Tuesday, 2014-08-12

[01:05] <gus> Request for reviews on https://review.openstack.org/#/c/110512/ - simple/obvious fix to issue one sql statement per execute() call
[01:09] <openstackgerrit> Brant Knudson proposed a change to openstack/keystone-specs: Update JSON Home for docs location https://review.openstack.org/113413
[01:14] <openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Standardize AccessInfo token setting https://review.openstack.org/113415
[01:28] <openstackgerrit> Brant Knudson proposed a change to openstack/identity-api: JSON Home support https://review.openstack.org/109881
[01:34] <openstackgerrit> Brant Knudson proposed a change to openstack/identity-api: JSON Home support https://review.openstack.org/109881
[01:36] <morganfainberg> gus, +2 LGTM
[01:40] <gus> morganfainberg: thanks! (still need a second +2)
[01:40] <morganfainberg> gus, yep.
[01:40] <morganfainberg> gus, but it is a clean/easy to read change. and it won't affect anything except enabling mysqlconnector
[01:41] <morganfainberg> gus, you'll probably get another +2 without too much hassle (** this statement is no guarantee on that)
[01:41] <gus> yeah. Unfortunately this particular piece of code is cut+pasted across ~every openstack project, so I have to repeat this half a dozen times :(
[02:00] <morganfainberg> gus, heh
[02:21] <morganfainberg> bknudson, ping we merged the fix for revocation events that reduced the accuracy to 1s right?
[02:21] <morganfainberg> bknudson, for revoke by expiration
[02:21] <bknudson> morganfainberg: in keystone, yes
[02:21] <morganfainberg> bknudson, well crap
[02:21] <bknudson> it was also backported to icehouse
[02:22] <morganfainberg> bknudson, that is now breaking my work to try and convert to validate_token :(. i guess i could sleep(1) to guarantee a different expires time
[02:22] <bknudson> should be easy to revert... although it will cause the tests to fail again
[02:22] <morganfainberg> nah, i'll add a sleep 1 in the affected tests (2 tests around revocation list)
[02:22] <bknudson> morganfainberg: the test should control the clock... don't sleep
[02:22] <morganfainberg> bknudson, uh.
[02:22] <bknudson> you can override utcnow()...
[02:22] <morganfainberg> bknudson, oh. mock it?
[02:23] <morganfainberg> bknudson, sure. *cringes*
[02:23] <bknudson> y, I think there's examples in keystoneclient
[02:23] <morganfainberg> yeah i've done it before
[02:23] <morganfainberg> we really need to fix the issue w/ mysql's token expires
[02:24] * morganfainberg shrugs/
[02:24] <bknudson> morganfainberg: http://git.openstack.org/cgit/openstack/oslo.utils/tree/oslo/utils/timeutils.py#n106
[02:24] <morganfainberg> no don't use override
[02:24] <morganfainberg> actually use mock and mock out utcnow
[02:25] <morganfainberg> i actually went through and removed a bunch of setting that override value in icehouse iirc
[02:25] <bknudson> morganfainberg: don't use set_time_override()? or don't use timeutils.utcnow?
[02:25] <morganfainberg> don't use .set_time_override
[02:26] <bknudson> what's wrong with it?
[02:26] <morganfainberg> it's better to just use mock, since it will automatically undo itself (context manager) etc
[02:26] <bknudson> and if we're not supposed to use it then shouldn't it say to not use it?
[02:26] <morganfainberg> you don't need to remember to clean up, and iirc oslo team wanted to remove it
[02:26] <morganfainberg> yeah there might be a missing comment/deprecation warning
[02:26] <bknudson> I'm surprised it wasn't removed in the switch to a lib
[02:26] <morganfainberg> yeah i dunno :( i just remember the conversation
[02:27] <bknudson> I think dhellmann was talking about this at the oslo meeting on Fri.
[02:27] <bknudson> he mentioned adding a fixture or something.
[02:27] <bknudson> I like the advance_time_delta functions... that's kind of neat
[02:28] <bknudson> our tests should have full control of the clock all the time.
[02:33] <morganfainberg> bknudson, yeah it's not hard to do w/ mock, just did:
[02:34] <morganfainberg> works like a charm
[02:35] <morganfainberg> thanks for saying don't sleep, made me remember about mock :)
[02:35] <bknudson> sleep is evil
[02:35] <morganfainberg> reminds me i'll fix a couple of the slow cache tests that use sleep
[02:36] <morganfainberg> should save us ~10s on test runs (yeah i know 10s isn't *that* much)
[02:37] <morganfainberg> hm. or .. maybe it was already fixed
[02:38] <bknudson> 10s is a lot for unit tests
[02:38] <morganfainberg> oooh it's not the test that sleeps, it's the actual lock blocking
[02:39] <morganfainberg> yeah can still fix this with magic mock stuff
[03:06] * morganfainberg taps foot waiting on a merge
[03:12] <openstackgerrit> Steve Martinelli proposed a change to openstack/keystone: Add a URL field to region table https://review.openstack.org/106935
[03:13] <openstackgerrit> A change was merged to openstack/keystone: Enhance V3 router class for resources https://review.openstack.org/111568
[03:13] <openstackgerrit> A change was merged to openstack/keystone: Remove assignment controller dependency on token_api https://review.openstack.org/109162
[03:13] <openstackgerrit> A change was merged to openstack/keystone: add i18n to lxml error https://review.openstack.org/112914
[03:17] <stevemar> morganfainberg, yay most of it merged
[03:18] <openstackgerrit> Morgan Fainberg proposed a change to openstack/keystone: Update AuthContextMiddleware to not use token_api https://review.openstack.org/113429
[03:20] <openstackgerrit> Morgan Fainberg proposed a change to openstack/keystone: Add __str__ and __repr__ to KeystoneToken model https://review.openstack.org/113430
[03:21] <morganfainberg> stevemar, lol the next one is "fun"
[03:21] <morganfainberg> stevemar, but i think the vision is starting to come together
[03:27] <openstackgerrit> Morgan Fainberg proposed a change to openstack/keystone: Remove trust dependency on token_api https://review.openstack.org/109462
[03:28] <openstackgerrit> wanghong proposed a change to openstack/keystone: remove default check keys in assertValidEntity https://review.openstack.org/112573
[03:29] <openstackgerrit> Morgan Fainberg proposed a change to openstack/keystone: Update AuthContextMiddleware to not use token_api https://review.openstack.org/113429
[03:30] <openstackgerrit> Morgan Fainberg proposed a change to openstack/keystone: Remove trust dependency on token_api https://review.openstack.org/109462
[03:30] <openstackgerrit> Morgan Fainberg proposed a change to openstack/keystone: Add __str__ and __repr__ to KeystoneToken model https://review.openstack.org/113430
[03:34] <jamielennox> do you think people would care if i broke keyring support in shell?
