Tuesday, 2014-06-24

« Monday, 2014-06-23 Index Wednesday, 2014-06-25 »
jamielennoxmorganfainberg: yea i'm just picking those ones out as a base for other things00:02
jamielennoxthe last two i just pushed a small change which is why jenkins hasn't psased yet, but they hvaen't seen a review for a while00:02
morganfainbergjamielennox: *nod*00:03
morganfainbergjamielennox: there is also.. i think an issue that is causing check failures00:03
jamielennoxthey have follow on reviews that need rebasing as well00:03
jamielennoxergh, again - pass rate is maybe 50% at the moment00:03
morganfainbergright00:04
morganfainbergthere is a sqlA issue i think.00:04
morganfainbergpending fix00:04
jamielennoxoh, i saw there was a new release00:04
jamielennoxthis is part of the love/hate of python00:04
morganfainbergoh i am working with infra, hope to have middleware repo tonight / tomorrow00:05
morganfainbergonce i confirm it's there and working i'm going to gently -2 the open middleware patches and point them to the new repo, if you don't have an issue with it00:05
jamielennoxi'm good with that00:07
jamielennoxi won't be at the meeting tomorrow but i'll read the logs later00:08
jamielennoxbut i'm happy to have the split00:08
morganfainbergjamielennox: great :)00:08
*** xianghui has joined #openstack-keystone00:09
*** gokrokve has quit IRC00:17
jamielennoxmorganfainberg: also i pu up https://review.openstack.org/#/c/101792/ whicch will impact your logging one, let me know if it makes sense00:19
morganfainbergjamielennox: my logging one is on hold i think...00:19
morganfainbergi need to make sure the django_auth module isn't doing something odd00:20
jamielennoxyea, thats why i added this one now00:20
jamielennoxit doesnt have tests i just want to see if the idea works00:20
morganfainbergjamielennox: ++ i'll look at this one tonight (after dinner prob)00:20
jamielennoxno rush00:20
morganfainbergright-o00:21
*** marcoemorais has quit IRC00:31
*** hrybacki has quit IRC00:54
*** topol has joined #openstack-keystone01:01
*** morganfainberg has quit IRC01:07
*** morganfainberg_Z is now known as morganfainberg01:07
*** browne has quit IRC01:07
*** lbragstad has joined #openstack-keystone01:20
*** stevemar has joined #openstack-keystone01:22
*** amcrn has quit IRC01:38
*** nsquare has quit IRC01:40
*** mberlin1 has joined #openstack-keystone01:42
*** mberlin has quit IRC01:43
*** ncoghlan has joined #openstack-keystone01:43
*** xianghui^ has joined #openstack-keystone02:06
*** richm has left #openstack-keystone02:07
*** fyb3r has joined #openstack-keystone02:10
*** xianghui has quit IRC02:10
fyb3rFound out that my problem was being caused by an issue with MySQL02:10
*** dstanek_zzz is now known as dstanek02:13
*** amcrn has joined #openstack-keystone02:27
*** fyb3r has quit IRC02:28
*** amcrn has quit IRC02:38
*** yfujioka has joined #openstack-keystone02:42
openstackgerritJustin Shepherd proposed a change to openstack/keystone: Adding an index on token.user_id  https://review.openstack.org/10204102:49
*** baffle has quit IRC02:55
*** praneshp has quit IRC02:55
*** baffle has joined #openstack-keystone02:56
openstackgerritwanghong proposed a change to openstack/keystone: trustor_user_id not available in v2 trust token  https://review.openstack.org/10182902:59
openstackgerritSteve Martinelli proposed a change to openstack/keystone-specs: Federating multiple Keystones  https://review.openstack.org/10002303:00
*** nkinder has joined #openstack-keystone03:07
*** amcrn has joined #openstack-keystone03:07
*** nsquare has joined #openstack-keystone03:08
*** dims__ has quit IRC03:13
*** dstanek is now known as dstanek_zzz03:14
*** ncoghlan is now known as ncoghlan_afk03:15
*** ncoghlan_afk is now known as ncoghlan03:16
*** zhiyan_ is now known as zhiyan03:19
*** dstanek_zzz is now known as dstanek03:19
*** hrybacki has joined #openstack-keystone03:20
openstackgerritA change was merged to openstack/python-keystoneclient: Update keystoneclient code to account for hacking 0.9.2  https://review.openstack.org/10015203:27
*** dstanek is now known as dstanek_zzz03:37
openstackgerritwanghong proposed a change to openstack/keystone: delete the tokens when deleting ec2 credential  https://review.openstack.org/8745003:37
*** dims__ has joined #openstack-keystone03:39
topolmorganfainberg, you there?03:40
topolstevemar you there?03:40
stevemartopol, howdy03:40
*** ncoghlan is now known as ncoghlan_afk03:40
topolHi stevemar, quick question. So does devstack now default to starting keystone within apache?  I was looking at the keystone devstack script and it did not appear to be configurable03:41
*** lbragstad has quit IRC03:41
*** dims__ has quit IRC03:41
stevemartopol, whats the error?03:41
stevemartopol, is it something about oslo.db ?03:42
topolstevemar, no error. just wanted to confirm that devstack now runs a s default keystone deployed as part of HTTPD03:42
topolstevemar, cause thats how I interpreted the devstack keystone script03:42
stevemartopol, jeez, i mis-read that...03:43
stevemartopol, i would say that change isn't in yet03:43
stevemarhttps://review.openstack.org/#/c/100747/03:43
*** dstanek_zzz is now known as dstanek03:43
openstackgerritJustin Shepherd proposed a change to openstack/keystone: Adding an index on token.user_id  https://review.openstack.org/10204103:44
stevemartopol, you can start it by default by setting APACHE_ENABLED_SERVICES=key in localrc devstack file03:44
stevemartopol, but no, the change isn't in yet03:45
*** ncoghlan_afk is now known as ncoghlan03:46
topolstevemar so what is throwing me off is KEYSTONE_USE_MOD_WSGI did not appear to be used in http://devstack.org/lib/keystone.html03:46
stevemartopol, i don't think that change is in either, https://review.openstack.org/#/c/101611/03:47
topolstevemar, thanks. I could have sworn that had merged03:48
topolstevemar, I am very close to sending the article to you for you to add your polish03:49
stevemartopol, nope. looks like KEYSTONE_USE_MOD_WSGI will replace APACHE_ENABLED_SERVICES though03:49
topolstevemar, thats fine03:49
stevemartopol, awesome, looking forward to it03:49
stevemartopol, gonna review those patches now :)03:50
topolstevemar, we warned its all xml03:50
topolerr be warned03:50
topolstevemar, its "old man" authoring :-)03:50
stevemartopol, i am hoping to find some time to try out mareks client side changes for federation03:50
stevemartopol, s'all good03:51
topolstevemar, K03:51
*** lbragstad has joined #openstack-keystone03:54
*** hrybacki has quit IRC03:57
*** ncoghlan is now known as ncoghlan_afk03:59
*** dstanek is now known as dstanek_zzz04:10
*** jamielennox is now known as jamielennox|away04:13
*** radez is now known as radez_g0n304:29
*** morganfainberg_L has joined #openstack-keystone04:41
*** dims has joined #openstack-keystone04:42
*** gyee has quit IRC04:42
*** gokrokve has joined #openstack-keystone04:44
*** ajayaa has joined #openstack-keystone04:45
*** dims has quit IRC04:47
*** ajayaa has quit IRC04:58
*** ncoghlan_afk is now known as ncoghlan05:00
*** nsquare has quit IRC05:01
*** praneshp has joined #openstack-keystone05:04
*** ajc_ has joined #openstack-keystone05:07
*** lbragstad has quit IRC05:07
*** praneshp_ has joined #openstack-keystone05:08
*** gokrokve_ has joined #openstack-keystone05:09
*** praneshp has quit IRC05:09
*** praneshp_ is now known as praneshp05:09
*** ajayaa has joined #openstack-keystone05:10
*** gokrokve has quit IRC05:11
*** daneyon has joined #openstack-keystone05:16
stevemarmorganfainberg, always with the punny review comments!05:22
morganfainberg_Lwut?05:25
stevemarmorganfainberg, added 1 more nit!05:26
*** topol has quit IRC05:26
*** daneyon has quit IRC05:26
*** daneyon has joined #openstack-keystone05:27
morganfainberg_Lstevemar: i'm lost05:27
stevemarmorganfainberg_L, just talking about your devstack change, it's also late, so theres that05:32
*** nsquare has joined #openstack-keystone05:36
*** rwsu has quit IRC05:41
*** dims has joined #openstack-keystone05:43
*** dims has quit IRC05:47
*** ncoghlan is now known as ncoghlan_afk05:47
*** nsquare has quit IRC05:48
*** morganfainberg_L has quit IRC05:51
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/9700506:00
*** gokrokve_ has quit IRC06:08
*** jaosorior has joined #openstack-keystone06:20
*** harlowja is now known as harlowja_away06:20
*** stevemar has quit IRC06:25
*** ncoghlan_afk is now known as ncoghlan06:26
*** nsquare has joined #openstack-keystone06:27
*** bvandenh has joined #openstack-keystone06:29
*** praneshp has quit IRC06:40
*** dims has joined #openstack-keystone06:43
*** dims has quit IRC06:48
*** daneyon_ has joined #openstack-keystone06:48
*** daneyon has quit IRC06:52
*** daneyon_ has quit IRC06:57
*** amcrn has quit IRC07:02
*** yfujioka has quit IRC07:03
*** marekd|away is now known as marekd07:04
marekdmorganfainberg: thanks for the sso review, starting to looking at it :-)07:05
marekdmorganfainberg: (not sure if you are still here)07:05
*** daneyon has joined #openstack-keystone07:06
*** openstackgerrit has quit IRC07:10
*** BAKfr has joined #openstack-keystone07:11
*** afazekas is now known as __afazekas07:17
*** gokrokve has joined #openstack-keystone07:19
*** gokrokve has quit IRC07:23
*** andreaf has joined #openstack-keystone07:39
*** nsquare has quit IRC07:39
*** dims_ has joined #openstack-keystone07:44
*** amerine_ has joined #openstack-keystone07:44
*** afazekas has joined #openstack-keystone07:46
*** amerine has quit IRC07:47
*** dims_ has quit IRC07:49
*** amerine has joined #openstack-keystone08:09
*** amerine_ has quit IRC08:12
*** daneyon has quit IRC08:19
*** daneyon has joined #openstack-keystone08:23
*** ncoghlan has quit IRC08:24
*** dims_ has joined #openstack-keystone08:45
*** i159 has joined #openstack-keystone08:46
*** dims_ has quit IRC08:50
*** tziOm has joined #openstack-keystone08:59
marekdmhu: around? :-)09:17
