Thursday, 2014-08-07

hrybackimorganfainberg: I'm talking to jamielennox about the retry logic in auth_token00:04
morganfainberghrybacki, ++00:04
hrybackishould we care about the retry at all?00:04
morganfainbergjamielennox, yeah error with it or something, mine just ... stopped working so i marked it private00:04
jamielennoxmorganfainberg: hrybacki says you had a reason to keep it around00:04
morganfainbergjamielennox, hrybacki, if we can get rid of it that works too00:04
morganfainbergjamielennox, hrybacki, if we can't get rid of the logic we need to test it :) that is my only point (so we don't get a regression or omission if we refactor again)00:05
bknudsonwhy would we remove a behavior that was working?00:05
hrybackimorganfainberg: I'll post a patch with some reasoning in the commit msg00:05
morganfainbergbknudson, if it isn't needed anymore, it's valid to remove the logic.00:05
jamielennoxbknudson: so around line 117000:05
bknudsonI expect I'll start getting calls from customers if that's removed.00:06
morganfainbergbknudson, i *think* it's only needed if the admin token is expired, and session shouldn't need that bit.00:06
jamielennoxwe used to have retry logic that if auth_token had an expired token to fetch a new one and then re-issue the verify00:06
jamielennoxthat request a new one should be handled by the auth plugins now00:06
bknudsonis that the only time we'd retry?00:06
jamielennoxretrying the request should do nothing00:06
jamielennoxbknudson: yes00:06
morganfainbergbknudson, but.. if it isn't needed, we can remove it, if we need to keep it, we should test it. I haven't evaluated any case we need to keep or not at this time.00:06
bknudsonthere's other reasons you might want to retry00:06
bknudsona network glitch00:06
bknudsonor maybe keystone just isn't started up yet.00:07
hrybackiwas/is retry used for anything else00:07
jamielennoxbknudson: this is specifically within the verify_token function, any of that would be handled by the retry logic down at _http_request function00:07
bknudsonif session takes care of it now then we don't need it in auth_token00:07
jamielennoxsession won't handle automatically retrynig things like a network outage - it was suggested but not implemented yet00:08
bknudsonok, then we need it in auth_token00:08
jamielennoxthis specific case is purely for re-fetching a new service token in auth_token so that we can continue to verify UUIDs00:08
jamielennoxthat part is handled by auth plugins00:09
hrybackiconsensus on if it's needed or not?00:13
jamielennoxhrybacki: take it out, let the gate vote, it shouldn't be needed00:14
hrybackijamielennox++ what about the exception itself?00:14
hrybacki401's were being caught by the HTTPError00:15
jamielennoxi'd leave the two log statements, they really should be being picked up in priority to the HttpError one00:15
hrybackiI agree, I was surprised they didn't raise an Unauthorized00:15
bknudsonI could have sworn on commented on this on the original review...00:15
hrybackithe exception code hierarchy is confusing00:16
jamielennoxbut looking at them there is no difference between the two cases so you can probably remove the whole block00:16
jamielennoxbknudson: it's been through a lot of revisions00:16
hrybackibknudson: you likely did -- I had a lot thrown at me, sorry =/00:16
bknudsonso we used to retry on just about every error, and now we only retry on unauthorized00:16
bknudsonwhich jamielennox is saying it's not worth it to retry on anyways00:16
jamielennoxthe exception hierarchy was a bit weird and then the apiclient came along and made it weirder00:17
hrybackinow we don't need to retry and unauthorized exception block should go00:17
jamielennoxbknudson: we continue to have this retry
jamielennoxthis is the traditional behaviour00:18
jamielennoxit would originally not retry http errors00:18
bknudsonjamielennox: which retry? the only retry is for Unauthorized.00:18
jamielennoxbknudson: so that's exactly the same as
bknudsonwhereas originally it would retry for everything other than 200, 40400:19
