Friday, 2014-05-02

*** shakamunyi has quit IRC00:05
*** diegows has quit IRC00:17
*** sbfox has joined #openstack-keystone00:21
*** ayoung_exercise has quit IRC00:31
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Discovery URL querying functions  https://review.openstack.org/8114600:43
*** richm has quit IRC00:44
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Unversioned endpoints in service catalog  https://review.openstack.org/7459900:44
*** amcrn has quit IRC00:44
*** jamielennox is now known as jamielennox|away00:53
*** arborism has joined #openstack-keystone00:53
*** derek_c has quit IRC00:57
*** marcoemorais has quit IRC01:02
*** arborism has quit IRC01:03
*** arborism has joined #openstack-keystone01:09
*** derek_c has joined #openstack-keystone01:11
*** ayoung has joined #openstack-keystone01:12
*** stevemar has quit IRC01:13
*** arborism has quit IRC01:24
*** jamielennox|away is now known as jamielennox01:28
*** praneshp has quit IRC01:40
*** arborism has joined #openstack-keystone01:41
*** arborism has quit IRC01:42
*** arborism has joined #openstack-keystone01:42
*** arborism has quit IRC01:46
*** rishi_ has joined #openstack-keystone01:55
rishi_hi01:56
rishi_do u know the technique of open stack01:58
*** openstackgerrit has quit IRC02:04
*** openstackgerrit has joined #openstack-keystone02:05
*** rishi_ has quit IRC02:08
*** mberlin has joined #openstack-keystone02:19
*** mberlin1 has quit IRC02:20
*** lnxnut has joined #openstack-keystone02:44
*** harlowja is now known as harlowja_away02:50
gyeejamielennox, thinking it through a bit, I believe passing keystoneclient object into the service clients is a better way to go02:53
jamielennoxgyee: why?02:53
gyeereason is service may need additional functionalities besides authentication02:54
gyee1. catalog lookup02:54
gyee2. project/user lookup etc02:54
gyeetake event notification for example, say a service receives an event with just the ID of the affected resource02:56
gyeeservice may need to lookup the resource for additional info02:56
jamielennoxbut why wouldn't they take the session they were given and create their own keystoneclient02:57
jamielennoxthe same can be said of any of the services02:57
jamielennoxthe point of all of this is that once you have the session you can pass it to whatever you like and it will use the authentication correctly02:58
gyeethey could do it that way, but why make them do additional work instead of having everything in one go02:58
jamielennoxtwo things: 1 how often do they really need to do that that it makes sense to pass keystoneclient object to everything02:59
jamielennox2. then every client has a dependency on keystoneclient02:59
gyeebut isn't session already a dependency on keystoneclient?02:59
jamielennoxonly because i don't have the power in OpenStack to go and make things like new base libraries03:00
gyeeif we make them instantiate keystoneclient individually, we go back to the same mess03:00
jamielennoxideally session and the basic auth plugin, basic managers etc would be common and could come out into some framework library03:00
gyeewhat's the drawback of passing keystoneclient?03:01
gyeeother than dependency concern03:01
jamielennoxgyee: what's the point?03:01
jamielennoxkeystone is two very separate components03:01
jamielennoxauth and CRUD03:01
gyeenot sure, is OAUTH just auth, or authz negotiation?03:02
jamielennoxthe CRUD stuff in keystone is no more important than any of the other services03:02
gyeejamielennox, where do you think session will live, oslo?03:08
jamielennoxi don't think oslo makes sense in the client libraries03:08
jamielennoxbut an oslo type library03:08
*** lnxnut has quit IRC03:09
gyeeyou thinking a separate project just for the session?03:10
*** stevemar has joined #openstack-keystone03:12
ayoungjamielennox, I was thinking of how we should rework auth_token middleware.  Basically:  2 steps:  first, check the policy file for the called method.  If it needs a token, unpack the token.  Then call the policy.  We are doing it backwards now.  But to keep from breaking other servers we should probably do it as a new middleware class, although it can live in the same file as ATM does at present03:13
*** lbragstad has joined #openstack-keystone03:14
jamielennoxgyee: ideally not just for session03:14
jamielennoxthe base manager class03:14
jamielennoxthe base resource class03:14
jamielennoxbasic exceptions03:14
jamielennoxall that stuff should be the same between clients03:14
gyeeI see what you mean03:15
gyeethat seems to make sense03:15
ayoungjamielennox, also, the middleware can then fetch the policy based on the endpoint id.03:16
gyeeayoung, lets make our policy API useful :)03:17
jamielennoxayoung: i'm interested in just starting again03:17
ayoungjamielennox, lets design it right.03:17
jamielennoxi don't know if it can/should be joined with policy03:17
ayounggyee, yeah...we  start with a Keystone API that fetches the appropriate policy file for an endpoint, and allow that to default to the policy file for a specific service03:18
ayoungjamielennox, well, how else are you going to allow through non-protected services?  Like you need for discovery?03:18
ayoungWe need to know when to bypass unpacking the token03:18
morganfainbergjamielennox, ping https://review.openstack.org/#/c/81146 is it intended that the _discover.Discover statuses be globally changeable by one instance seeing a change?03:19
jamielennoxayoung: i had it solved for the current auth_token03:19
morganfainbergjamielennox, e.g. if i instantiate that object and change the statuses... all instantiations of that class see the change03:19
jamielennoxif you are talking a complete re-design i don't know03:20
jamielennoxmorganfainberg: you're talking about the EXPERIMENTAL and whatever?03:20
ayoungjamielennox, I see it as a cleanup of the current implementation, that goes as far as policy enforcement.03:20
morganfainbergjamielennox, yep03:20
ayoungthe way Keystone does "flatten" for example, needs to be in middleware.  And keystone itself should use the same middleware that the other services do03:21
jamielennoxmorganfainberg: i don't mind really, i thought it could be useful to add other terms to the deprecated list03:21
jamielennoxmorganfainberg: but honestly if that's a blocker for people i'll change it03:21
gyeeayoung, ++03:21
morganfainbergjamielennox, any changes are global for every instantiation03:21
morganfainbergeg.03:21
morganfainberghttp://pasteraw.com/k8xx7tvpzwrjinyvlkinovvngywmx0a03:22
jamielennoxayoung: so i agree we need to figure out something for global policy03:22
morganfainbergjamielennox, my concern is someone will do class(), statuses = class.CURRENT_STATUSES, statuses.append('thing')03:22
ayoungwe can let those ideas germinate for a week or two03:22
jamielennoxbut from the stuff i was doing with pecan i can tell you that the way we do it now doesn't work03:22
morganfainbergand then 'thing' is valid for every instantiation current and new.03:22
jamielennoxat least not from an enforcement at middleware point of view03:23
ayoungjamielennox, then lets base it on the lessons learned from Pecan.  I think that is a good starting point.03:23
jamielennoxmorganfainberg: yea - i know03:23
morganfainbergjamielennox, not security / locking out, just accidental changes being icky03:23
ayoungjamielennox, we can loop back 'round when you are not in such demand03:23
jamielennoxayoung: so the main takeaway from pecan is at middleware time you do not know the name of the controller, the name of the method or the resource that is actually being loaded03:23
jamielennoxall you know is the URL and the data in the request03:24
ayoungjamielennox, that is actually true even of what we do now.  Middleware might not be the right abstraction.03:24