mhumarekd: hi !09:17
marekdmhu: just wanted to check what's up :-)09:18
marekdand if you guys want to take over auth part in OSC :-)09:18
marekdmhu: I understand you are busy with some other work but would like to know if you have any plans for development :-)09:18
mhumarekd, sure ! I was actually looking at what was left to be done, we can actually switch to this now09:19
marekdmhu: great.09:19
marekdas i wrote in the e-mail: IDPs are already merged, Mapping are under review, Protocls were not even started09:19
marekdmhu: after we have it, rearchitecting auth mechanism in OSC would be a nice step.09:20
marekdmhu: i think there is a good place for using your imagination as it can be done in plugable and exendable way, i think :-)09:20
mhumarekd, sweet ! we'd be 2 or 3 people working on it so there's room for plenty of ideas09:21
mhumarekd, is anyone working on protocols or is it up for grabs ?09:21
marekdmhu: i would be happy to serve with code reviews :-) as long as you want it of course :-)09:21
mhumarekd, of course !09:21
marekdmhu: added you as a reviewer to the Mapping CRUD in OSC09:22
marekdmhu: i think you may want to start with that and fix it :-)09:22
mhumarekd, sounds good to me09:22
marekdmhu: well..fix, make it high quality code, because there are some bugs in there :-)09:22
marekdor thing ppl don't like09:23
marekdthings*09:23
marekdmhu: BTW, already started wearing red hat at work ? :-)09:23
mhumarekd, I see the news spread fast :)09:24
marekdmhu: among OpenStack community - yes :-)09:24
*** zhiyan is now known as zhiyan_09:28
mhumarekd, I'll have a talk with the people I work with @CW and let you know how we're advancing09:29
mhuif there's anything else we can help with do not hesitate09:29
marekdmhu: well....reviews of https://review.openstack.org/#/c/83829/ for example.09:32
mhuI've got a big bunch of reviews I need to address, I'll get to that ASAP :)09:33
marekdcool09:33
marekdthanks :-)09:35
tziOmWhere can I find examples of integrating my own endpoint with keystone?09:39
*** dims_ has joined #openstack-keystone09:46
*** openstackgerrit has joined #openstack-keystone09:48
*** dims_ has quit IRC09:51
*** dims_ has joined #openstack-keystone10:46
openstackgerritMarco Fargetta proposed a change to openstack/keystone-specs: Web Authentication for SAML federated Keystone  https://review.openstack.org/9686711:03
*** fmarco76 has joined #openstack-keystone11:30
*** diegows has quit IRC11:42
*** ajayaa has quit IRC11:50
*** diegows has joined #openstack-keystone11:53
dvorakI'm reworking my token flush patchset and I was wondering, is there an easy way to get sqlalchemy to display the queries being run?  The stuff I found online about this didn't seem to work, but perhaps I was doing it wrong12:00
tziOmFor putting the openstack apis public, will I need multiple ips, or is it common to run through some sort of proxy? I mean .. alot of companies have ports blocked out, and it makes it hard to use ports other than 80 and 443 for api12:07
*** stevemar has joined #openstack-keystone12:22
*** gordc has joined #openstack-keystone12:26
*** hrybacki has joined #openstack-keystone12:49
*** ajc_ has quit IRC12:50
*** dstanek_zzz is now known as dstanek12:52
*** erecio has joined #openstack-keystone12:55
*** gordc has quit IRC12:55
*** oomichi has quit IRC12:57
*** richm has joined #openstack-keystone13:03
*** nkinder has quit IRC13:10
*** andreaf has quit IRC13:13
*** dims_ has quit IRC13:13
*** dims_ has joined #openstack-keystone13:14
*** bklei has joined #openstack-keystone13:15
*** bknudson has joined #openstack-keystone13:17
*** joesavak has joined #openstack-keystone13:17
*** dvorak has quit IRC13:18
*** dvorak has joined #openstack-keystone13:20
*** radez_g0n3 is now known as radez13:23
marekdstevemar: thanks for smashing mapping crud in OSC :_13:32
stevemarmarekd, lol13:32
marekd:-)13:32
stevemarmarekd, sorry13:32
marekdstevemar: hehe, no worries.13:32
stevemarmarekd, :) nothing too major!13:32
marekdstevemar: do you know if dolphm is hanging around? Or he is on holiday/sth?13:33
stevemarmarekd, no idea boss13:36
*** lbragstad has joined #openstack-keystone13:37
hrybackiayoung: do we know any of the folks in the Glance community? I'm getting tired of pining their channel about the session stuff only to hear echoes.13:39
hrybackipinging*13:39
ayoungthe way I usually do stuff like that is to look in git to see who has committed, and ping those people directly13:39
ayounga lot of people don;t watch the channel, but will respond to direct pings13:40
ayoungso  git log is your friend13:40
dstanekor git blame13:41
*** Camisa has quit IRC13:41
hrybackidamn people and their odd handles13:43
*** gordc has joined #openstack-keystone13:46
openstackgerritDavid Stanek proposed a change to openstack/keystone: Corrects minor spelling mistakes  https://review.openstack.org/10223713:51
*** nkinder has joined #openstack-keystone13:54
*** gokrokve has joined #openstack-keystone14:01
*** bklei has quit IRC14:03
*** topol has joined #openstack-keystone14:04
*** Kr4zy has joined #openstack-keystone14:08
openstackgerritMarcos Fermín Lobo proposed a change to openstack/keystone: NotImplemented _for_groups functions on LDAP  https://review.openstack.org/10224414:08
Kr4zyI am experiencing internal server error 500 when I host Keystone Icehouse 2014.1-0.9.rc2 on CentOS 6.4 using WSGI on Apache2. Anyone experiencing this issue?14:09
Kr4zyNative Keystone Icehouse works fine14:09
dstanekmarekd: i think he's in the office today - he was yesterday14:11
marekddstanek: ok, thanks :-)14:11
*** daneyon has quit IRC14:21
hrybackiayoung: were you still thinking we should work toward replacing httplib in glanceclient? If so, can you take a gander at the bottom comment of https://bugs.launchpad.net/python-glanceclient/+bug/1255279 and let me know your thoughts as they directly mention you14:21
uvirtbotLaunchpad bug 1255279 in python-glanceclient "glanceclient should use requests" [Undecided,New]14:21
ayoungsure14:22
nkinderayoung: what's the current state of the policy api?14:22
nkinderayoung: do any other services actually use it?14:22
ayoungnkinder, I've heard dark tales14:22
ayoungabout unspeakable things being done with policy14:23
ayoungThese are shrugged off as travellers stories14:23
ayoungdolphm, who is using policy?  I know that we don't yet.14:23
nkinderayoung: I'm assuming the intent is that something like nova would just fetch central policy from keystone instead of requiring policy.json to be managed locally on all compute nodes14:23
dolphmayoung: /v3/policy ?14:23
ayoungnkinder, yes, but it is not usable yet14:23
dolphmayoung: policies*14:24
ayoungdolphm, you mentioned that you knew it was in use.14:24
nkinderayoung: ok, what's missing?14:24
ayoungyeah, poicy API14:24
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Implement SAML2 ECP authentication  https://review.openstack.org/9216614:24
ayoungnkinder, a way to get the "right" policy14:24
ayoungpolicy gets uploaded and assigned a new ID14:24
dolphmayoung: yes that's the intent. someone from either a stackforge project or 3rd party project was using the API, but that's it14:24
ayoungthere is nothing that says which policy id applies to which endpoint14:24
nkinderok, so the endpoint needs to know the id currently14:25
ayoungnkinder, dolphm and I have been discusing, and henrynash is taking an interest now14:25
ayoungI wrote some BPs/specs, but need to get a clear path forward14:25
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Implement SAML2 ECP authentication  https://review.openstack.org/9216614:26
*** david-lyle has joined #openstack-keystone14:26
ayoungnkinder, https://blueprints.launchpad.net/keystone/+spec/endpoint-policy was my first stab at it14:26
ayoungbut dolphm realized that we prefeix each rule with the service name14:26
ayoungwell, the "good" name14:26
ayoungso keystone policy rulkes start with "identity"14:27
ayoungand nova with compute14:27
ayoungso they could be deployed side by side in the same file14:27
marekddstanek: https://review.openstack.org/#/c/92166/28/keystoneclient/contrib/auth/v3/saml2.py - i know want to make IdP auth plugins pluggable. By saying IdP plugin I say: the IdP auth step within SAML authN process" How do you like idea of class IdpAuth from the provided link and how do you like idea that such plugin should be initialized and passed before saml2 authN begins (parameter idp_auth_plugin in Saml2UnscopedToken.__init__() ) ?14:28
hrybackiayoung: apparently they started to port but ran into issues with requests not providing the ability to disable ssl compression https://github.com/kennethreitz/requests/issues/1853 and abandoned the blueprint/change https://review.openstack.org/#/c/23424/14:31
ayounghrybacki, yeah, just ignore that14:31
ayoungit turns out it is an operating system configuration14:31
ayoungand it should be14:31
hrybackimmk14:31
ayoungso we can just use requests and things work right14:31
hrybackiit looks like Fabio did a lot of work, why did they abandon the change?14:32
