Monday, 2014-07-28

*** gokrokve has quit IRC00:03
*** topol has joined #openstack-keystone00:12
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Remove mox dependency  https://review.openstack.org/10988700:38
*** diegows has quit IRC01:11
*** mberlin1 has quit IRC01:43
*** mberlin has joined #openstack-keystone01:44
*** xianghui has joined #openstack-keystone01:47
*** dims has quit IRC01:52
*** dims has joined #openstack-keystone01:54
*** hrybacki has joined #openstack-keystone01:58
openstackgerritwanghong proposed a change to openstack/keystone: Do not consume trust uses when create token fails  https://review.openstack.org/10344502:03
*** mtl11 has quit IRC02:04
*** mtl1 has joined #openstack-keystone02:04
*** alex_xu has joined #openstack-keystone02:10
*** dims has quit IRC02:14
*** ncoghlan has joined #openstack-keystone02:53
*** hrybacki has quit IRC02:55
*** gabriel-bezerra has quit IRC03:09
*** gabriel-bezerra has joined #openstack-keystone03:10
*** traz__ has joined #openstack-keystone03:14
traz__Hi, I'm trying to integrate swift with keystone.03:15
traz__The token is generated but I'm getting authorization issue when using the token03:17
traz__Please see : http://paste.openstack.org/show/88339/ http://paste.openstack.org/show/88340/03:18
*** arunkant has quit IRC03:18
*** arunkant has joined #openstack-keystone03:18
jamielennoxtraz__: do you have logs from swift?03:23
traz__we are getting following logs: http://paste.openstack.org/show/88608/03:27
jamielennoxtraz__: can you run it with --debug and get the logs again?03:29
jamielennoxalso perhaps the keystone_authtoken part of your swift config03:29
traz__In the request to swift is the URL and token passed correctly ? or there is some problem with syntax ?03:30
jamielennoxtraz__: it looks ok, and i think it is being found in auth token middleware, just want to see what is happening on the swift side that is causing the rejection03:33
jamielennoxi'm *guessing* that it might be how you've configured auth_token in swift to talk to keystone03:33
*** alex_xu has quit IRC03:33
traz__This is the swift configuration file proxy-server.conf : http://paste.openstack.org/show/88609/03:34
jamielennoxi don't think service_host and service_port do anything there but the rest looks ok03:37
jamielennoxalthough i'm not sure exactly what keystone_auth is03:38
jamielennoxit doesn't exist in keystoneclient though03:39
*** gabriel-bezerra has quit IRC03:40
*** gabriel-bezerra has joined #openstack-keystone03:41
*** alex_xu has joined #openstack-keystone03:42
*** dims has joined #openstack-keystone03:54
traz__jamielennox : I removed the keystone from the pipeline -- pipeline = catch_errors healthcheck cache authtoken proxy-server03:54
traz__and it worked, thanks for pointing that out03:55
*** chandankumar has joined #openstack-keystone03:55
jamielennoxtraz__: great, glad i could help03:56
*** ncoghlan is now known as ncoghlan_afk03:57
*** mitz_ has joined #openstack-keystone03:58
*** mitz has quit IRC03:58
openstackgerritJeffrey Zhang proposed a change to openstack/keystone: Redirect stdout and stderr when using subprocess  https://review.openstack.org/5161004:00
*** gabriel-bezerra has quit IRC04:06
*** gabriel-bezerra has joined #openstack-keystone04:07
*** ncoghlan_afk is now known as ncoghlan04:54
*** xianghuihui has joined #openstack-keystone04:57
*** ajayaa has joined #openstack-keystone04:58
*** Guest79468 is now known as gpocentek04:58
*** gpocentek has joined #openstack-keystone04:58
*** xianghui has quit IRC04:59
*** dims has quit IRC05:00
*** xianghuihuihui has joined #openstack-keystone05:05
*** amerine has quit IRC05:06
*** xianghuihui has quit IRC05:07
*** amerine has joined #openstack-keystone05:08
*** jamielennox is now known as jamielennox|away05:11
*** stevemar has quit IRC05:11
*** k4n0 has joined #openstack-keystone05:17
*** topol has quit IRC05:34
*** ncoghlan is now known as ncoghlan_afk05:38
*** jaosorior has joined #openstack-keystone05:42
*** ukalifon has joined #openstack-keystone05:44
*** ukalifon3 has joined #openstack-keystone05:50
*** ukalifon has quit IRC05:52
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/10693906:04
*** ncoghlan_afk is now known as ncoghlan06:20
*** tomoiaga has joined #openstack-keystone06:30
*** afazekas is now known as __afazekas06:33
*** bvandenh has joined #openstack-keystone06:36
*** afazekas_ has quit IRC06:39
*** gabriel-bezerra has quit IRC06:39
*** gabriel-bezerra has joined #openstack-keystone06:40
*** dims has joined #openstack-keystone06:45
*** gabriel-bezerra has quit IRC06:46
*** gabriel-bezerra has joined #openstack-keystone06:46
*** dims has quit IRC06:49
*** henrynash has joined #openstack-keystone07:03
*** afazekas_ has joined #openstack-keystone07:18
*** henrynash has quit IRC07:20
*** henrynash has joined #openstack-keystone07:32
*** henrynash has quit IRC07:44
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Versioned Endpoint hack for Sessions  https://review.openstack.org/9063208:01
*** xianghuihui has joined #openstack-keystone08:07
*** xianghuihuihui has quit IRC08:08
*** bvandenh has quit IRC08:19
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Catch correct oslo.db exception  https://review.openstack.org/10893508:20
*** chmouel has quit IRC08:30
*** bvandenh has joined #openstack-keystone08:31
*** chmouel has joined #openstack-keystone08:32
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: Overwrite get_endpoint in Saml2UnscopedToken.  https://review.openstack.org/10957508:38
*** henrynash has joined #openstack-keystone08:40
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: List federated projects and domains  https://review.openstack.org/10739308:43
*** ajayaa has quit IRC08:44
*** ajayaa has joined #openstack-keystone08:45
*** henrynash has quit IRC08:52
*** dobson has quit IRC09:08
*** dobson has joined #openstack-keystone09:13
*** alex_xu has quit IRC09:14
openstackgerritwanghong proposed a change to openstack/keystone: Do not consume trust uses when create token fails  https://review.openstack.org/10344509:23
