Friday, 2014-07-18

*** bknudson has quit IRC		00:00
*** dims_ has quit IRC		00:01
*** jamielennox\|away is now known as jamielennox		00:13
*** dims_ has joined #openstack-keystone		00:21
*** amcrn has quit IRC		00:21
*** gokrokve has joined #openstack-keystone		00:28
stevemar	morganfainberg, know much about swift?	00:29
*** gokrokve_ has joined #openstack-keystone		00:34
*** gokrokve has quit IRC		00:35
*** gokrokv__ has joined #openstack-keystone		00:35
*** gokrokv__ has quit IRC		00:37
openstackgerrit	Brant Knudson proposed a change to openstack/keystone: JSON-Home PoC https://review.openstack.org/103983	00:37
*** gokrokve_ has quit IRC		00:39
openstackgerrit	Jamie Lennox proposed a change to openstack/keystone-specs: Auth Specific Data https://review.openstack.org/107325	00:48
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone: Capitalize a few project names in configuring services doc https://review.openstack.org/107869	00:53
*** gabriel-bezerra has quit IRC		01:00
*** gabriel-bezerra has joined #openstack-keystone		01:02
*** gabriel-bezerra has joined #openstack-keystone		01:04
*** gabriel-bezerra has quit IRC		01:10
*** gabriel-bezerra has joined #openstack-keystone		01:11
jamielennox	in the case where i am abstracting the difference between v2 and v3 password authentication, do you think if only a v2 url is available but you give for example a domain_name as a parameter - should a plugin try and ignore that data and attempt to use v2 anyway?	01:13
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Version independent password authentication plugin https://review.openstack.org/81147	01:28
*** topol has joined #openstack-keystone		01:41
openstackgerrit	ayoung proposed a change to openstack/keystone: Do not require method attribute on plugins https://review.openstack.org/107873	01:41
*** xianghui has quit IRC		01:49
*** mberlin has joined #openstack-keystone		01:54
*** mberlin1 has quit IRC		01:55
openstackgerrit	Brant Knudson proposed a change to openstack/keystone: JSON-Home https://review.openstack.org/103983	01:59
jamielennox	oh, that would have been so much nicer with pecan ^	02:00
*** xianghui has joined #openstack-keystone		02:03
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Allow passing kwargs from managers to session https://review.openstack.org/106658	02:05
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Add the 'auth' interface type https://review.openstack.org/104734	02:05
openstackgerrit	Jamie Lennox proposed a change to openstack/python-keystoneclient: Change unscoped token fallback to be session aware https://review.openstack.org/104771	02:05
*** hrybacki has joined #openstack-keystone		02:11
*** diegows has quit IRC		02:31
*** hrybacki has quit IRC		02:31
*** gabriel-bezerra has quit IRC		02:31
*** gabriel-bezerra has joined #openstack-keystone		02:32
*** richm has left #openstack-keystone		02:33
*** dims_ has quit IRC		02:35
openstackgerrit	Jeffrey Zhang proposed a change to openstack/keystone: Redirect stdout and stderr when using subprocess https://review.openstack.org/51610	02:49
*** ayoung has quit IRC		02:58
*** dims_ has joined #openstack-keystone		03:01
*** dims_ has quit IRC		03:08
*** mfisch` is now known as mfisch		03:22
*** mfisch is now known as Guest32427		03:23
*** harlowja is now known as harlowja_away		03:28
*** gokrokve has joined #openstack-keystone		04:08
*** gokrokve_ has joined #openstack-keystone		04:13
openstackgerrit	Steve Martinelli proposed a change to openstack/keystone-specs: Specification for OpenID Connect https://review.openstack.org/107890	04:15
*** gokrokve has quit IRC		04:16
jamielennox	stevemar: for your test federation environment what do you use for users?	04:18
morganfainberg	stevemar, no i don't know much about swift	04:21
morganfainberg	stevemar, sorry	04:21
stevemar	morganfainberg, np, i figure it out	04:28
*** renlt has joined #openstack-keystone		04:28
morganfainberg	stevemar cool	04:28
stevemar	jamielennox, i use one that i've actually set up :\	04:29
jamielennox	stevemar: yea, i assumed that, i'm just going to try it and realize i need to base it on FreeIPA anyway	04:29
stevemar	jamielennox, yeah, it's been a PITA to try and figure out how to test this better	04:30
jamielennox	stevemar: stuck trying to set up user accounts in centos :( going to be a long afternoon	04:31
jamielennox	damnit, it's always a selinux problem	04:33
stevemar	haha, aint that true, there was something on the ML about starting keystone with selinux and centos	04:33
jamielennox	not that far yet, just ssh as non-root	04:36
*** amerine has quit IRC		04:40
*** amerine has joined #openstack-keystone		04:40
*** gokrokve_ has quit IRC		04:42
*** gokrokve has joined #openstack-keystone		05:05
*** chandankumar has joined #openstack-keystone		05:16
*** gabriel-bezerra has quit IRC		05:19
*** gabriel-bezerra has joined #openstack-keystone		05:20
*** jaosorior has joined #openstack-keystone		05:21
*** gabriel-bezerra has quit IRC		05:22
*** gabriel-bezerra has joined #openstack-keystone		05:22
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Move token persistence classes to token.persistence module https://review.openstack.org/107561	05:24
*** gokrokve has quit IRC		05:28
*** gokrokve has joined #openstack-keystone		05:29
*** gabriel-bezerra has quit IRC		05:29
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Move token persistence classes to token.persistence module https://review.openstack.org/107561	05:29
*** k4n0 has joined #openstack-keystone		05:30
*** gabriel-bezerra has joined #openstack-keystone		05:34
openstackgerrit	Bob Thyne proposed a change to openstack/identity-api: Update OS-EP-FILTER API https://review.openstack.org/106292	05:34