ayounghrybacki, because people got on the "compression" bandwagon before we fully understood the problem14:33
hrybackiheh14:33
*** Kr4zy_ has joined #openstack-keystone14:34
*** Kr4zy has quit IRC14:34
ayounghrybacki, yeah, its one of the side effects of python, or any application language, working to abstract away the operating system.  The urge then becomes to reinvent everything in the app language14:34
hrybackiinteresting14:34
ayoungI've seen it in depth in Java, Perl, and Python so far.  And a Bit of Ruby, too14:35
dstanekmarekd: at first glance it looks sane14:35
*** fmarco76 has left #openstack-keystone14:35
ayoungdstanek, I thought you were saying Glance looked sane14:35
hrybackiit looks like most of the work I'd need to do has been done already e.g. https://review.openstack.org/#/c/23424/14/glanceclient/common/http.py14:35
marekddstanek: ok, cool.14:35
ayoungthought maybe you were slipping14:35
dstanekayoung: no, i cannot confirm that yet14:35
dstanekayoung: Ruby likes to reinvent everything, including Ruby14:36
ayoungdstanek, Every language does that14:36
ayoungdstanek, its the same thing I've been battling with the Apache HTTPD effort14:36
*** andreaf has joined #openstack-keystone14:37
ayoungPython should be for business logic, with performance intensive stuff optimized to native code14:37
ayoungand that goes quintuple for crypto14:37
ayoungnkinder, so, on policy, here's how far we've got in discussions14:38
ayoungit is the service user that makes the request for policy14:38
marekdheh, within next 10 OS releases there will be at least one OS project written in GO :P14:38
ayoungthe service user has a context14:39
ayoungand we can use that context to select policy14:39
ayoungprobably the right scope is to  do :  look at the service users token.  Chose the project from it.  Use that project to fetch the proper policy file14:40
ayoungso if you have two endpoint for the same service, and you want them to have different policies,  you would have their services users  fetch tokens scoped to different projects14:40
ayounghrybacki, so resurrrect flapper's code14:41
ayoungand lets fine out when the glance team meeting is this week so we can beat them up about it14:42
hrybacki1000 on Thurs.14:42
ayounghttps://wiki.openstack.org/wiki/Meetings/Glance14:42
hrybackimeeting-alt14:42
ayoungcool14:42
ayoungmodify the meeting wiki to put this on the agenda14:42
ayoungetherpad for them14:42
ayounghttps://etherpad.openstack.org/p/glance-team-meeting-agenda14:42
hrybackior 2000 rather?14:43
ayounghrybacki, pingme before hand and we'll make a united front14:43
ayoung14:00 UTC14:44
hrybackiit alternates, 19th was was 14:0014:44
hrybackiright?14:44
ayounghttp://www.timeanddate.com/worldclock/converter.html14:45
*** topol has quit IRC14:45
ayounglooks like it14:45
Kr4zy_I am experiencing internal server error 500 when using Apache2 to host Keystone 2014.1-0.9.rc2 using WSGI. Anyone experiencing this?14:46
dstanekKr4zy_: do you have access to the Apache logs?14:50
Kr4zy_yeah14:51
Kr4zy_I have looked14:51
Kr4zy_dstanek: the logs are not very helpful14:51
Kr4zy_dstanek: I take that back.14:52
openstackgerritJustin Shepherd proposed a change to openstack/keystone: Adding an index on token.user_id  https://review.openstack.org/10204114:52
Kr4zy_dstanek: It said "ImportError: cannot import name deploy"14:53
dstanekKr4zy_: no stacktrace?14:54
Kr4zy_dstanek: here is the log : https://gist.github.com/anonymous/cee580c4f8673cd5c30014:57
*** morganfainberg_L has joined #openstack-keystone14:58
morganfainberg_Lmornin14:59
marekdelo14:59
Kr4zy_dstanek: I currently have python-paste-deploy1.5-1.5.0-5.el6.noarch installed.14:59
dstanekKr4zy_: it appears that not all of the dependencies were installed - PasteDeply seems to be missing14:59
dstanekKr4zy_: what happens if you run python and import it?14:59
ayoungKr4zy_, tokens too big15:00
*** bvandenh has quit IRC15:00
Kr4zy_dstanek: Traceback (most recent call last):   File "<stdin>", line 1, in <module> ImportError: No module named deploy15:00
ayoungKr4zy_, the service catalog gets above 8k and won't fit in the header between mod_wsgi and theapache process15:01
Kr4zy_ayoung: how do I fix this?15:01
ayoungKr4zy_, make a request for a token without a service catalog and see if it works15:02
ayoungKr4zy_, compressed tokens15:02
ayoungendpoint filtering15:02
ayoungKr4zy_, I don';t have a perfect answer yet15:02
dstanekKr4zy_: if you have the package installed that import should work - i have no idea why it wouldn't15:02
ayoungits one of the fires I've been fighting15:02
ayoungKr4zy_, but...15:02
ayoung<Kr4zy_> \ "ImportError: cannot import name deploy" is not that problem15:03
dstanekayoung: what makes you think the catalog is too big?15:03
ayoungdstanek, cuz that is the thing everyone else is hitting in HTTPD15:03
Kr4zy_ayoung: yeah, I was about to ask15:03
ayoungbut in this case, not15:03
dvorakIs there an easy way to get SQLAlchemy to print the SQL queries it's generating?  I'm trying to rework my token expiration patch set and I'd like to be able to see the queries generated so I can run explain n them and validate they're doing what I think15:03
dstanekKr4zy_: in Python 'import paste' and 'print paste.__file__'15:04
dstanekdvorak: yes, the logger...jas15:04
Kr4zy_dstanek: >>> import paste >>> print paste.__file__ Traceback (most recent call last):   File "<stdin>", line 1, in <module> AttributeError: 'module' object has no attribute '__file__'15:04
dstanekdvorak: try this http://stackoverflow.com/questions/2950385/debugging-displaying-sql-command-sent-to-the-db-by-sqlalchemy15:05
dvorakyeap, I tried that, but didn't have any luck15:05
dvorakI didn't know if there was some special keystone/openstack magic needed15:05
dstanekdvorak: hmmm...at one time that did work for me. maybe they changed the name of their logger15:05
*** jsavak has joined #openstack-keystone15:06
dvorakmaybe I'll try it again, perhaps I did something wrong15:06
dstanekKr4zy_: wow, wierd. that works fine for me. what about vars(paste)?15:07
dstanekthat should have a ton of output15:07
Kr4zy_dstanek: {'__name__': 'paste', '__doc__': None, '__path__': ['/usr/lib/python2.6/site-packages/paste']}15:07
openstackgerritDolph Mathews proposed a change to openstack/keystone: the user_tenant_membership table was replaced by "assignment"  https://review.openstack.org/10226615:07
dstanekKr4zy_: look in /usr/lib/python2.6/site-packages and see if you can find paste deploy15:08
*** joesavak has quit IRC15:09
hrybackiayoung: for your review/editing https://etherpad.openstack.org/p/keystoneclient_integration_with_component_clients15:09
Kr4zy_dstanek: I have /usr/lib/python2.6/site-packages/PasteDeploy-1.5.0-py2.6.egg/paste/deploy directory15:10
ayounghrybacki, link to jamielennox|away 's blog post on sessions15:11
dstanekKr4zy_: i wonder if your missing an entry in your pth file for paste15:11
Kr4zy_dstanek: this is what's inside dir https://gist.github.com/anonymous/f869220602095303387b15:12
*** daneyon has joined #openstack-keystone15:13
hrybackiayoung++15:14
*** gokrokve has quit IRC15:14
dstanekKr4zy_: i don't know much about how redhat installs python code, but there are .pth files in site-packages that usually contain directories to be added to the Python path15:17
dstanekKr4zy_: try this http://dpaste.com/100VV0915:18
Kr4zy_dstanek: Traceback (most recent call last):   File "<stdin>", line 1, in <module> ImportError: cannot import name deploy15:18
*** topol has joined #openstack-keystone15:25
Kr4zy_dstanek: I have actually try to import deploy on a working Keystone Havana node and it is showing the same error, but Keystone on WSGI still works.15:34
dstanekKr4zy_: is there a Python path being set in the Apache file?15:35
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fix the order of assertEqual arguments(pemutils, v3_catalog, etc)  https://review.openstack.org/7751415:36
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Implement SAML2 ECP authentication  https://review.openstack.org/9216615:37
*** gokrokve has joined #openstack-keystone15:39
*** gyee has joined #openstack-keystone15:40
ayoungdstanek, where can I find oslo.db?15:44
ayounglike, where would devstack expect it to be?15:44
Kr4zy_dstanek: yeah. I am using Puppet to lay this down. The configuration is similar to the working havana node.15:46
*** joesavak has joined #openstack-keystone15:46
dstanekayoung: i think it installs it to the system python or in /opt/stack - i don't have a newer devstack15:48
ayoungI just pip installed and worked around it...15:48
ayoungI thin kthat is all it does, but maybe it builds nd installs the pacakge version...guess I really don't care.  But thanks15:48
dstanekKr4zy_: your Apache conf has a Python path?15:48
openstackgerritMorgan Fainberg proposed a change to openstack/keystone-specs: Service Token Composite Authorization Specification  https://review.openstack.org/9631515:49
dstanekayoung: :-)15:49
*** jsavak has quit IRC15:49
openstackgerritDolph Mathews proposed a change to openstack/keystone: deprecate LDAP config options for 'tenants'  https://review.openstack.org/10227815:51
morganfainberg_Ldolphm: YAY!15:54
dolphmmorganfainberg_L: long overdue!15:54
morganfainberg_Ldolphm: +++++++1million15:57
*** marekd is now known as marekd|away15:59
*** praneshp has joined #openstack-keystone16:00
*** joesavak has quit IRC16:00
*** joesavak has joined #openstack-keystone16:00
*** jsavak has joined #openstack-keystone16:01
morganfainberg_Lok i need to go get breakfast and run an errand be back for the meeting16:01