*** ncoghlan has quit IRC09:30
*** gabriel-bezerra has quit IRC09:43
*** gabriel-bezerra has joined #openstack-keystone09:44
*** xianghuihui has quit IRC09:46
*** gabriel-bezerra has quit IRC09:54
*** gabriel-bezerra has joined #openstack-keystone09:55
*** openstackgerrit has quit IRC10:01
*** mitz_ has quit IRC10:17
*** mitz has joined #openstack-keystone10:18
*** mitz has quit IRC10:18
*** mitz has joined #openstack-keystone10:20
*** gabriel-bezerra has quit IRC11:05
*** gabriel-bezerra has joined #openstack-keystone11:06
*** afazekas_ is now known as afazekas11:21
*** cjellick has joined #openstack-keystone11:32
*** cjellick has quit IRC11:33
*** cjellick has joined #openstack-keystone11:33
*** gabriel-bezerra has quit IRC11:37
*** gabriel-bezerra has joined #openstack-keystone11:37
*** gabriel-bezerra has quit IRC11:39
*** gabriel-bezerra has joined #openstack-keystone11:40
*** Simon_sing has joined #openstack-keystone11:50
Simon_singhey guys, has anyone working ActiveDirectory + Kerberos Keystone via wsgi in apache? Right now I have working Keystone via WSGI and trying to use base auth to later do kerberos, but can't make it work in python-keystoneclient.11:53
*** miqui has quit IRC11:54
*** gabriel-bezerra has quit IRC11:56
*** gabriel-bezerra has joined #openstack-keystone11:57
*** diegows has joined #openstack-keystone12:06
*** chandankumar has quit IRC12:34
*** hrybacki has joined #openstack-keystone12:41
*** gabriel-bezerra has quit IRC12:41
*** erecio has joined #openstack-keystone12:42
*** gabriel-bezerra has joined #openstack-keystone12:42
*** gordc has joined #openstack-keystone12:43
*** vhoward has joined #openstack-keystone12:49
*** k4n0 has quit IRC12:50
*** joesavak has joined #openstack-keystone12:50
*** erecio has quit IRC12:51
*** jasondotstar has joined #openstack-keystone12:52
*** bvandenh has quit IRC12:53
*** erecio has joined #openstack-keystone12:59
*** gabriel-bezerra has quit IRC12:59
*** gabriel-bezerra has joined #openstack-keystone13:00
*** erecio has quit IRC13:05
*** _elmiko is now known as elmiko13:05
*** elmiko has left #openstack-keystone13:06
*** bvandenh has joined #openstack-keystone13:06
*** topol has joined #openstack-keystone13:06
*** lbragstad has joined #openstack-keystone13:15
*** lbragstad has quit IRC13:15
*** lbragstad has joined #openstack-keystone13:16
*** gabriel-bezerra has quit IRC13:17
*** bknudson has quit IRC13:18
*** gabriel-bezerra has joined #openstack-keystone13:19
*** openstackgerrit has joined #openstack-keystone13:32
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixes a capitalization issue  https://review.openstack.org/10881113:37
*** bknudson has joined #openstack-keystone13:38
*** stevemar has joined #openstack-keystone13:39
*** xianghuihui has joined #openstack-keystone13:53
*** dims has joined #openstack-keystone13:56
*** hrybacki has quit IRC14:00
dolphmthere's a bug against pretty much every project that tox 1.7.2's random PYTHONHASHSEED causes test failures - but i'm not seeing any. do we have another workaround (?) or have we just written better tests..?14:02
dolphmhttps://bugs.launchpad.net/nova/+bug/134881814:02
uvirtbotLaunchpad bug 1348818 in neutron "Unittests do not succeed with random PYTHONHASHSEED value" [Undecided,In progress]14:02
dstanekbknudson, dolphm: i'm confused by https://review.openstack.org/#/c/108935/2/keystone/tests/test_sql_upgrade.py - will we not know which exception is thrown for a given test run?14:03
bknudsondstanek: I believe that oslo.db is in the process of changing which exceptions are thrown14:03
dolphmdstanek: correct14:03
*** zzzeek has joined #openstack-keystone14:04
dolphmbknudson: ++ they're going to stop emitting IntegrityError and start returning DBDuplicateEntry14:04
dstanekso that'll change from one test run to the next?14:04
dolphmdstanek: only if you sync oslo.db in between14:04
dolphmor is oslo.db its own package now?14:04
*** gabriel-bezerra has quit IRC14:05
bknudsonwe're using oslo.db from pypi14:05
dolphmdstanek: yeah... so it's for backwards compatibility with older releases14:05
*** gabriel-bezerra has joined #openstack-keystone14:05
dstanekdolphm: ah, ok. backwards compat seems odd for tests14:06
dolphmdstanek: it's just like our changes to tempest to support two responses from keystone for a short duration14:06
bknudsondstanek: it is weird that the only change is in test.14:06
dolphmdstanek: once they can release a new oslo.db without breaking everyone, the FIXME can be removed14:07
*** Simon_sing has quit IRC14:07
dolphmbknudson: ++ this shouldn't be Closes-Bug, this is just a partial fix. @handle_conflicts also needs to know about both14:08
*** tristanC_ is now known as tristanC14:10
dstanekbknudson: yep, you beat me to it. i just grepped for IntegrityError and found that too14:11
dolphmdstanek: you mean acked, right? :P http://beyondgrep.com/14:13
dstanekdolphm: i say grep as a habit, but then use the ack plugin for vim14:14
dolphmdstanek: i need to get into the habit of using the plugin. i always use it from bash and then have to jump back and forth, or -C <a-lot>14:15
boris-42dolphm bknudson jamielennox|away hi guys14:19
boris-42dolphm bknudson  jamielennox|away I made one spec for OSprofiler integration, cause it's quite similar for all projects14:19
boris-42https://review.openstack.org/#/c/103825/3/specs/juno/osprofiler-cross-service-project-profiling.rst14:19
boris-42dolphm bknudson  jamielennox|away ^ if you would like to discuss details now there is common place for that14:20
*** joesavak has quit IRC14:23
*** david-lyle has joined #openstack-keystone14:28
*** ukalifon3 has quit IRC14:30
*** diegows has quit IRC14:31
*** topol has quit IRC14:36
*** needscoffee has joined #openstack-keystone14:38
needscoffeemornin14:39
ayoungneedscoffee, you are up early14:40
needscoffeeayoung: not really. usually up about an hour earlier14:40
needscoffeemaybe early for being on IRC.14:40
needscoffeestevemar: so any thoughts on the token stuff... ?14:41
ayoungneedscoffee, you a nkinder .  Early birds by West Coast Coding Cultural Standards (WCCS)14:41
ayoungSorry, that is WC3S14:41
needscoffeestevemar: do we just special case the federated users and not check domain, but only check idp?14:41
needscoffeeayoung: LOL :)14:41
ayoungneedscoffee, check domain where?14:42
ayoungneedscoffee, cuz pretty sure the answer to that is no14:42
needscoffeeayoung: revocation events14:42
*** ajayaa has quit IRC14:42
*** hrybacki has joined #openstack-keystone14:42
needscoffeeayoung: the user in federated tokens doesn't have a "domain"14:42
needscoffeeit breaks revocation events.14:42
ayoungIdP is not yet in Revocation Events14:42
needscoffeeas in.. BOOM can't validate the token14:43
*** lbragstad has quit IRC14:43
ayoungfederated tokens should have a domain14:43
needscoffeeayoung:  they do, the user does not14:43
needscoffeetoken['user']['domain'] == keyerror14:43
stevemarcorrect14:43
ayoungI mean all users should have a domain.  Period.  Full Stop.14:43
stevemarthen we have to update the token issued with a domain key14:44
stevemarthen comes the question of what value do we attach to it?14:45