*** gokrokve has quit IRC		05:34
*** shausy has joined #openstack-keystone		05:36
*** topol has quit IRC		05:40
*** ajayaa has joined #openstack-keystone		05:48
*** stevemar has quit IRC		05:55
*** gokrokve has joined #openstack-keystone		05:59
*** gokrokve_ has joined #openstack-keystone		06:01
*** gokrokve has quit IRC		06:04
*** gokrokve_ has quit IRC		06:05
*** dims_ has joined #openstack-keystone		06:05
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/106939	06:06
*** afazekas has joined #openstack-keystone		06:07
*** navid has quit IRC		06:10
*** dims_ has quit IRC		06:11
openstackgerrit	Christian Berendt proposed a change to openstack/python-keystoneclient: Bump hacking to 0.9.x series https://review.openstack.org/107328	06:24
openstackgerrit	Bob Thyne proposed a change to openstack/identity-api: Update OS-EP-FILTER API https://review.openstack.org/106292	06:24
*** alex_xu has quit IRC		06:26
*** gabriel-bezerra has quit IRC		06:26
*** gabriel-bezerra has joined #openstack-keystone		06:28
*** tomoiaga has joined #openstack-keystone		06:37
*** tkelsey has joined #openstack-keystone		06:39
*** gabriel-bezerra has quit IRC		06:39
*** gabriel-bezerra has joined #openstack-keystone		06:40
*** gokrokve has joined #openstack-keystone		06:59
*** gokrokve has quit IRC		07:04
*** BAKfr has joined #openstack-keystone		07:10
*** ajayaa has quit IRC		07:19
*** ajayaa has joined #openstack-keystone		07:19
*** alex_xu has joined #openstack-keystone		07:23
*** dstanek is now known as dstanek_zzz		07:23
*** BAKfr has quit IRC		07:25
*** ukalifon has joined #openstack-keystone		07:30
*** jamielennox is now known as jamielennox\|away		07:37
*** ukalifon has quit IRC		07:40
*** afazekas has quit IRC		07:54
*** junhongl has quit IRC		07:58
*** gokrokve has joined #openstack-keystone		07:59
*** gokrokve_ has joined #openstack-keystone		08:01
*** gokrokve has quit IRC		08:04
*** Dafna has joined #openstack-keystone		08:05
*** gokrokve_ has quit IRC		08:06
openstackgerrit	Jose Castro Leon proposed a change to openstack/keystone: Initial kerberos plugin implementation. https://review.openstack.org/74317	08:10
*** BAKfr has joined #openstack-keystone		08:12
*** gabriel-bezerra has quit IRC		08:12
*** gabriel-bezerra has joined #openstack-keystone		08:13
*** Dafna is now known as Dafna_away		08:15
*** oomichi has quit IRC		08:15
openstackgerrit	Christian Berendt proposed a change to openstack/python-keystoneclient: Removed keystone.apiclient https://review.openstack.org/107926	08:21
*** alex_xu has quit IRC		08:36
*** ukalifon1 has joined #openstack-keystone		08:40
*** ukalifon1 has quit IRC		08:44
*** ajayaa has quit IRC		08:53
*** gokrokve has joined #openstack-keystone		08:59
*** afazekas has joined #openstack-keystone		09:02
*** gokrokve has quit IRC		09:04
*** BAKfr has quit IRC		09:06
*** dims_ has joined #openstack-keystone		09:08
*** dims_ has quit IRC		09:13
*** alex_xu has joined #openstack-keystone		09:22
*** afazekas has quit IRC		09:31
openstackgerrit	Marek Denis proposed a change to openstack/python-keystoneclient: Scope unscoped saml2 tokens. https://review.openstack.org/99704	09:49
*** Dafna_away is now known as Dafna		09:50
*** ajayaa has joined #openstack-keystone		09:52
*** gokrokve has joined #openstack-keystone		09:59
openstackgerrit	A change was merged to openstack/keystone: Use oslo.i18n https://review.openstack.org/104400	10:00
*** gokrokve has quit IRC		10:04
*** dims_ has joined #openstack-keystone		10:09
*** ukalifon1 has joined #openstack-keystone		10:09
*** dims_ has quit IRC		10:13
*** jimbaker has quit IRC		10:33
*** jimbaker has joined #openstack-keystone		10:33
*** jimbaker has quit IRC		10:34
*** jimbaker has joined #openstack-keystone		10:34
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements https://review.openstack.org/106208	10:37
*** tkelsey has quit IRC		10:39
*** renlt has quit IRC		10:39
*** ukalifon1 has quit IRC		10:39
openstackgerrit	OpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/106210	10:42
*** tkelsey has joined #openstack-keystone		10:51
*** gokrokve has joined #openstack-keystone		10:59
*** mrmoje has joined #openstack-keystone		11:00
*** gokrokve has quit IRC		11:04
*** dims_ has joined #openstack-keystone		11:21
*** afazekas has joined #openstack-keystone		11:22
openstackgerrit	Marcos Fermín Lobo proposed a change to openstack/keystone: CRUD grant don't check user_id and group_id https://review.openstack.org/107973	11:23
*** raildo has quit IRC		11:28
*** tellesnobrega has quit IRC		11:28
*** afaranha has quit IRC		11:29
*** rodrigods has quit IRC		11:30
*** diegows has joined #openstack-keystone		11:32
*** KimJ has joined #openstack-keystone		11:51
*** KimJ has quit IRC		11:52
*** KimJ has joined #openstack-keystone		11:53
*** KimJ has quit IRC		11:55
*** gokrokve has joined #openstack-keystone		11:59
*** gokrokve has quit IRC		12:04
*** erecio has joined #openstack-keystone		12:08
*** renlt has joined #openstack-keystone		12:13
*** afazekas has quit IRC		12:20
*** ajayaa has quit IRC		12:31
*** chandankumar has quit IRC		12:35
*** dims_ has quit IRC		12:36
*** dims_ has joined #openstack-keystone		12:37
*** afazekas has joined #openstack-keystone		12:41
*** chandankumar has joined #openstack-keystone		12:43
*** raildo has joined #openstack-keystone		12:43
*** dstanek_zzz is now known as dstanek		12:47
*** d0ugal has quit IRC		12:53
*** d0ugal has joined #openstack-keystone		12:56
*** andreaf has joined #openstack-keystone		12:57
*** gokrokve has joined #openstack-keystone		12:59
*** gokrokve has quit IRC		13:04
*** joesavak has joined #openstack-keystone		13:05
*** lbragstad has joined #openstack-keystone		13:10
*** lbragstad has quit IRC		13:10
*** lbragstad has joined #openstack-keystone		13:11
*** lbragstad has quit IRC		13:12
*** lbragstad has joined #openstack-keystone		13:12
*** afazekas has quit IRC		13:39
*** gabriel-bezerra has quit IRC		13:39
*** gabriel-bezerra