Thursday, 2014-07-31

*** alex_xu has joined #openstack-keystone00:05
*** rwsu has quit IRC00:31
*** markwash has quit IRC00:31
*** marcoemorais has quit IRC00:33
*** marcoemorais has joined #openstack-keystone00:33
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Isolate get_discovery function  https://review.openstack.org/10756900:36
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Allow unauthenticated discovery  https://review.openstack.org/10757000:36
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Control identity plugin reauthentication  https://review.openstack.org/10755500:36
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Use token and discovery fixture in identity tests  https://review.openstack.org/10755400:36
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Version independent password authentication plugin  https://review.openstack.org/8114700:36
*** amerine_ has joined #openstack-keystone00:38
*** amerine has quit IRC00:39
*** hemna is now known as hemna_00:39
ayoungmorganfainberg, it sounds like you are pretty well set against PKIZ tokens.  Do you think they are fatally flawed, or something we can work around?00:43
morganfainbergayoung, I am *not* against having multiple forms of tokens00:43
morganfainbergayoung, I think s/mime is a big issue00:44
morganfainbergi think we need to solve that issue00:44
morganfainbergi think 2-5x the size of the request for auth data is absurd and we need to figure that out00:44
morganfainbergi do not want to remove PKI, i do not want to remove PKIZ.00:44
ayoungmorganfainberg, I don't think any form of authentication document is going to be much smaller.  It's not specific to S/MIME00:45
morganfainberghowever, if most people use UUID in deployment because the token size is too big, or SSL shared-state, etc, we have to address that00:45
ayoungthe signature is basically 500 bytes,  with the rest of the size overhead pretty much either negligible or due to encoding00:45
morganfainbergayoung, let me clarify, authentication document that needs to transit from the end user00:45
morganfainbergif it is an issue on repeated requests for a token, it is an issue for the initial request00:46
ayoungmorganfainberg, right.  But the auth document needs to get to the endpoint somehow.  If it is not from the end user, it is not transparent, and does not lend to distributed scheme.   That was the direction PKIZ was taking us00:46
morganfainbergso, i am in support of devstack defaulting to uuid (and adding a tempest test that runs w/ PKIZ that is exclusive to keystone patches)00:46
ayoungIf we do a UUID based scheme, it means that the endpoints know a-priori which keystone to talk to to do everything,  it means persisted tokens, and it means a single point of signing.00:47
ayoungso we either fix the current token approach, or accept those points as fixed00:48
morganfainbergayoung, i honestly don't believe pkiz tokens are the right direction00:48
morganfainbergayoung, but i don't know what *is*00:48
ayoungmorganfainberg, before we make a change, let's figure that out00:48
morganfainbergayoung, but the bulk of the deployers i've talked to have all said they use UUID00:48
morganfainbergbecause PKI is too big, not baked, requires shared-state-of-signing-certs, etc00:49
ayoungthat is fine. There is nothing broken about UUID tokens, but if we change the default, it means the PKIZ will not be tested. The current issues came out because people are actually using them00:49
ayoungmorganfainberg, so, let's break the problem down:00:49
ayoung1.  is horizon.  2. is the size of the tokens when talking to individual services00:49
ayoungI think those are the big ones00:49
morganfainberg3. shared-signing data for multiple keystones. [we have to address this long term either way but right now uuid has no requirement on this]00:50
ayoungmorganfainberg, 4.  how the hell am I going to keep my 8 year old in bed to complete this conversation00:53
ayoungmorganfainberg, there are a few things PKI had foisted on it that UUID tokens side-stepped.  I'm still a little annoyed at all the effort we had to put into revocations.  UUID tokens would be stuck in memcached and never checked for revocation.    But I am OK with making a complete system.  Just don't want to waste time on it if the founding blocks are going to be removed00:54
*** jamielennox has quit IRC00:54
morganfainberg4. popen->openssl is sucky (far far far down the list, but it is legitimate)00:55
morganfainberg#4 i'd say is in the category of "meh fix other things first"00:55
morganfainberg1. is an issue that is only a developer issue so far00:55
morganfainbergayoung, i'm going to need to go soon, headed home (had a long couple days this week)00:55
morganfainbergayoung, i think we need to circle up on this a bit later (tomorrow)00:55
*** jamielennox_ has joined #openstack-keystone00:55
ayoungmorganfainberg, that is fine.  And I'm not digging in my heels here: I'm willing to go along with whatever we decide the long term approach should be, but I want that to be deliberate, and well thought out.00:56
*** jamielennox_ is now known as jamielennox00:56
ayoungIf there is any huge gain to be had by making UUID tokens default, I need to understand what it is.00:56
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Version independent password authentication plugin  https://review.openstack.org/8114700:56
morganfainbergayoung, 8 yr olds have a knack of interrupting convos :P00:57
ayoungmorganfainberg, it was spending the morning with him that means I'm working until midnight tonight, too.  Ah, fatherhood.00:57
morganfainbergayoung, my responses on that review were mostly to clarify the specific stakes, notice i didn't +2 the review.00:58
morganfainbergayoung, i want to make sure as we discuss this we're not adding things to the convo that aren't needed.  (k2k, that is going to be a different beast)00:58
ayoungmorganfainberg, heh.  So Horizon needs memcache for a different reason, I think.  They need the service catalog no matter what, and they have a hard stop at the 8k limit00:58
morganfainbergayoung, we can figure out the best course, and no i am not advocating signed requests (they have issues)00:59
ayoungmorganfainberg, yeah.  I like signed requests, but I can't say that everything should be based on them.00:59
morganfainbergayoung, also, memcache is optional for all services, most deployments don't use it in auth_token afaict00:59
morganfainbergayoung, ++ they *could* be awesome00:59
morganfainbergbut... uh...00:59
morganfainberglots more convos there if we go down that path00:59
ayoungmorganfainberg, without memcache, auth_token hits keystone for each validation.  That was actually the original reason for PKI tokens.01:00
morganfainbergayoung, right01:00
ayoungwithout memcache, the "cookie the session token" thing is out the window anyway01:00
morganfainbergyeah01:01
