Tuesday, 2014-07-15

jamielennoxso i'd love to see us do a proper MVC or one of the other derivations in keystone - i was working that way with pecan, and got distracted00:00
jamielennoxmy gut reaction there would be that the representation of roles on the token should also be version independant00:00
morganfainbergwhich is what i'm driving for00:00
jamielennoxand that it's the controller (/view) that should convert those roles into the appropriate format00:00
morganfainbergit'll be a list that is version independant00:00
morganfainbergthe formatter on serializer will need to output the data (eventually perhaps to the controller)00:01
morganfainbergor  the formatter object can consume the token model there00:01
morganfainbergi'm just stumbling on the roles because it's not as ... straightforward as the rest of the stuff00:02
jamielennoxhow so?00:02
jamielennoxa role is just an id and a name00:02
morganfainbergbut it's a list of roles that are derived from groups and user and project combination00:03
morganfainbergdomain is simple, it's an id00:03
morganfainbergsame w/ user00:03
morganfainbergheck all the values on the token for the most part are non-complex when you get down to it, except roles00:04
morganfainbergthere are many of them00:04
jamielennoxright, so you can't just add a role object to a list and expect that to work00:05
jamielennoxbut at some point here the token representation is only a part of keystone and you can force people (because they're us) into using it correctly and change it later if something makes more sense00:05
morganfainbergi'm _thinking_ the right answer is a method that does the role resolution based upon all the other values.00:06
morganfainbergkindof like .populate_roles() on the V3 data helper00:06
jamielennoxthis isn't going to be a public interface, if you say you must use add_role() then that's all there is00:06
*** bknudson has joined #openstack-keystone00:06
* morganfainberg is trying to get it so internally we never look at more than one type of token except when we serialize and emit00:06
morganfainbergit'll make it way easier to get to non-persistent tokens.00:07
jamielennoxyep, i get the vision - and i'd really like if you make a new top level directory called models and put token as the first object in there00:07
jamielennoxmight be pushing my luck00:07
morganfainbergsure. we could do that.00:07
morganfainberginstead of token.core00:07
* morganfainberg doesn't care where it lives00:07
jamielennoxcause i'd like to see models.User, models.Catalog etc00:07
morganfainbergi can put all the descriptor junk in there as well00:08
morganfainbergmight be a bit cleaner00:08
jamielennoxi tried this nearly a year ago and got a -200:08
* morganfainberg was also hoping not to need to dependency inject on the TokenModel itself00:08
morganfainbergbut i think i need to00:09
morganfainbergfor roles.00:09
* jamielennox had a plan to fix that with pecan :(00:09
morganfainberghey, we can get there from here :)00:09
jamielennoxso if you are really worried about how people use the list you can make your own iterable object that cannot be added to00:10
jamielennoxand fetches the available roles on first call or something00:10
jamielennoxI'm concerned at that point about the amount of magic involved, i think you can go too far with python00:11
*** bknudson has quit IRC00:11
jamielennoxalready we have a whole lot of descriptors that will be a pain if you ever need to step through what happens00:12
jamielennoxi don't think i told you but i solved my issue with the generating jsonschema objects and it works nicely - and i'm just not sure if there is a big advantage over simply writing out the jsonschema yourself00:12
*** ayoung has joined #openstack-keystone00:12
morganfainbergjamielennox, right00:14
morganfainbergwell i'm trying to keep this compatible (no migrations) with our current token persistence system for a smooth transition00:15
openstackgerrithenry-nash proposed a change to openstack/keystone: Extension to provide Read-Only REST API access to config  https://review.openstack.org/10655900:15
morganfainbergi don't think i want too much magic going on here.00:16
ayoungjamielennox, novaclient  --debug is showing me that it is asking for   curl -i 'https://ayoungf20packstack.cloudlab.freeipa.org/keystone/main/v3/v2.0/tokens'00:17
jamielennoxalso positional(0) won't work like that because it will want you to pass self as a kwargs and you can't00:17
morganfainbergi'll just make a .populate_roles() call that we can run as part of the setup of the token model object00:17
morganfainbergjamielennox, ah so position(1)?00:17
jamielennoxmorganfainberg: yea00:17
morganfainbergi haven't written tests yet, so, i'm sure i'll have all sorts of things that come out of this00:18
jamielennoxmorganfainberg: so as mentioned i think you don't need to worry too much about things like the role loading yet, it's internal to keystone so it can always be changed later00:18
morganfainbergit was more of an order of operations00:18
jamielennoxjust do the most logical thing for now and worry about on-demand loading later00:18
morganfainbergi'll just make it a method we can call, it'll load the roles up, and on the .from_primitive() call it'll side-band them in.00:19
ayoungRetrying on HTTP connection exception: HTTPConnectionPool(host='', port=35357):00:19
*** dstanek_zzz is now known as dstanek00:19
morganfainbergrather than calling .populate_roles again (since the data will already be serialized)00:19
jamielennoxayoung: you using a session object?00:19
jamielennoxmorganfainberg: yea, you can fairly easily put a flag on whether that has been done or not00:20
jamielennoxayoung: cause there is no v2/v3 hack in session yet00:20
morganfainbergif self.roles00:20
jamielennoxumm, here: https://review.openstack.org/#/c/90632/00:21
*** bknudson has joined #openstack-keystone00:24
bknudsonmorganfainberg: https://review.openstack.org/#/c/101792/5/keystoneclient/auth/identity/v2.py00:25
bknudsonjamielennox also has a fix for it.00:25
morganfainbergbknudson, ahh00:25
bknudsonmorganfainberg: that one does a redact rather than obfuscating the password00:26
bknudsonI knew I'd seen it somewhere.00:27
jamielennoxbknudson: i need to fix that but it feels wrong somehow00:28
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Do not expose Token IDs in debug output  https://review.openstack.org/10689000:29
bknudsonjamielennox: what do you think of this approach? ^00:29
bknudsonIt's only got the v2 plugin.00:30
jamielennoxyea, i was thinking that could work as at least all the logging code is in the same place00:32
bknudsonessentially it's just passing functions around... could have a function to handle headers too.00:33
jamielennoxi was also wondering about passing through a logger object, because then you should be able to add custom filters to it00:33
bknudsonrequest and response headers and body00:33
jamielennoxso you create a log object for each plugin that filters out the sensitive data and then just pass through LOG00:33
bknudsonjamielennox: that sounds nicely pythony00:34
jamielennoxit's a bit more confusing at that point and it means that by the time you get it in the logger it is already a string so you'd have to undo the json to redact it00:34
jamielennoxi don't know if that's an issue considering it's a debug call anyway00:35
bknudsony, don't need to worry much about efficiency here00:35
jamielennoxbknudson: its a fair bit more effort because i think you need to change the logging formatter or something as well - at which point i kind of got lost00:37
bknudsonprobably not worth any extra effort.00:37
jamielennoxyep, i think the function is probably the right way to go00:39
bknudsonjamielennox: I posted comments on https://review.openstack.org/#/c/101792/00:39
bknudsondid you want to change https://review.openstack.org/#/c/101792/ to have a obfuscation function?00:39
jamielennoxbknudson: so rebase it on top of yours?00:40
jamielennoxor just change it to use a function instead00:40
bknudsonjamielennox: just change it to use a function, don't worry about mine00:40
jamielennoxyea, ok - i can do that00:41
ayoungjamielennox, ugh...ok...so yeah, I am using a session00:42
ayoungbut if I call nova client directly, I get the same thing00:43
ayoungV2 url gets a 40100:43
ayoungv3 url...and uglier error00:43
openstackgerrithenry-nash proposed a change to openstack/identity-api: Extension to provide a REST API to read configuration options  https://review.openstack.org/10684200:43
ayoungbut I guess its the V2 one I need for now.00:44
ayoungI'm guessing that the problem is on the auth_token side00:44
*** henrynash has quit IRC00:44
ayoungag..didn't restart nova after changing auth config...00:45
*** dstanek is now known as dstanek_zzz00:54
*** lbragstad has quit IRC00:57
*** dstanek_zzz is now known as dstanek01:02
*** amcrn has quit IRC01:02
*** marcoemorais has quit IRC01:13
*** topol has joined #openstack-keystone01:16
*** nkinder has quit IRC01:22
*** spandhe has quit IRC01:54
morganfainbergjamielennox, ayoung, is this... a bug? https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L274-L276 it looks like if the first role in the trust is not available we bail out? shouldn't we ... see if any other trust roles are valid before bailing?01:55
ayoungmorganfainberg, anything bad, the whole trust is bad01:56
morganfainbergor is that the intention that if any of the trust roles are invalid the trust is bad01:56
stevemarayoung, i'd appreciate a look at: https://review.openstack.org/#/c/83829/01:56
ayoungyou got !01:56
*** spandhe has joined #openstack-keystone01:56
stevemarconsidering you were good with mareks ECP work, that one should be a no brainer (as it's a kinda a pre-req) :)01:56
*** mberlin has joined #openstack-keystone01:57
ayoungstevemar, +2 +A. now leave me alone!01:57
stevemarayoung, woo hoo!01:58
ayoungstevemar, I have my boss breathing down my neck for Kerberized Horizon.  I had to hide out from IRC all day just to get work done01:58
ayoungand it is a mess.01:58
*** mberlin1 has quit IRC01:59
stevemarayoung, i hear ya, i was just told to get a PoC of k2k working in ... 10 days01:59
stevemari'll be afk from life for about a week01:59
ayoungstevemar, joy!01:59
ayoungstevemar, sorry if I made that rough for you.  K2K should be kept minimal, and I was not super thrilled with the "treat it like an IdP" aspect of what I was hearing02:00
*** chandankumar has joined #openstack-keystone02:00
*** dstanek is now known as dstanek_zzz02:01
*** dstanek_zzz is now known as dstanek02:03
*** nkinder has joined #openstack-keystone02:03
stevemarayoung, it's cool dude, are you good with the current proposal? https://etherpad.openstack.org/p/keystone-juno-hackathon line 17602:03
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Add the new KeystoneTokenModel  https://review.openstack.org/10691702:14