[03:35] <morganfainberg> jamielennox, they probably would :(
[03:35] <jamielennox> morganfainberg: what about if i can keep it in shell, but rip it out of the client - it never belonged there anyway
[03:35] <morganfainberg> jamielennox, lots of people use ksc not osc (older installs) and i'm *sure* someone would be vocally unhappy about it
[03:36] <morganfainberg> jamielennox, i don't see any issue with that personally. it in fact should *only* be shell, if someone is using it otherwise I'd tell them "uhh. store your token another way" though you *might* want to deprecate that with a warning message first
[03:38] * morganfainberg needs food badly </gauntlet>
[03:54] <openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Version independent password authentication plugin https://review.openstack.org/81147
[04:13] <openstackgerrit> Morgan Fainberg proposed a change to openstack/keystone: Update AuthContextMiddleware to not use token_api https://review.openstack.org/113429
[04:18] <openstackgerrit> Morgan Fainberg proposed a change to openstack/keystone: Remove trust dependency on token_api https://review.openstack.org/109462
[04:18] <openstackgerrit> Morgan Fainberg proposed a change to openstack/keystone: Add __str__ and __repr__ to KeystoneToken model https://review.openstack.org/113430
[04:19] <morganfainberg> wow.. rebase *FAIL*
[04:24] <morganfainberg> bknudson, so, can't control the test w/o a sleep. it's making a restful call, and changing utcnow with a mock isn't affecting the app
[04:24] <jamielennox> if i was starting again with shell do you think it makes sense to provide --os-token
[04:24] <jamielennox> that time mock should go to upstream fixtures
[04:31] <openstackgerrit> Morgan Fainberg proposed a change to openstack/keystone: Update AuthContextMiddleware to not use token_api https://review.openstack.org/113429
[04:31] <morganfainberg> jamielennox, in this case it won't help
[04:32] <morganfainberg> jamielennox, we're doing a restful call, and restful calls will hit code that won't see the mock :(
[04:32] <morganfainberg> ^^ fix + large todo comment
[04:32] <jamielennox> morganfainberg: yea, was just an observation in the past
[04:32] <jamielennox> observation i'd made before that i thought we should do sometime
[04:34] <openstackgerrit> Morgan Fainberg proposed a change to openstack/keystone: Remove trust dependency on token_api https://review.openstack.org/109462
[04:34] <openstackgerrit> Morgan Fainberg proposed a change to openstack/keystone: Add __str__ and __repr__ to KeystoneToken model https://review.openstack.org/113430
[04:34] <morganfainberg> jamielennox, not sure about --os-token :(
[04:34] <jamielennox> morganfainberg: i don't know if i have a choice, it exists
[04:34] <morganfainberg> jamielennox, i'm running on a bit low blood sugar so i'm not in an optimal state to make a call on that
[04:37] <jamielennox> morganfainberg: no worries, tomorrow morning at the meeting i'm going to try and push some client reviews on people - so i'll get you then anyway
[04:37] <jamielennox> s/morning/some time
[04:37] <morganfainberg> jamielennox, hehe hey i've been reviewing client stuff!
[04:37] <jamielennox> morganfainberg: you have, thanks - still need to crack the whip occasionally :)
[04:41] <morganfainberg> jamielennox, this is likely a quick review: https://review.openstack.org/#/c/113108/ if you have a second to look at a 1-liner
[04:41] <jamielennox> morganfainberg: done
[04:41] <morganfainberg> jamielennox, thanks
[05:42] <openstackgerrit> A change was merged to openstack/keystone: Clean whitespace off token. https://review.openstack.org/113108
[05:55] <openstackgerrit> Ajaya Agrawal proposed a change to openstack/keystone: Implemented caching in identity layer. https://review.openstack.org/110575
[06:04] <openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/111920
[06:19] <openstackgerrit> Steve Martinelli proposed a change to openstack/keystone: Transform a Keystone token to a SAML assertion https://review.openstack.org/110542
[08:12] <openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Convert keystone CLI to use auth plugins https://review.openstack.org/95680
[08:12] <openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Allow unauthenticated discovery https://review.openstack.org/107570
[08:12] <openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Make keystoneclient use an adapter https://review.openstack.org/97681
[08:12] <openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Convert shell tests to requests-mock https://review.openstack.org/110210
[08:12] <openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Change unscoped token fallback to be session aware https://review.openstack.org/104771
[08:12] <openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Version independent plugins https://review.openstack.org/81147
[09:17] <openstackgerrit> Alexey Miroshkin proposed a change to openstack/keystone: Enable filtering of credentials by user ID https://review.openstack.org/113232
[10:23] <openstackgerrit> Jamie Lennox proposed a change to openstack/python-keystoneclient: Allow registering indeividual plugin CONF options https://review.openstack.org/113478
[14:19] <marekd> dolphm: what is a 'federated swift client' from Grizzly version?
[14:21] <openstackgerrit> Alexey Miroshkin proposed a change to openstack/keystone: Enable filtering of credentials by user ID https://review.openstack.org/113232
[14:28] <dolphm> stevemar: boop
[14:29] <dolphm> marekd: i have no idea
[14:29] <marekd> dolphm: ok i am responding to him in the bug comment
[14:29] <marekd> dolphm: as i cannot find any better place to contact him...
[14:30] <dolphm> marekd: i didn't know how else to contact him either
[14:30] <marekd> dolphm: sure.
[14:31] <dolphm> stevemar: beep
[14:32] <stevemar> dolphm, boop
[14:32] <dolphm> stevemar: bop!
[14:33] <dolphm> stevemar: openid connect https://blueprints.launchpad.net/keystone/+spec/openid-connect
[14:33] <stevemar> dolphm, oh joy
[14:33] <dolphm> stevemar: looks to be less important than k2k federation, and less started
[14:33] <dolphm> stevemar: bump to k or can you put it into review, like, yesterday?
[14:34] <stevemar> dolphm, yes, it should in theory just be using mod_openidc instead of mod_shib
[14:34] <stevemar> dolphm, i'm OK with punting to K, better check with henrynash though
[14:34] <dolphm> stevemar: feature proposal freeze is next week
[14:35] <marekd> dolphm: which means stuff must be passing jenkins tests and be in a 'reviewable' state, right?
[14:36] <dolphm> marekd: yes
[14:39] <stevemar> dolphm, it would also depend on the re-engineer federation thing from kent
[14:40] <marekd> stevemar: dolphm: they have been quiet recently :/
[14:40] <stevemar> dolphm, as mentioned here: http://specs.openstack.org/openstack/keystone-specs/specs/juno/openid-connect.html#dependencies
[14:41] <dolphm> stevemar: marekd: the linked review is merged, what's missing?
[14:41] <dolphm> oh, that's a spec
[14:41] <stevemar> that's a spec
[14:41] <dolphm> damn, and i'm not tracking that with a bp
[14:42] <stevemar> dolphm, `bp generic-mapping-federation11
[14:42] <stevemar> the actual code is here: https://review.openstack.org/#/c/105597/
[14:45] <stevemar> dolphm, fwiw, i've had a patch for this since I release :P
[14:45] <dolphm> stevemar: it's just set to WIP - do you know how close to being ready to review it is?
[14:45] <dolphm> stevemar: i know :(
[14:45] <stevemar> dolphm, i would need to re-work it for mod_auth_openidc, which i think i have in my dev env
[14:46] <stevemar> i specifically asked at the summit, if anyone wanted this, and there was silence
[14:46] <marekd> stevemar: oidc ?
[14:46] <stevemar> henry brought it up again, but not sure if he needs it for J or K
[14:47] <stevemar> we can bug him at the meeting i suppose
[14:47] <openstackgerrit> Steve Martinelli proposed a change to openstack/keystone: Add openID Connect auth plugin for federation https://review.openstack.org/61662
[14:49] <dolphm> stevemar: thanks ^
[14:50] <dolphm> stevemar: should that also be dependent on kristy's change?
[14:51] <stevemar> dolphm, i guess so
[14:52] <dolphm> an interesting look at all of the "starred" reviews in gerrit in keystone repos: http://pasteraw.com/ox2dzcet6u4bn0pw9tuqvbjvihvaqgv
[14:52] <dolphm> starred by *anyone*
[14:52] <dolphm> it took 4 hours of crawling the gerrit API to generate that lol
[14:53] <stevemar> i star a lot of things
[14:53] <bknudson> pretty short compared to the # of reviews
[14:53] <stevemar> star'ed and open?
