the check job, not verify | 21:00 |
dolphm | bknudson: in the long run, it makes sense to run the rally job - as we have backported performance specific patches in the past | 21:01 |
*** asselin__ has joined #openstack-keystone | 21:01 | |
bknudson | dolphm: so get it to run? | 21:01 |
bknudson | seems like we just need the config file | 21:02 |
dolphm | bknudson: in stable/ ? | 21:02 |
bknudson | dolphm: right, get rally running in stable/icehouse | 21:02 |
asselin__ | Hello, I was using openstack master and downgraded to icehouse/stable via unstack and stack. Any tips on how to resolve this error "2014-05-01 13:58:15.623 CRITICAL keystone [-] AssertionError: There is no script for 45 version | 21:03 |
asselin__ | " | 21:03 |
dolphm | bknudson: i was referring to master -> stable/juno -> ... if it's easy to get it running on icehouse, i don't think it would hurt... but it seems odd to introduce after the fact though | 21:03 |
bknudson | asselin__: find /opt/stack/keystone -name "*.pyc" -print0 | xargs -0 rm | 21:03 |
*** david-lyle has quit IRC | 21:03 | |
dolphm | asselin__: you might have to remove any *.pyc files in keystone's migration repository? | 21:04 |
dolphm | asselin__: what bknudson said | 21:04 |
*** andreaf has joined #openstack-keystone | 21:04 | |
asselin__ | bknudson, dolphm thanks that seems to have worked. | 21:05 |
*** Manishanker has quit IRC | 21:05 | |
openstackgerrit | Lance Bragstad proposed a change to openstack/keystone: Initial implementation of validator https://review.openstack.org/86483 | 21:05 |
openstackgerrit | Lance Bragstad proposed a change to openstack/keystone: Implement validation on Assignment V3 resources https://review.openstack.org/86484 | 21:05 |
dolphm | asselin__: i actually do that in every project every time i switch branches | 21:05 |
asselin__ | dolphm, yes that's a good practice to follow. I will update my branch switching script. | 21:06 |
*** bach_ has joined #openstack-keystone | 21:12 | |
*** bach_ has quit IRC | 21:12 | |
*** bach_ has joined #openstack-keystone | 21:13 | |
*** bach has quit IRC | 21:15 | |
*** jamielennox|away is now known as jamielennox | 21:18 | |
dstanek | stevemar: i've been thinking about the doc rename - why not just name them extension.rst? | 21:18 |
dstanek | stevemar: i'm ok with the name in the patch, but what happens if we actually do document more than just how to enable it | 21:19 |
*** bach_ has quit IRC | 21:24 | |
*** zhiyan is now known as zhiyan_ | 21:24 | |
*** joesavak has quit IRC | 21:24 | |
stevemar | dstanek, i thought of that too, i'm okay with the suggestion | 21:29 |
stevemar | you got a point | 21:29 |
stevemar | dstanek, should they be re-titled? | 21:32 |
*** daneyon has quit IRC | 21:37 | |
*** daneyon has joined #openstack-keystone | 21:38 | |
*** sbfox has quit IRC | 21:41 | |
morganfainberg | bknudson, hmm. we prob want to make sure new jobs don't appear on old stable releases? | 21:41 |
*** diegows has joined #openstack-keystone | 21:42 | |
bknudson | morganfainberg: seems like a waste of cpu to run it if it's never going to do anything | 21:43 |
morganfainberg | bknudson, ++ | 21:43 |
bknudson | it takes 11 mins... the py33 job only takes 26s | 21:43 |
morganfainberg | py33 job doesn't do much of anything | 21:44 |
morganfainberg | the rally job is a devstack one though. that burns a potential tempest node | 21:44 |
morganfainberg | could be worse when gate/check get backed up | 21:44 |
bknudson | downloads eventlet and craps the bed | 21:45 |
morganfainberg | yep | 21:45 |
*** sbfox has joined #openstack-keystone | 21:45 | |
morganfainberg | bknudson, dstanek has some things working on that | 21:45 |
morganfainberg | bknudson, but it's not going to net comprehensive testing (yet) because of ... eventlet etc | 21:45 |
bknudson | we need eventlet in the tests? | 21:46 |
morganfainberg | bknudson, actually infra asked us to disable the py33 test if we weren't going to make it pass. | 21:46 |
morganfainberg | bknudson, well, no, but it's in our requirements so yes. | 21:46 |
morganfainberg | don't think functionally we need it | 21:46 |
morganfainberg | just it is required because requirements | 21:46 |
*** derek_c has quit IRC | 21:46 | |
*** derek_c has joined #openstack-keystone | 21:47 | |
*** leseb has quit IRC | 21:52 | |
*** daneyon has quit IRC | 21:53 | |
*** leseb has joined #openstack-keystone | 21:56 | |
bknudson | morganfainberg: https://review.openstack.org/#/c/84815/ | 21:58 |
