Thursday, 2014-05-29

*** sbfox has quit IRC [00:04]
*** arunkant has quit IRC [00:16]
*** ozialien has quit IRC [00:20]
morganfainberg: stevemar, lbragstad, wow it can take some serious time to put together one of these spec docs [00:22]
*** praneshp has quit IRC [00:24]
openstackgerrit: Morgan Fainberg proposed a change to openstack/keystone-specs: Composite Token Spec
*** ncoghlan has joined #openstack-keystone [00:37]
*** gokrokve has joined #openstack-keystone [00:38]
*** gokrokve has quit IRC [00:42]
*** ozialien has joined #openstack-keystone [00:43]
ayoung: morganfainberg, yep.  Hopefully, though, it will make the api-spec process much smoother [00:46]
morganfainberg: ayoung, well it definitely (from a writeup perspective) made it feel like I communicated the idea better than the previous identity-api spec process [00:47]
ayoung: morganfainberg, on the DB extensions, the idea was to automatically migrate the default extensions [00:47]
ayoung: you don't want to migrate extensions that are not enabled. [00:48]
morganfainberg: ayoung, why? [00:48]
ayoung: morganfainberg, dependencies [00:48]
ayoung: the idea is that an extension is an experiment [00:48]
morganfainberg: ayoung, i'm not convinced having to migrate an extension to enable it is reasonable ux [00:48]
ayoung: enabling it should be a deliberate choice, as is removing it [00:49]
ayoung: morganfainberg, the mistake is that we don't automatically enable the default extensions yet [00:49]
ayoung: lets do that first [00:49]
ayoung: for Juno that would be:  oauth, revoke [00:50]
morganfainberg: ayoung, i'm fine with doing it in a couple stages, but i think i need more convincing that it's proper to not migrate the db in all cases. [00:50]
morganfainberg: ayoung, inconsistent schemas are ugly things. i actually really really dislike the whole extension model [00:50]
ayoung: morganfainberg, we don't want to overcommit to an extension.  If we won't guarantee that it is there, we should not guarantee that the scheme is there [00:51]
morganfainberg: ayoung, but that is a different battle i don't know if i want to fight. [00:51]
ayoung: morganfainberg, the reason I pushed for it was to be able to cheaply spin up something like identity, and then split it off.  If we had done it right from the get go, that would be a trivial migration [00:51]
ayoung: but instead everything is in the galactic repo [00:52]
ayoung: if an extension is really a new, budding service, we should be able to spin it off easily [00:52]
morganfainberg: ayoung, not 100% sold, but again, i'm fine with starting it at one place vs everything [00:52]
ayoung: yeah, lets start with the default extensions....what are they? [00:53]
morganfainberg: ayoung, lets see for J, federation, revoke... uhm..... [00:53]
morganfainberg: i want to collapse endpoint filtering out of an extension - but that should be default [00:53]
ayoung: lets enable it for now [00:54]
morganfainberg: it shouldn't be an extension - because of the special catalog magic. [00:54]
ayoung: even if it is out of "extension" the migrations stay in their own repo. [00:54]
morganfainberg: or that part needs to wind up in the base catalog driver [00:54]
ayoung: what is 'access'? [00:54]
ayoung: no migration there anyway [00:54]
morganfainberg: old old stuff iirc [00:54]
ayoung: stats non [00:55]
ayoung: can ec2 go away yet? [00:55]
morganfainberg: but it has no migrations [00:55]
ayoung: I thought we put it all into credentials [00:55]
morganfainberg: it's backed by credential [00:55]
morganfainberg: the APIs aren't in credential [00:55]
morganfainberg: and people use those [00:55]
ayoung: simple_cert has no migrations, but it will shortly, if I have my way [00:55]
morganfainberg: stats is deprecated anyway [00:55]
ayoung: but that can wait [00:55]
morganfainberg: user_crud.. thats diablo compat right? [00:56]
ayoung: OK  so there is the list, and it is everything with a migration [00:56]
dstanek: we're not fixing v2.0 garbage right? [00:56]
ayoung: leave it. [00:56]
ayoung: its the only way in v2 to basic admin tasks [00:56]
morganfainberg: not saying remove, was more "it's diablo compat, right?" [00:56]
morganfainberg: oh we totally need to enable example by default /s [00:57]
morganfainberg: wtf is the access extension? [00:57]
ayoung: morganfainberg, look at it this way, if we get a really, really dumb idea, but we can't figure out how to say no, we say "make it an extension" and we don't really pay any price [00:57]
morganfainberg: ayoung, lets save the argument for later :) [00:58]
ayoung: """Writes an access log to INFO.""" [00:58]
ayoung: Heh, it is the thing that we are writing now:  if you get a token., log it [00:58]
morganfainberg: but... it's not an extension. [00:58]
ayoung: nope, but contrib was not just extensions [00:58]
morganfainberg: it's.. middl.. nevermind [00:58]
ayoung: just all extensions were contrib [00:58]
morganfainberg: gonna just pretend i didn't open that bundle of ... code [00:59]
ayoung: morganfainberg, its deprecated, too [01:00]
morganfainberg: ayoung, yeah [01:00]
ayoung: morganfainberg, we should probably split apart the migrations for identity and for assignment into their own migration repos....policy and catalog too [01:01]
ayoung: if we want to split id into its own service [01:01]
morganfainberg: ayoung, you mind writing a quick spec up for that? i'm happy to work on the split. just gonna be a little painful. [01:01]
morganfainberg: the collapse makes it better though. [01:02]
ayoung: morganfainberg, will do [01:02]
morganfainberg: ayoung, cool [01:02]
morganfainberg: also added you and nkinder on the composite token stuff specifically (review wise) [01:02]
morganfainberg: ayoung, ^ [01:02]
morganfainberg: based on summit conversations it sounds like it has some potential, but it needs some hard looking to make sure it's done right [01:03]
ayoung: morganfainberg, I think splitting the migrate repos is the right thing to do regardless.  If nothing else, it will reduce migration number clash [01:04]
morganfainberg: now i just need to remember the 2 other specs i planned to write up... [01:04]
morganfainberg: ayoung, well. it'll be interesting... thats for sure. [01:04]
morganfainberg: ayoung, trying to figure out the right way to do it... i think i know, (version numbering wise)... but it's still gonna be an odd one. [01:05]
morganfainberg: ayoung, i might advocate that split occur when we collapse for K. [01:06]
ayoung: morganfainberg, we have to lock the global repo at a version, and initialize each of the other repos at 1. [01:06]
morganfainberg: ayoung, it doesn't matter what number you start at (new repo wise) [01:06]
morganfainberg: ayoung, we could keep going from the last version of the global repo [01:07]
ayoung: migration 1 for identity is checking that the global repo is in its max state [01:07]
ayoung: you mean like start them all at 44? [01:07]
ayoung: or wherever we are now? [01:08]
morganfainberg: why not? [01:08]
ayoung: my point is that the start state is that the global repo is up to max [01:08]
morganfainberg: actually... maybe convert to alembic when we split. [01:08]
ayoung: when we collapse in, say 'L' we drop the global repo [01:08]
morganfainberg: ayoung, correct. [01:08]
ayoung: don't think we are going to alembic [01:08]
morganfainberg: ayoung, why not? [01:08]
ayoung: doesn't matter what the start number is for the individual repos [01:09]
ayoung: we were only going to alembic when we thought SQL A migrate was dying [01:09]
ayoung: we are supporting it now, and I don't know if alembic provides enough benefit to migrate to it [01:09]
morganfainberg: ayoung, sql a migrate is still dead [01:09]
ayoung: its pining for the fjords [01:09]
ayoung: beautiful plumage [01:09]
morganfainberg: and with the author of sqla and alembic working on OS 50% of the time, i think we can get alembic to support what we need [01:09]
*** chen has left #openstack-keystone [01:10]
* ayoung looks at how many migrations.... [01:13]
ayoung: regions...that goes to policy [01:14]
ayoung: we collapse for Juno, right? [01:14]
ayoung: what can we collapse up to? [01:14]
ayoung: morganfainberg, we support 2 releases back? [01:15]
ayoung: actually, Icehouse is collapsed up to Havana [01:15]
morganfainberg: for J we will support H[release migration]->J directly. [01:15]
morganfainberg: for K we will support last I release migration -> K [01:15]
*** shakamunyi has quit IRC [01:16]
ayoung: morganfainberg, so in Juno we can collapse 37-44? [01:16]
* morganfainberg looks [01:16]
*** browne has quit IRC [01:17]
morganfainberg: ayoung, correct we will start at 44 (just like havana was 36 and the base migration is 036_havana, I will be 044_icehouse) [01:17]
ayoung: could we collapse now? [01:18]
morganfainberg: no i mean once Juno is cut we do 044_icehouse [01:18]
