Tuesday, 2014-09-09

00:05 *** amcrn has quit IRC
00:13 *** cjellick_ has joined #openstack-keystone
00:15 *** mitz has quit IRC
00:17 *** cjellick has quit IRC
00:18 *** mitz_ has joined #openstack-keystone
00:22 *** bknudson has joined #openstack-keystone
00:28 *** radez is now known as radez_g0n3
00:29 *** zzzeek has quit IRC
00:31 <ayoung> jamielennox, looking now
00:32 <ayoung> rm_work, you are working to lose me when you write things like "LBaaS Hijacks the user's token"
00:32 *** dims has quit IRC
00:35 <jamielennox> ayoung: thanks
00:37 *** dims has joined #openstack-keystone
00:40 *** saipandi has quit IRC
00:42 <ayoung> jamielennox, +2A all those.  I've looked at them all before at least once
00:42 <ayoung> well, the first three
00:42 <ayoung> let me see the second 3
00:43 <jamielennox> ayoung: excellent, there's more if you're that keen :)
00:43 <jamielennox> i need another core to pop their head up and we can really get somewhere today
00:43 <ayoung> jamielennox, so you sure about project_id?  And not domain_id?
00:43 <jamielennox> morganfainberg, gyee, stevemar ^
00:44 <jamielennox> ayoung: not really, i'd prefer to have neither
00:44 <jamielennox> but i need a way to construct those old urls that have /v1/{project_id} in them
00:44 <jamielennox> domain_id is ignored by pretty much everybody
00:44 <ayoung> I wish there were no difference between domains and projects
00:44 *** gokrokve has joined #openstack-keystone
00:44 <ayoung> +2 there
00:45 <jamielennox> yea, the path from here to there is hard
00:45 <jamielennox> stevemar: excellent. i have some reviews for you
00:45 <stevemar> jamielennox, link me!
00:46 <jamielennox> those ones are easy
00:46 <stevemar> will do
00:47 <ayoung> jamielennox, so the Kerberos one is in an interesting spot.
00:47 <ayoung> I tried CI and it failed, due to PyKerberos not doing Py33
00:47 <jamielennox> ayoung: i was just looking at that one to see if it was passing now
00:47 <ayoung> but...it looks like someone submitted a py33 compatible version back in March.
00:48 <ayoung> jamielennox, my RPM is 1.1.4, but the PyPi looks like 1.1.5.  I've built it on a VM on 3.3 and it passes
00:48 <ayoung> well, it builds
00:48 <jamielennox> 1.1.5 is python3 compatible?
00:48 <openstackgerrit> Morgan Fainberg proposed a change to openstack/keystone: Make the default cache time more explicit in code  https://review.openstack.org/113586
00:48 <jamielennox> easy: https://review.openstack.org/#/c/116757/
00:49 <ayoung> jamielennox, it seems to be
00:49 <ayoung> jamielennox, it's not in the upstream SVN repo
00:49 <ayoung> just the one in PyPi
00:49 <jamielennox> .... - that sounds dodgy
00:49 <ayoung> and the PyPi one doesn't have test.py in it, so....was it tested?
00:50 <jamielennox> i remember looking at the sources for pykerberos a while ago - i think last time we had this talk
00:50 <ayoung> http://logs.openstack.org/74/74974/15/check/gate-python-keystoneclient-python33/b369b17/  the Gate job that failed
00:51 <jamielennox> there's a lot of direct c bindings that make it kind of hard
00:51 <ayoung> Downloading/unpacking kerberos==1.1.1 (from requests-kerberos>=0.5->-r /home/jenkins/workspace/gate-python-keystoneclient-python33/requirements.txt (line 16))
00:51 <jamielennox> ayoung: is there another python kerberos library?
00:51 <jamielennox> ayoung: i can replicate requests-kerberos easily
00:52 <ayoung> is it requests_kerberos the failing one?  I thought it was python-kerberos, which was broken in the past
00:52 <ayoung> but 1.1.1....not 1.1.5?
00:52 <ayoung> Is it bound to an older version of python-kerberos?
00:53 <jamielennox> the fail is because of the dependency requests_kerberos -> python-kerberos isn't it?
00:58 <stevemar> jamielennox, done!
00:59 <stevemar> if you guys have time: https://review.openstack.org/#/c/118536/ (ayoung, this one in particular) and https://review.openstack.org/#/c/119159/
00:59 <ayoung> jamielennox, requests>=1.1.0
01:03 *** dims_ has joined #openstack-keystone
01:04 *** stevemar has quit IRC
01:04 <jamielennox> oh - it's a fixed version
01:05 *** dims has quit IRC
01:05 *** marcoemorais1 has quit IRC
01:06 <ayoung> jamielennox  I tried hacking that from github and building py33
01:06 *** dims_ has quit IRC
01:06 <ayoung> File "./setup.py", line 50, in <module>
01:06 <ayoung>     version=get_version(),
01:06 <ayoung>   File "./setup.py", line 39, in get_version
01:06 <ayoung>     return matches[0].group(1)
01:06 *** dims has joined #openstack-keystone
01:06 <ayoung> I'm guessing this one won't be too bad to deal with
01:06 <jamielennox> so it's a mostly 'official' requests library, so we can probably pull in some help from sigmavirus24_awa
01:07 <jamielennox> ayoung: looking at the commit history i don't know if there is a consensus on python 3
01:08 *** wwriverrat has joined #openstack-keystone
01:08 <jamielennox> they've reverted the testing
01:08 <ayoung> So long as there is no real resistance to it...guessing that there was a bit of the same bubble we got trapped in:  python-kerberos
01:10 <jamielennox> wtf is that get_version function doing?
01:10 <ayoung> jamielennox,  as they say in Madrid NPI
01:10 <ayoung> No idea
01:10 *** joesavak has joined #openstack-keystone
01:10 * jamielennox has never seen so many +As all at once
01:12 <jamielennox> ayoung: https://review.openstack.org/#/c/116757/ needs to happen before release as it's a fix for something that already got merged
01:13 <jamielennox> so will it build for py3?
01:14 *** jsavak has joined #openstack-keystone
01:16 *** dims has quit IRC
01:18 *** joesavak has quit IRC
01:19 *** dims has joined #openstack-keystone
01:22 *** r-daneel has quit IRC
01:23 *** gokrokve_ has joined #openstack-keystone
01:23 <openstackgerrit> Brant Knudson proposed a change to openstack/keystone: Stop skipping LDAP tests  https://review.openstack.org/119970
01:25 *** dims has quit IRC
01:26 *** dims has joined #openstack-keystone
01:26 *** gokrokve has quit IRC
01:26 *** dims_ has joined #openstack-keystone
01:27 *** gokrokve_ has quit IRC
01:29 *** nkinder has joined #openstack-keystone
01:30 *** dims has quit IRC
01:36 <ayoung> jamielennox, I think I recall the requests-kerberos guy was quick to pull the trigger.  I'll try to line up a tested version for him in the next couple of days.
01:42 *** dims_ has quit IRC
01:43 *** bknudson has quit IRC
01:47 *** dims has joined #openstack-keystone
01:50 *** dims has quit IRC
01:50 *** dims has joined #openstack-keystone
01:53 *** hrybacki has quit IRC
01:53 *** dims_ has joined #openstack-keystone
01:54 *** dims has quit IRC
01:56 *** wanghong has quit IRC
02:04 <ayoung> jamielennox, are these the same thing:  https://pypi.python.org/pypi/pykerberos   https://pypi.python.org/pypi/kerberos  ?  Cuz the second is locked to 1.1.1 and that is the problem, but if we can go against pykerberos we are in a better place
02:04 *** dims_ has quit IRC
02:04 *** dims has joined #openstack-keystone
02:05 <jamielennox> ayoung: looks like a fork
02:05 <ayoung> jamielennox, one test fails
02:05 <jamielennox> kerberos 1.1.1 was uploaded 2011-04-27
02:05 <ayoung> jamielennox, BTW, I just hacked the version to be "1.1.5" in setup.py.  looks like it is doing pbr type things
02:06 <jamielennox> ayoung: i think that's what the weird get_version regexp was doing
02:06 <jamielennox> there's no source for pykerberos though
02:07 <jamielennox> i'm *guessing* it's https://github.com/02strich/pykerberos
02:08 *** wanghong has joined #openstack-keystone
02:08 <ayoung> Package Index Owner: 02strich   yeah, that is a good guess
02:09 *** jsavak has quit IRC
02:09 *** dims has quit IRC
02:09 <jamielennox> but is that bit the problem?