*** topol has joined #openstack-keystone03:24
jamielennoxmorganfainberg: ok i'll change that - i'd like to get that one passed soon03:24
morganfainbergjamielennox, thats why i'm reviewing it :)03:24
jamielennoxmorganfainberg: i'll wait for you to finish then03:24
gyeedinner time03:25
jamielennoxayoung: i like the middleware idea - i just don't think it's possible03:25
*** gyee has quit IRC03:25
morganfainbergjamielennox, so far thats the only thing i've seen03:25
morganfainbergjamielennox, but i'm taking my time here.03:25
jamielennoxayoung: you should look at the other services too, they all do RBAC differently03:25
ayoungjamielennox, yeah, I figured.  The question is, which of them have the reusable ideas and which are in a state of sin?03:25
ayoungNeed to do a survey, I guess03:26
jamielennoxayoung: none and all03:26
jamielennoxactually it's not like that03:26
ayoungYou sure there is nothing we would want to reuse from them.  I admit, we are probably all in a state of sin03:26
jamielennoxit's just that most services still do admin role checking and thats it03:26
jamielennoxayoung: so most of them tie into a context better than we do, but if we're going to embrace pecan then i'd prefer to just do that than do better at contexts03:27
ayoungDoes pecan have an abstraction already that matches what we do with policy?03:27
jamielennoxbut the point is off the top of my head keystone is the only service that has configurable RBAC running03:28
jamielennoxayoung: no, it has a SecurityController that i tried to hack for ages - but essentially it's the same thing as middleware03:28
jamielennoxyou don't know what you're going to be calling at the time you are doing routing03:28
ayoungVery static?03:28
jamielennoxayoung: well at routing all you should know is the URL you're using03:29
jamielennoxpossibly the headers etc03:29
jamielennoxthat would be sufficient for 99% of services cause you just want a header with a token to be valid before letting people access it03:29
*** sbfox has quit IRC03:30
jamielennoxbut in keystone we hit the database and retrieve things and pass that out to RBAC03:30
jamielennoxit became easier to just do that with a decorator03:30
ayoungjamielennox, right, and other projects have asked for that03:30
ayoungthe decorator can live in our code.03:30
ayoungfrom keystoneclient import policy03:30
jamielennoxso Ryan Patrello (i'm sure i misspelt that) is the Pecan author, he works for rax and he wrote the pecan for barbican conversion03:31
jamielennoxi learnt some stuff from that03:31
ayounglets hit him up at the summit, then03:31
jamielennoxtechniques i didn't try with keystone03:31
jamielennox++ that's my though03:31
jamielennox++ that's my thought03:31
jamielennoxthat's why i haven't fixed that patch up - there feels like there should be a 'good' solution there but i can't quite hit it03:32
jamielennoxthat and it's really not top of my list03:32
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Discovery URL querying functions  https://review.openstack.org/8114603:33
jamielennoxmorganfainberg: ^^ just [] -> ()03:33
dstanekayoung, jamielennox: if you guys do talk to Ryan let me know03:33
morganfainbergjamielennox, sure that works frozenset() would have also worked03:33
ayoungI would like to have a coherent vision for this by the time we have the policy discussion,  that is near the end of the summit03:34
dstanekwe were chatting the other day about pecan/tulip so i'm very interested03:34
ayoungdstanek, yeah.  I need to understand pecan a touch better so I can have an intelligent conversation about it.03:34
jamielennoxayoung: it's not bad - i don't know what makes it better than any of the other frameworks03:35
jamielennoxdstanek: will do, i'd like to see how it handled async as well03:35
dstanekjamielennox: it doesn't right now - that was what started the conversation03:36
ayoungjamielennox, I would be OK with a plan to replace auth token middleware with straight decorator calls that happen later.03:36
dstaneki see movement on both sides and right now they don't meet up03:36
jamielennoxdstanek: yea, i meant more if there were plans, but i've heard wsgi in general will have some problems with async (though i don't understand the reasons)03:37
jamielennoxdstanek: i know we should start a new one!03:37
jamielennoxayoung: it can't work completely that way03:37
jamielennoxyou still need to do token decompiling etc03:37
jamielennoxbut it should probably default to passing through if the token doesn't exist03:38
dstanekjamielennox: Python could always use another web framework!03:38
jamielennoxthere is a setting for that which i know swift uses03:38
jamielennoxdstanek: but this one will be different!03:38
ayoungjamielennox, or even just a way of indicating that a suburl should or should not require a token unpack action03:39
jamielennoxayoung: if there is a token it should always be unpacked and expiration etc checked03:39
jamielennoxthat is right and that should be auth_token's job03:39
*** praneshp has joined #openstack-keystone03:40
jamielennoxit just shouldn't assume that no token is wrong03:40
jamielennoxthe thing that actually says this operation requires these roles can't happen at that level03:40
jamielennoxthe advantage i see of Pecan is that it's lightweight and configurable enough that we could work our own enforcement around it03:41
jamielennoxthe last time i tried that though i got bogged down in json validation layers03:42
jamielennoxmorganfainberg: i made a mistake in that last one, would you prefer i did frozenset?03:43
morganfainbergjamielennox, your call.03:43
morganfainbergjamielennox, i like frozenset for speedier lookup03:44
morganfainbergjamielennox, but the datasets are small03:44
morganfainbergand likely wont be hit that often03:44
morganfainbergjamielennox, what mistake?03:44
*** praneshp_ has joined #openstack-keystone03:44
jamielennox(deprecated) != (deprecated,)03:44
morganfainbergah, doh missed that03:44
*** ayoung is now known as ayoung_ZZzz__zz_03:44
jamielennoxit works cause it does str in str, but it's wrong03:44
morganfainbergother than that +203:44
morganfainbergright03:44
morganfainbergthat is the other reason i use frozensets :P03:45
morganfainbergfrozenset([]) doesn't really have the ability to be screwed up as easily03:45
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Discovery URL querying functions  https://review.openstack.org/8114603:45
jamielennoxmeh, as you say they're one and 2 elements - uploaded with just tuples03:45
morganfainbergyep03:45
morganfainbergboth work for me in this case03:45
morganfainbergok +2 that looks good to me.03:46
morganfainbergjamielennox, wanted to make sure i looked over everything inc. tests.03:46
jamielennoxmorganfainberg: thanks03:46
morganfainbergjamielennox, yeah.03:46
morganfainbergjamielennox, unfortunately limited time to review the last couple... weeks03:47
morganfainberg:(03:47
*** praneshp has quit IRC03:47
*** praneshp_ is now known as praneshp03:47
openstackgerritA change was merged to openstack/keystone: Allow 'description' in V3 Regions to be optional  https://review.openstack.org/7865803:50
*** dstanek is now known as dstanekafk04:27
*** chandan_kumar has joined #openstack-keystone04:36
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Remove the configure portion of extension docs  https://review.openstack.org/8988205:16