ayoung: was the collapse already the first commit of Juno? [01:18]
ayoung: 44 is pre-reserved.  I'm assuming we will just skip those. [01:19]
morganfainberg: we wont be able to collapse them until L, otherwise we have skips and SQLA-migrate can't handle gaps [01:19]
morganfainberg: when we cut the K release, 45->49 will be rolled up [01:20]
morganfainberg: to whatever the last migration of J will be. [01:20]
*** marcoemorais has quit IRC [01:23]
*** ozialien has quit IRC [01:26]
ayoung: morganfainberg, ok, here is the logic for db_sync [01:26]
ayoung: if an extension is specified, only that extension is migrated, up or down [01:26]
ayoung: if no extension and no version is specified, sync common and all default_extensions to max version [01:27]
ayoung: if no extension and an explicit version are specified, it is for the common repo [01:27]
ayoung: if no extension and an explicit version == 0 are specified downgrade all extensions [01:27]
ayoung: er, hmm [01:27]
ayoung: make that last rule [01:27]
ayoung: if no extension and an explicit version == 0 are specified downgrade common and all default extensions [01:28]
ayoung: this is why I don't want common treated specially... [01:28]
openstackgerrit: ayoung proposed a change to openstack/keystone: Migrate default extensions
ayoung: morganfainberg, ok, is it possible to mark WIP with the new view? [01:31]
morganfainberg: ayoung, Workflow -1 is WIP [01:31]
ayoung: then no one looks at it [01:32]
morganfainberg: ayoung, no one looked at WIP before :P [01:33]
ayoung: they might. [01:33]
morganfainberg: ayoung, eh not really. [01:33]
ayoung: morganfainberg, the -1 workflow means that it shows up with a red X on the main page.  You don't see WIP until you click through [01:33]
morganfainberg: red X for wip is in the Workflow column not the code review [01:34]
morganfainberg: it's about socializing that change (yeah i brought up that bit w/ infra folks, and they agree the scary red x sucks) [01:34]
ayoung: morganfainberg, anyway, there it is.  Maybe we need an explicit command line switch for working with the common repo, but I'd rather treat common just as another default extension. [01:35]
morganfainberg: ayoung, whats your opinion on msata drives used in conjunction with standard drives in laptops? [01:35]
morganfainberg: i'm kind of torn on it. [01:35]
*** BAKfr has quit IRC [01:36]
ayoung: None.  That is the one topic in the whole universe in which I have no opinion....yet [01:36]
ayoung: should I? [01:36]
ayoung: what is msata? [01:36]
morganfainberg: it feels wonky to have both... esp. since most of the time msata is so much less storage [01:36]
ayoung: I haven't been paying attention to hardware [01:36]
morganfainberg: mobile sata interface, the drives are smaller than most trackpads [01:36]
*** sbfox has joined #openstack-keystone [01:36]
morganfainberg: compared to most laptop drives [01:37]
morganfainberg: i just don't know how to carve up 32GB msata SSD and 500GB rotational drive. [01:37]
* morganfainberg likes simple 1 bigger SSD (e.g. how apple is doing it) [01:38]
morganfainberg: i know... totally unrelated. [01:40]
morganfainberg: ayoung, downgrade to 0 with the collapse on the common repo will fail [01:41]
*** gyee has quit IRC [01:41]
morganfainberg: you're only doing extensions [01:41]
morganfainberg: are you? [01:42]
ayoung: no,  doing the common first [01:42]
morganfainberg: that will fail in juno [01:42]
morganfainberg: can't downgrade below 036. explicitly not supported. [01:42]
ayoung: morganfainberg, should be min version... [01:43]
morganfainberg: *nod* that works. [01:43]
ayoung: but you should be able to downgrade to 0.  That is how we nuke the database [01:43]
ayoung: anyway, that portion of the code is not changed [01:43]
ayoung: but for more important issues: [01:43]
ayoung: why use msata?  What is the usage for it? [01:43]
morganfainberg: in what case would you want to actually nuke the db outside of tests? [01:43]
ayoung: morganfainberg, I. Don't. Know. [01:44]
ayoung: (said like Shatner) [01:44]
morganfainberg: ayoung, i don't have an answer for why msata besides size. but the laptop i just was issued has one [01:44]
ayoung: should have been. [01:44]
ayoung: I...Don't know. [01:44]
morganfainberg: I ................. Dont'Know [01:45]
ayoung: morganfainberg, so either msata is faster or slower [01:45]
morganfainberg: or it's just about (legitimately) size. [01:45]
morganfainberg: but eh. [01:46]
morganfainberg: just curious if you had run into it yet or not [01:46]
ayoung: Nope, haven't run into yet.  My vote would be to avoid anything unnecessary.  Unless the drive had some profile that made it more reliable, or perhaps more easily removable, I'd probably leave it off.  But 32GB would make a nice /boot [01:49]
morganfainberg: yeah debating on doing it that way or just doing / as that and converting over the rotational media to mount points (+sync) for the other things [01:50]
* morganfainberg shrugs [01:50]
*** gokrokve has joined #openstack-keystone [01:51]
*** gyee has joined #openstack-keystone [01:54]
ayoung: So / and /boot off that, and everything else on explicit partitions?  I tend to go with one mega for the laptop [01:55]
morganfainberg: ayoung, i need to do whole drive encryption anyway so... meh will need to do post 1st boot work in either case [01:56]
ayoung: Put windows on the mini, and linux on the rest [01:56]
morganfainberg: lol nah, i'd run windows in a VM if i _really_ need it [01:56]
morganfainberg: don't have to reboot that way [01:57]
*** morganfainberg changes topic to "J1 Milestone June 12th! J2 and beyond blueprints require a formalized spec doc: | Please review the proposed specs." [02:02]
*** sbfox has quit IRC [02:12]
*** sbfox has joined #openstack-keystone [02:13]
openstackgerrit: A change was merged to openstack/python-keystoneclient: Sync with oslo-incubator caed79d
openstackgerrit: ayoung proposed a change to openstack/keystone: Migrate default extensions
openstackgerrit: ayoung proposed a change to openstack/keystone: Migrate default extensions
*** xianghui has joined #openstack-keystone [02:24]
ayoung: morganfainberg, this one has malingered, and is the precursor to all the example scripts   you ok with it? [02:27]
*** dims has quit IRC [02:29]
*** zhiyan_ is now known as zhiyan [02:34]
*** rodrigods_ has quit IRC [02:38]
*** gokrokve_ has joined #openstack-keystone [02:42]
lbragstad: morganfainberg: yes it can.. most time I've spent on a blueprint [02:45]
*** gokrokve has quit IRC [02:45]
stevemar: dstanek, aren't you supposed to be off this week? [02:49]
*** marcoemorais has joined #openstack-keystone [02:57]
*** mberlin1 has joined #openstack-keystone [02:59]
*** mberlin has quit IRC [03:02]
*** ukalifon1 has joined #openstack-keystone [03:23]
*** gokrokve_ has quit IRC [03:25]
*** jimbaker has quit IRC [03:26]
*** daneyon has joined #openstack-keystone [03:36]
*** wpf has joined #openstack-keystone [03:38]
*** daneyon has quit IRC [03:41]
*** sbfox has quit IRC [03:45]
*** zhiyan is now known as zhiyan_ [03:47]
* mfisch wonders if anyone is awake [03:48]
*** ncoghlan is now known as ncoghlan_afk [03:48]
*** shakamunyi has joined #openstack-keystone [03:49]
*** marcoemorais has quit IRC [03:50]
*** topol has joined #openstack-keystone [03:54]
*** daneyon has joined #openstack-keystone [03:56]
*** xianghui has quit IRC [03:57]
*** daneyon has quit IRC [04:02]
*** shakamunyi has quit IRC [04:05]
morganfainberg: mfisch, maybe [04:09]
*** xianghui has joined #openstack-keystone [04:09]
morganfainberg: topol, shouldn't you be... you know... asleep ?:P [04:10]
*** zhiyan_ is now known as zhiyan [04:10]
morganfainberg: ayoung, oh right we need to clear that one and get some testing in place to exercise those scripts (somehow) [04:10]
topol: Hi morganfainberg, how are you [04:10]
morganfainberg: topol, doing well man, how was vacation? you sufficiently unwound? [04:10]
topol: I am up. Was about to stress over getting a presentation ready for a few VPs on Friday and just saw a request that the VP is traveling and I dont have to worry about it until June 16th or so. [04:11]
topol: morganfainberg, I am absolutely giddy right now [04:12]
morganfainberg: topol, hehe [04:12]
topol: morganfainberg, you at HP yet [04:12]
topol: morganfainberg, yes I saw that. Get that travel approved for the hackathon [04:13]
morganfainberg: topol, already working on it [04:13]
topol: morganfainberg, so vacation was great. Hit Nags Head beach and Myrtle Beach [04:14]
morganfainberg: topol, still working out the kinks of you know... new job stuff (you know typical shenanigans) [04:14]
morganfainberg: sounds relaxing [04:14]
*** xianghui has quit IRC [04:14]
morganfainberg: i'll take a vacation some day :P [04:14]
topol: morganfainberg, mostly. although my two kids do their best to make it not relaxing :-) [04:15]