has joined #openstack-keystone		13:40
*** ukalifon1 has joined #openstack-keystone		13:42
*** ayoung has joined #openstack-keystone		13:45
*** k4n0 has quit IRC		13:47
*** shausy has quit IRC		13:53
*** comstud is now known as bearhands		13:54
*** vhoward has joined #openstack-keystone		13:56
*** gokrokve has joined #openstack-keystone		13:57
*** topol has joined #openstack-keystone		14:01
*** ukalifon1 has quit IRC		14:07
*** afazekas has joined #openstack-keystone		14:14
*** andreaf has quit IRC		14:20
*** andreaf has joined #openstack-keystone		14:21
*** andreaf has quit IRC		14:21
*** gokrokve_ has joined #openstack-keystone		14:21
*** gokrokve has quit IRC		14:24
*** dims_ is now known as dimsum		14:25
*** lbragstad has quit IRC		14:32
*** thedodd has joined #openstack-keystone		14:42
*** erecio has quit IRC		14:46
*** joesavak has quit IRC		14:47
dolphm	morganfainberg: you should check this out https://review.openstack.org/#/c/105228/3/specs/swift/service_token.rst	14:49
morganfainberg	dolphm, saw the email about it	14:51
*** nkinder has joined #openstack-keystone		14:52
*** tomoiaga has quit IRC		14:54
*** henrynash has joined #openstack-keystone		14:58
morganfainberg	dolphm, interesting reading that over	14:58
dolphm	morganfainberg: i haven't read it yet, but i'm not sure i buy the premise in the email (it's a valid concern, but just name the role more distinctly?)	14:59
openstackgerrit	ayoung proposed a change to openstack/keystone: Do not require method attribute on plugins https://review.openstack.org/107873	14:59
*** joesavak has joined #openstack-keystone		14:59
openstackgerrit	ayoung proposed a change to openstack/keystone: Make run_tests.sh a wrapper for tox https://review.openstack.org/103282	14:59
morganfainberg	dolphm, yeah	14:59
morganfainberg	dolphm, that sounds correct.	14:59
dolphm	ayoung: this was already approved, why are you proposing another patch? https://review.openstack.org/#/c/103282/	15:00
morganfainberg	it feels like the issue is "we want middleware to enforce something specifically that policy could do"?	15:00
ayoung	dolphm, it was a git review failure	15:00
ayoung	it should not have been pushed...	15:00
*** afazekas has quit IRC		15:00
dolphm	ayoung: uploading another patch is not the solution	15:00
morganfainberg	dolphm, it's in his review chain	15:00
ayoung	I know	15:00
*** lbragstad has joined #openstack-keystone		15:00
morganfainberg	dolphm got rebased in git review it looks like.	15:00
ayoung	I did	15:00
ayoung	git push gerrit HEAD:refs/for/master	15:01
ayoung	specifically to try and get around the G-D- rebase issues	15:01
dolphm	ayoung: git review --no-rebase ?	15:01
ayoung	dolphm, that didn't work for me last time, which is why I tried the direct push	15:01
morganfainberg	dolphm, `git review -R` (same thing)	15:01
ayoung	the push skipped it last time, and for sokme reason did not this time...	15:02
ayoung	and I don't even need the tox patch...	15:02
ayoung	grumble	15:02
openstackgerrit	ayoung proposed a change to openstack/keystone: Do not require method attribute on plugins https://review.openstack.org/107873	15:03
ayoung	OK, mine no longer depends on the run_tests change.	15:03
ayoung	sorry for the churn	15:03
morganfainberg	ayoung, it happens.	15:03
ayoung	morganfainberg, I've been battling the session object out of the client. I was trying to figure out if converting an unscoped token to a scoped token should create a new session, or if it should hold on to both tokens, and just use the scoped tokens for all calls except a call to get a token for a new project	15:07
ayoung	and also how to relate that to Horizon.	15:07
ayoung	It seems to me that Horizon should store the whole unscoped token in a session cookie, and also a memcache key for any scoped tokens	15:08
ayoung	so we need to be able to recreate a session from a set of tokens: one unscoped and (possibly) one scoped	15:08
*** gabriel-bezerra has quit IRC		15:08
morganfainberg	ayoung, but how would that work with the non-horizon uses? would they just not get a session token?	15:08
ayoung	now, that assumes that Keystone gives back an unscoped token	15:08
ayoung	in the case where a user has a default project, there is no way to get an unscoped token today. That is, I think, a bug	15:09
openstackgerrit	Dolph Mathews proposed a change to openstack/keystone: implement GET /v3/catalog https://review.openstack.org/106893	15:09
ayoung	for a CLI or programmatic user, it depends on how they get their initial token	15:09
*** gabriel-bezerra has joined #openstack-keystone		15:09
ayoung	if they send along the project id, or if they have a default project set, they will get a scoped token	15:09
ayoung	I would say "never convert scoped tokens to other tokens"	15:10
ayoung	but until we have a way to issue unscoped tokens, we can't enforce that rule	15:10
* morganfainberg still really dislikes the default project id "magic"		15:14
morganfainberg	but that is a different conversation	15:14
morganfainberg	ayoung, jamielennox\|away was saying we should not make the session stuff "tokens" but make it more uuid based	15:15
morganfainberg	ayoung, so the session is basically a uuid token, we have to maintain it in keystone's DB or something still though	15:15
ayoung	morganfainberg, here is how default projects should work:	15:16
ayoung	1. usre requests a token with credentials only	15:16
ayoung	2. user recieves unscoped token	15:16
ayoung	3. user looks up user data and sees default project it P	15:16
ayoung	4. user request token using unscoped token scoped to project P	15:16
ayoung	we can, if we want, ellide some of these steps	15:17
morganfainberg	why does the user object need to hold the default project id?	15:17
morganfainberg	besides that we had that functionality before	15:17
ayoung	morganfainberg, so another option is	15:23