jamielennoxbecause getting a 404 via the requests library doesn't return an error it returns a response with a 404 status code00:19
bknudsonjamielennox: it's not the same... if you got a 500 error it used to retry00:19
bknudson(not sure how useful it is to retry in that case anyways)00:20
bknudsonam I not reading the code correctly?00:21
hrybackievery day I am more and more impressed by how much info you all track from the various keystone repos00:21
*** amcrn has quit IRC00:22
*** gyee has quit IRC00:22
*** arborism has joined #openstack-keystone00:22
hrybackiit's still retrying on errors in _http_request00:22
jamielennoxbknudson: not through that logic:
hrybackiit's just not a param handed in00:23
hrybackiit's a predetermined number of times form the config00:23
hrybackior up to rather00:23
jamielennoxso that _http_request code from 1.0 won't handle retrying on a 50000:24
jamielennoxbecause no exception is thrown there00:24
jamielennoxthe only things that cause exceptions coming out of requests are things like ConnectionError, SSLError and Timeouts00:24
hrybackiwhat gets returned on a 500?00:25
hrybackiand do we want it to retry on server errors?00:26
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Handle invalidate in identity plugins correctly
jamielennoxhrybacki: so on a 500 we get back a response object with a response.status_code == 50000:29
jamielennoxbut not an exception00:29
hrybackisimple to retry on that as well if we want that behavior00:30
jamielennoxdo we want to retry on server errors? i don't know00:30
hrybackithat's the question I posed :P00:30
jamielennoxi think though what is important around these patches is that we are trying not to change the behaviour of the middleware00:30
jamielennoxif we do want to retry 500 errors that should be a different patch and discussion can happen around that00:30
bknudsony, if we don't have tests around it then it's kind of fair game00:31
hrybackiso, for now, we are opting to remove the Unauthorized exception block as well as the retry param as the former isn't ever raised (401's are caught by HTTPError) and the latter will then be moot00:32
bknudsonhrybacki: do the tests fail if you change it?00:32
jamielennoxi'm surprised the former doesn't get raised, being higher in the list should take priority - but i see no reason to keep it00:32
hrybackibknudson: sec00:32
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Handle invalidate in identity plugins correctly
*** gokrokve has quit IRC00:34
ayoungmorganfainberg, I'll host your blog for you if you want00:36
*** yasukun has joined #openstack-keystone00:36
morganfainbergayoung, i have hosting, just have to fix the thing. i'll get around to it00:36
jamielennoxmorganfainberg: i went static pages on github, it can be a bit more fiddly but never have to worry about it00:38
jamielennoxmeans i can do git and vim as well00:39
*** yasukun has quit IRC00:41
hrybackimmm I've pulled the latest version of keystonemiddleware from github but for whatever reason I'm failing the tox tests00:44
hrybacki32 of them actually00:44
hrybackidid something change recently where we need more than the repo setup for them to run?00:44
*** jasondotstar has quit IRC00:48
bknudsonhrybacki: try rebuild your venv00:50
hrybackibknudson: I ran `tox -repy27` first00:50
hrybackididn't work so I nuked the repo and retried00:50
bknudsonhrybacki: it worked for me... had to get /opt/stack/python-keystoneclient to master first00:54
hrybackithe tox tests are just unit tests local to the repo though, yeah?00:54
hrybackithis isn't running on a full openstack deployment (I haven't done that for patches unless I needed to)00:55
*** marzif_ has quit IRC00:55
*** jasondotstar has joined #openstack-keystone00:55
bknudsonVersionConflict: (python-keystoneclient 0.9.0 (/opt/stack/keystonemiddleware/.tox/py27/lib/python2.7/site-packages), Requirement.parse('python-keystoneclient>=0.10.0'))00:56
bknudsonthat was the error that I got and so I updated /opt/stack/python-keystoneclient00:56
