Thursday, 2014-07-03

*** amcrn has quit IRC00:07
*** rodrigods_ has joined #openstack-keystone00:07
*** gokrokve has quit IRC00:15
*** rodrigods__ has joined #openstack-keystone00:15
*** rodrigods_ has quit IRC00:15
openstackgerritA change was merged to openstack/keystonemiddleware: Privatize Everything  https://review.openstack.org/10402700:26
*** packet has quit IRC00:33
*** xianghui has joined #openstack-keystone00:34
jamielennoxso in my auth plugin loading from config file stuff i have two basic options the auth_plugin which is the name of the plugin to use and the auth_section which is an ini [section] to read the values from00:43
jamielennoxthe idea being that if you are like nova and have glance, cinder whatever with multiple connection properties you can point them all to a common [passworddata] section rather than specify that information twice00:44
jamielennoxand ideally that the auth plugin itself should be sharable if it's loaded from the same [section]00:44
jamielennoxmy question is, does it make sense to have the auth_plugin name within that [section] or outside as it is now00:45
jamielennoxwhich i think boils down to the question if you have all your auth data stored in a [section] then does that mean that you want to use the same plugin for that?00:46
jamielennoxor can you read a v2password plugin and a v3password plugin from the same section00:47
jamielennox... crickets - it's fairly easy to support both cases, that saves making a decision :)00:55
*** gokrokve has joined #openstack-keystone00:55
openstackgerritBrant Knudson proposed a change to openstack/keystone: Add oslo.i18n as dependency  https://review.openstack.org/10439901:02
openstackgerritBrant Knudson proposed a change to openstack/keystone: Use oslo.i18n  https://review.openstack.org/10440001:02
*** arosen has left #openstack-keystone01:02
*** mberlin1 has joined #openstack-keystone01:13
*** mberlin has quit IRC01:15
*** gokrokve has quit IRC01:35
*** marcoemorais has quit IRC01:39
openstackgerritNathan Kinder proposed a change to openstack/keystone: Allow LDAP lock attributes to be used as enable attributes  https://review.openstack.org/10440801:42
*** gokrokve has joined #openstack-keystone01:43
*** rodrigods__ has quit IRC01:55
*** rodrigods_ has joined #openstack-keystone01:57
*** daneyon has quit IRC02:02
openstackgerritwanghong proposed a change to openstack/keystone-specs: Revoke tokens when deleting EC2 credential  https://review.openstack.org/10349302:09
*** gokrokve has quit IRC02:11
*** gokrokve has joined #openstack-keystone02:11
morganfainbergjamielennox, ping02:11
jamielennoxmorganfainberg: hey02:11
morganfainbergjamielennox, mind pressing go on https://review.openstack.org/#/c/104208/ [ok reviewing and]02:12
morganfainbergjamielennox, it's the last outstanding thing we need before middleware release02:12
morganfainbergjamielennox, i just got back. reading the backlog02:13
jamielennoxmorganfainberg: i was looking at that and wondering how it works02:13
morganfainbergjamielennox, the same way it works now w/ ksc and keystone02:14
morganfainbergjamielennox, it's strictly for the generator code (e.g. keystone.openstack.common.config.generator02:14
morganfainbergor well not how ksc works :P02:15
*** junhongl has joined #openstack-keystone02:15
jamielennoxdoes something on the generator side know to only include the ep.name that are depended on for that project02:15
jamielennoxjust doing a pure iterate you'll get options for every library installed on the machine02:16
morganfainberghm?02:16
morganfainbergep.name?02:16
morganfainbergoh entrypoint02:16
jamielennoxendpoint name02:16
jamielennoxsorry, that was in code somewhere02:16
morganfainbergyeah it lets us be more specific as in load the options from auth_token instead of the entire package afaict02:16
jamielennoxso it's marked as oslo.messaging in entry points, the config generator says i import oslo.messaging so lookup the options for that via entrypoint?02:16
morganfainberglooking for the explicit example for you02:17
jamielennoxhaving said that to you i'm almost sure that's how it would work02:17
morganfainbergso look here: https://github.com/openstack/keystone/blob/master/tools/config/oslo.config.generator.rc02:18
morganfainbergthis lists the packages we're looking for02:18
morganfainbergwell the "EXTRA" ones02:18
jamielennoxoh, nice - that's even better02:18
jamielennoxi'm not a fan of the magic of some of these libraries, if you have to add a name to a list that's better02:18
morganfainbergthen we have the generator script02:19
morganfainberghttps://github.com/openstack/keystone/blob/master/tools/config/generate_sample.sh02:19
morganfainbergwhich passes the library info into the generator02:19
morganfainbergjamielennox, https://github.com/openstack/keystone/blob/master/keystone/openstack/common/config/generator.py#L10902:20
jamielennox+A02:23
morganfainbergjamielennox, cool ty02:24
morganfainbergjamielennox, on the topic of auth plugins02:24
morganfainbergjamielennox, you're asking if we should support any passed in group02:24
morganfainbergor a fixed group name for the auth options?02:24
morganfainbergjamielennox, because i can see one use case for the former... but not sure if we care02:24
jamielennoxmorganfainberg: no, i'm doing that already02:24
*** rodrigods_ has quit IRC02:24
jamielennoxso we are handling loading any plugin right02:25
morganfainbergok02:25
jamielennoxthe options that get registered initially are auth_plugin and auth_section02:25
morganfainbergright02:25
jamielennoxauth_plugin is an entrypoint name02:25
jamielennoxauth_section is a way to point to a different, user defined, [section] of your conf file so that you can share auth data02:25
jamielennoxif section is not provided then it defaults to the same section as we are currently in02:26
morganfainbergok02:26
jamielennoxso my question was if section is provided, should the auth_plugin option be within the section as well or in the initial group02:27
morganfainbergi'd go with section02:27
jamielennoxright, cause i can see you defining a part of your config with02:28
jamielennox[v2Password]02:28
jamielennoxauth_plugin = v2password02:28
jamielennoxusername = xxx02:28
jamielennoxpassword = xxx02:28
jamielennoxyou shouldn't need to specify auth_section = v2password and auth_plugin = v2password02:29
jamielennoxat the moment i'm attempting supporting both in that auth_plugin in initial would overrule auth_plugin provided in section02:30
jamielennoxit's not that hard - i'm just not sure anyone ever wants that level of flexibility in a config file02:30
morganfainbergright02:30
morganfainberg*shrug* i'd go with in-section exclusively02:30
morganfainbergbut thats me02:31
morganfainbergwish i could be more help :P02:31
jamielennoxin openstack - if you can't decide, make it configurable02:31