lbragstad	ayoung: for https://bugs.launchpad.net/keystone/+bug/1343709 you want to remove this right? https://github.com/openstack/keystone/blob/1612cb416821f5b3463619fc5f0c3c00c780e884/etc/keystone.conf.sample#L519-L520	15:23
uvirtbot	Launchpad bug 1343709 in keystone "Cannot Use Default Domain with Kerberos" [Undecided,In progress]	15:23
ayoung	when getting a token, either they explicitly ask for unscoped, or they explicitly ask for scoped to default project	15:23
openstackgerrit	Dolph Mathews proposed a change to openstack/keystone: move GET /v3/catalog to GET /v3/auth/catalog https://review.openstack.org/108043	15:23
ayoung	lbragstad, nope	15:23
ayoung	lbragstad, I am just removing the thing that matches that on the auth plugin code itself	15:24
lbragstad	ok	15:24
ayoung	lbragstad, so we have 2 ways to specify the plugins to use for methods	15:24
ayoung	one is to use the short name, like "external" the other is the full python path name	15:24
ayoung	like keystone.auth.plugins.external.DefaultDomain	15:25
ayoung	I don't really like the second, but we have it	15:25
ayoung	so I left it enabled	15:25
lbragstad	gotcha	15:25
ayoung	but I removed the rule that said a plugin had to a have a "method" attribute that matched the name in the config file/ plugins list	15:25
ayoung	that way you can do this in a config file	15:26
ayoung	kerberos : keystone.auth.plugins.external.DefaultDomain	15:26
ayoung	methods: kerberos, password, token	15:26
dolphm	anyone here know jay bryant?	15:27
lbragstad	jay	15:28
lbragstad	dolphm: yes	15:28
lbragstad	his IRC nick is jungleboyj	15:28
dolphm	lawl	15:29
dolphm	from openstack-dev: [Openstack-stable-maint] Propose jsbryant to be a stable maintainer	15:29
lbragstad	no joke, you can find him #openstack-cinder	15:29
lbragstad	maybe he did change his IRC nick?	15:31
ayoung	dolphm, should our new rule be "explicitly request an unscoped token" or "explicitly request a token scoped to the default project"?	15:32
dstanek	lbragstad: i'm working my way through your reviews for validation now - let me know if my comments don't make sense	15:35
lbragstad	dstanek: sounds good, thanks for reviewing. I have to do a couple spec reviews and I'll start looking at your comments.	15:36
*** arunkant has quit IRC		15:37
dstanek	morganfainberg: i think you fixed https://bugs.launchpad.net/keystone/+bug/1123462 with your run_tests.sh changes	15:40
uvirtbot	Launchpad bug 1123462 in keystone "run_tests.sh does not work if keystone is not installed" [Wishlist,Confirmed]	15:40
morganfainberg	dstanek, makes sense, since it uses tox now. didn't realize that was actually a bug	15:41
dstanek	morganfainberg: i've been combing the bugs again and found it this morning	15:41
openstackgerrit	Bob Thyne proposed a change to openstack/identity-api: Update OS-EP-FILTER API https://review.openstack.org/106292	15:41
morganfainberg	dstanek, cool.	15:41
ayoung	morganfainberg, I would like to make it that you have to explicitly request the scope of token, and that default project would be a specific request, but I suspect that would break a lot of automation. So the next best thing is to explicitly request an unscoped token	15:42
ayoung	maybe part of that request could say "give me the domains and projects that I can then scope to" in the body, as well as "tell me my default project"	15:43
morganfainberg	ayoung, yeah	15:43
ayoung	can I fast track through a spec change for that B^D ?	15:44
*** chandankumar has quit IRC		15:45
openstackgerrit	Bob Thyne proposed a change to openstack/identity-api: Update OS-EP-FILTER API https://review.openstack.org/106292	15:45
*** andreaf has joined #openstack-keystone		15:48
*** andreaf has quit IRC		15:49
dstanek	every time i see our API use PUT as a PATCH i nearly cry	15:49
*** andreaf has joined #openstack-keystone		15:49
*** andreaf has quit IRC		15:49
*** gokrokve_ has quit IRC		15:51
ayoung	dstanek, PATCH is a newcomer to HTTP. It will take at least another decade before it catches on	15:52
dstanek	ayoung: even so it is a replacement for a POST usecase - PUT was not supposed to be partial updates	15:53
ayoung	dstanek, POST is wierd	15:53
ayoung	I'm guessing that it was added after the initial draft of the spec	15:53
ayoung	when some told Tim B-Lee that "you don't get to define the identifier" or something	15:54
ayoung	dstanek, maybe we'll rewrite Wierd Al's "Word Crimes" to "REST Crimes"	15:55
*** rodrigods has joined #openstack-keystone		15:55
dstanek	ayoung: sounds like a good project for a rainy day	15:55
*** bknudson has joined #openstack-keystone		16:00
*** arunkant has joined #openstack-keystone		16:00
*** david-lyle has joined #openstack-keystone		16:09
*** gabriel-bezerra has quit IRC		16:11
*** gabriel-bezerra has joined #openstack-keystone		16:12
openstackgerrit	Bob Thyne proposed a change to openstack/identity-api: Update OS-EP-FILTER API https://review.openstack.org/106292	16:13
*** david-lyle has quit IRC		16:21
*** afaranha has joined #openstack-keystone		16:32
*** joesavak has quit IRC		16:33
*** lbragstad has quit IRC		16:40
ayoung	topol, http://adam.younglogic.com/2014/07/committed-to-master/ that is for you.	16:41
*** david-lyle has joined #openstack-keystone		16:44
*** david-lyle has quit IRC		16:44
*** ayoung is now known as ayoung-lunch		16:47
openstackgerrit	ayoung proposed a change to openstack/keystone-specs: explicit request for unscoped tokens https://review.openstack.org/108071	16:50
openstackgerrit	A change was merged to openstack/keystone-specs: Federating multiple Keystones https://review.openstack.org/100023	16:50
*** richm has joined #openstack-keystone		17:00
*** tkelsey has quit IRC		17:03
openstackgerrit	Ilya Pekelny proposed a change to openstack/keystone: Use metadata.create_all() to fill a test database https://review.openstack.org/93558	17:09