*** jasondotstar has quit IRC00:59
hrybackibut as far as my local repo is concerned there is no python-keystoneclient so shouldn't it be pulling 0.10.0 during insalldeps ?00:59
bknudsonhrybacki: y, I think in that case you get whatever's in pypi01:04
hrybackiyeah 0.10.101:04
hrybackiand that's what's in my site-packages01:04
bknudson".tox/py27/bin/pip freeze | grep python-keystoneclient" says "python-keystoneclient==0.10.1" for me01:05
hrybackihopefully this will magically work in the morning01:07
*** jasondotstar has joined #openstack-keystone01:12
*** diegows has quit IRC01:18
*** marcoemorais has quit IRC01:27
*** gokrokve has joined #openstack-keystone01:34
openstackgerritwanghong proposed a change to openstack/python-keystoneclient: move attributes of v3.client.Client into alphabetical order
*** ncoghlan is now known as ncoghlan_afk01:50
*** ncoghlan_afk is now known as ncoghlan01:52
*** arborism has quit IRC02:18
*** richm has quit IRC02:28
*** spandhe has quit IRC02:41
*** jasondotstar has quit IRC02:42
*** spandhe has joined #openstack-keystone02:51
*** spandhe has quit IRC02:58
*** gokrokve_ has joined #openstack-keystone03:19
*** spandhe has joined #openstack-keystone03:20
*** gokrokve has quit IRC03:22
*** jorge_munoz has quit IRC03:35
*** ayoung has quit IRC03:35
*** ncoghlan is now known as ncoghlan_afk03:37
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Mark auth plugin options as secret
*** spandhe has quit IRC03:46
*** oomichi has joined #openstack-keystone03:58
*** gokrokve_ has quit IRC04:03
*** ncoghlan_afk is now known as ncoghlan04:15
*** gpocente1 has joined #openstack-keystone04:30
*** jgriffit1 has joined #openstack-keystone04:31
*** sbasam has joined #openstack-keystone04:32
*** dvorak_ has joined #openstack-keystone04:34
*** vish1 has joined #openstack-keystone04:34
*** vishy has quit IRC04:35
*** junhongl has quit IRC04:35
*** Guest71676 has quit IRC04:35
*** anteaya has quit IRC04:35
*** gpocentek has quit IRC04:35
*** sbasam_ has quit IRC04:35
*** tristanC has quit IRC04:35
*** dvorak has quit IRC04:35
*** uvirtbot has quit IRC04:35
*** vish1 is now known as vishy04:35
*** dvorak_ is now known as dvorak04:35
*** junhongl has joined #openstack-keystone04:42
*** anteaya has joined #openstack-keystone04:44
*** hrybacki has quit IRC04:45
*** hrybacki has joined #openstack-keystone04:51
*** traz__ has quit IRC04:54
*** k4n0 has joined #openstack-keystone04:56
*** hrybacki has quit IRC04:56
*** hrybacki has joined #openstack-keystone04:57
openstackgerritJamie Lennox proposed a change to openstack/keystone: Fix documentation link
*** jaosorior has joined #openstack-keystone05:02
*** chandankumar has joined #openstack-keystone05:06
*** k4n0 has quit IRC05:21
*** hrybacki has quit IRC05:30
*** hrybacki has joined #openstack-keystone05:30
*** uvirtbot has joined #openstack-keystone05:33
*** k4n0 has joined #openstack-keystone05:34
*** hrybacki has quit IRC05:35
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Remove intersphinx mappings
*** ukalifon1 has joined #openstack-keystone05:53
*** tomoiaga has joined #openstack-keystone05:54
openstackgerritJamie Lennox proposed a change to openstack/keystonemiddleware: Remove intersphinx mappings
*** ajayaa has joined #openstack-keystone06:03
openstackgerritJamie Lennox proposed a change to openstack/keystone: Delete intersphinx mappings
*** k4n0 has quit IRC06:12
*** wolsen has joined #openstack-keystone06:13
*** k4n0 has joined #openstack-keystone06:28
*** ajayaa has quit IRC06:33
*** sijo_ has joined #openstack-keystone06:41
sijo_I want to get a keystone token for interacting cinder service through python..06:42
sijo_How can I achieve it..?06:43
*** ajayaa has joined #openstack-keystone06:45
*** ukalifon1 has quit IRC06:47
tomoiagasijo_: see the readme, at the bottom:
sijo_tomoiaga: thanks, let me see it..06:49
*** ukalifon has joined #openstack-keystone06:51
*** jamielennox is now known as jamielennox|away07:06
*** afazekas has joined #openstack-keystone07:20
*** henrynash has joined #openstack-keystone07:33
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Comparision of database models and migrations.