*** joesavak has quit IRC16:05
*** marcoemorais has joined #openstack-keystone16:08
*** BAKfr has quit IRC16:12
*** bvandenh has joined #openstack-keystone16:18
*** andreaf has quit IRC16:18
*** andreaf has joined #openstack-keystone16:19
*** i159 has quit IRC16:22
*** gokrokve_ has joined #openstack-keystone16:22
*** afazekas has quit IRC16:24
*** dstanek is now known as dstanek_zzz16:24
*** dstanek_zzz is now known as dstanek16:25
*** gokrokve has quit IRC16:25
*** gokrokve_ has quit IRC16:32
*** __afazekas is now known as afazekas16:41
*** jaosorior has quit IRC16:42
*** Kr4zy_ has quit IRC16:46
*** gordc has quit IRC16:49
*** harlowja_away is now known as harlowja16:55
*** henrynash has joined #openstack-keystone16:57
*** bklei has joined #openstack-keystone16:59
*** henrynash has quit IRC17:07
*** elmiko has joined #openstack-keystone17:09
*** gokrokve has joined #openstack-keystone17:10
elmikohey all, is there more information about trusts than the wiki page(https://wiki.openstack.org/wiki/Keystone/Trusts) ?17:10
*** nsquare has joined #openstack-keystone17:11
lbragstadelmiko: the identity spec contains information https://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3-os-trust-ext.md17:11
elmikolbragstad: ahh, tyvm :)17:12
lbragstadelmiko: sure thing, specifically information on the trust API17:12
elmikolbragstad: this looks like what i was looking for, more in-depth api info17:13
lbragstadelmiko: cool, the identity api spec should contain a lot of that information17:13
elmikolbragstad: ok thanks, i'll need to double check that as well17:13
lbragstadelmiko: no problem17:14
dstanekagenda for today's meeting is very sparse!17:17
lbragstaddstanek: sign stevemar up for another improv dance?17:17
stevemarlbragstad, umm i believe it's the person who says the meeting is sparse is automatically signed up17:18
dstaneklbragstad: he better start prepping - i hear he has a performance at the Hackathon17:19
lbragstadin person!?17:19
*** henrynash has joined #openstack-keystone17:19
lbragstadeven better17:19
elmikolbragstad: i was under the impression that you could list a set of endpoints when creating a trust, is that not the case?17:19
dstaneklive streamed over youtube!17:19
lbragstadelmiko: I'm not entirely sure you can do that but ayoung might have more info in it? What are you trying to do?17:20
ayoungelmiko, are you trying to limit a trust token to only a specific set of endpoints?17:21
elmikolbragstad: i would like to delegate a trust from user A to user B allowing access to a specific Swift object17:21
elmikoayoung: yea17:21
ayoungelmiko, its only a blueprint today17:21
lbragstadah, gotcha17:21
elmikoayoung: doh!17:21
ayounghttps://blueprints.launchpad.net/keystone/+spec/endpoint-scoped-tokens17:22
ayoungI know it is obnoxious to say it, but patches welcomed17:22
ayoungthat one, especially, would be stellar17:22
lbragstadI think we kind of touched on this topic a little at the summit to... (maybe the notes are in etherpad)?17:22
elmikoayoung: well, i'll take a look. if i think i can help, i will :)17:23
lbragstadbut that was more along the lines of an end user interacting with Swift through Glance, etc..17:23
elmikoi'm actually looking at this for the sahara project, and i thought it was in place already. but it would really help the problem we are facing lol.17:23
ayoungelmiko, in auth token middleware, when looking to see if a token is valid, we would add the check (subject to a config flag) that the current endpoint is in the token i17:24
ayoungbig problem there is that endpoints don't know their own id17:24
ayoungbut solvable17:24
*** rwsu has joined #openstack-keystone17:25
elmikoayoung: this would involve some level of figuring out how to map endpoints into a token id?17:26
*** daneyon has quit IRC17:29
openstackgerritBrant Knudson proposed a change to openstack/keystone: Regenerate sample config file  https://review.openstack.org/10229417:30
*** gordc has joined #openstack-keystone17:32
*** amcrn has joined #openstack-keystone17:32
dstanekthe amount of specs/reviews i have in next-review is quite staggering ... anyone know of anything critical i should concentrate on17:32
dstanek?17:32
bknudsondstanek: doesn't next-review order them by importance?17:35
*** openstackgerrit has quit IRC17:35
*** openstackgerrit has joined #openstack-keystone17:37
dstanekbknudson: i don't think so - i think just by last updated - gerrit doesn't have a priority (but it should)17:38
bknudsondstanek: oh, I thought it looked at reviewday data17:39
bknudsonhttp://status.openstack.org/reviews/reviewday.json17:39
dstanekbknudson: neat, what is that score?17:40
*** andreaf has quit IRC17:40
bknudsondstanek: reviewday calculates it... http://git.openstack.org/cgit/openstack-infra/reviewday/tree/reviewday/mergeprop.py#n2217:41
dstanekbknudson: fixing next-review right now! thanks for the pointer17:43
dolphmbknudson: ( not yet :-/ )17:46
dolphmdstanek: i have a patch for review day support that isn't merged, if want to start with that17:46
dolphmdstanek: not sure what it needs to merge, but probably not much. i sat on it for a bit comparing sort order with and without review day, and wasn't sure if a reviewday based sort should be the default behavior, or optional17:47
dolphmdstanek: but to answer your original question... i'd say the ones closest to being approved are probably JSON Home https://review.openstack.org/97359 Non-Persistent Tokens https://review.openstack.org/95976 so i'd focus on knocking those out17:48
dolphm(which now that i'm looking at the votes on those, was probably already obvious)17:49
dstanekdolphm: is you patch local or did you push it somewhere?17:49
dolphmdstanek: local at the moment17:49
dstanekdolphm: i +1ed the json home because nobody is assigned to do it, but other than that i think it's good17:50
morganfainberg_Lkeystonemiddleware repo is up and running17:50
dstanekdolphm: i just read over the spec last night and i'm excited to get that in17:50
morganfainberg_Lhttps://github.com/openstack/keystonemiddleware17:50
dstanekmorganfainberg_L: nice17:51
morganfainberg_Ldstanek: ++ is we had someone assigned to JSON Home, I'd +217:51
dolphmmorganfainberg_L: did that have a bp?17:51
dstanekbknudson: if you don't have the time i can take a look at it17:51
bknudsondstanek: I don't think I'll have the time17:52
dstanekdolphm: i don't think so - i think the link was actually invalid - which i took at meaning "this is where it will be"17:52
dolphmdstanek: also, composite tokens looked quite sane last i checked, but i didn't get to take a full pass https://review.openstack.org/#/c/96315/17:52
bknudsondstanek: but if I can get the v3 extension advertisements done then it would probably be somewhat easy to add on17:52
lbragstadhttps://blueprints.launchpad.net/openstack/?searchtext=json-home17:52
bknudsondstanek: really the tricky part is getting it to work with GET / ... GET /v3 and GET /v2.0 should be easier17:53
*** henrynash has quit IRC17:53
bknudsonmaybe JSON-Home would allow GET / to point to GET /v2.0 and GET /v3? That would be easier17:53
dstanekbknudson: have you started to work on that?17:54
dolphmbknudson: what's the challenge with GET / ?17:54
bknudsondstanek: I started work on v3 extension advertisement...17:54
bknudsondolphm: the routers don't see GET / requests17:54
bknudsonmaybe there's a way to have GET / make an internal request to GET /v2.0 and GET /v3?17:55
bknudsondstanek: dolphm: here was a proof of concept for GET /v3 -- https://review.openstack.org/#/c/95389/2/keystone/contrib/ec2/routers.py17:56
*** henrynash has joined #openstack-keystone17:57
dolphmbknudson: that looks like it would work18:00
bknudsonit works for GET /v3 because the extension router is in the pipeline /v3 -- http://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone-paste.ini#n10218:00
*** harlowja has quit IRC18:04
*** hrybacki has quit IRC18:06
*** harlowja has joined #openstack-keystone18:07
*** harlowja has quit IRC18:07
*** dims_ has quit IRC18:13
*** dims_ has joined #openstack-keystone18:14
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: auth_token cached token handling  https://review.openstack.org/9678618:16
*** gordc has quit IRC18:22
*** harlowja has joined #openstack-keystone18:26
*** harlowja has quit IRC18:26
*** Kr4zy has joined #openstack-keystone18:26
*** harlowja has joined #openstack-keystone18:26
*** harlowja has quit IRC18:26
*** harlowja has joined #openstack-keystone18:27
*** harlowja has quit IRC18:27
openstackgerritA change was merged to openstack/python-keystoneclient: Imports to fix build warnings  https://review.openstack.org/9974518:28
*** gordc has joined #openstack-keystone18:28
Kr4zyis it a known issue for mod_wsgi to not work with the latest keystone icehouse release?18:28
*** harlowja has joined #openstack-keystone18:28
*** harlowja has quit IRC18:28
*** harlowja has joined #openstack-keystone18:29
*** harlowja has quit IRC18:29
*** harlowja has joined #openstack-keystone18:29
*** harlowja has quit IRC18:29
*** marcoemorais has quit IRC18:33
*** marcoemorais has joined #openstack-keystone18:34
*** harlowja has joined #openstack-keystone18:34
*** harlowja has quit IRC18:34
*** henrynash has quit IRC18:35
openstackgerritA change was merged to openstack/python-keystoneclient: Doc build fails if warnings  https://review.openstack.org/10106118:38