morganfainbergstevemar, *cries a little at the size of the token model change*02:15
morganfainbergi wasn't expecting that to be > 400 lines w/o tests.02:15
dstanekmorganfainberg: that's quite a bit :-)02:17
morganfainbergdstanek, yeah and it's still missing the serializer/deserializer bits02:17
morganfainbergdstanek, but token =  KeystoneTokenModel(token_id, includes_catalog, is_admin)  then just things like token.user = user_id and it loads the data behind the scenes02:18
morganfainbergdstanek, a little magic, but it means we dont have to have 3 places checking the user and extracting the user id from assignment_api when building the token (or is it 2)02:18
dstanekmorganfainberg: that'll be nice to have02:18
morganfainbergsimilar savings on other bits where possible.02:19
morganfainbergthe pieces still missing: serialize, from_serialized, and saml2 token mojo02:19
morganfainbergand it _should_ be compatible with our current token persistence without any migratons (SQL) needed02:19
morganfainbergand should be able to load old persistence data when done.02:20
morganfainbergdstanek, i also added a bunch of logic to prevent accidental changes to the in-memory token, should help us be more defensive overall (can't accidently do token.user['id'] = <something>02:21
morganfainbergs/bunch of logic/used a pre-existing class/02:21
morganfainbergdstanek, i think i need a beer... or three to continue with this :P02:25
dstanekmorganfainberg: i spent a lot of time yesterday messing with AST, so i know exactly what you mean02:26
morganfainbergmore importantly, i'm _really_ not looking forward to writing these tests.02:27
*** chandankumar has quit IRC02:30
*** dims__ has quit IRC02:33
*** topol has quit IRC02:39
*** topol has joined #openstack-keystone02:39
*** openstackgerrit has quit IRC02:42
*** miqui has quit IRC02:42
*** dvorak has quit IRC02:42
*** dstanek has quit IRC02:42
*** dvorak has joined #openstack-keystone02:42
*** miqui has joined #openstack-keystone02:42
*** openstackgerrit has joined #openstack-keystone02:43
*** dstanek has joined #openstack-keystone02:44
*** harlowja is now known as harlowja_away02:54
*** harlowja_away is now known as harlowja02:58
jamielennoxmorganfainberg: i saw your comment about another way to provide the 'auth' interface on get_endpoint - i don't know of a better way to do it03:03
jamielennoxif you specify the full url then get_endpoint is ignored because you obviously know where you are sending things03:03
jamielennoxbut at the manager level where this was happening i don't think you have any way to know the auth_url03:04
jamielennoxayoung: grrr, you pushed that client review on top of an out of date chain and so everything got rebased back to the old patches03:10
*** dstanek has quit IRC03:12
*** mberlin has quit IRC03:12
*** dwaite has quit IRC03:12
*** tellesnobrega has quit IRC03:12
*** hyakuhei has quit IRC03:12
*** csd has quit IRC03:12
*** anteaya has quit IRC03:12
*** morganfainberg has quit IRC03:12
*** openstackgerrit has quit IRC03:12
*** topol has quit IRC03:12
*** Dafna has quit IRC03:12
*** uvirtbot has quit IRC03:12
*** dvorak has quit IRC03:12
*** stevemar has quit IRC03:12
*** jdennis has quit IRC03:12
*** xianghui has quit IRC03:12
*** mfisch has quit IRC03:12
*** gmurphy has quit IRC03:12
*** akscram has quit IRC03:12
*** gpocentek has quit IRC03:12
*** Mikalv has quit IRC03:12
*** ekarlso has quit IRC03:12
*** shufflebot has quit IRC03:12
*** raildo has quit IRC03:12
*** boris-42 has quit IRC03:12
*** nkinder has quit IRC03:12
*** ayoung has quit IRC03:12
*** designated has quit IRC03:12
*** YorikSar has quit IRC03:12
*** mat-lowery has quit IRC03:12
*** amerine has quit IRC03:12
*** zigo has quit IRC03:12
*** therve has quit IRC03:12
*** redrobot has quit IRC03:12
*** arunkant has quit IRC03:12
*** Ephur has quit IRC03:12
*** mgagne has quit IRC03:12
*** radez_g0n3 has quit IRC03:12
*** comstud has quit IRC03:12
*** mhu has quit IRC03:12
*** dolphm has quit IRC03:12
*** toddnni has quit IRC03:12
*** bknudson has quit IRC03:12
*** oomichi has quit IRC03:12
*** tristanC has quit IRC03:12
*** sudorandom has quit IRC03:12
*** baffle has quit IRC03:12
*** jamielennox has quit IRC03:12
*** jraim has quit IRC03:12
*** jimbaker has quit IRC03:12
*** ciypro|afk has quit IRC03:12
*** ChanServ has quit IRC03:12
*** openstackgerrit has joined #openstack-keystone03:20
*** dvorak has joined #openstack-keystone03:20
*** topol has joined #openstack-keystone03:20
*** nkinder has joined #openstack-keystone03:20
*** mberlin has joined #openstack-keystone03:20
*** bknudson has joined #openstack-keystone03:20
*** ayoung has joined #openstack-keystone03:20
*** oomichi has joined #openstack-keystone03:20
*** stevemar has joined #openstack-keystone03:20
*** dwaite has joined #openstack-keystone03:20
*** hyakuhei has joined #openstack-keystone03:20
*** jdennis has joined #openstack-keystone03:20
*** YorikSar has joined #openstack-keystone03:20
*** tristanC has joined #openstack-keystone03:20
*** xianghui has joined #openstack-keystone03:20
*** Dafna has joined #openstack-keystone03:20
*** designated has joined #openstack-keystone03:20
*** mat-lowery has joined #openstack-keystone03:20
*** tellesnobrega has joined #openstack-keystone03:20
*** sudorandom has joined #openstack-keystone03:20
*** morganfainberg has joined #openstack-keystone03:20
*** amerine has joined #openstack-keystone03:20
*** boris-42 has joined #openstack-keystone03:20
*** baffle has joined #openstack-keystone03:20
*** ekarlso has joined #openstack-keystone03:20
*** mfisch has joined #openstack-keystone03:20
*** gmurphy has joined #openstack-keystone03:20
*** zigo has joined #openstack-keystone03:20
*** uvirtbot has joined #openstack-keystone03:20
*** Mikalv has joined #openstack-keystone03:20
*** gpocentek has joined #openstack-keystone03:20
*** akscram has joined #openstack-keystone03:20
*** raildo has joined #openstack-keystone03:20
*** shufflebot has joined #openstack-keystone03:20
*** comstud has joined #openstack-keystone03:20
*** radez_g0n3 has joined #openstack-keystone03:20
*** mgagne has joined #openstack-keystone03:20
*** Ephur has joined #openstack-keystone03:20
*** arunkant has joined #openstack-keystone03:20
*** redrobot has joined #openstack-keystone03:20
*** therve has joined #openstack-keystone03:20
*** toddnni has joined #openstack-keystone03:20
*** dolphm has joined #openstack-keystone03:20
*** mhu has joined #openstack-keystone03:20
*** ciypro|afk has joined #openstack-keystone03:20
*** dickson.freenode.net sets mode: +oo morganfainberg dolphm03:20
*** jimbaker has joined #openstack-keystone03:20
*** jraim has joined #openstack-keystone03:20
*** jamielennox has joined #openstack-keystone03:20
*** csd has joined #openstack-keystone03:20
*** anteaya has joined #openstack-keystone03:20
*** dstanek has joined #openstack-keystone03:22
*** ChanServ has joined #openstack-keystone03:23
*** dickson.freenode.net sets mode: +o ChanServ03:23
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Allow passing kwargs from managers to session  https://review.openstack.org/10665803:24
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Change unscoped token fallback to be session aware  https://review.openstack.org/10477103:24
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Allow passing kwargs from managers to session  https://review.openstack.org/10665803:31
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Use jsonutils to load adapter response  https://review.openstack.org/10506503:31
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Add the 'auth' interface type  https://review.openstack.org/10473403:31
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Test that tenant list function can use auth_url  https://review.openstack.org/10477003:31
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Change unscoped token fallback to be session aware  https://review.openstack.org/10477103:31
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Add v2 Token manager authenticate tests  https://review.openstack.org/10476903:31
*** chandankumar has joined #openstack-keystone03:36
marekdstevemar: any progress with TFIM ?03:52
*** spandhe has quit IRC03:59
stevemarmarekd, not really, we had a 30 minute call, but it was the same result, got a whole bunch of HTML in the idp_response04:00
stevemari'll continue on it tomorrow, the guy i was talking to, had to go04:01
marekdstevemar: understood04:01
marekdgosh i think i am having some problem with re-adjusting to euro tz ;/04:01
marekdsecond day in a row i am waking up ~4 in the morning and cannot really sleep.04:02
*** chandankumar has quit IRC04:05
openstackgerritSteve Martinelli proposed a change to openstack/keystone-specs: Federating multiple Keystones  https://review.openstack.org/10002304:16
stevemarmarekd, ^04:18
stevemarmarekd, eek!04:18
stevemari was just really tired :(04:18
*** amerine_ has joined #openstack-keystone04:18
stevemarmarekd, also https://review.openstack.org/#/c/92166/ should be merged in ..... 2 minutes04:20
*** amerine has quit IRC04:21
*** k4n0 has joined #openstack-keystone04:27
*** dims__ has joined #openstack-keystone04:31
*** dims__ has quit IRC04:36
*** dims__ has joined #openstack-keystone04:57
*** chandankumar has joined #openstack-keystone04:59
*** spandhe_ has joined #openstack-keystone04:59
*** dims__ has quit IRC05:02
*** junhongl has joined #openstack-keystone05:20
openstackgerritA change was merged to openstack/python-keystoneclient: Add CRUD operations for Federated Protocols.  https://review.openstack.org/8382905:27
morganfainbergwell then05:28
morganfainbergi think i found an issue with our dependency injection05:28
morganfainbergi know i know, you're all shocked05:28
*** shausy has joined #openstack-keystone05:30
*** junhongl has quit IRC05:35
stevemarmarekd, yay ^^^^05:39
*** ukalifon has joined #openstack-keystone05:48
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Add a URL field to region table  https://review.openstack.org/10693505:49
*** harlowja is now known as harlowja_away05:49
*** dstanek is now known as dstanek_zzz06:00
*** dstanek_zzz is now known as dstanek06:01
stevemarmarekd, do you have an opinion on what library to use for samlizing the keystone token?06:03
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Move auth_token session code to middleware repo  https://review.openstack.org/10503106:03
stevemari think https://pypi.python.org/pypi/ndg-saml and https://pypi.python.org/pypi/pysaml2 are the top 206:03
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/10693906:05
morganfainbergstevemar, don't you hate it when you're too clever for your own good?06:06
stevemarmorganfainberg, it's not a good feeling06:06
morganfainbergjust ran across it.06:06
stevemarmorganfainberg, dependency injection got ya down?06:06