*** mrmoje has quit IRC08:03
openstackgerritIlya Pekelny proposed a change to openstack/keystone: Use metadata.create_all() to fill a test database
*** bvandenh has joined #openstack-keystone08:33
*** arunkant has quit IRC08:34
*** ncoghlan has quit IRC08:36
*** mitz has quit IRC08:49
*** mrmoje has joined #openstack-keystone08:49
*** marzif_ has joined #openstack-keystone09:07
*** oomichi has quit IRC09:11
*** henrynash has quit IRC09:15
*** ajayaa has quit IRC09:16
*** ajayaa has joined #openstack-keystone09:31
*** BAKfr has joined #openstack-keystone10:10
*** henrynash has joined #openstack-keystone11:27
*** arunkant has joined #openstack-keystone11:33
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Individual plugin CLI registering
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Allow registering additional plugins
*** Clabbe has joined #openstack-keystone11:53
ClabbeIf every user would call every API, would the total minimum amount of tokens be for each user = nrOfServices*nrOfTenants ?11:55
ClabbeOr is it possible to use same token for all services?11:56
*** afazekas has quit IRC12:04
openstackgerritMarcos Fermín Lobo proposed a change to openstack/keystone: Group related methods for LDAP backend
*** marekd is now known as mareklu12:13
*** mareklu is now known as marekd12:13
*** nkinder has quit IRC12:17
*** afazekas has joined #openstack-keystone12:19
*** henrynash has quit IRC12:21
*** nkinder has joined #openstack-keystone12:24
*** abhishek has joined #openstack-keystone12:27
abhishekdstanek:hi, you around?12:28
dstanekabhishek: hi12:29
openstackgerritwanghong proposed a change to openstack/keystone: remove default check keys in assertValidEntity
abhishekdstanek:i have replied to your review comments on the patch12:29
abhishekdstanek:i guess you are still not satisfied with the moving of listen() call12:30
*** bjornar has quit IRC12:33
dstanekabhishek: i don't see any value in doing that12:35
dstanekdid you see my comments on the bug?12:35
abhishekdstanek:yes, just now I have seen that12:35
abhishekdstanek:my intention is not to reload the configuration file at all12:36
dstanekabhishek: what do you want to do then?12:36
abhishekdstanek:I was just testing wheter sighup signal is working correctly or not12:37
abhishekdstanek:as common service framework has provided this facility and while i tested with nova and cinder I found that keystone is also using this framework12:38
abhishekdstanek:so while testing this, I found this bug12:39
dstanekabhishek: i guess i don't understand why you'd sent it a signal if it doesn't actually do anything12:39
abhishekdstanek:as I told you, i was just testing whether service is getting started or not after receiving the sighup signal12:40
dstanekabhishek: i looked a the oslo framework and i think it is just broken - doesn't make sense to me12:40
openstackgerritJeffrey Zhang proposed a change to openstack/keystone: Redirect stdout and stderr when using subprocess
abhishekdstanek:so, there is no need to fix this issue?12:43
*** henrynash has joined #openstack-keystone12:44
dstanekabhishek: since the fix is so small it's not a big deal, but i don't think anyone will ever send it a SIGHUP because right now it just kills the process and then when fixed it doesn't do anything12:45
dstanekabhishek: did you see my alternate proposal?12:45
abhishekdstanek:yes, i have seen that12:45
abhishekdstanek:its failing because, you can not duplicate the ssl socket12:46
dstanekabhishek: yes, that's why I gave it a -1 - i just wanted to show what i was thinking - i didn't take the time to split the listen method12:49
*** afazekas has quit IRC12:50
abhishekdstanek:ok, i got it12:51
*** nkinder is now known as nkinder_away12:51
abhishekdstanek:thank you for your time12:52
dstanekabhishek: no problem, that's what i'm here for :-) i'm going to abandon my review so that you can fix up yours and we can get it through12:53
*** henrynash has quit IRC12:53
abhishekdstanek:thank you12:54
abhishekdstanek: :)12:54
*** bknudson has quit IRC12:57
*** abhishek has quit IRC12:57
*** k4n0 has quit IRC12:59
*** gordc has joined #openstack-keystone13:01
*** jasondotstar has joined #openstack-keystone13:03
*** bknudson has joined #openstack-keystone13:15
*** afazekas has joined #openstack-keystone13:18
*** saipandi has joined #openstack-keystone13:19
*** saipandi has quit IRC13:21
*** saipandi has joined #openstack-keystone13:21
*** henrynash has joined #openstack-keystone13:27
*** stevemar has joined #openstack-keystone13:40
*** joesavak has joined #openstack-keystone13:41
*** hrybacki has joined #openstack-keystone13:42
*** traz__ has joined #openstack-keystone13:44
*** zzzeek has joined #openstack-keystone13:48
afaranhaHello, does anybody knows whats the difference in assignment between the operations "list_role_assignments" and "list_grants", is it only because the effective parameter? In my opinion what we could do using list_role_assignment we could do using "list_grants" with some modifications. What do you think?13:49
*** shakamunyi has joined #openstack-keystone13:50
*** ayoung has joined #openstack-keystone14:04
*** vhoward has joined #openstack-keystone14:07
*** shakamunyi has quit IRC14:23
*** diegows has joined #openstack-keystone14:24
openstackgerritMarek Denis proposed a change to openstack/python-keystoneclient: SAML2 federated authentication for ADFS.