morganfainberghah02:33
*** diegows has quit IRC02:36
openstackgerritMorgan Fainberg proposed a change to openstack/keystonemiddleware: Mark keystonemiddleware as being a universal wheel  https://review.openstack.org/10442402:56
*** hrybacki has joined #openstack-keystone03:12
*** praneshp has quit IRC03:12
openstackgerritNathan Kinder proposed a change to openstack/keystone: Allow LDAP lock attributes to be used as enable attributes  https://review.openstack.org/10440803:20
*** dims has quit IRC03:32
openstackgerritA change was merged to openstack/keystonemiddleware: Expose an entry point to list auth_token middleware config options  https://review.openstack.org/10420803:40
*** hrybacki has quit IRC03:40
morganfainbergand on that note, ^^03:40
morganfainbergi don't see any reason we're not clear to do a release03:41
morganfainbergdolphm, jamielennox, bknudson, gyee, dstanek, I think we're set to do a middleware release now. everything we need should be merged. lets do one last sanity check :) woo03:42
morganfainbergand get it out the door03:42
*** zhiyan_ is now known as zhiyan03:47
dolphmmorganfainberg: ++03:53
morganfainbergdolphm, and just chatted w/ StevenK we should get docs published when we release03:53
dolphmmorganfainberg: on http://docs.openstack.org/developer/keystonemiddleware/ ?03:54
morganfainbergdolphm, yeah03:54
morganfainbergdolphm, though we should also get it on the proper docs page03:55
morganfainbergdolphm, ooooh maybe we wont publish03:55
* morganfainberg 2x checks03:55
*** dstanek is now known as dstanek_zzz03:57
morganfainbergdolphm, anyway StevenK is looking into this in -dev. gotta go get food. catch ya tomorrow04:02
*** stevemar has joined #openstack-keystone04:07
*** ajc_ has joined #openstack-keystone04:17
openstackgerritZhi Yan Liu proposed a change to openstack/python-keystoneclient: Expose an entry point to list auth_token middleware config options  https://review.openstack.org/10412804:21
*** bvandenh has joined #openstack-keystone04:44
*** gyee has quit IRC05:09
*** achampion has joined #openstack-keystone05:26
openstackgerritA change was merged to openstack/keystone: remove default=None for config options  https://review.openstack.org/9648005:29
*** gokrokve has quit IRC05:30
*** praneshp has joined #openstack-keystone05:41
*** harlowja is now known as harlowja_away05:47
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/10338006:00
*** gokrokve has joined #openstack-keystone06:00
*** ukalifon1 has joined #openstack-keystone06:06
*** henrynash has joined #openstack-keystone06:12
*** gokrokve has quit IRC06:16
*** chandan_kumar has joined #openstack-keystone06:25
*** henrynash has quit IRC06:27
*** tkelsey has joined #openstack-keystone06:38
openstackgerritlawrancejing proposed a change to openstack/keystone: Fix the section name in CONTRIBUTING.rst  https://review.openstack.org/10375806:46
openstackgerritSteve Martinelli proposed a change to openstack/python-keystoneclient: Modify oauth calls to expect urlencoded responses  https://review.openstack.org/10432006:46
openstackgerritlawrancejing proposed a change to openstack/python-keystoneclient: Add CONTRIBUTING.rst  https://review.openstack.org/10376106:48
*** stevemar has quit IRC06:51
*** marekd|away is now known as marekd07:10
*** gokrokve has joined #openstack-keystone07:12
*** afazekas_ has joined #openstack-keystone07:15
*** gokrokve has quit IRC07:17
*** leseb has joined #openstack-keystone07:37
*** henrynash has joined #openstack-keystone07:50
*** BAKfr has joined #openstack-keystone08:05
*** afazekas_ is now known as afzekas08:05
*** afzekas is now known as afazekas_08:07
*** gokrokve has joined #openstack-keystone08:13
*** gokrokve has quit IRC08:18
*** gokrokve has joined #openstack-keystone08:31
*** henrynash has quit IRC08:32
*** praneshp has quit IRC08:34
*** gokrokve has quit IRC08:35
*** mrda is now known as mrda-away08:39
*** jaosorior has joined #openstack-keystone08:55
*** mitz has quit IRC09:22
*** mitz has joined #openstack-keystone09:26
*** gokrokve has joined #openstack-keystone09:31
*** gokrokve has quit IRC09:36
*** kwss has joined #openstack-keystone09:54
openstackgerritKanagaraj Manickam proposed a change to openstack/keystone-specs: endpoint table is missing reference to region table  https://review.openstack.org/10450009:56
*** dstanek_zzz is now known as dstanek10:14
*** junhongl has quit IRC10:17
*** leseb has quit IRC10:18
*** leseb has joined #openstack-keystone10:19
*** leseb has quit IRC10:24
*** gokrokve has joined #openstack-keystone10:32
*** gokrokve has quit IRC10:37
openstackgerrithenry-nash proposed a change to openstack/keystone: Loggin Test - DO NOT MERGE  https://review.openstack.org/10451210:46
*** leseb has joined #openstack-keystone10:49
*** leseb has quit IRC10:54
*** mberlin1 has quit IRC11:27
*** mberlin has joined #openstack-keystone11:28
openstackgerritKanagaraj Manickam proposed a change to openstack/keystone-specs: keystone: bind endpoint with region in db  https://review.openstack.org/10450011:33
*** gokrokve has joined #openstack-keystone11:33
*** leseb has joined #openstack-keystone11:35
*** gokrokve has quit IRC11:37
*** radez_g0n3 is now known as radez11:43
openstackgerritKristy Siu proposed a change to openstack/keystone-specs: reengineered-federation  https://review.openstack.org/10430111:45
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Convert keystone CLI to use auth plugins  https://review.openstack.org/9568012:00
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Plugin loading from config objects  https://review.openstack.org/7954212:00
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Allow loading auth plugins from CLI  https://review.openstack.org/9567912:00
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Provide an __all__ for auth module  https://review.openstack.org/10452912:00
*** dims has joined #openstack-keystone12:04
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Convert keystone CLI to use auth plugins  https://review.openstack.org/9568012:07
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Plugin loading from config objects  https://review.openstack.org/7954212:07
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Allow loading auth plugins from CLI  https://review.openstack.org/9567912:07
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Provide an __all__ for auth module  https://review.openstack.org/10452912:07
*** afazekas_ has quit IRC12:07
*** joesavak has joined #openstack-keystone12:09
*** bvandenh has quit IRC12:09
*** jdennis has joined #openstack-keystone12:09
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Convert keystone CLI to use auth plugins  https://review.openstack.org/9568012:23