ayoungstevemar, and we need to associate domains with the IdP.  It can be an implicit relationship if we want:  each IdP is a separate domain,14:45
stevemarthat's what i was thinking14:45
needscoffeeayoung: stevemar: https://github.com/openstack/keystone/blob/master/keystone/token/providers/common.py#L490-L500 special case token format14:45
openstackgerritDiane Fleming proposed a change to openstack/identity-api: JSON Home support  https://review.openstack.org/10988114:45
ayoungstevemar, I could see allowing an Idp to support multiple domains, but I would not want to split a domain over multiple IdPs14:45
ayoungstevemar, use the SQL backend as an example14:45
ayoungit supports multiple domains14:45
ayoungLDAP, OTOH is one backend, one domain14:46
ayoungSAML  would start off like LDAP, but, maybe, allow for two different domains in the future from the same IdP based on a mapped value14:46
needscoffeeayoung: i think multiple domains might make it tricky with the user_id mapping14:46
ayoungfor Kerberos, that makes a lot of sense:  the REALM  is part of REMOTE_USER and user_name would be the user part, domain the REALM part14:47
ayoungfor Kerberos trusts, that is pretty much the model we are expecting to have to support14:47
ayoungBTW, Kerberos trusts are not Keystone trusts....14:48
needscoffeeayoung: hehe14:48
ayoungKerberos is Idp to Idp,  Keystone user2user14:48
ayounglet's start with one domain per IdP14:48
needscoffeeayoung: explicit as in in the idp table?14:49
needscoffeeayoung: and how do we manage that migration path?14:49
ayoungneedscoffee, let's start with IdPid == domain id14:49
ayoungthey are in separate backends, right?14:49
needscoffeeayoung: make it an implicit domain?14:49
needscoffeeayoung: yeah separate tables.14:50
needscoffeeayoung: and separate backends14:50
needscoffeeyou know. we could just make it a code-construct domain "federated"14:50
bknudsonthat would be like the default domain14:51
needscoffeebknudson: is that wrong? we could just make this domain a holder for these users. but not a valid target for projects etc14:51
openstackgerritDiane Fleming proposed a change to openstack/identity-api: Cleanup  https://review.openstack.org/10988214:51
bknudsonI don't think it's wrong.14:52
bknudsonbtw, do we support revoking all tokens for an idp?14:52
*** thedodd has joined #openstack-keystone14:52
bknudsone.g., if you disable an idp14:52
needscoffeebknudson: no, that is on the list to fix14:52
bknudsony, thought we punted on that one14:52
needscoffeebknudson: the thought was that was a revocation event thing14:53
dstanekbknudson: you want https://review.openstack.org/#/c/109602/ merged right?14:53
bknudsonmaking the idp id the user domain id would support that.14:53
needscoffeebknudson: btw, i tagged the mysql timestamp issue to j3.14:53
bknudsondstanek: y, all the issues in that chain are to fix issues with revocation events14:53
needscoffeebknudson: yes it would, it's an easy change either way, which provides the most benefit and the least headache is my only question.14:54
*** tomoiaga has quit IRC14:54
dstanekbknudson: ok, i saw you did a -1 with a comment about working on the bug separately and didn't know if you removed the -1 on accident by pushing a new changeset14:55
openstackgerritBrant Knudson proposed a change to openstack/keystone: Fix revoking a scoped token from an unscoped token  https://review.openstack.org/10938914:55
*** lbragstad has joined #openstack-keystone14:56
bknudsondstanek: I had a patch that was fixing multiple problems and then I noticed I could fix the one problem without the other so I split it out.14:56
bknudsonand then I wound up reordering the patches. I think they're right now.14:57
needscoffeeayoung: stevemar: so are there any real reasons we shouldn't do idpid=domain_id (concerns about collisions, other odd interactions)?14:57
ayoungneedscoffee, we need to test for collisions, I think, but they should be rare.  IdPid and Domain ID are both Keystone specified14:58
stevemarneedscoffee, i think it's fine.14:58
bknudsonneedscoffee: how else would you associate a idp id with a domain ID? something in the mapping?14:58
ayoungif you add a new IdP and it conflicts with an existing domain, you need to reset the IdP14:58
ayoungOr..maybe that should be something explicitly required?  A migration path where users were in SQL, and you want to move to SAML?14:59
ayoungthose can be later additions, though14:59
needscoffeebknudson: the way it is currently implemented, idp doesn't associate to a domain, groups associate to a domain via identity backend14:59
needscoffeebknudson:  and you map to a group14:59
needscoffeebknudson: so in theory an idp user could be part of multiple domains14:59
bknudsonI don't think it would make sense to use the groups domains.15:00
bknudsonbut doing a mapping like @us.ibm.com -> domain us and @eu.ibm.com -> domain eu might make sense15:00
needscoffeeright, i'm just feeling out if idpid should be the domain id or we should just call all federated users part of the default-like "Federated" domain15:00
bknudsonI'm fine with idp ID becomes the domain ID15:01
needscoffeeand do revocations on idpid (which is in the token already)15:01
bknudsonwouldn't the token have the idp ID as the user's domain?15:02
needscoffeebknudson: yes and it would also have OS-FEDERATED:idp -> idpid15:02
needscoffeeor well user['OS-FEDERATED']['identity_provider']['id'] it looks like15:04
*** joesavak has joined #openstack-keystone15:05
bknudsonneedscoffee: it's not going into the token values for revocation: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/contrib/revoke/model.py#n26715:05
needscoffeebknudson: no not yet15:07
ayoungneedscoffee, I would err on the side of domain being more restrictive than the "Federated Domain" as it is easier to go from smaller to larger.  If we end up having to combine @us.ibm.com and @eu.ibm.com that is simpler than trying to chisel all of IBM out of the "IDP DOMAIN"15:07
needscoffeeayoung: i don't *think* that use case would change with either implementation15:09
needscoffeeayoung: federated setup would change and you'd auth against the "new" IDP in the combined case, users would still be part of the federated domain.15:10
*** gabriel-bezerra has quit IRC15:10
*** gabriel-bezerra has joined #openstack-keystone15:10
needscoffeeayoung: i'm still thinking it over, once i get my breakfast and coffee, i'll probably have a clearer thought on this15:11
ayoungneedscoffee, just remember that once stuff is in Keystone, it is used by lots of systems out there, and that is the binding we need to respect15:13