*** stevemar has quit IRC05:22
*** amcrn has joined #openstack-keystone05:37
*** chandan_kumar has quit IRC05:47
*** chandan_kumar has joined #openstack-keystone06:01
*** morganfainberg is now known as morganfainberg_Z06:03
*** lbragstad is now known as lbragstad_06:09
*** topol has quit IRC06:10
*** rwsu is now known as rwsu-away06:14
*** bvandenh has joined #openstack-keystone06:36
*** amcrn has quit IRC06:42
*** chandan_kumar has quit IRC06:51
*** dstanekafk is now known as dstanekafk_zzz06:57
*** openstackgerrit has quit IRC06:57
*** chandan_kumar has joined #openstack-keystone07:05
*** waterkinfe has joined #openstack-keystone07:10
*** arborism has joined #openstack-keystone07:12
*** arborism is now known as amcrn07:12
*** jamielennox is now known as jamielennox|away07:14
*** leseb has joined #openstack-keystone07:20
*** dstanekafk_zzz is now known as dstanek07:48
*** waterkinfe has quit IRC08:02
*** dstanek is now known as dstanek_zzz08:03
*** Manishanker has joined #openstack-keystone08:06
*** Ju_ has joined #openstack-keystone08:25
*** KurtMartin has joined #openstack-keystone08:25
*** ayoung_ has joined #openstack-keystone08:32
*** Ju_ has quit IRC08:33
*** dhellmann_ has joined #openstack-keystone08:33
*** derek_c has quit IRC08:33
*** bknudson1 has quit IRC08:34
*** afaranha has quit IRC08:34
*** asselin__ has quit IRC08:34
*** d0ugal has quit IRC08:34
*** dhellmann has quit IRC08:34
*** larsks has quit IRC08:34
*** dhellmann_ is now known as dhellmann08:34
*** ayoung_ZZzz__zz_ has quit IRC08:34
*** Ju has quit IRC08:34
*** kmartin has quit IRC08:34
*** larsks has joined #openstack-keystone08:37
*** chandan_kumar has quit IRC08:40
*** bknudson has joined #openstack-keystone08:46
*** afaranha has joined #openstack-keystone08:46
*** asselin__ has joined #openstack-keystone08:53
*** d0ugal has joined #openstack-keystone08:53
*** chandan_kumar has joined #openstack-keystone08:53
*** dstanek_zzz is now known as dstanek08:55
*** rwsu-away has quit IRC08:56
*** praneshp has quit IRC08:58
*** dstanek is now known as dstanek_zzz09:05
marekdHi! Is there any way to build only one documentation file with tox -e docs? I don't want to rebuild all docs every time. Tried $ tox -e docs file.rst but no luck.09:11
*** Ju has joined #openstack-keystone09:33
*** dstanek_zzz is now known as dstanek09:48
*** dstanek is now known as dstanek_zzz09:58
*** asselin__ has quit IRC10:15
*** leseb has quit IRC10:22
*** leseb has joined #openstack-keystone10:25
*** dstanek_zzz is now known as dstanek10:49
*** leseb has quit IRC10:54
*** topol has joined #openstack-keystone10:58
*** dstanek is now known as dstanek_zzz10:59
*** leseb has joined #openstack-keystone11:35
*** dstanek_zzz is now known as dstanek11:50
*** dstanek is now known as dstanek_zzz12:00
*** dstanek_zzz is now known as dstanek12:09
*** shakamunyi has joined #openstack-keystone12:36
*** shakamunyi has quit IRC12:41
*** topol has quit IRC12:45
*** dstanek is now known as dstanek_zzz13:04
*** joesavak has joined #openstack-keystone13:12
*** ayoung_ is now known as ayoung13:12
*** lbragstad_ is now known as lbragstad13:15
*** dstanek_zzz is now known as dstanek13:28
*** rodrigods has quit IRC13:31
*** rodrigods has joined #openstack-keystone13:33
*** rodrigods has quit IRC13:36
*** zhiyan_ is now known as zhiyan13:45
*** ukalifon has joined #openstack-keystone13:48
*** lnxnut has joined #openstack-keystone13:51
*** dstanek is now known as dstanek_zzz13:52
*** daneyon has joined #openstack-keystone13:59
*** packet has joined #openstack-keystone14:00
*** dstanek_zzz is now known as dstanek14:06
lbragstadmorganfainberg_Z: bknudson quick question on modifying some of the tempest Identity code, wondering if I could get your opinions?14:07
*** openstackgerrit has joined #openstack-keystone14:09
*** stevemar has joined #openstack-keystone14:10
lbragstadthe addition to the jsonschema validator that I pushed up found that we aren't using valid UUID format for the domain_id and project_id in the tempest identity client. https://github.com/openstack/tempest/blob/master/tempest/services/identity/v3/json/identity_client.py#L104 and https://github.com/openstack/tempest/blob/master/tempest/services/identity/v3/json/identity_client.py#L256 and https://github.com/openstack/temp14:10
bknudsonlbragstad: you mean the domain_id, 'default' ?14:11
lbragstadbknudson: yep14:11
bknudsonlbragstad: I think that's how keystone is set up by default14:11
lbragstadsince it's not a valid UUID format, compared to uuid.uuid4().hex14:12
lbragstadso I should add a case to the jsonschema validator for that specifically?14:12
openstackgerritChristian Berendt proposed a change to openstack/python-keystoneclient: fixed typos found by RETF rules  https://review.openstack.org/9179414:12
bknudsonno, jsonschema shouldn't require IDs to be uuids14:13
lbragstadok14:13
*** zhiyan is now known as zhiyan_14:13
*** topol has joined #openstack-keystone14:13
lbragstadbknudson: i'll respin my validator patch accordingly, thanks!14:18
*** richm has joined #openstack-keystone14:22
*** david-lyle has joined #openstack-keystone14:28
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Add detailed federation configuration docs  https://review.openstack.org/8922014:30
*** dims is now known as swip14:39
*** dstanek is now known as dstanek_zzz14:40
dolphmside note- as we're starting to benefit from federated scenarios, and talking about finally having separate keystone deploys talking to each other - user-defined IDs are looking much less attractive as we need the global uniqueness that UUID's provide14:43
openstackgerritMarcos Fermín Lobo proposed a change to openstack/keystone: Unimplemented get roles by group for project list  https://review.openstack.org/7647014:47
*** amcrn has quit IRC14:47
*** shakamunyi has joined #openstack-keystone14:54
openstackgerritLance Bragstad proposed a change to openstack/keystone: Initial implementation of validator  https://review.openstack.org/8648314:55
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on Assignment V3 resources  https://review.openstack.org/8648414:55
*** shakamunyi has quit IRC14:56
*** shakayumi has joined #openstack-keystone14:59
*** daneyon has quit IRC15:01
dolphmtopol: can you follow up on this? https://review.openstack.org/#/c/84053/15:02
topoldolphm, sure15:02
*** shakayumi has quit IRC15:03
*** shakamunyi has joined #openstack-keystone15:03
*** shakamunyi has quit IRC15:03
topoldolphm, looks great +1!15:05
*** thedodd has joined #openstack-keystone15:08
*** amcrn has joined #openstack-keystone15:10
*** shakamunyi has joined #openstack-keystone15:18
*** kfox1111 has joined #openstack-keystone15:19
dolphmtopol: thanks!15:19
* dolphm protip, if you do all the code reviews before most people wake up, then you don't have to worry about revisions while you're reviewing :D15:20
kfox1111does ldap users + sql service users with multidomain stuff make it into icehouse?15:21
dolphmkfox1111: "multiple identity backends" didn't land in icehouse, but you *could* accomplish that with the federation extension in icehouse, if you can deploy keystone to apache and configure mod_shib to talk to your ldap infrastructure15:23
*** amerine has joined #openstack-keystone15:23
kfox1111darn. :(15:23
dolphmkfox1111: docs are still in review, but http://docs-draft.openstack.org/20/89220/12/check/gate-keystone-docs/f94cc11/doc/build/html/configure_federation.html15:23
kfox1111I was just hoping to avoid pushing all the service accounts into ldap. I guess I'll have to.15:24
dolphmkfox1111: i understand that!15:24
bknudsonkfox1111: alternatively you could write your own "mod_shib" (middleware) that goes to LDAP for users15:24
bknudsonor middleware that gets user from LDAP and sets REMOTE_USER15:25
bknudsonI posted a WIP that just backports the rally config from master to stable-icehouse -- looks like it works15:26
bknudsonso should we run rally on stable/icehouse?15:26
kfox1111bknudson: hmm.. interesting. thanks for the tip.15:27
dolphmbknudson: i'm definitely not opposed; i'd be curious if the rally folks have an opinion though15:27
kfox1111hmm.. so, if there is only one identity provider, how does the heat multidomain stuff actually work?15:27