openstackgerrit	Ilya Pekelny proposed a change to openstack/keystone: Comparision of database models and migrations. https://review.openstack.org/80630	17:09
*** joesavak has joined #openstack-keystone		17:20
*** richm1 has joined #openstack-keystone		17:21
*** richm has quit IRC		17:22
*** harlowja_away is now known as harlowja		17:25
openstackgerrit	Sam Leong proposed a change to openstack/python-keystoneclient: Prefer identity api V3 over v2 in auth_token https://review.openstack.org/108106	17:29
*** marcoemorais has joined #openstack-keystone		17:34
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystonemiddleware: Mark keystonemiddleware as being a universal wheel https://review.openstack.org/104424	17:38
* morganfainberg goes and rebases the non-persistent token stuff on the i18n merge.		17:44
*** renlt has quit IRC		17:52
*** lbragstad has joined #openstack-keystone		17:54
topol	ayoung, saw that. Thanks	17:58
*** gokrokve has joined #openstack-keystone		18:07
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Move keystone.token.default_expire_time to token.provider https://review.openstack.org/107219	18:14
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Move token_api.unique_id to token_provider_api https://review.openstack.org/107218	18:14
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Consolidate `assert_XXX_enabled` type calls to managers https://review.openstack.org/107220	18:14
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Move token persistence classes to token.persistence module https://review.openstack.org/107561	18:14
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Mark the 'check_vX_token' methods deprecated https://review.openstack.org/107560	18:14
*** ayoung-lunch is now known as ayoung		18:29
ayoung	dolphm, dstanek is this cool? https://review.openstack.org/#/c/108071/	18:30
*** akscram has quit IRC		18:35
*** gpocentek has quit IRC		18:35
*** Mikalv has quit IRC		18:35
*** Mikalv has joined #openstack-keystone		18:36
*** gpocentek has joined #openstack-keystone		18:36
*** gpocentek has joined #openstack-keystone		18:36
*** akscram has joined #openstack-keystone		18:36
*** amcrn has joined #openstack-keystone		18:39
*** rodrigods has quit IRC		18:41
*** cjellick has joined #openstack-keystone		18:45
cjellick	hi there. when i add the &effective flag to role_assignments call, it doesnt work. the group that is a member of the project goes away but the members of that group are not added	18:46
cjellick	any thoughts? running havana	18:46
cjellick	ldap backend	18:46
lbragstad	quick question, did we come to a conclusion of how to mark specs for re-evaluation in the 'next' release?	18:56
lbragstad	https://review.openstack.org/#/c/100279/ for example?	18:56
*** diegows has quit IRC		18:59
*** rodrigods has joined #openstack-keystone		19:02
*** marcoemorais has quit IRC		19:06
*** marcoemorais1 has joined #openstack-keystone		19:07
*** marcoemorais1 has quit IRC		19:08
*** marcoemorais has joined #openstack-keystone		19:08
*** gabriel-bezerra has quit IRC		19:08
*** gabriel-bezerra has joined #openstack-keystone		19:09
*** hrybacki has joined #openstack-keystone		19:10
*** diegows has joined #openstack-keystone		19:11
*** gokrokve has quit IRC		19:18
dstanek	morganfainberg, ayoung: did you guys see the comment here - https://review.openstack.org/#/c/103282/	19:21
ayoung	looking	19:21
dstanek	it was about the no venv option being removed	19:21
ayoung	ah....	19:22
morganfainberg	why do we need a heavy "wrapper" script to basically do "python ./setup.py testr"	19:22
morganfainberg	?	19:22
ayoung	morganfainberg, can -N do that, and skip tox?	19:22
lbragstad	dstanek: you want the validator to be called using validation.validated() correct, as the decorator? https://review.openstack.org/#/c/86483/23/keystone/common/validation/__init__.py	19:22
morganfainberg	well with non of the other "magic" options	19:22
ayoung	morganfainberg, let me try that....	19:23
morganfainberg	i would rather see run_tests die.	19:23
morganfainberg	a horrible horrible death	19:23
dstanek	lbragstad: that was just a suggestion ... i wouldn't be heart broken if you didn't	19:23
morganfainberg	:P	19:23
dstanek	lbragstad: it was just something i noticed when going through the reviews	19:23
lbragstad	dstanek: your point makes sense	19:23
morganfainberg	dstanek, the reasons run_tests was abandoned for nova was mostly the format stuff. cc ayoung from what i gathr	19:24
lbragstad	validation.validated() versus validation.scheme()...	19:24
lbragstad	yeah... that does sound better...	19:24
ayoung	morganfainberg, -N showing to run testr is what the script is for: making it easy for new devs to run tests	19:24
dstanek	lbragstad: it's all subjective.. the Python way is more declarative like 'i am a classmethod'	19:24
ayoung	let me see...	19:24
dstanek	lbragstad: the keystone way seems to state facts about what the decorator is doing like 'i am protected'	19:25
morganfainberg	ayoung, i am still of the opinion run_tests.sh is a bad idea	19:25
lbragstad	dstanek: yeah... the 'keystone' seems more readable to me, now that you mention it	19:25
ayoung	morganfainberg, nope. It is a documentation of how to run the tests. I didn't know how to do the failfast for example	19:26
ayoung	tox is not there yet	19:26
ayoung	its a tool, not a guide	19:26
morganfainberg	ayoung, no i think run_tests is bad documentation, we should actually document it instead	19:26
ayoung	morganfainberg, maybe, but until we can codify what it is we need to do, we can't document. We missed the -N	19:27
morganfainberg	ayoung, mostly it's bad because there is nothing that uses it from a gate/check perspective.	19:28
morganfainberg	ayoung, i'd rather delete it and spend the time documenting it	19:28