02:10 <ayoung> I think we can work with it
02:10 <jamielennox> oh - flip over requests-kerberos to use pykerberos instead of kerberos
02:10 <ayoung> and hack the regex to not be a regex
02:10 <jamielennox> regexp versions are a problem for the rpm maintainer
02:11 <ayoung> yeah, we'll fix that
02:11 <ayoung> OK..someone had to fork it...we can deal with the fork, so long as we are not the ones adopting it.
02:11 <ayoung> I'll hack on it tomorrow...I think this looks promising
02:12 <jamielennox> yep, the issue here is that it's got to be requests-kerberos that makes the switch
02:13 <jamielennox> ayoung: if that doesn't work then we will have to look at making pykerberos a dependency directly and do our own plugin handling
02:13 <jamielennox> it's not too hard, just not something i want to maintain
02:14 <ayoung> we'll need it in the global requirements...
02:14 <jamielennox> i was wondering if we can do like a keystoneclient-auth-extras in stackforge or something
02:14 <jamielennox> there's no reason this has to be in tree
02:15 *** diegows has quit IRC
02:15 <jamielennox> and we have the same issue with lxml and federation stuff that they don't want for ksc
02:15 <ayoung> I want Kerberos to be a non-issue
02:16 <ayoung> then again, I want to be able to use Kerberos to set up TLS and that ain't gonna happen
02:16 <jamielennox> sure, i don't see it being in a different tree making that a problem
02:17 <jamielennox> having to do a = keystoneclient-kerberos.Auth() rather than keystoneclient.contrib.auth.kerberos.Auth() will not be an issue
02:18 <jamielennox> ideally i would like just one -extras repo, but it might need to be many
02:18 <openstackgerrit> A change was merged to openstack/keystone: Fix oauth sqlite migration downgrade failure  https://review.openstack.org/119653
02:20 <ayoung> I don't want kerberos in extras, but we are getting into dependency hell here, aren't we.  Anyway, we can deal once we have something that builds
02:20 <jamielennox> my issue is that ksc is a very common dependency and we keep adding requirements to it
02:20 <jamielennox> lxml took it from pure python to having C extensions
02:20 <jamielennox> having kerberos as a dep will do the same thing
02:21 <jamielennox> and if we don't install requests-kerberos as a dependency and say you should install it if you want to use it, then we may as well just pull the kerberos plugin to its own repo
02:22 <ayoung> so it should be python-keystoneclient-kerberos and have its own repo
02:22 <ayoung> I'll suggest that at the meeting tomorrow.
02:22 <ayoung> I think that the dependency issue is a clincher on that
02:23 <jamielennox> yep, i was going to propose this for summit around federation but i think that kerberos will come up quicker than that
02:23 <ayoung> We should somehow get all of the Django-openstack-auth Kerberos dependencies crammed in there as well
02:23 <jamielennox> what are they?
02:24 <ayoung> really just that it needs to specify the plugin...
02:24 <jamielennox> I expect the ksc kerberos plugin would be all they should need
02:24 <jamielennox> yea, that's ok - all the plugins specify a setuptools entrypoint
02:24 <jamielennox> if it's installed it will be available
02:24 <ayoung> but if it is a hard dependency it has the same problem..unless we use the config options
02:25 <ayoung> which, of course, Django doesn't support
02:25 <ayoung> because it is not Oslo config
02:25 <jamielennox> why wouldn't django support setuptools stuff?
02:25 <ayoung> But rather Django, which means it is a python file read out of ETC instead of a code dir
02:25 <jamielennox> so, the config option is just a string, send that to stevedore, load needed plugin
02:26 <jamielennox> back in a bit
02:26 <jamielennox> but yes i think we propose this as external repo at meeting tomorrow
02:33 *** openstackgerrit has quit IRC
02:33 <ayoung> jamielennox, so beyond "use a session" we need D-O-A to load the plugins via Stevedore...that is OK.  I think I want to avoid doing a configuration option for it, though...the thought was the DOA should be able to tell from the environment.  One thing it will test for is the env vars set for Kerberos
02:33 <ayoung> I think that will still work
02:45 *** ayoung has quit IRC
02:53 *** annasort has joined #openstack-keystone
02:56 *** wanghong has quit IRC
02:57 *** KanagarajM has joined #openstack-keystone
03:07 *** ayoung has joined #openstack-keystone
03:11 *** amcrn has joined #openstack-keystone
03:13 *** wanghong has joined #openstack-keystone
03:16 <jamielennox> ayoung: horizon is always going to be kind of funny there because it expects input from users
03:16 <jamielennox> i don't think we'll be able to have horizon auto generate an interface for a type of auth plugin or anything
03:16 <ayoung> jamielennox, I have a plan there...I'll write it up tomorrow
03:16 <jamielennox> but it can at least opportunistically load the library or entrypoint and then do stuff based on whether it's available
03:24 *** stevemar has joined #openstack-keystone
03:41 *** openstack has joined #openstack-keystone
03:46 *** gothicmindfood has joined #openstack-keystone
03:46 *** andreaf_ has joined #openstack-keystone
03:46 *** cjellick_ has joined #openstack-keystone
03:46 *** hrybacki has joined #openstack-keystone
03:46 *** dutsmoc has joined #openstack-keystone
03:46 *** Ephur has joined #openstack-keystone
03:46 *** dolphm has joined #openstack-keystone
03:46 *** hockeynut_ has joined #openstack-keystone
03:46 *** dtroyer has joined #openstack-keystone
03:46 *** KanagarajM has joined #openstack-keystone
03:46 *** stevemar has joined #openstack-keystone
03:46 *** wanghong has joined #openstack-keystone
03:46 *** amcrn has joined #openstack-keystone
03:46 *** ayoung has joined #openstack-keystone
03:46 *** annasort has joined #openstack-keystone
03:46 *** nkinder has joined #openstack-keystone
03:46 *** wwriverrat has joined #openstack-keystone
03:46 *** mitz_ has joined #openstack-keystone
03:46 *** miqui has joined #openstack-keystone
03:46 *** Haneef has joined #openstack-keystone
03:46 *** arunkant has joined #openstack-keystone
03:46 *** tim__r has joined #openstack-keystone
03:46 *** gyee has joined #openstack-keystone
03:46 *** rodrigods has joined #openstack-keystone
03:46 *** afaranha has joined #openstack-keystone
03:46 *** htruta has joined #openstack-keystone
03:46 *** rkofman has joined #openstack-keystone
03:46 *** samuelmz has joined #openstack-keystone
03:46 *** Daviey has joined #openstack-keystone
03:46 *** bjornar has joined #openstack-keystone
03:46 *** rm_work has joined #openstack-keystone
03:46 *** henrynash has joined #openstack-keystone
03:46 *** boris-42 has joined #openstack-keystone
03:46 *** roock has joined #openstack-keystone
03:46 *** Morgan_ has joined #openstack-keystone
03:46 *** fifieldt_ has joined #openstack-keystone
03:46 *** xianghui has joined #openstack-keystone
03:46 *** lsmola_ has joined #openstack-keystone
03:46 *** jamielennox has joined #openstack-keystone
03:46 *** larsks has joined #openstack-keystone
03:46 *** arosen has joined #openstack-keystone
03:46 *** YorikSar has joined #openstack-keystone
03:46 *** morganfainberg has joined #openstack-keystone
03:46 *** jimbaker has joined #openstack-keystone
03:46 *** afazekas has joined #openstack-keystone
03:46 *** kevinbenton has joined #openstack-keystone
03:46 *** palendae has joined #openstack-keystone
03:46 *** harlowja has joined #openstack-keystone
03:46 *** grantbow has joined #openstack-keystone
03:46 *** portante has joined #openstack-keystone
03:46 *** ekarlso- has joined #openstack-keystone
03:46 *** adam_g has joined #openstack-keystone
03:46 *** mflobo has joined #openstack-keystone
03:46 *** esmute has joined #openstack-keystone