bknudsonkfox1111: I would guess the heat multidomain doesn't work with the LDAP backend.15:28
kfox1111ugg.15:29
bknudsonkfox1111: I tried starting up devstack with keystone configured for LDAP with heat yesterday and it failed...15:29
bknudsoncreated a domain but then failed to list domain15:29
dolphmbknudson: because it didn't actually create the domain, right?15:31
dolphm(if so, why didn't it fail there?)15:32
kfox1111my co workers are going to have a cow when I tell them we're going to have to keep using my hack to enable heat+ldap to work rather than the new multidomain stuff. :(15:32
dolphmheat should work with federated IdP's, as the users heat creates would be local15:32
dolphm(and the domains are local)15:33
bknudsondolphm: I thought it was odd that I was able to create a domain and the list failed... I didn't have time to look into it.15:34
openstackgerritA change was merged to openstack/identity-api: Fix typos, capitalization and remove duplicated words  https://review.openstack.org/9153915:36
*** shakayumi has joined #openstack-keystone15:37
*** shakamunyi has quit IRC15:38
kfox1111hmmm... so does shibboleth federation work with the dashboard/cli commands?15:44
*** amerine_ has joined #openstack-keystone15:44
*** amerine has quit IRC15:46
*** packet has quit IRC15:47
*** gyee has joined #openstack-keystone15:48
dolphmkfox1111: neither, yet!15:49
dolphmkfox1111: client work is in progress15:49
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: auth_token middleware hashes tokens with configurable algorithm  https://review.openstack.org/8039815:50
*** bvandenh has quit IRC15:51
kfox1111ok. thanks. I guess for our end users then, I can't use any of it until juno then. But good to know progress is being made.15:51
*** chandan_kumar has quit IRC15:55
*** bvandenh has joined #openstack-keystone15:56
gyeedolphm, https://review.openstack.org/#/c/8012416:00
gyeedolphm, I plan on doing the same for the other clients soon, just want to make sure we are good with the approach16:01
*** amcrn has quit IRC16:02
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on Assignment V3 resources  https://review.openstack.org/8648416:02
*** joesavak has quit IRC16:03
openstackgerritA change was merged to openstack/keystone: Check that all po/pot files are valid  https://review.openstack.org/8421116:03
*** joesavak has joined #openstack-keystone16:04
*** sbfox has joined #openstack-keystone16:04
dolphmgyee: nice! i'll add it to my queue for today16:06
gyeedolphm, thanks!16:10
*** sbfox has quit IRC16:11
*** joesavak has quit IRC16:11
*** Manishanker has quit IRC16:13
*** marcoemorais has joined #openstack-keystone16:15
*** sbfox has joined #openstack-keystone16:18
*** dstanek_zzz is now known as dstanek16:19
openstackgerritChristian Berendt proposed a change to openstack/python-keystoneclient: fixed typos found by RETF rules  https://review.openstack.org/9179416:23
*** devkulkarni has joined #openstack-keystone16:25
devkulkarniHey there — I am part of the Solum team. Recently asalkeld added trust capability in solum https://review.openstack.org/#/c/91260/6  I was wondering if someone from here can take a look at this patch? Your help in this regard would be much appreciated :)16:31
*** rodrigods has joined #openstack-keystone16:38
*** rodrigods has quit IRC16:38
*** rodrigods has joined #openstack-keystone16:38
openstackgerritDavid Stanek proposed a change to openstack/keystone: Cleanup of openstack-common.conf and sync  https://review.openstack.org/9182516:42
*** marekd is now known as marekd|away16:44
*** rodrigods has quit IRC16:49
*** amcrn has joined #openstack-keystone16:51
dolphmon https://review.openstack.org/#/c/81980/12/keystoneclient/v3/contrib/oauth1/access_tokens.py ...16:52
*** amcrn has quit IRC16:52
dolphmstevemar: ^ shouldn't the consumer key/secret be optional if you already have a request key/secret?16:52
*** amcrn has joined #openstack-keystone16:53
*** devkulkarni has quit IRC16:54
stevemardolphm, the user should still send them16:56
*** sbfox has quit IRC16:56
stevemardolphm, we could get them from the backend, but i think, in most client libraries, it's best to make the user present those credentials?16:57
dolphmstevemar: does oauthlib *require* both to create a client?16:57
dolphmboth sets16:57
dolphmer, pairs16:57
stevemarhttp://oauthlib.readthedocs.org/en/latest/oauth1/client.html16:58
stevemardolphm, ^16:58
openstackgerritLance Bragstad proposed a change to openstack/keystone: Initial implementation of validator  https://review.openstack.org/8648316:59
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on Assignment V3 resources  https://review.openstack.org/8648416:59
*** marcoemorais has quit IRC17:03
*** leseb has quit IRC17:04
*** marcoemorais has joined #openstack-keystone17:05
*** harlowja_away is now known as harlowja17:06
*** dims has joined #openstack-keystone17:13
*** dims has quit IRC17:13
*** swip has quit IRC17:15
*** dims has joined #openstack-keystone17:16
*** dims has quit IRC17:20
*** dims has joined #openstack-keystone17:20
openstackgerritA change was merged to openstack/keystone: Remove the configure portion of extension docs  https://review.openstack.org/8988217:21
*** KurtMartin has quit IRC17:28
*** sbfox has joined #openstack-keystone17:29
*** devkulkarni has joined #openstack-keystone17:30
*** dims has quit IRC17:36
*** dims has joined #openstack-keystone17:36
*** morganfainberg_Z is now known as morganfainberg17:37
morganfainbergdolphm, almost have everything in place to handle mod_wsgi deployment (on the way to making this default) checks on each patch keystone and keystoneclient17:45
morganfainbergwheeeee17:45
*** ayoung has quit IRC17:46
*** ayoung has joined #openstack-keystone17:47
dolphmmorganfainberg: +++17:48
*** shakayumi has quit IRC17:52
*** praneshp has joined #openstack-keystone17:57
*** leseb has joined #openstack-keystone18:05
*** marcoemorais has quit IRC18:06
*** marcoemorais has joined #openstack-keystone18:08
*** leseb has quit IRC18:09
stevemardtroyer, responsible for magic code in keystoneclient18:15
dolphmdtroyer: this is from 2012, but if you can remember any fun facts, they'd be appreciated! https://review.openstack.org/#/c/3933/9/keystoneclient/v2_0/tenants.py18:17
*** ericvw has joined #openstack-keystone18:19
*** amcrn has quit IRC18:21
dtroyerdolphm: I have no memory of that and I suppose18:22
dtroyerI'm the one who committed it, right?18:22
dolphmdtroyer: fair enough!18:22
dolphmdtroyer: in keystoneclient afaict, you may have gotten it from another client?18:22
*** sbfox has quit IRC18:23
dtroyermy guess is though that the comment is the key, it was a defensive move against keystone-original18:23
dtroyerbut then why is in the v2 tree?18:23
ericvwdolphm: I wanted to follow up on https://bugs.launchpad.net/keystone/+bug/1231488 - I am guessing I should start here: http://docs.openstack.org/developer/keystone/setup.html to get my environment setup.18:23
dtroyerargh...18:23
uvirtbotLaunchpad bug 1231488 in python-keystoneclient "ldap config "user_id_attribute" is ignored" [High,Invalid]18:23
dolphmdtroyer: oh, i was referring to self = retval, and the reasoning behind except Exception18:24
dolphmdtroyer: identity v1 was rackspace's own auth, pre-openstack18:24
dolphmdtroyer: ensuring every attribute is set is definitely a v2-ism, where we didn't have partial updates18:24
dtroyerI'm not sure what exception is expected there18:25
ayoungdstanek, on the imports https://review.openstack.org/#/c/71181/33/keystoneclient/common/cms.py,cm  is six supposed to be below zlib?18:25
dolphmayoung: yes, six is a 3rd party library18:27
dstanekayoung: yes, six is third party and zlib is Python stdlib18:27