dstanekdolphm: i'm looking at assignment validation now...were you saying the other day that i shouldn't be able to update a project with a null domain_id?15:13
bknudsondstanek: domain_id should not be nullable15:14
dstanekbknudson: that makes more sense15:15
*** topol has joined #openstack-keystone15:15
needscoffeeayoung: right and i'm concerned that if we are locking up domain ids from a system that isn't controlled by the domain / assignment backend, we're going to run into issues15:16
openstackgerritDiane Fleming proposed a change to openstack/identity-api: Fix build issue with Identity v2.0  https://review.openstack.org/11001715:16
needscoffeeayoung: so each domain created has to check to see if its new id is in the idp backend, and vice versa15:16
needscoffeeayoung: it is triggering the thought that it might be a fragile setup.15:17
ayoungneedscoffee, hmm, I would think the domainid would win out, and we do a migration that all Idp ids go into the domain backend15:17
ayoungadd a new Idp, add the domain id at the same time15:17
needscoffeeayoung: that would be bad. i create a domain, it collides with an idp, now that idp is part of the domain15:18
needscoffee?15:18
ayoungneedscoffee, no15:18
openstackgerritDiane Fleming proposed a change to openstack/identity-api: Cleanup  https://review.openstack.org/10988215:18
ayoungstep one, migrate all Idps to have a domainid15:18
ayoungonly here do we have the possibility of a clash, and that should be fairly early on15:18
needscoffeeayoung: so... idpid is *sortof* a FK [but not in a sql sense]15:19
ayoungstep two, add an Idp,  add the corresponding domainids15:19
ayoungyep15:19
needscoffeeayoung: i think that sounds awful15:19
ayoungneedscoffee, if we make Idps a core concept, we will make them FKs15:19
ayoungneedscoffee, that is the "default"15:19
ayoung needscoffee I would actually do it like this:15:19
needscoffeedoes federation work with ldap assignment?15:20
ayoungeach domain gets an Idp ID value15:20
openstackgerritDiane Fleming proposed a change to openstack/identity-api: JSON Home support  https://review.openstack.org/10988115:20
ayoungif it is None, it is in the SQL backend15:20
ayoungthen, each LDAP source gets a unique Identifier15:20
ayoungjust to grandfather those in15:20
openstackgerritA change was merged to openstack/keystone: Fixes a capitalization issue  https://review.openstack.org/10881115:21
ayoungbut the rest assume that the IdP id points to the IdP table15:21
ayoungand thus each Idp can support one or more domains15:21
*** xianghuihui has quit IRC15:21
ayoungNow, for the existing Idps, we can set the domainid value to be the same as the IdP id, if we think that things "out there" are going to be already referring to the IdP id15:22
*** gabriel-bezerra has quit IRC15:22
needscoffeeayoung: i'm missing something "the rest assume that the idp id points to the idp table"?15:23
*** gabriel-bezerra has joined #openstack-keystone15:23
ayoungneeds cidde domain.idp_id  is a "fkey" to the idp table15:23
dolphmuhh, after upgrading to tox 1.7.2 (i think?): Ran 3978 (+13) tests in 264.692s (-768.156s)15:23
needscoffeeayoung: cidde?15:24
ayoungheh15:24
ayoungneedscoffee, that was supposed to be you15:25
needscoffeeah15:25
ayoungneedscoffee,  domain.idp_id  is a "fkey" to the idp table15:25
needscoffeedolphm: that is worrisome15:25
dolphmerr, has a very short term memory. i just installed tox 1.7.2 but that was running testr directly lol15:27
needscoffeedolphm: ah15:27
needscoffeestill a little odd15:27
dolphmneedscoffee: i'll keep poking around15:28
dolphmneedscoffee: was trying to repro https://bugs.launchpad.net/keystone/+bug/134881815:28
uvirtbotLaunchpad bug 1348818 in neutron "Unittests do not succeed with random PYTHONHASHSEED value" [Undecided,In progress]15:28
needscoffeedolphm: ah15:28
needscoffeedolphm: isn't HASHSEED py3.x only?15:28
needscoffeePYTHONHASHSEED15:29
dolphmneedscoffee: good question; i'm not familiar with it15:29
*** dims has quit IRC15:29
dolphmneedscoffee: https://docs.python.org/2/using/cmdline.html#envvar-PYTHONHASHSEED15:29
needscoffeedolphm: ah15:31
needscoffeedolphm: yep15:31
ayoungneedscoffee, http://martinfowler.com/articles/collection-pipeline/   for tokens  in the not-too-distant-I-hope-future15:35
needscoffeeayoung: Kilo if someone has cycles to work on it i think15:36
ayoungneedscoffee, or maybe it is something that we work into existing features.  I think the Token Provider class in tokens/  could be just that15:36
ayoungthe /providers then become pieces of the pipeline15:37
ayoungas changes go in, like the Federation mapping thing, we make them more explicit pieces of the pipeline15:37
needscoffeeayoung: it isn't happening in Juno.15:37
needscoffeeayoung: there is too much to be done to re-work that too15:37
ayoungneedscoffee, heh,15:37
ayoungneedscoffee, so I would say "don't make it explicitly externally defined"  but rather "code it in python"  as a first step15:38
ayoungthen we can refactor to a pipeline without exposing to the outside world15:38
ayoungonly once we have a clean pipeline defined in python do we make it something externally composable15:38
needscoffeeayoung: I'm not committing to that.15:38
ayoungand not make it a big band15:38
ayoungbang15:38
needscoffeeayoung: if someone else has the cycles to do that i'm fine with the attempt, but i see it as a pretty low priority at this point15:39
*** david-ly_ has joined #openstack-keystone15:40
*** gyee has joined #openstack-keystone15:40
*** cjellick has quit IRC15:40
ayoungneedscoffee, I think you misunderstand.  I say we do it as part of other features, not a deliberate effort at this point15:41
needscoffeeayoung: we already have it mostly in the v3 token data formatter thing15:41
ayoungjust so long as we have a clear picture of what it should look like in the end, and we can all understand the goal15:41
ayoungyep, and you've pushed that a long way ahead15:42
needscoffeeayoung: i'm still not committing to it, in fact i am not committing to saying the pipeline is the right answer15:42
*** david-ly_ is now known as david-lyle_15:42
needscoffeeneedscoffee: right now i'm staying committed to trying to get non-persistent out the door :)15:42
*** cjellick has joined #openstack-keystone15:42
needscoffees/needscoffee/ayoung15:42
ayoung++15:42
*** david-lyle has quit IRC15:42
ayoungneedscoffee, and I to getting Horizon Kerberized15:43
needscoffeeayoung: yeah, so, i think this is a Kilo-ish timeline at best :)15:43
ayoungneedscoffee, Oh, yeah.  just need to have it demo-able for the next summit15:43
ayoungthat should make most of the required work apparent15:43