03:46 *** dhellmann has joined #openstack-keystone
03:46 *** therve has joined #openstack-keystone
03:46 *** vishy has joined #openstack-keystone
03:46 *** bambam1 has joined #openstack-keystone
03:46 *** rushiagr_away has joined #openstack-keystone
03:46 *** nonameentername has joined #openstack-keystone
03:46 *** ctracey has joined #openstack-keystone
03:46 *** sbasam_ has joined #openstack-keystone
03:46 *** jraim__ has joined #openstack-keystone
03:46 *** x-eye has joined #openstack-keystone
03:46 *** mfisch has joined #openstack-keystone
03:46 *** dobson has joined #openstack-keystone
03:46 *** redrobot has joined #openstack-keystone
03:46 *** EmilienM has joined #openstack-keystone
03:46 *** hyakuhei has joined #openstack-keystone
03:46 *** zhiyan has joined #openstack-keystone
03:46 *** mhu has joined #openstack-keystone
03:46 *** russellb has joined #openstack-keystone
03:46 *** radez_g0n3 has joined #openstack-keystone
03:46 *** gus has joined #openstack-keystone
03:46 *** serverascode has joined #openstack-keystone
03:46 *** chmouel has joined #openstack-keystone
03:46 *** notmyname has joined #openstack-keystone
03:46 *** rharwood has joined #openstack-keystone
03:46 *** sudorandom has joined #openstack-keystone
03:46 *** jamiec has joined #openstack-keystone
03:46 *** dvorak has joined #openstack-keystone
03:46 *** marzif__ has joined #openstack-keystone
03:46 *** uvirtbot has joined #openstack-keystone
03:46 *** wolsen has joined #openstack-keystone
03:46 *** gmurphy has joined #openstack-keystone
03:46 *** anteaya has joined #openstack-keystone
03:46 *** zigo has joined #openstack-keystone
03:46 *** gabriel-bezerra has joined #openstack-keystone
03:46 *** achudnovets has joined #openstack-keystone
03:46 *** mgagne has joined #openstack-keystone
03:46 *** ByteSore has joined #openstack-keystone
03:46 *** shufflebot has joined #openstack-keystone
03:46 *** csd has joined #openstack-keystone
03:46 *** d0ugal has joined #openstack-keystone
03:46 *** ChanServ has joined #openstack-keystone
03:46 *** dstanek has joined #openstack-keystone
03:46 *** sendak.freenode.net sets mode: +o ChanServ
03:56 *** hrybacki has quit IRC
04:03 *** rm_work has quit IRC
04:07 *** HenryG has joined #openstack-keystone
04:08 *** rm_work has joined #openstack-keystone
04:08 *** rm_work is now known as rm_work|away
04:29 *** rushiagr_away is now known as rushiagr
04:32 *** ncoghlan has joined #openstack-keystone
04:33 *** dutsmoc is now known as comstud
04:46 *** gokrokve has joined #openstack-keystone
04:51 *** gokrokve has quit IRC
04:52 *** stevemar has quit IRC
05:00 *** ncoghlan is now known as ncoghlan_afk
05:03 *** ncoghlan_afk is now known as ncoghlan
05:03 *** ncoghlan is now known as ncoghlan_afk
05:07 *** rushiagr is now known as rushiagr_away
05:10 *** ayoung has quit IRC
05:17 *** gabriel-bezerra has quit IRC
05:21 *** rushiagr_away is now known as rushiagr
05:22 *** gyee has quit IRC
05:23 *** gabriel-bezerra has joined #openstack-keystone
05:46 *** gokrokve has joined #openstack-keystone
05:47 *** harlowja is now known as harlowja_away
05:50 *** gokrokve has quit IRC
05:55 *** afazekas_ has joined #openstack-keystone
05:55 *** ncoghlan_afk is now known as ncoghlan
06:04 *** jaosorior has joined #openstack-keystone
06:18 *** ajayaa has joined #openstack-keystone
06:45 *** ukalifon has joined #openstack-keystone
06:46 *** gokrokve has joined #openstack-keystone
06:51 *** gokrokve has quit IRC
07:02 <jaosorior> henrynash, are you around?
07:09 *** BAKfr has joined #openstack-keystone
07:22 *** dguitarbite has joined #openstack-keystone
07:44 <mflobo> Does anyone have problems using Tox and the new requirements?
07:44 <mflobo> I have some problems related to the cffi library
07:46 *** gokrokve has joined #openstack-keystone
07:48 <henrynash> jaosorior: hi
07:51 *** gokrokve has quit IRC
07:52 *** openstackgerrit has joined #openstack-keystone
07:54 <mflobo> Ok, my problem was solved by installing the libffi-devel library
07:56 *** bvandenh has joined #openstack-keystone
07:57 *** Alexander has joined #openstack-keystone
07:57 *** Alexander is now known as Guest63524
07:58 *** Guest63524 has quit IRC
07:58 *** amakarov has joined #openstack-keystone
08:12 <jaosorior> henrynash: hey, are you acquainted with the module keystone.assignment.controllers? specifically the assignment inheritance stuff? need some help with it
08:12 <henrynash> jaosorior: yes, I'm somewhat familiar with it
08:15 <jaosorior> I was refactoring some of those functions (I guess I'll have to wait for Kilo to finish it) and there is some stuff that was there that I would like to understand better, since it was pointed out by someone; and since you're kind of in my timezone I thought you could help; got some minutes to look at this?
08:25 *** andreaf_ is now known as andreaf
08:28 *** ncoghlan has quit IRC
08:38 *** KanagarajM2 has joined #openstack-keystone
08:38 *** KanagarajM has quit IRC
08:45 *** xianghuihui has joined #openstack-keystone
08:46 *** gokrokve has joined #openstack-keystone
08:47 *** gokrokve has quit IRC
08:48 *** gokrokve has joined #openstack-keystone
08:49 *** xianghuihuihui has joined #openstack-keystone
08:49 *** xianghuihui has quit IRC
08:52 *** gokrokve has quit IRC
08:53 *** aix has joined #openstack-keystone
08:54 *** amcrn has quit IRC
08:55 *** Dafna has joined #openstack-keystone
08:58 *** cjellick has joined #openstack-keystone
09:00 *** cjellick_ has quit IRC
09:19 *** fmarco76 has joined #openstack-keystone
09:19 *** openstackgerrit has joined #openstack-keystone
09:19 *** fmarco76 has quit IRC
09:21 *** rushiagr is now known as rushiagr_away
09:28 <openstackgerrit> Alexander Makarov proposed a change to openstack/keystone: PKI and PKIZ tokens unnecessary whitespace removed  https://review.openstack.org/120043
09:34 *** rushiagr_away is now known as rushiagr
09:39 *** KanagarajM2 has quit IRC
09:44 *** KanagarajM has joined #openstack-keystone
09:46 *** gokrokve has joined #openstack-keystone
09:51 *** gokrokve has quit IRC
10:00 *** aix has quit IRC
10:08 *** KanagarajM has quit IRC
10:11 *** KanagarajM has joined #openstack-keystone
10:16 *** aix has joined #openstack-keystone
10:25 <openstackgerrit> Marcos Fermín Lobo proposed a change to openstack/keystone: Templated catalog backend V3 not implemented  https://review.openstack.org/120011
10:32 *** ukalifon2 has joined #openstack-keystone
10:32 *** ukalifon has quit IRC
10:34 <openstackgerrit> A change was merged to openstack/keystone: Prevent domains creation for the default LDAP+SQL  https://review.openstack.org/116858
10:40 *** xianghuihuihui has quit IRC
10:46 *** gokrokve has joined #openstack-keystone
10:49 *** topol has joined #openstack-keystone
10:51 *** gokrokve has quit IRC
11:01 <openstackgerrit> Yuriy Taraday proposed a change to openstack/keystonemiddleware: Add a pool of memcached clients  https://review.openstack.org/119774
11:01 <openstackgerrit> Yuriy Taraday proposed a change to openstack/keystone: Add a pool of memcached clients  https://review.openstack.org/119452
11:11 *** dims has joined #openstack-keystone
11:22 *** diegows has joined #openstack-keystone
11:31 *** wwriverrat has quit IRC
11:31 *** wwriverrat has joined #openstack-keystone
11:32 *** gordc has joined #openstack-keystone
11:46 *** gokrokve has joined #openstack-keystone
11:51 *** gokrokve has quit IRC
11:54 *** andreaf_ has joined #openstack-keystone
11:55 <openstackgerrit> Marcos Fermín Lobo proposed a change to openstack/keystone: Templated catalog backend V3 not implemented  https://review.openstack.org/120011
11:56 *** andreaf has quit IRC
11:58 <bjornar> How can I prevent a pki token from being stored in the database?
11:58 <bjornar> I mean... does it need to be stored?