openstackgerritA change was merged to openstack/keystone: Fixed some typos throughout the codebase  https://review.openstack.org/9157518:27
ayoungAh, thought six was considered std...good to know18:27
dolphmayoung: dstanek: i didn't want to comment on it, but i'm fine with seeing that fixed in a single patch, specifically because you have to touch those lines of code anyway18:28
dolphmayoung: dstanek: if it's code you don't have to touch, then it might as well be a separate patch since it'll get quick +A and can be on its way18:28
dolphm(without resulting in a merge conflict with your own patch)18:30
dstanekdolphm: i'm OK with either - just wanted to note it in the patch so that it will eventually happen18:30
ayoungthe double check of the revoke list?  Yeah, I like his approach18:30
ayoungI'm actually touching that code in the compressed patch, too, and I'll make sure I apply the same semantics.18:31
ayoungI'll rebase on his18:31
bknudsonyou never know what gerrit is going to look like these days18:33
*** d0ugal has quit IRC18:34
*** d0ugal has joined #openstack-keystone18:34
*** d0ugal has quit IRC18:34
*** d0ugal has joined #openstack-keystone18:34
*** sbfox has joined #openstack-keystone18:34
openstackgerritA change was merged to openstack/keystone: Sync with oslo-incubator 28fba9c  https://review.openstack.org/9060418:39
dolphmdstanek: sucks that we have to explicitly flatten out all the dependencies in openstack-common.conf now :-/18:44
*** sbfox has quit IRC18:45
*** devkulkarni has left #openstack-keystone18:45
dstanekdolphm: we don't have to, but there would be warnings if we don't18:46
dolphmdstanek: just seems unnecessary on oslo's part - but your inline comments are probably the best we can do on our side18:47
dstanekdolphm: but maybe that patch won't be accepted18:47
*** rodrigods has joined #openstack-keystone18:50
bknudsonif oslo is going to print out warnings for not listing their dependencies then that seems like a bug to me18:50
dstanek i think i mentioned it in one of my comments on the patch, but i think that every project will start getting warnings because of the change18:52
openstackgerritA change was merged to openstack/keystone: Set proper DB_INIT_VERSION on db_version command  https://review.openstack.org/9112318:52
bknudsondstanek: I guess it would be easy enough to remove all the lines with a comment when we remove a library, then re-add the ones with warnings18:53
dstanekdolphm, morganfainberg: how long after those Py3 patches merging do we make the py3 job voting?18:53
ayoungdolphm, in the examples https://review.openstack.org/#/c/71181/33/keystoneclient/tests/client_fixtures.py,cm  I have a bunch of things with _Z.  Instead of spelling out COMPRESSED, would _PKIZ  be acceptable?18:53
bknudsonimmediately18:53
morganfainbergdstanek, i'd agree with brant here.18:54
dstanekbknudson, morganfainberg: sounds good to me18:54
morganfainbergmeans we wont see regressions in the tests we're checking already18:54
ayoungDo we have a Py3 Eventlet?18:55
dstanekayoung: nope, i don't think we ever will18:56
ayoungthen...what Py3 patches are we discussing?18:56
bknudsonthat will make it easier to drop eventlet18:56
bknudsoncan we run keystone in apache with py3?18:56
bknudsonor some other wsgi server18:57
ayoungbknudson, I think we can.  I have not tested it, though18:57
dstanekbknudson: not yet, but that's what i was working toward18:58
morganfainbergdstanek, https://review.openstack.org/#/c/84052/ there is a lingering comment in there.18:58
morganfainbergdstanek, that isn't needed anymore.18:58
dstanekayoung: my py3 patches start here: https://review.openstack.org/#/c/83565/18:58
morganfainbergdstanek, +2/+A when it's removed.18:58
*** marcoemorais has quit IRC18:59
dolphmdstanek: unless there's some exceptional circumstance, i'd +2 a move to a voting job ASAP18:59
ayoungdstanek, so, for unit tests, we'll run paste?18:59
morganfainbergdolphm, my plan is similar for the mod_wsgi check, non-vote to make sure we get it working then voting as soon as it's working.18:59
dstanekayoung: i haven't gotten that far yet; i was going through all the code a few modules at a time19:00
ayoungYouse guys are da BEST!19:00
* ayoung goes back to compression19:00
dolphmmorganfainberg: what's the likelihood of something breaking the py33 job really soon, that we need to land?19:00
dstanekmorganfainberg: fixing now19:00
*** marcoemorais has joined #openstack-keystone19:00
morganfainbergdolphm, unlikely. but it's a minor change to make it voting (we should also add to gate at the same time)19:01
dstanekdolphm: just got a clone of the infra config to make the change19:01
dstanekmorganfainberg: add what to the gate?19:01
morganfainbergnow... we are potentially adding in another layer of py33 dep changes we can't get things through gate.19:01
dolphmdstanek: make sure your py33 happiness patch has landed before you propose it :P19:02
morganfainbergdstanek, py33, if it's voting, it probably should be both gate and check19:02
dstanekdolphm: yep :-)19:02
dolphmmorganfainberg: ++ one and the same19:02
*** rodrigods has quit IRC19:02
dolphmthis is the lowest number of open reviews we've had in like 5 months19:03
*** derek_c has joined #openstack-keystone19:03
dstanekso if i 'git review -d' the py3 patchset will i mess with the ones already approved? as i understand it since nothing is changed they won't be updated in gerrit19:03
morganfainbergdstanek, use -R19:03
dolphmdstanek: yes, use -x19:03
morganfainbergdoesn't rebase.19:03
morganfainbergor -X19:04
morganfainbergerm -x19:04
dolphm-X and -x are nearly identical19:04
dolphmwhat's -R?19:04
bknudsondstanek: git-review -d checks out19:04
bknudson-R means don't rebase19:04
morganfainbergoh oh was thinking submission19:04
morganfainberg-R is no-rebase19:04
bknudson-F means rebase19:04
dolphmoooh, i'm confused too19:04
dolphmdstanek: -d won't rebase anything, and won't break things that are gating, that's safe19:05
morganfainbergdolphm, yeah i think i'm conviused.19:05
morganfainbergdolphm, i also can't type atm.19:05
dolphmdstanek: but when you go to submit a revision to gerrit, use -R / --no-rebase to avoid rebasing what's gating19:05
*** leseb has joined #openstack-keystone19:05
morganfainbergdstanek, https://review.openstack.org/#/c/84053/9/keystone/middleware/core.py so what happens if ! req.body.is_readable ?19:05
morganfainbergdstanek, sorry to pull you in a ton of different directions, doing lots of reviewing today and amazingly, your patches are on the list!19:06
dolphmmorganfainberg: return self.application19:06
dolphmsame as before?19:06
morganfainbergdolphm, right, so we don't limit?19:06
dolphmmorganfainberg: correct19:06
dolphmmorganfainberg: i don't know what would cause an unreadable body though19:06
morganfainbergdolphm, is that intended.19:06
morganfainbergdolphm, thats why i'm wondering if this is intended19:07
bknudsonthere might not be a request body19:07
dolphmbknudson: wouldn't that be an empty string then?19:07
morganfainbergbknudson, that makes it non-readable?19:07
openstackgerritLance Bragstad proposed a change to openstack/keystone: Initial implementation of validator  https://review.openstack.org/8648319:08
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on Assignment V3 resources  https://review.openstack.org/8648419:08
dolphmis_body_readable: http://docs.webob.org/en/1.1/modules/webob.html19:08
morganfainbergdolphm, was looking for that actually19:08
morganfainbergoh19:09
morganfainbergyick.19:09
morganfainberghttps://bitbucket.org/ianb/webob/issue/619:09
*** leseb has quit IRC19:10
morganfainbergdo we ... need a test for this?19:10
dstanekso i was trying to keep the logic the same and just get around the None issue19:12
bknudsonmorganfainberg: is it not covered by tests?19:12