*** harlowja has joined #openstack-keystone18:39
*** harlowja has quit IRC18:39
*** harlowja has joined #openstack-keystone18:40
*** harlowja has quit IRC18:40
*** nkinder has quit IRC18:41
*** harlowja has joined #openstack-keystone18:42
*** erecio has quit IRC18:55
openstackgerritA change was merged to openstack/keystone: remove unnecessary word in docs: 'an'  https://review.openstack.org/9921818:56
*** hrybacki has joined #openstack-keystone18:57
*** jaosorior has joined #openstack-keystone18:58
*** dstanek is now known as dstanek_lunch19:00
ayounggyee, so, no hard requirement on PKI, as it just complicates matters.   We an make it optional if you really want, and I have no problem with that19:00
*** kwss_ has joined #openstack-keystone19:01
ayoungbut the question is  "does an endpoint know its own id or does an endpoint work with the identity of the service user only."19:01
gyeeayoung, sure, I was merely brain farting over there, I haven't completely think through the details yet19:01
ayoungand I kindlik that last option19:01
*** morganfainberg_L has quit IRC19:01
ayoungkind of like19:01
*** morganfainberg_L has joined #openstack-keystone19:01
ayounggyee, I have a bp for yourthing19:01
*** morganfainberg_L has quit IRC19:02
gyeeayoung, k, will put some thought into it19:02
*** morganfainberg_L has joined #openstack-keystone19:02
ayounghttps://blueprints.launchpad.net/keystone/+spec/endpoint-cert  gyee19:02
ayounggyee, but I think that the solution is do it as a service user19:02
ayoungthen the keystone server gets a new auth_url that is X509 client cert enforcing19:02
ayoungI have hostname/main  hostname/admin hostname/krbb this would be hostname/x50919:03
ayounggyee, ^^ and then we can let apache do the heavy lifting19:03
ayoungther  need, then, is to make an x509 client plugin19:03
ayounggyee, can you write that?19:03
ayounglike  jose's kerberos plugin?19:04
gyeeayoung, sure19:04
ayounggyee, https://review.openstack.org/#/c/74974/19:04
gyeeayoung, I was thinking cert authorization, no need to issue the token at all19:04
ayounggyee, I know19:04
ayounggyee, two steps19:04
morganfainberg_Lbknudson: ok, so you're proposing doing a soft import if exists in keystoneclient.middleware, but not having an install dep on keystonemiddleware - ok, when would we change that? i don't see a point in doing so, when we would change that why not just remove ksc middleware19:04
gyeecert -> apache -> middleware mapping -> auth context19:04
ayounglets get certs to work to get a token first19:04
ayoungso:19:05
ayounghttps://review.openstack.org/#/c/95989/  gyee19:05
ayoungwe need something like ^^19:05
ayoungOK?19:05
gyeeayoung, yeah, that's an easy one19:05
gyeeayoung, lemme cook one up19:06
ayounggyee, I just don't havea client cert setup right now to make it easy, and my team is currently driving through on the Kerberos side19:06
ayoungbut I'd be happy to review19:06
gyeeayoung, k, I have apache setup locally, with cert and everything19:06
ayoungclient cert is the issue19:06
ayoungyou need a CA to issue it19:07
*** amerine has quit IRC19:07
bknudsonmorganfainberg_L: not a soft import, not sure what the point would be of that?19:07
morganfainberg_Lbknudson: i thought you meant to import the middleware to the same location as it was in keystoneclient19:08
morganfainberg_Lbknudson: is that not what you were saying?19:08
morganfainberg_Lbknudson: if you were saying we just drop the middleware (Eventually) from keystoneclient, that was the plan. just no specific timeline yet19:08
morganfainberg_Lhence the need to do security fixes in ksc middleware until that can/does occur19:09
*** dims_ has quit IRC19:15
*** dims_ has joined #openstack-keystone19:16
*** ayoung has quit IRC19:16
*** dstanek_lunch is now known as dstanek_lunch_zz19:16
*** dstanek_lunch_zz is now known as dstanek19:16
*** praneshp has quit IRC19:22
bknudsonmorganfainberg_L: right, import the middleware. I didn't understand the soft import part? (I thought it meant try the import and don't fail if it doesn't work)19:27
bknudsonmorganfainberg_L: And I also expected that we'd keep the copy for a little while at least... maybe a few releases of ksc.19:28
morganfainberg_Lbknudson: i don't see a reason to even bother importing to the same location as before once we drop the copy19:29
morganfainberg_Lbknudson: i think that is why i was confused.19:29
morganfainberg_Lbknudson: the way i saw it, keep a copy in keystoneclient, eventually drop it completely and don't even bother importing it to keystoneclient.middleware19:29
bknudsonmorganfainberg_L: I figured it would just keep working if we did the import & it doesn't really cost anything.19:30
bknudsonand it would allow us to not have the copy for as long19:30
morganfainberg_Li doubt it, we'll need to keep a copy unless we update stable/* of projects19:30
bknudsonbut this is a ways out so can look at it then.19:30
morganfainberg_Lyeah lets argue about that when we get there ;)19:31
*** harlowja has quit IRC19:31
*** marcoemorais has quit IRC19:31
*** marcoemorais has joined #openstack-keystone19:32
morganfainberg_Ldolphm, bknudson, https://review.openstack.org/#/c/102326/ add to devstack19:32
*** marcoemorais has quit IRC19:32
*** marcoemorais has joined #openstack-keystone19:32
bknudsonAPT::Acquire::Retries "20"; -- wonder where that came from19:34
morganfainberg_Lbknudson: recent change iirc19:35
morganfainberg_Lissues with apt servers being unresponsive19:35
openstackgerritA change was merged to openstack/keystone: deprecate LDAP config options for 'tenants'  https://review.openstack.org/10227819:36
openstackgerritA change was merged to openstack/keystone: Corrects minor spelling mistakes  https://review.openstack.org/10223719:36
*** praneshp has joined #openstack-keystone19:37
*** harlowja has joined #openstack-keystone19:37
*** bklei has quit IRC19:37
*** harlowja_ has joined #openstack-keystone19:39
*** harlowja has quit IRC19:42
bknudsonstevemar: now I'm getting "worlddump.py: error: argument -d/--dir: expected one argument"19:44
bknudson+ git clone git://git.openstack.org/openstack/keystonemiddleware.git /opt/stack/keystonemiddleware master19:44
bknudsonToo many arguments.19:44
bknudsonmorganfainberg_L: ^19:44
morganfainberg_L*blink*19:45
morganfainberg_Lwut?19:45
stevemarbknudson, i had to install oslo.db19:45
morganfainberg_Lstevemar: old venv?19:46
bknudsonstevemar: I've got oslo.db19:46
bknudsonI probably cloned it myself19:46
stevemarmorganfainberg, when i was using devstack19:46
morganfainberg_Lstevemar: oh19:46
topoldolphm, morganfainberg, ayoung, I updated https://wiki.openstack.org/wiki/Keystone to cover all the code review and spec repos19:52
*** kwss_ has quit IRC19:52
bknudsonhttp://docs.openstack.org/developer/keystonemiddleware/ :(19:53
stevemarbknudson, who needs those silly docs anyway!19:54
morganfainberg_Lbknudson: might require a merge19:54
morganfainberg_Ldon't think we run a full test run when initialiing the repo19:54
stevemardstanek, ping!19:54
bknudsonhttp://git-scm.com/docs/git-clone -- as far as I can tell git clone is working as expected19:55
morganfainberg_Lbut i'm sure docs folks would know for sure.19:55
bknudsonI think its -b <name> that should be used19:56
morganfainberg_Loh did I typo it?19:56
bknudsonmorganfainberg_L: I don't see how, it's used the same way everywhere19:57
morganfainberg_Lah i see the issue19:57
morganfainberg_Lgit_clone vs git clone19:57
morganfainberg_L*facepalm19:57
bknudsonhehe19:57
morganfainberg_Lbknudson: ok thatshould solve it19:58
morganfainberg_Lpatchset 2.19:58
elmikoi'm looking through some of the spec docs and i'm noticing that in some of the json requests the ids are truncated to 7 characters. is that just docs or is that an openstack thing?20:02
morganfainberg_Lelmiko: mostly that is for ease of reading20:02
elmikocool, thanks morganfainberg_L20:03
morganfainberg_Lelmiko: if you included 32 or 64 characters it makes it hard to see, truncating to 7 shows the intent w/o making the line silly long :)20:03
elmikoyea, i just wanted to make sure20:03
*** marcoemorais has quit IRC20:04
bknudsonmorganfainberg_L: working now20:04
morganfainberg_Lbknudson:  yay!20:04
*** marcoemorais has joined #openstack-keystone20:04
*** marcoemorais has quit IRC20:05
morganfainberg_Ladded a couple of more bugs to middleware... you know silly things like update README20:05
*** marcoemorais has joined #openstack-keystone20:05
morganfainberg_Land uh.. test cases for ec2_token middleware :P20:05
*** marcoemorais has quit IRC20:06
*** marcoemorais has joined #openstack-keystone20:06
Kr4zyI am getting TypeError: setup_logging() takes no arguments (1 given) when using Apache2 WSGI to host Keystone Icehouse. Anyone experiencing this?20:14
bknudsonpaste.filter_factory = keystonemiddleware.auth_token:filter_factory20:15
*** dstanek is now known as dstanek_zzz20:16
bknudsonKr4zy: http://git.openstack.org/cgit/openstack/keystone/tree/httpd/keystone.py#n4220:16
hrybackidolphm: looking for some LHF to work on while pushing keystoneclient integration with other components with jamielennox|away / ayoung -- saw this bug https://bugs.launchpad.net/python-keystoneclient/+bug/1318436 you'd commented on -- from the comments I can't tell if it's useful to work on. Thoughts?20:16
uvirtbotLaunchpad bug 1318436 in python-keystoneclient "Missing defaults in the create() method in the v2 EndpointManager" [Low,Triaged]20:16