morganfainbergso... interesting fact, dependency injection doesn't work on class-instantiated objects06:07
morganfainbergin testing that is06:07
morganfainbergcause we clear out the dependencies on setup06:07
morganfainbergand object instantiated at the class level would never get the re-injection.06:08
morganfainbergstevemar, example: https://review.openstack.org/#/c/106917/1/keystone/models/token_model.py line 27406:08
morganfainbergthat object wont get injection in tests06:09
morganfainbergfault in our tests + our dependency injection06:09
stevemarmorganfainberg, better than fault in icehouse + dependency injection =\06:10
*** dstanek is now known as dstanek_zzz06:11
morganfainbergproblem is... i don't know how to fix it. it would work _fine_ in a real run of keystone06:11
morganfainbergbut the whole teardown and re-inject is the issue06:11
morganfainbergand i'm trying to avoid circular imports *facepalm*06:12
*** topol has quit IRC06:15
*** nkinder has quit IRC06:17
*** niteshselkari has joined #openstack-keystone06:26
*** niteshselkari has quit IRC06:26
*** niteshselkari has joined #openstack-keystone06:27
*** henrynash has joined #openstack-keystone06:30
niteshselkarihi all, when we create an user, data goes from horizon to python-keystoneclient, and from keystoneclient to keystone. I know the firrst part ,i.e, horizon to keystoneclient. but i m not getting the second part..06:31
jamielennoxniteshselkari: so what are you not following?06:32
jamielennoxmorganfainberg: i vote we kill off the dependency injection - it doesn't do anything anyway given we will load it all on first call, better to just load at startup06:32
openstackgerrithenry-nash proposed a change to openstack/keystone-specs: Extension to provide a REST API to read configuration options  https://review.openstack.org/10655806:33
morganfainbergjamielennox, we should invert the dependency injection06:33
jamielennoxmorganfainberg: they're just singleton's why not just boot them at __init__06:33
morganfainbergjamielennox, sill need a way to lookup the singletons06:33
jamielennoxglobal namespace06:33
morganfainbergjamielennox, so @dependency.requires should just give that object access to the magic global namespace06:34
morganfainbergpretty much, but i'd like to make it so the object registers that it is suppsoed to have access06:34
*** spandhe_ has quit IRC06:35
jamielennoxhave access?06:35
morganfainbergso we can be clear what is using what, and warn (error?) if something isn't supposed to be using say identity_api but uses it06:35
morganfainbergwe don't want drivers -> manager06:35
*** henrynash has quit IRC06:35
morganfainbergso, to help avoid that we should still use the @dependency decorator.06:36
jamielennoxthat seems like a coding standard thing rather than something that  needs to be protected06:36
niteshselkarijamielennox : I want to know, how data, which i entered while creating the user,  gets stored in user table of keystone database. How the data flow happens.06:36
morganfainbergjust not inject the dep,06:36
*** stevemar has quit IRC06:37
morganfainbergjamielennox, right but if we make it a simple decorator to provide access there is less likelyhood we "miss it"06:37
morganfainbergin a review06:37
jamielennoxniteshselkari: so there is a REST API  for keystone, keystoneclient marshals up the data and sends it to the appropriate server06:37
jamielennoxmorganfainberg: miss what? if a driver talks to a manager we're going to notice that, probably with circular imports06:38
morganfainbergjamielennox, i mean identity driver talking to assignment manager06:38
morganfainbergthat would be bad.06:39
morganfainbergfor various values of bad06:39
jamielennoxmorganfainberg: meh, seems like something we can easily be doing in review06:39
jamielennoxmorganfainberg: i'm not worried about fighting you on it - if you've got something that works then that's cool, but it doesn't seem 'necessary'06:40
niteshselkarijamielennox  : I know the flow from https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/admin/users/forms.py#L72  to https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/session.py#L6506:44
jamielennoxso that's as far as it goes, it sends it out to a http server06:45
niteshselkarijamielennox  : what will be the next step..till this point i haven't mentioned the table name anywhere...so how does it finds the appropriate table to store the data (here the table will be users table of keystone database.)06:46
jamielennoxniteshselkari: at that point we are still in the horizon process, keystone is a completely other server06:47
jamielennoxkeystone receives the request, parses the data, everything to do with table names happens on the keystone sid06:47
niteshselkarijamielennox : so how horizon links with keystone database...?06:48
jamielennoxit doesn't, it talks to the keystone REST API and keystone talks to the keystone database06:48
niteshselkarijamielennox : where does horizon talks with keystone  REST API...? I want to the location, where this happens..?06:51
*** oomichi has quit IRC06:51
jamielennoxthat's what keystoneclient does, it creates the packet and then sends it out06:51
jamielennoxthat's what requests.request does06:51
jamielennoxit's a HTTP library06:51
niteshselkarijamielennox : In requests.request(), I m providing url, method and arguments(parameters). How it connects with keystone server06:56
jamielennoxniteshselkari: it's a URL you are sending a HTTP request06:57
jamielennoxniteshselkari: do you know the basic structure of openstack, the different services communicating over http?06:58
*** dims__ has joined #openstack-keystone06:59
*** dstanek_zzz is now known as dstanek07:02
niteshselkarijamielennox : so from there on where does my control jumps(i.e in keystone)07:02
niteshselkarijamielennox : Not that much clear on that...07:03
jamielennoxdepends, what call are you making07:03
jamielennoxwhat's the url07:03
openstackgerritMorgan Fainberg proposed a change to openstack/keystone-specs: Change Keystone dependency injection to reference the registry directly  https://review.openstack.org/10695107:04
*** dims__ has quit IRC07:04
morganfainbergjamielennox, ^07:04
niteshselkarijamielennox : Now in my case, I am creating  an user. So where my control will go..?07:04
niteshselkarijamielennox : in keystone07:04
jamielennoxassuming v2 here: https://github.com/openstack/keystone/blob/master/keystone/identity/controllers.py#L6007:05
jamielennoxmore or less07:05
openstackgerritMorgan Fainberg proposed a change to openstack/keystone-specs: Change Keystone dependency injection to reference the registry directly  https://review.openstack.org/10695107:07
*** BAKfr has joined #openstack-keystone07:08
*** dstanek is now known as dstanek_zzz07:11
*** oomichi has joined #openstack-keystone07:16
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Add the new KeystoneTokenModel  https://review.openstack.org/10691707:17
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Add the new KeystoneTokenModel  https://review.openstack.org/10691707:19
*** henrynash has joined #openstack-keystone07:22
*** tkelsey_ has joined #openstack-keystone07:26
*** oomichi has quit IRC07:26
openstackgerritMorgan Fainberg proposed a change to openstack/keystone-specs: Change Keystone dependency injection to reference the registry directly  https://review.openstack.org/10695107:27
openstackgerritMorgan Fainberg proposed a change to openstack/keystone-specs: Change Keystone dependency injection to reference the registry directly  https://review.openstack.org/10695107:29
*** henrynash has quit IRC07:29
*** henrynash has joined #openstack-keystone07:30
niteshselkarijamielennox : In https://github.com/openstack/keystone/blob/master/keystone/identity/controllers.py#L82 , where does identity_api is defined07:31
jamielennoxniteshselkari: it's the identity manager, how that get's resolved is somewhat complicated07:34
*** tomoiaga has joined #openstack-keystone07:38
niteshselkarijamielennox  : from there, what wil be the next step..?07:46
*** amcrn has joined #openstack-keystone07:52
*** junhongl has joined #openstack-keystone07:59
*** dims__ has joined #openstack-keystone07:59
*** henrynash has quit IRC08:00
*** bvandenh has joined #openstack-keystone08:02
*** dstanek_zzz is now known as dstanek08:02
*** dims__ has quit IRC08:04
*** henrynash has joined #openstack-keystone08:04
*** dstanek is now known as dstanek_zzz08:13
*** xianghui has quit IRC08:13
*** xianghui has joined #openstack-keystone08:26
*** bvandenh has quit IRC08:33
niteshselkaritomoiaga  : hi,  In https://github.com/openstack/keystone/blob/master/keystone/identity/controllers.py#L82 , where does identity_api is defined08:39
tomoiaganiteshselkari: it will help you a lot if you look at how inheritance works in python. In this case, identity_api since it's not defined anywhere in that file, it means it belongs to the parent class (class User(controller.V2Controller)). The parent class is V2Controller from controller. controller is located in common.py in jeystone (in the file you mentioned you have: from keystone.common import controller)08:42
tomoiaga*common.py in keystone08:43
BAKfrniteshselkari, identity_api is added to the class with the decorator @dependency.requires() at https://github.com/openstack/keystone/blob/master/keystone/identity/controllers.py#L2908:43
tomoiaganiteshselkari: or what BAKfr said, however you still need to have a basic knowlegde on how decorators and inheritance works in python. Otherwise as you can see, you will have to ask a lot of questions08:45
*** ajayaa has joined #openstack-keystone08:45
*** bvandenh has joined #openstack-keystone08:46
tomoiaganiteshselkari: If I'm not mistaken, this is what you are looking for: https://github.com/openstack/keystone/blob/master/keystone/identity/core.py#L51208:54