*** gabriel-bezerra has quit IRC15:44
*** gabriel-bezerra has joined #openstack-keystone15:45
needscoffeeayoung: i mean the pipeline not the kerberize15:46
needscoffeeayoung: because you're busy working on kerberize, etc15:46
ayoungneedscoffee, I would say that it should be a design goal, and we get it when we get it15:46
ayoungnot that it should be something we explicitly push for,  until someone asks for it15:46
ayoungjust an understood "this is how tokens really should work"15:46
needscoffeeayoung: i think we need to talk that one through at the summit. and on that note, i'm going to go get coffee and breakfast.15:47
ayoungneedscoffee, for example, I could probably rewrite the PKIZ provider as a specific pipeline, instead of as a subclass, and it would be much cleaner, without affecting how things are implemented15:47
ayoung++15:48
ayounggo for it15:48
*** david-lyle_ is now known as david-lyle15:52
openstackgerritDolph Mathews proposed a change to openstack/keystone: Add workaround to support tox 1.7.2  https://review.openstack.org/11003915:56
*** lbragsta_ has joined #openstack-keystone15:56
dolphmneedscoffee: you should be able to run tox 1.7.2 with that ^15:56
bknudsonisn't the point of the bug that the tests are wrong?15:57
*** marcoemorais has joined #openstack-keystone15:58
*** marcoemorais has quit IRC15:58
*** lbragstad has quit IRC15:59
*** lbragsta_ has quit IRC16:01
*** lbragstad has joined #openstack-keystone16:02
*** needscoffee has quit IRC16:02
*** marcoemorais has joined #openstack-keystone16:03
*** gabriel-bezerra has quit IRC16:06
*** gabriel-bezerra has joined #openstack-keystone16:06
mtl1Hi. Is there a way I can define a self-signed CA file with keystone specifically? I already have OS_CACERT set in my ENV, and every other openstack service I've used it with works, but keystone just keeps giving me "SSL Library Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (SSL alert number 48)" when I do something like keystone endpoint-list.16:10
hrybackidstanek: when mocking a GET response with httpretty in a test class's setUp() -- where should httpretty.activate be called?16:11
dstanekhrybacki: i think it would still be used as a decorator on the test method16:17
hrybackidstanek: interesting -- so the decorator didn't work at either the setUp() or the test method itself.16:22
hrybackiBut, before registering the URI(s)16:23
dstanekhrybacki: can you paste me an example of what you are doing?16:23
hrybacki        httpretty.reset()16:23
hrybacki        httpretty.enable()16:23
hrybacki        self.addCleanup(httpretty.disable)16:23
hrybackiworked16:23
hrybackidstanek: running to a meeting but I will as soon as I get back16:23
dstanekhrybacki: ok16:23
openstackgerritA change was merged to openstack/identity-api: Fix build issue with Identity v2.0  https://review.openstack.org/11001716:24
*** gabriel-bezerra has quit IRC16:24
*** gabriel-bezerra has joined #openstack-keystone16:25
openstackgerritBrant Knudson proposed a change to openstack/identity-api: JSON Home support  https://review.openstack.org/10988116:25
openstackgerritBrant Knudson proposed a change to openstack/identity-api: Cleanup  https://review.openstack.org/10988216:25
openstackgerritBrant Knudson proposed a change to openstack/identity-api: Cleanup  https://review.openstack.org/10988216:25
openstackgerritBrant Knudson proposed a change to openstack/identity-api: JSON Home support  https://review.openstack.org/10988116:26
*** gabriel-bezerra has quit IRC16:28
*** gabriel-bezerra has joined #openstack-keystone16:29
*** jsavak has joined #openstack-keystone16:29
*** joesavak has quit IRC16:32
*** diegows has joined #openstack-keystone16:41
*** bearhands is now known as comstud16:46
*** jdennis1 has joined #openstack-keystone16:47
*** jdennis has quit IRC16:48
*** shakamunyi has joined #openstack-keystone16:54
*** gabriel-bezerra has quit IRC16:59
*** gabriel-bezerra has joined #openstack-keystone17:00
openstackgerritRaildo Mascena de Sousa Filho proposed a change to openstack/keystone-specs: Hierarchical Multitenacy  https://review.openstack.org/10101717:02
*** vhoward has left #openstack-keystone17:02
*** rwsu has joined #openstack-keystone17:13
*** diegows has quit IRC17:19
*** harlowja_away is now known as harlowja17:20
*** afazekas has quit IRC17:22
openstackgerritA change was merged to openstack/keystone: Add tests related to V2 token issued_at time changing  https://review.openstack.org/10960217:27
openstackgerritgordon chung proposed a change to openstack/keystonemiddleware: Adding audit middleware to keystonemiddleware  https://review.openstack.org/10295817:29
*** mtl1 has quit IRC17:30
*** henrynash has joined #openstack-keystone17:31
*** amcrn has joined #openstack-keystone17:34
openstackgerritBrant Knudson proposed a change to openstack/keystone: JSON-Home for V3  https://review.openstack.org/10398317:37
*** marcoemorais has quit IRC17:37
*** marcoemorais has joined #openstack-keystone17:38
*** gabriel-bezerra has quit IRC17:39
*** gabriel-bezerra has joined #openstack-keystone17:40
*** __afazekas is now known as afazekas17:40
*** thedodd has quit IRC17:41
*** morganfainberg_Z is now known as morganfainberg17:42
morganfainbergdolphm, hm.17:43
*** henrynash has quit IRC17:44
morganfainbergbknudson, yes the bug is the tests are wrong, but we're moving to 1.7.2 in gate (i think), meaning we do this like a hacking check, "band-aid" then work on a real fix17:44
*** lbragstad has quit IRC17:47
*** ukalifon has joined #openstack-keystone17:48
morganfainbergdolphm, it doesn't look like we're going to have a hard time fixing the tests for PYTHONHASHSEED17:52
*** gabriel-bezerra has quit IRC17:52
morganfainbergdolphm, only ~19 failures.17:52
*** gabriel-bezerra has joined #openstack-keystone17:53
*** mtl1 has joined #openstack-keystone17:53
*** gabriel-bezerra has quit IRC17:55
*** gabriel-bezerra has joined #openstack-keystone17:56
dolphmmorganfainberg: but there's a chance we could see additional failures with other seeds... unless you saw the same 19 failures on several runs17:57
morganfainbergdolphm, perhaps.17:57
*** shakamunyi has quit IRC17:58
morganfainbergdolphm, i think i see the core issue here, should be easy to fix these failures.17:58
morganfainbergdolphm, not saying don't merge the tox fix, just seeing the LOE on getting it really fixed as well17:58
*** gabriel-bezerra has quit IRC17:58
morganfainbergbasically, looks like our catalog tests are bad (overall)17:59
*** marcoemorais has quit IRC17:59
morganfainbergs/catalog/catalog and versions/17:59