[14:54] <dolphm> stevemar: yes
[14:54] <bknudson> I use star to mark something that I've reviewed.
[14:54] <dolphm> bknudson: yeah, my goal was to see if enough people were starring enough stuff to use it as a means of prioritizing reviews for other people
[14:54] <dolphm> bknudson: yeah, you had a bunch of stars :)
[14:54] <marekd> dolphm: i have starred this: https://review.openstack.org/#/c/110542/ and your list is missing. (+ I have some more reviews starred ofc)
[14:55] <dolphm> marekd: hmm, did you star it before yesterday?
[14:55] <stevemar> dolphm, i've had 'Add example script for oauth1 functions' starred for a looong time now, and it's not on the list :(
[14:55] <dolphm> marekd: i was wondering if i got a complete list of users - this is only based on users that have signed the individual CLA
[14:56] <dolphm> the full list of users is not public in gerrit
[14:56] <marekd> dolphm: did you put any constraints like: review cannot have -1 from Jenkins or so?
[14:56] <dstanek> dolphm: do you have the count of how many times those things got starred?
[14:56] <dolphm> marekd: nothing like that - only that the review be open
[14:56] <marekd> dolphm: ok, so something is not fully working...
[14:56] <dolphm> dstanek: yes- first column is number of stars http://pasteraw.com/47ggjka02kzabdgn1eqt9trbjb9l65d
[14:57] <dstanek> ah, nice
[15:04] <ajayaa> dolphm : https://bugs.launchpad.net/keystone/+bug/1321378. I was going through this bug. I think the problem is assignment_api.delete_user(user_id) is called individually in each driver with some additional logic.
[15:04] <uvirtbot> Launchpad bug 1321378 in keystone "keystone user-role-delete operation fails when user no longer exists in underlying catalog" [Medium,Triaged]
[15:05] <ajayaa> In kvs driver there is no implementation of assignment_api.delete_user(user_id) at all.
[15:06] <openstackgerrit> Marcos Fermín Lobo proposed a change to openstack/keystone: Keystone part of a PoC for Horizon/Keystone WebSSO https://review.openstack.org/106096
[15:06] <ajayaa> I think best way to solve this is to make a call to assignment_api.delete_user(user_id) in core.py with some exception handling.
[15:06] <dstanek> lbragstad: ping
[15:06] <lbragstad> dstanek: pong
[15:07] <dstanek> lbragstad: i was reading one of your comments in a review about the LDAP live tests - did you ever find the env var to make them run?
[15:07] <lbragstad> dstanek: this change? https://review.openstack.org/#/c/76002/19
[15:08] <dstanek> lbragstad: no, i'll see if i can find it again. it was one of the two about running the live tests.
[15:09] <lbragstad> dstanek: ok
[15:09] <dstanek> lbragstad: i think you had mentioned that you couldn't reproduce the failure and i think that was because the tests are skipped by default
[15:10] <lbragstad> dstanek: oh, right
[15:10] <dstanek> lbragstad: https://review.openstack.org/#/c/94668/
[15:10] <lbragstad> yeah I *think* I remember that
[15:11] <dstanek> lbragstad: in case you didn't look into it anymore: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/tests/test_ldap_livetest.py#n45
[15:11] <lbragstad> dstanek: perfect
[15:11] <lbragstad> dstanek: I can give that a shot
[15:12] <lbragstad> I'll put it on my queue for today
[15:15] <openstackgerrit> Marek Denis proposed a change to openstack/keystone: Transform a Keystone token to a SAML assertion https://review.openstack.org/110542
[15:15] <dstanek> lbragstad: i spent a fair amount of time yesterday fighting with ldap - was not a great day
[15:15] <lbragstad> dstanek: lol
[15:16] <dolphm> ajayaa: yeah, we need to get rid of the KVS backend for that reason (and similar ones)
[15:16] <lbragstad> dstanek: that reminds me that I have to get back to your commit and roll them into the jsonschema stuff
[15:17] <ajayaa> dolphm, That would just be deleting it from backend and document it.
[15:17] <ajayaa> or remove the documentation if present.
[15:17] <dstanek> lbragstad: i'm planning on fixing a bunch of the other jsd things today :-) it's on my list - currently 4th in the queue
[15:18] <ajayaa> dolphm, I would be happy to volunteer. :)
[15:18] <lbragstad> dstanek: awesome, hopefully by the time I get some stuff off my plate and I get to that after you push your fixes to jsd
[15:18] <dolphm> ajayaa: volunteer to do which part? lol
[15:19] <dolphm> ayoung: sounds like a critical in pkiz to me https://bugs.launchpad.net/keystone/+bug/1355125
[15:19] <uvirtbot> Launchpad bug 1355125 in keystonemiddleware "keystonemiddleware appears not to hash PKIZ tokens" [Critical,Triaged]
[15:19] <ayoung> dolphm, looking
[15:19] <ajayaa> deleting the file obv :)
[15:19] <dolphm> ayoung: i'm assuming that's only a bug either in auth_token or in keystone - know which side of the fence it's on?
[15:19] <ayoung> auth token
[15:19] <dolphm> ajayaa: lol we can't just delete it... wrapping it with the oslo deprecator is about the best we can do
[15:19] <ayoung> dolphm, its only testing is_asn1
[15:20] <dolphm> ajayaa: have to inform people that we're dropping it before we do, in case someone wants to volunteer support
[15:20] <ayoung> must have not made the transfer over from keystoneclient...
[15:21] <stevemar> dstanek, thanks for the review on adding url field to regions
[15:21] <ajayaa> dolphm, okay. What about that bug? Would it need still fixing? I guess, yes.
[15:22] <dolphm> ajayaa: i think so, yes
[15:23] <ajayaa> dolphm, Thanks! I have some code to get reviewed. If you have time, please have a look.
[15:24] <dolphm> ajayaa: we all do :(
[15:27] <dolphm> on the upside, the gate is having a 92% merge rate today :D better than ~46% yesterday
[15:28] <dstanek> stevemar: either i am under caffeinated or something is wrong in https://review.openstack.org/#/c/113378
[15:28] <openstackgerrit> Marek Denis proposed a change to openstack/keystone: Transform a Keystone token to a SAML assertion https://review.openstack.org/110542
[15:29] <dstanek> ajayaa: did you get any more opinions on the timeout issue we talked about yesterday?
[15:29] <stevemar> dstanek, i thought so too, but jenkins and my own dev env seemed happy
[15:32] <dstanek> stevemar: wow, i did not know that Python would create a local name for x if you do 'import x.y'
[15:32] <dstanek> it makes sense, but i never thought of it that way
[15:32] <stevemar> dstanek, that was my guess
[15:33] <stevemar> dstanek, file a bug under to enhance our pep8 tests :P
[15:37] <ajayaa> dstanek, nope. morganfainberg had same opinion as you. We would invalidate the cache time to time. By reading the dogpilecache documentation it seems that you can still retrieve an expired key.
[15:38] <dstanek> Who would invalidate the cache from time to time?
[15:38] <dstanek> ajayaa: ^
[15:39] <dolphm> dstanek: i assume the intent was to have expiring cache values, not someone bouncing memcache or whatever
[15:40] <ajayaa> We would. If the user has not explicitly set a cache_time value, we would set some sensible default value.