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Plugin loading from config objects  https://review.openstack.org/7954212:23
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Allow loading auth plugins from CLI  https://review.openstack.org/9567912:23
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Provide an __all__ for auth module  https://review.openstack.org/10452912:23
*** afazekas_ has joined #openstack-keystone12:24
*** henrynash has joined #openstack-keystone12:30
*** ajc_ has quit IRC12:30
henrynashjamielennox: you there?12:31
jamielennoxhenrynash: yea,12:31
jamielennoxsucker for punishment at the moment - just keep going12:31
henrynashhi….a quick question….with today’s keystone (as is)….am I right in thinking that clients can really only hand nova a v2 token...12:32
henrynash(because of issues with neutron etc.)12:32
jamielennoxdepends what you mean by handing, most of the clients do their own authentication and they only support v212:33
jamielennoxtheoretically if you had a v3 token then you could use it i think12:33
*** gokrokve has joined #openstack-keystone12:33
jamielennoxyou would just have to inject it into the client yourself, i think heat does this for example12:34
henrynashso if i’m writing my own UI, say, that is going to talk to OS…12:34
*** afazekas_ has quit IRC12:34
henrynash…,..when you say inject into the client….what do you mean?12:34
jamielennoxso the clients will have the auth token stored somewhere as a string to pass with requests12:35
*** fifieldt has quit IRC12:35
jamielennoxyou can use a v3 token to authenticate with v2 resources and with other services12:35
jamielennoxi think heat does a v3 keystone auth, takes the raw token and manages the catalog, then puts that information into the clients12:36
jamielennoxbut it's really unsupported and a whole lot of trouble12:36
henrynashconversely, I assume I can get a v2 token scoped to a project that is in a different domain to the default….and I assume that’s how everything hangs together right now12:37
*** zigo has quit IRC12:37
henrynashi.e. pass a tenantID of a project in DomainX to get my v2 scoped token12:37
*** zigo has joined #openstack-keystone12:37
jamielennoxumm, i haven't tried it but i assume that would work12:38
*** gokrokve has quit IRC12:38
jamielennoxif you're accessing by id i don't think the keystone code checks that the tenant is in the default domain12:39
*** lbragstad has quit IRC12:40
henrynashi assume that must be true..12:40
*** jsavak has joined #openstack-keystone12:41
henrynashok, thx12:41
*** henrynash has quit IRC12:41
jamielennoxnp12:41
*** zigo has quit IRC12:41
*** zigo has joined #openstack-keystone12:42
*** jaosorior has quit IRC12:42
*** joesavak has quit IRC12:44
*** zigo has quit IRC12:45
*** _elmiko is now known as elmiko12:46
*** afazekas_ has joined #openstack-keystone12:47
*** hrybacki has joined #openstack-keystone12:48
*** hrybacki has quit IRC12:48
*** hrybacki has joined #openstack-keystone12:49
*** jamielennox is now known as jamielennox|away12:50
*** miqui has joined #openstack-keystone12:56
*** dims_ has joined #openstack-keystone12:58
*** achampio1 has joined #openstack-keystone13:01
*** dims has quit IRC13:02
*** achampion has quit IRC13:03
boris-42jamielennox|away ping13:07
*** ayoung has joined #openstack-keystone13:11
*** oomichi has quit IRC13:14
*** chandan_kumar is now known as chandankumar13:18
*** sigmavirus24 has joined #openstack-keystone13:31
*** gokrokve has joined #openstack-keystone13:34
openstackgerritHarry Rybacki proposed a change to openstack/python-keystoneclient: Add tests without optional create endpoint params  https://review.openstack.org/10322913:35
*** achampion has joined #openstack-keystone13:36
*** jdennis has quit IRC13:36
*** achampio1 has quit IRC13:38
*** bobt has joined #openstack-keystone13:38
*** gokrokve has quit IRC13:39
openstackgerritHarry Rybacki proposed a change to openstack/python-keystoneclient: service_id should be random uuid  https://review.openstack.org/10398913:39
*** bobt has quit IRC13:47
*** diegows has joined #openstack-keystone13:49
elmikowhen i create an instance of keystoneclient.client.Client, is it necessary for me to manually call the authenticate() method if i want to get an auth_token?13:53
*** jdennis has joined #openstack-keystone13:53
openstackgerritMatthieu Huin proposed a change to openstack/python-keystoneclient: Improve auth plugins use in v3 client  https://review.openstack.org/10455113:53
marekdmhu hi!13:57
marekdmhu: just saw your uploaded patch ^^13:57
mhuhi marekd !13:57
rodrigodselmiko, not really, once you create the client it already gets a token13:57
openstackgerritSteven Hardy proposed a change to openstack/keystone-specs: Spec for trusts redelegation  https://review.openstack.org/9990813:58
rodrigodselmiko, it does the auth process, i mean13:58
rodrigodsand you get access the token13:58
rodrigodss/get/can13:58
*** zigo has joined #openstack-keystone13:58
elmikorodrigods: ok, when i instantiate with a username, password, and tenant, i get back a keystoneclient object, but auth_token is empty until i call authenticate. am i doing something wrong?13:59
marekdmhu: doesn't your plugin  somehow overlap with those patches :  https://review.openstack.org/#/c/79542/ https://review.openstack.org/#/c/84071/  ?13:59
rodrigodselmiko, which version are you using?14:00
mhumarekd, I wasn't aware of the first one, I'll give it a look14:00
elmikorodrigods: trunk14:00
elmikorodrigods: v3 endpoint14:00
openstackgerritDavid Stanek proposed a change to openstack/keystone: Details the proper way to call a callable  https://review.openstack.org/10455214:00
elmikorodrigods: http://paste.openstack.org/show/85418/ is a snip of what i'm playing with14:01
marekddstanek: hi14:01
dstanekmarekd: hi14:02
marekddstanek: do you have any experience with barbican already?14:02
*** jdennis has quit IRC14:02
rodrigodselmiko, ok will take a look14:02
dstanekmarekd: not really, i looked through the code and did some reviews, but that's about it so far14:02
marekddstanek: nah, ok14:02
elmikorodrigods: thanks for the help :)14:02
dstanekmarekd: next week i'll be at their hackathon though14:02
marekddstanek: ah, ok14:03
*** daneyon has joined #openstack-keystone14:07
*** daneyon has quit IRC14:07
marekddstanek: there are some ideas for using barbican as a public keys storage for k2k bp, but it looks like current Barbican API allows for keeping secrets grouped by tenants...14:07
*** daneyon has joined #openstack-keystone14:08
*** daneyon has quit IRC14:11
*** bobt_ has joined #openstack-keystone14:12
marekdmhu: on the other hand, i think there are no ongoing works to enhance openstackclient with such smart features  :-)14:15
marekdmhu: i think i saw some pieces of code where token and password were the only acceptable authN methods.14:15
