Monday, 2014-05-19

« Sunday, 2014-05-18 Index Tuesday, 2014-05-20 »
*** xianghui has joined #openstack-keystone01:19
*** mattinator has quit IRC01:21
*** diegows has joined #openstack-keystone01:45
*** diegows has quit IRC01:51
*** dstanek_zzz is now known as dstanek02:08
*** lbragstad has joined #openstack-keystone02:41
*** stevemar has joined #openstack-keystone02:43
*** mberlin1 has joined #openstack-keystone02:45
*** mberlin has quit IRC02:47
*** dstanek is now known as dstanek_zzz03:14
*** lnxnut has joined #openstack-keystone03:30
*** dstanek_zzz is now known as dstanek03:32
*** lnxnut has quit IRC03:57
*** Abhijeet has joined #openstack-keystone04:04
*** dstanek is now known as dstanek_zzz04:46
*** dstanek_zzz is now known as dstanek04:50
*** dstanek is now known as dstanek_zzz05:20
*** dstanek_zzz is now known as dstanek05:30
*** dstanek is now known as dstanek_zzz05:51
*** dims has quit IRC05:54
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/9028806:05
*** daneyon has quit IRC06:08
*** ajayaa has joined #openstack-keystone06:10
*** lbragstad has quit IRC06:18
*** jaosorior has joined #openstack-keystone06:32
*** andreaf has joined #openstack-keystone06:46
*** dstanek_zzz is now known as dstanek06:53
*** leseb has joined #openstack-keystone07:01
*** dstanek is now known as dstanek_zzz07:03
*** d0ugal has joined #openstack-keystone07:06
*** BAKfr has joined #openstack-keystone07:07
openstackgerritMarcos Fermín Lobo proposed a change to openstack/keystone: Unimplemented get roles by group for project list  https://review.openstack.org/7647007:07
*** stevemar has quit IRC07:21
*** andreaf has quit IRC07:26
*** andreaf has joined #openstack-keystone07:27
*** praneshp_ has quit IRC07:33
*** jkappert has quit IRC07:37
*** jkappert has joined #openstack-keystone07:39
openstackgerritJuan Antonio Osorio Robles proposed a change to openstack/keystone: Refactor tests regarding required attributes  https://review.openstack.org/9253507:49
*** john3213 has joined #openstack-keystone08:25
*** john3213 has left #openstack-keystone08:30
*** leseb has quit IRC08:53
*** leseb has joined #openstack-keystone09:15
*** leseb has quit IRC09:20
*** Abhijeet has quit IRC09:22
*** leseb has joined #openstack-keystone09:25
jaosoriorping bknudson09:55
*** leseb has quit IRC10:12
*** leseb has joined #openstack-keystone10:14
openstackgerritKristy Siu proposed a change to openstack/identity-api: Trusted Attributes Policy for External Identity Providers (Federation pt 4)  https://review.openstack.org/6048910:19
*** leseb has quit IRC10:46
*** lnxnut has joined #openstack-keystone11:13
openstackgerritJuan Antonio Osorio Robles proposed a change to openstack/keystone: Refactor driver_hints  https://review.openstack.org/9399211:14
*** lbragstad has joined #openstack-keystone11:23
*** lnxnut has quit IRC11:24
*** leseb has joined #openstack-keystone11:52
*** diegows has joined #openstack-keystone12:00
*** JuanManuelOlle has joined #openstack-keystone12:05
*** dims_ has joined #openstack-keystone12:07
*** askb has joined #openstack-keystone12:07
*** askb has quit IRC12:12
*** askb has joined #openstack-keystone12:13
*** dstanek_zzz is now known as dstanek12:22
*** askb is now known as abelur12:24
openstackgerritChristian Berendt proposed a change to openstack/keystone: debug level logs should not be translated  https://review.openstack.org/9301312:24
openstackgerritChristian Berendt proposed a change to openstack/keystone: all non debug log messages should be translated  https://review.openstack.org/9418412:24
*** abelur is now known as askb12:25
*** askb is now known as abelur12:26
*** abelur is now known as abelurs12:27
*** abelurs is now known as askb12:28
*** askb has quit IRC12:28
*** leseb has quit IRC12:31
*** dhellmann is now known as dhellmann_12:31
*** askb has joined #openstack-keystone12:32
*** leseb has joined #openstack-keystone12:33
*** leseb has quit IRC12:35
*** leseb has joined #openstack-keystone12:35
*** dstanek is now known as dstanek_zzz12:38
*** henrynash has joined #openstack-keystone12:40
openstackgerritEmilien Macchi proposed a change to openstack/keystone: sql migration: ensure using innodb utf8 for assignment table  https://review.openstack.org/9418712:43
*** ayoung has joined #openstack-keystone12:43
*** leseb has quit IRC12:47
*** mberlin1 is now known as mberlin12:47
*** leseb has joined #openstack-keystone12:47
*** xianghui has quit IRC12:57
*** pliniker has quit IRC12:58
*** dstanek_zzz is now known as dstanek13:12
*** ayoung has quit IRC13:16
*** ayoung has joined #openstack-keystone13:17
*** leseb has quit IRC13:22
*** leseb has joined #openstack-keystone13:22
*** leseb has quit IRC13:27
*** leseb has joined #openstack-keystone13:29
*** ChanServ sets mode: +o dolphm13:29
afaranhaHello, does someone know how to add an user using the v3 API? There is the POST /user in V2 but I didn't found in V3.13:30