morganfainberg	ayoung, if you and the other cores would accept that I'll happily convert this over to "here is how you should run tests and this is how gate does it"	19:28
morganfainberg	instead	19:28
ayoung	morganfainberg, I want to get it right in this review first. THen remove if all agree	19:29
ayoung	I think it is a good tool. People use it, and until we have a proof of how to do all of these things in code, I don't trust the documentation	19:29
*** diegows has quit IRC		19:30
morganfainberg	well i just -2'd the review. if people are that adamant about this i'll let them submit fixes for it etc.	19:31
*** marcoemorais has quit IRC		19:32
morganfainberg	i really feel like i've spent too much time on it as is already (we all have)	19:32
*** marcoemorais has joined #openstack-keystone		19:32
*** marcoemorais has quit IRC		19:32
*** marcoemorais has joined #openstack-keystone		19:32
morganfainberg	if we need to keep the functionality, it isn't worth re-writing it unless tox can support that.	19:33
morganfainberg	so, lets document the removal or have fixes to make it less bit-rot-y	19:34
morganfainberg	document + remove, but having it do 50% one way 50% the other way is even worse than we have now imo	19:34
ayoung	morganfainberg, would it be running:	19:36
ayoung	testr -e${envs_list} ${recreate} ${testrargs} ${testropts} \| subunit-2to1 \| tools/colorizer.py	19:36
dstanek	supporting 'extra' fields seems more confusing to end users than anything else - are there a lot of cases where they are being used?	19:36
ayoung	dstanek, yeah, we can';t remove extra. Its a way for people to load up their own custom data	19:36
ayoung	regions were origianlly in extra, for example	19:37
morganfainberg	ayoung, and uhm -e{envs_list} would be wrong with testr i think	19:38
morganfainberg	that's tox notation	19:38
morganfainberg	ayoung, lets just agree to disagree on run_tests ;)	19:38
ayoung	testr ${testrargs} ${testropts} \| subunit-2to1 \| tools/colorizer.py	19:38
morganfainberg	dstanek, i've had some people asking about LDAP + extra specs	19:38
ayoung	morganfainberg, we can remove, but lets close out this patch first	19:38
ayoung	dstanek, , oooh, yeah, tell them I'll -2 anything along those lines	19:39
dstanek	ayoung: anything along what lines?	19:39
morganfainberg	ayoung, nah, 50% via testr 50% through tox (or any %) makes it even worse. lets work on documenting instead.	19:39
ayoung	dstanek, more use of extra and LDAP	19:39
morganfainberg	ayoung, yeah i had to tell them "well, no, don't do that"	19:39
dstanek	morganfainberg: i wish that we were explicit and made extra a first class key in the entity	19:40
morganfainberg	unless they want to map specific attributes	19:40
morganfainberg	ayoung, dstanek, extra is dirty, but we can't remove it, we need to figure out how to do that better (if we're changing it)	19:40
*** lbragstad has quit IRC		19:41
morganfainberg	and it would be nice to be able to support that kind of stuff across all the backends, but well... LDAP	19:41
ayoung	AHHH morganfainberg unabandon that right now dagnabit	19:41
ayoung	I was about to post the -N change	19:41
ayoung	you can re-abandon it after I repost, deal?	19:41
morganfainberg	you can unabandon ;) you're core! :)	19:41
ayoung	yeah, but it was your call and your patch	19:41
openstackgerrit	ayoung proposed a change to openstack/keystone: Make run_tests.sh a wrapper for tox https://review.openstack.org/103282	19:42
morganfainberg	ayoung, if you really really want that patch, i'll un-2 it as well	19:42
morganfainberg	but i think it's even worse than before if it conditionally uses tox and testr	19:42
ayoung	morganfainberg, lets leave it for now, don't have to approve or abandon until we have a decision	19:42
morganfainberg	k	19:42
morganfainberg	works for me	19:43
morganfainberg	leaving -2 on it then.	19:43
ayoung	morganfainberg, I would never be able to figure out how to run testr based on the code in the repo. I think run_tests.sh even with the else hack is better than not having anything. tox and venvs are pretty annoying and a case of python-like magic that feels so wrong to me coming from other languages.	19:44
morganfainberg	ayoung, so lets not convert to tox.	19:44
ayoung	morganfainberg, that water has been passed	19:45
morganfainberg	no i mean convert run_tests to tox	19:45
ayoung	morganfainberg, its the venv that is strange, tox just adds an additional level of confusion. Lets at least document what the main developers do with run_tests.sh. I think you did a good job converting, and putting a non-tox option onto run_tests.sh is logical	19:46
*** diegows has joined #openstack-keystone		19:46
ayoung	the python33 conversion will require more logic in the future, especially on RHEL where python2 is going to be the default, and you'll need to do something to run with python33. THat might be venv, might be something else, I don't yet know	19:47
*** gokrokve has joined #openstack-keystone		19:52
*** joesavak has quit IRC		19:55
*** rwsu has quit IRC		19:55
*** Mikalv has quit IRC		19:55
*** jimbaker has quit IRC		19:55
*** xianghui has quit IRC		19:55
*** joesavak has joined #openstack-keystone		19:55
*** jimbaker has joined #openstack-keystone		19:55
*** rwsu has joined #openstack-keystone		19:55
*** jimbaker has quit IRC		19:55
*** jimbaker has joined #openstack-keystone		19:55
*** xianghui has joined #openstack-keystone		19:55
dstanek	ayoung: tox is your best bet if you need to run the tests across multiple versions of python	20:00
ayoung	dstanek, not if you want to test a deployment using system tools, and just want to use the alternative installed python33 toolkit	20:01
ayoung	I've not much looked into collections, and it may use venv, but I don't think so	20:01
dstanek	ayoung: collections?	20:03
ayoung	dstanek, RH software collections: our way of dealing with multiple versions of all the languages etc	20:03