morganfainberg: now that you're back... REVIEW !!!,n,z :P [04:15]
* morganfainberg snickers. [04:15]
topol: morganfainberg, thanks to the VP I now have time to review!!! [04:16]
morganfainberg: topol, good thing too! :) need more smart people looking over these things. [04:16]
*** ncoghlan_afk is now known as ncoghlan [04:16]
topol: morganfainberg, so this is the official spec repo. its up and running [04:16]
morganfainberg: topol, yep [04:16]
topol: morganfainberg, thats great. [04:16]
morganfainberg: and pretty much everything except token compression (j1 target) needs a spec [04:16]
morganfainberg: since i doubt any other BPs will finish before j1 [04:17]
*** xianghui has joined #openstack-keystone [04:26]
openstackgerrit: Matt Fischer proposed a change to openstack/python-keystoneclient: Fix a misspelling in a comment
*** harlowja_ is now known as harlowja_away [04:38]
*** zhiyan is now known as zhiyan_ [04:52]
*** shakamunyi has joined #openstack-keystone [05:03]
*** shakamunyi has quit IRC [05:14]
*** ajayaa has joined #openstack-keystone [05:18]
*** xianghui has quit IRC [05:23]
*** zhiyan_ is now known as zhiyan [05:29]
ajayaa: Hi. I want to have a concept of tenant admin other than cloud admin. What is the best way to go about it? [05:37]
*** marcoemorais has joined #openstack-keystone [05:37]
*** marcoemorais1 has joined #openstack-keystone [05:39]
*** shakamunyi has joined #openstack-keystone [05:40]
*** xianghui has joined #openstack-keystone [05:41]
*** marcoemorais has quit IRC [05:41]
*** ajayaa has quit IRC [05:47]
stevemar: morganfainberg -> can i get quick review of
morganfainberg: gee i dunno [05:47]
morganfainberg: whats in it for me? [05:48]
*** wpf has quit IRC [05:48]
morganfainberg: is topol buying more beer at the hackathon? :P [05:48]
stevemar: morganfainberg, he may as well [05:48]
*** wpf has joined #openstack-keystone [05:49]
topol: yes, Im sure I will [05:50]
topol: beer/good bourbon [05:50]
*** shakamunyi has quit IRC [05:50]
topol: smaller crowd [05:50]
morganfainberg: linux for the desktop and me don't seem to want to play nice. [05:51]
*** sbfox has joined #openstack-keystone [05:55]
stevemar: topol, still catching up on emails? [05:55]
*** dstanek is now known as dstanek_zzz [05:58]
topol: pretty much done and enjoying life since two VP meetings and a phoenix trip got rescheduled. [05:59]
stevemar: life is good for topol then [06:03]
*** ajayaa has joined #openstack-keystone [06:05]
stevemar: morganfainberg, if i'm cleaning up code from a review, is that bug worthy ? [06:06]
morganfainberg: how much cleany-up-y-code? [06:07]
stevemar: a few lines here and there, actually just deletes [06:07]
stevemar: left an unnecessary setup and init [06:07]
morganfainberg: it doesn't hurt to have a bug to track it. [06:08]
morganfainberg: but at some point it's just red-tape [06:08]
morganfainberg: judgement call, make one [06:08]
morganfainberg: you're a core ;) [06:08]
stevemar: says who! [06:08]
stevemar: don't put labels or expectations on me [06:08]
morganfainberg: would you want a bug attached to it if someone else was doing it? [06:08]
morganfainberg: stevemar, oh right it was that stevemar2 guy [06:09]
stevemar: yeah, i would be picky about it [06:09]
morganfainberg: we made him core :P [06:09]
topol: come on stevemar, you're a core. make the call dude [06:09]
*** morganfainberg is now known as stevemar2 [06:09]
stevemar: hate that stevemar2 guy [06:09]
topol: get engaged maverick :-) [06:09]
* stevemar2 laughs maniacally [06:10]
*** stevemar2 is now known as morganfainberg [06:10]
morganfainberg: ok anyway.... [06:10]
stevemar: morganfainberg, hehe, like what topes sent ya? [06:15]
stevemar: i was so pissed [06:15]
morganfainberg: i'll stick with my normal run-of-the-mill-and-probably-less-painful stuff :P [06:16]
morganfainberg: seriously sucks dude, take care of that. [06:16]
stevemar: morganfainberg, i'm trying, quite gimpy atm [06:17]
openstackgerrit: Steve Martinelli proposed a change to openstack/python-keystoneclient: Clean up oauth auth plugin code
*** tomoiaga has joined #openstack-keystone [06:21]
*** praneshp has joined #openstack-keystone [06:21]
*** afazekas has quit IRC [06:22]
*** afazekas has joined #openstack-keystone [06:22]
stevemar: morganfainberg, i'm out [06:22]
stevemar: see ya [06:22]
*** ncoghlan is now known as ncoghlan_afk [06:23]
*** topol has quit IRC [06:27]
*** praneshp_ has joined #openstack-keystone [06:29]
*** stevemar has quit IRC [06:31]
*** praneshp has quit IRC [06:32]
*** praneshp_ is now known as praneshp [06:32]
*** sbfox has quit IRC [06:35]
*** sbfox has joined #openstack-keystone [06:37]
ajayaa: dolphm, morganfainberg, ayoung: Hi. Would it be a problem if I use keystone v3 for authentication and for taking advantage of RBAC policies and point other components to use v2 with the v3 tokens? [06:42]
openstackgerrit: Sergey Nikitin proposed a change to openstack/keystone: Fixed wrong behavior when updating tenant or user with LDAP backends
*** shakamunyi has joined #openstack-keystone [06:47]
*** wpf has quit IRC [06:52]
*** shakamunyi has quit IRC [06:59]
*** dstanek_zzz is now known as dstanek [07:00]
openstackgerrit: Sergey Nikitin proposed a change to openstack/keystone: Fixed wrong behavior when updating tenant or user with LDAP backends
*** dstanek is now known as dstanek_zzz [07:09]
*** gyee has quit IRC [07:10]
*** roby_ has joined #openstack-keystone [07:12]
*** sbfox has quit IRC [07:17]
*** ncoghlan_afk is now known as ncoghlan [07:18]
*** xianghui has quit IRC [07:24]
*** shakamunyi has joined #openstack-keystone [07:25]
openstackgerrit: Andre Naehring proposed a change to openstack/keystone: Add information regarding HTTPS for SSL enabled endpoints
*** shakamunyi has quit IRC [07:36]
*** ncoghlan has quit IRC [07:37]
*** xianghui has joined #openstack-keystone [07:42]
*** nkinder has quit IRC [07:49]
*** nkinder has joined #openstack-keystone [07:49]
*** xianghui has quit IRC [07:50]
*** morganfainberg is now known as morganfainberg_Z [07:54]
*** marcoemorais1 has quit IRC [08:00]
*** xianghui has joined #openstack-keystone [08:02]
*** shakamunyi has joined #openstack-keystone [08:03]
*** morganfainberg_Z is now known as morganfainberg [08:12]
*** shakamunyi has quit IRC [08:14]
openstackgerrit: A change was merged to openstack/python-keystoneclient: Fix a misspelling in a comment
openstackgerrit: A change was merged to openstack/python-keystoneclient: Remove left over vim headers
*** xianghui has quit IRC [08:32]
*** shakamunyi has joined #openstack-keystone [08:40]
*** xianghui has joined #openstack-keystone [08:44]
*** shakamunyi has quit IRC [08:52]
*** shakamunyi has joined #openstack-keystone [09:19]
*** leseb has joined #openstack-keystone [09:29]
*** zhiyan is now known as zhiyan_ [09:30]
*** shakamunyi has quit IRC [09:31]
*** leseb has quit IRC [09:37]
*** praneshp has quit IRC [09:42]
*** BAKfr has joined #openstack-keystone [09:49]
*** shakamunyi has joined #openstack-keystone [09:58]
*** shakamunyi has quit IRC [10:05]
openstackgerrit: liusheng proposed a change to openstack/python-keystoneclient: Set the iso8601 log level to WARN
*** xianghui has quit IRC [10:25]
*** afazekas is now known as afazekas_sick_do [10:43]
*** afazekas_sick_do has quit IRC [10:53]
*** ajayaa has quit IRC [11:05]
*** dims has joined #openstack-keystone [11:16]
*** ajayaa has joined #openstack-keystone [11:19]
*** leseb has joined #openstack-keystone [11:26]
*** leseb has quit IRC [11:36]
*** roby_ has quit IRC [11:48]
*** lbragstad has quit IRC [11:52]
*** dims has quit IRC [12:00]
*** ajayaa has quit IRC [12:04]
*** leseb has joined #openstack-keystone [12:17]
*** ajayaa has joined #openstack-keystone [12:24]
*** dstanek_zzz is now known as dstanek [12:41]
*** ajayaa has quit IRC [12:42]
*** gordc has joined #openstack-keystone [12:46]
*** ajayaa has joined #openstack-keystone [12:56]
*** dstanek is now known as dstanek_zzz [12:56]
*** hrybacki has joined #openstack-keystone [12:57]
*** lbragstad has joined #openstack-keystone [13:02]
*** dstanek_zzz is now known as dstanek [13:08]
*** rodrigods_ has joined #openstack-keystone [13:09]
*** dims has joined #openstack-keystone [13:10]
*** zhiyan_ is now known as zhiyan [13:11]
*** shakamunyi has joined #openstack-keystone [13:16]
*** shakayumi has joined #openstack-keystone [13:19]
*** shakamunyi has quit IRC [13:21]
*** leseb has quit IRC [13:27]
*** bknudson has joined #openstack-keystone [13:30]
*** shakayumi has quit IRC [13:34]
*** nkinder has quit IRC [13:41]
*** gokrokve has joined #openstack-keystone [13:46]
openstackgerrit: OpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements
*** shakayumi has joined #openstack-keystone [13:48]
*** stevemar has joined #openstack-keystone [13:49]
dstanek: dolphm: Can this be closed as WONTFIX?