*** oomichi has joined #openstack-keystone08:59
*** dstanek_zzz is now known as dstanek09:01
*** ajayaa has quit IRC09:02
*** dstanek is now known as dstanek_zzz09:11
*** ajayaa has joined #openstack-keystone09:18
*** dims__ has joined #openstack-keystone09:29
*** dims__ has quit IRC09:33
*** ChanServ has quit IRC09:55
*** oomichi has quit IRC09:55
*** amerine_ has quit IRC09:55
*** dstanek_zzz has quit IRC09:55
*** tomoiaga has quit IRC09:55
*** BAKfr has quit IRC09:55
*** shausy has quit IRC09:55
*** k4n0 has quit IRC09:55
*** mberlin has quit IRC09:55
*** dwaite has quit IRC09:55
*** tellesnobrega has quit IRC09:55
*** hyakuhei has quit IRC09:55
*** csd has quit IRC09:55
*** anteaya has quit IRC09:55
*** morganfainberg has quit IRC09:56
*** niteshselkari has quit IRC09:56
*** tkelsey_ has quit IRC09:56
*** openstackgerrit has quit IRC09:56
*** Dafna has quit IRC09:56
*** uvirtbot has quit IRC09:56
*** bvandenh has quit IRC09:56
*** dvorak has quit IRC09:56
*** jdennis has quit IRC09:56
*** mfisch has quit IRC09:56
*** gmurphy has quit IRC09:56
*** akscram has quit IRC09:56
*** gpocentek has quit IRC09:56
*** Mikalv has quit IRC09:56
*** ekarlso has quit IRC09:56
*** shufflebot has quit IRC09:56
*** raildo has quit IRC09:56
*** boris-42 has quit IRC09:56
*** amcrn has quit IRC09:56
*** ayoung has quit IRC09:56
*** designated has quit IRC09:56
*** YorikSar has quit IRC09:56
*** mat-lowery has quit IRC09:56
*** zigo has quit IRC09:56
*** therve has quit IRC09:56
*** redrobot has quit IRC09:56
*** arunkant has quit IRC09:56
*** Ephur has quit IRC09:56
*** mgagne has quit IRC09:56
*** radez_g0n3 has quit IRC09:56
*** comstud has quit IRC09:56
*** mhu has quit IRC09:56
*** dolphm has quit IRC09:56
*** toddnni has quit IRC09:56
*** henrynash has quit IRC09:56
*** bknudson has quit IRC09:56
*** tristanC has quit IRC09:56
*** sudorandom has quit IRC09:56
*** baffle has quit IRC09:56
*** jamielennox has quit IRC09:56
*** jraim has quit IRC09:56
*** jimbaker has quit IRC09:56
*** ciypro|afk has quit IRC09:56
*** huats has quit IRC09:56
*** xianghui has quit IRC09:56
*** junhongl has quit IRC09:56
*** rwsu has quit IRC09:56
*** zhiyan has quit IRC09:56
*** rodrigods has quit IRC09:56
*** dtroyer has quit IRC09:56
*** serverascode has quit IRC09:56
*** Daviey has quit IRC09:56
*** vishy has quit IRC09:56
*** d34dh0r53 has quit IRC09:56
*** esmute has quit IRC09:56
*** tziOm has quit IRC09:56
*** d0ugal has quit IRC09:56
*** jkappert has quit IRC09:56
*** dhellmann has quit IRC09:56
*** med_ has quit IRC09:56
*** ajayaa has quit IRC09:56
*** ukalifon has quit IRC09:56
*** chandankumar has quit IRC09:56
*** miqui has quit IRC09:56
*** afaranha has quit IRC09:56
*** Chicago has quit IRC09:56
*** chmouel has quit IRC09:56
*** ByteSore has quit IRC09:56
*** harlowja_away has quit IRC09:56
*** dhellmann has joined #openstack-keystone10:03
*** jkappert has joined #openstack-keystone10:03
*** d0ugal has joined #openstack-keystone10:03
*** esmute has joined #openstack-keystone10:03
*** tziOm has joined #openstack-keystone10:03
*** vishy has joined #openstack-keystone10:03
*** Daviey has joined #openstack-keystone10:03
*** d34dh0r53 has joined #openstack-keystone10:03
*** serverascode has joined #openstack-keystone10:03
*** dtroyer has joined #openstack-keystone10:03
*** rodrigods has joined #openstack-keystone10:03
*** med_ has joined #openstack-keystone10:03
*** zhiyan has joined #openstack-keystone10:03
*** rwsu has joined #openstack-keystone10:03
*** junhongl has joined #openstack-keystone10:03
*** xianghui has joined #openstack-keystone10:03
*** huats has joined #openstack-keystone10:03
*** amcrn has joined #openstack-keystone10:03
*** oomichi has joined #openstack-keystone10:03
*** bvandenh has joined #openstack-keystone10:03
*** henrynash has joined #openstack-keystone10:03
*** tomoiaga has joined #openstack-keystone10:03
*** tkelsey_ has joined #openstack-keystone10:03
*** BAKfr has joined #openstack-keystone10:03
*** niteshselkari has joined #openstack-keystone10:03
*** shausy has joined #openstack-keystone10:03
*** k4n0 has joined #openstack-keystone10:03
*** amerine_ has joined #openstack-keystone10:03
*** ChanServ has joined #openstack-keystone10:03
*** dstanek has joined #openstack-keystone10:03
*** anteaya has joined #openstack-keystone10:03
*** csd has joined #openstack-keystone10:03
*** jamielennox has joined #openstack-keystone10:03
*** jraim has joined #openstack-keystone10:03
*** jimbaker has joined #openstack-keystone10:03
*** ciypro|afk has joined #openstack-keystone10:03
*** mhu has joined #openstack-keystone10:03
*** dolphm has joined #openstack-keystone10:03
*** toddnni has joined #openstack-keystone10:03
*** therve has joined #openstack-keystone10:03
*** redrobot has joined #openstack-keystone10:03
*** arunkant has joined #openstack-keystone10:03
*** Ephur has joined #openstack-keystone10:03
*** mgagne has joined #openstack-keystone10:03
*** radez_g0n3 has joined #openstack-keystone10:03
*** dickson.freenode.net sets mode: +oo ChanServ dolphm10:03
*** comstud has joined #openstack-keystone10:03
*** shufflebot has joined #openstack-keystone10:03
*** raildo has joined #openstack-keystone10:03
*** akscram has joined #openstack-keystone10:03
*** gpocentek has joined #openstack-keystone10:03
*** Mikalv has joined #openstack-keystone10:03
*** uvirtbot has joined #openstack-keystone10:03
*** zigo has joined #openstack-keystone10:03
*** gmurphy has joined #openstack-keystone10:03
*** mfisch has joined #openstack-keystone10:03
*** ekarlso has joined #openstack-keystone10:03
*** baffle has joined #openstack-keystone10:03
*** boris-42 has joined #openstack-keystone10:03
*** morganfainberg has joined #openstack-keystone10:03
*** sudorandom has joined #openstack-keystone10:03
*** tellesnobrega has joined #openstack-keystone10:03
*** mat-lowery has joined #openstack-keystone10:03
*** designated has joined #openstack-keystone10:03
*** Dafna has joined #openstack-keystone10:03
*** tristanC has joined #openstack-keystone10:03
*** YorikSar has joined #openstack-keystone10:03
*** jdennis has joined #openstack-keystone10:03
*** hyakuhei has joined #openstack-keystone10:03
*** dwaite has joined #openstack-keystone10:03
*** ayoung has joined #openstack-keystone10:03
*** bknudson has joined #openstack-keystone10:03
*** mberlin has joined #openstack-keystone10:03
*** dvorak has joined #openstack-keystone10:03
*** openstackgerrit has joined #openstack-keystone10:03
*** dickson.freenode.net sets mode: +o morganfainberg10:03
*** Chicago has joined #openstack-keystone10:03
*** chmouel has joined #openstack-keystone10:03
*** ByteSore has joined #openstack-keystone10:03
*** harlowja_away has joined #openstack-keystone10:04
*** oomichi has quit IRC10:04
*** ajayaa has joined #openstack-keystone10:08
*** ukalifon has joined #openstack-keystone10:08
*** chandankumar has joined #openstack-keystone10:08
*** miqui has joined #openstack-keystone10:08
*** afaranha has joined #openstack-keystone10:08
*** ajayaa has quit IRC10:09
*** andreaf has joined #openstack-keystone10:12
*** dstanek is now known as dstanek_zzz10:12
*** ajayaa has joined #openstack-keystone10:12
*** afazekas has joined #openstack-keystone10:19
*** dims__ has joined #openstack-keystone10:29
*** dims__ has quit IRC10:34
*** afazekas has quit IRC10:38
*** andreaf has quit IRC10:39
openstackgerritA change was merged to openstack/python-keystoneclient: Ensure no double slash in get token URL  https://review.openstack.org/10491110:56
*** niteshselkari has quit IRC10:57
*** dstanek_zzz is now known as dstanek11:03
*** i159 has joined #openstack-keystone11:10
*** dstanek is now known as dstanek_zzz11:12
*** dims__ has joined #openstack-keystone11:14
*** k4n0 has quit IRC11:15
*** openstackgerrit has quit IRC11:21
*** tellesnobrega has left #openstack-keystone11:21
*** tellesnobrega has joined #openstack-keystone11:22
*** afazekas has joined #openstack-keystone11:24
*** afazekas has quit IRC11:37
*** diegows has joined #openstack-keystone11:41
*** bvandenh has quit IRC11:44
*** andreaf has joined #openstack-keystone11:48
*** andreaf has quit IRC11:53
*** andreaf has joined #openstack-keystone11:54
*** bvandenh has joined #openstack-keystone11:59
*** dstanek_zzz is now known as dstanek12:04
*** dstanek is now known as dstanek_zzz12:13
*** openstackgerrit has joined #openstack-keystone12:17
*** ajayaa has quit IRC12:19
*** afazekas has joined #openstack-keystone12:30
*** ajayaa has joined #openstack-keystone12:31
tkelsey_hey all, does anyone know about openstack-client in here?12:36
tkelsey_im asking here because im getting an authentication related message from it, probably because I have no idea how to use it properly yet :-)12:37
*** afazekas has quit IRC12:41
*** dims__ has quit IRC12:44
*** dims__ has joined #openstack-keystone12:45
*** ajayaa has quit IRC12:49
*** ayoung has quit IRC12:52
openstackgerritRaildo Mascena de Sousa Filho proposed a change to openstack/keystone-specs: Hierarchical Multitenacy  https://review.openstack.org/10101712:53
*** ajayaa has joined #openstack-keystone12:54
*** bvandenh has quit IRC12:56
*** dstanek_zzz is now known as dstanek12:58
*** alex_xu has joined #openstack-keystone12:59
*** afazekas has joined #openstack-keystone13:01
*** afazekas has quit IRC13:05
*** andreaf has quit IRC13:11
*** dstanek is now known as dstanek_zzz13:14
*** dims__ has quit IRC13:16
*** dims__ has joined #openstack-keystone13:22
*** vhoward has joined #openstack-keystone13:23
*** dstanek_zzz is now known as dstanek13:24
*** bknudson has quit IRC13:27
*** radez_g0n3 is now known as radez13:28
*** openstackgerrit has quit IRC13:31
*** 17SAAF480 has joined #openstack-keystone13:32
*** joesavak has joined #openstack-keystone13:33
*** lbragstad has joined #openstack-keystone13:33
*** ajayaa has quit IRC13:34
*** 17SAAF480 has quit IRC13:38
*** openstackgerrit has joined #openstack-keystone13:39
*** bknudson has joined #openstack-keystone13:46
*** lbragstad has quit IRC13:47
*** lbragstad has joined #openstack-keystone13:50
*** jsavak has joined #openstack-keystone13:51
dstanekmarekd: hi13:54
*** joesavak has quit IRC13:55
*** topol has joined #openstack-keystone13:56
*** ajayaa has joined #openstack-keystone13:57
*** afazekas has joined #openstack-keystone14:01
*** ayoung has joined #openstack-keystone14:05
*** jimbaker has quit IRC14:05
marekddstanek: hey14:08
dstanekmarekd: looking at that ECP review again now14:08
*** lbragstad has quit IRC14:08
*** lbragstad has joined #openstack-keystone14:11
*** dims__ has quit IRC14:19
*** afazekas has quit IRC14:21
alex_xuayoung, hi14:24
*** david-lyle has joined #openstack-keystone14:30
*** daneyon has joined #openstack-keystone14:38
*** jsavak has quit IRC14:38
*** daneyon has quit IRC14:38
*** daneyon has joined #openstack-keystone14:38
*** stevemar has joined #openstack-keystone14:40
i159bknudson: Hi! I have a question. The https://review.openstack.org/#/c/80630/ patch fell after I had changed an oslo.db version in the requirements file. Why does it fell?14:41
*** richm has joined #openstack-keystone14:41
bknudsoni159: "Incompatible requirement found"14:42
bknudson"Requirement oslo.db>=0.3.0 does not match openstack/requirements value oslo.db>=0.2.0"14:42
bknudsoni159: the change to requirements.txt needs to be made to the openstack/requirements project first14:43
marekddstanek: btw, do you have any opinions on asyncio module in Py3?14:46
dstanekmarekd: in general or with regards to keystone?14:46
marekddstanek: in general.14:47
dstaneki think it's nice to finally have something like it in the stdlib14:47
*** bklei has joined #openstack-keystone14:47
dstaneki have only toyed with it, but it feels pretty nice14:47
*** thedodd has joined #openstack-keystone14:47
dstanekstevemar: do you want to take a look at https://review.openstack.org/#/c/92166/ before i +A it?14:48