*** henrynash has quit IRC13:31
dims_afaranha, see http://adam.younglogic.com/2013/09/keystone-v3-api-examples/13:31
afaranhadims_: Thankz, It's just a missing documentation then :)13:33
openstackgerritDiane Fleming proposed a change to openstack/identity-api: Clean up files for identity v2.0 reference  https://review.openstack.org/9419413:33
JuanManuelOlleafaranha: this is what you are lookinf for? https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#create-user-post-users13:36
openstackgerritChristian Berendt proposed a change to openstack/keystone: all non debug log messages should be translated  https://review.openstack.org/9418413:39
afaranhaJuanManuelOlle: Yes, it is. I always look at this one http://developer.openstack.org/api-ref-identity-v3.html, thankz13:39
*** leseb has quit IRC13:41
*** leseb has joined #openstack-keystone13:41
*** nkinder has joined #openstack-keystone14:02
*** rwsu has joined #openstack-keystone14:06
*** anteaya has joined #openstack-keystone14:09
anteayaI see this acl file creates a new group keystone-specs-core, I just want to confirm that this is intentional and you do want a new gerrit group: https://review.openstack.org/#/c/94119/2/modules/openstack_project/files/gerrit/acls/openstack/keystone-specs.config14:10
anteayathere is some copy/pastaing happening and some project do not in fact want a separate group for specs admin14:10
anteayas/project/projects14:11
*** lnxnut has joined #openstack-keystone14:14
*** morganfainberg_Z is now known as morganfainberg14:19
dolphmanteaya: i agree with the concern, but am not aware of a desire to have a new *-core group or not14:19
dolphmafaranha: POST /v3/users https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md14:19
morganfainbergdolphm, anteaya, that was my original intention, smae core group as we have14:20
anteayadolphm: okay, right now morganfainberg's acl patch depends on a new gerrit group14:20
morganfainberghad an issue with substitution in that file.14:20
anteayaokay so remove the -specs part of the group in the acl file on the next patchset14:20
morganfainbergdolphm, anteaya, going to fix that right now actually.  the other questions is should it be identity-specs or keystone-specs?14:20
anteayathat should get you what you want14:20
anteayaright, I saw that14:20
morganfainbergdolphm, anteaya, I'm inclined to use program.14:20
anteayaand dolphm raises a good point14:21
dolphmanteaya: is the consensus to name these repos as "{program}-specs" or "{project}-specs"?14:21
morganfainbergdolphm, i actually flipped that 3-4 times before submitting it the first time :P14:21
anteayatechnically it would be more correct to do {program}-specs14:21
diegowshi14:21
anteayabut the crowd is doing {project}-specs14:21
dolphmanteaya: even though clients don't follow the release naming process?14:21
diegowsI'm trying to write a custom authentication method using v3 api14:21
diegowsv3 api works for me using the stanard password method14:21
anteayathough it is implied that the {project}-specs repo encompases the program14:22
morganfainbergdolphm, anteaya, {program}-specs also future proofs if we add new projects14:22
diegowsbut when I add a new one, horizon always uses the password method name14:22
dolphmanteaya: that is not implied at all to me, unless it's {program}-specs14:22
morganfainbergdolphm, ++14:22
anteayaI don't get the sense that programs will be creating a per project specs repo14:22
diegowsis there a negotiation instance, config or something so the clients can use a specific method?14:22
dolphmanteaya: i'd specs {project}client-specs explicitly, or {program}-specs if there was client inclusion14:23
anteayadolphm: that is fair, but I think each program is only creating one specs repo14:23
morganfainberganteaya, dolphm, then since it seems mixed, unless there is a reason not to, i'd prefer identity-specs14:23
morganfainberganteaya, assuming 1 spec repo per program14:23
dolphmmorganfainberg: i'm fine with {program} -- but we'll need to communicate the release process will vary when there's client impact14:23
morganfainbergdolphm, ++14:24
morganfainbergdolphm, i was planning a separate directory for ksc in the specs repo14:24
dolphmmorganfainberg: the patch just needs to be made consistent then :)14:24
morganfainbergdolphm, yeah fixing it now :)14:25
*** dstanek is now known as dstanek_zzz14:26
ajayaaayoung: The concept of domains (new things) are only specific to keystone. Why do we need to change other components to use keystone v3?14:32
ayoungmorganfainberg, dolphm BTW...   https://github.com/admiyo/identity-api/14:32
ayoungsince I am sure you have not cleared your inboexes to actually get to my mail about it.14:33
ayoungah. dolphm did...shoulda guessed14:33
* ayoung still clearing email14:33