uvirtbot: Launchpad bug 1294437 in keystone "GET role by name OS-KSADM call not functional" [Undecided,New] [13:51]
stevemar: dstanek, bad wording in the docs =\ [13:59]
dstanek: stevemar: it looks like the spec really wanted to filter by name, but they didn't finish the example [14:02]
*** tomoiaga has quit IRC [14:10]
*** gabriel-bezerra has quit IRC [14:11]
*** topol has joined #openstack-keystone [14:11]
*** gokrokve has quit IRC [14:14]
*** ajayaa has quit IRC [14:15]
*** yfujioka has joined #openstack-keystone [14:19]
dolphm: dstanek: yeah, go for it [14:21]
*** diegows has joined #openstack-keystone [14:22]
dstanek: dolphm: done [14:27]
dolphm: dstanek: thanks! [14:28]
*** david-lyle has joined #openstack-keystone [14:28]
*** rodrigods_ has quit IRC [14:29]
*** tomoiaga has joined #openstack-keystone [14:29]
*** dims has quit IRC [14:33]
*** nkinder has joined #openstack-keystone [14:34]
*** rodrigods_ has joined #openstack-keystone [14:37]
*** topol has quit IRC [14:37]
*** yfujioka has quit IRC [14:39]
openstackgerrit: Christian Berendt proposed a change to openstack/keystone: remove default=None for config options
*** rodrigods_ has quit IRC [14:47]
*** gokrokve has joined #openstack-keystone [14:48]
*** thedodd has joined #openstack-keystone [14:51]
*** zhiyan is now known as zhiyan_ [14:52]
*** praneshp has joined #openstack-keystone [14:53]
openstackgerrit: Dolph Mathews proposed a change to openstack/keystone: Add v2 & v3 API documentation
*** gokrokve has quit IRC [14:57]
*** gokrokve has joined #openstack-keystone [14:58]
*** praneshp_ has joined #openstack-keystone [15:00]
*** gokrokve has quit IRC [15:02]
*** praneshp has quit IRC [15:03]
*** praneshp_ is now known as praneshp [15:03]
*** nkinder has quit IRC [15:04]
*** samuelmz has joined #openstack-keystone [15:06]
*** topol has joined #openstack-keystone [15:11]
*** samuelmz is now known as samuelmz-hungry [15:14]
openstackgerrit: Dolph Mathews proposed a change to openstack/keystone: document pki_setup and ssl_setup in keystone.conf.sample
*** nkinder has joined #openstack-keystone [15:17]
*** gokrokve has joined #openstack-keystone [15:19]
kieren: if i'm using the ldap backend for identity (sql for assignment), and assigning roles to groups (rather than users), is it possible to have it recurse through nested ldap groups? [15:27]
dolphm: bknudson: ayoung: ^ [15:32]
ayoung: kieren, I think it depends on the LDAP server [15:33]
bknudson: kieren: is there an attribute for nested group members? [15:33]
ayoung: kieren, I've been told that it can, at least with 389 [15:33]
kieren: ayoung: using freeipa - would the memberOf plugin be useful? [15:33]
ayoung: kieren, yeah, although with FreeIPA you get that by default [15:34]
kieren: bknudson: i don't think it shows nested group members [15:36]
kieren: adding the ldap group to a role works ok, but only for the users in that group, not in subgroups [15:37]
kieren: i wondered if that was just my config [15:37]
*** zhiyan_ is now known as zhiyan [15:47]
*** nkinder has quit IRC [15:51]
openstackgerrit: Dolph Mathews proposed a change to openstack/keystone: document pki_setup and ssl_setup in keystone.conf.sample
*** gokrokve has quit IRC [15:54]
*** gokrokve has joined #openstack-keystone [15:54]
*** gokrokve has quit IRC [15:55]
stevemar: dolphm, TIL that you can number things as just 1 all the time [15:55]
dolphm: dstanek: took me awhile to regenerate sample conf because tools/config/ doesn't work on OS X and i have no idea why :(
dolphm: stevemar: ++ works in markdown too [15:55]
dolphm: stevemar: the secret is that when it renders HTML, the numbers are discarded in favor of <ol><li>foo</li><li>bar</li></ol> anyway [15:56]
stevemar: dolphm, neato! [15:56]
dolphm: morganfainberg: haghlo [15:57]
*** zhiyan is now known as zhiyan_ [15:57]
morganfainberg: dolphm, ooooh yeah i meant to solve that, but i generated the samples always under linux [15:58]
*** shakayumi is now known as shakamunyi [15:59]
morganfainberg: stevemar, i'm torn here the .assert_domain_enabled should probably occur in the else block, since _lookup_domain already does the assert -- alternatively, we could use _lookup_domain to do the assert [16:00]
morganfainberg: stevemar, or ... am I being too picky here? [16:00]
stevemar: morganfainberg, i dunno, it works imo cause domain_ref is created in the if and else blocks, handled the same way as project_ref [16:01]
morganfainberg: stevemar, except that if you lookup the domain for project_name based lookup you run the assert_domain code twice [16:02]
morganfainberg: once in _lookup_domain and once at the end of _assert_project_enabled [16:02]
dstanek: dolphm, morganfainberg: i think i just fixed it [16:02]
morganfainberg: _lookup_domain already calls _assert_domain_enabled [16:02]
morganfainberg: dstanek, awesome! (having pypi errors here atm) [16:03]
stevemar: morganfainberg, oh i didn't see that lookup_domain already calls assert [16:03]
morganfainberg: stevemar, yeah [16:03]
stevemar: thats silly [16:03]
stevemar: not that it does that, but adding it in again [16:04]
morganfainberg: stevemar, we need to do an assert if you aren't looking up by project name [16:04]
dolphm: dstanek: how? should i file a bug? [16:04]
morganfainberg: dolphm, ... hate to say it, but it "just worked" for me [16:04]
dstanek: morganfainberg: once i'm done testing i'll submit a bug and patch against oslo [16:04]
morganfainberg: no changes. [16:04]
dolphm: morganfainberg: on OS X? [16:05]
*** sbfox has joined #openstack-keystone [16:05]
morganfainberg: dolphm, yep [16:05]
*** rodrigods_ has joined #openstack-keystone [16:05]
dstanek: morganfainberg: there are some syntax issues based on bash version [16:05]
dstanek: dolphm: i'll go ahead and read the bug [16:05]
dolphm: i'm on GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13) [16:05]
dolphm: dstanek: read or file? [16:06]
morganfainberg: dolphm, GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13) [16:06]
stevemar: morganfainberg, move assert to the else, and add a comment/todo explaining why it's only needed there [16:06]
dstanek: hmmm...that's odd that you have the same version, but different behavior [16:07]
morganfainberg: dolphm, current master [16:07]
*** nkinder has joined #openstack-keystone [16:07]
morganfainberg: dolphm, maybe i did something wonky w/ brew though [16:07]
morganfainberg: stevemar, i'll take a crack at this. will take just a moment [16:08]
stevemar: morganfainberg, cool [16:08]
stevemar: morganfainberg, i'll comment anyway [16:08]
morganfainberg: stevemar, ++ just making sure i wasn't being too picky here [16:09]
stevemar: morganfainberg, you got a point [16:09]
stevemar: to play devils advocate... domain lookup is probably the fastest keystone operation [16:09]
morganfainberg: it's not the domain lookup... it's the assert [16:09]
dolphm: morganfainberg: whats your brew list?