ayoungthat was just an optimization, to try and manage what Horizon is doing as a hack and better manage it01:01
ayoungI am pretty sure that adding 1K to a request for authorization data is negligible.  It's the 8K-blow-out-the-header size PKI tokens that we need to reduce01:02
*** gabriel-bezerra has quit IRC01:02
*** gokrokve has quit IRC01:03
*** gokrokve has joined #openstack-keystone01:03
*** gabriel-bezerra has joined #openstack-keystone01:04
ayoungI want to keep the power in the hands of the end user.  I think we can remove the catalog from the tokens and fix that in most of the services.  It seems that the catalog data does not need to be sent around on every request.01:04
ayoungIf we used SSL client certs or Kerberos, we actually would have much more overhead on the network. It just wouldn't be apparent in the openstack specific payloads.01:05
*** gokrokve has quit IRC01:08
*** LinStatSDR has quit IRC01:15
*** gokrokve has joined #openstack-keystone01:34
*** gokrokve has quit IRC01:36
*** gokrokve has joined #openstack-keystone01:37
*** mberlin has quit IRC01:40
*** gokrokve has quit IRC01:41
*** marcoemorais has quit IRC01:47
*** hrybacki has joined #openstack-keystone01:48
*** xianghui has joined #openstack-keystone01:49
jamielennoxayoung: the client cert thing is debatable, you get overhead sure, but with kerberos i'm having to do 2 calls per request to get the Negotiate to work01:49
ayoungjamielennox, you have to send the client cert01:49
ayoungits just added data01:49
ayoungbut at least 1K01:49
jamielennoxright but it happens at https handshake01:50
ayoungthe point is that keystone PKIZ  tokens are probably going to be about as light weight as  we can get things01:50
jamielennoxso you get some benefit there from using connection pooling properly,01:50
jamielennoxnegotiate is happening per request and AFAIK doesn't pool01:50
ayoungif you reuse the session, then the cert doesn't have to go across the wire again.  But with the session cookie hack, things are efficient after the first transmission as well.  It's a wash01:51
ayoungyeah, negotiate is a beast01:51
ayoungand that is why it tends to be done once, and then, again. session cookied01:51
ayoungthat is what IPA does01:51
jamielennoxanyway, haven't even read all the context to that, just the bit that i've played with kerberos and requests Negotiate is a huge burden01:52
ayoungyep01:52
ayoungif the authorization is passed through the user, PKIZ tokens are the smallest we can get it....and it remains a bearer token01:52
*** gokrokve has joined #openstack-keystone01:53
ayoungI think that the size of the request thing is not really an issue here, but I want people to understand the real issues before we go yanking out PKIZ01:53
hrybackiayoung, jamielennox: Brant asked some pretty solid design choice questions in https://review.openstack.org/#/c/105031/9/keystonemiddleware/auth_token.py and I'd like to hear you alls' thoughts if you have time01:54
*** gokrokve has quit IRC01:54
*** gokrokve has joined #openstack-keystone01:54
*** morganfainberg is now known as morganfainberg_Z01:58
jamielennoxhrybacki: agree with pretty much everything01:58
hrybackiremoving the factory methods too?01:59
jamielennoxyea01:59
jamielennoxi don't see that they're doing anything01:59
jamielennoxand it means saving a bunch of things on the object that we never reuse01:59
ayounglet me see...02:00
hrybackiwhat about his comments on 520, 1280, and 1298?02:01
ayoungjamielennox, so the factory methods were there to allow for lazy creation of those objects later02:01
ayounghe did it back when we were going further with this patch02:02
jamielennoxayoung: but we're not lazy loading we're calling them straight away02:02
*** zzzeek has joined #openstack-keystone02:02
jamielennoxso at the very least they're not relevant to this patch02:02
ayoungthe goal is to not contact keystone until the first request02:02
ayoungyeah...just churn02:02
jamielennoxayoung: we don't contact keystone02:02
jamielennoxeverything about auth plugins so far is lazy02:02
ayoungI know..but once there is discovery, we will02:02
jamielennoxright - and i would argue that it's a better thing to do the upfront request than deal with all that02:03
ayoungjamielennox, ?02:03
jamielennoxif we need to do discovery i'd prefer to do it in __init__ than on first request02:04
ayoungremember, this is a bring-up time.  We might be bringing things up async, so keystone might not be up yet02:04
ayoungwe don't want to force an ordering to starting the services02:04
jamielennoxfair enough02:05
hrybackihmm02:05
jamielennoxstill not related to this one02:05
*** diegows has quit IRC02:06
hrybackiso should we opt to thin down the patch some more and save this for a discussion/follow up patch?02:07
jamielennoxhrybacki: always thin it down to what you need for this particular feature02:07
ayoungyeah, but the  factory methods is a better organization02:08
ayoungmeh02:08
hrybackijamielennox: is that a general design principle, keystone standard, or your personal preference?02:08
jamielennoxhrybacki: it's what gets patches reviewed quickest02:08
hrybackiayoung: I'm inclined to agree with you on that. I think it leaves everything else looking cleaner02:08
hrybackimodularity++02:09
hrybackijamielennox: haha fair02:09
ayounghrybacki, I'm hardly unbiased here.  I told you to do it.02:09
jamielennoxayoung: i don't mind factory functions when there is something difficult happening, personal opinion if there's no logic going on i'd just prefer to have it inline02:09
ayoungjamielennox, the init function was growing long02:09
ayoungthis pulls like into like, and allows the easy migration of creation when the time calls for it02:10
ayoungI think the code is more organized this way02:10
ayoungI am more interested in the other comment  " but then in the place where there's some logic in creating the object (self._session.auth), there's no factory... weird.02:11
ayoung"02:11
ayounglines 505 to 524...probably should also be in their own function.02:11
hrybackiayoung: that makes sense02:12
hrybackiIdentityServer also has a pretty bulky __init__02:13
hrybackiwhat about his comment on 520?02:13
ayoungjamielennox, I think that question is for you.02:14
jamielennoxoh, yea just posted a response02:14
jamielennoxumm, we're a little bit stuck there02:15
jamielennoxi need to fix the construct() method, it was designed for a very specific purpose but it has grown02:15
jamielennoxyou can't pass auth= to construct() which is why i did it that way originally02:16
jamielennoxfixing things in ksc now will take ages to make it back to middleware though so i don't see a lot of other choices than the way we do now02:16
hrybackioaky02:18
hrybackiokay*02:18
*** alex_xu has quit IRC02:19
hrybackiayoung, jamielennox: I'm going to leave in the factory functions. I'd like to pull the session.auth logic into a function as well. Would it make sense for that to be part of the session factory itself? Is there any reason not to?02:21