dolphmhrybacki: first of all, what does LHF mean?20:17
hrybackisorry, low hanging fruit20:17
dolphmhrybacki: ah20:18
dolphmhrybacki: urban dictionary was no help, as the first hit was for LHFS (learn how to fucking spell) lol20:18
hrybackidolphm: haha, not what I was going for :P20:18
dolphmhrybacki: anyway, i tagged it user-experience which is super high priority for me, but as a bug I think it's technically Low impact20:19
Kr4zybknudson: I am getting this ImportError: cannot import name backends after using the config from the link.20:19
hrybackidolphm: think it's a good one for a novice like me to pick at while other stuff is held up?20:19
dolphmhrybacki: absolutely20:19
hrybackidolphm++ I might have some questions for you later/tomorrow. Was there any other discussion about that bug aside from what is in the comments? Thanks!20:20
bknudsonKr4zy: what release are you on20:20
bknudsonmorganfainberg_L: I tried setting keystonemiddleware in nova api-paste.ini and it says module not found...20:20
bknudsonmaybe I need to put it in nova requirements20:21
Kr4zybknudson: openstack-keystone-2014.1.1-1.el6.noarch. Fixed it using wsgi scripts from http://comments.gmane.org/gmane.comp.cloud.openstack.general/366920:22
*** fifieldt_ has joined #openstack-keystone20:22
topolI've reviewed everything there is in https://review.openstack.org/#/q/status:open+project:openstack/keystonemiddleware%20,n,z  Im going home now :-)20:22
bknudsonKr4zy: weird20:24
dolphmhrybacki: i don't believe there was any other discussion. feel free to leave comments in the bug - that's probably the best way to reach me asynchronously :P20:24
morganfainberg_Ltopol: lol20:24
*** nkinder has joined #openstack-keystone20:24
hrybackidolphm++ Thanks!20:25
morganfainberg_Ldolphm: added some starter text to the middleware etherpad20:25
morganfainberg_Lneed to go get lunch though.20:25
*** fifieldt has quit IRC20:25
*** radez is now known as radez_g0n320:26
openstackgerritA change was merged to openstack/keystone: the user_tenant_membership table was replaced by "assignment"  https://review.openstack.org/10226620:26
bknudsonanyone have a tip how I could "install" the keystonemiddleware?20:27
morganfainberg_Lbknudson: ?20:28
morganfainberg_Lbknudson: pip -e ?20:28
bknudsonI'll try it20:28
morganfainberg_Lbknudson: should work. should also be installed by devstack if you use that patchset i posted20:28
morganfainberg_L_should_20:28
bknudsonmorganfainberg_L: for some reason it wasn't20:29
morganfainberg_Lhmm20:29
bknudsonmorganfainberg_L: I tried adding keystonemiddleware to nova's requirements.txt20:29
morganfainberg_Loh20:29
bknudsonfigured it would just say it's already installed, but it wasn't20:29
morganfainberg_Lhmmm20:29
dolphmbknudson: well it's not on pypi, so requirements.txt won't cause it to be installed, only cause it to fail20:30
morganfainberg_Lbknudson: i might have the install below where nova installs.20:30
morganfainberg_Lso it would (in that case) fail20:30
dolphmbknudson: (or say it's installed if you did pip -e or setup.py develop)20:30
*** marcoemorais has quit IRC20:30
stevemardolphm, bknudson morganfainberg what do y'all think of this flow for multiple keystones?20:30
stevemarhttps://gist.github.com/stevemart/9ed830dd65b6db6bd0d720:30
*** marcoemorais has joined #openstack-keystone20:31
bknudsonI did pip install -e in keystonemiddleware and now it looks like it's working20:31
*** marcoemorais has quit IRC20:31
*** marcoemorais has joined #openstack-keystone20:32
bknudson-e git://git.openstack.org/openstack/keystonemiddleware.git@14d58e849a5ced3f797d43eea260ae62b6194517#egg=keystonemiddleware-master20:32
dolphmstevemar: why do you need a new auth method at cern?20:32
bknudsondoes keystonemiddleware need __version__ = pbr.version.VersionInfo('python-keystoneclient').version_string()20:33
dolphmstevemar: specifically, the new service provider scope shouldn't impact my authentication method20:33
morganfainberg_Lbknudson: hmm. it might?20:34
dolphmbknudson: pbr.version.VersionInfo('keystonemiddleware').version_string() ?20:34
bknudsondolphm: y, keystoneclient has one20:34
bknudsonin __init__20:34
morganfainberg_Lprobably20:34
dolphmbknudson: but 'python-keystoneclient' or 'keystonemiddleware'?20:34
stevemardolphm, i was doing this more for correctness20:35
morganfainberg_Ldolphm: keystonemiddleware would be my guess20:35
bknudsondolphm: I assume it would change to keystonemiddleware.20:35
bknudsonor is that only needed if you're an API?20:36
bknudsonkeystone doesn't have it20:36
* morganfainberg_L isn't sure20:36
bknudsonand keystone seems to work20:37
dolphmbknudson: oh weird... maybe because of named releases?20:37
morganfainberg_Lmiddleware wont be 'named' releases. so it probably needs it then20:37
bknudsonbtw, nova started up with keystonemiddleware.auth_token now that it's installed20:37
dolphmbknudson: fwiw, keystone specifies it's version in setup.cfg (version = 2014.2 in master, readying for juno)20:38
dolphmbknudson: i don't know what pbr does with that though20:38
morganfainberg_Lmaybe setup.cfg is sufficient?20:41
morganfainberg_Lthis might be something weneed to as mordred20:41
morganfainberg_Lor other -infra folks20:42
bknudsonglobal requirements: https://review.openstack.org/#/c/102341/20:44
morganfainberg_Ldon't think that will work till we release20:44
morganfainberg_Looh whoopse20:45
morganfainberg_Lhttps://git.openstack.org/cgit/openstack/keystonemiddleware/tree/setup.cfg#n50 that needs to get fixed20:46
*** marekd|away is now known as marekd20:46
bknudsonI wonder how that even works... apps will have to install the translation domain20:47
bknudsonmaybe auth_token middleware has to do that on startup20:47
morganfainberg_Lbknudson: i don't think it works at all in ksc20:47
morganfainberg_Lwe don't translate20:47
morganfainberg_Lmaybe we should?20:47
morganfainberg_L*shrug*20:47
marekdstevemar: regarding the flow: i was thinking something similar, due to some technical contstraints...but I indeed would keep CERN-auth step as we have not - token, password, external etc. maybe some indication, like flag may be required so the cern keystone returns 'extended' service catalog.20:47
bknudsonoh, we don't have any _() in auth_token middleware?20:48
morganfainberg_Lnope20:48
morganfainberg_Lno where in ksc20:48
openstackgerritJustin Shepherd proposed a change to openstack/keystone: Adding an index on token.user_id  https://review.openstack.org/10204120:48
bknudsonchange to nova: https://review.openstack.org/#/c/102342/20:48
morganfainberg_Lcool!20:49
bknudsonwe essentially do that for each of the projects.20:49
morganfainberg_Ladd to devstack gate https://review.openstack.org/#/c/102340/20:49
morganfainberg_Lthat is needed before we can add to devstack20:49
morganfainberg_Li think20:49
*** dstanek_zzz is now known as dstanek20:49
marekdstevemar: my idea was: local keystone should only receive assertion or assertion-like object, do the mapping and depending on the mapping decide who and what can do on that cloud.20:50
marekdin other words RAX guys still can decide what cern guys can do.20:50
marekdcern's keystone cannot dictate roles, projects...20:50
*** Kr4zy has quit IRC20:56
openstackgerritBrant Knudson proposed a change to openstack/keystone: Regenerate sample config file  https://review.openstack.org/10229420:58
*** wchrisj has joined #openstack-keystone20:58
*** topol has quit IRC20:59
dstanekmorganfainberg_L: you're right _redact is very strange here https://review.openstack.org/#/c/101792/3/keystoneclient/auth/identity/v2.py21:00
*** hrybacki has quit IRC21:00
morganfainberg_Ldstanek: i really had to think about it to get what it was trying to do21:00
morganfainberg_Lwasn't sure if that was brain no-worky (needed caffiene) or just not straight forward21:01
dstaneki don't like how the thing to redact is the first item in path21:01
dstanekmorganfainberg_L: and by first i mean last :-)21:02
*** bvandenh has quit IRC21:06
*** navid has joined #openstack-keystone21:12
*** dims__ has joined #openstack-keystone21:13
wchrisjCould someone tell me if the /auth/tokens call against a Keystone endpoint (devstack) should actually return a response that includes a token, if I pass in ONLY username+password?21:15
wchrisjI'm not seeing a token21:15
*** hrybacki has joined #openstack-keystone21:15
navidI am looking to how find the associated federated users with an idp, so when we delete an idp i know which user's token whould be revoked.21:16
wchrisjthe corresponding call against the v2 API returns an unscoped token; I would expect to see similar behavior from the v3 API.21:16
*** dims_ has quit IRC21:16
*** ChanServ sets mode: +o morganfainberg21:16
wchrisjmorganfainberg_L - do you know?21:16
morganfainbergwchrisj, hrm?21:17
navidAnybody ?21:18
navidknows how to find the list of federated users associated with an idp21:18
wchrisjmorganfainberg_L - I woud expect to get a token back from the /auth/tokens call against the v3 API21:19
wchrisjsee above21:19
dolphmnavid: marekd and stevemar can probably provider better answers, but the answer today is that you have to look per token, and token revocation *events* could match the idp+protocol specified in the token21:20
morganfainbergwchrisj iirc the body should have the token data in it (obviously assuming the correct JSON body in the request), and the X-SUBJECT-TOKEN header should contain the token id21:20
marekddolphm: i was thinking about matching Identity-Provider from unscoped token with *event* like 'IdP was removed'...21:20