openstackgerritDolph Mathews proposed a change to openstack/keystone: implement GET /v3/catalog  https://review.openstack.org/10689314:49
stevemardstanek, i'm completely cool with it going in, if there are changes in my IdP, i'll supply a patch14:49
dstanekstevemar: sounds good to me14:50
openstackgerritDolph Mathews proposed a change to openstack/keystone: implement GET /v3/catalog  https://review.openstack.org/10689314:50
marekddstanek: thanks!14:51
ayoungstevemar, BTW  be aware of https://git.fedorahosted.org/git/ipsilon.git as a better way of doing Federation14:52
*** dims__ has joined #openstack-keystone14:53
i159bknudson: Oh... Thanks you!14:54
*** ajayaa has quit IRC14:55
marekdayoung: regarding ipsilon i  have a guy who checks various IdP with our keystone14:56
marekdipsilon is also on a list.14:56
marekdayoung: so i will handle this and in case some problems get back either to you or Simo14:56
ayoungmarekd, sounds good.14:57
*** ukalifon has quit IRC14:58
ayoungmarekd, give a shout if you need help getting it set up.  I know simo went through it recently with one of our QA members14:58
marekdayoung: sure14:59
marekdayoung: thanks.14:59
*** dims__ has quit IRC15:04
*** jsavak has joined #openstack-keystone15:06
*** ajayaa has joined #openstack-keystone15:07
*** chandankumar has quit IRC15:14
*** ajayaa has quit IRC15:20
*** openstackgerrit has quit IRC15:21
dstaneksomeone is having a bad day - https://review.openstack.org/#/c/9676315:23
morganfainbergdstanek, wow yeah.15:25
bknudsonI don't see the point of accepting anything other than security fixes to the keystone CLI15:30
morganfainbergbknudson, maybe a quick topic for today's meeting?15:31
dstanek++ that would be good to talk about15:32
*** doddstack has joined #openstack-keystone15:32
*** thedodd has quit IRC15:32
dolphmour agenda is really full btw :(15:33
morganfainbergwe could discuss it now!15:33
morganfainbergor hit the ML w/ it15:33
tomoiagacourious about the reasons behind not accepting anything other then security fixes. Is there a new client (e.g. like openstack client) or something else going on ?15:33
morganfainbergif openstackclient can do the work, i don't see a benefit to ksc getting the update cli wise.15:34
morganfainbergtomoiaga, yeah, openstackclient should replace the CLI for all the python-*client libraries15:34
morganfainbergnow, if openstackclient doesn't fit the bill (yet) we should ask why it doesnt and if it will soon enough to avoid needing to change the cli in keystoneclient15:35
tomoiagamorganfainberg: as far as I see, openstackclient uses keystone v2 client right now15:35
morganfainbergtomoiaga, it uses the library parts, which is different than the shell parts iirc (*** I might be wrong here, but that was my understanding)15:35
tomoiagapersonally I wanted to use openstackclient but I dropped it since there is no reason to use a wrapper for keystoneclient15:35
tomoiagamorganfainberg: ah, sorry, this was related to the shell part. Indeed, the shell part is implemented in openstackclient15:37
morganfainbergtomoiaga, no worries at all :)15:37
*** bobt has joined #openstack-keystone15:37
morganfainbergbknudson, for DI, would you prefer to just reference the single-ton-like thing? or would you rather everything just have it's own instantiation of the controller object? (wasn't clear on your comment)15:38
dolphmtomoiaga: openstack --identity-api-version=315:38
morganfainbergbknudson, erm DI removal15:38
bknudsonmorganfainberg: for DI, pass in the object that the other object needs15:39
morganfainbergbknudson, hm. oh to the constructor?15:39
bknudsonwe don't need to have more than one instance, just pass it around15:39
morganfainbergright. ok15:39
dolphmtomoiaga: the reason for using openstackclient is to present a unified interface to end users, rather than a bunch of disparate projects with inconsistent UX15:39
bknudsony, pass in the object to the constructor15:39
dolphmbasically the same argument has been made for openstacksdk as well15:40
morganfainberga little different than my proposal, because we have the whole "when does this get instantiated" concept.15:40
tomoiagadolphm: yes, if this is related to the shell part it makes sense. For some reason I thought this was related to keystoneclient as a whole, my mistake15:40
bknudsonmorganfainberg: I didn't read the proposal. stopped where it said to.15:40
dolphmtomoiaga: if keystoneclient's python api doesn't support updating a user's default project then we should DEFINITELY fix that - but i don't think that's the case15:41
marekdmorganfainberg: btw, did you see websso PoC ?15:41
morganfainbergbknudson, my proposal was just make the @dependency decorator apply an @property that looked at the global registry15:41
dolphmc.users.update(user, default_project_id=new_project) # i think, for a v3 client15:41
bknudsonmorganfainberg: since I think globals are an abomination I would prefer to get rid of it.15:41
morganfainbergbknudson, the concern would be cases where objects are instantiated on a class level, e.g. descriptors15:42
tomoiagadolphm: looking at the patch, it's not the case. Only the shell part had the missing argument to update a default user tenant, the library is ok15:42
morganfainbergbknudson, you don't re-build those ever, so in the case of tests, they may get stale managers.15:42
dolphmtomoiaga: cool15:42
*** i159 has quit IRC15:43
morganfainbergmarekd, haven't looked in depth at it.15:43
morganfainbergmarekd, but i saw work on it. :)15:43
bknudsonmorganfainberg: get rid of globals and there's no stale anything.15:43
dstanektomoiaga: dolphm: right the lib is fine - the cli was missing a way to pass the info15:43
*** bobt has left #openstack-keystone15:43
morganfainbergbknudson, so if a descriptor needs idenity_api, how does that work?15:44
morganfainbergbknudson, the descriptor is instantiated at import time, not at runtime15:44
marekdmorganfainberg: that's not the point. If we go this way I should *soon* propose a bp (if that's not too late) to fit into J.15:44
*** shausy has quit IRC15:44
*** tomoiaga has quit IRC15:44
dolphmmorganfainberg: dstanek: tomoiaga: abandoned the patch & won't fixed the bug15:44
bknudsonmorganfainberg: a file descriptor? what does that mean?15:44
morganfainbergbknudson, a python descriptor15:44
*** andreaf has joined #openstack-keystone15:44
bknudsonnever heard of it. seems unnecessary15:44
marekdapparently the other websso bp is not progressing very much and I don't push for that as I don't like that idea 100%15:45
morganfainbergthey are used in cases of validation, etc.15:45
dolphmanyone want to review my super awesome GET /v3/catalog spec so i can land an impl this week? :D https://review.openstack.org/#/c/106854/15:45
morganfainbergthey implement __get__ and __set__ magic methods, it allows you to act on the bind action to the variable for instantiations of the class15:45
dstanekmorganfainberg: do you have an example of that?15:45
morganfainbergdstanek, i do!15:45
dstaneki'm not a fan of globals either and i hate singletons15:46
bknudsonI knew dstanek would agree.15:46
morganfainbergdstanek, bknudson, https://review.openstack.org/#/c/106917/3/keystone/models/token_model.py look at line 253, and the related class on 19115:46
dstanekmorganfainberg: with descriptors i haven't seen a dep like that15:46
bknudsoneven the design patterns folks think singletons was a mistake15:46
morganfainbergdstanek, bknudson, when you assign to <instantiation of KeystoneTokenModel>.project = project_id, the reference to .project is loaded from the assignment_api15:47
morganfainbergand made available from <instantiation>.project, it was an attempt to limit the token.project = assignment_api.get_project(project_id) or assignment_api.get_project() done in a number of places when building the token15:48
morganfainbergi'm happy to scrap that concept.15:48
morganfainbergif it's hard to read/too complex.15:48
dstanekmorganfainberg: so you have 'model.project = "some_id"' and then when you get model.project it's the actual project ref?15:49
morganfainbergdstanek, yep.15:49
*** andreaf has quit IRC15:50
morganfainbergdstanek, mostly it was a concept i was running with to help make a serialization for token_persistence (we can't get rid of it for a while) lighter weight15:50
*** andreaf has joined #openstack-keystone15:50
morganfainbergright now we serialize everything to a json blob and shove it into the DB, and duplicate a lot of data.15:50
morganfainberg(same with memcached)15:50
morganfainbergdstanek, it's a little magical, but we seem to do a lot of "shove data into a dict and pass that around".15:53
dstanekmorganfainberg: i have to think about that for a little bit...feels weird to be asymmetrical like that15:53
dstanekmorganfainberg: you could always have the descriptor get the instance or *_api from the instance itself15:54
morganfainbergdstanek, hm. yeah we do have instance don't we? good point15:55
morganfainbergdstanek, meh, descriptors are overkill. i'll refactor them out of the next patch.15:56
*** bklei has quit IRC15:56
morganfainbergdstanek, i don't particularly like the design pattern we're using in the v3token data helper, which was what i was trying to avoid. I think i can get around it another way15:57
morganfainberg.build_token() calling ._populateXXX, then .populateXXX, then ...15:58
*** vhoward has left #openstack-keystone15:58
marekddstanek: since you approved SAML unscoped token do you think you can also take a look at: https://review.openstack.org/#/c/99704/ (way easier to review IMHO)15:59
marekdayoung: same for you ^^ since you know what's going on16:00
dstanekmarekd: sure, i'm almost done with the one i'm working on16:01
marekddstanek: thanks, appreciated16:01
*** lbragstad has quit IRC16:02
*** iartarisi has joined #openstack-keystone16:04
*** lbragstad has joined #openstack-keystone16:06
*** afazekas has joined #openstack-keystone16:09
*** BAKfr has quit IRC16:09
*** chandankumar has joined #openstack-keystone16:09
*** richm has quit IRC16:11
*** richm has joined #openstack-keystone16:15
*** richm has quit IRC16:15
*** stevemar has quit IRC16:16
*** bvandenh has joined #openstack-keystone16:16
*** stevemar has joined #openstack-keystone16:16
*** lbragstad has quit IRC16:19
*** dims__ has joined #openstack-keystone16:21
stevemardolphm, you good with current k2k spec?16:23
stevemaror want me to push a new one16:23
*** arosen has joined #openstack-keystone16:24
arosenHi, I was wondering if anyone has run into this error http://codepad.org/WCQMGwnq ?16:25
stevemararosen, update your keystoneclient?16:28
arosenstevemar:  i still get this if i rm /opt/stack -fr16:28
arosenstevemar:  it looks like  keystone is using apache now as it's webserver?16:29
arosenin devstack16:30
morganfainbergarosen, yes.16:30