ayoung	http://wiki.centos.org/AdditionalResources/Repositories/SCL	20:04
dstanek	ayoung: ah, ok. even with a way to install multiple versions you have to maintains python deps for each - that's what tox is good at	20:04
morganfainberg	ayoung, yeah lets see what the comments for run_Tests ends up being .	20:05
ayoung	++	20:05
morganfainberg	did RH solve the "pip shoves python installed stuff over the top of the system-installed stuff"?	20:06
morganfainberg	you know how ubuntu places things in usr/local/lib/.... but RH (at least a bit ago) put things in the same place the RPM installed the python libs	20:07
*** rwsu has quit IRC		20:09
*** lbragstad has joined #openstack-keystone		20:11
*** lbragstad has quit IRC		20:12
*** lbragstad has joined #openstack-keystone		20:12
*** dstanek is now known as dstanek_zzz		20:12
*** dstanek_zzz is now known as dstanek		20:12
*** rodrigods has quit IRC		20:15
*** rwsu has joined #openstack-keystone		20:21
morganfainberg	ayoung, ping https://review.openstack.org/#/c/81166/ [revocation events]	20:23
morganfainberg	ayoung, there are a couple issues before we can merge it	20:23
morganfainberg	ayoung, notably, a few lines changed and we introduces a mutable default argument	20:23
morganfainberg	ayoung, that (especially in these events) has a risk of causing all sorts of badness if we're not careful.	20:24
*** Mikalv has joined #openstack-keystone		20:28
*** jaosorior has quit IRC		20:42
*** henrynash has quit IRC		20:42
ayoung	morganfainberg, looking	21:03
ayoung	morganfainberg, ++	21:04
ayoung	hrybacki, you dealing with those ^^?	21:05
morganfainberg	ayoung, mutable defaults scare me :)	21:05
hrybacki	ayoung: ++	21:05
hrybacki	yep	21:05
ayoung	morganfainberg, hrybacki good thinking there.	21:05
hrybacki	morganfainberg, ayoung: what about the possible KeyError?	21:05
morganfainberg	ayoung, hrybacki, it's probably ok, but i also tend to prefer more defensive coding (meaning in this case, handle the edge cases and throw 'known' errors when things go wrong)	21:06
morganfainberg	i wouldn't block the change based upon not catching a KeyError there.	21:07
hrybacki	I'm happy to add it	21:07
ayoung	if it is easy enough to do, lets do it. I can't think of any reason not to, but juan then dings us on untested code.	21:07
hrybacki	ayoung: off to meet family, will make changes (late) tonight or first thing in the AM -- if you have another thoughts shoot on it shoot me an email please :)	21:10
morganfainberg	hrybacki, thanks for keeping at this stuff!	21:10
ayoung	hrybacki, if I do, I'll add to the review	21:11
*** bknudson has quit IRC		21:11
ayoung	dolphm, why do you -2 things that should be -1s? https://review.openstack.org/#/c/107873/ was straight out of a design discussion from last week. If the bug isn't clear, I'll clarify, but come on.	21:12
hrybacki	morganfainberg: ayoung++	21:12
*** hrybacki has quit IRC		21:12
morganfainberg	ayoung, i'd give a comment like that the benefit of the doubt. i've been guilty of mis-clicking -1 and -2 before.	21:13
morganfainberg	or being overzealous on the -score :P	21:14
*** marcoemorais has quit IRC		21:15
morganfainberg	ayoung, so, quick question before i duck out for a late lunch, any thoughts on if we should just do something like what ksc is doing with AccessToken (can't use that class directly at the moment in keystone it has some client-specific-logic in it) for provinding compat across both token versions?	21:15
*** marcoemorais has joined #openstack-keystone		21:16
morganfainberg	or should there be something a bit more 'extract the data and shuffle it around'?	21:16
ayoung	morganfainberg, I don't want to retroactively change V2 or V3 tokens to require a version field	21:16
ayoung	but jamielennox\|away wanted to use AccessInfo here	21:17
ayoung	and I think we can do that, just as afollow on patch	21:17
ayoung	you and jamielennox\|away can come to an agreement on how AccessInfo is supposed to work before we make that change	21:18
ayoung	so we can unify token handling	21:18
morganfainberg	++	21:19
*** rodrigods has joined #openstack-keystone		21:20
*** rodrigods has quit IRC		21:20
*** rodrigods has joined #openstack-keystone		21:20
openstackgerrit	ayoung proposed a change to openstack/keystone: Do not require method attribute on plugins https://review.openstack.org/107873	21:22
*** dims_ has joined #openstack-keystone		21:25
*** dimsum has quit IRC		21:26
openstackgerrit	Morgan Fainberg proposed a change to openstack/keystone: Do not require method attribute on plugins https://review.openstack.org/107873	21:29
morganfainberg	ayoung, ^ fixed your commit message formatting	21:29
openstackgerrit	ayoung proposed a change to openstack/keystone: Do not require method attribute on plugins https://review.openstack.org/107873	21:29
*** dims_ has quit IRC		21:31
*** dims has joined #openstack-keystone		21:32
*** mrmoje has quit IRC		21:46
*** marcoemorais has quit IRC		21:46
*** rodrigods has quit IRC		21:46
*** marcoemorais has joined #openstack-keystone		21:47
*** marcoemorais has quit IRC		21:47
*** marcoemorais has joined #openstack-keystone		21:47
morganfainberg	dolphm, topol, dstanek, re: https://review.openstack.org/#/c/106010/ if keystone raises a HTTP 500 to the middleware when trying to validate a token, should nova return a 500 to the end user or is that a 401 because the middleware couldn't validate the token?	21:48
nkinder	morganfainberg: if you get some time, would you mind reviewing this for me? https://review.openstack.org/#/c/103325/	21:50
morganfainberg	nkinder, sure.	21:50
nkinder	morganfainberg: thx!	21:50
morganfainberg	nkinder, ^ that question i just posed any thoughts?	21:50
topol	morganfainberg I think it should be a 401	21:50
morganfainberg	topol, that is my gut feeling	21:50
nkinder	yeah, 500 is never good to expose I think	21:50