12:01 *** gothicmindfood has quit IRC
12:05 *** gothicmindfood has joined #openstack-keystone
12:07 *** raildo has joined #openstack-keystone
12:11 *** dims has quit IRC
12:12 *** dims has joined #openstack-keystone
12:12 *** dims_ has joined #openstack-keystone
12:14 *** dims_ has quit IRC
12:15 *** dims_ has joined #openstack-keystone
12:16 *** dims has quit IRC
12:16 *** ChanServ sets mode: +o dolphm
12:19 <ajayaa> bjornar, You can't prevent pki tokens from being stored in the db as of now.
12:20 <ajayaa> Work is still going on to make pki tokens non-persistent in the database.
12:20 <ajayaa> bjornar, ^^
12:21 *** KanagarajM has quit IRC
12:40 <bjornar> ajayaa, ok.. what is the limiting factor?
12:40 <bjornar> Also, when do you use python-openssl or something instead of launching the openssl binary?
12:41 <bjornar> I am struggling with trying to understand why keystone is spending ~200 msecs logging me in..
12:46 *** gokrokve has joined #openstack-keystone
*** gokrokve has quit IRC12:50
bjornarajayaa, ?12:53
ajayaabjornar, limiting factor for?12:53
*** hrybacki has joined #openstack-keystone12:54
*** cdnchris has joined #openstack-keystone12:55
bjornarajayaa, commenting out the INSERT INTO token (id, expires, extra, valid, user_id, trust_id) VALUES (...12:57
ajayaabjornar, I don't understand what you are trying to convey.12:58
*** topol has quit IRC12:58
*** hrybacki has quit IRC12:58
bjornarThe whole point afaik with PKI tokens is they can be verified by each agent locally without needing to query keystone (except revoke polling)12:59
bjornarthen I dont understand why token is inserted into db12:59
ajayaafor revoke polling, I guess. Right now the revoke call returns a list of tokens which are revoked.12:59
ajayaabjornar, If you don't store the pki tokens, you have no way of knowing which pki tokens are revoked.13:01
ajayaadolphm, ^^13:01
ajayaaBut going forward when token revocation events are in place, we won't need to store pki tokens.13:02
bjornarok, so is this planned for Juno?13:02
bjornarAnd also, is using some libssl planned for Juno?13:03
ajayaaI am unaware of release plans. I have pinged the PTL for keystone already. He is the right person to ask this question, imo.13:05
bjornarAlso, do you have any clues for me where the main bottleneck in posts to v2.0/tokens (or v3) is?13:06
bjornarI am seeing ~200ms now, and I dont really see what is taking time...13:06
bjornaropenssl is using ~ 8ms13:06
bjornarsql token insert is Query_time: 0.004509  Lock_time: 0.00089213:06
*** jasondotstar has joined #openstack-keystone13:07
ajayaaDo you have you users in db or ldap?13:08
ajayaaIs it a local call? if not so, network latency perhaps.13:08
openstackgerritA change was merged to openstack/python-keystoneclient: Allow providing an endpoint_override to requests  https://review.openstack.org/11739913:08
bjornarshould not be, im on 2x 10Gb SFP+13:09
*** radez_g0n3 is now known as radez13:10
*** nkinder has quit IRC13:10
openstackgerritA change was merged to openstack/keystone: Update paste pipelines in configuration docs  https://review.openstack.org/11853313:12
openstackgerritA change was merged to openstack/python-keystoneclient: Handle invalidate in identity plugins correctly  https://review.openstack.org/11244013:12
ajayaabjornar, no idea mate. :(13:13
bjornarTrying to analyse a pcap now13:13
ajayaaWait for an hour or so. It's almost time for keystone cores to be here.13:13
*** vhoward has joined #openstack-keystone13:16
bjornarok, I will..13:17
bjornarSee lots of crap in this pcap, so perhaps someone would like to have a look at it13:18
dolphmajayaa: the legacy token revocation list required tokens to be persisted so that they could be revoked. that's where token revocation events come in... we describe attributes of revoked tokens instead of enumerating the tokens themselves13:19
*** cdnchris has quit IRC13:21
*** hrybacki has joined #openstack-keystone13:23
*** cdnchris has joined #openstack-keystone13:24
*** richm has joined #openstack-keystone13:25
*** stevemar has joined #openstack-keystone13:31
*** wanghong has quit IRC13:32
*** wanghong has joined #openstack-keystone13:33
*** bknudson has joined #openstack-keystone13:35
*** hrybacki has quit IRC13:39
*** r-daneel has joined #openstack-keystone13:43
bjornarajayaa, so, who should I talk to about this?13:45
*** gokrokve has joined #openstack-keystone13:46
*** joesavak has joined #openstack-keystone13:47
ajayaabjornar, dolphm13:48
ajayaaPlease ping him here.13:48
*** cdnchris has quit IRC13:49
bjornardolphm, there?13:49
*** gokrokve has quit IRC13:51
*** sigmavirus24_awa is now known as sigmavirus2413:53
*** sigmavirus24 has joined #openstack-keystone13:53
*** nkinder has joined #openstack-keystone13:59
*** topol has joined #openstack-keystone14:00
BAKfrhi guys14:00
BAKfrI've a question about the behavior of delete_grant() in assignment/core.py14:00
BAKfrIf the method receive a project_id, can we revoke only tokens associated to this project ?14:01
BAKfrI means, Is it safe to modify code, for replacing _emit_invalidate_user_token_persistence() by _emit_invalidate_user_project_tokens_notification() ?14:01
stevemarbknudson, care to revisit: https://review.openstack.org/#/c/119422/14:09
*** ajayaa has quit IRC14:09
*** jimhoagland has joined #openstack-keystone14:10
*** jsavak has joined #openstack-keystone14:15
openstackgerritSteve Martinelli proposed a change to openstack/python-keystoneclient: Use oslo_debug_helper and remove our own version  https://review.openstack.org/12010414:15
*** jimhoagland has quit IRC14:15
*** joesavak has quit IRC14:17
*** joesavak has joined #openstack-keystone14:18
openstackgerritSteve Martinelli proposed a change to openstack/keystonemiddleware: Use oslo_debug_helper and remove our own version  https://review.openstack.org/12010514:19
*** jsavak has quit IRC14:20
*** jorge_munoz has joined #openstack-keystone14:22
bjornardolphm, I am looking a bit into keystone performance, and have some interesting finds, would you care to have a look?14:23
*** david-lyle has joined #openstack-keystone14:25
openstackgerritBrant Knudson proposed a change to openstack/keystone: Add characterization test for cleanup role assignments for group  https://review.openstack.org/11963014:25
openstackgerritBrant Knudson proposed a change to openstack/keystone: Fix delete group cleans up role assignments with LDAP  https://review.openstack.org/11963114:25
openstackgerritBrant Knudson proposed a change to openstack/keystone: Fix using local ID to clean up user/group assignments  https://review.openstack.org/11962914:25
openstackgerritBrant Knudson proposed a change to openstack/keystone: Fix LDAP group role assignment listing  https://review.openstack.org/11948014:25
dolphmbjornar: i read your messages earlier - do you have anything else?14:25
bjornarI am looking at what keystone does through tcpdump, and it has a lot of interesting queries...14:26
dstanekbjornar: one of the things i hate is that we don't allow the sql engine to fail on foreign keys and instead always do a lookup by id14:27
*** gokrokve has joined #openstack-keystone14:27
openstackgerritA change was merged to openstack/python-keystoneclient: Add version parameter to adapter.  https://review.openstack.org/11766914:29
bjornarBetween these "legit" queries are atleast one commit, one rollback, and one select 1...14:29
openstackgerritA change was merged to openstack/keystone: Update the revocation configuration docs  https://review.openstack.org/11853614:29
bjornarso multiply these queries by 414:29
bjornar... this is just a post to v2.0/tokens14:30
bjornarand completely isolated14:30
bjornarI can make the entire tcpdump public if you like.14:31
dstanekbjornar: i was working on reducing the object lookup, but it's a redesign that i haven't figured out enough to write a spec14:31
*** cjellick has quit IRC14:32
bjornarThe way I see it now, keystone is not optimal. Right not using 200ms to provide me a token. Could probably make that number look a little nicer, but the real problem here is in the code14:32
dstanekbjornar: the problem is the design14:33
bjornar17 queries (many of them duplicated) (*4 (query + rollback + commit + select 1)14:33
bjornarthat makes a total of 68 db queries14:34
dolphmbjornar: are you running with caching?14:34
dolphmbjornar: http://docs.openstack.org/developer/keystone/configuration.html#caching-layer14:34
dstanekbjornar: the two main issues are that we have to rely on the select by id queries because we use sqlite in our unit tests and some may be needed because there may be mixed backends (ldap + sql)14:35