jamielennox | gyee: is it possible to just convert barbican to using a session object? | 21:58 |
bknudson | morganfainberg: -> https://review.openstack.org/#/c/91690/ | 21:58 |
morganfainberg | bknudson, saw the post in -infra channel | 21:58 |
jamielennox | gyee: that patch is somewhat a mess of mixing concepts | 21:58 |
bknudson | now I just need to test it locally | 21:59 |
*** marcoemorais has quit IRC | 22:00 | |
jamielennox | gyee: barbicanclient implements its own auth_plugins :( | 22:01 |
ayoung | jamielennox, this comes as a surprise to no one | 22:02 |
jamielennox | ayoung: just makes me sad i guess | 22:03 |
ayoung | stevemar, OK, just learned some good things about Mapping | 22:03 |
*** marcoemorais has joined #openstack-keystone | 22:03 | |
*** derek_c has quit IRC | 22:03 | |
*** dstanek is now known as dstanek_zzz | 22:03 | |
stevemar | ayoung, oh? what did you learn? | 22:04 |
ayoung | stevemar, if you have multiple rules that match, they all apply. So, for example, if one rule maps the assertion group A to the Keystone Group A and a different rule maps the Assertion Group B to the Keystone group B, and the user has both A and B in their assertion, they get both Keystone groups | 22:04 |
ayoung | also | 22:04 |
stevemar | ayoung, correct | 22:04 |
ayoung | I split up the mapping of REMOTE_USER from REMOTE_USER_GROUPS, and the different fields both get properly mapped. | 22:04 |
stevemar | I don't understand that last one | 22:05 |
stevemar | you made two rules? | 22:05 |
ayoung | stevemar, yes | 22:05 |
ayoung | so REMOTE_USER -> user_id and REMOTE_USER_GROUPS is split up and executed by different rules | 22:06 |
ayoung | I have not yet checked to see what happens when two rules both match for, say user_id | 22:06 |
ayoung | which one would win. | 22:06 |
stevemar | ayoung, hmm, handling the user_id is kinda funny in that regard | 22:06 |
ayoung | would you expect first matched or last matched to win out? | 22:06 |
stevemar | first is matched, and the rest are logged | 22:07 |
*** bach has joined #openstack-keystone | 22:07 | |
stevemar | ayoung, i think... let me check, that was a contentious point during the reviews | 22:07 |
*** lbragstad has quit IRC | 22:07 | |
*** bach has quit IRC | 22:07 | |
ayoung | stevemar, I assume you tested DomainID as well? I am using an LDAP backend, and it all works against that, but no multi domain. | 22:07 |
stevemar | ayoung, https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/utils.py#L254 | 22:08 |
*** bach has joined #openstack-keystone | 22:08 | |
stevemar | i was right, expect first matched, and log the rest | 22:08 |
*** leseb has quit IRC | 22:08 | |
ayoung | stevemar, yep | 22:08 |
*** lbragstad has joined #openstack-keystone | 22:08 | |
stevemar | ayoung, there is no support to map to domain_id yet | 22:08 |
ayoung | stevemar, we are going to need some tooling for end users that are trying to set up mappings | 22:08 |
stevemar | yeah, i don't know what's best | 22:09 |
stevemar | it takes some getting used to | 22:09 |
ayoung | stevemar so one that I would expect to be useful is to split the REMOTE_USER field with one part becoming username and the other part domain name | 22:09 |
ayoung | That plus Kerberos Trusts would be very useful | 22:10 |
stevemar | i don't know if that is true with all the stuff coming from apache though | 22:10 |
ayoung | it depends on the apache setup | 22:10 |
ayoung | I have apache configured right now to chop off the REALM if it is the same as the REALM for the HTTPD server, | 22:10 |
ayoung | KrbLocalUserMapping on | 22:11 |
ayoung | but if I turned that off, I would get | 22:11 |
stevemar | ayoung, it sounds like you're liking it :) | 22:11 |
ayoung | ayoung@CLOUDLAB.FREEIPA.ORG | 22:11 |
stevemar | ayoung, are you using saml assertions too? | 22:11 |
ayoung | stevemar, it's good to finally get to work with it. | 22:12 |
*** derek_c has joined #openstack-keystone | 22:12 | |
ayoung | no, I'm doing mod_identity_lookup and SSSD | 22:12 |
ayoung | it just adds additional env vars based on the LDAP data for the Kerberized user | 22:12 |
stevemar | i noticed that it's super easy to make work with other idps | 22:12 |
stevemar | i made a plugin for openidconnect for our internal AD | 22:12 |
stevemar | and it's almost no changes to the federation code, just a different auth plugin | 22:13 |