morganfainbergayoung, saw the email.14:33
ayoung21643 unread to go....14:33
morganfainbergayoung, but i haven't cleared email yet :P14:33
ayoungok,   not that many14:34
ayoungonly 2164 unread to go....14:34
morganfainbergayoung, https://review.openstack.org/#/c/94119/ cc dolphm  - should be consistent now14:34
morganfainbergidentity-specs repo14:34
ayoungajayaa, so we don't really.  I mean, we probably want Horizon to be able to use Domains as part of hte login, but for the other components, they should be able to work with the existing contracts.14:34
ayoungajayaa, Heat, is different, in that it actually needs to call in to Keytone to do work (Mistral will too)14:35
ayoungajayaa, but for things like Nova and Glance, they will make minor modifications for the Hierarchical Multitenacy Blueprint, but beyond that, should be able to handle V2/V3 from Keystone without any real changes.14:35
morganfainberganteaya, should be fixed for not creating a new core team now and should be consitent. thanks!14:36
anteayamorganfainberg: okay thanks14:39
anteayaand jenkins likes it, will review14:39
dolphmmorganfainberg: question inline https://review.openstack.org/#/c/94119/14:41
morganfainbergdolphm, answer in-line. i was using nova-specs... iirc as the template for this14:42
morganfainbergdolphm, since they did it first.14:42
morganfainbergdolphm, let me go take a closer look at that today when I get to the office.14:43
openstackgerritRodrigo Duarte Sousa proposed a change to openstack/python-keystoneclient: Add /role_assignments endpoint support  https://review.openstack.org/9157814:44
*** lnxnut is now known as hipster14:45
*** packet has joined #openstack-keystone14:47
lbragstaddolphm: morganfainberg it doesn't look like anyone flagged the glance-spec commit for 27 jobs... https://review.openstack.org/#/c/90461/214:48
morganfainberglbragstad, there is a test that some repos use to check headings14:48
morganfainbergetc14:48
morganfainberghttps://github.com/openstack/tripleo-specs/blob/master/tests/test_titles.py14:48
morganfainbergi plan on stealing that test14:48
lbragstadgotcha,14:49
morganfainberglbragstad, means we can be sure all the specs have some semblance of consistency14:49
lbragstadmorganfainberg: cool, I agree with that14:50
lbragstadI was digging up the glance and qa spec commits to see if anyone had commented on not including the 27 jobs14:50
morganfainberglbragstad, tripleo has them :)14:50
lbragstadalong with nova, neutron and oslo14:51
dolphmmorganfainberg: anteaya: lbragstad: +114:53
lbragstadnice14:53
morganfainbergdolphm, for KSC releases are we going to want to "archive" implemented BPs somehow?14:53
*** dstanek_zzz is now known as dstanek14:54
morganfainbergdolphm, since we wont have the nice /juno /k<something> etc dirs14:54
dolphmmorganfainberg: i can move implented specs into versioned directories at release time14:55
morganfainbergdolphm, ++ woks for me.14:55
*** thedodd has joined #openstack-keystone14:56
ayoungdolphm, say someone wants to use Facebook Oauth to connect to Horizon.  What is our path forward to that?14:56
ayoungWould it be:14:56
ayounghoirzon/auth connects to the Federation extension, and then does the redirect?14:56
morganfainbergayoung, besides cringing? :P (I know it's a valid approach)14:56
ayoungmorganfainberg, Trystack14:56
morganfainbergayoung, yeah. like i said, i know it's valid14:57
ayoungmorganfainberg, they already do it, but then cache a local password for Keystone, so its extra ugly14:57
morganfainbergayoung, oh ick14:57
ayoungyup14:58
dstanekayoung: really? where do they put the password?14:58
morganfainbergdstanek, do you _really_ want to know? :P [I am sure I don't]14:58
ayoungdstanek, extra table14:58
ayoungspecific to Horizon.14:59
dstanekhow does that get by a security review?14:59
morganfainbergayoung, that redirection seems fine if it works, it's how i'd assume any oauth would work w/ horizon14:59
ayoungdstanek, trystack is short lived "Demo openstack"14:59
ayounghttp://trystack.org/14:59
ayoung"Rule No. 1: Remember that TryStack is designed exclusively as a testing sandbox. "15:00
ayoungThe second rule of TryStack is that you don;t talk...sorry, wrong movie15:00
*** browne has joined #openstack-keystone15:01
morganfainbergayoung, making soap are we?15:01
ayoungonly the finest15:01
ayoungmorganfainberg, so, unless we expose Keystone to the outside world as a web UI, we need some sort of way to pass through from Hoirzon that the oauth provider approved the call15:05
morganfainbergayoung, that was the general thought I had when discussing it with some coworkers.15:05
ayoungmorganfainberg, its kindof like the S4U2 Proxy thing for Kerberos15:06
morganfainbergayoung, yeah.15:06
ayoungmorganfainberg, what if we ran a limited Keystone on the same machine as the Horizon server, mounted under /auth and responding to HTML content requests?15:06