dolphmmixed backends are the expensive use case14:35
bjornarSo caching is fine also with distributed keystone-main/admin?14:35
dstanekdolphm: :-) yeah, boo14:35
bjornarNow we are basing this on galera14:36
bjornarand memcache does not have replication afaik14:36
dstanekbknudson: also the commit/rollback shenanagans are probably sqlalchemy or how we are using it14:36
dstanekbjornar: you don't need replication for memcache14:36
dolphmbjornar: yeah, just set your cache expirations appropriately low. we try, but i'm sure we don't invalidate as thoroughly as we could14:36
*** ayoung has joined #openstack-keystone14:37
dolphmmemcache is fast because it's not complicated :)14:37
bjornarbut I guess tokens still have to live in db14:37
openstackgerritAlexander Makarov proposed a change to openstack/keystone: PKI and PKIZ tokens unnecessary whitespace removed  https://review.openstack.org/12004314:37
dolphmbjornar: if you think you need replication, we support other cache backends via dogpile14:37
dolphmbjornar: but i'd recommend pylibmc + memcached as the first choice option14:38
dstanekbjornar: nothing is permanently stored in memcache - it just caches some of the DB calls14:38
bjornar..also, I don't like to introduce a cache layer too early. Then you don't find the real bottlenecks ;)14:38
dolphmbjornar: are you running a stable release or master?14:38
bjornaricehouse just now. all wsgi14:38
dolphmbjornar: i'd be curious to hear your experience with icehouse vs master then, both without caching14:39
dolphmbjornar: juno-rc1 will be available in a couple weeks14:39
bjornarWaiting for that...14:39
bjornarYou are probably going to paris as well, so can perhaps speak to you there14:40
dolphmbjornar: the bug countdown has begun https://launchpad.net/keystone/+milestone/juno-rc114:40
dolphmi will certainly be there14:40
dolphmin fact, i need to book stuff today. you should too, dstanek!14:40
bjornarI can do some more work in publishing the isolated tcpdump of the different keystone api calls, perhaps it will get some performance work into focus14:42
dolphmbjornar: open bugs where you see obvious bottlenecks (and tag them with 'performance' if you don't mind)14:42
dolphmbjornar: https://bugs.launchpad.net/keystone/+bugs?field.tag=performance14:42
bjornaryeah.. I'd make a general report I think, and can add that to the tracker14:43
bjornarIt doesn't take a genius to understand that doing:14:43
bjornarSELECT domain.id AS domain_id, domain.name AS domain_name, domain.enabled AS domain_enabled, domain.extra AS domain_extra FROM domain WHERE domain.id = 'default'14:43
bjornar4 times from the same program is not very smart14:44
bjornar...of course a cache layer hides that problem...14:44
bjornarbut it's even easier to just fix it!14:44
*** mitz has joined #openstack-keystone14:49
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Adds pipeline hints to the example paste config  https://review.openstack.org/11982714:49
dstanekdolphm: yeah, i saw the email this morning14:50
openstackgerritAlvaro Lopez Garcia proposed a change to openstack/python-keystoneclient: auth_token: http_connect_timeout should be an int  https://review.openstack.org/11721314:55
dolphmbjornar: morganfainberg's work on https://blueprints.launchpad.net/keystone/+spec/non-persistent-tokens in part minimizes redundant queries - but it's not feature complete in juno. contributions welcome for kilo :)14:55
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Adds hint about filter placement to extension docs  https://review.openstack.org/11983414:56
openstackgerritMarcos Fermín Lobo proposed a change to openstack/keystone: Keystone part of a PoC for Horizon/Keystone WebSSO  https://review.openstack.org/10609614:59
*** wwriverrat has quit IRC15:00
amakarovnkinder, hi! What does attrs='[1.1]' mean in a call to ldap_connection.search_s()? Found nothing in docs about it ( Is there a field named '[1.1]' in LDAP structure?15:02
nkinderamakarov: 1.1 is a special attribute in the LDAP RFCs that means "no attributes"15:03
morganfainbergdolphm, omg booking travel!15:04
dolphmmorganfainberg: ++15:04
morganfainbergdolphm, i should be landing there on Nov 2 (couldn't swing nov1 due to an appt i couldn't reschedule)15:05
morganfainbergnkinder, ping15:06
dolphmmorganfainberg: probably same for me15:06
morganfainbergnkinder, re https://review.openstack.org/#/c/119578/15:06
nkinderamakarov: see the end of section 4.5.1 in http://tools.ietf.org/html/rfc225115:06
nkindermorganfainberg: pong15:06
*** cdnchris has joined #openstack-keystone15:06
nkinderamakarov: I'd have to track it down in the newer 45xx series of RFCs15:07
morganfainbergnkinder, are the changes in patchset 2/3 covered in the master change?15:07
morganfainbergnkinder, i'll 2x check but before i do i figured i'd ask15:07
nkindermorganfainberg: yes15:07
morganfainbergnkinder, ok. just saw that we had additional patchsets and changes in a backport.15:08
nkindermorganfainberg: I double checked all search_s() calls in the assignment driver in master, and it looks good.15:08
*** jimhoagland has joined #openstack-keystone15:08
nkindermorganfainberg: yes, I should have done an exhaustive search when doing the backport15:08
YorikSarmorganfainberg: Hi.15:08
morganfainbergnkinder, ok i'll run through it as well, but just wanted a 2x check with you first15:09
morganfainbergnkinder, thanks!15:09
nkindermorganfainberg: ++15:09
morganfainbergYorikSar, mornin15:09
YorikSarmorganfainberg: I've been asked to investigate if the same approach to memcached connections can be applied to Havana and there I found that token backend relies on cas() operation.15:09
nkinderamakarov: the '1.1' attribute is also described in the ldapsearch man page15:09
YorikSarmorganfainberg: Is this still the case for Icehouse/Juno?15:09
amakarovnkinder, thanks, didn't know15:10
nkinderamakarov: sure15:10
morganfainbergYorikSar, it won't be accepted for upstream havana15:10
morganfainbergYorikSar, well... it *might* be since it's security associated, but lets work on master / icehouse first15:10
*** afazekas_ has quit IRC15:11
morganfainbergYorikSar, havana is almost EOL so it might not make it, depending on timing15:11
YorikSarmorganfainberg: We have a customer tied to Havana, so I should at least tell them if we're going to backport that in-house.15:11
YorikSarmorganfainberg: But my question is about I/J... If cas() is used somewhere there we might get troubles with current approach.15:12
openstackgerritPeter Razumovsky proposed a change to openstack/keystone: Refactor LDAP backend using context manager for connection  https://review.openstack.org/11813815:12
dstanekdolphm, morganfainberg: what days are you arriving/leaving?15:12
morganfainbergYorikSar, icehouse *shouldn't* use CAS15:12
YorikSarmorganfainberg: Good :)15:13
morganfainbergdstanek, i'm arriving on the 2nd, checking out of the conf. hotel on the 8th, i might be staying longer cause... france.15:13
morganfainbergYorikSar, let me 2x check though15:13
YorikSarmorganfainberg: I've already started to think if I'm so lucky that we never ran into problems with it.15:13
morganfainbergYorikSar, however, havana uses cas fairly extensively15:14
morganfainbergoh i mean in one place:P15:14
morganfainberghttps://github.com/openstack/keystone/blob/stable/havana/keystone/token/backends/memcache.py#L189 <<-- YorikSar15:14
YorikSarmorganfainberg: btw, why does it use it?15:14
morganfainbergYorikSar, was used to update the user token list15:14
morganfainbergYorikSar, fixed it in icehouse due to horrible performance.15:14
YorikSarmorganfainberg: Ah, I guess because we didn't use dogpile.cache there :)15:15
morganfainbergYorikSar, that too15:15
dolphmdstanek: arriving Nov 2nd (although I might try to work out how Nov 1st would look)15:15
dolphmdstanek: and staying until the thursday *after* the summit15:15
morganfainbergyeah i want to stay longer but i think i want to airbnb it instead of $$$ conf. hotel if i do15:16
*** cds has joined #openstack-keystone15:18
*** ukalifon2 has quit IRC15:18
*** david-lyle has quit IRC15:19
bknudsonI'm also going to be hanging around paris after the conf.15:24
dolphmmorganfainberg: i'm looking at airbnb too15:24
dolphmbknudson: where are you staying?15:25
*** cjellick has joined #openstack-keystone15:25
bknudsondolphm: i'm going to meet my mom there. she says it's the best western louvre15:25
bknudsondolphm: I didn't try to tell her to use airbnb15:26