stevemararosen, yes, in devstack we run apache now16:30
stevemarinstead of eventlet16:30
stevemarmorganfainberg, i was anticipating some of these config problems with apache :(16:30
arosenbrb coffee time16:31
morganfainbergarosen, i've... never seen that before16:32
morganfainbergis keystoneclient not installed?16:32
arosenmorganfainberg: it is16:34
arosen>>> import keystoneclient16:34
*** jsavak has quit IRC16:34
morganfainbergarosen, yeah i've never seen anything like that before16:36
morganfainbergit's like you have a partial or mismatched keystoneclient install16:36
morganfainbergarosen, when you do import keystoneclient like that16:37
morganfainbergwhat does keystoneclient.__file__ say?16:37
arosenmorganfainberg:  i restarted apache and now it's able to start.16:37
arosenmorganfainberg: but i'm getting this weird error : http://codepad.org/agiGvUjU16:37
*** nkinder has joined #openstack-keystone16:38
arosenIn [4]: keystoneclient.__file__16:38
arosenOut[4]: '/opt/stack/python-keystoneclient/keystoneclient/__init__.pyc'16:38
morganfainbergarosen, it honestly sounds like you have mismatched requirements16:38
morganfainbergarosen, keyring had that issue in one of the versions...16:39
morganfainberg3. uh.. 3.3?16:39
*** richm has joined #openstack-keystone16:39
*** jaosorior has joined #openstack-keystone16:39
*** richm has quit IRC16:40
morganfainbergarosen, what version of keyring do you have installed?16:42
*** richm has joined #openstack-keystone16:42
morganfainbergarosen, it should be keyring>=2.1,!=3.316:43
morganfainbergso, greater than 2.1 but not 3.316:43
arosenmorganfainberg: I just rm /usr/lib/python2.7/dist-packages  /usr/local/lib/python2.7/dist-packages and i'm letting devstack pull all the packages down again.16:43
arosenwe'll see if that does the trick16:43
morganfainbergarosen, ok16:43
arosenmorganfainberg:  thanks for your help16:43
morganfainbergarosen, sure thing16:43
arosenmorganfainberg:  just curious what the reason for switching to apache? I'm guessing apache is faster?16:43
morganfainbergarosen, it's been our preferred method of deployment for a while.16:44
morganfainbergarosen, it provides concurrency (multiple workers) and allows us to use modules like mod_shib for federation16:44
*** iartarisi has quit IRC16:44
morganfainbergarosen, also, eventlet is a royal PITA16:45
arosenmorganfainberg:  the only reason I asked is I just recently stole the eventlet webserver from  keystone for a new openstack project i'm trying  to boot strap https://review.openstack.org/#/c/105882/16:45
morganfainberga lot of edgecases / weird issues / pain to debug16:45
morganfainbergand it didn't buy us a lot since a lot of our blocking was/is mysqldb which is _not_ eventlet aware/friendly16:45
arosenmorganfainberg:  makes sense. I'll have to check out what's needed to run with apache for neutron and congress then :)16:45
morganfainbergsimilar for ldap16:46
morganfainbergneutron, a lot more work since it was based on nova iirc16:46
morganfainbergin ancient times16:46
arosenmorganfainberg:  we have that similar problem in neutorn16:46
morganfainbergcongress i haven't got an answer since i've never looked at it beyond "I'm concerned with a service that needs to be asked for each policy decision"16:46
*** marcoemorais has joined #openstack-keystone16:47
morganfainbergi haven't heard enough about how congress will work and not be a bottleneck (that we as keystone are trying to dig ourselves out of) that requires each action to say "am I allowed to do this". But to be fair, that was mostly the original proposal and i haven't heard much since16:48
boris-42morganfainberg bknudson hi guys16:48
morganfainbergboris-42, hello there16:48
boris-42morganfainberg bknudson I just finished new virtualization tool16:48
boris-42for profiler16:49
* morganfainberg is going to run off for coffee before meeting time16:49
arosenmorganfainberg: yea we're still trying to figure it out :), our first version we're gearing to just enforce policy retroactively16:49
morganfainbergarosen, uh.. how does that work?16:50
arosenmorganfainberg:  i think we need to have a middleware component similar to keystone when we want to do proactive.16:50
morganfainbergarosen, ELI5 :), i don't know how you'd say "so uh I already did this action, now undo it"16:50
morganfainbergor am i misunderstanding retroactively? ;)16:50
arosenmorganfainberg:  just now it will just report back monitoring data that a policy is in violation16:51
morganfainbergi could see it as being more of an audit processor?16:51
arosenmorganfainberg:  yup, also a useful thing for querying.16:51
arosenRight now if you want to write something that tells you if a specific disk-image is running on a vm that is uplinked to a network that's uplinked to a router connected to the internet it's very hard to do because you have to query all these components for different things.16:52
arosenmorganfainberg:  btw i'm up and running now with keystone+apache16:53
morganfainbergarosen, cool.16:53
arosenmorganfainberg:  btw I just got keystone integration added to congress here: https://review.openstack.org/#/c/106911/16:53
morganfainbergarosen, ther eis a bug still in devstack, i need to fix how apache is restarted (known issue where apache is slow to stop so a start fails)16:54
morganfainbergarosen, are you using keystone as a data source? or as you're using auth_token middleware?16:55
arosenauth for now.16:55
* morganfainberg doesn't see the addition of the middleware for auth_token but i could also be sans caffination :P16:55
arosenmorganfainberg:  i guess in v3 there are some data-source stuff?16:55
morganfainbergarosen, so you're looking to use the keystone token as authorization to act on congress APIs?16:56
arosenmorganfainberg:  https://review.openstack.org/#/c/106911/1/etc/api-paste.ini  line 25?16:56
arosenmorganfainberg:  right now yes.16:56
morganfainbergah switch to keystonemiddleware16:56
morganfainbergdon't use keystoneclient :)16:56
arosenmorganfainberg:  When i started on this last week i don't think keystonemiddleware was out?16:56
aroseni will switch to that though.16:57
morganfainbergarosen, it was merged last week into global requirements16:57
arosenmorganfainberg: okay i'll check it out16:57
morganfainbergalso make sure you add it to your requirements.txt16:57
*** amerine_ is now known as amerine16:57
dstanekhrm...my Python2.6 tests seem to be having all sorts of issues16:57
arosenmorganfainberg:  will do. Would be awesome if i could get a review from you guys on it later in the week :) still a wip'ish16:57
morganfainbergarosen, https://review.openstack.org/#/c/102355/ for example converting cinder over to it16:58
arosenworking on adding python-congressclient support and keystone+congress at the sametime just to test it all16:58
morganfainbergdstanek, there is an issue iwth wheels and versions of virtualenv gate was stumbling on stuff16:58
morganfainbergdstanek, not sure what the fix was, but finding issues getting packages installed?16:59
dstanekmorganfainberg: that makes sense - i just check and it's much more than mine that failing16:59
morganfainbergfrom pip16:59
morganfainbergdstanek, so ... if i want to avoid the pattern of ._populate_XXXX() ._populate_XXXX() from the token data stuff... how should i approach it?17:01
*** jimbaker` has joined #openstack-keystone17:01
morganfainbergdstanek, i guess TokenModel.set_project(project_id) ?17:01
morganfainbergsomething where we just set the values we want so it's way way easier to understand what is going on.17:02
dstanekmorganfainberg: looking at the original code now17:02
*** jimbaker` is now known as jimbaker17:02
morganfainbergits the whole "make a dict, pass it to the data helper, then build the token_data, then "create the token"17:03
dstanekmorganfainberg: what's the likecycle of the object? it appears that is can be created once and get_token_data() can be called many times with different args17:05
morganfainbergdstanek, that is how it works now. the issue is we interact with the token after it's built and setup to be sent out from keystone17:06
morganfainbergthere is a bunch of "if this is a token that looks like X do Y"17:06
morganfainbergI was hoping to make the token we interact with a model we can setup and interact with the same way internally across the board17:06
morganfainberguser is always at "token.user"17:07
morganfainbergproject is always at token.project17:07
*** amcrn has quit IRC17:07
morganfainbergnot token['token_data']['project'] or [access][token_data][project] (not even thinking about trusts OS-TRUST, vs [trust]17:07
morganfainbergthe json-ish format should be only for emitting on an interface that needs it.17:08
*** harlowja_away is now known as harlowja17:08
*** doddstack has quit IRC17:08
* morganfainberg can scrap this part of the plan as well, but it's a lot of work to consolidate token storage w/o a unified "format".17:09
dstanekmorganfainberg: that would definitely be cleaner17:09
*** lbragstad has joined #openstack-keystone17:10
*** thedodd has joined #openstack-keystone17:10
dstanekmorganfainberg: if you can separate it out it would make it easier to provider versioned tokens17:10
*** lbragstad has quit IRC17:10
morganfainbergdstanek, that is the thought17:10
*** lbragstad has joined #openstack-keystone17:11
*** joesavak has joined #openstack-keystone17:12
*** lbragstad has quit IRC17:13
*** lbragstad has joined #openstack-keystone17:14
*** gokrokve has joined #openstack-keystone17:19
*** richm has quit IRC17:21
dstanekbknudson: jamielennox: on line 86 - https://review.openstack.org/#/c/101792/5/keystoneclient/auth/identity/v2.py - i think it's better to just remove the entire passwordCredentials subtree. thoughts?17:24
bknudsondstanek: what's wrong with the username?17:31
*** tkelsey_ has quit IRC17:32
dolphmtopol: morganfainberg: rax stock is down 1.7% today. your move.17:32
bknudsondstanek: are you working on updates to https://review.openstack.org/#/c/101792 ?17:32
morganfainbergdolphm, hehe17:33
dstanekbknudson: i was going to do a quick push to address your comments17:33
bknudsondstanek: I had posted an update to another review that passed in a function for the response...17:33
bknudsonand I think jamielennox was ok with that approach.17:33
bknudsonwe have several proposals to fix the problem.17:34
bknudsondstanek: https://review.openstack.org/#/c/106890/17:34
bknudsonactually it was the request, not the response.17:36
bknudsonbut it would have to handle the response also17:36
bknudsonand also handle headers17:36
bknudsonand also handle v3 auth request17:36
bknudsonbut I'm fine with anything as long as it fixes the problem.17:36
dolphmbknudson: dstanek: can one of your review https://review.openstack.org/#/c/106496/17:37
dstanekclasse sounds french17:38
dstaneksomeone's ready to go to paris17:38