morganfainberg: and that isn't exactly heavy code [16:10]
morganfainberg: dolphm, nmap openssl protobuf pypy [16:10]
morganfainberg: dolphm, guess it wasn't brew then :P [16:10]
*** zhiyan_ is now known as zhiyan [16:12]
*** marcoemorais has joined #openstack-keystone [16:14]
morganfainberg: stevemar, diff from gyee's patch [16:15]
morganfainberg: stevemar, thoughts? [16:15]
morganfainberg: stevemar, nvm that is right [16:16]
stevemar: morganfainberg, i was thinking of that too, just crafting a domain_info [16:18]
morganfainberg: stevemar, simplest solution, use code we have [16:18]
*** marcoemorais has quit IRC [16:18]
morganfainberg: ok i'll submit this post testrun [16:18]
stevemar: morganfainberg, you need name and id for domain though [16:19]
morganfainberg: stevemar, name _or_ id [16:19]
morganfainberg: domain_name = domain_info.get('name') [16:19]
morganfainberg: .get will return None by default [16:19]
dstanek: morganfainberg: dolphm: i tried again on my Mac without my fixes and now it works [16:21]
*** afaranha has left #openstack-keystone [16:21]
dolphm: le sigh [16:21]
*** zhiyan is now known as zhiyan_ [16:21]
morganfainberg: oh. it's super picky about package naming [16:21]
stevemar: dolphm, i don't like the title "HTTP API" i feel it's too generic :\ [16:22]
morganfainberg: dolphm, was your clone called "keystone" ? [16:22]
morganfainberg: or was it something like keystone_fix_my_docs [16:22]
morganfainberg: the directory name [16:22]
morganfainberg: that is [16:22]
dolphm: morganfainberg: 'keystone' [16:22]
dolphm: stevemar: have an alternative suggestion? [16:22]
dolphm: morganfainberg: /Users/dolph/Projects/keystone fwiw [16:23]
stevemar: dolphm, "History of Keystone - by dolphm" [16:23]
morganfainberg: dolphm, then no idea [16:23]
morganfainberg: stevemar, History of Keystone Part 1 (a dolphm production) [16:23]
dolphm: stevemar: lol i don't know if the history really belongs, but part of the conversation we had for needing this was justification to get people onto v3, so i figured perspective might help [16:23]
stevemar: dolphm, then call it 'moving from V2 to V3' ? [16:24]
dolphm: morganfainberg: just nuked my .tox dir and tried again, no luck
stevemar: dolphm, HTTP API just sounds like an API, but this is clearly not one? [16:25]
*** rodrigods_ has quit IRC [16:25]
dolphm: stevemar: ? but it's discussing our HTTP APIs [16:25]
*** praneshp has quit IRC [16:25]
*** marcoemorais has joined #openstack-keystone [16:26]
morganfainberg: dolphm, perhaps no change in the at the moment? that looks like a successful run to me. [16:26]
dolphm: stevemar: should i wait on to release 0.9.0? [16:26]
* morganfainberg might be misreading. [16:26]
stevemar: dolphm, no, none of the 'example' scripts are ready [16:27]
dolphm: morganfainberg: then
stevemar: dolphm, wait on this one?
dolphm: stevemar: +2 but i wouldn't block a release for it [16:27]
morganfainbergdolphm, how odd16:28
stevemardolphm, yeah, you're right16:28
*** tomoiaga has quit IRC16:28
*** leseb has joined #openstack-keystone16:28
dolphmmorganfainberg: i tried debugging this at some point, and IIRC it was producing a sample conf correctly and then something in the last block was causing it to not write the file16:29
*** rodrigods_ has joined #openstack-keystone16:29
morganfainbergdolphm, that is ... bizarre, not sure why it works for me and not you16:29
*** rodrigods_ has quit IRC16:29
morganfainbergthis stuff bugs me a lot... i don't like inconsistent behavior16:29
* dolphm why is there no
morganfainbergdolphm, i think it falls under oslo proper still16:30
amerineCan anyone explain to me how the policy endpoint has the same docs as the credentials endpoint?
dolphmamerine: bad copy paste? refer to the source of truth instead
*** marcoemorais has quit IRC16:32
*** marcoemorais has joined #openstack-keystone16:32
amerinedolphm: I'm asking because it wasn't this way the other day :-(. I'll pass along the identity-api repo so they use that instead. Thanks.16:33
dolphmamerine: can you file a bug against openstack-manuals?
amerinedolphm: Will do.16:34
dolphmamerine: thanks!16:34
*** leseb has quit IRC16:35
*** rodrigods_ has joined #openstack-keystone16:35
*** devlaps has joined #openstack-keystone16:37
* dolphm apparently when you i write my title as OpenStack Cat Herder but turn it into one word, it looks a lot like catheter instead16:39
*** samuelmz-hungry is now known as samuelmz16:39
amerinedolphm: catheter sounds like a terrible job.16:40
dolphmamerine: so is catherder16:40
amerinedolphm: I'm not a cat fan, so spending my BTUs on them offends my sensibilities.16:40
dolphmamerine: but i agree, catheter is probably worse16:40
dolphmamerine: rofl16:40
*** nkinder has quit IRC16:40
amerinedolphm: Bug filed.
uvirtbotLaunchpad bug 1324607 in openstack-manuals "Identity API V3 Policies endpoint docs are a duplicate of the Credentials endpoint docs." [Undecided,New]16:41
*** leseb has joined #openstack-keystone16:41
htrutastevemar: hello! do you know someone else that could review my patch?
*** gokrokve has joined #openstack-keystone16:42
stevemarhtruta, dtroyer or thowe (not online)16:44
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Make sure scoping to the project of a disabled domain result in 401.