marekdmhu: and this should definitely change :-)14:15
rodrigodselmiko, sorry for the delay, i bit busy here14:16
rodrigodsa bit*14:16
*** dims_ has quit IRC14:16
elmikorodrigods: no worries, i appreciate any help :)14:17
mhumarekd, absolutely, but it made more sense to work on keystoneclient first. I'll join in the review of the first patch, which is more thorough than mine14:17
rodrigodselmiko, here is an example: http://paste.openstack.org/show/85422/14:17
rodrigodsthis code works for me14:17
marekdmhu: yeah, thanks :-)14:18
elmikorodrigods: thanks, domain_name is also know as region?14:18
elmiko*known14:18
*** richm has joined #openstack-keystone14:19
*** gokrokve has joined #openstack-keystone14:19
ayounghrybacki, 1705 in the inbox.  Not too bad for 3 days off14:19
*** andreaf has joined #openstack-keystone14:22
hrybackiayoung: see you in another three days :P14:26
rodrigodselmiko, domain is a user container, different from region14:27
elmikorodrigods: ok thanks, i'll need to do a little more reading14:27
elmikorodrigods: is leaving out the domain parameters what is causing me to need a call to authenticate manually?14:28
rodrigodselmiko, not really, when you get a token, you can get a token scoped for a project or domain14:28
elmikorodrigods: hmm, ok14:29
openstackgerritHarry Rybacki proposed a change to openstack/python-keystoneclient: endpoint_id and service_id should be random uuid  https://review.openstack.org/10398914:29
hrybackiZuul reruns after adjusting a commit message?14:30
*** gokrokve has quit IRC14:32
elmikorodrigods: one more question, about your example, did you import keystoneclient.v3.client as client?14:34
rodrigodselmiko, exactly =)14:35
hrybackiayoung: granted my revocation events middleware integration change is on hold (pending jamielennox's session stuff) how does the move pushing middleware into its own repo affect what I've done?14:35
elmikorodrigods: thanks14:35
ayounghrybacki, good question.  The revocation events API needs to go in first regardless14:36
ayounghrybacki, then the changes to auth_token need to be made in the middleware repo14:36
ayoungon top of jamies14:36
elmikoso, what is recommended practice if i want to use v3. the using v3 docs suggest the discovery method with the version parameter, is that preferred or should i just ask for the v3.client?14:37
ayoungdid he resubmit against the new repo?14:37
hrybackino, I wanted to discuss what to do with you first14:37
hrybackiI think the middleware repo is still awaiting on a patch adding it to the devstack installer14:38
*** mostly_d34dh0r53 is now known as d34dh0r5314:38
ayounglets get the existing patches resubmitted against middleware14:38
*** jsavak has quit IRC14:38
ayoungthose can happen in parallel14:38
*** chandankumar has quit IRC14:38
*** leseb has quit IRC14:38
hrybackiIt sounded like dolphm and morganfainberg didn't want anything new in the middleware repo for its initial release14:38
hrybackisession stuff would 1.1.014:39
*** leseb has joined #openstack-keystone14:39
ayounghrybacki, can you apply https://review.openstack.org/#/c/74908/  against the middleware repo?14:39
ayoungits ok, we still can submit it for review14:39
ayoungwe'll just hold off on merging until it is stable14:39
hrybackiokay, yeah I can try and come to you when I get stuck?14:40
*** gokrokve has joined #openstack-keystone14:40
hrybackihere's a question actually, how do I set up an env that's setup to use the middleware repo?14:40
ayoungbknudson, you are stealing years from my life.  https://review.openstack.org/#/c/102702/  doesn't have any unit tests because I cannot port them over straight away14:40
ayoungthey are in the follow on patch14:40
bknudsonayoung: ok, I'll try with the follow-on patch14:42
ayoung++14:43
dolphmhrybacki: ++14:43
*** henrynash has joined #openstack-keystone14:43
elmikorodrigods: i tried your example, but i still get NoneType for auth_token after instantiating the client object14:43
*** leseb has quit IRC14:43
hrybackidolphm: ?14:43
dolphmhrybacki: regarding session stuff in 1.114:43
hrybacki++14:43
ayounghrybacki, if you were to start with devstack, you would modify the paste-api.ini file for nova to replace keystoneclient with keystonemiddleware14:43
*** leseb has joined #openstack-keystone14:43
dolphmhrybacki: to use middleware repo, swap your auth_token config in all your services from keystoneclient.middleware.auth_token to keystonemiddleware.auth_token14:44
hrybackidolphm: silly question, how do I locate all of them?14:44
dolphmhrybacki: they probably have *paste* in the name, and they're all in /etc14:45
bknudsonhrybacki: https://review.openstack.org/#/q/status:open+topic:keystonemiddleware,n,z14:45
dolphmgrep authtoken etc/14:45
dolphmor auth_token etc/14:45
dolphmerr /etc14:45
hrybackibknudson, dolphm++14:52
dolphmmorganfainberg: jamielennox|away: bknudson: i'm ready to release 1.0.0 if we have no more blockers14:52
bknudsondolphm: I can't think of any.14:53
bknudsonif you give me a minute I can try it out a little bit14:53
*** ukalifon1 has quit IRC14:55
*** raildo has quit IRC14:56
*** gokrokve has quit IRC14:57
*** thedodd has joined #openstack-keystone15:00
bknudsondolphm: I tried starting devstack with keystonemiddleware and didn't have any probs.15:04
*** dims_ has joined #openstack-keystone15:04
openstackgerritMarek Denis proposed a change to openstack/keystone: Add _BaseFederationExtension class  https://review.openstack.org/10457715:04
hrybackibknudson: dolphm, I did the same the other day via the patch you were trying to get merged. Ran a full tempest suite w/o any errors locally on F2015:04
dolphmbknudson: hrybacki: thanks!15:04
dolphmi think morganfainberg was ready last night, and jamielennox|away probably won't be on anytime soon... so i'll go ahead and push the button15:05
morganfainbergdolphm, :)15:05
morganfainbergdolphm, i'm fair certain we're good.15:06
morganfainbergdolphm, unless anyone has a reason not to15:06
dolphmmorganfainberg: i'm not aware of any15:06
hrybackiwhat exactly is being merged/going live? the middleware repo itself?15:06
*** doddstack has joined #openstack-keystone15:06
dolphmhrybacki: pushing keystonemiddleware to pypi and stamping it 1.0.015:07
hrybackisweet!15:07
dolphmmorganfainberg: but of course, something must go wrong... what happened to our Fix Committed bugs on keystonemiddleware?? https://bugs.launchpad.net/keystonemiddleware15:07
*** thedodd has quit IRC15:08
*** dims_ has quit IRC15:08
morganfainbergdolphm, have we ... had any ksc bug fixes land since the split?15:09
morganfainbergdolphm, that affects middleware15:09
dolphmmorganfainberg: doc bugs?15:09
dolphmprivatize wasn't tracked....15:09
dolphmhttps://bugs.launchpad.net/keystonemiddleware/+bug/133596515:09