topol	morganfainberg, as a user 500 is misleading. Not good seviceability	21:51
nkinder	for auth, you also don't want to give away information about why something failed	21:51
morganfainberg	if you guys could toss your feedback on that review (either for or against the 500 to the end user) i'd appreciate it	21:51
nkinder	500 could expose an attack venue vs. generic 401	21:51
topol	401 gives them a chance to realize whats going on morganfainberg	21:51
morganfainberg	i am fine going either direction as long as we have good justification to use that response (though, my view is 401 is more correct)	21:52
morganfainberg	topol, nkinder, thanks	21:52
*** gabriel-bezerra has quit IRC		21:52
morganfainberg	and the attack concern is very valid	21:53
openstackgerrit	Clayton O'Neill proposed a change to openstack/keystone: Add pluggable range functions for token flush https://review.openstack.org/101726	21:53
*** gabriel-bezerra has joined #openstack-keystone		21:53
topol	morganfainberg I just -1 and added acomment	21:54
morganfainberg	thanks	21:54
*** joesavak has quit IRC		21:55
topol	dstanek, sorry about the tweet	21:56
morganfainberg	nkinder, for that change https://review.openstack.org/#/c/103325 would the fakeldap impl explode in the same way?	21:56
dstanek	morganfainberg, topol: agreed on the 401	21:57
*** thedodd has quit IRC		21:57
dstanek	topol: no worries, i was just messing with you	21:57
morganfainberg	nkinder, or is it only a real ldap backend that would error like that?	21:57
topol	dstanek, for giggles I may try and python 3-ize a test case. Is there an easy one you dont have on your list to do right away	21:57
topol	this weekend	21:58
nkinder	morganfainberg: IIRC, it will blow up either way	21:58
dstanek	topol: i don't have any on my list right now - most of them should be pretty easy	21:58
morganfainberg	nkinder, ok, i thought so, but since it was a new test...	21:58
morganfainberg	nkinder, just 2x checking :)	21:58
dstanek	topol: i would just add in a test_*.py to the tox.ini and fix any resulting errors	21:58
nkinder	morganfainberg: it came about from someone tweaking the config in the wrong way	21:59
dstanek	topol: i'll be around most of the weekend so feel free to ping me if you have questions	21:59
morganfainberg	topol, python3-ize the ldap backend test-case >.>	21:59
topol	dstanek, cool I'll just pick one then. I assume you add it to tox.ini and then run tox just for 3.0 and looks for flareups?	21:59
morganfainberg	topol ducks	21:59
* morganfainberg stops being evil.		21:59
topol	morganfainberg, ouc. the bus you just parked on me hurts	21:59
dstanek	topol: yep 'tox -e py33'	21:59
* morganfainberg needs lunch and to run up to Santa Barbara		22:00
topol	dstanek, cool I'll give it a whirl, thanks	22:00
morganfainberg	before traffic is awful	22:00
* topol topol sick of building chart decks...		22:01
*** gabriel-bezerra has quit IRC		22:01
morganfainberg	nkinder, last question https://review.openstack.org/#/c/103325/1/keystone/tests/test_backend_ldap.py line 638, is that supposed to use the config fixture?	22:01
*** marcoemorais has quit IRC		22:01
*** gabriel-bezerra has joined #openstack-keystone		22:02
morganfainberg	actually, not sure it matters	22:02
morganfainberg	nvm	22:02
nkinder	morganfainberg: that line is basically removing 'default_project_id' from the list of attributes to ignore (and it's mapped to None by default)	22:03
morganfainberg	right	22:03
nkinder	morganfainberg: you tell me if it should be using the config fixture...	22:05
morganfainberg	nkinder, i think it's fine as is	22:05
*** gabriel-bezerra has quit IRC		22:05
morganfainberg	nkinder, the ldap backends are wonky when it comes to config	22:05
*** gabriel-bezerra has joined #openstack-keystone		22:06
morganfainberg	nkinder, but i haven't figured out how to fix it so they aren't copying config values to themselves (w/o breaking other things)	22:06
*** gokrokve has quit IRC		22:20
*** kevinbenton has joined #openstack-keystone		22:24
*** topol has quit IRC		22:24
kevinbenton	hello, does anyone know if there is current work to upgrade neutron to use the v3 API?	22:24
openstackgerrit	Lance Bragstad proposed a change to openstack/keystone: Initial implementation of validator https://review.openstack.org/86483	22:28
openstackgerrit	Lance Bragstad proposed a change to openstack/keystone: Implement validation on Policy V3 API https://review.openstack.org/104065	22:28
openstackgerrit	Lance Bragstad proposed a change to openstack/keystone: Implement validation on Catalog V3 resources https://review.openstack.org/96266	22:28
openstackgerrit	Lance Bragstad proposed a change to openstack/keystone: Implement validation on Assignment V3 resources https://review.openstack.org/86484	22:28
openstackgerrit	Lance Bragstad proposed a change to openstack/keystone: Implement validation on Trust V3 API https://review.openstack.org/104066	22:28
openstackgerrit	Lance Bragstad proposed a change to openstack/keystone: Implement validation on Credential V3 https://review.openstack.org/98522	22:28
*** morganfainberg is now known as morganfainberg_Z		22:33
*** lbragsta_ has joined #openstack-keystone		22:36
*** marcoemorais has joined #openstack-keystone		22:37
*** lbragstad has quit IRC		22:39
*** lbragsta_ has quit IRC		22:40
*** dims_ has joined #openstack-keystone		22:50
*** dims has quit IRC		22:50
*** marcoemorais has quit IRC		23:07
*** marcoemorais has joined #openstack-keystone		23:07
*** marcoemorais has quit IRC		23:07
*** marcoemorais has joined #openstack-keystone		23:07
*** marcoemorais has quit IRC		23:27
*** marcoemorais has joined #openstack-keystone		23:29
*** mrmoje has joined #openstack-keystone		23:31
*** marcoemorais has quit IRC		23:48
*** dims_ has quit IRC		23:51
*** marcoemorais has joined #openstack-keystone		23:58

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!