ayoungI think it belongs in session factory02:21
jamielennoxok, make it part of the session factory02:24
jamielennoxa request though - a factory returns the object, it doesn't set a variable02:25
*** markwash has joined #openstack-keystone02:26
hrybackijamielennox++ okay02:26
hrybackithose are the nits I need :P02:27
*** xianghui has quit IRC02:32
*** xianghui has joined #openstack-keystone02:33
*** lbragstad has joined #openstack-keystone02:37
*** jamielennox is now known as jamielennox|away02:45
*** jamielennox|away is now known as jamielennox02:48
*** zzzeek has quit IRC02:48
hrybackijamielennox: Can I get your thoughts on one more section. On line 1280 Brant has concerns about the new exception handling within _http_request()02:49
*** xianghui has quit IRC02:49
jamielennoxhrybacki: i'd just scrap that section02:51
jamielennoxhrybacki: i'm not sure who's right there02:51
hrybackijamielennox: hrm02:51
jamielennox(so do what he says)02:51
hrybackijamielennox: do you remember your initial motivation for that?02:52
jamielennoxfrom memory when i was doing it initially i was getting errors coming up from session that had nothing to do with the actual request02:53
jamielennoxhowever that would still be caught with what is there so that's not a reason02:53
jamielennoxso no :)02:53
hrybackihaha alright02:55
*** xianghui has joined #openstack-keystone03:02
*** topol has joined #openstack-keystone03:06
*** harlowja is now known as harlowja_away03:06
*** gokrokve_ has joined #openstack-keystone03:07
*** gokrokve has quit IRC03:11
*** xianghuihui has joined #openstack-keystone03:11
*** xianghui has quit IRC03:12
*** gokrokve_ has quit IRC03:12
hrybackijamielennox: it may get caught but it sure does cause test failures03:22
hrybackiI'll dig into that tomorrow morning I suppose03:23
jamielennoxhrybacki: it causes test failures if you don't allow http errors?03:24
hrybackiyep03:24
jamielennoxhrybacki: oh right, of course it does03:24
hrybacki?03:24
jamielennoxso with a standard requests.request it will return a response object with the status_code=400 or something03:24
jamielennoxif you get a http failure03:25
hrybackiok03:25
jamielennoxwith the session we take that response and turn it into a HttpError exception03:25
hrybackiah03:25
hrybackithat's why it was in there03:25
jamielennoxso you need to let those errors go through or they won't be correctly handled at the higher level03:25
jamielennoxso yea the comment is not good03:26
hrybackiI'll update the comment03:26
*** mrmoje has joined #openstack-keystone03:28
*** xianghuihui has quit IRC03:30
*** xianghuihui has joined #openstack-keystone03:34
*** ajayaa has joined #openstack-keystone03:42
openstackgerritHarry Rybacki proposed a change to openstack/keystonemiddleware: Convert auth_token middleware to use sessions  https://review.openstack.org/10503103:46
*** wanghong has quit IRC03:47
*** jaosorior has joined #openstack-keystone03:50
*** lbragstad has quit IRC03:51
*** ayoung has quit IRC03:54
*** boris-42 has quit IRC03:57
*** stevemar has joined #openstack-keystone03:59
*** topol has quit IRC03:59
*** boris-42 has joined #openstack-keystone04:07
*** stevemar has quit IRC04:10
*** gokrokve has joined #openstack-keystone04:11
*** gokrokve has quit IRC04:21
*** gokrokve has joined #openstack-keystone04:22
*** gokrokve has quit IRC04:26
*** ukalifon1 has joined #openstack-keystone04:27
*** zzzeek has joined #openstack-keystone04:28
*** ukalifon1 has quit IRC04:30
*** stevemar has joined #openstack-keystone04:30
jamielennoxstevemar: question, if the mapper gets a match does it continue to find other matches or quit early?04:30
jamielennoxso can you do lots of little 'if role then group' matches that get combined or do you need to write them all as one big statement04:31
stevemarjamielennox, i believe it still goes through all of them, because several rules may apply04:31
jamielennoxcool, that's what i expected - quicker to ask than dig through the code04:32
jamielennoxstevemar: thanks04:32
stevemarthat was one of the requirements of the mapping, if several rules applied, it would get all the results (in particular for group ids)04:32
stevemarif several user ids are matched, then we toss up an error04:32
stevemarnp04:32
*** hrybacki has quit IRC04:33
*** chandankumar has joined #openstack-keystone04:45
*** gokrokve has joined #openstack-keystone04:50
*** wanghong has joined #openstack-keystone04:51
*** alex_xu has joined #openstack-keystone04:52
*** ukalifon1 has joined #openstack-keystone05:23
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Convert shell tests to httpretty  https://review.openstack.org/11021005:35
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Change unscoped token fallback to be session aware  https://review.openstack.org/10477105:35
*** RockKuo_Office has joined #openstack-keystone05:45
*** gokrokve_ has joined #openstack-keystone05:50
*** k4n0 has joined #openstack-keystone05:51
*** gokrokve has quit IRC05:52
*** gokrokve_ has quit IRC05:54
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/10693906:05
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Add a domain to federated users  https://review.openstack.org/11085806:06
*** alex_xu has quit IRC06:08
*** tomoiaga has joined #openstack-keystone06:11
*** stevemar has quit IRC06:19
*** alex_xu has joined #openstack-keystone06:26
*** bvandenh has joined #openstack-keystone06:33
*** henrynash has joined #openstack-keystone06:34
*** wanghong has quit IRC06:35
*** RockKuo_Office has quit IRC06:35
*** wanghong has joined #openstack-keystone06:35
*** henrynash has quit IRC06:36
*** RockKuo_Office has joined #openstack-keystone06:36
*** mrmoje has quit IRC06:36
*** tomoiaga has quit IRC06:37
*** jamielennox is now known as jamielennox|away06:38
*** krypto has joined #openstack-keystone06:51
kryptoHi, can someone tell me the need of a public API endpoint for keystone? I have horizon with a public IP, and for authenticating with keystone it uses a private IP.06:53
kryptoI couldn't find any use case other than that the CLI for creating instances outside the data centre will fail. Am I correct, or is there any other use case for a public API endpoint for keystone?06:56
*** alex_xu has quit IRC06:57
*** afazekas has joined #openstack-keystone06:57
*** mtl11 has quit IRC07:04
*** mtl1 has joined #openstack-keystone07:05
*** alex_xu has joined #openstack-keystone07:09
*** jogo has left #openstack-keystone07:11
*** bvandenh_ has joined #openstack-keystone07:11
*** marekd|away is now known as marekd07:13
*** bvandenh has quit IRC07:15
*** henrynash has joined #openstack-keystone07:51
*** mrmoje has joined #openstack-keystone08:02
*** xianghuihui has quit IRC08:45
*** xianghui has joined #openstack-keystone08:45
*** abhishek has joined #openstack-keystone09:06
*** jamiec has quit IRC09:11
*** dtroyer has quit IRC09:12
*** jamiec has joined #openstack-keystone09:14
*** dtroyer has joined #openstack-keystone09:14
*** alex_xu has quit IRC09:23
abhishekhi all, can any one review this patch https://review.openstack.org/#/c/107482/5/09:27