ayoungwe need something to either trigger REMOTE_USER or.....what?15:07
morganfainbergayoung, sounds like a dirty hack. this _probably_ should be written as part of openstack_django_auth module (or whatever the name is)15:07
ayoungmorganfainberg, right, but what would that pass to Keystone?>15:08
ayoungI assume it would be something like this:15:08
ayounggo to horizon/auth.  THat calls to the fedreation extension15:08
*** hipster has quit IRC15:08
ayoungbut that would do a redirect...no?15:08
ayoungit needs to be enough to say "go to Facebook, and hand me back soemthing"15:08
ayoungwe need stevemar here for this conversation15:09
morganfainbergayoung, or marekd|away15:09
ayoungyep15:09
*** leseb has quit IRC15:09
dstanekonce facebook redirects back to horizon couldn't it just forward the data to keystone?15:09
*** leseb has joined #openstack-keystone15:10
ayoungdstanek, but it only has the "facebook has authorized this data" at that point15:10
morganfainbergdstanek, i think it can, but I don't know what that data actually looks like tbh15:10
ayoungnot enough to authenticate with Keystone.15:10
morganfainbergayoung, does it? it should have some user info as well15:10
ayoungoauth is not authenitcation. but delegation and info sharing15:10
morganfainbergayoung, platform data is more than "authorized" alone15:10
*** radez has joined #openstack-keystone15:10
ayoungwhat I mean is that it could not get anything that couldn't be faked out by a direct call, I think.15:11
ayoungthere are no "secrets" in that handshake.15:11
morganfainbergayoung, but isn't that what the secret tokens in oauth are for?15:11
dstanekayoung: it should have something like an oauth verifier15:11
ayoungIf Keystone did it directly, it could trust thr response, though.15:11
dstaneki'm not 100% familiar with the FB flow, but that last step should have more data15:12
openstackgerritChristian Berendt proposed a change to openstack/python-keystoneclient: use logging function parameters instead of string format arguments  https://review.openstack.org/9420515:13
morganfainbergdstanek, that is my understanding15:13
morganfainbergdstanek, ayoung, though there might be restrictions on what data can be kept that needs to be handled differently for FB specifically15:13
ayoungshort of the mapping API, we have no way of saying "this user maps to that IdP remote user."  so we need a new auth plugin, or need to modify the SAML auth plugin to accept something.  BNutright now that needs REMOTE_USER15:14
ayoungwe need an auth plugin that can accept what oauth is going to output.  Then horizon would use that to make a token request, right?15:15
ayoungmethods = ["oauth"]  in the token15:15
dstanekayoung, morganfainberg: so if we get an access token we have have a really simple plugin to pull user data instead of an Apache plugin15:16
morganfainbergayoung, i think we should bring this back up with stevemar around. will be better. i feel like we have some gaps here.15:16
morganfainberghe might be able to fill in and make this easier to figure out15:16
dstanekit's actually really easy except establishing a trust relationship with the oauth provider (but that's because I haven't looked into the federation details)15:17
morganfainbergayoung, or some extra research to fill in the gaps (e.g. FB data provided, etc)15:17
ayoungdstanek, yeah...I suspect it will tie in with out oauth stuff.15:17
radezmorganfainberg: here's the way that trystack does it now in a django auth plugin15:17
radezhttps://github.com/trystack/python-django-horizon-facebook/blob/master/horizon/facebook/backend.py15:17
ayoungradez, that is using the "shadow" table, right?15:18
radezcorrect15:18
morganfainbergayoung, https://developers.facebook.com/docs/facebook-login/login-flow-for-web/v2.0 FB connect right?15:19
ayoungdstanek, right now, we can use an oauth token issued by Keystone in order to get a token.  Seems to me that we need a way to use an oauth token issued by Facebook to get a token15:19
ayoungand a way to link the Facebook and Keystone accounts.15:20
morganfainbergayoung, looks like we would get userID, auth success, access token (oauth?), and signed data bout the user15:20
ayoungyeah, access token is the oauth thing15:20
dstanekayoung: yes, a plugin to take the authtoken from the final step and use it to query FB15:20
ayoungcould keystone verify that?15:20
ayoungah..signed data15:21
dstaneks/authtoken/access token/15:21
morganfainbergayoung, should eb able to with the standard oauth stuff we have15:21
ayoungso it should be just linke the cms verify15:21
morganfainbergsimilar15:21
morganfainbergayoung, but...15:21
morganfainbergayoung, FB Connect is Oauth215:22
morganfainbergayoung, not 1.115:22
morganfainbergwe, iirc, only support 1.115:22
ayoungmorganfainberg, so what.15:22