*** marcoemorais has joined #openstack-keystone17:59
*** gabriel-bezerra has joined #openstack-keystone18:00
morganfainbergdolphm, ah it looks like it is mostly around us using .assertEqual instead of .assertDictEqual18:15
morganfainbergdolphm, chasing these down now to make sure we don't have more.18:15
*** jsavak has quit IRC18:15
dolphmmorganfainberg: well that's an easy fix18:15
*** joesavak has joined #openstack-keystone18:16
morganfainbergdolphm, yeah the worst one was the catalog templated one, because the list isn't (for some reason) in the same order, but the id's of the endpoints still match18:16
*** thedodd has joined #openstack-keystone18:17
*** gabriel-bezerra has quit IRC18:25
*** gabriel-bezerra has joined #openstack-keystone18:26
*** gabriel-bezerra has quit IRC18:27
*** gabriel-bezerra has joined #openstack-keystone18:27
*** gabriel-bezerra has quit IRC18:33
*** gabriel-bezerra has joined #openstack-keystone18:33
stevemargordc, thx for the review, going to upload a new patch!18:34
*** gabriel-bezerra has quit IRC18:35
*** gabriel-bezerra has joined #openstack-keystone18:36
*** diegows has joined #openstack-keystone18:39
morganfainbergdolphm, oh boy, so looks like our hashseed stuff goes a bit deeper, we do a lot of dict -> list of things from dict, and that changes order with the hashseed (duh). this might not be an easy fix.18:43
dolphmmorganfainberg: you mean like .values() and .keys()?18:44
*** dims_ has joined #openstack-keystone18:49
*** nkinder has quit IRC18:52
*** gabriel-bezerra has quit IRC18:52
*** gabriel-bezerra has joined #openstack-keystone18:53
*** gabriel-bezerra has quit IRC18:55
*** nkinder has joined #openstack-keystone18:56
*** gabriel-bezerra has joined #openstack-keystone18:56
*** gabriel-bezerra has quit IRC18:59
*** gabriel-bezerra has joined #openstack-keystone19:00
*** thedodd has quit IRC19:02
*** thedodd has joined #openstack-keystone19:03
*** ekarlso has quit IRC19:04
openstackgerritSergey Nuzhdin proposed a change to openstack/keystone: Fix invalid self link in get access token  https://review.openstack.org/10965019:05
*** topol has quit IRC19:06
openstackgerritRaildo Mascena de Sousa Filho proposed a change to openstack/keystone-specs: Hierarchical Multitenacy  https://review.openstack.org/10101719:08
*** ukalifon has quit IRC19:09
*** mtl1 has quit IRC19:14
*** lbragstad has joined #openstack-keystone19:15
*** ekarlso has joined #openstack-keystone19:16
*** lbragstad has quit IRC19:19
openstackgerritHarry Rybacki proposed a change to openstack/keystonemiddleware: Convert auth_token middleware to use sessions  https://review.openstack.org/10503119:22
morganfainbergdolphm, basically, for i in <dict>, list.append(dict[i])19:25
*** rodrigods has quit IRC19:29
*** rodrigods has joined #openstack-keystone19:31
*** rodrigods has joined #openstack-keystone19:31
dstanekmorganfainberg: what is the problem caused by PYTHONHASHSEED?19:31
openstackgerritA change was merged to openstack/keystone: Sample config update  https://review.openstack.org/10965719:33
openstackgerritDiane Fleming proposed a change to openstack/identity-api: Add create, update, and delete user to admin API v2.0  https://review.openstack.org/10825919:33
*** david-lyle has quit IRC19:34
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements  https://review.openstack.org/10900219:34
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/11009819:34
stevemargordc, ping19:36
ayoungdstanek, when Horizon calls keystone, it creates a new Client object every time.  Right now, it does not hold on to a session object.  Should it?  How long would a session live?19:36
*** topol has joined #openstack-keystone19:37
stevemarif we do end up using type instead of id for endpoint, do you want it normalized (prefixed with "openstack:")?19:37
openstackgerritClayton O'Neill proposed a change to openstack/keystone: Add pluggable range functions for token flush  https://review.openstack.org/10172619:37
ayoungdstanek, I realize this is kind of a jamielennox|away question, but since kc sessions are based on requests session....what would be the right thing in a straight requests approach19:37
openstackgerritClayton O'Neill proposed a change to openstack/keystone: Add pluggable range functions for token flush  https://review.openstack.org/10172619:37
dstanekayoung: i would expect sessions to be held for as long as the token is valid or for as long as the web session is valid (whatever comes first)19:39
openstackgerritOpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/10621019:39
*** david-lyle has joined #openstack-keystone19:39
dstanekayoung: can't you recreate a session object from a token?19:39
*** mtl1 has joined #openstack-keystone19:39
ayoungdstanek, yes, I can, so I guess it should be:19:40
ayoungget session, if none, recreate from token,  use session to create client19:40
dstanekayoung: i would expect a session object to be created for every web request to horizon and that horizon would use the same session for anything it does during that web request19:41
ayoungdstanek, I guess I always store the unscoped and scoped tokens in the cookie at a minimum.  I guess I could always fetch those things on demand...if not unscoped token, kick to login19:41
*** gabriel-bezerra has quit IRC19:41
ayoungdstanek, ok, I think I can make that happen.  A lot of Django is done passing around collections of kwargs19:42
*** gabriel-bezerra has joined #openstack-keystone19:42
ayoungand I'm not certain which of those get persisted where across requests to Horizon19:42
dstanekayoung: do you have a link? i'm curious because i wouldn't expect that19:43
ayoungyep 1 sec19:43
ayoungdstanek, http://git.openstack.org/cgit/openstack/django_openstack_auth/tree/openstack_auth/utils.py#n108  gets called via a callback from a template inside Django to populate the "list of projects" dropdown19:44
ayoungwhich is a lovely piece of code, what with embedding the 2.0 auth url, but I digress19:45
ayoungdstanek, so I assume I can stick the session into that dictionary where auth happens19:46
ayoungwhich is19:46
ayounghttp://git.openstack.org/cgit/openstack/django_openstack_auth/tree/openstack_auth/backend.py#n15719:47
*** andreaf has joined #openstack-keystone19:48
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Updated from global requirements  https://review.openstack.org/10900219:48
ayoungdstanek, I have a hacked version in my local repo that does the initial authentication with a session19:49
ayoungI'm just not certain it makes sense to do   request.session['keystone_session'] = kcsession19:50