*** richm has joined #openstack-keystone17:40
*** amcrn has joined #openstack-keystone17:40
*** richm has quit IRC17:44
*** richm has joined #openstack-keystone17:46
dstanekbknudson: are you going to add the other things that need to be obfuscated?17:47
bknudsondstanek: I should have time to work on it later and I'll look into adding those things.17:48
bknudsonso I'd either work on https://review.openstack.org/#/c/106890/ or https://review.openstack.org/#/c/101792 whichever seems further along.17:48
bknudsonI don't mind working on something and then abandoning it17:49
dstaneki've addressed your comments (except for the test) on https://review.openstack.org/#/c/10179217:51
dstaneki'll push it up for you to take a look17:51
morganfainbergdstanek, HAH i didn't even see that typo17:56
*** marcoemorais has quit IRC18:01
*** marcoemorais has joined #openstack-keystone18:02
*** daneyon has quit IRC18:03
*** marcoemorais has quit IRC18:04
*** marcoemorais has joined #openstack-keystone18:04
arunkantayoung or ?: I am trying to add ldap live test for pool changes. Some of ldap live tests add domain_id attribute in user data in LDAP (openLdap), do I need to add custom schema and/or attribute in my local ldap instance to run existing ldap tests locally? Is there any doc related to live test setup18:06
ayoungarunkant, you should be able to use the existing LDAP schema defitnionws for lilvetest.  All you are doing is pooling.  Devstack sets up openLDAP with RFC based schemes.18:08
arunkantI am running existing livetest in master branch with local openldap and its failing..so it appears missing some needed setup18:08
arunkantThere are 8 tests which are failing couple of them associated with domain_id attribute passed to user which maps to inetOrgPerson class and that does not have domain_id attribute18:10
arunkantayoung: Where ldap live test run with enabled flag? In normal built, I am guessing that the needed environment variable is not set so live test does not run every time.18:14
ayoungarunkant, no, they must be run by hand18:14
ayoungarunkant, wanted CI around them for a long time, but its been provibitive18:14
*** vhoward has joined #openstack-keystone18:15
arunkantoh..okay. So its quite possible that some of these tests may have existing failures in master as well. Is there a way to check as I see failures locally with master branch18:16
*** marcoemorais has quit IRC18:19
*** marcoemorais has joined #openstack-keystone18:20
*** marcoemorais has quit IRC18:21
-openstackstatus- NOTICE: python2.6 jobs are failing due to bug 1342262 "virtualenv>=1.9.1 not found" A fix is out but there are still nodes built on the old stale images18:22
*** ChanServ changes topic to "python2.6 jobs are failing due to bug 1342262 "virtualenv>=1.9.1 not found" A fix is out but there are still nodes built on the old stale images"18:22
ayoungarunkant, keystone meeting now...18:22
*** marcoemorais has joined #openstack-keystone18:22
*** marcoemorais has quit IRC18:22
*** marcoemorais has joined #openstack-keystone18:22
*** david-lyle has quit IRC18:34
*** marcoemorais has quit IRC18:35
bknudsondolphm: https://bugs.launchpad.net/nova/+bug/1342274 opened for auth_token middleware move to keystonemiddleware18:35
uvirtbotLaunchpad bug 1342274 in nova "auth_token middleware in keystoneclient is deprecated" [Undecided,New]18:35
*** marcoemorais has joined #openstack-keystone18:35
*** marcoemorais has quit IRC18:36
*** marcoemorais has joined #openstack-keystone18:36
*** marcoemorais has quit IRC18:36
*** marcoemorais has joined #openstack-keystone18:36
*** chandankumar has quit IRC18:38
*** hrybacki has joined #openstack-keystone18:38
afaranhahenrynash: Hello, could you help me with some questions in OS-INHERIT extension?18:38
morganfainbergbknudson, added some more projects to that bug report for you18:39
bknudsonmorganfainberg: I was wondering where they came from118:39
henrynashafaranha: sure..but in keystone meeting right now so may be slow to respond…18:39
*** chandankumar has joined #openstack-keystone18:39
morganfainbergcan't seem to add cinder though, it's LP being bitchy though i think18:39
bknudsonLP is a bitch18:39
vishymorganfainberg: have you seen this/18:41
vishy2014-06-27 02:32:58.334 969 TRACE keystone IntegrityError: (IntegrityError) (1215, 'Cannot add foreign key constraint') "\nCREATE TABLE assignment (\n\ttype ENUM('UserProject','GroupProject','UserDomain','GroupDomain') NOT NULL, \n\tactor_id VARCHAR(64) NOT NULL, \n\ttarget_id VARCHAR(64) NOT NULL, \n\trole_id VARCHAR(64) NOT NULL, \n\tinherited BOOL NOT NULL, \n\tPRIMARY KEY (type, actor_id, target_id, role_id), \n\tFORE18:41
vishyKEY(role_id) REFERENCES role (id), \n\tCHECK (inherited IN (0, 1))\n)\n\n" ()18:41
afaranhahenrynash: No problem :)18:42
afaranhaI'm trying to extend the extension to also make a role assigned to a project to be inherited18:42
morganfainbergvishy, you're finding all the awesome db issues.18:42
*** vhoward has left #openstack-keystone18:42
morganfainbergvishy, i'll dig on this post meeting18:43
henrynashafaranha: ok18:43
*** david-lyle has joined #openstack-keystone18:45
afaranhaI made some changes (removed this "If" https://github.com/openstack/keystone/blob/master/keystone/assignment/backends/sql.py#L144 ) and added the routes for project. The API is executed and no error is shown, but the database are not being updated. Is there any other place where I need to make adjustments?18:46
afaranhahenrynash: I also have the same problem when I tried to assigned a inherit role to a domain different from the default with a new user, new project and new role, maybe this is a bug or just issues in my server?18:48
henrynashafaranha: so we certainly tests non-default domains…18:49
henrynashafaranha: I’ll look at this at the top of teh hour….18:50
*** marcoemorais has quit IRC18:51
*** marcoemorais has joined #openstack-keystone18:51
vishymorganfainberg: so i think that one is fixed in stable already18:57
morganfainbergvishy, hm.18:58
morganfainbergvishy, i haven't seen that issue though before and if it's fixed in stable, how is master broken? :P18:58
vishymorganfainberg: this was the cause https://review.openstack.org/#/c/95601/18:59
morganfainbergvishy, ah so.. it's fixed everywhere?18:59
morganfainbergvishy, or that was only merged to icehouse *is confused*18:59
morganfainbergit's both places19:00
morganfainbergsorry was split-attention here and meeting19:00
*** gabriel-bezerra has quit IRC19:00
vishyyes we are running icehouse but hadn’t updated to stable recently19:00
*** gabriel-bezerra has joined #openstack-keystone19:01
morganfainbergalso have the other utf-8 one proposed to stable/icehouse19:01
jamielennoxso this: https://review.openstack.org/#/c/84071/ and this https://review.openstack.org/#/c/105065/  are just short a single +2 or +A so it would be good to include them19:01
morganfainbergwaiting for eyes19:01
morganfainbergvishy, https://review.openstack.org/#/c/106486/19:01
morganfainbergvishy, that was already merged to master19:01
jamielennoxdolphm: those ^ would be good, particularly the doc one - everything else can wait for another release19:02
henrynashafaranha: so is this the same thing as vishy is discussing with morganfainberg19:03
*** gabriel-bezerra has quit IRC19:03
*** gabriel-bezerra has joined #openstack-keystone19:04
dolphmmorganfainberg: where is the infra team?19:04
afaranhahenrynash: Is this a bug?19:04
dolphmmorganfainberg: i'm tempted to conduct their meeting for them19:04
morganfainbergdolphm, germany19:04
morganfainbergdolphm, for a meetup19:04
dolphmmorganfainberg: then i shall do the honors...19:04
morganfainbergdolphm, heheheh19:05
morganfainbergdolphm, +++++++19:05
henrynashafaranha: so not that I am aware of….although see the issues that were fixed with the table definition in https://review.openstack.org/#/c/95601/  - even with this fix does it still fail?19:05
dolphmmorganfainberg: is jeblair on twitter?19:06
afaranhahenrynash: sorry, have to go now, I'll check that later, thank you19:07
morganfainberghmmm. i know sdague is, and mordred is19:07
morganfainberglet me check19:07
henrynashafaranha: ok19:07
morganfainbergdon't see him, but i may not know his handle19:07
*** lbragstad has quit IRC19:08
*** gabriel-bezerra has quit IRC19:10
*** gabriel-bezerra has joined #openstack-keystone19:10
morganfainbergdolphm, bknudson, ayoung, jamielennox, dstanek, https://review.openstack.org/#/c/106951/  changed to reflect direct passing of dependencies to the managers instead of via decorators19:17
morganfainbergopenstack-gerrit bot has disappeared19:18
*** henrynash has quit IRC19:25
*** bklei has joined #openstack-keystone19:29
dolphminfra is falling apart19:30
*** bklei has quit IRC19:31
dolphmi keep getting signed out of gerrit19:32
*** chandankumar has quit IRC19:34
morganfainbergdolphm, that sounds like a launchpad issue :P19:34
*** gabriel-bezerra has quit IRC19:40
*** gabriel-bezerra has joined #openstack-keystone19:41
bknudsondolphm: I think that was happening to me yesterday.19:42
bknudsonit seemed to be happening because I had 2 tabs open, so I started over.19:42
*** openstackgerrit has joined #openstack-keystone19:43
*** ukalifon has joined #openstack-keystone19:44
*** rharwood has joined #openstack-keystone19:45
*** jaosorior has quit IRC19:52
dolphmbknudson: i always have like 20 tabs open :(19:55
dolphmmorganfainberg: bknudson: dear GET /v3/catalog -spec reviewers, herein lies API https://review.openstack.org/#/c/106854/19:57
openstackgerritHarry Rybacki proposed a change to openstack/python-keystoneclient: Revocation event API  https://review.openstack.org/8116619:58
dolphmopenstackgerrit: morganfainberg: \o/19:58
hrybackiit lives yet again19:59
ayounghrybacki, run tox coverage and you can see the lines of the patch that don't have tests.  Sopme of the v2 vs v3 code was uncovered, which is the comment in model.py  previous revision20:06
*** daneyon has joined #openstack-keystone20:06
hrybackiayoung: damn, okay20:06
dolphmmorganfainberg: thanks20:07
*** ukalifon has quit IRC20:08
*** arosen has quit IRC20:09
openstackgerritA change was merged to openstack/identity-api: The Most Obvious Way to Get a Service Catalog That You Have to See to Believe  https://review.openstack.org/10685420:10
*** topol has quit IRC20:11
*** arosen has joined #openstack-keystone20:12
stevemarmarekd, dolphm morganfainberg dstanek confirmed keystoneclient patch with TFIM!20:12
*** arosen has quit IRC20:12
*** arosen has joined #openstack-keystone20:12
stevemaryay ECP!20:12
stevemaron the idp side, my saml guy just enable http-basic-auth support20:13
stevemarand i had to make a small change to the headers that were used20:13
morganfainbergdstanek, ok so i think i'll need to keep a little of the magic dependency stuff for the managers themselves. (controllers etc are easy)20:13