uvirtbotLaunchpad bug 1335965 in keystonemiddleware "project is missing a CONTRIBUTING.rst" [Wishlist,Triaged]15:09
dolphmthey're not fix committed! no bot?15:09
bknudsonis it just 1333948 and that one?15:09
dolphmbknudson: i think so15:09
dolphmat least there's something on https://launchpad.net/keystonemiddleware/+milestone/1.0.0 now15:10
dolphmjust waiting on zuul now... http://status.openstack.org/zuul/15:12
dolphmrelease job is on the right column15:12
*** ukalifon1 has joined #openstack-keystone15:13
morganfainbergdolphm, doh! sorry :(15:17
morganfainbergdolphm, yah privatize slipped through in the 'lets get this out'15:17
morganfainbergdolphm, http://docs.openstack.org/developer/keystonemiddleware/ yay15:19
openstackgerritgordon chung proposed a change to openstack/keystone-specs: move audit middleware to keystonemiddleware repo  https://review.openstack.org/10458415:19
*** radez is now known as radez_g0n315:20
morganfainbergdolphm, do we want to retroactively make the privatize bug?15:21
morganfainbergdolphm, simply for release tracking purposes?15:21
dolphmmorganfainberg: if you create the bug, i'll stick it in 1.0.015:21
morganfainberg++15:22
bknudsonhttps://pypi.python.org/pypi/keystonemiddleware15:23
*** gokrokve has joined #openstack-keystone15:24
morganfainbergdolphm, https://bugs.launchpad.net/keystonemiddleware/+bug/133738115:25
uvirtbotLaunchpad bug 1337381 in keystonemiddleware "Privatize all middleware modules in keystonemiddleware" [High,Fix committed]15:25
*** jdennis has joined #openstack-keystone15:26
*** david-ly_ has joined #openstack-keystone15:27
morganfainbergbknudson, i issued a recheck on your requirements patch for middleware15:28
bknudsonit should pass now15:28
morganfainbergbknudson, ++15:28
bknudsonluckily middleware wasn't released as an alpha package15:29
morganfainberghehe15:29
bknudsonthat's https://review.openstack.org/#/c/102341/ if people want to +115:29
morganfainbergdolphm, so re http://lists.openstack.org/pipermail/openstack-dev/2014-July/039132.html [http statuses]15:30
openstackgerrithenry-nash proposed a change to openstack/keystone: Loggin Test - DO NOT MERGE  https://review.openstack.org/10451215:30
morganfainbergdolphm, it sounds like that fix would need to be backported based on QA practices to icehouse as well15:30
morganfainbergdolphm, mtreinish wouldn't be opposed to that if we had wide enough support for it to land in J. What is your opinion15:31
hrybackiayoung: could review https://review.openstack.org/#/c/103989/ and https://review.openstack.org/#/c/103229/ one last time -- I think they are finally ready15:31
*** praneshp has joined #openstack-keystone15:33
openstackgerritKristy Siu proposed a change to openstack/keystone-specs: Simplified Mapping for Federated Authentication  https://review.openstack.org/10028015:34
*** stevemar has joined #openstack-keystone15:37
dolphmdstanek: stevemar: henrynash: k2k g+ https://plus.google.com/hangouts/_/g5rgewkfuzfvymkeqiscm4bqsea?hl=en15:38
stevemarthx15:39
marekddolphm: i will passively join you, may i ? :-)15:40
dstanekdolphm: almost there15:41
dolphmmarekd: absolutely15:41
dolphmwe're discussing using MFA or token binding to eliminate the attack vector of cross-cloud bearer tokens15:42
openstackgerritKristy Siu proposed a change to openstack/keystone-specs: Simplified Mapping for Federated Authentication  https://review.openstack.org/10028015:49
*** kwss has quit IRC15:50
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: HEAD responses should return same status as GET  https://review.openstack.org/10402615:50
*** gyee has joined #openstack-keystone15:52
*** david-ly_ is now known as david-lyle15:54
*** joesavak has joined #openstack-keystone15:58
*** ukalifon1 has quit IRC15:59
*** dhellmann is now known as dhellmann_16:04
*** dims_ has joined #openstack-keystone16:05
*** dims_ has quit IRC16:09
*** praneshp has quit IRC16:11
*** BAKfr has quit IRC16:15
*** hrybacki_ has joined #openstack-keystone16:16
*** tkelsey has quit IRC16:18
*** hrybacki has quit IRC16:19
*** leseb has quit IRC16:19
*** leseb has joined #openstack-keystone16:20
*** bobt_ has quit IRC16:21
*** hrybacki_ has quit IRC16:21
*** dims_ has joined #openstack-keystone16:21
*** leseb has quit IRC16:24
*** zhiyan is now known as zhiyan_16:29
morganfainbergchange id for GET vs HEAD responses (master and stable): https://review.openstack.org/#/q/I13ce159cbe9739d4bf5d321fc4bd069245f32734,n,z change for tempest that would need to land before those do. https://review.openstack.org/#/c/104610/16:36
morganfainbergif we are headed down this path, those two changes need +2s before the tempest change can merge16:37
morganfainbergjust not approval (because they obviously can't merge)16:37
*** dhellmann_ is now known as dhellmann16:44
dstanekmorganfainberg: why are you keeping the original GETs around in https://review.openstack.org/#/c/104026/2/keystone/assignment/routers.py ?16:45
dstanekmorganfainberg: oh, wait. maybe you're not16:46
morganfainbergdstanek, i'm adding in GETs where only HEAD existed before16:46
morganfainberglong term, i'd like to support HEAD and GET together always16:47
*** afazekas_ has quit IRC16:47
morganfainbergbut that is a bit broader scope than i want to deal with here.16:47
dstanekmorganfainberg: what do you mean by that?16:49
morganfainbergdstanek, trying to fix the bug here, if we're going to do an expansion to handle HEAD in all GET locations (that doesn't currently impact anyone) I want to do that separately16:50
morganfainbergdstanek, keep this change as limited to the specific bug as possible.16:50
*** leseb has joined #openstack-keystone16:50
*** leseb has quit IRC16:52
dstanekmorganfainberg: you mean just have keystone.common.wsgi accept all head requests for anything that supports a get?16:52
*** leseb has joined #openstack-keystone16:52
morganfainbergdstanek, it would be a router change not a common.wsgi change to support HEAD wherever GET is done.16:53
morganfainbergdstanek, i mean... we could re-write it in keystone.common.wsgi ?16:53
morganfainbergwould that be better?16:53
dstanekmorganfainberg: i'm not sure what you'd do in the router, but the first thing i think of is Apache style rewrites so the app has no idea it's a HEAD16:54
morganfainbergexcept some cases we have different policy for HEAD vs GET requests [doh!]16:54
dstanekwow really16:54
dstanek?16:54
morganfainbergdstanek, yes16:55
morganfainbergdstanek, token validation16:55
morganfainbergvalidate is more secure than check.16:55
morganfainbergdstanek, maybe the best bet is to just rewrite it all in openstack,common.wsgi16:56
morganfainbergdstanek, the same that apache would have done.16:56
dstanekthat's unfortunate - i would have expected that to be a different URL16:56
morganfainbergdstanek, i know16:56