dstanekayoung: i don't think it does because that is something that persists across many requests from a user19:51
gordcstevemar: my bad.19:51
gordcstevemar: whatup?19:51
stevemargordc, same question - if we do end up using type instead of id for endpoint, do you want it normalized (prefixed with "openstack:")?19:51
ayoungdstanek, right, but I don't think there is a "request local dictionary" available19:51
gordcstevemar: yeah, it's probably safe to keep the namespace i would think... even if what's after is of little value19:52
dstanekayoung: request.keystone_session = kcsession19:53
dstanekayoung: the trick is finding out who creates it first19:53
dstanekand anything calling keystone would need access to the request19:53
*** gabriel-bezerra has quit IRC19:56
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Redact tokens in request headers  https://review.openstack.org/11011719:57
ayoungdstanek, it all goes through django_openstack_auth19:57
*** gabriel-bezerra has joined #openstack-keystone19:58
*** gabriel-bezerra has quit IRC20:00
*** gabriel-bezerra has joined #openstack-keystone20:01
*** marcoemorais has quit IRC20:01
*** marcoemorais has joined #openstack-keystone20:01
*** andreaf_ has joined #openstack-keystone20:03
*** thedodd has quit IRC20:06
*** andreaf has quit IRC20:06
*** thedodd has joined #openstack-keystone20:10
*** gordc has quit IRC20:13
*** lbragstad has joined #openstack-keystone20:13
*** rm_work has joined #openstack-keystone20:13
openstackgerritA change was merged to openstack/identity-api: Add create, update, and delete user to admin API v2.0  https://review.openstack.org/10825920:14
*** doddstack has joined #openstack-keystone20:16
bknudsonlooks like v2.0 can finally create users.20:16
*** thedodd has quit IRC20:16
*** gordc has joined #openstack-keystone20:17
*** andreaf has joined #openstack-keystone20:18
rm_workhey guys, I am not very familiar with keystone, but I am writing RBAC rules for another service (policy.json) and am trying to decide what role to use for the thing I'm doing20:18
rm_workI'm trying to identify whether a token belongs to a "cloud admin" user (as opposed to a user who is the admin on their own project/domain/tenant)20:19
stevemargordc, new patch!20:20
rm_workCan I just use { "service_admin": "role:cloud_service_admin" } and assume that we can get that role created in people's keystone deployments?20:20
rm_workor is there already a role that is commonly used for this purpose?20:20
*** andreaf_ has quit IRC20:20
* gordc tries to think of reason not to review that isn't 'too lazy'20:21
*** fifieldt has quit IRC20:34
*** david-lyle has quit IRC20:36
*** bvandenh has quit IRC20:39
*** gabriel-bezerra has quit IRC20:39
*** gabriel-bezerra has joined #openstack-keystone20:42
*** david-lyle has joined #openstack-keystone20:44
*** fifieldt has joined #openstack-keystone20:46
dolphmrm_work: yes- "admin"20:46
dolphmrm_work: deployers might have their own convention, but "admin" == root, generally20:47
rm_workdolphm: err, except I thought "admin" was a role that any user could have on their own account20:47
rm_workso checking against that role will turn up positive for a whole slew of "end users"20:47
dolphmrm_work: if you treat it that way with default policy.json files, you get root of openstack20:48
rm_workdolphm: like, if i create a new user/tenant, won't that user have role:admin for their tenant?20:49
dolphmrm_work: no, we use "member" (or "_member_") as the default role in that scenario20:49
rm_workah20:49
rm_workok, maybe I am tainted by RS:Identity20:49
rm_workso then my assumption for what "admin" role means was wrong20:50
rm_workand this is way simpler than I was making it out to be20:50
openstackgerritBrant Knudson proposed a change to openstack/keystone: Use config fixture from oslo.config  https://review.openstack.org/10325420:53
*** lbragstad has quit IRC20:58
openstackgerritBrant Knudson proposed a change to openstack/keystone: Remove fixture from openstack-common.conf  https://review.openstack.org/10325521:00
*** marcoemorais has quit IRC21:02
openstackgerritDolph Mathews proposed a change to openstack/keystone: shorter uuid tokens  https://review.openstack.org/11013321:03
*** lbragstad has joined #openstack-keystone21:04
*** gabriel-bezerra has quit IRC21:06
*** rm_work is now known as rm_work|away21:07
*** gabriel-bezerra has joined #openstack-keystone21:07
*** mfainberg_phone has joined #openstack-keystone21:13
*** mfainberg_phone has quit IRC21:13
openstackgerritDolph Mathews proposed a change to openstack/keystone: shorter uuid tokens  https://review.openstack.org/11013321:13
*** gabriel-bezerra has quit IRC21:17
*** gabriel-bezerra has joined #openstack-keystone21:18
*** lbragstad has quit IRC21:19
*** marcoemorais has joined #openstack-keystone21:19
openstackgerritBrant Knudson proposed a change to openstack/keystone: Configurable python-keystoneclient repo  https://review.openstack.org/10328321:22
stevemardolphm, bknudson morganfainberg can i has review: https://review.openstack.org/#/c/109470/ ?21:22
*** jasondotstar has quit IRC21:23
*** gabriel-bezerra has quit IRC21:23
dolphmstevemar: why did you keep all the templating options?21:24
*** gabriel-bezerra has joined #openstack-keystone21:25
dolphmstevemar: do they all need to stay? / can they still override oslo.sphinx?21:25
dolphmstevemar: and does oslo.sphinx not do html_last_updated_fmt for example?21:25
openstackgerritClayton O'Neill proposed a change to openstack/keystone: Add pluggable range functions for token flush  https://review.openstack.org/10172621:26
stevemardolphm, kept the options to minimize the changes, in case things went south21:26
dolphmstevemar: that's what git uncommit is for21:27
stevemardolphm, looking at https://github.com/openstack/oslosphinx/tree/master/oslosphinx it only touches the theme and static options21:28
dhellmannif there are other options oslosphinx should be setting, please submit a bug or patch :-)21:33
*** lbragstad has joined #openstack-keystone21:35
*** gabriel-bezerra has quit IRC21:36
*** gabriel-bezerra has joined #openstack-keystone21:37
stevemardhellmann, i think we're good, not all the projects are using that currently (the html_last_updated option)21:37
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Config fixture from oslo-incubator is not used.  https://review.openstack.org/10399821:43
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Use config fixture from oslo.config  https://review.openstack.org/11013821:43