stevemari'll tell marekd about that, hope we can find one that works for both20:14
dolphmi wish i had a saml guy20:14
morganfainbergdstanek, managers will get instantiated and then iterate through and say "set attributes" no "dependency injection" or hard to follow stuff, just a "we're alive, now go do this"20:14
morganfainberganything else with dependency needs will just consume the registry20:14
dstanekmorganfainberg: that's a good start20:16
dolphmstevemar: what was the bug number of the py26 gate blocker?20:16
morganfainbergdstanek, i really want optional stuff to die :(20:17
dolphmstevemar: nvm https://bugs.launchpad.net/openstack-ci/+bug/134226220:17
uvirtbotLaunchpad bug 1342262 in openstack-ci "virtualenv>=1.9.1 not found for py26 environments" [Undecided,In progress]20:17
morganfainbergdstanek, i wonder if i can figure out a clean way to make it go away.20:17
dstanekdolphm: is that fixed now so we can start rechecking?20:17
dolphmdstanek: yes20:17
morganfainbergdstanek, it was mostly fixed, just some old nodes were lingering20:17
stevemardolphm, i gotta admit, a good saml guy is pretty helpful20:17
dwaitedolphm, stevemar: would either of you like to review my slide deck for Cloud Identity Summit on OpenStack/Keystone/Federation?20:27
dwaiteand wait, you have another good SAML guy? :-(20:28
* dwaite feels replaced20:28
stevemardwaite, sure20:28
dwaitemsg me an email address. I’ll figure out whether PDF of ppt are better for sharing (I used keynote)20:29
stevemardwaite, my guy knows nothing about openstack, and he doubles as a product guy too :)20:29
dwaitethe nice thing about federation protocols like SAML and OIDC are that they are abstractions on the authentication mechanism. So rather than having to support everything under the sun in keystone, you can just outsource it ;-)20:30
dwaitesame way the other components in the system are outsourcing authentication/authorizatino to you20:30
*** doddstack has joined #openstack-keystone20:31
marekddwaite: correct20:31
stevemardstanek, is rechecking crazy bugs :( https://bugs.launchpad.net/ubuntu/+source/hal/+bug/9970420:31
uvirtbotLaunchpad bug 99704 in hal "Hardware Information crash (dup-of: 99362)" [Undecided,New]20:32
uvirtbotLaunchpad bug 99362 in hal "[apport] hal-device-manager crashed with DBusException in __call__()" [Undecided,Fix released]20:32
dstanekstevemar: oops that was a cut-n-paste error me things20:32
*** david-lyle has quit IRC20:32
*** thedodd has quit IRC20:33
dstanekso i currently have 15 open tabs for code reviews....this is going to be a long night20:34
*** tomoiaga has joined #openstack-keystone20:34
dwaitemy current role has me doing about two core reviews a year20:35
dwaiteI tend to be really good at spotting things, so I used to get sucked into every code review20:35
dstanekdwaite: i'm just waiting for my eyes to start bleeding -  at least the code is generally in good shape20:41
*** david-lyle has joined #openstack-keystone20:44
*** david-lyle has quit IRC20:44
*** david-lyle has joined #openstack-keystone20:44
stevemardstanek, i hope one of those tabs is my patch to make revocation migrate by default :(20:45
stevemardwaite, i liked your pres!20:45
dstanekstevemar: not sure...got a link? i can always open another tab for you20:46
stevemardstanek, https://review.openstack.org/#/c/96326/ (under adam) then go down the rabbit hole of dependencies20:46
tomoiagaI believe there is a small issue with keystoneclient when using keystoneclient.client.Client without passing in a session object. The problem appears when get_endpoint is called in httpclient which needs an auth plugin. No auth plugin exists and the client complains about missing an endpoint url in the end.20:47
dwaitestevemar: thanks! did I miss anything?20:49
dwaiteis free ice cream being added in the Juno timeframe?20:49
dolphmbknudson: err, did a miss the bug number for the keystonemiddleware swap?20:58
bknudsondolphm: https://bugs.launchpad.net/nova/+bug/134227420:59
uvirtbotLaunchpad bug 1342274 in neutron "auth_token middleware in keystoneclient is deprecated" [Undecided,In progress]20:59
openstackgerritDolph Mathews proposed a change to openstack/keystonemiddleware: prefer identity API v3 over v2 in auth_token  https://review.openstack.org/10681921:01
dstanekstevemar: did you see the ML thread about Alliance from last week?21:03
dolphmbknudson: thanks!21:04
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: SAML2 ECP auth plugin  https://review.openstack.org/9216621:04
marekdstevemar: ayoung dstanek dolphm : text/xml header also worked with pure shibboleth idp21:04
marekdstevemar: ayoung dstanek dolphm: so I need again two +2 and +A for /usr/lib/python2.6/site-packages/keystoneclient21:05
marekdfor https://review.openstack.org/9216621:05
dstanekmarekd: did you see Alliance on the ML?21:05
marekddstanek: i did see the thread, didn't read it carefully yet :(21:05
marekdanything really interesting?21:05
openstackgerritA change was merged to openstack/python-keystoneclient: Use jsonutils to load adapter response  https://review.openstack.org/10506521:06
*** mhu has quit IRC21:07
*** dolphm has quit IRC21:07
*** toddnni has quit IRC21:07
ayoungmarekd, done21:07
dstanekyeah, i think so. he says it has nothing to do with k2k federation, but i'm pretty sure that's exactly what it is - https://wiki.openstack.org/wiki/Inter_Cloud_Resource_Federation21:07
*** mhu1 has joined #openstack-keystone21:07
*** dolphm has joined #openstack-keystone21:07
*** ChanServ sets mode: +o dolphm21:07
*** mhu1 is now known as mhu21:07
*** toddnni has joined #openstack-keystone21:07
marekdayoung: thank you.21:08
marekddstanek: ok, i will read it now, otherwise no way i will fall asleep....21:08
stevemarmarekd, thanks!21:08
marekdstevemar: my pleasure.21:08
*** lbragstad has joined #openstack-keystone21:09
*** hrybacki has quit IRC21:10
*** marcoemorais has quit IRC21:10
openstackgerritA change was merged to openstack/keystone: Make sure unit tests set the correct log levels  https://review.openstack.org/10649621:10
*** marcoemorais has joined #openstack-keystone21:10
*** radez is now known as radez_g0n321:12
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Scope unscoped saml2 tokens.  https://review.openstack.org/9970421:13
*** tomoiaga has left #openstack-keystone21:16
dstanekmarekd: it may not put you to sleep - it's pretty short and simple - but he appears to somewhat address catalog discovery and some other things we've talked about21:16
marekddstanek: i said that i will not be able to sleep if I don't read it. I am in the middle now.21:17
dstanekmarekd: ah, when i saw it i actually thought it would put me to sleep and it's the middle of the day here21:17
marekddstanek:do you know what "ICFS service." is? I think Google doesnt...21:19
dstanekmarekd: i think inter cloud federation service - i think he coined a new term21:20
marekdah, ok21:20
marekdmakes sense.21:20
*** lbragstad has quit IRC21:26
*** jsavak has joined #openstack-keystone21:27
*** joesavak has quit IRC21:30
dolphmbknudson: there's no warning on __init__ that keystoneclient auth_token is deprecated, is there?21:32
bknudsondolphm: I don't think that's been added.21:32
bknudsonI haven't seen it21:32
*** henrynash has joined #openstack-keystone21:33
*** hrybacki has joined #openstack-keystone21:34
*** henrynash has quit IRC21:34
*** hrybacki has quit IRC21:35
*** hrybacki has joined #openstack-keystone21:35
marekddstanek: most of what was described here looks like we already wanted to do, but instead of creating another service enhance Keystone. Separater service might even make sense in a long term solution, but I dont see why not make Alliance a part of Keystone directly. Also, in particular one use case would make joesava super happy, namely "Resource Access Across Clouds", but they assume remote service would contact their Keystone in case 'fore21:36
openstackgerritDolph Mathews proposed a change to openstack/python-keystoneclient: add deprecation warning for auth_token  https://review.openstack.org/10718221:39
dolphmbknudson: fixed &21:39
*** dims__ has quit IRC21:48
*** bklei has joined #openstack-keystone21:49
*** afazekas has quit IRC21:50
*** marekd is now known as marekd|away21:52
*** bklei has quit IRC21:54
*** gabriel-bezerra has quit IRC21:59
*** gabriel-bezerra has joined #openstack-keystone22:00
*** stevemar has quit IRC22:02
*** daneyon has quit IRC22:03
*** jsavak has quit IRC22:05
*** richm has left #openstack-keystone22:07
*** joesavak has joined #openstack-keystone22:08
*** lbragstad has joined #openstack-keystone22:11
*** lbragstad has quit IRC22:13
*** lbragstad has joined #openstack-keystone22:16
*** marcoemorais has quit IRC22:19
*** marcoemorais has joined #openstack-keystone22:20
*** marcoemorais has quit IRC22:21
*** marcoemorais has joined #openstack-keystone22:22
*** marcoemorais1 has joined #openstack-keystone22:24
*** lbragstad has quit IRC22:24
*** marcoemorais1 has quit IRC22:25
*** marcoemorais2 has joined #openstack-keystone22:26
*** marcoemorais2 has quit IRC22:27
*** marcoemorais has quit IRC22:27
*** marcoemorais has joined #openstack-keystone22:27
*** marcoemorais has quit IRC22:27
*** marcoemorais has joined #openstack-keystone22:28
*** jsavak has joined #openstack-keystone22:28
openstackgerritSam Leong proposed a change to openstack/keystone: Disable a domain will revoke domain scoped tokens  https://review.openstack.org/10719422:28
*** mfainberg_phone has joined #openstack-keystone22:28
*** joesavak has quit IRC22:29
*** dstanek is now known as dstanek_zzz22:29
*** doddstack has quit IRC22:33
*** mfainberg_phone has quit IRC22:35
*** jsavak has quit IRC22:37
*** david-lyle has quit IRC22:39
*** stevemar has joined #openstack-keystone22:42
*** marcoemorais has quit IRC22:43
*** dims__ has joined #openstack-keystone22:45
*** dims__ has quit IRC22:49
*** dstanek_zzz is now known as dstanek22:50
*** gokrokve has quit IRC22:51
*** marcoemorais has joined #openstack-keystone22:59
*** stevemar has quit IRC23:02
*** dwaite has quit IRC23:03
alex_xuayoung, hi23:06
*** dwaite has joined #openstack-keystone23:09
ayoungalex_xu, sorry to ignore, but I'm on deadline23:15
alex_xuayoung, it's fine, if you are busy I can ping you next time23:15
alex_xuayoung, I will ping you next week :) thanks23:16
*** harlowja is now known as harlowja_away23:16
*** ayoung has quit IRC23:19
*** alex_xu has quit IRC23:20
*** bknudson has quit IRC23:24
*** diegows has quit IRC23:38
*** diegows has joined #openstack-keystone23:40
*** stevemar has joined #openstack-keystone23:52
openstackgerritSam Leong proposed a change to openstack/keystone: Disable a domain will revoke domain scoped tokens  https://review.openstack.org/10719423:53
*** marcoemorais has quit IRC23:54
*** gabriel-bezerra has quit IRC23:57

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!