*** BAKfr has quit IRC14:30
*** shakamunyi has joined #openstack-keystone14:37
*** richm has joined #openstack-keystone14:39
*** david-lyle has joined #openstack-keystone14:48
*** ajayaa has quit IRC14:50
*** ukalifon has quit IRC14:56
*** tomoiaga has quit IRC15:10
*** tomoiaga has joined #openstack-keystone15:12
nonameentername /SET nicklist_width 2015:15
*** tomoiaga has quit IRC15:16
*** sijo_ has quit IRC15:23
*** hrybacki has quit IRC15:38
*** Morgan__ has joined #openstack-keystone15:39
*** Morgan__ has quit IRC15:40
*** MorganB has joined #openstack-keystone15:40
*** MorganB is now known as morganbird15:41
*** jaosorior has quit IRC15:42
openstackgerritStuart McLaren proposed a change to openstack/keystonemiddleware: Add composite authentication support
*** shakamunyi has quit IRC15:51
*** bvandenh has quit IRC15:53
*** ukalifon1 has joined #openstack-keystone15:54
*** richm has quit IRC15:58
*** afazekas has quit IRC15:58
*** marcoemorais has joined #openstack-keystone15:58
*** andreaf_ has joined #openstack-keystone16:04
*** andreaf has quit IRC16:07
*** ukalifon1 has quit IRC16:08
stevemarso quiet today16:11
*** mrmoje has quit IRC16:12
*** kwss has joined #openstack-keystone16:13
kwssHey :) I was wondering if it was possible to setup the Keystone policy.json so that unauthenticated users can access certain API functions?16:13
stevemarkwss, hey, just don't add the @controller.protected decorator16:29
kwssstevemar, thanks :) so there's no way to configure existing functions without modifying the code?16:30
stevemarkwss, hmm, you might be able to just set the policy to ""16:30
stevemarkwss, like here
kwssstevemar, tried that but no, that just means an authenticated user doesn't need any roles etc.16:31
stevemaryeah, you'd have to tinker w/ the code to remove the decorator16:31
kwssI'd like to let unauthenticated users list available IdPs16:31
kwssstevemar, well thanks a lot for your help :)16:32
openstackgerritMarek Denis proposed a change to openstack/keystone: Refactor serializer import to XmlBodyMiddleware
*** bobt has quit IRC16:33
*** marzif_ has quit IRC16:33
*** richm has joined #openstack-keystone16:36
*** jaosorior has joined #openstack-keystone16:40
*** kwss has quit IRC16:42
openstackgerritAnne Gentle proposed a change to openstack/identity-api: Removes WADL references from Identity v2.0 API
*** chandankumar has quit IRC16:46
*** bvandenh has joined #openstack-keystone16:55
*** marcoemorais has quit IRC16:59
*** marcoemorais has joined #openstack-keystone17:00
*** marcoemorais has quit IRC17:00
*** marcoemorais has joined #openstack-keystone17:01
*** vhoward has left #openstack-keystone17:07
*** hrybacki has joined #openstack-keystone17:22
openstackgerritRodrigo Duarte proposed a change to openstack/keystone: Base methods to handle hierarchical projects
*** gyee has joined #openstack-keystone17:49
*** jsavak has joined #openstack-keystone17:51
*** joesavak has quit IRC17:54
*** jdennis has quit IRC17:54
*** marcoemorais has quit IRC17:56
*** marcoemorais has joined #openstack-keystone17:56
*** marcoemorais has quit IRC18:00
*** marcoemorais has joined #openstack-keystone18:01
*** bknudson has quit IRC18:11
*** jdennis has joined #openstack-keystone18:22
*** bknudson has joined #openstack-keystone18:30
*** ajayaa has joined #openstack-keystone18:34
*** bknudson has quit IRC18:35
*** tpatil has joined #openstack-keystone18:35
ayoungstevemar, nope18:36
ayoungstevemar, "" means "you must have a token, but I don't care what is in it"18:36
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove assignment controller dependency on token_api
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Expose token revocation list via token_provider_api
ayoungAh...yeah, you got that far.18:37
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove ec2 contrib dependency on token_api
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove trust dependency on token_api
ajayaaayoung, morganfainberg,
ajayaaalready polished! :)18:46
morganfainbergayoung, "" means use the default rule iirc18:46
morganfainbergayoung, not no rule18:46
ayoungmorganfainberg, mybe, but regardless, it means you need  a token18:47
ayoungand that should not be the case.18:47
*** bknudson has joined #openstack-keystone18:47
ayoungmorganfainberg, I ran in to that on GET revocation_events18:47
ayoungajayaa, what is different about this version of the patch?18:48
*** jsavak has quit IRC18:48
morganfainbergayoung, my guess is it's cleanup on tests18:48
morganfainbergayoung, there is one more thing needed18:49
*** joesavak has joined #openstack-keystone18:49
morganfainbergajayaa not ayoung18:49