*** d34dh0r53 is now known as mostly_d34dh0r5316:56
*** leseb has quit IRC16:57
*** amerine has joined #openstack-keystone16:59
morganfainbergdstanek, ok i'm going to get breakfast. be back shortly, let me know if you think we should just rewrite all HEAD requests to GET in common.wsgi and do magic in there - would be about the same changeset, but would capture the "always support HEAD and GET the same"17:00
*** mostly_d34dh0r53 is now known as d34dh0r5317:01
dstanekmorganfainberg: for the bug i don't think i'd change it17:01
dstanekmorganfainberg: i was thinking long term17:01
morganfainbergdstanek, ++ ok17:01
morganfainbergmaybe something to discuss at the hackathon17:01
*** leseb has joined #openstack-keystone17:02
*** leseb has quit IRC17:02
*** stevemar has quit IRC17:03
*** leseb has joined #openstack-keystone17:03
*** leseb has quit IRC17:07
*** praneshp has joined #openstack-keystone17:13
*** henrynash has quit IRC17:17
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove `with_lockmode` use from Trust SQL backend.  https://review.openstack.org/9705917:19
bknudsonsome kind of auto-test would be good... like every time you do a get also do a head.17:22
morganfainbergbknudson, ++ i would like that17:23
morganfainbergayoung, i know you liked/wanted run_tests: https://review.openstack.org/#/c/103282/17:24
ayounglooking17:32
ayoungmorganfainberg, let me try that out...17:33
*** radez_g0n3 is now known as radez17:33
ayoung$ ./run_tests.sh17:34
ayoung./run_tests.sh: line 109: NONSUBUNIT_ENVS[@]: unbound variable17:34
ayoungpython-subunit17:35
*** praneshp_ has joined #openstack-keystone17:38
openstackgerritMarek Denis proposed a change to openstack/keystone: Implement Service Providers API for OS-FEDERATION  https://review.openstack.org/10462317:40
ayoungmorganfainberg, nope17:41
*** praneshp has quit IRC17:42
*** marekd is now known as marekd|away17:42
*** praneshp_ is now known as praneshp17:42
ayoungmorganfainberg, ./run_tests.sh: line 109: NONSUBUNIT_ENVS[@]: unbound variable17:43
*** henrynash has joined #openstack-keystone17:43
morganfainbergayoung, ah i am missing a :- in there17:52
ayoungnot my system, then17:52
morganfainbergayoung, if you make line 109: NONSUBUNIT_ENVS=( "pep8" ${NONSUBUNIT_ENVS[@]:-} )17:53
morganfainbergit should solve that issue17:53
morganfainbergayoung, i'll post an update here in a bit.17:53
ayoungmorganfainberg, cool17:53
*** stevemar has joined #openstack-keystone17:56
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Make run_tests.sh a wrapper for tox  https://review.openstack.org/10328217:56
*** henrynash has quit IRC17:56
morganfainbergayoung, ^ that should fix the issue you were seeing17:57
ayounglooks good on first pass17:57
ayounglet me try some of the more esoteric combincations17:58
morganfainbergayoung, hehe sure17:59
*** d34dh0r53 is now known as mostly_d34dh0r5318:02
*** amcrn has joined #openstack-keystone18:05
dolphmayoung: i'm excited to see your conference talk on Esoteric Combincations18:09
*** doddstack has quit IRC18:19
morganfainbergdolphm, LOL18:25
*** mostly_d34dh0r53 is now known as d34dh0r5318:26
*** hrybacki has joined #openstack-keystone18:28
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: auth_token cached token handling  https://review.openstack.org/10239918:29
nkinder_combincations is the new multiprojectcy18:30
morganfainbergbknudson, i'm not seeing where the .get fails if an external cache is provided in ^18:30
bknudsonmorganfainberg: hmm, if it's not then that would be a bug18:31
openstackgerritDolph Mathews proposed a change to openstack/keystone: Adding an index on token.user_id  https://review.openstack.org/10204118:32
bknudsonmorganfainberg: http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/auth_token.py#n151718:32
morganfainbergbknudson, ok let me check on that18:33
bknudsonmorganfainberg: I don't see how external cache makes a difference18:33
morganfainbergbknudson, i might have missed a call.18:33
morganfainbergbknudson, right, like i said, i might have missed a call18:33
morganfainbergbknudson, ok i misread this, i jumped past _cache_get, sorry18:38
morganfainbergbknudson, you're 100% right in your comment.18:38
bknudsonno problem18:38
morganfainbergthis is complex enough i want to make sure we didn't have an edge case sneaking through :)18:38
bknudsony, hopefully having separate classes will make it less complicated18:38
bknudsonI'll work on adding new tests just for the class.18:39
morganfainbergbknudson, ++18:41
dolphmmorganfainberg: this isn't just wishlist? https://bugs.launchpad.net/keystonemiddleware/+bug/133738118:49
uvirtbotLaunchpad bug 1337381 in keystonemiddleware "Privatize all middleware module methods/properties in keystonemiddleware" [High,Fix released]18:49
*** bobt has joined #openstack-keystone18:50
*** jdennis has quit IRC18:58
*** hrybacki has quit IRC19:07
*** hrybacki has joined #openstack-keystone19:08
*** doddstack has joined #openstack-keystone19:08
*** dims_ has quit IRC19:09
*** nkinder_ has quit IRC19:20
*** nkinder has joined #openstack-keystone19:21
*** hrybacki has quit IRC19:24
*** hrybacki has joined #openstack-keystone19:25
*** jdennis has joined #openstack-keystone19:32
dolphmstevemar: i see that doc bug build bug is still an issue - is there any progress on it?19:36
morganfainbergdolphm, go ahead and switch it to wishlist, but we did hold the release up for it :P19:37
dolphmmorganfainberg: i just don't want people to think they're missing a high priority bug fix by not switching or something19:37
morganfainbergah, ok medium?19:38
dolphmstevemar: ooh found it, says fix released... https://bugs.launchpad.net/openstack-api-site/+bug/133573119:38
morganfainbergor low?19:38
uvirtbotLaunchpad bug 1335731 in openstack-api-site "dox-publish build fails to build for identity-api" [Critical,Fix released]19:38
morganfainbergi won't think it's "wishlist"19:38
morganfainbergs/wont/dont19:38
morganfainbergotherwise i don't see why we would have help up the release ;) [just forward thinking, it doesn't matter really what we set it as]19:39
morganfainberggod i can't type19:39
morganfainbergs/help/held19:39
dolphmanyone know if elastic-recheck makes considerations for queries for non-transient gate failures?19:42
dolphmlike, rechecking will just cause another failure, but it'd still be nice to get the comment noting which bug was encountered19:43
stevemardolphm, look @ the latest comment for the bug, i don't think it fixed everything19:45
morganfainbergdolphm, i don't think elastic recheck cares if a recheck was done, it should comment on _any_ failure it knows about19:46