[15:40] <dstanek> dolphm: the code as written will cache forever which would be bad
[15:40] <ajayaa> dolphm: ++
[15:40] <dolphm> dstanek: also, your import x.y thing just blew my mind
[15:40] <dolphm> dstanek: yeah, that would be bad
[15:41] <ajayaa> dstanek, I will change it to have some default value if the user has not provided one. :)
[15:42] <dolphm> dstanek: also, line breaks by me: http://pasteraw.com/9cxomlke8ztrpa353bus8rw3v41378c
[15:42] <dolphm> stevemar: ^
[15:45] <dstanek> ajayaa: i just added it to today's meeting agenda to see if anyone has any strong opinions on what a default should be
[15:45] <ajayaa> dstanek, cool. Thanks.
[15:48] <dolphm> dstanek: do we not already have default cache timeouts in other places?
[15:50] <dolphm> oh weird... all the cache_times are null by default ?!
[15:50] <dstanek> dolphm: not that i know of - it looks like assignment and catalog would currently cache forever if left to the defaults
[15:50] <dolphm> that's no good
[15:50] <dolphm> we should definitely have a default!
[15:50] <morganfainberg> dolphm, yeah i noticed that we were missing a default in a couple places
[15:50] <morganfainberg> dolphm when reviewing that code
[15:51] <dolphm> dstanek: put a patch up with a reasonable value before the meeting :)
[15:52] <dstanek> dolphm: writing up a bug now - that's my next step :-)
[15:53] <morganfainberg> dolphm, i might be a few minutes late to the meeting today
[15:53] <morganfainberg> dolphm, my topic is just we should cleanup / plan on abandoning patches that aren't relevant with a comment (since auto-expire doesn't happen)
[15:54] <morganfainberg> dolphm, it'll help us keep eyes on the important stuff.
[15:54] <morganfainberg> dolphm, and any patch can be restored as needed
[15:54] <dolphm> morganfainberg: ++
[15:56] <ayoung> dolphm, you want to finish the discussion on default token format? I'm only going to be able to make it to the first half of the meeting, and I realize it has the potential to take over the discussion.
[16:04] <ayoung> dolphm, if you want to table it, that is fine, too.
[16:04] <dolphm> ayoung: that's not on the agenda?
[16:04] <ayoung> Nah, too many weeks ago
[16:04] <dolphm> ayoung: i don't know if we need to spend more meeting time on it anyway
[16:06] <ayoung> dolphm, just setting the default in Keystone is not really going to affect anything. It is the puppet modules that really determine what people get in production. We just need to plan out what steps we are going to take before moving.
[16:06] <ayoung> For instance, people are going to ask about time frame
[16:07] <ayoung> I do suspect that it will have the opposite effect from what you want. I think you are trying to simplify things, and I am sympathetic, but I think it will actually cause more churn
[16:08] <ayoung> So, before we make UUID the defaults, we need to have a plan.
*** joesavak has quit IRC16:08
ayoungBut we don't need to take up any more meeting time.  If you have a feel for how you want it to play out, send it out in an email.16:09
dolphmayoung: the defaults in keystone represent our recommendation for reasonable defaults that other deployments should be running. PKI is not and has never been a reasonable production choice. i don't think there's much to discuss beyond that.16:09
ayoungdolphm, do you foresee it being a reasonable production choice in the future?16:09
*** vhoward has joined #openstack-keystone16:10
dolphmayoung: as of today, i care about what we're shipping in juno16:11
*** ajayaa has quit IRC16:12
dolphmayoung: as for the stability argument, we have a PKI bug tag https://bugs.launchpad.net/keystone/+bugs?field.tag=pki and nothing open for uuid, afaik16:12
*** bvandenh has quit IRC16:14
ayoungdolphm, do you want to stop pursuing the PKI approach altogether?16:15
ayoungdolphm, if you were planning on dropping PKI support, I would not have bothered with the effort for revocation events.  I'd just like to get a sense of what direction you are trying to point us.16:19
openstackgerritSalvatore Pinto proposed a change to openstack/python-keystoneclient: Add HTTP_X_AUTH_URI variable for use by the OpenStack service  https://review.openstack.org/11357916:26
ayoungmorganfainberg, does pycharm know about venvs?  I have the python interpreter set to .tox/py27/bin/python2.7  but that doesn't seem to resolve PYTHON_PATH properly.16:34
*** chandankumar has quit IRC16:36
dstanekayoung: i have not used it, but i thought you could tell it where your projects venv was located16:40
dstanekayoung: or you can activate in a shell and start pycharm from that shell and see if it works16:40
ayoungdstanek, It seems to think it has a venv, and it reports one, but running ./setup.py testr   fails on import of iso860116:41
ayoungIf I activate the venv from the shell and run16:41
ayoung python ./setup.py testr  it succeeds16:41
ayoungif I don't activate the venv, it fails in the same way:16:41
ayoung.tox/py27/bin/python2.7 ./setup.py testr16:41
ayoung/usr/bin/python: cannot import name iso860116:41
ayoungmaybe setup.py is returning python and picking it up from the global env, not local16:42
wwriverrat1ayoung, I typically create my venv manually via command line. When I fire up pycharm against it, I point my interpreter at the local project's venv.16:42
ayoungwwriverrat1, how do you run tests?16:43
ayoungpycharm wants to use Nose for them16:43
wwriverrat1I run nose against them16:43
dstanekayoung: i always install nose into our venvs - not a testr fan at all16:43
ayoungbut that is not in our venvs, and manually adding nose seems to make the venvs not then work for command line.16:43
dstaneki only use testr right before i push16:43
dstanekyou can't tdd with testr16:43
ayoungdstanek, why not?16:44
dstanekit's way too slow - the first thing it does is scan everything to find all possible tests - even when i just want to run a single module's tests16:45
*** amerine has joined #openstack-keystone16:50
openstackgerritDavid Stanek proposed a change to openstack/keystone: Updates the sample config  https://review.openstack.org/11358516:51
openstackgerritDavid Stanek proposed a change to openstack/keystone: Sets a default timeout for cached data  https://review.openstack.org/11358616:51
openstackgerritDavid Stanek proposed a change to openstack/keystone: Sets a default timeout for cached data  https://review.openstack.org/11358616:52
*** joesavak has joined #openstack-keystone17:01
marekdeverybody already on -meet?17:02
openstackgerrithenry-nash proposed a change to openstack/keystone-specs: Endpoint policy extension  https://review.openstack.org/9984217:02
dstanekmarekd: i think you are a little early17:03
marekddstanek: oh, meen17:04
*** henrynash has joined #openstack-keystone17:04
*** henrynash has quit IRC17:04
grantbowearly by one hour I think http://www.timeanddate.com/worldclock/17:05
marekdgrantbow: yeah :-)17:05
marekdhow can i access the config options from within my python interpreter/debugger. For instance in the code there is something like CONF = config.CONF ; CONF.federation.assertion_prefix. But doing so from my interpreter (under virtualenv) raises an exception oslo.config.cfg.NoSuchOptError17:07
marekdwhat am i doing wrong?17:07
dstanekmarekd: import keystone.common.config to register the options17:09
dolphmayoung: not looking to drop pki, i'd like to see it become a viable option. in the mean time, we just need to better communicate our stable, recommended defaults17:11
marekddstanek: hm17:11
marekdbut from within the code it raises same excp.17:11
ayoungdolphm, Understood.17:12
marekddstanek: for instance here: https://review.openstack.org/#/c/110542/6/keystone/contrib/federation/samlgen.py lines 26 and later ~330.17:16
marekddo i use it all correctly?17:16
*** hrybacki has quit IRC17:17
*** andreaf_ has quit IRC17:17
*** andreaf_ has joined #openstack-keystone17:17
dstanekmarekd: how is that code being called? a new command line app?17:18