marekddolphm: yet i don't know exactly how revocation events work and how those events are defined.21:21
wchrisjmorganfainberg_L - weird - that's EXACTLY right. Didnt know to look in the headers... any idea why return it in the header rather than the body as in v2?21:21
dolphmmarekd: you'd have a revocation event that looked something like {"idp_id": "abc123"} and that's pretty much it21:22
dolphmmarekd: auth_token would then reject any tokens coming from that idp21:22
morganfainbergwchrisj, design choice.21:22
morganfainbergwchrisj i don't know all the details of why that was chosed, predates my work on keystone21:22
dolphmmarekd: there's also a timestamp involved, though21:22
morganfainbergwell predates my heavy involvement21:22
wchrisjmorganfainberg_L: ok, thanks!21:23
*** amcrn has quit IRC21:23
bknudsonglance change for keystonemiddleware: https://review.openstack.org/#/c/102352/21:23
marekddolphm: so i guess that's it - keystoneclient will get that  revocation event and match idp_id with OS-FEDERATION['Identity-Provider'] value from the tokens..21:23
marekddolphm: it's keystoneclient that should do the work, right?21:24
navidso it should check the tokens and revoke the ones that has the deleted idp @@dolph21:24
navidmarekd: Can i ask what do you mean by keystoneclient?21:26
morganfainberg_Ldolphm, stevemar, bknudson, topol, dstanek, https://etherpad.openstack.org/p/dev_keystonemiddleware_anouncement obviously needs some more work, input welcome21:26
marekddolphm: morganfainberg_L: it's keystoneclient that fetches revocation events and invalidates tokens, right?21:27
stevemarmarekd, good to know that the CERN auth should stay the same, but there should be an indicator to return 'extended' service catalog, like you said21:28
dolphmmarekd: yes, in auth_token (cc- ayoung)21:28
marekddolphm: thanks!21:28
morganfainberg_Lmarekd: yes that is the idea21:28
bknudsonmorganfainberg_L: the announcement looks good to me21:28
dolphmnavid: https://github.com/openstack/python-keystoneclient21:29
marekddolphm: ++21:29
stevemarmarekd, the 'extended' service catalog is normal catalog + whatever we add to service provider?21:29
marekdstevemar: i have some issues with that....21:29
morganfainberg_Lbknudson: ok needs a little work on the impact list for sure. let me see about that21:29
navid@dolphm: thanks21:30
marekdstevemar: i think morganfainberg_L can also have some, since the service catalog can grow easily...think about 'k2k' federation consisting of 10 clouds...21:30
openstackgerritLance Bragstad proposed a change to openstack/keystone: Initial implementation of validator  https://review.openstack.org/8648321:30
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on Catalog V3 resources  https://review.openstack.org/9626621:30
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on Assignment V3 resources  https://review.openstack.org/8648421:30
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on Credential V3  https://review.openstack.org/9852221:30
marekdstevemar: what do you think about service catalog with all endpoints from all 10 clouds?21:30
marekdstevemar: it will not help to keep pki tokens small :-)21:30
stevemarmarekd, i think taht would suck, but i'm having trouble getting an alternative21:31
marekdstevemar: list of federated keystones...21:31
marekdstevemar: still grows, but slightly slower.21:31
bknudsonwe could put sizelimit middleware in middleware21:31
bknudsonor oslo21:31
bknudsoncinder.api.middleware.sizelimit:RequestBodySizeLimiter.factory has the same21:32
*** jaosorior has quit IRC21:32
marekdstevemar: but then we don't have that 'transparency', where client is not aware of anything and simply sends request to external nova-api asking for new VM.21:32
marekdbecause there is no external nova-api in the SC.21:32
marekdclient would need to send request to external keystone, asking for new token. and this is *exactly not* what Joe wants...21:33
marekd:)21:33
*** marcoemorais has quit IRC21:33
*** amerine has joined #openstack-keystone21:34
*** marcoemorais has joined #openstack-keystone21:34
marekdhm, maybe we should propose a topic for next keystone meeting ;/21:34
morganfainberg_LOk updated the impact section, feel free to markup, muck around with / fix typos, in that draft email21:35
morganfainberg_Li'd like to send it out today if everyone likes it21:35
stevemarmarekd, if we have a flag in the auth request, we can have multiple values ... 'regular service catalog, include all external endpoints in SC, or include all federated keystones'21:35
*** harlowja_ has quit IRC21:36
marekdstevemar: good point, but then we will need to implement all the workflows.21:36
*** harlowja has joined #openstack-keystone21:36
*** amcrn has joined #openstack-keystone21:36
marekdstevemar: more - design, implement and bugfix them.21:36
jsavaki like token scoped to local endpoints + federated-keystones...21:36
marekdstevemar: and they all lead us to the same result.21:36
marekdjsavak: Hey Joe!21:37
jsavakand i have to hit federated keystones to get what endpoints i can access there...21:37
openstackgerritLance Bragstad proposed a change to openstack/keystone: Implement validation on Credential V3  https://review.openstack.org/9852221:37
jsavakhi! : )21:37
marekdjsavak: but I think this will have some impact on the client.21:37
marekdkeystoneclient.21:37
jsavakas long as the local keystone can scope the token appropriately and that is understood by the federated ones21:37
jsavakyes - but the client change is smaller.21:37
*** hrybacki has quit IRC21:38
marekdjsavak: scope to project/domain?21:38
stevemaryeah, should be small change21:38
bknudsonwe really do need to do something about the size of the token21:38
bknudsonPKI is essentially broken on large clouds21:38
jsavakyes, scope to product/domain and potentially role21:38
dstanekbknudson: take the catalog out of it21:39
marekdjsavak: i saw you had some ideas with namespaces etc. I must confess i don't see the big picture how you want to make it work.21:39
marekdjsavak: but...21:39
bknudsondstanek: I think that's the answer too21:39
marekdjsavak:  remote keystone would need to validate if the token can be scoped either way. do you agree?21:39
dstanekbknudson: i've always thought that having it in there is a mistake - it's just an optimization that makes other things worse21:40
stevemarbknudson, we already have an option to remove the catalog21:40
jsavakyes - there's like a dual validation...21:40
marekdstevemar: how?21:40
jsavak1 from the remote keystone to the issuing keystone to verify that the token was issued and is still valid21:40
bknudsonthere's a ?nocatalog on auth21:40
stevemarCatalog Opt-Out: 'POST /v3/auth/tokens?nocatalog'21:40
dstanekmarekd, stevemar, jsavak: how will the remote keystone validate the local keystone's token? a new keystone federation plugin like SAML?21:40
jsavak2 in the remote keystone itself to veirfy role/project/domain exists as indicated21:40
bknudsonbut then the client still needs to get a catalog somehow21:40
*** hrybacki has joined #openstack-keystone21:40
morganfainbergdstanek, bknudson ++ yes, the catalog shouldn't be in the token, if we want to enforce what endpoints you can talk to based upon what is in the token, we should be using ids not the whole url (besides the endpoint doesn't know the url anyway)21:40
marekddstanek: hah, good question.21:41
jsavakdstanek - yes21:41
morganfainbergii was thinking the catalog should be provided separate from the token data in either case.21:41
bknudsondstanek: keystone uses auth_token middleware21:41
marekdjsavak: but, again...saml by design wants the client to weigh in.21:41
bknudsonauth_token would have to be smarter about which keystone to talk to21:42
marekdjsavak: we can somehow 'change' the workflow, but it may bring us some problems.21:42
jsavaksure and the "client will be the remote keystone in this case21:42
jsavakperforming the federation flow with the issuing keystone21:42
marekdjsavak: which basicaly means 'keystone impersonates me, Marek Denis'.21:42
jsavakyes - ish!21:42
bknudsonmorganfainberg: it also bloats the token table. I'm not sure if it would be an API to get the catalog for the token or maybe it would be a catalog ID in the token that could be fetched.21:43
jsavaki "joe" authorize local keystone to act on my behalf to assert my identity to remote-keystone21:43
dstanekjsavak: and then remote keystone gives local keystone a token that it gives back to the user?21:44
*** hrybacki has quit IRC21:44
marekdi'd rather say: I 'marek' authorize remote keystone to login as me, 'marek' and get an assertion.21:44
morganfainberg_Lbknudson: x-catalog header?21:44
marekdthat's the bigger problem.21:44
jsavakyes - with local keysotne senidng a federation assertion21:44
marekdjsavak: ++21:44
jsavakmarek- cern would not want rackspace to login as you and get an assertion...21:45
bknudsonmorganfainberg_L: that seems ok, closer to how it's done today21:45
jsavakbut you would authorize your cern keystone to act on your behalf and assert your identity to rackspace21:45
*** hrybacki has joined #openstack-keystone21:45
morganfainberg_Lthis comes back to the token version stuff, we probably need a v4 token that specifies catalog isn't in the token itself21:46
marekdjsavak: wait...it's rax keystone that wants, by using *my* token, get a saml assertion.21:46
jsavakyes - but cern keystone must trust rackspace as a service provider to permit that assertion to be sent21:46