abhishekthank you09:27
*** xianghui has quit IRC09:36
*** andreaf has joined #openstack-keystone10:02
*** diegows has joined #openstack-keystone10:57
openstackgerritA change was merged to openstack/keystone: Do not consume trust uses when create token fails  https://review.openstack.org/10344511:03
*** vhoward has left #openstack-keystone11:04
openstackgerritJuan Antonio Osorio Robles proposed a change to openstack/keystone: Enable filtering of services by name  https://review.openstack.org/11090411:08
*** RockKuo_Office has quit IRC11:16
*** tomoiaga has joined #openstack-keystone12:13
*** k4n0 has quit IRC12:14
*** jasondotstar has joined #openstack-keystone12:36
*** jasondotstar has quit IRC12:42
*** bknudson has quit IRC12:50
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: List federated projects and domains  https://review.openstack.org/10739312:54
*** jasondotstar has joined #openstack-keystone12:56
*** andreaf_ has joined #openstack-keystone13:01
*** andreaf has quit IRC13:04
*** bknudson has joined #openstack-keystone13:08
*** thedodd has joined #openstack-keystone13:11
*** ByteSore has joined #openstack-keystone13:14
*** shufflebot has quit IRC13:15
*** ByteSore_ has quit IRC13:15
*** junhongl has quit IRC13:15
*** abhishek has quit IRC13:15
*** anteaya has quit IRC13:15
*** chandankumar has quit IRC13:15
*** junhongl has joined #openstack-keystone13:15
*** shufflebot has joined #openstack-keystone13:16
*** chandankumar has joined #openstack-keystone13:16
*** anteaya has joined #openstack-keystone13:17
*** lbragstad has joined #openstack-keystone13:21
*** lbragstad has quit IRC13:22
*** lbragstad has joined #openstack-keystone13:23
*** jasondotstar has quit IRC13:35
*** thedodd has quit IRC13:39
*** krypto has quit IRC13:40
*** gordc has joined #openstack-keystone13:42
*** needscoffee has joined #openstack-keystone13:50
*** needscoffee has quit IRC13:50
*** needscoffee has joined #openstack-keystone13:50
*** ayoung has joined #openstack-keystone13:56
openstackgerritJuan Antonio Osorio Robles proposed a change to openstack/keystone: Filter users by email  https://review.openstack.org/11097013:56
*** joesavak has joined #openstack-keystone14:02
*** needscoffee has quit IRC14:04
*** chandankumar has quit IRC14:05
openstackgerritJuan Antonio Osorio Robles proposed a change to openstack/keystone: Enable filtering of services by name  https://review.openstack.org/11090414:08
jaosoriorhenrynash: fixed the wrong word in the commit message, thanks for the catch14:10
*** toddnni has joined #openstack-keystone14:14
*** stevemar has joined #openstack-keystone14:30
*** rwsu has joined #openstack-keystone14:42
*** thedodd has joined #openstack-keystone14:49
*** morganfainberg_Z is now known as morganfainberg14:51
*** gokrokve has joined #openstack-keystone14:52
*** markwash has quit IRC14:54
*** gabriel-bezerra has quit IRC14:54
openstackgerritJohn Trowbridge proposed a change to openstack/keystone: Adds ability to use policy.json with Keystone V2 API get_endpoints method.  https://review.openstack.org/11098614:55
*** gabriel-bezerra has joined #openstack-keystone14:55
*** jsavak has joined #openstack-keystone14:55
*** lbragstad has quit IRC14:58
*** lbragstad has joined #openstack-keystone14:58
*** joesavak has quit IRC15:00
openstackgerritKristy Siu proposed a change to openstack/keystone: Standardizing the Federation Process  https://review.openstack.org/10559715:01
*** lbragsta_ has joined #openstack-keystone15:02
*** lbragstad has quit IRC15:02
*** kwss has joined #openstack-keystone15:05
*** ukalifon1 has quit IRC15:07
openstackgerritJuan Antonio Osorio Robles proposed a change to openstack/keystone: Filter users by email  https://review.openstack.org/11097015:15
*** lbragsta_ is now known as lbragstad15:17
*** hrybacki has joined #openstack-keystone15:31
*** lbragstad_ has joined #openstack-keystone15:37
*** lbragstad has left #openstack-keystone15:38
*** morganfainberg is now known as morganfainberg_Z15:39
*** thedodd has quit IRC15:40
*** thedodd has joined #openstack-keystone15:41
*** tomoiaga has quit IRC15:41
*** lbragstad has joined #openstack-keystone15:43
*** morganfainberg_Z is now known as morganfainberg15:44
*** lbragstad has quit IRC15:44
*** gyee has joined #openstack-keystone15:45
*** bobt has joined #openstack-keystone15:46
openstackgerritA change was merged to openstack/keystone: Refactor set domain-id and mapping code  https://review.openstack.org/10768015:50
*** bklei has joined #openstack-keystone15:52
ayounggyee, one https://review.openstack.org/#/c/105031/  I think you missed some of the discussion.  We cut down the scope of this patch to specifically avoid some issues brought on by discovery15:58
ayoungthe "factories" were written as part of the larger effort.  They are not specifically needed now, but they are better organization, and I advised him to leave them in.15:59
*** gabriel-bezerra has quit IRC15:59
ayoungSo remove your -1 please and let's get this thing in so we can move on, unless you see anything that is fatal.15:59
hrybackiayoung, gyee++ I was just about to comment on that. Gyee, Brant had similar concerns that I addressed in PS #916:00
gyeeayoung, what about others?16:00
*** gabriel-bezerra has joined #openstack-keystone16:00
gyeelike http timeout?16:00
gyeehrybacki, ayoung, don't worry about the factory comments, that's merely a question16:01
gyeeI didn't understand why we need them, but if you can drop a NOTE there that would be helpful16:02
hrybackifair16:02
hrybackiI'm looking back over the timeout thing right now16:02
ayounggyee, timeout is handled by client code now16:02
gyeebut we need it to be configurable right?16:02
ayounggyee, I think I can show you the patch that handles that16:03
ayounggyee, line 101716:05
ayoung timeout=self._conf_get('http_connect_timeout')16:05
ayounggyee, and what did you mean by your comment on line 505?16:05
gyeeayoung, got it16:06
hrybackiayoung: he just caught something that should be private16:06
hrybackimy bad16:06
hrybackigyee: I also submitted  a bug to add discovery here -- that'll be my follow up patch16:07
*** mtl1 has left #openstack-keystone16:07
gyeehrybacki, thanks, I'll probably submit a patch after you to do v3 auth for the service user16:07
*** topol has joined #openstack-keystone16:09
*** lbragstad_ has quit IRC16:13
*** kwss has quit IRC16:14
morganfainberghenrynash, gyee, got a moment to talk policy (specifically policy.json format)16:15
gyeemorganfainberg, sure16:16
*** gabriel-bezerra has quit IRC16:16
*** gabriel-bezerra has joined #openstack-keystone16:16
*** gokrokve has quit IRC16:17
*** marcoemorais has joined #openstack-keystone16:17
morganfainberggyee, https://github.com/openstack/nova/blob/master/etc/nova/policy.json#L4 looks like it already rejects domain scoped tokens16:17