marekddstanek: http://paste.openstack.org/show/93967/17:19
dstanekmarekd: here is a simple example that should work http://paste.openstack.org/show/93966/17:19
dstanekmarekd: you are not actually registering the options - import config and call config.configure()17:19
*** andreaf has joined #openstack-keystone17:20
marekddstanek: allright, I was simply copying the behaviour from https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/utils.py17:20
dstanekmarekd: keystone-all example http://git.openstack.org/cgit/openstack/keystone/tree/bin/keystone-all#n11517:20
*** ajayaa has joined #openstack-keystone17:20
dstanekmarekd: that works because it gets called in a process that has already called configure at some point17:21
marekddstanek: ok17:21
*** amerine has quit IRC17:21
marekddstanek: what conf file shall i change to setup my own values  (inside the virtualenv)17:22
marekddstanek: something around keystone/etc/keystone.conf ?17:22
*** andreaf_ has quit IRC17:22
marekdi think this will not be /etc/keystone.conf?17:22
dstanekwhat are you trying to do? tests?17:22
marekddstanek: no, make a simple wrapper and actually use this class17:23
marekdi need to generate an assertion and don't want tests atm.17:23
dstanekmarekd: in your own scripts this is how you would specify config files to use https://github.com/openstack/keystone/blob/master/bin/keystone-all#L11917:24
marekddstanek: where config_files is a path to actual keystone.conf, right?17:27
dstanekmarekd: if that's where you want to make your changes yes - you could copy the sample, hack it for what you are doing and then specify it17:28
marekddstanek: ok, thanks.17:29
*** gyee has joined #openstack-keystone17:31
*** stevemar has quit IRC17:34
*** gyee has quit IRC17:34
openstackgerritA change was merged to openstack/keystone: Change V3 router classes to use resources  https://review.openstack.org/11156917:39
*** jsavak has joined #openstack-keystone17:45
openstackgerritA change was merged to openstack/keystone: V3 Extension class  https://review.openstack.org/11157017:47
*** joesavak has quit IRC17:49
*** jsavak has quit IRC17:49
*** joesavak has joined #openstack-keystone17:49
*** spandhe_ has joined #openstack-keystone17:50
*** andrewss has joined #openstack-keystone17:51
andrewsshello - i was wondering if anyone has any experience decoding the keystone token in Java?  or would this be better suited for the 'ask' forum ?17:51
*** gyee has joined #openstack-keystone17:56
*** jsavak has joined #openstack-keystone17:58
marekddolphm: normally when you configure federation, you can specify an IdP's url with its metadata - something like https://idp.testshib.org/idp/shibboleth . A route /v3/OS-FEDERATION/idp exposing pretty much the same thing  is also acceptable?17:58
dolphmajayaa: the commit message on review 107194 indicates it's only a partial fix - what was missing at the time, and why is that now sufficient to close https://bugs.launchpad.net/keystone/+bug/1294737 ?17:59
uvirtbotLaunchpad bug 1294737 in keystone "Disable domain doesn't remove domain scoped tokens" [Medium,Fix committed]17:59
dolphmmarekd: that sounds fine18:00
marekddolphm: allrighty.18:00
*** joesavak has quit IRC18:00
*** topol has joined #openstack-keystone18:00
dolphmmarekd: amend the spec?18:00
dolphmmarekd: err, api doc?18:00
marekdi think so.18:01
*** jsavak has quit IRC18:02
*** abhishekk has joined #openstack-keystone18:04
*** amirosh has joined #openstack-keystone18:05
*** jamielennox|away is now known as jamielennox18:06
openstackgerritMarek Denis proposed a change to openstack/keystone: Transform a Keystone token to a SAML assertion  https://review.openstack.org/11054218:12
*** jaosorior has quit IRC18:12
ayoungI think that might be a mistake18:12
marekdayoung: what?18:13
ayoung Transform a Keystone token to a SAML assertion18:13
ayoungmarekd, we can talk about it later,18:13
morganfainbergayoung, that is the K2K stuff, SAML (idp originated) was what we decided on at the hackathon.18:14
morganfainbergayoung, but tabled till later (post meeting)18:14
*** rushiagr is now known as rushiagr_away18:15
ayoungmorganfainberg, yeah.  I need to disappear for about an hour,  in 15 minutes.18:15
morganfainbergayoung, sure, but i think this one made the most sense post hackathon (in reality) - when you're back lets discuss but lets not hold things up unless we have a really good reason to18:17
ayoungmorganfainberg, agreed.18:17
*** stevemar has joined #openstack-keystone18:21
*** spandhe_ has quit IRC18:31
*** ayoung has quit IRC18:36
*** spandhe_ has joined #openstack-keystone18:36
*** gokrokve_ has joined #openstack-keystone18:38
*** gokrokve has quit IRC18:41
*** gokrokve_ has quit IRC18:43
abhishekkdstanek:hi, you there?18:47
*** abhishekk has quit IRC18:52
*** gokrokve has joined #openstack-keystone18:52
openstackgerritAlexey Miroshkin proposed a change to openstack/keystone: Enable filtering of credentials by user ID  https://review.openstack.org/11323218:55
jamielennoxgyee: what do you want me to do with https://review.openstack.org/#/c/104771/16 ? it's kind of ugly for sure but i don't know if there's a way to make it better and it's needed before i can do session stuff from the CLI18:57
jamielennoxit's at the head of a 6 or so long patch series18:58
*** spandhe_ has quit IRC18:58
gyeejamielennox, we need to rethink fundamentally how we handle endpoints, especially with federation into the picture19:00
gyeejamielennox, how do you envision the flow for federation?19:01
*** spandhe_ has joined #openstack-keystone19:01
jamielennoxgyee: in general or related to that patch?19:01
gyeeone auth_url for IdP and another for Keystone?19:01
gyeebut 3rd party IdP doesn't know anything about Keystone19:02
jamielennoxgyee: ideally we'd want some sort of lookup flow where you query available idps and go to those links - but i'm not sure what you're asking19:02
openstackgerritA change was merged to openstack/keystone-specs: Update JSON Home for docs location  https://review.openstack.org/11341319:03
jamielennoxthe problem for now is that in the case of an unscoped token if you want to do things like list available projects you have to use the AUTH_URL19:03
gyeejamielennox, say I am a federated user, how do I go about authenticating to my IdP, get the saml2 assertion, then take that assertion to Keystone in exchange for a token?19:03
gyeedo it all from CLI19:03
jamielennoxthere's a great big plugin in ksc that handles the interaction19:04
jamielennoxit takes a lot of parameters that i would like to have been discoverable but it apparently works for now19:04
marekdgyee: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/contrib/auth/v3/saml2.py19:05
marekdgyee: https://gist.github.com/zaccone/509136cfa1c4efca692619:06
jamielennoxas we add more plugins i think parts of that will be common and get refactored19:06
gyeeso there are two endpoints19:06
marekdstevemar: something is signing the assertion19:06
marekdstevemar: but i cannot make one thing19:07
morganfainbergbknudson, dolphm, do we have revocation events enabled by default?19:07
bknudsonmorganfainberg: I believe they are... I think it's just in the pipeline19:07
stevemarmarekd, oh?19:07
morganfainbergdolphm, bknudson, i think revocation events are getting in the way of https://review.openstack.org/#/c/113429/ *again*19:07
bknudsonmorganfainberg: http://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone-paste.ini#n8819:08
bknudsonmorganfainberg: it's the revocation list that can be disabled... that's also enabled by default.19:08
marekdThere should be <Assertion  ID=<hash> > and later <Reference URI="#<hash>" to indicate that assertion should be signed19:08
dolphmmorganfainberg: yes and how?19:08