*** henrynash has joined #openstack-keystone19:46
dolphmstevemar: i'm running a logstash query now ... http://logstash.openstack.org/#eyJzZWFyY2giOiJtZXNzYWdlOlwiY29tLnJhY2tzcGFjZS5jbG91ZC5hcGkuZG9jcy5waXBlbGluZS5QaXBlbGluZUV4Y2VwdGlvbjogbmV0LnNmLnNheG9uLnM5YXBpLlNheG9uQXBpRXhjZXB0aW9uOiBQcm9jZXNzaW5nIHRlcm1pbmF0ZWQgYnkgeHNsOm1lc3NhZ2UgYXQgbGluZSAtMSBpbiBudWxsXCIiLCJmaWVsZHMiOltdLCJvZmZzZXQiOjAsInRpbWVmcmFtZSI6IjE3MjgwMCIsImdyYXBobW9kZSI6ImNvdW50IiwidGltZSI6eyJ1c2VyX2ludGV19:46
dolphmydmFsIjowfSwic3RhbXAiOjE0MDQ0MTY2Njc1OTl919:46
dolphmmorganfainberg: yeah, but will they approve the query if it's not a transient?19:46
morganfainbergdolphm, bitly is your friend when pasting those queries :(19:46
morganfainbergoh19:47
morganfainberguhm19:47
morganfainberggood question19:47
dolphmmorganfainberg: yeah... or you can decode the b64, trim the fat from the json encoded request, and then re-encode for a much shorter url!19:47
morganfainbergyeah!19:47
morganfainbergbitly sounds like less work :P19:47
dolphmmorganfainberg: stevemar: http://bit.ly/1zaZr8619:48
*** henrynash has quit IRC19:48
stevemar33 hits, not bad19:49
morganfainbergdolphm, LOL19:50
morganfainbergdolphm, well played, well played19:50
dolphmstevemar: in 48 hours.19:51
*** dims_ has joined #openstack-keystone19:53
dolphmmorganfainberg: stevemar: submitted to elastic-recheck https://review.openstack.org/#/c/104664/19:54
morganfainbergdolphm, i think this is reasonable to have. but i dunno what infra/ER's stance on this is19:55
dolphmmorganfainberg: eventually we'll have to recheck/reverify all the failures against that bug to get them to land - seems sensible & helpful to me.19:56
dolphmhell, i kept losing track of the bug... not knowing if it was fixed or not19:57
morganfainbergdolphm, ++19:57
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: HEAD responses should return same status as GET  https://review.openstack.org/10402619:59
dstanekyesterday someone seemed to imply that the bug was caused by a change in identity-api itself. has that been proven to be true?20:03
openstackgerritBob Thyne proposed a change to openstack/keystone-specs: Propose Specification for Endpoint Group Filter  https://review.openstack.org/10202320:03
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Refactor auth_token, move identity server members to class  https://review.openstack.org/10240220:04
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Refactor auth_token revocation list members to new class  https://review.openstack.org/10240320:04
openstackgerritBob Thyne proposed a change to openstack/keystone-specs: Propose Specification for Endpoint Group Filter  https://review.openstack.org/10202320:07
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Refactor auth_token, move identity server members to class  https://review.openstack.org/10240220:18
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Refactor auth_token revocation list members to new class  https://review.openstack.org/10240320:18
openstackgerritA change was merged to openstack/python-keystoneclient: Add a fixture for Keystone version discovery  https://review.openstack.org/9984620:21
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Refactor auth_token, move identity server members to class  https://review.openstack.org/10240220:24
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Refactor auth_token revocation list members to new class  https://review.openstack.org/10240320:24
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Refactor auth_token, move identity server members to class  https://review.openstack.org/10240220:26
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Refactor auth_token revocation list members to new class  https://review.openstack.org/10240320:26
hrybackibknudson: you are breaking all of my work :P20:30
bknudsonhrybacki: hopefully the refactoring makes it easier to work with20:30
hrybackibknudson: probably20:31
dolphmstevemar: curl http://paste.openstack.org/raw/85451/ | git apply20:33
*** daneyon has joined #openstack-keystone20:34
stevemardstanek, nah, it's independent of any identity-api changes20:35
stevemarwelp, time to review some bknudson changes20:35
stevemardolphm, i take it you are not pushing a patch for k2k? I can add in your changes20:38
dolphmstevemar: i am not. there's some good conversation that i didn't want to stomp on before it's resolved20:40
stevemardolphm, so I should hold off on stomping too?20:41
dolphmstevemar: please! i just wanted to post because i know i'm not going to be able to follow up quickly enough20:41
dolphm(post the diff)20:41
stevemarfair enough20:42
*** daneyon_ has joined #openstack-keystone20:42
morganfainbergdolphm, stevemar, sorry didn't mean to de-rail the convo from mfa earlier today20:42
dstanektempest has a surprising amount of line coverage for the few tests that it runs20:42
dolphmmorganfainberg: no-no, we had brought up your question twice before anyway, and kept deferring it... it needs to be covered20:43
*** daneyon has quit IRC20:43
morganfainbergdolphm, it feels like that issue is an elephant in the room each time this is brought up20:43
dolphmmorganfainberg: just like the issue today - there's two ways to go about a solution, and it's not obvious which is better20:44
morganfainbergdolphm, yeah20:44
dolphmmorganfainberg: what type is resp.headers.get('Content-Length') ?20:44
morganfainbergalways a string afaict20:45
morganfainbergall headers are a string from what i can see20:45
dolphmk20:45
morganfainbergat least we previously always compared with "0" for a zero-length content20:45
morganfainbergdolphm, will check that the 204 change != 'head' isn't breaking anything the whitespace change is ... well dumb and will be fixed20:51
morganfainbergdolphm, and i'll move to .upper() cause "meh" ;)20:51
dolphmmorganfainberg: comparisons to 'head' and 'get' might be slightly more self-explanatory that way :-/20:54
morganfainbergsure.20:55
rodrigodsis anyone managing to apply dolphm patch? here i get: fatal: corrupt patch at line 640 =/20:56
dolphmso we got a bug report that concludes with "Everything works perfectly!" and then reiterates with "everything is working properly"20:57
dolphmrodrigods: uh oh20:57
morganfainberglol20:57
morganfainbergdolphm, GREAT! BUG SOLVED!20:57
dolphmlet's break something! FIX RELEASED20:57
morganfainberghehe20:58
morganfainbergLOL *facepalm*20:58
* morganfainberg remembers to change 'head' to 'HEAD' in tests20:59
dolphmrodrigods: doesn't work for me either!20:59
rodrigodsdolphm, added a blank line in the end, looks like it worked21:00
dolphmrodrigods: i was about to try that too21:00
rodrigods=)21:00
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: HEAD responses should return same status as GET  https://review.openstack.org/10402621:01
*** raildo has joined #openstack-keystone21:01
*** marekd|away is now known as marekd21:02
dolphmrodrigods: looks like paste.openstack.org is trimming the input or something? anyway:21:05