ayoungthis is new noi matter what15:22
ayounghttps://developers.facebook.com/docs/graph-api/securing-requests15:22
morganfainbergayoung, not new, just something to add functionality for if we need 2.015:23
ayoungmorganfainberg, keystone would need to generate app_secret_proof.15:23
morganfainbergayoung, hm. yeah.15:24
ayoungSo go to Keystone, request a request token for facebook with an app secret proof....Keystone generates it, and gets beack the access token with the proof in it.15:24
morganfainbergayoung, i'll be back in a bit. need to go head into the office.15:24
ayoungHeh.  Good morning15:24
morganfainbergayoung, that looks like one mechanism to me.15:24
dstanekayoung: yeah, the keystone FB plugin would need to do that15:25
ayoungdstanek, ++15:25
ayounghttps://developers.facebook.com/docs/facebook-login/security/15:25
morganfainbergall looks reasonable15:25
morganfainbergand not awful to implement15:25
dstaneki dont' know how this will work in trystack because the initiate the flow trystack will have to be registered and i think that means each instance will need to do that15:26
ayoungso it looks like they did what we thought about doing with Keystone tokens.  use a private key to sign your request, and have the public key avaialbe.  That way, it isn't a bearer token15:26
morganfainbergayoung, dstanek, that looks like FB app vs FB connect though?15:26
morganfainbergayoung, dstanek, FB Connect is more traditional OAuth iirc15:26
ayoungmorganfainberg, go to the office.  I promise we won';t implement until we hear from you again15:26
morganfainbergayoung, LOL i'd be ok if you implemented it before I got to the office . in fact, I'd be really impressed15:27
dstanek...or will he...15:27
morganfainbergthat app_secret_proof looks like it would be used for a FB platform app, not the external FB connect auth mechanism15:28
morganfainbergi don't think we want this to be a platform app15:28
morganfainbergand with that...15:28
ayoungradez, https://developers.facebook.com/docs/facebook-login/access-tokens/#sizes15:33
ayoungradez, so we need to figure out how to split that middle tier15:34
ayoungI think it would be passed through to Keystone to generate app secret.15:35
ayounglong lived token would live in Horizon15:35
*** wwriverrat has joined #openstack-keystone15:35
ayoungBut..I think that would mean that Trystack would have to be a registered app with Facebook.15:35
ayoungand...my head asplode15:36
*** morganfainberg is now known as morganfainberg_Z15:38
openstackgerritChristian Berendt proposed a change to openstack/python-keystoneclient: replace string format arguments with function parameters  https://review.openstack.org/9420515:40
*** askb has quit IRC15:43
*** jsavak has joined #openstack-keystone15:47
openstackgerritChristian Berendt proposed a change to openstack/python-keystoneclient: replace string format arguments with function parameters  https://review.openstack.org/9420515:49
jsavakdolphm - looking at doing md for https://blueprints.launchpad.net/keystone/+spec/keystone-to-keystone-federation/ but noticed new BP review repo (keystone-specs). Should i still submit agianst identity-api until keystone-specs is there?15:49
*** henrynash has joined #openstack-keystone15:58
*** henrynash has quit IRC16:01
*** gabriel-bezerra has joined #openstack-keystone16:01
*** BAKfr has quit IRC16:05
*** marcoemorais has joined #openstack-keystone16:13
*** praneshp_ has joined #openstack-keystone16:14
*** ericvw has joined #openstack-keystone16:15
*** marcoemorais has quit IRC16:17
*** hipster has joined #openstack-keystone16:18
rodrigodsthe failing tests at https://review.openstack.org/#/c/91578/ don't seem to be related with my changes, does anyone have a hint of what's the problem there?16:21
*** leseb has quit IRC16:22
ayoungdolphm, so  what is our policy on upgradinbg keystone-paste.api from release to release?  In  icehouse we have the simple cert extension, but it is not in previous ones, and Grenade asploeds on it16:22
*** afazekas_ has joined #openstack-keystone16:22
*** leseb has joined #openstack-keystone16:22
afazekas_ayoung:16:23
afazekas_ayoung: probably this is the right place for adding extra upgrade steps: https://github.com/openstack-dev/grenade/blob/master/from-havana/upgrade-keystone16:23
*** afazekas_ is now known as afazekas16:24
ayoungafazekas, yep16:24
ayoungafazekas, if devstack doesn't touch any of the values in the paste api, we could probably get away with a swap of the file16:25
*** leseb has quit IRC16:25
*** leseb has joined #openstack-keystone16:26
afazekasayoung: is it a normally recommended upgrade step ?16:27
ayoungafazekas, that is what I am trying to ascertain.  We don't have a keystone specific tool for upgrading changes to paste-api16:27