gyeejamielennox, so either that hack or catalog for unscoped token?19:08
marekdstevemar: ^^19:08
morganfainbergdolphm, bknudson, basically... they cause weird token behavior (in part due to limited resolution on expiry)19:08
marekdstevemar: I don't know if its crucial, but i cannot make it work with those ids :-)00000000019:08
dolphmmorganfainberg: oh that19:08
dolphmmorganfainberg: bknudson had the best fix for that19:08
jamielennoxgyee: we'll need to carry the hack anyway, but a catalog would be nice here19:08
morganfainbergdolphm, basically. i think we can't enable them w/o all sorts of edge cases :(19:09
marekdstevemar: see the patch: https://review.openstack.org/#/c/110542/19:09
jamielennoxgyee: it's not pretty but it's actually better than the existing code IMO19:09
bknudsondolphm: I think morganfainberg is complaining about my "fix"19:09
gyeejamielennox, alrighty then, lgtm19:09
morganfainbergbknudson, i am, but not because your fix is wrong19:09
gyeejamielennox, but Jenkins doesn't seem happy on that one19:09
morganfainbergbknudson, because revocation events are doing something bad in this case. the chain-revoke (child tokens revoked) and parent tokens revoked when child tokens are revoked is just bad19:10
gyeenm, you rechecked it19:10
dolphmmorganfainberg: equally scoped tokens? or differently scoped tokens?19:11
jamielennoxgyee: yea, it's transient19:11
bknudsonmorganfainberg: are you saying that the "fix" introduced a transient failure?19:11
dolphmmorganfainberg: differently scoped tokens should not be revoked - that was specifically discussed in the HK summit19:11
gyeejamielennox, I think we may need a test or two on that change19:11
bknudsondolphm: revoking an unscoped token revokes the scoped tokens.19:11
morganfainbergbknudson, not too transient, but yes, i'm trying to fix things to always be checked against revocations (everything goes through the provider)19:12
*** marekd is now known as marekd|away19:12
morganfainbergbknudson, dolphm, also revoking the scoped token revokes the unscoped token19:12
bknudsonmorganfainberg: no, it shouldn't work that way19:12
morganfainbergbknudson, it does it based on expiration time19:12
morganfainbergbknudson, in revocation events19:12
morganfainbergbknudson, the expiration time is the same for both tokens19:12
bknudsonthe revocation event should have the scope of the token19:12
jamielennoxgyee: the auht_interface one?19:13
*** amirosh has quit IRC19:13
bknudsonand it shouldn't match the scope of an unscoped token19:13
gyeejamielennox, this one https://review.openstack.org/#/c/104771/1619:13
morganfainbergbknudson, the other issue is what happens if you have a scoped token, get another scoped token, then revoke the first token19:13
*** amirosh has joined #openstack-keystone19:13
morganfainbergbknudson, does it chain revoke?19:13
bknudsonmorganfainberg: no, it doesn't19:13
jamielennoxgyee: it's fairly well tested already, and there were a couple of reviews that got lost in the rebase that already merged to test the changeover in behaviour - let me look19:13
morganfainbergbknudson, something wonky is going on still19:14
bknudsonmorganfainberg: y, if that's happening then there's something wonky going on19:14
jamielennoxgyee: https://review.openstack.org/#/c/104767/19:14
bknudsonmorganfainberg: add a test19:14
jamielennoxgyee: ah, not that one19:14
morganfainbergbknudson, well that is how it used to work. unless you changed that, it's still how rev events work19:15
morganfainbergbknudson, when you revoke a token by id, it issues a revocation based on expiration time only19:15
bknudsonmorganfainberg: well, nothing worked when using sqlite db19:15
bknudsonmorganfainberg: y, that's what it used to do19:15
bknudsonmorganfainberg: https://review.openstack.org/#/c/109389/19:17
morganfainbergbknudson, maybe this is two unscoped tokens being issued in rapid succession19:17
morganfainbergbknudson, and revoking one is causing the other to be revoked?19:17
bknudsonmorganfainberg: those would both be revoked19:17
gyeejamielennox, i need to step out for an hour, if you can drop a note in the commit msg indicating it's been tested elsewhere that should be fine19:17
*** amirosh has quit IRC19:18
morganfainberghm. but that doesn't make sense with the error i'm seeing, i'm seeing an issue deleting a tenant, invalid token19:18
bknudsonmorganfainberg: even if it was based on a millisecond timestamp they could get the same time.19:18
jamielennoxgyee: will do19:18
bknudsonjust depends on how fast your computer is19:18
dolphmajayaa: don't know if you responded earlier (was in the keystone meeting), but just noticed you updated the status on that bug. thanks!19:18
morganfainbergbknudson, this is a tempest test.19:18
jamielennoxgyee: found one https://review.openstack.org/#/c/104770/19:19
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Change unscoped token fallback to be session aware  https://review.openstack.org/10477119:20
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Change unscoped token fallback to be session aware  https://review.openstack.org/10477119:20
morganfainbergbknudson oh. uh.19:21
morganfainbergbknudson, nvm i think i know what it is.19:21
morganfainbergoh wait no this should be far wider spread if its that issue... hmm19:22
*** stevemar has quit IRC19:22
bknudsonmorganfainberg: I can imagine tempest getting messed up when its tokens get revoked unexpectedly19:25
bknudsonfor example if it's running in parallel and it gets 2 tokens for admin user19:25
bknudsonbut I don't think that tempest invalidates its tokens?19:25
*** gokrokve has quit IRC19:26
*** stevemar has joined #openstack-keystone19:34
stevemarmarekd|away, thanks for the info, i'll take a look19:36
*** ayoung has joined #openstack-keystone19:46
*** david-lyle has quit IRC19:49
*** david-lyle has joined #openstack-keystone19:49
*** david-ly_ has joined #openstack-keystone19:52
*** david-lyle has quit IRC19:53
*** gokrokve has joined #openstack-keystone19:57
*** stevemar has quit IRC20:03
*** ajayaa has quit IRC20:07
*** andreaf has quit IRC20:10
openstackgerritBrant Knudson proposed a change to openstack/keystone: Change V3 router classes to provide JSON Home data  https://review.openstack.org/11157620:11
openstackgerritBrant Knudson proposed a change to openstack/keystone: Enhance V3 extensions to provide JSON Home data  https://review.openstack.org/10398320:11
openstackgerritBrant Knudson proposed a change to openstack/keystone: Change the sub-routers to provide JSON Home data  https://review.openstack.org/11157720:11
openstackgerritBrant Knudson proposed a change to openstack/keystone: Change OS-INHERIT extension to provide JSON Home data  https://review.openstack.org/11157820:11
openstackgerritBrant Knudson proposed a change to openstack/keystone: Enhance V3 extension class to integrate JSON Home data  https://review.openstack.org/11157920:11
*** andreaf has joined #openstack-keystone20:12
openstackgerritRaildo Mascena de Sousa Filho proposed a change to openstack/keystone-specs: Hierarchical Multitenacy  https://review.openstack.org/10101720:17
*** andreaf_ has joined #openstack-keystone20:23
*** andreaf has quit IRC20:26
*** amcrn has joined #openstack-keystone20:28
*** stevemar has joined #openstack-keystone20:44
openstackgerritBrant Knudson proposed a change to openstack/keystone: Change V3 router classes to provide JSON Home data  https://review.openstack.org/11157620:52
openstackgerritBrant Knudson proposed a change to openstack/keystone: Enhance V3 extensions to provide JSON Home data  https://review.openstack.org/10398320:52
openstackgerritBrant Knudson proposed a change to openstack/keystone: Change the sub-routers to provide JSON Home data  https://review.openstack.org/11157720:52
openstackgerritBrant Knudson proposed a change to openstack/keystone: Change OS-INHERIT extension to provide JSON Home data  https://review.openstack.org/11157820:52