*** gabriel-bezerra has quit IRC21:43
*** andreaf has quit IRC21:44
*** gabriel-bezerra has joined #openstack-keystone21:44
*** gabriel-bezerra has quit IRC21:47
*** gabriel-bezerra has joined #openstack-keystone21:47
*** topol has quit IRC21:48
*** lbragstad has quit IRC21:50
*** dhellmann_ has joined #openstack-keystone21:55
*** harlowja is now known as harlowja_away21:57
*** dhellmann has quit IRC21:57
*** dhellmann_ is now known as dhellmann21:57
*** stevemar has quit IRC22:02
*** harlowja_away is now known as harlowja22:03
*** marcoemorais has quit IRC22:04
*** marcoemorais1 has joined #openstack-keystone22:04
*** marcoemorais1 has quit IRC22:05
*** marcoemorais has joined #openstack-keystone22:05
*** amcrn has quit IRC22:06
openstackgerritBrant Knudson proposed a change to openstack/keystone: Correct revocation event test for domain_id  https://review.openstack.org/10981922:06
*** rm_work|away is now known as rm_work22:06
openstackgerritBrant Knudson proposed a change to openstack/keystone: Fix revoking domain-scoped tokens  https://review.openstack.org/10982022:07
openstackgerritBrant Knudson proposed a change to openstack/keystone: Fix revoking a scoped token from an unscoped token  https://review.openstack.org/10938922:07
openstackgerritBrant Knudson proposed a change to openstack/keystone: Add a test for revoking a scoped token from an unscoped  https://review.openstack.org/10912522:07
*** harlowja has quit IRC22:10
openstackgerritA change was merged to openstack/identity-api: Cleanup  https://review.openstack.org/10988222:10
*** harlowja has joined #openstack-keystone22:11
*** marcoemorais has quit IRC22:12
*** marcoemorais has joined #openstack-keystone22:13
*** gabriel-bezerra has quit IRC22:13
*** gabriel-bezerra has joined #openstack-keystone22:14
dolphmbknudson: double checking on bug 1347318 -- too many tokens are being revoked, as opposed to too few, correct?22:15
uvirtbotLaunchpad bug 1347318 in keystone "Revocation events don't handle scoped tokens correctly" [High,In progress] https://launchpad.net/bugs/134731822:15
*** lbragstad has joined #openstack-keystone22:16
*** lbragsta_ has joined #openstack-keystone22:16
bknudsondolphm: y, from the description of that one it's revoking too many tokens.22:18
bknudsondolphm: maybe I should open a separate bug for the fix in https://review.openstack.org/#/c/109820/22:19
dolphmbknudson: can you clarify that in a comment? i don't want it to end up accidentally going down the OSSA road because it's too strict22:19
bknudsondolphm: because that one has a fix for domain-scoped tokens22:19
bknudsonI'll open a separate bug for the domain-scoped token revocations22:20
*** lbragstad has quit IRC22:20
*** lbragsta_ has quit IRC22:21
openstackgerritgordon chung proposed a change to openstack/keystonemiddleware: Adding audit middleware to keystonemiddleware  https://review.openstack.org/10295822:24
openstackgerritBrant Knudson proposed a change to openstack/keystone: Fix revoking domain-scoped tokens  https://review.openstack.org/10982022:26
openstackgerritBrant Knudson proposed a change to openstack/keystone: Fix revoking a scoped token from an unscoped token  https://review.openstack.org/10938922:26
openstackgerritBrant Knudson proposed a change to openstack/keystone: Correct revocation event test for domain_id  https://review.openstack.org/10981922:26
openstackgerritBrant Knudson proposed a change to openstack/keystone: Add a test for revoking a scoped token from an unscoped  https://review.openstack.org/10912522:26
bknudsondolphm: I opened a separate bug for domain-scoped tokens22:27
dolphmbknudson: thanks22:30
dolphmbknudson: https://review.openstack.org/#/c/109389/13/keystone/token/providers/common.py looks broken to me...22:35
dolphmbknudson: L523 for v3 tokens: project_id = (token.get('tenant') or {}).get('id')22:35
bknudsondolphm: maybe there's a better way to handle the situation...22:35
bknudsonbut token['tenant'] is actually None22:35
dolphmbknudson: why is it trying to get a tenant from a v3 token?22:35
dolphmbknudson: also, isn't it token['scope']['project']['id'] ?22:36
bknudsondolphm: I'll set a breakpoint and see.22:36
dolphmbknudson: although i have no idea why token has a 'token_data' attribute there either22:36
bknudsontoken_data has all the stuff22:36
dolphmbknudson: then what is the outer object for?22:38
dolphmwhat other keys does it have?22:38
*** gordc has quit IRC22:40
bknudsondolphm: http://paste.openstack.org/show/88787/22:40
bknudsondon't steal my token22:40
bknudsondolphm: there's a project in token_data just like there's a domain22:41
bknudsonso I could use token_data for both22:42
*** doddstack has quit IRC22:45
dolphmbknudson: ahh this is the redundant garbage from the token backend22:45
bknudsondolphm: it's pretty wacky22:48
*** gabriel-bezerra has quit IRC22:49
*** gabriel-bezerra has joined #openstack-keystone22:50
*** gabriel-bezerra has quit IRC22:51
*** gabriel-bezerra has joined #openstack-keystone22:51
openstackgerritA change was merged to openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/10621022:53
openstackgerritA change was merged to openstack/keystonemiddleware: Mark keystonemiddleware as being a universal wheel  https://review.openstack.org/10442422:53
openstackgerritBrant Knudson proposed a change to openstack/keystone: Fix revoking a scoped token from an unscoped token  https://review.openstack.org/10938922:57
*** vhoward has joined #openstack-keystone23:01
*** marcoemorais has quit IRC23:04
openstackgerritHarry Rybacki proposed a change to openstack/keystonemiddleware: Convert auth_token middleware to use sessions  https://review.openstack.org/10503123:05
*** marcoemorais has joined #openstack-keystone23:05
*** marcoemorais has quit IRC23:06
*** marcoemorais has joined #openstack-keystone23:07
*** joesavak has quit IRC23:08
hrybackijamielennox|away: ping23:08
*** hrybacki_ has joined #openstack-keystone23:17
*** hrybacki has quit IRC23:21
*** hrybacki_ has quit IRC23:22
*** david-lyle has quit IRC23:31
*** gabriel-bezerra has quit IRC23:31
*** gabriel-bezerra has joined #openstack-keystone23:32
*** jaosorior has quit IRC23:32
*** jamielennox|away is now known as jamielennox23:32
*** david-lyle has joined #openstack-keystone23:32
*** bknudson has quit IRC23:36
*** david-lyle has quit IRC23:36
jamielennoxgood morning world, here are two fairly simple reviews that already have at least a +223:37
jamielennoxhttps://review.openstack.org/#/c/107212/23:37
jamielennoxhttps://review.openstack.org/#/c/109887/23:37
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Versioned Endpoint hack for Sessions  https://review.openstack.org/9063223:40
*** fifieldt_ has joined #openstack-keystone23:45
*** fifieldt has quit IRC23:45