*** mikedillion has joined #openstack-keystone15:27
*** zzzeek has joined #openstack-keystone15:31
*** dhellmann is now known as dhellmann_15:38
*** lmtaylor1 has joined #openstack-keystone15:39
*** gokrokve_ has joined #openstack-keystone15:41
*** gokrokve has quit IRC15:44
*** cdnchris has quit IRC15:48
*** david-lyle has joined #openstack-keystone15:48
dstanekhmmm...looks like i need to find a crash course on french15:50
bknudsondstanek: you learn the verbs and I'll learn the nouns15:51
dstanekbknudson: i was thinking something more like 'must pee', 'need food' and 'where's my car?'15:52
bknudsondstanek: Je dois pisser !15:53
bknudsondstanek: besoin de nourriture15:54
*** bvandenh has quit IRC15:55
jaosoriordstanek: if you know some spanish it seems that the parisians don't hate it so much :) :P16:02
*** wwriverrat has joined #openstack-keystone16:03
jaosoriorIf that helps in anything16:03
dstanekjaosorior: i know 'no habla spanish' :-)16:03
jaosoriorHaha damn, well, it's going to be interesting then16:05
*** lvh has joined #openstack-keystone16:05
lvhHello :-)16:05
*** marcoemorais has joined #openstack-keystone16:05
*** wwriverrat has left #openstack-keystone16:20
*** BAKfr has quit IRC16:21
*** rm_work|away is now known as rm_work16:27
rm_workayoung: yes, the use of the term "hijack" is a very specific wording choice on my part... I am trying to spark a debate there16:28
rm_workayoung: I am not sure how else it can be done though, but if people have problems with that, I want to hear it -- not trying to hide or abstract away that interaction in pretty language16:28
*** gokrokve_ has quit IRC16:32
*** jimhoagland has quit IRC16:35
*** david-lyle has quit IRC16:35
*** david-lyle has joined #openstack-keystone16:36
*** bjornar_ has joined #openstack-keystone16:40
*** wwriverrat has joined #openstack-keystone16:40
ayoungrm_work, what are we talking about again?16:42
*** jimhoagland has joined #openstack-keystone16:42
*** gordc has quit IRC16:43
*** rushiagr is now known as rushiagr_away16:49
openstackgerritVictor Sergeyev proposed a change to openstack/keystone: Remove of using session in migration 042  https://review.openstack.org/12014616:49
*** andreaf has joined #openstack-keystone16:53
*** Daviey has quit IRC16:53
*** sigmavirus24 is now known as sigmavirus24_awa16:55
*** Daviey has joined #openstack-keystone17:01
*** rkofman has quit IRC17:04
bjornar_Would be nice if the keystone wsgi file could be updated17:04
*** rkofman has joined #openstack-keystone17:05
rm_workayoung: probably this: http://i.imgur.com/fldU3OW.png17:08
morganfainbergbjornar_, in what way?17:08
bjornar_I dunno, perhaps it's my virtualenv that is playing games atm..17:11
*** cdnchris has joined #openstack-keystone17:11
*** dhellmann_ is now known as dhellmann17:13
*** lmtaylor1 has quit IRC17:13
*** rushiagr_away is now known as rushiagr17:14
*** rushiagr is now known as rushiagr_away17:20
*** gokrokve has joined #openstack-keystone17:21
*** rushiagr_away is now known as rushiagr17:21
*** rushiagr is now known as rushiagr_away17:23
*** ukalifon has joined #openstack-keystone17:24
*** cdnchris has quit IRC17:25
*** harlowja_away is now known as harlowja17:25
bjornar_What does this mean:17:28
bjornar_CRITICAL keystone.service [-] 'DomainV3' object has no attribute 'assignment_api'17:28
*** amcrn has joined #openstack-keystone17:28
*** lmtaylor1 has joined #openstack-keystone17:29
*** lmtaylor1 has left #openstack-keystone17:30
openstackgerritAaron Rosen proposed a change to openstack/python-keystoneclient: Sync with latest oslo-incubator  https://review.openstack.org/11945117:31
arosenHi, could I get a few keystone cores to approve this oslo-incubator sync https://review.openstack.org/#/c/119451/ . This fixes a bug that i'm hitting in the python-congressclient :/17:33
openstackgerritBrad Topol proposed a change to openstack/keystone: Keystone local authenticate has an unnecessary pending audit record.  https://review.openstack.org/12016217:36
dstanekdhellmann: you around?17:42
*** gyee has joined #openstack-keystone17:46
*** david-lyle has quit IRC17:50
*** cds has quit IRC17:50
*** sigmavirus24_awa is now known as sigmavirus2417:59
*** wwriverrat has left #openstack-keystone18:01
openstackgerritA change was merged to openstack/keystone: Add rst code-blocks to a bunch of missing examples  https://review.openstack.org/11921018:02
dhellmanndstanek: here18:03
rm_workayoung / nkinder: http://goo.gl/x6oBZu18:09
nkinderrm_work: oooh, fancy... :)18:10
*** dims has joined #openstack-keystone18:11
*** dims_ has quit IRC18:11
*** dims has quit IRC18:12
nkinderrm_work: looks good/accurate from a trust standpoint18:12
*** ukalifon has quit IRC18:13
*** dims_ has joined #openstack-keystone18:16
openstackgerritJamie Lennox proposed a change to openstack/python-keystoneclient: Allow fetching user_id/project_id from auth  https://review.openstack.org/11852018:16
ayoungnkinder, yeah, he does nice work.18:16
ayoungrm_work, let's chat after the Keystone meeting.  I think I can help tweak that a bit18:16
rm_workayoung: ok. I did forget to do the "if Trust doesn't already exist)" part; just fixed it18:18
ayoungrm_work, so, what we really want is "precanned trusts"18:19
rm_workayoung: in a way, yes18:19
ayoungI don't want Barbican, or anyone else, giving me a blank check to sign for them18:19
rm_workthough for security purposes I like that the user has to pass their key to us *at least once* in order for us to make one18:19
ayoungthe trusts should be defined before the user has to execute them18:19
ayoungrm_work, orthogonal to my complaint18:20
nkinderayoung: so user creates trust, passes trust ID to LBaaS18:20
rm_workwell, the other option is "to use our service, please create a trust on your account for this user: <lbaas user>"18:20
rm_workand force the user to do it beforehand18:20
nkinderrm_work: yeah, that's the ideal situation from a security POV18:20
ayoungnkinder, sort of...I was thinking an earlier stage which is "post a template of the trust for the world to review"18:20
bjornar_running in virtualenv with master, I get: keystone.common.wsgi ImportError: No module named MySQLdb18:20
ayoungand then, yes, as you wrote it18:21
nkinderbut, ease-of-use often wins out over security... :(18:21
ayoungrm_work, but there is a keystone meeting now...at 15:00 Eastern (40 minutes) OK?18:21
rm_workyeah, if we could give them a template and all they had to do was say "I accept"... :P18:21
rm_workI'll be around18:21
nkinderbjornar: you pip installed requirements and test-requirements in your virtualenv?18:21
bjornar_nkinder, does not the tools/install_venv.py take care of that?18:22
nkinderbjornar: my workflow is 'virtualenv ./.venv; source ./.venv/bin/activate; pip install -r ./requirements.txt; pip install -r ./test-requirements.txt; pip install -e .'18:23
nkinderbjornar: then ./run-tests.sh18:24
nkinderbjornar: that worked for me with master yesterday18:24
bjornar_hmm.. requirements are installed18:24
nkinderbjornar: you might need some C libs installed for things too18:26
bjornar_Ok.. but does it silently skip?18:26
nkinderbjornar: but you would notice build errors when installing the requirements if that was the case (missing headers, etc.)18:26
nkinderbjornar: it should not silently skip18:26
bjornar_could be I don't have mysql dev files..18:28
bjornar_it's probably sqlalchemy that should provide the mysqldb stuff?18:29
*** lmtaylor1 has joined #openstack-keystone18:30
*** jaosorior has quit IRC18:32
nkinderbjornar: let me see what I usually install on a new dev system...18:34
*** henrynash has quit IRC18:35
*** jaosorior has joined #openstack-keystone18:35
nkinderbjornar: on Fedora, I usually have to install 'libxml-devel libxslt-devel sqlite-devel openldap-devel openssl-devel python-repoze-lru python-virtualenv python-tox'18:35
dstanekbjornar: we don't have mysqldb in our requirements files - you have to add that by hand18:36
nkinderbjornar: that list could be out of date though, as I think that was from the icehouse cycle18:36
*** henrynash has joined #openstack-keystone18:36
dstanekdhellmann: re: the pbr issue - that bug you linked to uses a different setting18:36
bjornar_should perhaps be there18:37
dstanekbjornar: our tests don't currently run on a real database :-(18:37
*** amcrn has quit IRC18:40
openstackgerritSamuel de Medeiros Queiroz proposed a change to openstack/keystone: Improve list role assignments filters performance  https://review.openstack.org/11668218:58