ayoungbut if an end user modified theirs, then their changes would be overwritten by a blind replace of the file, and I think we treat it as a config file, not code16:28
*** david-lyle has joined #openstack-keystone16:29
*** leseb has quit IRC16:29
*** leseb has joined #openstack-keystone16:30
afazekasayoung: what are the exact changes required If I want those https://bugs.launchpad.net/keystone/+bug/1320670 calls working ?16:30
uvirtbotLaunchpad bug 1320670 in tempest "404 on GET /v3/OS-SIMPLE-CERT/ca at grenade" [Undecided,New]16:30
*** wwriverrat has left #openstack-keystone16:31
ayoungafazekas, add in the filter:16:31
afazekasiniset <config_file> <section> <option> <value>16:31
ayoung[filter:simple_cert_extension]16:31
ayoungpaste.filter_factory = keystone.contrib.simple_cert:SimpleCertExtension.factory16:31
ayoungthat usually goes right after [filter:endpoint_filter_extension]16:31
ayoungpaste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory16:31
ayoungwhich should be there in havana16:31
ayoungand then16:31
ayoungin [pipeline:api_v3]  add16:31
ayoungsimple_cert_extension  right before service_v316:32
afazekasI guess the ordering for [filter:simple_cert_extension] does not matters.16:33
ayoungafazekas, nope, just has to come before the pipeline that uses it16:38
*** marcoemorais has joined #openstack-keystone16:39
ayoungafazekas, you could potentially apply the diff patch bbetween havana and icehouse, and then in the downgrade, unapply it16:40
ayoungafazekas, http://paste.fedoraproject.org/103149/05176971/16:42
ayoungafazekas,   I got that from git diff origin/stable/havana:etc/keystone-paste.ini  origin/stable/icehouse:etc/keystone-paste.ini16:43
afazekas Creating a patch..16:43
*** morganfainberg_Z is now known as morganfainberg16:44
ayoungafazekas, ++  let me know if you need anything else16:44
afazekasayoung: first version: https://review.openstack.org/9422616:46
*** harlowja has joined #openstack-keystone16:48
afazekasayoung: I would like to see typo related comments before jenkins finishes :)16:49
ayoungafazekas, lets see...16:49
ayoungafazekas, can you past a before and after foto?16:50
*** leseb has quit IRC16:53
*** leseb has joined #openstack-keystone16:53
*** leseb_ has joined #openstack-keystone16:57
afazekasayoung: http://www.fpaste.org/103157/40051864/16:57
*** leseb has quit IRC16:57
ayoungafazekas, thanks, cuz my machine is spinning on  yum search iniset16:58
ayoungafazekas, looks like that puts the filter at the bottom.  Not sure if that will work.  Is suspect not.16:59
afazekasayoung: you need to source the devstack/functions16:59
ayoungah16:59
afazekasayoung: it is similar to crudini or openstack-config16:59
ayoungmorganfainberg, does order matter in paste config?16:59
morganfainbergayoung, iirc it shouldn't17:00
afazekasAFAIK it does not matter in any python conf17:00
ayoungafazekas, cool.  I can confiurm in a devstack I have running....17:00
*** gyee has joined #openstack-keystone17:01
ayounglooks like it works17:01
*** jaosorior has quit IRC17:01
ayoung afazekas what is  local pipeline?17:02
ayoungand...it is 1PM.17:04
afazekasayoung: limits the variable scope to the function17:04
*** BAKfr has joined #openstack-keystone17:04
ayoung++17:04
* ayoung a little rusty on bashisms17:04
*** leseb_ has quit IRC17:07
*** amcrn has joined #openstack-keystone17:26
*** thedodd has quit IRC17:29
*** jaosorior has joined #openstack-keystone17:30
jaosoriorlbragstad, what do you think of my suggestion as put in this change? https://review.openstack.org/#/c/92535/17:35
lbragstadjaosorior: checking17:37
lbragstadjaosorior: I don't think it would be that big of a deal, I was just thinking it could save an extra method.. since we have _require_attribute and _require_attributes, both of what are used by assert_attribute and assert_attributes, that way the assert method would determine which _require method to call.17:39
lbragstadeither way would be fine by me now that I think about it17:39
jaosorioralright, tomorrow I'll upload it with decorators17:39
lbragstadjaosorior: cool! I'll be sure to check it out17:40
jaosoriorit's 9pm here and I forgot my work laptop (haven't managed to set up an environment for keystone in my home computer with ArchLinux)17:40
lbragstad gotcha17:40
*** dims_ has quit IRC17:42
*** afazekas has quit IRC17:46
*** harlowja has quit IRC17:50
*** harlowja has joined #openstack-keystone17:50
*** rodrigods_ has joined #openstack-keystone17:55
*** rodrigods_ has quit IRC17:57
*** harlowja has quit IRC18:00
*** harlowja has joined #openstack-keystone18:00
*** rodrigods_ has joined #openstack-keystone18:02
*** rodrigods_ has quit IRC18:04
*** thedodd has joined #openstack-keystone18:08
*** hipster has quit IRC18:15
*** andreaf has quit IRC18:18
*** atmark has quit IRC18:18
*** rodrigods_ has joined #openstack-keystone18:23
*** gokrokve has joined #openstack-keystone18:38
openstackgerritDiane Fleming proposed a change to openstack/identity-api: Clean up files for identity v2.0 reference  https://review.openstack.org/9419418:41