*** browne has joined #openstack-keystone16:51
morganfainbergstevemar, ^16:52
stevemarmorganfainberg, ty16:52
*** gabriel-bezerra has joined #openstack-keystone16:53
*** nkinder has joined #openstack-keystone16:53
* morganfainberg pokes topol. 16:54
* morganfainberg makes some bad star trek "worse than that, he's dead jim" reference.16:55
gabriel-bezerraI've sent a new patch to , might you review, please?16:56
gabriel-bezerramorganfainberg, ayoung, jamielennox|away ^16:57
dolphmmorganfainberg: jamielennox|away: i'm ready to push the button for
morganfainbergdolphm, LGTM16:58
morganfainbergdecent amount of fixes in it too!16:58
*** rodrigods_ has quit IRC16:59
dolphmmorganfainberg: waiting for jenkins to push to pypi..17:00
stevemardolphm, morganfainberg lots of cool stuff going in to 0.9.017:00
ayounggabriel-bezerra, working on something kindof time sensitive17:00
* morganfainberg learned the hard way pure uefi laptops need ubuntu mac iso to install correctly.17:01
dolphmmorganfainberg: they make a mac iso now?17:01
morganfainbergdolphm, have for a while17:02
dolphmi guess i gave up on ubuntu desktops before that17:02
*** harlowja_away is now known as harlowja_17:02
stevemargabriel-bezerra, that is a cool change17:02
dolphmoh but that's not a special mac build, is it?17:02
dolphmi mean, i'd use the same build on my PC desktop17:03
gabriel-bezerraayoung: ok, I didn't manage to make it work on CentOS neither before nor after the patch. It could be the instance I got, because it was not a fresh installation of CentOS cloud.17:03
*** rodrigods_ has joined #openstack-keystone17:03
morganfainbergdolphm, yeah.. well slightly different unity default setup i think as well17:03
morganfainbergdolphm, but mostly the same - not anything wildly different17:03
* morganfainberg goes and proposes making it the minimum for global reqs now.17:04
gabriel-bezerraI kept the change because httpd was listening for on the 5000 and 35357 ports, so I hope the change worked there.17:04
gabriel-bezerrastevemar: thanks :)17:04
gabriel-bezerralistening on*17:04
stevemarmorganfainberg, let us know when the change is up :)17:06
*** gokrokve_ has joined #openstack-keystone17:07
stevemarmorganfainberg, so will openstack proposal bot bump it for all the projects that use keystoneclient? (like openstack client) ?17:08
morganfainbergyeah once it's committed17:09
morganfainberg /merged17:09
*** rodrigods_ has quit IRC17:11
*** gokrokve has quit IRC17:12
htrutastevemar: so, let's wait for it, I guess17:12
*** zhiyan_ is now known as zhiyan17:12
stevemarhtruta, for bug fixes i don't mind being the only +2 and +A, but for new functions, I like dtroyer 's opinion too17:14
openstackgerritDolph Mathews proposed a change to openstack/keystone: remove out of date docs for Fedora 15
*** Dontmind has joined #openstack-keystone17:17
*** rodrigods_ has joined #openstack-keystone17:20
DontmindHello, I have query regarding the keystone with LDAP ? I am trying to setup keystone with openldap, but multiple parameter like desc are not present in the openldap, do we require to add any specific schema into ldap ? What all ldap are supported by keystone ? do it support writing new user, tenant in ldap or ldap is used only in read only mode ?17:21
mfischstevemar: I think I addressed your concerns on the review17:21
mfischDontmind: it supports r/w17:22
mfischDontmind: for r/w you will need a specific schema17:22
*** zhiyan is now known as zhiyan_17:22
mfischDontmind: also for desc you can just leave it commented out if it doesn't make sense for your server17:22
*** browne has quit IRC17:23
Dontmindmfisch : what schema do we need, are these standard schema ?17:23
stevemarmfisch, haha \ for life, that kinda talk will get you in trouble here17:23
*** rodrigods_ has quit IRC17:25
Dontmindbasic query : what all things are stored in ldap (when keystone is configured with ldap) ? do we still  need mysql in this case to store few things like endpoint or catalog ?17:26
*** leseb has quit IRC17:28
Dontmindi want to setup keystone with ldap and use swift with it. Does anybody have the end to end details on how to do it ?17:29
mfischDontmind: when I did r/w I followed some blog posts, but I ended up doing split identity and assignment and r/w17:30
mfischDontmind: look at my blog, I have some posts there17:30
*** browne has joined #openstack-keystone17:30
mfischstevemar: is there a separate channel for the client? I could not find one17:30
Dontmindmfisch : thanks i will have a look into it17:34
stevemarmfisch, not really, there is #openstack-sdks which is as close as you'll get17:37
*** gyee has joined #openstack-keystone17:37
*** praneshp has joined #openstack-keystone17:44
*** rodrigods_ has joined #openstack-keystone17:49
*** ozialien has joined #openstack-keystone17:51
*** sbfox has quit IRC17:56
*** openstackgerrit has quit IRC17:57
stevemardstanek, any reason you didn't +A
dstanekstevemar: jenkins hasn't +1ed it yet17:59
stevemardstanek, we can +A now even if jenkins hasn't passed17:59
dstanekstevemar: good to know - did that change after the upgrade of gerrit?18:00
*** Dontmind has quit IRC18:00
stevemardstanek, it was unofficial before the upgrade, but it's official now18:01
stevemarthe infra did something or other18:01
*** rodrigods_ has quit IRC18:01
dstanekstevemar: oh, interesting - i still see review comments about approving after jenkins18:02
dstanekwe should spread the word18:02
mfischstevemar: I just changed the requirement to 0.9.0 myself, should I roll that back?18:05
stevemarmfisch, yep, i think so18:06
*** sbfox has joined #openstack-keystone18:12
*** zhiyan_ is now known as zhiyan18:13
*** afazekas has joined #openstack-keystone18:14
*** ozialien has quit IRC18:18
*** zhiyan is now known as zhiyan_18:23
*** bobt has joined #openstack-keystone18:25
*** radez_g0n3 is now known as radez18:32
*** morganfainberg is now known as morganfainberg_Z18:33
*** morganfainberg_Z is now known as morganfainberg18:37
*** browne has quit IRC18:37
*** comstud has joined #openstack-keystone18:49
comstudhey all18:49
comstudso, new keystoneclient was just posted to pypi it appears...18:49
comstudand from what I can tell... it's possible certain some API code responses have changed18:49
comstudWe're asserting some things in ironic tests that now fail with the new keystone client18:49
comstudlike getting a 401 where we got a 403 before18:50
comstudideas, comments?18:50
dolphmcomstud: link?18:50
comstudI don't think I have a review up with the failures18:50
comstudbut I can paste the tracebacks18:50
comstudand link to corresponding tests18:50
uvirtbotLaunchpad bug 1324655 in ironic "tests fail with new keystoneclient" [Undecided,In progress]18:51
*** praneshp has quit IRC18:51
bknudsonlooks like a failure in auth_token18:51
dolphmcaching in auth_token, specifically18:52
comstudthe 'time' kwarg missing is our stub of set() in our fake memcache18:52
comstudBut... the tracebacks I get after fixing that is more what I'm concerned about18:52
comstudNow... it's possible that our stub is just still broken after I add the time kwarg18:52
comstudI've just begun to dig into this... but I thought I'd point this out in case it stirred anything in anyone's minds about the keystone client changes18:53
comstudThe link about to is now returning a 40118:54
dolphmbknudson: comstud:
comstudwhere it was a 403 before18:54
comstudmaybe I need additional logic in our fake memcache18:55
*** praneshp has joined #openstack-keystone18:55
bknudsonthat change wasn't meant to change so it's not backwards compatible18:56
comstudit's possible our fake memcache is not expiring something when it should18:56
comstudI wonder if that's the issue18:56
*** browne has joined #openstack-keystone18:57
dolphmcomstud: how are you initializing keystoneclient with your fake cache instance?18:57
comstudi'm not really familiar with this in our tests18:58
dolphmcomstud: i'm sure you're more familiar than i am :)18:58
comstudjust a hair I guess18:59
comstud35         self.environ = {'fake.cache': utils.FakeMemcache()}18:59
bknudsonsetting the environ, and then it does cfg.CONF.set_override('cache', 'fake.cache', group=acl.OPT_GROUP_NAME)18:59
comstudi suspect me just adding 'time' kwarg to our fake memcache set() is not enough :)18:59
comstudi probably need to do something with 'time'19:00
bknudsonso auth_token should use the utils.FakeMemcache19:00
comstudwhat is that arg meant to be?  Is it different than 'timeout'?19:00
dolphmbknudson: what's acl.OPT_GROUP_NAME there?19:00
*** ukalifon1 has quit IRC19:00
bknudsoni have to run to a meeting19:00
comstuddo we have 'timeout' misnamed and it should be 'time'?19:00
* comstud checks memcache19:00
dolphmcomstud: historically, i think swift cache used one of those, and memcached uses the other? although they were meant to be compatible, i think19:01
comstuddef set(self, key, val, time=0, min_compress_len=0):19:01
comstudthat's from python-memcached19:01
dolphmcomstud: maybe you were mocking swift cache then19:01
comstudno idea19:02
comstudbut it appears we have 'timeout' where we should have 'time'19:02
comstudand I should make it expire properly19:02