dstaneki think there is a test for it already - that's how i knew it was broken19:12
morganfainbergdstanek, hm.19:12
morganfainbergdstanek, oh i see you're not checking content_length anymore.19:13
morganfainbergaha19:13
morganfainbergbknudson, it is, just didn't see it, i was looking for the wrong thing.19:13
morganfainbergdstanek, ok all the patches in the py33 chain look good except that one comment bit.19:16
morganfainbergdstanek, if you'd rather submit that comment fix as a separate patch that works for me as well19:16
dolphmit's one of the last in the series, right?19:17
dstanekdolphm: no HEAD~419:17
morganfainbergdolphm, about middle19:17
dolphmoh19:17
morganfainbergdolphm, which is why i'm ok with it as a separate patch to fix comment19:17
dstaneki just made the change - so i can 'git review -R' it or i can just add another patch on top19:17
dolphmdstanek: your call - i'm here to re-review19:18
morganfainbergdstanek, ^ that19:18
morganfainbergi mean dolphm ++19:18
dstaneki'll just add another commit so that i don't disturb what is already ready to go19:18
morganfainbergi'll change my -1 then19:18
morganfainbergdstanek, ooh lots of unhappy in the gate on these.19:20
morganfainbergdstanek, well.. possibly transient failure19:20
dstanekmorganfainberg: really?19:20
morganfainberghttps://jenkins07.openstack.org/job/gate-grenade-dsvm/3093/console19:20
*** ukalifon has quit IRC19:21
morganfainbergprob just a transient.19:21
morganfainbergconsidering the failure was a tox.ini change :P19:21
morganfainbergdstanek, but gate is red :( boo.19:22
*** a_hacker has joined #openstack-keystone19:23
openstackgerritSteve Martinelli proposed a change to openstack/python-keystoneclient: Add request/access token and consumer support for keystoneclient  https://review.openstack.org/8198019:25
dstanekmorganfainberg: the failures i've looked at so far seem unrelated; things like not being able to detach volumes and timeouts19:27
morganfainbergdstanek, yeah. looks like transient/unrelated19:27
a_hackerHey Guys, I'm getting the following error when I try to run keystone endpoint-list/user-list, etc....19:28
a_hackerThe resource could not be found. (HTTP 404)19:28
a_hackerIt works with endpoint/token auth, but not username/pw19:28
a_hackerHere's the log output: https://gist.github.com/bmac423/71decdfc919395a0c65a19:29
dolphma_hacker: does your user have the 'admin' role?19:29
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Compressed Signature and Validation  https://review.openstack.org/7118119:30
morganfainbergayoung, that is on my list to review today. i think most my concerns were already covered by other comments though19:31
morganfainbergayoung, any nits we can address separate from that main-patch19:31
ayoungmorganfainberg, in compression?19:32
morganfainbergayoung, yeah19:32
morganfainbergayoung, i mean if i see any nits, i'll tag em and we can fix after that merges19:32
ayoungah, ok.19:32
morganfainbergayoung, don't want to block because of something trivial19:32
a_hackerkeystone --insecure user-role-list Unknown Attribute: auth_tenant_id19:33
ayoungmorganfainberg, we were down to nits on that one already19:33
*** derek_c has quit IRC19:33
morganfainbergayoung, yeah like i said, i think most everything i was concerned about already got tagged by  others19:33
ayoungmorganfainberg, I might need to rebase it once the fix for the revocation list goes through.19:33
morganfainbergayoung, ack19:33
dolphmmorganfainberg: ayoung: one of y'all could review that https://review.openstack.org/#/c/90472/19:34
ayoungpretty sure I will, actually.  Just wanted to get the fixes up there.19:34
*** david-lyle has quit IRC19:34
ayoungdolphm, sure.  on it19:34
dolphmalthough bknudson put up another patch today that sort of addresses it as well ( bknudson- link? )19:34
morganfainbergdolphm, on it19:34
*** david-lyle has joined #openstack-keystone19:34
bknudsondolphm: addresses what?19:35
openstackgerritSteve Martinelli proposed a change to openstack/python-keystoneclient: Add request/access token and consumer support for keystoneclient  https://review.openstack.org/8198019:35
bknudsonall these changes to auth_token are going to conflict19:35
ayoungdolphm, +219:35
ayoungdolphm, this one does the same logic19:35
dolphmbknudson: yeah, i know :(19:35
a_hackerdolphm : got this error: keystone --insecure --os-tenant-name=admin user-role-list Unknown Attribute: auth_tenant_id19:35
dolphmdstanek: is there a way we can safely test a package not being installed? munge sys.modules with a mock or something?19:36
bknudsonthere's also configurable hash algorithms -- https://review.openstack.org/#/c/80398/19:36
morganfainbergayoung, see a +2 from you, any reason not to approve?19:37
ayoungPKC is going to rock.  Hard19:37
morganfainbergthe one dolph just pointed us at.19:37
ayoungmorganfainberg, on config hash?  Don't think so, was just rechecking19:37
morganfainbergnod.19:38
dolphmayoung: i think he's referring to the uuid + revocation list check19:38
dolphmayoung: pkc?19:38
ayoung+A on uuid19:38
morganfainbergdolphm, i am19:38
ayoungpython keystone client19:38
dolphmah19:38
dolphmgyee put up a patch for barbicanclient to utilize auth plugins... a reality check on my -1 there would be appreciated https://review.openstack.org/#/c/80124/19:39
dolphmjamielennox|away: ^19:39
*** amerine has joined #openstack-keystone19:43
*** leseb has joined #openstack-keystone19:44
morganfainbergdolphm, bknudson, ayoung, jamielennox|away, gyee, stevemar, dstanek, https://www.surveymonkey.com/results/SM-PLBYBKM/ <--- use of backends survey19:45
morganfainbergplus jaypipes who says he uses SQL19:45
dolphmmorganfainberg: you don't think he voted too? lol19:46
dolphmmorganfainberg: i thought pipes used templated?19:46
morganfainbergdolphm, he might have.19:46
bknudsonsomebody's using LDAP19:46
morganfainbergdolphm, hm.19:46
*** amerine_ has quit IRC19:46
dolphmbknudson: not for the service catalog!19:46
stevemarmorganfainberg, so far no surprises19:47
morganfainbergdolphm, oh right, templated by his email19:47
dolphm3 responses for templated out of 15 is actually surprising19:47
dolphmso 4 out of 16 ish19:47
morganfainbergdolphm, and one custom that uses templated for some and SQL for others19:47
morganfainbergdolphm, someone uses LDAP for catalog (custom) it looks like?19:48
morganfainbergdolphm, thats... interesting19:48
dolphmreally?19:48
dolphmmaybe they didn't read the question19:48
morganfainbergdolphm, i think someone is confused about identity, assignment, and catalog19:48
morganfainbergdolphm, yeah19:48
bknudsonhow do you even use kvs?19:48
dolphm"my keystone services are provided by ldap!"19:48
dolphmbknudson: luck?19:48
stevemarhope19:49
*** leseb has quit IRC19:49
morganfainbergi'll add that i didn't vote on this, but thats because we plan on going SQL but are grizzly atm19:49
bknudsonI think this was trying to find out if we can drop the templated backend but seems it's in use.19:51
bknudsonwe still don't have the best support for it19:51
bknudsonshould probably change it to allow a v3-style format19:51
morganfainbergbknudson, yep19:51
morganfainbergbknudson, ++19:51
bknudsonand we've got the filtering code that I'm not sure if it supports the templated backend19:52
morganfainbergbknudson, my answer is it shouldn't19:52
morganfainbergadvanced features need SQL imo19:52
*** arborism has joined #openstack-keystone19:53
morganfainbergbknudson, but template looks like it's needed for simpler deployments19:53
*** arborism has quit IRC20:00
*** a_hacker has quit IRC20:00
*** sbfox has joined #openstack-keystone20:06
*** daneyon has joined #openstack-keystone20:07
openstackgerritA change was merged to openstack/keystone: Refactor service readiness notification  https://review.openstack.org/9007920:07