dolphmi should advertise this too if anyone is interested... this is a list of every keystone review, sorted into "may land in RC1 vs blocked until Kilo" https://gist.github.com/dolph/bddbb047f06431f535c6 i probably won't add new patches to the "may land" list19:01
*** joesavak has quit IRC19:01
ayoungrm_work, OK...let me look again19:02
*** amakarov has quit IRC19:02
jamielennoxalso whilst people are here - i don't intend to be at next weeks (or the following 3) meeting - so if you need anything get me this week19:02
*** openstackgerrit has quit IRC19:02
ayoungjamielennox, any last reviews still burning?19:03
ayoungrm_work, OK,  so how about the following changes:19:04
jamielennoxayoung: i've got a few i want to get through, about a 50% pass rate from gate from yesterday :p19:04
ayoungfirst of all, the trust  should not require impersonation19:04
*** henrynash has quit IRC19:04
ayoungjust do the logic based on "user_id or trustor_id" will work in the policy file, though19:04
rm_workayoung: well, the Barbican side requires two things -- that we "look like the user", but also that we have a service-admin role19:04
rm_workwe need to be "the user, with service-admin19:05
rm_work", which the user won't have19:05
ayoungrm_work, nah19:05
jamielennoxayoung: https://review.openstack.org/#/c/118520/ had a conflict and needs to be sent off again, if you put the +2 back i can +A when check finishes19:05
ayoungrm_work, how about this19:05
rm_workayoung: no, seriously, it needs that19:05
ayounguser_id == service_user,  trustor_id == key_owner19:05
rm_workthe "register as a consumer" is not a user operation, it's a management operation19:05
rm_workusers can't do it19:05
ayoungrm_work, that is OK...you can say "this  *must* be done with a trust token only19:05
ayoungand use a policy AND rule for it19:06
rm_workah, hmm... ok19:06
rm_workdo you know what the repose rule looks like for that?19:06
rm_workerr, RBAC19:06
*** aix has quit IRC19:06
ayoungmorganfainberg, btw ^^ is a more elegant solution to your "Composite tokens" BP19:06
ayoungrm_work, mumble mumble  uh yeah19:06
ayoungrm_work, OK,  so lets start with the policy code from Oslo...19:07
rm_workright now it's not especially accurate to what we want, I am afraid -- "19:07
rm_workI am not sure that "rule: admin" is actually correct19:07
ayoungNah, not right now....hold on19:07
nkinderayoung, jamielennox, morganfainberg: can we continue the kerberos plugin discussion here?19:08
ayoungrm_work, http://git.openstack.org/cgit/openstack/keystone/tree/keystone/openstack/common/policy.py#n41219:08
ayoungnkinder, looks like it is going to get kicked to a separate repo19:08
jamielennoxnkinder: sure, so i don't think it is a good idea for ksc to have a dependency on pykerberos,19:08
nkinderif a new repo is needed, we would just create it under the keystone/identity program, right?19:09
ayoungnkinder, yes19:09
nkinderjamielennox: sure, understood19:09
jamielennoxnkinder: it's a C plugin and people will get pissy19:09
ayoungnkinder, and a second one for the Federated auth plugin19:09
nkinderok, so let's just get a repo creation filed against infra19:09
morganfainbergnkinder, we will need to talk to the TC but that could be where it lands, it might need to go stackforge initially.19:09
ayoungso at least 2 new repos19:09
nkinderayoung: ++19:09
rm_workok, so we'd do  "consumers:post": "containers:get and is_using_trust" or something like that?19:09
ayoungrm_work, let me parse that...19:09
nkindermorganfainberg: it shouldn't need to be stackforge, as it's considered within the identity program, right?19:09
jamielennoxayoung: i'll file those19:09
ayoungrm_work, yeah, although if you put in19:10
morganfainbergnkinder, right, we'll just likely need a governance change to get it attributed to our program19:10
rm_workfor reference, "consumer POST" == "container GET" + "admin operation in DB"19:10
jamielennox(unless you've got a start somewhere)19:10
ayoungtrustor_id == key.user_id19:10
morganfainbergnkinder, it's not a hard sell, but as a backup, we can stackforge it19:10
nkindermorganfainberg: ++19:10
ayoungit implies that a trust is in use19:10
jamielennoxmorganfainberg: ask on -infra19:10
ayoungrm_work, let me show you a rule from keystone19:10
nkindermorganfainberg: the repo request puts it under the program IIRC19:11
rm_workok, I am not an expert at policy rules :P19:11
morganfainbergnkinder, there is a yaml change that is also needed19:11
rm_workin fact I know almost nothing about policy.json, i just kinda copied what other things were doing19:11
nkindermorganfainberg: yes, exactly19:11
morganfainbergnkinder, in the governance repo,19:11
ayoungrm_work, so for creating a trust, we can check the data coming in http://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json#n10819:11
ayoungto get a trust...19:11
nkindermorganfainberg: ah, I know what you're referring to19:11
morganfainbergit shouldn't be a big deal19:12
ayoungrm_work,  hmmm http://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json#n10919:12
nkindermorganfainberg: yeah19:12
morganfainbergbut *worst* case if there is balking at it, we go stackforge19:12
ayoungwe used to have something more interesting than that19:12
nkinderayoung: barbican doesn't support much via policy AFAIK19:12
ayoungrm_work, http://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json#n719:12
nkinderayoung: access to secrets is tied to the user ID in the token I believe19:12
nkinderayoung: there is no more flexibility than that19:13
ayoungnkinder, so we have code in keystone you are going to want to grab that fetches an object from the database before enforcing policy19:13
ayoungadmin_or_owner does that19:13
ayoung"(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",19:13
morganfainbergnkinder, ayoung, what is the timeline of getting the new repo spun up, it's not hard to do, just need to plan it. also are we starting from scratch or do we have a repo to base from? in the latter case need to import the code on new repo request19:13
ayoungmorganfainberg, we have a commit in the keystoneclient gerrit that is the basis...19:13
nkindermorganfainberg: ASAP to be honest.  I really am trying to get kerberos to be usable against Juno19:14
morganfainbergayoung, ok, so ideally if that is split into a github repo we can use it as a basis for the new repo19:14
*** dmsimard has joined #openstack-keystone19:14
nkindermorganfainberg: but we don't have a working repo to base it off of19:14
ayoungmorganfainberg, I can do that19:14
rm_workok, so maybe I am not clear on what the "impersonation" part of the "trust with impersonation" does19:14
morganfainbergayoung, :)19:14
ayoungnkinder, I can get one to work19:14
dmsimardHi guys. Bare with me here, trying to find the deprecation notes about XML for Keystone. Is there a blueprint or a specific review for it ?19:14
rm_workthe "trust token" gives you the domain:role combo from the user that you set up the trust with19:14
ayoungnkinder, oooh...so this second repo doesn't need to be gating on python33 to start19:15
nkinderayoung: true...19:15
rm_workand I thought the Impersonation part is what added our service-account's roles to the token as well19:15
morganfainbergayoung, i'm happy to put the reviews up for governance and for infra if you want. if not i'm happy to review the changes19:15
ayoungdmsimard, what are we Baring?  Our Souls?19:15
morganfainbergayoung, py34*19:15
nkinderayoung: you define the jobs when we set up the repo19:15
ayoungmorganfainberg, the python-kerberos stuff right now works Python27 only19:15
ayoungwe are working on the 33 support, but this would take the pressure off19:15
dmsimardayoung: s/bare/bear :)19:16
morganfainbergayoung, i'll make the py34 (33 is going away) an experimental test19:16
ayoungdmsimard, and hear you got me all ready to confess19:16
nkindermorganfainberg: ++19:16
ayoungmorganfainberg, ++19:16
morganfainbergayoung, means you just need to issue an experimental comment in the review and it'll run that check.19:16
ayoungmorganfainberg, OK...I can do that.19:16
dmsimardayoung: So does that mean you know when XML was deprecated/thrown out the window/killed in a fire? :D19:17
morganfainbergthere shall be no bareing of anything in this channel today :P19:17
nkinderrepos are only created on Friday IIRC, so we should get the request filed and reviewed19:17
ayoungdmsimard, it's been a while since we borked XML IIRC19:17
ayoungdmsimard, it has to do with how we marshall19:17
morganfainbergjamielennox, saw the convo. makes it easier19:17
ayoungI know that trusts was broken with XML fairly early on19:17