morganfainberggyee, am i mis-reading it?16:17
*** lbragstad has joined #openstack-keystone16:18
morganfainbergi mean we can't stop admins, but the explicit (project_id) bit means we're already not accepting domain scoped tokens16:18
morganfainbergi *think*16:18
henrynashmorganfainberg: so the default policy file doesn’t really work for domains...16:19
gyeemorganfainberg, it's a problem, Nova only cares about the 'admin' role, regardless of scope16:19
morganfainbergso we need to fix that bit to *require* a project scope?16:19
henrynashmorganfainberg: ah sorry, this is nova’s policy file...sorry16:19
morganfainberghenrynash, yes, nova :P16:19
gyeemorganfainberg, we can't, or otherwise we break backward compatibility16:20
gyeemorganfainberg, but it's a security concern16:20
morganfainbergwell16:20
morganfainbergthis was an ask from nova to move to v316:20
morganfainbergspecifically they want to reject domain scoped token16:21
* morganfainberg is trying to figure out if we can do that in the policy.json16:21
openstackgerritJuan Antonio Osorio Robles proposed a change to openstack/keystone: Filter users by email  https://review.openstack.org/11097016:23
openstackgerritDiane Fleming proposed a change to openstack/identity-api: Remove ATOM responses for list versions and get version details.  https://review.openstack.org/11077716:25
gyeemorganfainberg, before we get to rejecting domain-scoped token, Nova needs to decide what does 'admin' mean16:26
gyeein fact, OpenStack needs to decide what 'admin' means16:26
morganfainberggyee, for now, we need to just say "project scoped tokens only"16:26
gyeethis question's been around for over 2 years now :)16:26
morganfainberggyee, the other questions are still valid, they are not relevant for this conversation.16:27
*** bobt_ has joined #openstack-keystone16:27
openstackgerritHarry Rybacki proposed a change to openstack/keystonemiddleware: Convert auth_token middleware to use sessions  https://review.openstack.org/10503116:28
gyeemorganfainberg, looks like we may have to enhance policy engine to match *any*16:32
gyeethen we can do something like this16:32
gyee"admin_required": "role:admin and not domain_id:*",16:32
gyeeassuming * match any16:32
morganfainberggyee, yeah that was my thought16:33
morganfainberggyee, i'm ok with that.16:33
gyeemorganfainberg, lemme dig into policy engine code to see what we can do16:34
morganfainberggyee, i can help if needed. i was looking at this but wanted a second pair of eyes16:34
*** jasondotstar has joined #openstack-keystone16:34
*** jasondotstar has quit IRC16:38
*** jasondotstar has joined #openstack-keystone16:38
*** gokrokve has joined #openstack-keystone16:43
*** jasondotstar has quit IRC16:44
*** lbragsta_ has joined #openstack-keystone16:44
*** thedodd has quit IRC16:49
morganfainberggyee, ok i need to go get breakfast. be back in a little bit. do you want to dig into the policy stuff or want me to? i'm fine in either case16:50
*** thedodd has joined #openstack-keystone16:53
*** jasondotstar has joined #openstack-keystone16:57
gyeemorganfainberg, I am working on other stuff right now, probably won't have time to look at the policy stuff till afternoon17:02
*** gokrokve has quit IRC17:03
morganfainberggyee, ok i'll see what needs to be added to the policy rules engine to match like any(project_id)17:03
*** gokrokve has joined #openstack-keystone17:04
*** lbragsta_ has quit IRC17:05
*** henrynash has quit IRC17:06
*** amcrn has joined #openstack-keystone17:10
*** mrmoje has quit IRC17:13
dstanekis there an easy way to rebase a stack of changes when a commit you depend on changes?17:16
*** henrynash has joined #openstack-keystone17:21
*** joesavak has joined #openstack-keystone17:21
ayoungmorganfainberg, that is, I think, the best justification for dolphm 's goal of shipping a single policy file:  let's get a common set of base rules for defining what adminness means.17:22
*** morganfainberg is now known as reallywantscoffe17:23
*** jsavak has quit IRC17:23
*** reallywantscoffe is now known as morganfainberg17:23
ayounggyee, can you bless https://review.openstack.org/#/c/105031/1217:23
ayoungdstanek, if you do a rebase -i, you can change the commit ID17:24
morganfainbergayoung, once i'm back from food i'll review that one as well.17:24
ayoungmorganfainberg, cool17:24
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Add a domain to federated users  https://review.openstack.org/11085817:26
gyeeayoung, patch looks good, will let morganfainberg push the button17:27
ayounggyee, ++17:28
dstanekayoung: thx17:28
dstaneklbragstad: you around?17:28
*** lbragsta_ has joined #openstack-keystone17:36
*** thedodd has quit IRC17:39
*** lbragsta_ has quit IRC17:40
*** lbragsta_ has joined #openstack-keystone17:44
*** lbragsta_ has quit IRC17:47
*** gabriel-bezerra has quit IRC17:48
*** gabriel-bezerra has joined #openstack-keystone17:49
*** gabriel-bezerra has quit IRC17:49
*** gabriel-bezerra has joined #openstack-keystone17:50
*** afazekas has quit IRC18:00
*** lbragsta_ has joined #openstack-keystone18:13
openstackgerritRaildo Mascena de Sousa Filho proposed a change to openstack/keystone-specs: Hierarchical Multitenacy  https://review.openstack.org/10101718:15
openstackgerritRaildo Mascena de Sousa Filho proposed a change to openstack/keystone-specs: Hierarchical Multitenacy  https://review.openstack.org/10101718:19
*** thedodd has joined #openstack-keystone18:24
morganfainbergjamielennox|away, ayoung, dolphm, any idea why 'verify_token' in auth_token middleware isn't a private method?18:25
ayoungmorganfainberg, cuz nothing in middleware was private originally and we haven't gotten them all18:25
ayoungmorganfainberg, everything in auth token should be private18:26
ayoungit's not meant to be extended18:26
morganfainbergayoung, oooh looks like it was bknudson 's refactor - the class that method is on is private, the method is public18:26
morganfainbergnvm18:26
morganfainbergit's correct.18:26
ayoung++18:27
bknudsonmorganfainberg: jamielennox|away made the change to have everything private18:28
bknudsonoh, you're asking about the methods in the new classes18:29
morganfainbergbknudson, right, and your change made the class private but the method public on that class _IdentityServer18:29
morganfainbergbknudson, yeah it confused me for a second18:29
morganfainbergbknudson, once i looked at the class and saw the class was private (separate class) it all made sense18:29
bknudsonwe actually did get a request to make the options public18:29
*** doddstack has joined #openstack-keystone18:33
*** thedodd has quit IRC18:33
ayoungmorganfainberg, so, internally we had a problem where the DBA had been tuning the Keystone database (adding indexes and the like) that broke the migrations.  I am wondering if keystone-manage db_sync should have a "create a backup" option.18:34