*** daneyon has quit IRC20:09
*** daneyon has joined #openstack-keystone20:10
openstackgerritA change was merged to openstack/keystone: fixed typos found by RETF rules in RST files  https://review.openstack.org/9178620:13
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Regions Management  https://review.openstack.org/7909620:19
*** amerine has quit IRC20:21
*** sbfox has quit IRC20:26
*** dims has quit IRC20:27
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Revocation event API  https://review.openstack.org/8116620:31
openstackgerritA change was merged to openstack/python-keystoneclient: auth_token configurable check of revocations for cached  https://review.openstack.org/9047220:33
*** harlowja is now known as harlowja_away20:33
*** harlowja_away is now known as harlowja20:37
*** derek_c has joined #openstack-keystone20:38
*** sbfox has joined #openstack-keystone20:38
openstackgerritSteve Martinelli proposed a change to openstack/python-keystoneclient: Fix docstrings in keystoneclient  https://review.openstack.org/9189320:40
*** joesavak has joined #openstack-keystone20:41
*** leseb has joined #openstack-keystone20:42
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Example Initialization scripts  https://review.openstack.org/8268720:44
openstackgerritayoung proposed a change to openstack/python-keystoneclient: regions sample script  https://review.openstack.org/9189420:44
openstackgerritayoung proposed a change to openstack/python-keystoneclient: revocation_events script  https://review.openstack.org/9189520:44
*** richm has quit IRC20:45
ayoungstevemar, "fix docstrings"  you are just submitting that to get your ATC pass to Paris, admit it.20:50
openstackgerritLance Bragstad proposed a change to openstack/keystone: Initial implementation of validator  https://review.openstack.org/8648320:50
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on Assignment V3 resources  https://review.openstack.org/8648420:50
stevemarayoung, nah, that's when i resort to spelling mistakes20:50
* lbragstad punctuation for the win20:50
morganfainbergayoung, ++20:58
*** diegows has joined #openstack-keystone21:01
*** richm has joined #openstack-keystone21:09
*** david-lyle has quit IRC21:12
*** bach has joined #openstack-keystone21:16
*** kfox1111 has quit IRC21:19
*** kfox1111 has joined #openstack-keystone21:20
*** bach has quit IRC21:21
ayoungdolphm, I take it I need to rebase 71181 again by hand....will do so later on.21:21
stevemarsometimes i wonder why i do things, clearly bknudson must have done them already (i'll mark https://review.openstack.org/#/c/91906/ abandoned)21:22
bknudson stevemar: you wouldn't have to do it if it had been merged back in Feb.21:23
stevemarbknudson, true true21:23
stevemarbknudson, did this build correctly? https://review.openstack.org/#/c/73879/3/openstack/common/apiclient/client.py21:23
stevemari thought lists had to be *'ed21:24
stevemara la - https://review.openstack.org/#/c/91906/1/openstack/common/apiclient/client.py21:24
*** dims has joined #openstack-keystone21:24
bknudsonstevemar: uhh... I think I tried it until it built cleanly... this was back in feb.21:24
bknudsonI'm not sure I checked if it actually looked good.21:25
stevemari think it will build cleanly, but won't render as a list in a browser21:25
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Compressed Signature and Validation  https://review.openstack.org/7118121:27
*** leseb has quit IRC21:32
*** stevemar has quit IRC21:32
*** d0ugal has quit IRC21:33
*** topol has quit IRC21:41
*** leseb has joined #openstack-keystone21:41
gyeemorganfainberg, sorry I was afk, we use sql for the endpoint templates too21:49
morganfainberggyee, yeah. figured as much21:49
morganfainberggyee, it seems most do.21:49
gyeemorganfainberg, we support service self-service21:50
gyeebut that's our own internal stuff21:50
*** dims has quit IRC21:51
morganfainberggyee, sure that makes sense21:51
*** joesavak has quit IRC21:57
-openstackstatus- NOTICE: Zuul is being restarted with some dependency upgrades and configuration changes; ETA 221521:59
*** leseb has quit IRC21:59
*** bach has joined #openstack-keystone22:04
*** packet has joined #openstack-keystone22:08
*** bach has quit IRC22:09
*** bach has joined #openstack-keystone22:10
*** bach has quit IRC22:12
gyeebknudson, https://bugs.launchpad.net/keystone/+bug/131555622:24
uvirtbotLaunchpad bug 1315556 in keystone "Disabling a domain does not disable the projects in that domain" [Undecided,New]22:24
gyeenot sure if this is a regression, I thought you fixed something like that earlier22:24
bknudsongyee: that sounds bad... I don't remember fixing something like that...22:25
bknudsonthere was an issue fixed with enabled/disabled endpoints in the catalog22:25
gyeebknudson, I can reproduce it in my dev env, if you guys can confirm that we may need to tag it as security bug22:26
bknudsongyee: at least we won't have to mark it as a private security bug.22:26
bknudsongyee: what about users in a disabled domain?22:27
gyeebknudson, users in disabled domain works as expected22:27
gyeethey can't get tokens22:28
*** browne has joined #openstack-keystone22:31
*** lnxnut has quit IRC22:33
*** sbfox has quit IRC22:35
*** sbfox has joined #openstack-keystone22:41
morganfainberggyee, bknudson, i'm sure disable wasn't ever disabling projects22:42
morganfainberggyee, bknudson, disabling domains that is22:42
bknudsonmorganfainberg: on purpose?22:43
bknudsonsorry, meant porpoise22:43
morganfainbergbknudson, probably as an oversight22:43
morganfainbergbknudson, lol22:43
gyeemorganfainberg, but disabling a domain should effectively disable all the resources in it22:43
gyeewe don't need explicit cascade disable, but user should not be able to do anything with that domain22:44
morganfainberggyee, sure, we should probably disable the projects at that point.22:44
morganfainberggyee, probably do, otherwise tokens issued for a user not a member of that domain, but with an assignment on a project in that domain could still launch instances etc22:44
morganfainberggyee, and i don't think we validate for new tokens issued for users not in that domain *should check*22:45
*** thedodd has quit IRC22:45
gyeemorganfainberg, we should, or our revocation logic is broken22:45
gyeerevocation check that is22:46
morganfainberggyee, yeah. let me look really quickly here if we check on project's domain being disabled22:46
morganfainberggyee, i'm not seeing anywhere where we check project domain for being enabled...22:49
morganfainberggyee, i might be missing it though.22:50
gyeemorganfainberg, you looking at the revocation tree logic?22:51
morganfainberggyee, no i'm looking at issuance of new tokens not even revocations.22:51
gyeemorganfainberg, good, you just confirmed that bug then22:52
morganfainberggyee, haven't even gotten to revoking valid tokens yet :P22:52
*** ericvw has quit IRC22:52
morganfainberggyee yeah. let me standup a devstack and be 100% sure.22:52
morganfainberggyee, but i don't see code checking things.22:52
gyeemorganfainberg, let me work on it fix, just want someone to tell me I was smoking something :)22:52
gyees/was/wasn't/22:52
morganfainberggyee, nah, don't think you're on anything here22:53
morganfainberggyee, i'll 2x verify with a real keystone here in a sec.22:53
gyeemorganfainberg, thanks!22:53
morganfainberggyee, and i'm pretty sure we need to cascade disable the projects.22:53
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: auth_token middleware hashes tokens with configurable algorithm  https://review.openstack.org/8039822:53
*** derek_c has quit IRC22:55
gyeemorganfainberg, I am struggling with this22:56
gyeeon one hand, cascading status update may have significant performance impact22:57