dolphmcomstud: does that fix the issue?19:02
comstudwe're not tracking the timeout right now in this fake client19:02
comstudadding it now19:03
*** sbfox has quit IRC19:03
comstudat this point, I suspect this is just an issue with our fake client19:03
comstudwrongly named kwarg... and not actually doing anything with the kwarg (expiring the cache entry)19:04
*** rodrigods_ has joined #openstack-keystone19:05
*** openstackgerrit has joined #openstack-keystone19:07
dolphmcomstud: not doing anything with it wouldn't have changed with keystoneclient 0.9.0 though19:08
comstudhm k19:08
comstudso yeah19:10
comstudthis review you linked to19:10
comstudused time=  before already on set9)19:10
comstudon set()19:10
comstudwe must not have been hitting that code path before in keystoneclient, but now we are19:12
*** openstackgerrit has quit IRC19:13
*** zhiyan_ is now known as zhiyan19:14
morganfainbergcomstud, interesting19:18
dolphmcomstud: i wonder if that review just isn't the culprit then?19:18
comstudit's possible something landed before it, yes19:19
comstudthat added this time= usage19:19
comstudto cache.set()19:19
*** gokrokve_ has quit IRC19:20
comstudI don't know at what point in time this broke with keystoneclient commits19:20
comstudit's just obvious now that there's a new release19:20
comstudupstream only pulls in pypi, so19:20
comstuder, gate19:20
morganfainbergcomstud, this is unit tests not tempest right?19:21
comstudcorrect, unit tests in ironic19:21
comstudwhich stub out a fake memcache client19:21
comstudto pass into keystoneclient19:21
*** dims has joined #openstack-keystone19:21
morganfainbergcomstud, hm. ok19:21
comstuda.. somewhat broken fake memcache client, it appears :)19:22
comstudbut i dunno if that's the only problem19:22
comstudwhat's concerning me is our tests showing a switch from a 403 to a 40119:22
comstudit's possible it's just our bogus fake memcache client... it's possible it's something else in keystoneclient, I dunno yet.19:22
*** zhiyan is now known as zhiyan_19:24
* morganfainberg looks at the tests in question.19:24
*** gokrokve has joined #openstack-keystone19:25
comstudatm, i'm going back in keystoneclient commits19:25
* dolphm is trying to reproduce19:25
comstudto look before this review dolph posted19:26
comstudyeah, if you check out ironic master and just run 'tox', you'll get the failures19:26
morganfainbergcomstud, same, looking at the changes between the releases.19:26
dolphmcomstud: auth_token has a bad habit of turning 500's into 401's19:26
dolphmcomstud: so anything that should be uncaught ends up as a 40119:26
comstudso far, all I did was rename 'timeout' to 'time' in ironic/tests/api/utils.py19:26
comstudand then I get the 403 -> 40119:27
comstuddolphm: aha ok19:27
dolphmi'm pretty sure keystone's contribution to openstack is arbitrarily producing 401's19:28
comstudi suspect that maybe this review is where things broke for us19:29
comstudbut i dunno for sure19:29
*** rodrigods_ has quit IRC19:29
comstudthat's the switch from timeout=foo to time=foo19:30
comstudjust switching our kwarg from timeout to time... causes these 401s19:31
dstanekwasn't that change in 0.8.0?19:32
morganfainbergdstanek, 0.8.0 was apr 16 it looks like19:32
comstudif that's the case, then I guess we were never hitting this self._cache.set() before in our tests19:33
comstudand now we are19:33
comstudmaybe with the pool change19:33
morganfainbergcomstud, ok lets set aside the kwarg issue19:34
morganfainbergcomstud, the change to 401 from 403 seems more of an issue19:34
comstudright, although it doesn't happen until I fix the kwarg19:34
morganfainbergcomstud, *blink*19:34
comstudbecause that problem covers this up19:34
morganfainbergcomstud, what if there was no caching? at all.19:34
*** openstackgerrit has joined #openstack-keystone19:35
comstudshoot, I have to listen to this call I'm on19:35
morganfainbergcomstud, let me go look at the cache mock thing19:35
morganfainbergcomstud, this might be something odd there.19:35
dolphmeven if you change timeout to time in ironic.test.utils, i don't see a reason for the subsequent 401 yet19:35
morganfainbergdolphm, unless the mocked cache is munging things up in bad ways19:35
comstudthe mocked cache is just hardcoded to return something we expect to query19:36
comstudit's kinda dumb19:36
morganfainbergcomstud, right but if it's somehow returning broken data now :P19:36
morganfainbergauth_token might turn that into a 40119:37
morganfainbergor well.. subtly broken data19:37
comstudthis only happens when I fix set() but yeah19:37
dolphmthe mocked cache also only holds one key/value19:37
comstudreally we just throw away what set() does19:37
comstudi feel bad having you guys dig into this because it feels like this fake memcache is a bad idea... or poorly implemented.19:38
dolphmoh wow yeah19:38
dolphmmocking always causes strange problems like this, regardless of how well it's done19:39
comstudI thought I'd raise it in here, because I was concerned I started seeing HTTP code changes19:39
morganfainbergdolphm, we've had a number of things touch the caching code lately19:40
morganfainbergdolphm, i wouldn't be surprised if fake memcache was an issue.19:40
*** gokrokve has quit IRC19:40
dolphmmorganfainberg: in ironic? or memorycache?19:40
*** gokrokve has joined #openstack-keystone19:41
morganfainbergthe fake cache they use there19:41
morganfainbergironic's mock19:41
dolphmwhat happens if you remove it..?19:41
comstud1) i really hate we're stubbing something that a 3rd party project is using internally.19:41
comstudthat seems.. wrong19:41
comstud2) what the hell are we testing here anyway? That keystone client is working properly?!19:42
comstud(these questions are more for ironic :)19:42
dolphmcomstud: i suppose you're testing that ironic's default configuration includes something for auth_token, but that's about it?19:43
bknudsonoverriding the cache response seems broken to me.19:43
bknudsonauth_token might decide that we're going to store data differently19:43
comstudyeah, that's why I think this stubbing is.. not the way to go19:43
*** gokrokve has quit IRC19:45
dolphmthe only point of the fake cache that i can see is that it's pre-populating the cache with supposedly valid values19:45
bknudsonmaybe aim at a higher level, mock auth_token rather than auth_token's cache19:45
morganfainbergbknudson, ++19:45
bknudsonwe do actually support the auth_token interface (the env vars that it sets)19:46
bknudsoncomstud: where's your api-paste.ini?19:48
comstudthis is just unit tests19:50
comstudso... whatever is in the ironic tree19:50
dolphmbknudson: dependence on auth_token appears to be hardcoded in ironic.api.middleware19:50
comstudi don't see one19:50
comstuddolphm: Yeah, that's what I get from this fake memcache also... is throwing supposedly valid values in there and returning them with get(). And everything is just stubbed and thrown away19:51
nkinderstevemar: what's the story around saml 1.1 and Keystone?19:51
nkinderstevemar: we only support saml2?19:52
stevemarnkinder, saml2 is the only one supported officially19:52
dolphmjamielennox|away: ironic.api.middleware.auth_token solves your public routes issue ;)19:52
stevemarnkinder, you're welcome to try 1.119:52
*** liranc_ has joined #openstack-keystone19:53
nkinderstevemar: so you're saying it might just work?19:53
dolphmliranc_: o/19:54
liranc_I am using keystone wsgi with apache2 on ubuntu 12.04.4 and it breaks my horizon19:54
liranc_for glance and for neutron19:54
liranc_do you have any idea how can i fixed this now i am using the single thread python for keystone but i can't scale19:55
dolphmliranc_: what is breaking exactly, and how?19:56
liranc_i am using havana so i don't have the workers19:56
liranc_here is my glance trace Paste #8208219:57
liranc_i click the images in the guy and it says Error: Unauthorized: Unable to retrieve image list.19:57
liranc_sorry *GUI19:58
liranc_here is the error i am getting from glance api logs Unable to get version info from keystone: 30119:58
liranc_the CLI is working as expected19:58
dolphmliranc_: what does your auth_token configuration look like for glance, and what does your virtual host configuration look like for keystone?19:59
*** gokrokve has joined #openstack-keystone20:00
*** rodrigods has quit IRC20:01
liranc_i have the following in glance20:01
liranc_all comment out20:02
liranc_# Send headers containing user and tenant information when making requests to # the v1 glance registry. This allows the registry to function as if a user is # authenticated without the need to authenticate a user itself using the # auth_token middleware. # The default value is false.20:02
liranc_seems to be the default20:02
liranc_[keystone_authtoken] auth_host = ctpr-osm01 auth_port = 35357 auth_protocol = https admin_tenant_name = services admin_user = glance20:05
liranc_auth_uri=https://ctpr-osm01:5000/ signing_dir = /var/cache/glance/api20:05
bknudsoncomstud: expires = confirm_token_not_expired(data) -- KeyError: ('expires',)20:05
morganfainbergbknudson, beat me to it!20:06
comstudbknudson: aha20:06
dolphmliranc_: https://ctpr-osm01:5000/ and https://ctpr-osm01:35357/ both work with your apache configuration?20:06