openstackgerritBrant Knudson proposed a change to openstack/keystone: Enhance V3 extension class to integrate JSON Home data  https://review.openstack.org/11157920:52
*** jasondotstar has quit IRC21:06
morganfainbergbknudson, in this case it's explicitly deleting a token, so it is invalidating the token :(21:06
bknudsonmorganfainberg: that's going to be dangerous now...21:07
morganfainbergbknudson, yeah digging into the test specifically to figure out *why*21:07
morganfainbergbknudson, it might be a side effect of a tenant delete21:08
morganfainbergor.. no.. wtf.21:08
bknudsonmorganfainberg: I don't know what the correct fix might be... make tempest tolerant to having its tokens revoked?21:08
morganfainbergbknudson, http://logs.openstack.org/29/113429/4/check/check-tempest-dsvm-postgres-full/c20a3d2/logs/screen-key.txt.gz#_2014-08-12_05_11_25_327 is where i'm seeing21:08
bknudsonif we want keystone to have a very short token expiration then clients will have to handle that anyways21:08
morganfainbergand one of those following invalid token lines is where i'm failing tempest21:08
morganfainbergbknudson, yeah21:08
bknudsonmorganfainberg: it's trying to invalidate a token and it's already invalid.21:10
morganfainbergthe failure is in setupclass following that as well21:10
bknudsonmorganfainberg: doesn't seem like tempest should fail if it's already doing what it wanted to do.21:10
morganfainbergbknudson, http://logs.openstack.org/29/113429/4/check/check-tempest-dsvm-postgres-full/c20a3d2/console.html#_2014-08-12_05_11_25_54521:10
bknudsonmorganfainberg: I probably meant to bring this up at a meeting and forgot it, but we do have to decide if revoking by timestamp is the right thing to do.21:11
morganfainbergbknudson, i think it clearly is not the right thing to do.21:12
bknudsonit's too similar to trying to compare floating point numbers for equivalency21:12
bknudsonwhich is evil21:12
bknudsonbut the alternative is to have what is essentially a revocation list21:12
morganfainbergbknudson, we might *want* to put a non-token-id unique string in the token data that we can use to revoke on.21:12
morganfainbergbknudson, some data that can't be used for auth, but could also be maintained in unscoped->scoped transition (for parent token information)21:13
morganfainbergmaybe just uuid.uuid4? (i hate putting random crap in tokens, but....)21:13
bknudsonmorganfainberg: I think that would work21:14
bknudsonbut then as you say it's more crap in the token21:14
morganfainbergbknudson, it's not a hard change. i can propose that, fix revocation events to use that instead expires, then layer my changes on top. I *bet* that is really what we need, some uuid or such as a "unique token chain identifier"21:14
morganfainbergbknudson, but without a change i think revocation events might be effectively doa.21:15
bknudsonmorganfainberg: you think that revoking other tokens is going to be too painful? this seems like something that clients really have to handle already anyways.21:16
bknudsonclients have to handle their token becoming invalid at unexpected times21:16
*** radez is now known as radez_g0n321:17
morganfainbergbknudson, i think that we'll get a lot of "my token wasn't expired but it ended up revoked and i *know* it wasn't supposed to be revoked" complaints21:17
bknudsondue to other potential changes, such as a user being disabled or password change.21:17
morganfainbergbknudson, especially if we run in revoke-by-id compatible mode (and people revoke specific tokens not "classes" of tokens, e.g. by user_id)21:18
bknudsonthen they can fix their app correctly or disable revocation events21:18
morganfainbergbknudson, sure, doesn't mean we won't have to continuously tell people "go fix your app"21:18
bknudsonanyway I'm just playing devil's advocate...21:18
morganfainbergbknudson, sure, i'm fine with that. i'd rather have someone point out the flaws than just agreeing21:19
bknudsonif we can come up with something that works more like someone would expect then let's21:19
morganfainbergbknudson, i think the *easiest* is to put some unique-id in the token (not a hash, but a random id) that persists on the token chain21:19
bknudsondo we have to keep the entire chain in the token?21:20
morganfainbergbknudson, nah, only the unique id i think21:20
openstackgerritA change was merged to openstack/keystone: remove unused import  https://review.openstack.org/11337821:20
morganfainbergbknudson, it should isolate any revocations to a specific chain (and with your fix chain + scope unless it's trying to revoke the chain)21:20
morganfainbergno bleed because extra data matched (e.g. expires and project scope)21:21
bknudsonmorganfainberg: so it'll still hit extra tokens just not outside the chain21:21
morganfainbergfor two unrelated tokens21:21
morganfainbergbknudson, it *can* hit extra tokens if you want to revoke the whole chain. i think with your fix it wouldn't unless you went unscoped -> scoped(project X), then unscoped -> scoped(project X), and revoked one of the project X tokens21:22
morganfainbergthen both project X tokens would be revoked.21:22
bknudsonmorganfainberg: right... tempest probably doesn't do that21:22
morganfainbergbknudson, i *hope* tempest isn't doing that. it would be silly21:22
* morganfainberg is looking at the code and it *shouldn't* be doing that with isolated creds.21:22
*** amerine has joined #openstack-keystone21:23
morganfainbergunless... setupClass is only run once.21:23
morganfainbergoh. maybe it is.21:23
morganfainbergcrap it's that they're using setupClass21:25
morganfainbergnot just setUp21:25
bknudsonmorganfainberg: y, they need to do so much setup that it would take forever if it was per test21:25
morganfainbergbknudson, which means if anything revokes the token, and it hits revocation events, they'll 401 where previously it would be fine21:26
bknudsonmorganfainberg: I wouldn't assume it would work fine before since the token could have been revoked for other reasons, or expired21:27
morganfainbergsomething it looks like is doing an explicit delete on the token is where i think we're stumbling21:27
bknudsonmorganfainberg: I wrote a test that verifies deleting a token works as expected.21:28
bknudsonI don't think that operation was even available before I added it.21:28
bknudsonmorganfainberg: no, in the tempest client reimplementation21:28
*** nkinder has quit IRC21:28
bknudsonwell, I know I added functions to get a scoped token from an unscoped one.21:29
bknudsonmaybe revoke token was already there21:29
bknudsonI'm going to head home and will be back online when I get there.21:31
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Convert shell tests to requests-mock  https://review.openstack.org/11021021:31
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Make keystoneclient use an adapter  https://review.openstack.org/9768121:32
*** topol has quit IRC21:34
*** bknudson has quit IRC21:35
*** andrewss has quit IRC21:38
* morganfainberg goes and sets up a devstack to run tempest in...21:41
*** jorge_munoz has quit IRC21:41
*** amerine has quit IRC21:42
*** amerine has joined #openstack-keystone21:43
dolphmwell that shut him up http://i.imgur.com/fsMJQmz.png cc- stevemar21:46
stevemardolphm, hehe21:47
stevemaror he had to pick up children or something21:47
stevemardolphm, xml is a standard library in python? neat.21:51
jamielennoxgyee: https://review.openstack.org/#/c/104771/21:52
stevemardolphm, oh btw ... did we end up deciding if a federation token user section should have a domain?21:54
jamielennoxstevemar: an idp id from memory21:55
stevemarjamielennox, i remember the options were idp id, 'federated' dummy value, or fix clients/revoke/token model21:55
stevemardon't remember what we decided, moreover, if we decided21:55