morganfainbergajayaa, there is a test decorator we need to add18:50
morganfainbergajayaa, it's the one that skips if caching is disabled. sorry :( i fogot about it last time18:50
*** amerine_ has quit IRC18:50
ajayaamorganfainberg, ohk! I will do that right away.18:50
*** jsavak has joined #openstack-keystone18:50
*** zzzeek has quit IRC18:50
morganfainbergajayaa, yeah sorry :( i totally spaced on that.18:50
morganfainbergajayaa, thanks!18:50
*** zzzeek has joined #openstack-keystone18:50
*** amerine has joined #openstack-keystone18:50
morganfainbergajayaa, is the decorator18:51
*** david-lyle has quit IRC18:51
ajayaamorganfainberg, thanks.18:51
*** david-lyle has joined #openstack-keystone18:52
*** joesavak has quit IRC18:53
tpatilHi dstanek: Are you there18:56
*** joesavak has joined #openstack-keystone18:56
dstanektpatil: yes18:56
tpatildstanek: I have posted comment on the bug, please take a look at it.18:56
uvirtbotLaunchpad bug 1337850 in keystone "Keystone service outputs error messages when SIGHUP signal is sent" [Medium,In progress]18:56
*** david-lyle has quit IRC18:56
dstanektpatil: yes, we talked about it this morning. the point of my patch was not to replace the one that was proposed, but to show in code what we were talking about the other day. i'll update the bug with the outcome of our discussion18:58
*** jsavak has quit IRC18:59
dstanektpatil: i think for the most part all of my feedback is already on that patch.18:59
dstanektpatil: the odd thing will be that we no longer get a traceback when there is a sighup, but nothing really happens at all19:00
tpatildstanek: Are you testing using devstack?19:00
dstanektpatil: yes19:00
tpatildstanek: it will only work if you are running keystone as a daemon process.19:01
dstanektpatil: define work. what are you expecting it to do?19:02
tpatildstanek: Basically while testing SIGHUP signal we came across the bug reported to the LP. After adding reset method, it failed to start the service for ssl.19:03
dstanektpatil: no, i know that. what do you expect the SIGHUP to do in Keystone?19:04
tpatildstanek: so to address that issue, we ended up with making changes to the listen and start method.19:04
dstanekobviously you don't want it to raise an exception19:04
tpatildstanek: correct19:05
tpatildstanek: reload the configuration files same as other openstack services.19:05
dstanektpatil: i don't think this will actually acomplish that - that's why i asked in the bug report what the real end goal was19:06
dstanekthat's also why i asked how keystone was being run - i am making the assumption that keystone-all is being run on the command-line with a config that defines more than one worker processes19:07
tpatildstanek: Ok, I got it, we are planning to run the keystone-all process as a daemon.19:08
tpatildstanek: _is_sighup_and_daemon method will return True. Also we have confirmed that it is reloading the configuration files and starting the service again for each worker.19:11
dstanekright now using the patch killing the parent seems to kill everything. how are you running it to test?19:12
dstanektpatil: i should say 'kill -1' kills all of the processes for me19:14
tpatildstanek:  On devstack, in the _is_sighup_and_daemon method, simply change return _is_daemon() to return True19:14
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Add notifications for role assignment created and deleted events
stevemardstanek, i feel dirty19:17
dstanekstevemar: that's pretty close to what i have right now19:17
stevemardstanek, :( it feels so wrong19:18
stevemari'm sure you have some pythonista stuff in there, instead of 20 if's like i do19:18
tpatildstanek: That's shouldn't happen. I will request Abhishek to check it once again and let you know.19:20
dstanektpatil: i did a real simple test; ran keystone-bin without workers set so i had one process; i hacked the _is_daemon to always return true19:24
dstanektpatil: when i changed the admin token it was not reloaded on SIGHUP19:24
dstanekout config is loaded when keystone-all is executed and i don't think we ever reload it anywhere else19:25
tpatildstanek: After the SIGHUP signal is sent to the keystone process (worker > 1), then it calls Launcher.restart method in which is reloading the configuration files.19:28
tpatildstanek: restarting my machine, please wait..19:29
dstanektpatil: oh, nice. it looks like that worked19:33
*** tpatil_ has joined #openstack-keystone19:33
*** tpatil has quit IRC19:33
dstanektpatil: not for all config options (i can't change ports, etc.), but in general things are loaded19:34
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Merge "Remove `with_lockmode` use from Trust SQL backend."