dolphm$ curl http://pasteraw.com/sfh8luetcvdumpbw93n5ingqzst7thf | git apply21:05
dolphmsame diff ^ plus a blank line at the end21:06
*** joesavak has quit IRC21:07
dolphmwould we ever return 203 for anything?21:08
morganfainberg203..21:09
morganfainbergreally?21:09
morganfainberguhm.21:09
dolphmtruncated collection..?21:09
* morganfainberg has no idea21:09
morganfainbergah21:09
morganfainbergwas that what we determined21:09
morganfainbergthe hard-set "limit" bit?21:09
dolphmmorganfainberg: yes21:11
dolphmi don't see where we create a 203 anywhere21:11
dolphmbut i found this, which git blames to dstanek, but looks like a refactor https://github.com/openstack/keystone/blob/master/keystone/tests/rest.py#L119-L12121:11
morganfainbergyeah21:12
morganfainbergjust saw the same21:12
morganfainbergi don't see anyplace we actually respond with a 20321:12
dstanekdolphm: ?21:12
dolphmdstanek: you made a refactor here https://review.openstack.org/#/c/54209/ is all21:13
dstanekdolphm: ah, ok21:13
dolphmdstanek: that means you're on the hook for explaining why the example uses a 20321:13
dstanekdolphm: ha, i can deflect21:15
*** radez is now known as radez_g0n321:16
afaranhaWhat's required to use OS-INHERIT in order to inherit roles?21:17
dstanekdolphm: the dark ages https://github.com/openstack/keystone/commit/2124890821:19
ayoungdolphm, OK, I think we have a catch 2221:20
ayoungV3 Api21:20
ayoungif you request a token with no project name or id, you get an unscoped token21:20
ayoungthis does not have a service catalog21:20
ayoungif you then attempt to request the project list, you get "keystoneclient.exceptions.EmptyCatalog: The service catalog is empty."21:21
ayoungwhat the client should be doing is using the AUTH_URL as the management url  to make that call21:21
dolphmayoung: that sounds like a new bug then, and doesn't sound specific to v3?21:22
ayoungsince v2 auth request as for default project, I don't think it has this problem21:22
*** 77CAAPLE4 has joined #openstack-keystone21:22
dolphmayoung: both v2 and v3 have similar behaviors there21:23
openstackgerritA change was merged to openstack/python-keystoneclient: Modify oauth calls to expect urlencoded responses  https://review.openstack.org/10432021:23
ayoungdolphm, I don't think V2 has that problem21:24
ayoungdolphm, I'm still digging, but it might  be specific to the Session code, too21:24
ayoungin the past, we've created a client with AUTH_URL as one of the kwargs21:25
*** marekd is now known as marekd|away21:33
morganfainbergafaranha, you need to enable OS-INHERIT in your config, and when creating the grant you need to use the OS-INHERIT api not the standard grant api21:36
morganfainbergafaranha, i think you were creating the grant via the normal method instead of /OS-INHERIT/ directly21:36
morganfainbergafaranha, in the previous conversation21:37
openstackgerritBrant Knudson proposed a change to openstack/keystone: Correct docstring for assertResponseSuccessful  https://review.openstack.org/10469321:38
*** elmiko has quit IRC21:39
*** doddstack has quit IRC21:44
*** hrybacki has quit IRC21:48
openstackgerritDolph Mathews proposed a change to openstack/keystone: update example with a status code we actually use  https://review.openstack.org/10469921:53
*** mrda-away is now known as mrda21:53
dolphmbknudson: i +2 your trivial doc fix, and raise you an even more trivial doc fix ^21:54
bknudsondolphm: now all the docstrings are clear and concise.21:56
bknudsonayoung: I think that might have changed because I'm pretty sure that's how the client worked at some point21:57
dolphmbknudson: for some value of 'all'21:57
openstackgerritBoris Pavlovic proposed a change to openstack/python-keystoneclient: Add profiling support to Keystone  https://review.openstack.org/10336722:02
david-lylein policy.v3cloudsample.json, what is the admin_domain_id intended to be?22:06
morganfainbergdavid-lyle, i think the global admin domain, e.g. what the cloud operator would use.22:07
david-lyleI get the concept, just wasn't sure if default was the intended admin domain22:07
morganfainbergdavid-lyle, though... i uhm. need to 2x check to be sure22:07
david-lyleor a new domain22:07
david-lyledefault seems problematic22:07
morganfainbergdavid-lyle, ah, uhm. not sure22:07
*** nkinder has quit IRC22:07
morganfainbergdavid-lyle, it might be that making someone admin in the default domain was intended22:07
david-lyleok, that could make sense22:08
* morganfainberg is unsure intention atm.22:08
david-lyleI can play with that to make it work for now :)22:08
*** sigmavirus24 has quit IRC22:08
david-lylethanks morganfainberg22:08
*** daneyon_ has quit IRC22:13
*** dims__ has joined #openstack-keystone22:13
*** dims_ has quit IRC22:15
*** richm has left #openstack-keystone22:31
*** d34dh0r53 is now known as mostly_d34dh0r5322:31
*** andreaf has quit IRC22:37
david-lyledid anyone ever use the policy.v3cloudsample.json as even a test?22:40
*** rodrigods_ has joined #openstack-keystone22:54
*** henrynash has joined #openstack-keystone22:57
*** david-lyle has quit IRC22:57
*** henrynash has quit IRC22:57
*** david-ly_ has joined #openstack-keystone22:58
*** david-ly_ has quit IRC23:03
*** jamielennox|away is now known as jamielennox23:04
*** gokrokve has quit IRC23:12
*** gmurphy has quit IRC23:13
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Convert keystone CLI to use auth plugins  https://review.openstack.org/9568023:14
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Plugin loading from config objects  https://review.openstack.org/7954223:14
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Allow loading auth plugins from CLI  https://review.openstack.org/9567923:14
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Provide an __all__ for auth module  https://review.openstack.org/10452923:14
*** gmurphy has joined #openstack-keystone23:14
jamielennoxdolphm: this one's waiting on (specifically) your approval https://review.openstack.org/#/c/100776/23:17
*** rodrigods_ has quit IRC23:35
ayoungjamielennox, I need to go to dinner here in a sec, but: if I create a client using a session, and don't specify any scope, (no project) I get a token with no catalog, right?23:38
ayoungso I would need to somehow tell it that it should use the AUTH_URL as the management url...how?23:39
jamielennoxyes, you'd get an unscoped token and they don't contain a catalog (though i've proposed we change that)23:42
jamielennoxayoung: currently in client there is a management=False boolean that is passed to the request - i think it should work with sessions23:43
jamielennoxthat will tell it to use the auth_url23:43
openstackgerritA change was merged to openstack/keystone: Correct docstring for assertResponseSuccessful  https://review.openstack.org/10469323:45
*** oomichi has joined #openstack-keystone23:59