marekdjsavak: yes yes.21:48
dstanekjsavak: is there an example in the spec of this interaction?21:49
jsavakdstanek - yes - it's use case 1 -21:49
jsavakstill lots to discuss - but i need to go rescue my kddo from daycare.. :)21:49
stevemari gotta head out, but i'll leave my machine on, feel free to chat, i'm going to update the spec tonight21:49
jsavakstevemar - thanks for being on top of that. : )21:50
stevemarjsavak, np, get to rescuing21:50
marekdjsavak: stevemar i think we should all bring in on the table during next keystone meeting.21:50
openstackgerritMorgan Fainberg proposed a change to openstack/keystonemiddleware: Update setup.cfg to remove keystoneclient ref  https://review.openstack.org/10236021:50
stevemarmarekd, bah, i don't want to wait a week21:50
marekdstevemar: sure, let's organise something this week!21:50
stevemari'd rather floor -keystone all week21:50
stevemarflood*21:50
stevemarthe spec is there, add comments there!21:51
stevemar:D21:51
marekdstevemar: :D21:51
marekdya know it doesn't work that way :P21:51
stevemarit should!21:51
morganfainbergnow lets see what actually breaks tryin to run tests in gate/ci with middleware21:51
stevemarmarekd, bbl21:51
dstanekstevemar: the hard thing about the spec process is that it would be much easier with diagrams or whiteboarding21:51
marekddstanek: or if we all worked in one openspace ;/21:52
stevemardstanek, then we put the flow into words or something, that really helped me out21:52
marekddstanek: btw, you did a great job reviewing SAML2 auth plugins. Waiting for more.21:53
marekd:-)21:53
dstanekstevemar: words are good, but often imprecise and hard to get a good overview21:53
dstanekmarekd: flattery will get you nowhere :-)21:53
marekddstanek: beer, than? :-)21:53
marekdthen*21:54
dstanekmarekd: yes. beer always works21:54
*** hrybacki_ has joined #openstack-keystone21:54
*** hrybacki has quit IRC21:55
*** amcrn has quit IRC21:58
*** amcrn_ has joined #openstack-keystone21:58
elmikohey folks, still doing some exploration with trusts and i've got to a jam21:59
elmikoi created a trust between user A in project A and user B in project B22:00
marekddstanek: btw, did you have a change to take a look at this spec: https://review.openstack.org/#/c/96867/ ?22:00
marekdchance&22:00
marekd*22:00
elmikoand i've consumed the trust by user B22:00
elmikonow, how do i get a token based on the trust in project A?22:00
elmikotrustor=A, trustee=B22:00
bknudsonI proposed changes to a bunch of the projects for the switch from keystoneclient.middleware to keystonemiddleware -- https://review.openstack.org/#/q/status:open+topic:keystonemiddleware,n,z22:00
marekddolphm: still here, btw22:02
marekd?22:02
*** jsavak has quit IRC22:03
*** marekd is now known as marekd|away22:15
*** bknudson has quit IRC22:18
*** elmiko is now known as _elmiko22:24
morganfainberg_Ldolphm, stevemar, topol, dstanek, gyee, anteaya, lbragstad, any final thoughts on draft email before i send to -dev? https://etherpad.openstack.org/p/dev_keystonemiddleware_anouncement22:25
gyeemorganfainberg_L, are we providing migration path similar to how we move the ec2 and s3 middleware from keystone to keystoneclient?22:29
morganfainberg_Lgyee: the migration is "use the new package" we're not removing the old code, just not providing new development (security fixes only) for the transition22:30
morganfainberg_Lgyee: for the middleware sourced frmo keystone (ec2_token) keystone will just import the new package once it's released for transition22:30
gyeeI remember we did some import magic22:30
morganfainberg_Lwe can't for auth_token due to circular dependencies22:31
morganfainberg_Lauth_Token relies on code in keystoneclient22:31
gyeeouch!22:31
*** daneyon has joined #openstack-keystone22:31
morganfainberg_Lyeah, best option was to freeze the middleware in keystoneclient and deprecate it once the new package is released22:31
morganfainberg_Lbut no removal of code until down the line22:31
gyeek, should be fine then22:32
morganfainberg_Lyep22:32
* morganfainberg_L has macbook pro back.22:32
morganfainberg_Lyay!22:32
gyeehopefully we get some formal endorsement22:33
gyeedon't want to imagine we have to undeprecate later22:33
morganfainberg_Lnahwe wont have to22:33
morganfainberg_Lwe're not removing the code or breaking anyone22:33
*** dstanek is now known as dstanek_zzz22:36
*** dstanek_zzz is now known as dstanek22:38
dstanekmorganfainberg_L: looking22:39
morganfainbergdstanek, feel free to make chnges22:43
*** daneyon has quit IRC22:43
morganfainbergdon't need to just put in parens :)22:44
*** boris-42 has quit IRC22:46
*** wchrisj has quit IRC22:46
dstanekmorganfainberg: keystoneclient when talking about the Python package and Keystoneclient when talking about the project right?22:52
morganfainberguh22:52
morganfainbergsure?22:52
morganfainberg:P22:52
morganfainbergprobably python-keystoneclient when talking about the package22:52
dstanekk, there are a few places where i'll make that change then22:53
morganfainbergand Keystoneclient when the project22:53
morganfainbergsure22:53
*** marcoemorais has quit IRC22:53
*** marcoemorais has joined #openstack-keystone22:53
*** marcoemorais has quit IRC22:54
*** marcoemorais has joined #openstack-keystone22:54
*** marcoemorais1 has joined #openstack-keystone22:55
morganfainbergwoohoo py33 passed22:55
morganfainberg>.>22:55
*** marcoemorais2 has joined #openstack-keystone22:56
*** marcoemorais2 has quit IRC22:56
dstanekmorganfainberg: passed?22:56
*** marcoemorais2 has joined #openstack-keystone22:56
morganfainbergi hadn't tested the middleware with py33 until the patch i put up22:57
morganfainbergthe whole middleware package that is22:57
*** marcoemorais has quit IRC22:59
morganfainbergdstanek, let me know when you're done22:59
*** marcoemorais1 has quit IRC22:59
*** gordc has quit IRC23:00
*** lbragstad has quit IRC23:01
*** boris-42 has joined #openstack-keystone23:02
dstanekmorganfainberg: i'm all done23:17
dstanekmorganfainberg: looks good23:18
gyeedstanek, how do I make tox recognize python3?23:18
gyeeERROR:   py33: InterpreterNotFound: python3.323:18
gyeeI have python3 installed but tox can't see it for some reason23:18
morganfainberg_Lgyee: not sure23:19
morganfainberg_Lgyee: i had it working at one point, haven't re-set thatup yet23:20
gyeemorganfainberg_L, you don't run into that error23:20
morganfainberg_Lgyee: i did, don't remember how i fixed it23:20
morganfainberg_Li also was running in a VM23:20
gyeelemme muck around with tox.ini to see what's up23:21
morganfainberg_Ldstanek: ok .. about to click send23:22
dstanekgyee: is python3 on your path?23:22
gyeedstanek, yes23:23
morganfainberg_Ldstanek: subject:[Keystone] Announcing Keystone Middleware Project23:24
morganfainberg_Ldstanek: look good?23:24
gyeek, I think this is my problem23:24
dstanekmorganfainberg_L: lgtm23:24
gyeels -al `which python3`23:24
gyeelrwxrwxrwx 1 root root 9 Mar 23 01:17 /usr/bin/python3 -> python3.423:24
morganfainberg_Lclicking send!23:24
gyeeits pointing to python3.4 instead of python3.323:24
dstanekgyee: i think you need to have python3.3 on your path23:24
dstanekpoint it to 3.4 and you should be all good23:25
gyee3.3 ou mean23:25
gyeeits currently pointing to 3.423:25
dstaneki think you can just create a python3.3 link that points to python3.423:25
dstanekgyee: i think tox just translates py33 to python3.323:26
morganfainberg_Ldstanek: bah found a typo23:26
morganfainberg_L"Global requirements update <...> will be updated23:26
dstanekmorganfainberg_L: lol, that always happens23:26
morganfainberg_L*facepalm*23:26
morganfainberg_Lsooo close23:27
gyeedstanek, k, symlink does the trick, but failed to install httpretty package23:34
gyeeseem like there are packages that are not python3 compatible23:34
dstanekgyee: yes, lots23:36
dstanekgyee: what are you trying to do?23:36
*** daneyon has joined #openstack-keystone23:36
gyeedstanek, just trying to get rid the unpleasant warnings23:36
gyeeoh well23:36
dstanekgyee: :-) i'm pretty close to having something that can run under python3 and be useful23:37
dstaneki have a few reviews for it in gerrit and a couple more locally once those get through23:38
gyeedstanek, excellent! love to have py33 working locally so I can weed out any py33 issues before pushing the stuff to gerrit23:40
dstanekgyee: the biggest problem is that we have a ton of dependency projects that are not py3 friendly yet23:41
*** david-lyle has quit IRC23:41
*** david-lyle has joined #openstack-keystone23:42
*** lbragstad has joined #openstack-keystone23:43
*** oomichi has joined #openstack-keystone23:45
*** marcoemorais2 has quit IRC23:45
*** marcoemorais has joined #openstack-keystone23:45
*** marcoemorais has quit IRC23:46
*** marcoemorais has joined #openstack-keystone23:46
*** david-lyle has quit IRC23:46
*** gokrokve has quit IRC23:47
*** jamielennox|away is now known as jamielennox23:47
*** marcoemorais has quit IRC23:52
*** marcoemorais has joined #openstack-keystone23:52
dstanekgyee: this block is what does the magic https://bitbucket.org/hpk42/tox/src/cefc0fd28dda72ac76a9170b4c586e0eb3f1d124/tox/_config.py?at=default#cl-1823:53
dstanekdo we have a standard way to show  params that will be modified by reference in do ccomments?23:57
*** harlowja_ has joined #openstack-keystone23:58
« Monday, 2014-06-23 Index Wednesday, 2014-06-25 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!