gyeeespecially if we are moving to hierarchical tree model22:57
morganfainberggyee, well the reason we might need to cascade is because we need to revoke outstanding tokens scoped to those projects22:57
gyeebut if we don't cascade, notification may fail miserably22:57
morganfainbergyeah22:58
morganfainberggyee, ok issuance of new tokens doesn't work23:05
morganfainberggyee, on v323:05
morganfainberggyee, http://pasteraw.com/hpib87ooviohxzahm2pazlz569txo4u23:05
morganfainberggyee, aha23:06
morganfainberggyee, https://github.com/openstack/keystone/blob/master/keystone/token/core.py#L94 it's deep in the token code.23:08
gyeemorganfainberg, what about v3?23:11
morganfainberggyee, covers both cases23:11
morganfainberggyee, v3 still calls the token.core code.23:11
*** rupsky has joined #openstack-keystone23:12
morganfainberggyee, the reason why it wasn't apparent is because we do all the work to get to the "token.create_token" method before we error out.23:12
gyeewhere does that method get invoked?23:12
*** rupsky has left #openstack-keystone23:12
morganfainberggyee, https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L40223:13
morganfainbergerm..23:13
morganfainberghttps://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L40223:13
morganfainberghrm.23:14
morganfainbergok wait a moment.23:14
morganfainberggyee, v3: https://github.com/openstack/keystone/blob/master/keystone/auth/controllers.py#L15623:18
morganfainbergwhich calls _lookup_domain, which calls _assert_domain_is_enabled23:19
gyeemorganfainberg, yeah, but if we have "scope": {"project": {"id": "project_id"}}}" it will fail23:22
gyeethat case is only for "scope": {"project": {"name": "project_name": "domain": {}}}23:23
morganfainberggyee, looks like we call _lookup_project in all cases23:23
morganfainberghttps://github.com/openstack/keystone/blob/master/keystone/auth/controllers.py#L18923:24
morganfainberggyee, oh23:24
morganfainberggyee, i see now.23:25
gyeemorganfainberg, yes we do, but the domain checking logic is only exercised if "domain" is in "project"23:25
gyeeif one specifies project ID, then we don't check project domain23:25
morganfainberggyee we need to do a _lookup_domain in the else case still23:25
morganfainbergok let me try that really quickly23:25
gyeemorganfainberg, precisely23:25
morganfainbergsince i have a live keystone23:25
*** sbfox has quit IRC23:25
-openstackstatus- NOTICE: paste.openstack.org is going down for a short database upgrade23:26
morganfainberggyee, confirmed23:26
morganfainberggyee, http://pasteraw.com/pz0g7mzqv971jibyebior72t3mp3gjf23:27
gyeemorganfainberg, thanks, should be a trivial fix23:27
gyeewe will tackle the cascade issue some other day23:27
gyeethat one needs some deep thinking23:27
morganfainberggyee yeah should be easy to move the _lookup_domain bit outside of the if/else block23:27
morganfainberggyee, should file the cascade issue as a separate bug23:28
morganfainberggyee, or this one as a separate bug from that one23:28
ayoungbknudson, what is your logic on https://review.openstack.org/#/c/80398/26  and checking all hashes?23:28
gyeemorganfainberg, agree, that issue is much broader implications23:28
gyees/is/has/23:28
morganfainberggyee, ... and unfortunately, this probably needs a backport to Icehouse and Havana23:28
morganfainberglet me confirm if this affects icehouse and/or Havana23:29
morganfainberggyee, affects I: https://github.com/openstack/keystone/blob/stable/icehouse/keystone/auth/controllers.py#L16023:30
gyeebloody23:30
morganfainberggyee same for H23:30
morganfainberghttps://github.com/openstack/keystone/blob/stable/havana/keystone/auth/controllers.py#L12123:30
morganfainberggyee, this code hasn't changed much23:31
gyeemorganfainberg, yeah, we need backport then23:31
*** dims has joined #openstack-keystone23:32
ayounggyee, I don't think we can.  Revoke-all-tokens-for-domain is going to be  painful23:34
ayoungWe don't have any way of enumerating that23:34
morganfainbergayoung, domain -> projects -> token23:35
ayoungmorganfainberg, do we have that data?23:35
morganfainbergayoung, if we don't this is one i think we can get.23:36
morganfainbergayoung, fairly easily23:36
ayoungmorganfainberg, revocation_events23:36
morganfainbergayoung, ++ solves this going forward23:36
morganfainbergmuch more elegantly23:36
gyeeayoung, but in theory the revocation tree should cover that right?23:37
ayoungI think it might already be implemented.23:37
ayoungIn fact, I'm pretty sure it is.23:37
gyeemeaning, you check for the scoped token's domain has not been revoked right?23:37
ayoungyep23:37
gyeesorry scoped project23:37
morganfainbergayoung, hm.23:38
ayoungone sec, I'll show you23:38
morganfainbergayoung, trying to think if there are gaps in it -- i think you cover most of these.23:38
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/contrib/revoke/model.py#n17823:38
ayoungif a domain is disabled, we revoke all tokens that have those alternatives23:39
ayoung'identity_domain_id', 'assignment_domain_id'23:39
ayoungthose are pulled from the tokens...(it is cleaner in the client code)23:39
morganfainbergayoung, ++ good. means we only need to fix pre-events.23:40
ayoungmorganfainberg, known issue, document, fix moving forward.  Don't fix pre-events23:40
gyeeayoung, don't fix pre-events?23:42
ayounggyee, nope....its going to be a nightmare to fix23:42
ayounglets drive on to getting the events working instead23:42
ayoungit will be easier long term, and better, too23:42
gyeebut the fix is trivial, we just make sure user can't get the token to begin with23:42
ayounggyee, oh...not revoking?23:43
morganfainbergayoung we have 2 issues 1 is revoking23:43
gyeeayoung, I mean not issue a new token23:43
ayoungdef fix that23:43
morganfainbergyep23:43
gyeeayoung, you mean the cascade update?23:43
morganfainbergayoung, yeah that was the lesser of the two concerns23:43
ayounggyee, I meant disable domain should revoke tokens23:43
ayoungnot issue new token++23:43
gyeeayoung, no, I agree with you on that one23:44
ayoungcool23:44
morganfainbergayoung, yeah we're on the same page23:44
*** dims has quit IRC23:44
openstackgerritayoung proposed a change to openstack/python-keystoneclient: Example Initialization scripts  https://review.openstack.org/8268723:46
ayoungwhere is the rebase button on the new UI?23:47
morganfainbergayoung, uhm... hiding23:47
morganfainbergayoung, top left23:48
morganfainbergayoung, under the "strategy"23:48
morganfainberg"cherry-pick", "rebase", "abandon"23:48
ayounghmmm, not seeing a rebase there, even though I updated the parent.23:49
ayoungMaybe it does it automatically?23:49
morganfainbergayoung, do you own the patchset?23:49
ayoungyep23:49
morganfainbergayoung, don't think it'23:49
morganfainbergs automatic23:49
ayoungmorganfainberg, I see cherry-pick and abandon23:50
morganfainbergayoung, i stopped using the "new screen" when i kept losing the change sets.23:50
morganfainbergerm, losing button location23:50
gyeeayoung, I don't see the rebase button either23:50
morganfainbergayoung, did you somehow end up uploading both?23:50
ayounggonna look at the old one23:50
openstackgerritayoung proposed a change to openstack/python-keystoneclient: regions sample script  https://review.openstack.org/9189423:51
openstackgerritayoung proposed a change to openstack/python-keystoneclient: revocation_events script  https://review.openstack.org/9189523:51
ayoungwell, that answered that question23:51
morganfainberglol23:51
morganfainbergok23:51
*** dims has joined #openstack-keystone23:55
*** dims has quit IRC23:55
*** dims has joined #openstack-keystone23:56
dstaneki think the gate hates me23:57
gyeedstanek, at least it is consistent :)23:59
morganfainbergdstanek, /unset _break_patches_from_dstanek23:59
gyeeheh23:59