ayoung | so...we probably want to be able to deduce the IdP and map that to the domain. Explicitly setting protocol and IdP is not really what we want long term | 22:13 |
stevemar | yeah | 22:13 |
stevemar | that could be better | 22:13 |
ayoung | I could see a plugin that looks at the env var before doing the mapping, and selects the mapping based on the value in that | 22:14 |
ayoung | stevemar, I'm going to try setting up the server to be able to talk to two different Kerberos KDCs http://www.freeipa.org/page/Web_App_Authentication/Namespace_separation | 22:14 |
ayoung | I should be able to get an env var that tells me which one the user came from, and use that to select the mapping | 22:15 |
*** marcoemorais has quit IRC | 22:15 | |
ayoung | stevemar, I have a stack of about 4 patches from jamielennox that I needed in order to get the mapping working from the client | 22:17 |
stevemar | ayoung, in addition to the ones done by marekd ? | 22:17 |
stevemar | what do they do? | 22:18 |
ayoung | stevemar, here's my tree: https://github.com/admiyo/python-keystoneclient/tree/federation_script | 22:18 |
ayoung | stevemar, discover, and ignore the /v2.0 at the end of the endpoint for Keystone | 22:18 |
ayoung | stevemar, https://review.openstack.org/#/c/74599/ when you get a chance. | 22:20 |
stevemar | ayoung, uhh yeah, i've been avoiding it long enough | 22:20 |
ayoung | and https://review.openstack.org/#/c/90632/ | 22:21 |
ayoung | stevemar didn't you get the memo? Between Icehouse Release and summit is Client Review time! | 22:21 |
morganfainberg | ayoung, we actually got a number of the changes on client looked at because of that. | 22:22 |
morganfainberg | ayoung, :) | 22:22 |
ayoung | morganfainberg, ++ | 22:22 |
ayoung | morganfainberg, https://review.openstack.org/#/c/90632/ is probably the most important thing we need | 22:22 |
*** dstanek_zzz is now known as dstanek | 22:22 | |
ayoung | if we ever want to drop the V2 interface | 22:22 |
morganfainberg | ayoung, looking now. | 22:22 |
morganfainberg | ayoung, ooh a few deep | 22:23 |
morganfainberg | ayoung, i'll review all of them once i stand up a devstack and see if we need any fixes for logging for mod_wsgi (i think we do) | 22:23 |
ayoung | morganfainberg, yeah, 3 deep. All about discovery | 22:24 |
morganfainberg | ayoung, yeah. tough reviews | 22:24 |
morganfainberg | usually | 22:24 |
ayoung | morganfainberg, it helps to step through the code in a debugger | 22:25 |
morganfainberg | yep. | 22:25 |
ayoung | client is nice that way, as you can talk to remote servers | 22:25 |
morganfainberg | ayoung, ++ way easier than stepping a whole devstack through a debugger ;) | 22:25 |
ayoung | ++ | 22:26 |
*** ayoung is now known as ayoung_exercise | 22:26 | |
*** bknudson has quit IRC | 22:27 | |
*** marcoemorais has joined #openstack-keystone | 22:32 | |
*** bach has quit IRC | 22:34 | |
*** thedodd has quit IRC | 22:38 | |
*** marcoemorais has quit IRC | 22:44 | |
*** nkinder has quit IRC | 22:45 | |
*** marcoemorais has joined #openstack-keystone | 22:45 | |
*** marcoemorais has quit IRC | 22:46 | |
*** marcoemorais has joined #openstack-keystone | 22:47 | |
*** daneyon has joined #openstack-keystone | 22:49 | |
*** lbragstad has quit IRC | 22:51 | |
*** sbfox has quit IRC | 22:54 | |
*** nkinder has joined #openstack-keystone | 22:59 | |
*** sbfox has joined #openstack-keystone | 22:59 | |
*** andreaf has quit IRC | 23:02 | |
*** leseb has joined #openstack-keystone | 23:19 | |
*** nkinder has quit IRC | 23:22 | |
*** leseb has quit IRC | 23:23 | |
*** daneyon has quit IRC | 23:24 | |
*** amcrn has quit IRC | 23:30 | |
*** amcrn has joined #openstack-keystone | 23:37 | |
*** amerine has quit IRC | 23:40 | |
*** bknudson has joined #openstack-keystone | 23:42 | |
*** shakamunyi has joined #openstack-keystone | 23:42 | |
*** sbfox has quit IRC | 23:43 | |
*** bknudson1 has joined #openstack-keystone | 23:45 | |
*** bknudson has quit IRC | 23:47 | |
openstackgerrit | Brant Knudson proposed a change to openstack/python-keystoneclient: auth_token configurable check of revocations for cached https://review.openstack.org/90472 | 23:52 |
openstackgerrit | Brant Knudson proposed a change to openstack/python-keystoneclient: auth_token configurable check of revocations for cached https://review.openstack.org/90472 | 23:55 |