jamielennoxstevemar: these 'fixes' are a wonderful idea, somehow we always seem to end up hacking something21:56
stevemarjamielennox, sadly it happens too often :(21:56
*** rkofman has joined #openstack-keystone21:56
dolphmstevemar: etree?22:01
stevemardolphm, yes22:02
dolphmstevemar: etree is an api - there's no standard implementation in python22:02
dolphmstevemar: lxml provides an etree implementation22:02
dolphmunless that changed recently / is changing22:02
*** bknudson1 has joined #openstack-keystone22:02
stevemardolphm, maybe i'm wrong22:07
* stevemar shrugs22:08
stevemardolphm, doing the spec for role assignment notifications now, blah22:08
*** gordc has quit IRC22:10
*** cjellick_ has joined #openstack-keystone22:10
*** cjellick has quit IRC22:13
*** cjellick_ has quit IRC22:14
openstackgerritSteve Martinelli proposed a change to openstack/keystone-specs: Move openID Connect support to Kilo release  https://review.openstack.org/11366622:16
stevemardolphm, ^22:16
dolphmstevemar: tempted to just approve that since it's just procedural22:17
dolphmstevemar: but +222:17
stevemardolphm, please wait til henry has voiced his opinion22:17
dolphmstevemar: oh ++22:17
*** amerine has quit IRC22:22
openstackgerritSteve Martinelli proposed a change to openstack/keystone-specs: Role assignment notifications  https://review.openstack.org/11366922:36
stevemardolphm, and last one for today... ^22:36
dolphmstevemar: woot!22:36
stevemardolphm, you'll get the real joy of being PTL for the next month or so :P22:37
dolphmstevemar: it feels like we just released icehouse yesterday22:38
*** david-ly_ is now known as david-lyle22:41
*** cjellick has joined #openstack-keystone22:41
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: DO NOT MERGE - DEBUGGING CHECK SPECIFIC FAILURE  https://review.openstack.org/11367022:42
* morganfainberg grumbles about being unable to debug a check failure locally 22:42
dolphmmorganfainberg: +222:44
morganfainbergoh is zuul down...22:44
stevemarlol @ morganfainberg very specific instructions22:45
stevemarDO NOT MERGE22:45
stevemarwe should totally merge it22:46
* morganfainberg is elbow deep in revocation events and can't duplicate this tempest failure...22:46
morganfainbergsomething stupid is happening :(22:46
* morganfainberg greatly dislikes the tree search thing.22:47
morganfainbergstevemar, i don't think it'll pass check :P22:49
stevemarmorganfainberg, screw that, i'm merging it anyway22:49
*** cjellick has quit IRC22:50
*** gokrokve_ has joined #openstack-keystone22:52
*** gokrokve has quit IRC22:56
openstackgerritSteve Martinelli proposed a change to openstack/keystone-specs: Role assignment notifications  https://review.openstack.org/11366923:07
shufflebotkeystone server in icehouse can failover to sql over ldap without the custom hybrid driver correct?23:12
openstackgerritBob Thyne proposed a change to openstack/keystone-specs: Endpoint policy extension  https://review.openstack.org/9984223:17
*** diegows has quit IRC23:26
bknudson1jamielennox: got a minute?23:31
jamielennoxbknudson1: of course23:31
bknudson1jamielennox: http://git.openstack.org/cgit/openstack/nova/tree/nova/network/neutronv2/__init__.py#n4123:32
bknudson1this is nova creating the neutronclient23:32
bknudson1you can have CONF.neutron.admin_user_id23:32
bknudson1jamielennox: but the v2 password auth plugin doesn't allow user_id23:33
bknudson1it only has username23:33
bknudson1jamielennox: so is there some reason v2 auth plugin doesn't allow user_id?23:34
jamielennoxbknudson1: ah, yes - i have noticed this with the version independent one i just did23:34
jamielennoxbknudson1: i don't know if it was ever defined23:34
jamielennoxpicking a really old client: https://github.com/openstack/python-keystoneclient/blob/0.4.0/keystoneclient/v2_0/client.py#L168 is what i used as the basis of the auth plugin23:35
jamielennoxuser_id simply doesn't exist there23:35
jamielennoxand it's not defined as an option to https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v2_0/tokens.py#L3823:36
jamielennoxand it's not defined: http://docs.openstack.org/api/openstack-identity-service/2.0/content/POST_authenticate-v2.0__v2.0_tokens_identity-auth-v2.html#POST_authenticate-v2.0__v2.0_tokens_identity-auth-v2-Request23:37
jamielennoxhowever somewhere along the way i saw someone else has a v2 userid field23:38
jamielennoxit's also not a CLI option to keystoneclient shell23:38
bknudson1that's the neutronclient code to generate the request23:38
*** hrybacki has joined #openstack-keystone23:40
jamielennoxhowever here it is defined in keystone: https://github.com/openstack/keystone/blob/master/keystone/token/controllers.py#L265-L28823:41
bknudson1jamielennox: y, we have test for it too23:41
jamielennoxso i don't know how that happened23:41
bknudson1so it works if you configure nova to use a user_id for neutron connection23:41
jamielennoxso we really have no choice but to add userId to the password plugin23:42
jamielennoxwhich is a little annoying because it messes with the parameters23:42
bknudson1jamielennox: the parameters were very clean23:42
bknudson1jamielennox: maybe a new class? UserPassword or something23:43
bknudson1looks like tenant_id is supported in addition to tenant_name23:43
jamielennoxyep, so i don't know how we make username an optional value there and add id23:43
openstackgerritA change was merged to openstack/keystone: Enhance V3 extension class to use resources  https://review.openstack.org/11157123:43
openstackgerritA change was merged to openstack/keystone: Change V3 extensions to use resources  https://review.openstack.org/11157223:43
jamielennoxi think this is about where i got to once before :)23:44
bknudson1I don't think that Nova23:45
bknudson1's going to accept a change that breaks user_id.23:45
jamielennoxno, i don't think they will either23:45
bknudson1this change is already going to be a little half-assed23:45
bknudson1since for some reason neutronclient accepts an auth_strategy option23:46
jamielennoxbknudson1: yea, i don't know who was responsible for that auth_strategy thing but it was badly implemented and badly adopted23:46
jamielennoxit came out of nova and depending on when you forked your client might have it or not23:47
bknudson1it only has 1 other option.23:47
jamielennoxjust enough to make it really difficult to do a clean changeover23:47
jamielennoxi was having the same problem with novaclient/shell23:47
jamielennoxbknudson1: so what if we make all 3 parameters optional and then enforce it in __init__23:48
bknudson1username and password?23:48
bknudson1and, enforce that one of username or user_id is given?23:49
bknudson1I think that's backwards compatible.23:49
jamielennoxi think so, just looking now23:52
jamielennoxthe only thing i can see is that if you had explicitly passed username or password as None23:52
*** andreaf has joined #openstack-keystone23:53
bknudson1jamielennox: why would password=None be a prob with the change?23:54
*** andreaf_ has quit IRC23:56
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Allow passing user_id to v2Password plugin  https://review.openstack.org/11371223:56
jamielennoxbknudson1: ^ untested and raises TypeError which is probably bad23:56
*** andreaf has quit IRC23:56
jamielennoxuntested as in no explicit test cases23:57
jamielennoxpasses existing test23:57
*** andreaf has joined #openstack-keystone23:57
bknudson1another difference with neutronclient's regular client vs session client is that the regular client takes an endpoint_url whereas it looks like session gets the endpoint from the catalog (via the name)23:57
bknudson1jamielennox: is there any way around that ^ ?23:59
jamielennoxhmm, that was something i thought about earlier today in regards to that auth_token patch that uses session23:59
jamielennoxwe switched from using the explicit URL to the service catalog23:59