tpatil_dstanek: That is true, But we are ok with that.19:37
tpatil_Dstanek: Please give your comments on the patch and Abhishek can take care of it. Thanks for your time.19:37
dstanektpatil_: i'm going to change the title and description to be more genericly about the problem being solved. when i talked to Abhishek this morning it sounded like the configuration reloaded was not expected19:39
tpatil_dstanek: That's true, our intention is fix the raised exception issue because reloading of configuration file logic is already been called in the service framework when you SIGHUP signal.19:41
tpatil_stank: That's true, our intention is to fix the raised exception issue because reloading of configuration file logic is already been called in the service framework when you send SIGHUP signal.19:42
tpatil_dstanek: Apart from adding reset method, we have made several other changes because we were getting "cannot dup ssl socket" issue. I will request Abhishek to add this information to the bug and commit message.19:44
dstanektpatil_: i think my biggest issue with the patch is the elimination of the listen method19:46
tpatil_dstanek: We can keep the listen method but will move the ssl related code to the start method.19:50
tpatil_dstanek: The main reason why we have eliminated listen method is that it not being used by other OpenStack services.19:52
openstackgerritAnne Gentle proposed a change to openstack/identity-api: Removes WADL references from Identity v2.0 API
dstanekthe more reviews i do the more email i get and the more i feel like i'm drowning!19:57
*** jorge_munoz has joined #openstack-keystone20:01
*** afazekas has joined #openstack-keystone20:09
*** jraim__ is now known as jraim20:09
*** jorge_munoz has quit IRC20:16
morganfainbergstevemar, ping20:20
stevemarmorganfainberg, pong20:20
morganfainbergstevemar, re: is henrynash 's comment something we need to address before  merging?20:21
*** jorge_munoz has joined #openstack-keystone20:21
stevemari thought i did..20:22
morganfainbergabout roles section in the token?20:22
stevemarmorganfainberg, i think it's fine, we might need yet another patch to insert role's names, too20:22
morganfainbergstevemar, ?20:23
stevemarthe roles section is in the scoped federation token, normally, it just doens't line up perfectly with the main API's format20:23
stevemarwith the main API, the token also contains role names20:23
stevemarfor federated tokens we just put in role ids20:24
morganfainbergnot according to the review you have20:24
morganfainbergwe put the whole role ref?20:24
*** jorge_munoz has quit IRC20:24
morganfainbergstevemar, i have no idea where you're getting the id only part.20:24
*** jorge_munoz has joined #openstack-keystone20:25
stevemarmorganfainberg, wtf did i write there20:25
morganfainbergstevemar, ok, so now you see what i'm asking about20:26
*** morganbird has quit IRC20:26
stevemarmorganfainberg, give me a sec... let me run a federation test20:28
stevemarmorganfainberg, OK, so the role section that comes back from a federation token includes enabled/name/description/id20:30
morganfainbergok so your review is correct?20:30
stevemarhenry was concerned that it doesn't match w/ the main API (just name and id), and we're missing "links"20:30
stevemarmorganfainberg, yes, but the description and name are both a uuid20:31
*** jorge_munoz has quit IRC20:31
stevemari think it's worth fixing that20:31
*** jorge_munoz has joined #openstack-keystone20:32
*** hrybacki has quit IRC20:33
morganfainbergstevemar, so are you going to roll a new review on that one?20:33
*** jorge_munoz has quit IRC20:33
stevemaryes, in about 1 second20:33
openstackgerritSteve Martinelli proposed a change to openstack/identity-api: Add OS-FEDERATION section to scoped federation tokens
stevemarmorganfainberg, ^20:35
*** joesavak has quit IRC20:51
*** gokrokve has joined #openstack-keystone20:53
openstackgerritAjaya Agrawal proposed a change to openstack/keystone: Implemented caching in identity layer.