ayoungOur DBA did a backup, fortunately, but...18:34
morganfainbergayoung, so what does generic backup look like for mysql, postgres, db2, and sqlite?18:35
morganfainbergayoung, just playing devil's advocate, not saying it shouldn't be there18:35
morganfainbergayoung, and any other DB someone has managed to wedge keystone into18:35
*** bklei has quit IRC18:36
morganfainbergbknudson, they are public just not in the place you'd expect18:36
ayoungmorganfainberg, the fact that you are dumping passwords....18:36
morganfainbergbknudson, https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/opts.py#L2818:36
morganfainbergayoung, i'm inclined to say db_sync can't know how to do backups because the backups are *really* a RDBMS specific case and any one of them is likely very different than others18:37
bknudsonmorganfainberg: ok... maybe the bug submitter should use that... there's a bug for it18:37
morganfainbergbknudson, i think i commented on that bug already. let me 2x check18:38
ayoungmorganfainberg, yeah, but we really need to warn people to backup their DBs before doing migrate.  This could have been a disaster18:38
morganfainbergbknudson, https://bugs.launchpad.net/keystonemiddleware/+bug/1347304 marked as invalid and confirmed it does the job18:39
uvirtbotLaunchpad bug 1347304 in keystonemiddleware "Need a way to allow user to register config opts locally" [Undecided,Invalid]18:39
*** lbragsta_ has quit IRC18:39
bknudsonmorganfainberg: great, thanks18:39
morganfainbergbknudson, np18:40
*** lbragsta_ has joined #openstack-keystone18:40
*** lbragsta_ has quit IRC18:40
*** ukalifon1 has joined #openstack-keystone18:40
morganfainbergayoung, sure we should document it... but if you're mucking around adding indexes in the db outside of the migrations... I don't know if we can really protect against this18:41
*** lbragsta_ has joined #openstack-keystone18:41
ayoungmorganfainberg, oh, agreed, but adding indexes and the like are a common tool for DBAs.18:41
ayoungthey just need to know that they are likely to break migrations18:41
morganfainbergdolphm, ayoung, look what stevemar did! http://specs.openstack.org/openstack/keystone-specs/18:42
stevemarmorganfainberg, it's actually live for all official projects that have specs :)18:43
bknudsonstevemar: http://specs.openstack.org/openstack/nova-specs/ ?18:43
stevemarthe *-specs project just have to push a dummy patch to start the upload18:43
stevemarbknudson ^18:43
bknudsonok18:43
stevemarhttp://specs.openstack.org/openstack/ lists the current ones18:43
stevemarwe need a landing page :(18:44
ayoungstevemar, I give you full credit anyway18:44
stevemarajaeger helped too, knows his infra stuff18:44
*** lbragsta_ has quit IRC19:03
morganfainberghrybacki, next time please submit cleanup the cleanup patch separate from the code change patch, https://review.openstack.org/#/c/105031/12/keystonemiddleware/auth_token.py has been a bit of a beast to review because of the changes for cleanup and session lumped into one19:03
morganfainbergayoung, gyee, could _safe_quote on line 1173 bite us? https://review.openstack.org/#/c/105031/12/keystonemiddleware/auth_token.py previously we didn't pass the safe-quoted token to verify19:07
gyeemorganfainberg, I don't think it matters as token are base64 encoded anyway19:08
morganfainberggyee, then why do we even safe_quote anywhere?19:08
morganfainbergbase64 != urlsafe19:08
hrybackimorganfainberg: will do19:08
ayoungwe use urlsafe base64 encoding19:09
gyeeyeah, for token at least19:09
morganfainbergayoung, so why do we explicitly safe_quote in the auth_token middleware for the token?19:09
morganfainbergayoung, and/or why are we changing what we safe-quote and pass to .verify_token19:09
gyeeto make it really really safe? :)_19:09
morganfainberggyee, lol19:10
ayoungmorganfainberg, what line?  I don't see safe quote on 117319:10
morganfainbergayoung, in the new code user_token is safe_quoted on 114319:10
morganfainbergold code safe quoted as needed19:10
ayoungmorganfainberg, well, it might be needed for PKI but not PKIZ.  PKIZ uses the python library. let me pull that up, though19:11
bknudsonwe should have a tempest run where we set revoke_by_id=false19:11
morganfainbergbknudson, ++ once middleware supports it19:11
bknudsony, middleware is going to need it for a full run19:12
ayoung URL-encode user-supplied tokens (bug 974319)19:13
uvirtbotLaunchpad bug 974319 in python-keystoneclient "auth_token does not quote token to validate" [Low,Fix released] https://launchpad.net/bugs/97431919:13
ayoungmorganfainberg, blame chmouel19:14
ayounghttps://bugs.launchpad.net/keystone/+bug/97431919:14
uvirtbotLaunchpad bug 974319 in python-keystoneclient "auth_token does not quote token to validate" [Low,Fix released]19:14
morganfainbergayoung, then how has it been working before?19:14
ayoungmorganfainberg, it works fine.  This is defensive programming against bogus data19:14
morganfainbergayoung, ok.19:15
* gyee is hungry, going to do some defensive eating against fat19:15
*** ukalifon1 has quit IRC19:17
morganfainbergayoung, found an issue that might cause us to endlessly loop on retrying a token19:20
ayoungin the new code, or pre-existing19:20
morganfainbergayoung, new code19:21
ayoung?19:21
morganfainberghttps://review.openstack.org/#/c/105031/12/keystonemiddleware/auth_token.py 117219:21
morganfainbergwe don't check retry anymore19:21
morganfainbergif we get unauthorized we'll loop indefinitely retrying the token19:21
morganfainbergwell until we hit call stack depth limit19:21
bknudsonmorganfainberg: looks like it calls with retry=False19:23
morganfainbergbknudson, but if you look at the old code, it "if retry:" before calling self.verify_token(token, false)19:23
bknudsonoh, but it never checks the retry variable19:23
morganfainbergyep19:23
openstackgerritwerner mendizabal proposed a change to openstack/keystone-specs: Allow optional xml middleware configuration  https://review.openstack.org/11104819:23
bknudsonwe still haven't gotten rid of that crappy xml middleware!19:24
bknudsonwe need to get rid of stuff so we don't keep getting reviews for it.19:24
morganfainbergayoung, hrybacki, i set -1 workflow on that so it cannot merge without a new patch (don't want to use a sticky blocking -2)19:24
morganfainbergayoung, hrybacki, but we need to check the retry before retrying. :( sorry19:25
ayoungmorganfainberg, good catch19:25
hrybackimorganfainberg: yep19:25
hrybackidamn19:25
morganfainberghrybacki, please also fix the docstring -> comment in the next patch :)19:25
hrybackinods19:25
morganfainbergi think this also means we have a testing gap19:26
hrybackiright on time for an intern meeting19:26
*** hrybacki is now known as hrybacki-afk19:26
gyeemorganfainberg, good catch! that's a big one19:27