*** hipster has joined #openstack-keystone18:47
*** hipster has quit IRC18:51
*** andreaf has joined #openstack-keystone18:55
*** rodrigods_ has quit IRC19:01
*** marcoemorais has quit IRC19:04
*** marcoemorais has joined #openstack-keystone19:10
*** dstanek is now known as dstanek_zzz19:12
*** dstanek_zzz is now known as dstanek19:14
*** hipster has joined #openstack-keystone19:18
openstackgerritguang-yee proposed a change to openstack/keystone: Make sure scoping to the project of a disabled domain result in 401.  https://review.openstack.org/9425119:21
*** hipster has quit IRC19:23
*** praneshp_ has quit IRC19:29
*** dims has joined #openstack-keystone19:34
*** ajayaa has quit IRC19:41
*** marcoemorais has quit IRC19:42
*** marcoemorais has joined #openstack-keystone19:42
*** radez is now known as radez_g0n319:43
*** hipster has joined #openstack-keystone19:47
*** jaosorior has quit IRC19:51
ayoungmorganfainberg, we want to put user or group into the hash when we do https://etherpad.openstack.org/p/juno-keystone-user-ids19:52
*** hipster has quit IRC19:52
ayoungothewise user ids and group ids that are the same will hash to the same value19:52
*** amcrn has quit IRC19:54
*** jraim has quit IRC19:54
*** browne has quit IRC19:55
*** browne has joined #openstack-keystone19:55
*** jraim has joined #openstack-keystone19:57
*** henrynash has joined #openstack-keystone19:57
*** packet has quit IRC19:58
*** browne1 has joined #openstack-keystone19:58
*** erecio has quit IRC19:59
*** browne has quit IRC19:59
*** praneshp_ has joined #openstack-keystone20:00
*** praneshp_ has quit IRC20:00
*** amcrn has joined #openstack-keystone20:00
*** harlowja has quit IRC20:01
*** marcoemorais has quit IRC20:01
*** marcoemorais has joined #openstack-keystone20:02
*** harlowja has joined #openstack-keystone20:02
*** erecio has joined #openstack-keystone20:04
*** rodrigods has quit IRC20:06
*** henrynash has quit IRC20:07
openstackgerritDavid Stanek proposed a change to openstack/python-keystoneclient: Fixes an erroneous type check in a test  https://review.openstack.org/9425620:08
*** praneshp_ has joined #openstack-keystone20:10
*** dims has quit IRC20:11
*** dims has joined #openstack-keystone20:12
*** dims has quit IRC20:18
*** daneyon has joined #openstack-keystone20:19
*** atmark has joined #openstack-keystone20:28
*** atmark is now known as Guest8213020:28
*** dstanek is now known as dstanek_zzz20:30
*** amcrn has quit IRC20:36
*** bobt has joined #openstack-keystone20:37
*** amcrn has joined #openstack-keystone20:42
morganfainbergayoung, good point20:42
ayoungmorganfainberg, you responding to what I said in -dev?20:43
morganfainbergayoung, no the group thing20:43
morganfainbergayoung, with hashing20:43
ayoungah, yep20:43
morganfainberghadn't cycled over to -dev yet20:43
*** hipster has joined #openstack-keystone20:47
*** amcrn has quit IRC20:51
*** hipster has quit IRC20:52
*** JuanManuelOlle has quit IRC20:53
*** ayoung is now known as ayoung_dad_mode20:59
*** browne has joined #openstack-keystone21:04
*** browne1 has quit IRC21:04
*** rodrigods has joined #openstack-keystone21:14
*** dstanek_zzz is now known as dstanek21:14
*** dstanek is now known as dstanek_zzz21:24
*** harlowja has quit IRC21:32
*** harlowja has joined #openstack-keystone21:33
*** jsavak has quit IRC21:43
*** dims has joined #openstack-keystone21:44
*** dstanek_zzz is now known as dstanek21:45
*** hipster has joined #openstack-keystone21:47
*** hipster has quit IRC21:52
*** andreaf has quit IRC21:55
*** dstanek is now known as dstanek_zzz21:55
*** andreaf has joined #openstack-keystone21:55
*** rodrigods has quit IRC21:58
*** rodrigods has joined #openstack-keystone21:59
*** rodrigods has quit IRC22:15
*** browne has quit IRC22:15
*** rodrigods has joined #openstack-keystone22:15
*** rodrigods has joined #openstack-keystone22:15
*** BAKfr has quit IRC22:22
*** rodrigods has quit IRC22:28
*** nkinder has quit IRC22:28
*** dims has quit IRC22:30
*** thedodd has quit IRC22:38
*** dstanek_zzz is now known as dstanek22:40
*** rodrigods has joined #openstack-keystone22:41
*** browne has joined #openstack-keystone22:42
*** hipster has joined #openstack-keystone22:42
*** hipster_ has joined #openstack-keystone22:44
*** afaranha has quit IRC22:44
*** gabriel-bezerra has quit IRC22:46
*** hipster has quit IRC22:47
*** hipster has joined #openstack-keystone22:47
bknudsonis keystoneclient broken now?22:47
*** rodrigods has quit IRC22:47
*** hipster_ has quit IRC22:49
*** r-daneel has joined #openstack-keystone22:49
morganfainbergbknudson, is it?22:49
bknudsonmorganfainberg: https://review.openstack.org/#/c/91240/22:50