*** fifieldt_ has joined #openstack-keystone20:59
*** fifieldt has quit IRC21:02
*** bobt_ has joined #openstack-keystone21:03
*** jasondotstar has quit IRC21:04
ajayaamorganfainberg, ayoung,
*** raildo has left #openstack-keystone21:08
*** morganbird has joined #openstack-keystone21:11
openstackgerritGabriel Assis Bezerra proposed a change to openstack/identity-api: API documentation for Hierarchical Multitenancy
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Update CADF auditing example to show non-payload information
*** bvandenh has quit IRC21:25
*** henrynash has quit IRC21:38
*** henrynash has joined #openstack-keystone21:38
*** henrynash has quit IRC21:39
*** ajayaa has quit IRC21:44
*** jorge_munoz has joined #openstack-keystone21:47
stevemarmorganfainberg, lbragstad, dstanek ^ hopefully an easy review21:51
*** jorge_munoz has quit IRC21:53
*** turul_ has joined #openstack-keystone21:55
*** afazekas is now known as __afazekas21:55
*** turul_ is now known as afazekas21:56
*** saipandi has quit IRC22:02
*** marcoemorais has quit IRC22:06
*** marcoemorais has joined #openstack-keystone22:06
*** marcoemorais has quit IRC22:07
*** marcoemorais has joined #openstack-keystone22:07
*** marcoemorais has quit IRC22:08
*** marcoemorais has joined #openstack-keystone22:08
*** oomichi has joined #openstack-keystone22:08
*** marcoemorais has quit IRC22:10
*** marcoemorais has joined #openstack-keystone22:10
*** rwsu has quit IRC22:10
*** rwsu has joined #openstack-keystone22:15
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Individual plugin CLI registering
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Individual plugin CLI registering
bknudson could use a review22:30
*** marcoemorais has quit IRC22:31
*** marcoemorais has joined #openstack-keystone22:31
*** marcoemorais has quit IRC22:31
*** marcoemorais has joined #openstack-keystone22:32
bknudson that's funny22:34
*** morganbird has quit IRC22:34
*** jorge_munoz has joined #openstack-keystone22:40
dstanekbknudson: :-)22:42
dstanekbknudson: lots of that old code needs some love22:42
bknudsondstanek: I'd love to +2 it but I didn't like the new name.22:42
bknudsonthink of how much faster keystone would be if the names were all 1 letter22:42
dstanekbknudson: i'm fine with data; what did you mean with your comment about format_url all over the place?22:42
bknudsondstanek: keystone/contrib/endpoint_filter/backends/catalog_sql.py22:43
*** jorge_munoz has quit IRC22:43
dstanekbknudson: we should try it!22:43
bknudsondstanek: those22:43
bknudsondstanek: those 222:43
bknudsonMaybe "all over the place" was overstating it.22:43
dstanekbknudson: i see what you mean - they use d as well22:44
bknudsondstanek: well, it is a dict, so it makes sense22:44
dstanekbknudson:  would you rather be leave the orignal d and just change o->catalog?22:45
bknudsondstanek: no, change d22:45
bknudsondstanek: that was a joke22:45
bknudsonalthough "data" isn't especially descriptive either...22:46
dstanekbknudson: it's hard to tell with you sometimes :-P22:46
bknudsonthat's why I suggested replacement_values or something.22:46
bknudsonformat_url could also be changed from "data" to whatever name you pick22:46
*** gordc has quit IRC22:47
*** ayoung has quit IRC22:53
dstanekbknudson: i just realized that format_url is basically Python's string.Template22:59
*** dhellmann is now known as dhellmann_23:00
bknudsondstanek: supposedly it's safe...23:00
bknudsonbut it doesn't look like it does any URL escaping.23:01
dstanekbknudson: yeah, no sure what's so safe about it23:01
dstanekbknudson: i'll create a failing test and a patch to actually make it sae23:03
dstanekor safe23:03
*** bobt_ has quit IRC23:08
*** morganbird has joined #openstack-keystone23:10
*** marcoemorais has quit IRC23:13
*** marcoemorais has joined #openstack-keystone23:13
*** marcoemorais has quit IRC23:14
*** marcoemorais has joined #openstack-keystone23:14
*** morganbird has quit IRC23:15
*** shufflebot has quit IRC23:18
*** shufflebot has joined #openstack-keystone23:18
*** jaosorior has quit IRC23:22
*** jamielennox|away is now known as jamielennox23:23
jamielennoxgyee: do you know david hu's irc nick?23:23
gyeejamielennox, I don't see him at his desk, he may not be on irc at the moment23:26
jamielennoxgyee: oh, you've got line of sight? useful. what's his nick so i can look for him?23:27
jamielennoxfoir later23:27
gyeek, I'll hurl an angry bird plush at him once I see him23:28
gyeethat's our flintstone ping :)23:28
openstackgerritDavid Stanek proposed a change to openstack/keystone: Refactor names in catalog backends
*** gokrokve has quit IRC23:45
jamielennoxhey whoever's around, can we approve it's messing with the gate on keystoneclient stuff23:45
dstanekjamielennox: was the mapping setup just-in-case or was there a point where we linked docs?23:56
jamielennoxdstanek: the same link exists in keystone and keystonemiddleware23:57
jamielennoxi expect it was c&p-ed from somewhere initially and then just kept getting propogated23:57
openstackgerritMorgan Fainberg proposed a change to openstack/keystonemiddleware: Add composite authentication support
*** Dafna has quit IRC23:58
gyeejamielennox, pressed the button23:59

Generated by 2.14.0 by Marius Gedminas - find it at!