bknudsonso the tokens in the fake cache need a expires20:06
bknudson                'token': {'id': ADMIN_TOKEN, 'expires': '2100-09-11T00:00:00'},20:06
bknudson(for example)20:06
morganfainbergcomstud, i think is what you should use to create the fake token20:07
morganfainbergcomstud, rather than hard-coding it (if you're continuing to fake-out the memcache)20:07
comstudcool, I will look at that20:07
morganfainbergcomstud, that way you're sure to get something that at least resembles the real thing. (it's why we added it)20:07
bknudsonI still don't think it's safe to override auth_token's cache20:08
morganfainbergbknudson, ++20:08
liranc_OK i am lost here20:08
dolphmmorganfainberg: oh that's a good idea20:08
liranc_can you please explain20:08
morganfainbergcomstud, i'd mock all of auth_token for these tests if you legitimately need fixed responses20:09
liranc_yes i use both admin and main in apache20:09
dolphmliranc_: can you paste the responses you get when you curl https://ctpr-osm01:5000/ and https://ctpr-osm01:35357/ ?20:09
morganfainbergdolphm, yeah jamielennox|away did a bunch of work to make some awesome fixtures for this stuff.20:09
morganfainbergwith that ...20:10
morganfainbergfood time.20:10
comstudbknudson: Yeah, I think I'm going to come up with short term fix first20:10
comstudAnd then suggest we... do something completely different20:10
bknudsoncomstud: the short term fix is add the 'expires' to the tokens... worked for me20:11
liranc_root@ctpr-stk01:/var/log# curl --insecure https://ctpr-osm01:5000 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>301 Moved Permanently</title> </head><body> <h1>Moved Permanently</h1> <p>The document has moved <a href="https://ctpr-osm01:5000/horizon/">here</a>.</p> </body></html>20:11
bknudsoncomstud: and set time=None rather than timeout20:11
gabriel-bezerraFederation people: please have a look at this bug
uvirtbotLaunchpad bug 1320140 in keystone "Federation documentation is not clear about" [Undecided,New]20:11
comstudbknudson: yep, got that one already20:12
comstudcool, thanks... that did work for me :)20:12
liranc_root@ctpr-stk01:/var/log# curl --insecure https://ctpr-osm01:35357 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>301 Moved Permanently</title> </head><body> <h1>Moved Permanently</h1> <p>The document has moved <a href="https://ctpr-osm01:35357/horizon/">here</a>.</p> </body></html>20:12
comstudRan 849 (+776) tests in 2.284s (+1.827s)20:12
comstudPASSED (id=4, skips=24)20:12
comstudthanks a lot!!20:12
*** hrybacki has quit IRC20:12
*** sbfox has joined #openstack-keystone20:14
*** sbfox1 has joined #openstack-keystone20:14
*** zhiyan_ is now known as zhiyan20:15
dolphmyay :)20:17
bknudsonauth_token needs better logging20:18
morganfainbergbknudson, ++20:18
morganfainbergbknudson, auth_token needs a lot of things20:18
*** sbfox has quit IRC20:19
-openstackstatus- NOTICE: Gerrit is going offline to correct an issue with a recent project rename. ETA 20:45 UTC.20:20
*** ChanServ changes topic to "Gerrit is going offline to correct an issue with a recent project rename. ETA 20:45 UTC."20:20
*** openstackgerrit has quit IRC20:25
dstanekgabriel-bezerra: that's interesting. based on what you said, all of the examples should have a username component in the local section20:26
*** zhiyan is now known as zhiyan_20:26
dstanekliranc_: i'm a little late to the party - did you already post your apache config?20:27
dstanekliranc_: getting a redirect to horizon is troubling20:27
liranc_will do 1 sec20:27
liranc_Paste #8210120:29
liranc_this is for the main20:29
liranc_do you need the admin ?20:29
liranc_the strange thing here is that the CLI is working20:30
dstanekliranc_: ? i'm getting a server error20:32
liranc_working for me can you try again20:33
liranc_here is a new one Paste #8210220:34
liranc_looking in horizon log i can see very short token used for auth before it fail20:34
dstanekliranc_: got it - had to clear an old lodgeit lookie20:34
liranc_for example DEBUG glanceclient.common.http curl -i -X GET -H 'X-Auth-Token: f75de54e2a708ae5e786e11b2b388fc6' -H 'Content-Type: application/json' -H 'User-Agent: python-glanceclient'
liranc_when i try this  with a new token its working20:35
*** gokrokve has quit IRC20:35
dstanekliranc_: yes, admin too. that's where the redirect is coming from20:36
liranc_admin Paste #8210320:37
*** ChanServ changes topic to "J1 Milestone June 12th! J2 and beyond blueprints require a formalized spec doc: | Please review the proposed specs."20:39
-openstackstatus- NOTICE: Gerrit is back online20:39
dstanekliranc_: i don't see the word horizon in there at all20:39
dstanekliranc_: do you have a redirect for horizon in another file?20:39
*** radez is now known as radez_g0n320:39
liranc_i will check20:39
liranc_wow it was fixed20:41
liranc_just remove all of my horizon files conf from apache20:42
liranc_we use to have the horizon and keystone wsgi on the same instance20:42
dstanekthat HTML returned with the 301 looks like the Apache boilerplate so my guess is your Apache config is weird20:42
liranc_now its working20:42
dstanekliranc_: you still need to run them on the same instance?20:43
liranc_i move the horizon to a new server20:43
liranc_no i don't have to20:43
liranc_this is great20:43
liranc_we have a very big production deployment20:43
liranc_which we fail to scale after moving to havana20:43
liranc_in grizzly we put some patch that gave us the option to run workers20:44
liranc_multi workers20:44
liranc_but its not working in havana so we had to use wsgi and now its working thanks20:44
*** nkinder has quit IRC20:45
dstanekliranc_: ma pleasure20:46
liranc_thanks bye its late i have to get some sleep20:46
*** gokrokve has joined #openstack-keystone20:47
*** gokrokve has quit IRC20:50
*** shakamunyi has quit IRC20:51
dstanekliranc_: yw20:52
*** shakamunyi has joined #openstack-keystone20:52
*** liranc_ has quit IRC20:53
*** hrybacki has joined #openstack-keystone20:53
*** topol has quit IRC20:53
*** ozialien has joined #openstack-keystone20:54
*** gokrokve has joined #openstack-keystone20:58
*** jimbaker has joined #openstack-keystone21:02
*** leseb has joined #openstack-keystone21:02
*** gokrokve has quit IRC21:06
*** shakamunyi has quit IRC21:14
*** zhiyan_ is now known as zhiyan21:18
*** sbfox1 has quit IRC21:20
*** hrybacki has quit IRC21:24
*** zhiyan is now known as zhiyan_21:27
*** marcoemorais has quit IRC21:30
*** marcoemorais has joined #openstack-keystone21:31
*** marcoemorais has quit IRC21:31
*** marcoemorais has joined #openstack-keystone21:32
*** openstackgerrit has joined #openstack-keystone21:34
*** gokrokve has joined #openstack-keystone21:37
*** gokrokve_ has joined #openstack-keystone21:38
*** gokrokve has quit IRC21:41
*** gokrokve_ has quit IRC21:43
*** openstackgerrit has quit IRC21:47
*** sbfox has joined #openstack-keystone21:50
*** browne has quit IRC21:54
*** dims has quit IRC21:58
*** browne has joined #openstack-keystone21:59
*** gokrokve has joined #openstack-keystone22:01
*** gokrokve has quit IRC22:06
*** shakamunyi has joined #openstack-keystone22:11
*** lbragstad has quit IRC22:12
*** BAKfr has quit IRC22:14
gabriel-bezerradstanek: yes, or the code should allow it without username22:14
*** nkinder has joined #openstack-keystone22:14
*** leseb has quit IRC22:14
gabriel-bezerrabut docs show examples without and iirc says it is optional, and code doesn't allow it22:15
*** zhiyan_ is now known as zhiyan22:18
*** gordc has left #openstack-keystone22:21
*** shakamunyi has quit IRC22:22
*** shakayumi has joined #openstack-keystone22:22
*** sbfox has quit IRC22:22
*** dims has joined #openstack-keystone22:24
*** sbfox has joined #openstack-keystone22:25
*** zhiyan is now known as zhiyan_22:27
*** bknudson has quit IRC22:31
*** marcoemorais has quit IRC22:32
*** marcoemorais has joined #openstack-keystone22:32
*** marcoemorais has quit IRC22:32
*** marcoemorais has joined #openstack-keystone22:33
*** marcoemorais has quit IRC22:34
*** marcoemorais has joined #openstack-keystone22:34
*** gokrokve has joined #openstack-keystone22:35
*** thedodd has quit IRC22:41
*** leseb has joined #openstack-keystone22:45
*** leseb has quit IRC22:57
*** rodrigods has joined #openstack-keystone23:06
*** david-lyle has quit IRC23:17
*** zhiyan_ is now known as zhiyan23:19
*** leseb has joined #openstack-keystone23:24
*** leseb has quit IRC23:26
*** leseb has joined #openstack-keystone23:26
*** zhiyan is now known as zhiyan_23:28
*** marcoemorais has quit IRC23:31
*** marcoemorais has joined #openstack-keystone23:32
*** leseb has quit IRC23:32
*** browne has quit IRC23:35
*** schofield has quit IRC23:37
*** browne has joined #openstack-keystone23:42
*** marcoemorais has quit IRC23:43
*** schofield has joined #openstack-keystone23:43
*** marcoemorais has joined #openstack-keystone23:43
*** sbfox1 has joined #openstack-keystone23:46
*** sbfox has quit IRC23:49
*** sbfox has joined #openstack-keystone23:53
*** gokrokve has quit IRC23:54
*** gokrokve has joined #openstack-keystone23:55
*** gokrokve has quit IRC23:55
*** sbfox1 has quit IRC23:55
*** rodrigods has quit IRC23:57