*** harlowja_away is now known as harlowja19:27
morganfainbergi think setting WIP might be a good approach to block a patch but not sticky-block it19:29
morganfainberga little more forceful than a -119:29
*** harlowja has quit IRC19:30
*** lbragsta_ has joined #openstack-keystone19:34
*** lbragsta_ has quit IRC19:38
*** hrybacki-afk has quit IRC19:39
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Add a domain to federated users  https://review.openstack.org/11085819:47
stevemarmorganfainberg, ^19:48
stevemarbknudson, if we get rid of too much, then we have nothing left to review19:49
stevemarwe'll just be a wrapper for apache modules and oslo libraries19:49
morganfainbergstevemar, lol19:52
*** gabriel-bezerra has quit IRC19:52
*** gabriel-bezerra has joined #openstack-keystone19:53
bknudsonI think that's our goal19:55
*** lbragsta_ has joined #openstack-keystone20:01
*** markwash has joined #openstack-keystone20:03
*** lbragsta_ has quit IRC20:05
boris-42bknudson hi there20:06
bknudsonboris-42: hi20:06
boris-42bknudson as far as I remember you told me that osprofiler requires BP20:06
boris-42bknudson so I finally decided to make a spec for it20:06
boris-42bknudson but I put it to oslo20:06
boris-42bknudson https://review.openstack.org/#/c/103825/20:06
*** gabriel-bezerra has quit IRC20:06
bknudsonit is good to have a spec for it then we can make sure it's in the release notes20:06
boris-42bknudson could you pls take a look20:07
boris-42bknudson I put in oslo-spec cause it's the similar for all projects20:07
bknudsonit's got a lot of +1 already!20:07
boris-42bknudson ya=)20:07
boris-42bknudson I wanna make sure that everybody is ok with it20:07
*** gabriel-bezerra has joined #openstack-keystone20:07
boris-42bknudson as it's cross project stuff at least one core from that team should +120:07
bknudsonboris-42: is the work going to be done in oslo?20:08
boris-42bknudson hm nope there is nothing related to oslo20:08
boris-42bknudson as you already see we have to add 2 patches in all projects20:08
boris-42bknudson 1 in python client 1 in main project20:08
bknudsonboris-42: so this might show if I'm using nova that keystone took x seconds to validate the token? that kind of cross-project profiling?20:10
boris-42bknudson yep20:10
boris-42bknudson so you are getting one trace that goes through all services20:11
boris-42of all projects20:11
bknudsonI think someone tried to do this before but it didn't get too far20:11
boris-42bknudson Yahoo! guy20:11
bknudsonit didn't involve ceilometer notifications20:11
boris-42bknudson that was working on tomograhp20:11
boris-42tomograph*20:11
boris-42bknudson that uses zipkin20:11
*** jsavak has joined #openstack-keystone20:12
*** raildo_ has joined #openstack-keystone20:12
boris-42bknudson I just use the similar idea but make it integrable in OpenStack20:12
*** jaosorior has quit IRC20:12
bknudsonI think there already is some trace middleware in oslo20:12
boris-42bknudson nope20:12
bknudsonthat's why I was asking if the work is in oslo20:12
boris-42bknudson there is no tracing middleware20:12
bknudsonI mean a request ID, not tracing.20:12
bknudsonmaybe the request ID middleware can go away with this20:12
bknudsonboris-42: http://git.openstack.org/cgit/openstack/oslo-incubator/tree/openstack/common/middleware/correlation_id.py20:13
boris-42bknudson yep there is request-id20:13
bknudsonit's pretty fancy20:13
boris-42bknudson but it's another story20:13
boris-42bknudson it is as well super important feature20:13
boris-42bknudson but it is different20:13
boris-42=)20:13
boris-42bknudson it puts request-ids into logs20:14
boris-42bknudson so you are able to grep all logs related to request20:14
boris-42bknudson and it is very useful in such cases when you get failure in request20:15
*** joesavak has quit IRC20:15
bknudsonboris-42: I like that there's security consideration in your proposal20:15
boris-42bknudson and wanna find what the hell happened20:15
boris-42bknudson but it won't help you in case when you would like to find what works slow20:15
boris-42bknudson and it doesn't support this nested stuff, and as well this extra info, like what was SQL requests, arguments of called method and so on=)20:16
boris-42bknudson yep security in such stuff is quite important20:16
boris-42bknudson cause this stuff is for production cloud, and should be turned on20:17
boris-42bknudson so there must not be security issues20:17
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Add an OS-FEDERATION section to scoped federation tokens  https://review.openstack.org/11107020:19
stevemarmorganfainberg, ^20:19
*** joesavak has joined #openstack-keystone20:20
*** jsavak has quit IRC20:22
openstackgerritDiane Fleming proposed a change to openstack/identity-api: Remove ATOM responses for list versions and get version details.  https://review.openstack.org/11077720:23
*** mrmoje has joined #openstack-keystone20:25
*** mrmoje has quit IRC20:25
*** jsavak has joined #openstack-keystone20:31
*** topol has quit IRC20:32
dstanekbknudson: any reason to not +A this? https://review.openstack.org/#/c/103998/ i just realized that you have 3 +2s20:32
bknudsondstanek: I don't know why it isn't +A, but even if it was the review it depends on isn't +A.20:33
dstanekah, that may be why...i'll start looking at the one it depends on to get this moving20:34
*** joesavak has quit IRC20:34
*** joesavak has joined #openstack-keystone20:34
dstanekbknudson: nm, i already +2ed that one20:35
bknudsondstanek: you did your part.20:35
*** jsavak has quit IRC20:37
morganfainbergbknudson, https://review.openstack.org/#/c/110138/ rebase needed, tried to +A it20:40
bknudsonmorganfainberg: ok, I'll try to do that today.20:40
bknudsonmorganfainberg: looking at revocation events with mysql20:40
morganfainbergbknudson, if it's a trivial rebase conflict consider my +2 to stand20:40
*** raildo_ has quit IRC20:47
*** ajayaa has quit IRC20:53
*** gabriel-bezerra has quit IRC20:54
*** gokrokve has quit IRC20:54
*** openstackgerrit has quit IRC21:01
*** openstackgerrit has joined #openstack-keystone21:02
*** openstack has joined #openstack-keystone21:08
dolphmdstanek: i don't have long chains too often, but checkout the last in the chain, and rebase it onto the one that was updated underneath you?21:15
openstackgerritDolph Mathews proposed a change to openstack/python-keystoneclient: Config fixture from oslo-incubator is not used.  https://review.openstack.org/10399821:18
openstackgerritDolph Mathews proposed a change to openstack/python-keystoneclient: Use config fixture from oslo.config  https://review.openstack.org/11013821:18
openstackgerritJohn Trowbridge proposed a change to openstack/keystone: Adds RBAC to Keystone V2 API get_endpoints method.  https://review.openstack.org/11108821:19
*** gabriel-bezerra has joined #openstack-keystone21:21
*** joesavak has quit IRC21:21
lbragstadnonameentername: https://github.com/openstack/oslo-incubator/blob/master/openstack/common/importutils.py#L6821:23