bknudsonmorganfainberg: looks like dstanek might have a fix -- https://review.openstack.org/#/c/94256/22:50
bknudsonor a workaround22:50
*** stevemar has joined #openstack-keystone22:50
morganfainbergdid httpretty change?22:50
bknudsonrequests22:51
morganfainbergoh22:51
morganfainbergboo22:51
dstanekbknudson: yeah, it was breaking my environment - i always run the latest :-(22:51
morganfainbergwonder how bad this will break everything else...22:51
morganfainbergis ksc the only affected client?22:52
*** hipster has quit IRC22:52
morganfainbergdo we need to cap requests until it's fixed everywhere?22:52
dstanekmorganfainberg: probably - the test there was being dumb22:52
bknudsonhistory is a list and not a tuple... I hope no clients were expecting a tuple rather than a list.22:52
*** gokrokve has quit IRC22:52
morganfainbergbknudson, ++22:52
dstanekmorganfainberg: s/probably/probably not/22:53
morganfainbergdstanek,. yeah looks ok elsewhere22:53
bknudsonso req_resp is a list now but ses_resp is a tuple?22:54
morganfainbergbknudson, thats what it looks like22:54
bknudsonI'm wondering if ses_resp should be a list22:54
morganfainbergbknudson, they should probably match22:54
bknudsonses_resp.history22:55
morganfainbergbknudson, but i don't know if we should gate on those matching type wise22:55
*** gokrokve_ has joined #openstack-keystone22:55
*** browne has quit IRC22:55
dstanekbknudson, morganfainberg: either way our code shouldn't care22:56
bknudsonthere's a NOTE in the code says we set .history to a tuple so it matches the requests library22:56
bknudsonso that note isn't valid anymore.22:56
morganfainbergbknudson, dstanek, i'm fine with us not caring about the mismatch (fixing the test in this case).22:58
bknudsonhttp://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/session.py#n25922:58
morganfainbergbknudson, ack22:58
morganfainbergi think it's fair to either fix the code or remove the comment, though we might want to ask jamielennox|away if there is any other concerns about a mismatch there.22:59
*** gokrokve_ has quit IRC22:59
*** r-daneel has quit IRC23:03
*** browne has joined #openstack-keystone23:03
*** r-daneel has joined #openstack-keystone23:04
*** dstanek is now known as dstanek_zzz23:04
*** dstanek_zzz is now known as dstanek23:05
*** r-daneel has quit IRC23:07
*** amcrn has joined #openstack-keystone23:11
dstanekmorganfainberg, bknudson: i'm thinking i want to delete those three lines as a part of my patch23:13
bknudsondstanek: which 3 lines?23:13
dstanekbknudson: http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/session.py#n25923:14
bknudsondstanek: works for me.23:15
*** rodrigods has joined #openstack-keystone23:15
*** rodrigods has joined #openstack-keystone23:15
dstaneki'm going to create a bug then since that's in production code23:15
*** jamielennox|away is now known as jamielennox23:17
*** stevemar has quit IRC23:17
jamielennoxbknudson, morganfainberg: what happened?23:20
openstackgerritDavid Stanek proposed a change to openstack/python-keystoneclient: Fixes an erroneous type check in a test  https://review.openstack.org/9425623:21
jamielennoxdstanek: oh, yea - cool i'm happy to have that be a list, i never understood why requests forced it to a tuple23:21
*** david-lyle has quit IRC23:23
dstanekjamielennox: yeah, it doesn't seems to make much sense, but that's probably why it was undone23:24
*** afaranha has joined #openstack-keystone23:30
*** gabriel-bezerra has joined #openstack-keystone23:34
rodrigodsdstanek, did you see my comment over there? gave a 0 because I wasn't sure about the outcome23:35
*** nkinder has joined #openstack-keystone23:41
*** daneyon has quit IRC23:46
*** hipster has joined #openstack-keystone23:47
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Remove _factory methods from auth plugins  https://review.openstack.org/8198523:47
jamielennoxdolphm: please review your comment on https://review.openstack.org/#/c/91216/ when you get a chance23:48
jamielennoxor my reply to your comment23:48
*** hipster has quit IRC23:52
*** gokrokve has joined #openstack-keystone23:53
*** dstanek is now known as dstanek_zzz23:54
morganfainbergrodrigods, i think the comparison assert shouldn't matter on that patchset.23:55
morganfainbergrodrigods, i'd rather not have to verify we're returning the same type - especially if the types act (for the most part) the same in the consuming method23:56
rodrigodsmorganfainberg, makes sense, but i thought that removing a check isn't necessary after the returned type was fixed23:58
*** bobt has quit IRC23:58
morganfainbergrodrigods, it isn't, but i'd argue that the test was incorrect to begin with23:58
morganfainbergrodrigods, so i'd rather remove it at the same time we fix23:58
rodrigodsmorganfainberg, fair enough.23:59
« Sunday, 2014-05-18 Index Tuesday, 2014-05-20 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!