*** doddstack has quit IRC21:25
*** doddstack has joined #openstack-keystone21:26
*** doddstack has quit IRC21:34
bknudsondolphm: we may have to revert  https://review.openstack.org/#/c/109747/ ... somehow the gate is now unstable.21:34
dolphmbknudson: because of that? is there a bug filed?21:35
bknudsondolphm: https://bugs.launchpad.net/tempest/+bug/135102621:35
uvirtbotLaunchpad bug 1351026 in tempest "IdentityError in TokensV3TestJSON.test_rescope_token" [Undecided,New]21:35
bknudsonI don't understand why it would be intermittent21:35
bknudsonmaybe all these changes have to go in together rather than splitting it up.21:36
dolphmbknudson: if we have gate-fixing bugs, we can ask infra to prioritize them in the gate21:37
bknudsonprobably just https://review.openstack.org/#/c/109820/ and https://review.openstack.org/#/c/109389/ have to go in together21:37
dolphmgate-fixing patches*21:37
*** andreaf_ has quit IRC21:41
*** andreaf_ has joined #openstack-keystone21:43
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Add a domain to federated users  https://review.openstack.org/11085821:47
*** thedodd has joined #openstack-keystone21:49
morganfainbergstevemar, ^ looks like it was bad verbiage in the commit message that was throwing things off. fixed21:49
*** andreaf_ has quit IRC21:53
stevemarmorganfainberg, cool, my bad on the wording21:58
morganfainbergstevemar, meh21:58
morganfainbergstevemar, it happens21:58
stevemarnot my forte21:58
*** topol has joined #openstack-keystone22:01
dolphmbknudson: +2 on https://review.openstack.org/#/c/109389/22:02
*** gokrokve has joined #openstack-keystone22:07
*** markwash has quit IRC22:10
*** nkinder_away has quit IRC22:10
*** nkinder_away has joined #openstack-keystone22:11
*** ayoung has quit IRC22:13
*** markwash has joined #openstack-keystone22:24
dolphmbknudson: wow, thanks for your last comment on bug 1347961! that makes sense now :(22:24
uvirtbotLaunchpad bug 1347961 in ossa "Revocation events are broken with mysql" [Undecided,Incomplete] https://launchpad.net/bugs/134796122:24
bknudsondolphm: y, I wasn't sure after the other changes if it still applied... working on a change to workaround it now22:25
bknudsonessentially just always truncating the expires_at time.22:26
dolphmbknudson: this also means we can't deploy on mysql < 5.6 now at all, right?22:26
dolphmbknudson: or, i guess we could. wed22:26
dolphmwe'd have seconds accuracy on both sides of the comparison22:26
*** gabriel-bezerra has quit IRC22:26
morganfainbergdolphm, not sure what happens with DATETIME(6) on mysql < 5.622:27
bknudsondolphm: can't deploy with revocation events or in general?22:27
*** henrynash has quit IRC22:27
*** gabriel-bezerra has joined #openstack-keystone22:28
morganfainbergbknudson, we are also losing resolution (i think) on normal token expiry/issued_at22:28
dolphm"MySQL 5.6.4 and up expands fractional seconds support for TIME, DATETIME, and TIMESTAMP values, with up to microseconds (6 digits) precision"22:28
dolphm.4 is quite specific for such a feature22:28
morganfainbergi don't think we publish a minimum mysql version for openstack22:28
morganfainbergthough, i'd laugh if someone tries mysql 422:29
bknudsonwhen I ran the tempest test the token seemed to be revoked properly (couldn't create a new token), unless I set revoke_by_id=false22:29
dolphmmorganfainberg: if you deployed on 5.5 for example, both your token's expiration and revocation event's expiration should both be in full seconds?22:30
morganfainbergdolphm, or mysql will barf when you say datetime(6)22:30
morganfainbergand break everything22:30
dolphmmorganfainberg: it just truncates22:31
morganfainbergoh then it should be fine22:31
morganfainbergyeah, though it means we need to truncate our internal resolution as well22:31
dolphmprior to 5.6.4: "when MySQL stores a value into a column of any temporal data type, it discards any fractional part and does not store it."22:31
morganfainbergwell sure22:31
morganfainbergbut i wonder if migrating to DATETIME(6) will cause issues.22:31
dolphmmorganfainberg: changing the column type?22:32
morganfainbergdolphm, yeah thats how you "fix" the issue22:32
morganfainbergdatetime defaults to datetime(0) in mysql5.6.422:32
morganfainbergwhich is opposite of the SQL standard22:32
dolphmwell that's not convenient22:32
morganfainbergwe could move to string columns22:33
bknudsony, store an iso string22:33
morganfainbergbut somehow i think we're the only ones who *really* care about microseconds22:33
bknudsonbut then it's hard to compare?22:33
morganfainbergbknudson, not nearly as efficient22:33
*** stevemar2 has joined #openstack-keystone22:34
*** stevemar has quit IRC22:36
openstackgerritBrant Knudson proposed a change to openstack/keystone: Fix revocation event handling with MySQL  https://review.openstack.org/11110622:48
morganfainbergdolphm, re: federated user domains, happy to have that be a -spec as well22:50
dolphmmorganfainberg: yeah, that was a discussion we started in icehouse and never finished. definitely worth having22:51
morganfainbergdolphm, my opinion is federated users belong to no domain.22:51
morganfainbergbut tokens should be uniform22:51
morganfainbergbut i'm def. not hard-line on that stance.22:51
openstackgerritwerner mendizabal proposed a change to openstack/keystone: Making import lxml optional  https://review.openstack.org/11110822:53
*** bknudson has quit IRC22:58
*** gabriel-bezerra has quit IRC22:59
*** gordc has quit IRC22:59
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove `with_lockmode` use from Trust SQL backend.  https://review.openstack.org/9705923:00
*** gabriel-bezerra has joined #openstack-keystone23:01
*** hrybacki has joined #openstack-keystone23:18
*** bknudson has joined #openstack-keystone23:18
*** marcoemorais has quit IRC23:18
*** bknudson has quit IRC23:22
*** marcoemorais has joined #openstack-keystone23:22
openstackgerritBrant Knudson proposed a change to openstack/keystone: Revert "Fix for V2 token issued_at time changing"  https://review.openstack.org/11111623:25
*** bknudson has joined #openstack-keystone23:37
bknudsonI'm hoping that https://review.openstack.org/#/c/111116/ will get the gate working again...23:39
bknudsonnot sure how it got in considering postgresql tempest seems to be failing all the time now23:39
*** topol has quit IRC23:40
*** gabriel-bezerra has quit IRC23:48
*** gabriel-bezerra has joined #openstack-keystone23:48
*** gyee has quit IRC23:48
*** marcoemorais has quit IRC23:51
*** jamielennox|away is now known as jamielennox23:53
*** marcoemorais has joined #openstack-keystone23:53
*** stevemar2 is now known as stevemar23:55
*** gabriel-bezerra has quit IRC23:57
*** gabriel-bezerra has joined #openstack-keystone23:57
stevemarmorganfainberg, sry about the duplicate bugs, launchpad was acting all sorts of funny23:58

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!