dmsimardayoung: Trying to reference when the support for XML would've been removed, this third party company has no clue what they're talking about and want to prove them wrong :)19:18
dmsimardI think the last setup they worked against was Folsom or something19:19
ayoungdmsimard, it was never removed, and there are still a slew of tests that check it, but I think there are some APIs that have never been tested against XML19:19
ayoungmorganfainberg, OK, the removal of the Py3* requirement makes my life significantly easier.  I'm all with the new repo thing now.19:20
dmsimardThey're sending a POST to /tokens with an "Accept: application/xml" and they're getting a JSON reply back. They are expecting an XML response.19:21
dolphmmorganfainberg: dstanek: RC1 or kilo? https://review.openstack.org/#/c/113586/19:21
dmsimardv2.0/tokens *19:21
morganfainbergdolphm, i'm fine with that going into K19:21
ayoungrm_work, OK,  the trust policy enforcement code has changed since I last looked at it.  It is more restrictive than it used to be.  But there is a decorator we have that says "fetch the object from the repo first, then apply policy"19:21
dolphmmorganfainberg: any reason to block it for rc1?19:21
morganfainbergdolphm, it's mostly just a "oh this is a bit better than we have now and should prevent the same bug from being re-opened"19:21
* ayoung assumes it is still in the code19:21
morganfainbergdolphm, if it's good to go in, there shouldn't be a reason to prevent it from RC19:22
dolphmmorganfainberg: k19:22
morganfainbergdolphm, it's low on the priority list though, so if we punt that for some other code, it's a good tradeoff19:22
dstanekdolphm: morganfainberg: i agree19:22
ayoungrm_work, I think it is  http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/controller.py#n16119:22
morganfainbergs/other code/other review cycles19:22
rm_workayoung: ok, I am not positive how to translate from "functions in keystone code" to "what does the line in policy.json look like" yet :P19:23
bknudsonmaybe somebody knows this already ... in multi-backends, I assume the assignment table should always have the public ID?19:23
bjornar_someone asked me earlier to try out master (I was looking at keystone api through tcpdump, 68 queries in total to get a token) ... Now I have tried out master... and it's about 5 times slower...19:23
ayoungrm_work, yeah, the code bases are very different.  We have a specific "fetch the thing from the driver" approach that we can generalize on19:23
ayoungrm_work,  here it is http://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/controller.py#n11819:24
ayoungrm_work, and that is specific to the controller....so in the case of the trusts_controller it looks like this:19:24
morganfainbergbjornar_, there is a lot of optimisations we can do, it is absolutely on the long list of things we need to be working on19:25
ayoungI lied19:25
ayoungI think this code has been removed19:25
morganfainbergbjornar_, part of the issue is we have subsystems that you can't make unified queries to, so you need to lookup domain in some cases, and then project, and user (separate couldn't be lumped together)19:25
rm_workayoung: ok... i am still very lost though :)19:26
morganfainbergbjornar_, some of this is a hassle of using an ORM, and the extra work required to clean up that usage and make it better19:26
ayoungrm_work, http://git.openstack.org/cgit/openstack/keystone/tree/keystone/assignment/controllers.py#n35519:26
rm_workI haven't ever looked at the keystone code before, I was hoping digging into the code wouldn't be required to figure out a policy rule :)19:26
rm_workI *can* dig into keystone code, but it will take me a bit to get up to speed, obviously19:27
ayoungrm_work, nah,  forget about the specifics...hear me now and believe me later but understand me next week19:27
bjornar_I used to see ~200ms "token-time", now it's 1200ms and more...19:27
morganfainbergbjornar_, what configuration19:27
bjornar_morganfainberg, mysql, no caches19:27
ayoungrm_work, ok...lets start with your diagram19:27
morganfainbergbjornar_, how many tokens in your token table?19:27
morganfainbergbjornar_, that can actually cause significant slowdowns.19:28
morganfainbergbjornar_, also, deployed under eventlet or apache19:28
ayoungrm_work, I would say that the first change is this:19:28
morganfainbergbjornar_, and UUID tokens or PKI?19:28
bjornar_|    53602 |19:28
ayounguser must generate a key and a trust and send them both to Barbican19:28
morganfainbergeh, 53k isn't bad overall as long as mysql has enough ram.19:29
ayoungrm_work, the token that the user sends to barbican should not have the ability to create a trust on it, but that is a different story19:29
rm_workayoung: alright, i think that is a different argument from what we're talking about19:29
bjornar_no performance problems with mysql19:29
ayounglets assume that the user has removed that ability from their token19:29
rm_workat least, what we were talking about right now?19:29
ayoungand instead, they create the trust.  Then Barbican executes the trust19:29
rm_work*LBaaS executes the trust19:29
morganfainbergbjornar_, is this under eventlet or apache and if under eventlet do you have a lot of queries going to keystone or is it just a token request?19:29
morganfainbergbjornar_, actually even under apache, is keystone under load?19:30
ayoungso, Barbican tells the user "here is the trust you need to create and give to me in order to store your key"19:30
ayoungbasically, delegate to the Barbican service user the "create_key" role19:30
rm_workerrr, again, s/Barbican/LBaaS/ right?19:30
ayoungits all Greek to me19:30
bjornar_no load, nothing19:30
rm_workBarbican in our example is "the other service"19:30
rm_workwe are LBaaS19:31
ayoungLeBarbican as a Service....19:31
rm_workwell, it matters for the diagram :P19:31
bjornar_morganfainberg, this was the only query to keystone at the time.19:31
ayoungEEEt eees fro the Parieee Summit, Non?19:31
morganfainbergbjornar_, ok19:31
bjornar_morganfainberg, and query is from curl, so I have control19:31
morganfainbergbjornar_, well if you had a ton of requests going in and added one more i'm not surprised.19:31
rm_workthis is actually going to hit the mailing-list ASAP19:31
rm_workmight end up being a brown-bag at Paris but that's not the main purpose19:32
rm_workthis is going to drive the code we write in the next few weeks19:32
*** dmsimard has left #openstack-keystone19:32
rm_workwe're at the "actually implement this interaction" stage19:32
ayoungrm_work, what is the Key being used for in this use case?  Access to an encrypted volume?19:33
bjornar_morganfainberg, no, its dev19:33
morganfainbergbjornar_, if you don't mind, can you switch your keystone to use UUID tokens and tell me if it's any faster. 1200ms seems awfully slow.19:33
rm_workayoung: Cert/Key is for TLS Termination on a Load Balancer19:33
bjornar_seems 1200 ms is for special cases, probably during warmup when I don't have connections established..19:33
morganfainbergbjornar_, i've been running a number of things for testing recently and can't remember things taking that long even with tight-loop token issuance19:33
bjornar_morganfainberg, but I keep seeing the ~200ms times, which is _way_ too slow19:33
ayoungrm_work, why "save trust id for later"  in your diagram?19:34
rm_workayoung: there's actually two scenarios, this diagram is the initial one19:34
ayoungwhat is "later" here?19:34
morganfainbergbjornar_, ~200ms is slow, but that is something i can reasonably say we should focus on fixing in K (sorry it's a bit late in J to really get sweeping changes in)19:34
rm_workthe additional scenario is no user interaction -- we need to migrate their load balancer to a different host later because of a failure event or something, we will need to retrieve their cert/key again at some random time without their interaction19:34
morganfainbergbjornar_, under apache (if you're using mod_Wsgi deployment) the first few requests can take a lot longer because mod_Wsgi needs to spin up the child process19:35
bjornar_morganfainberg, I can understand it: At least 2 queries are run 4 times just to get the token, and between every "real" query, it is run: rollback .. commit .. select 119:35
morganfainbergbjornar_, the trade off of the slowness for the spinup initially is fine based on the overall benefit of running under apache19:35
rm_workthe scenario in this diagram is the "initial load balancer setup19:35
morganfainbergbjornar_, the select 1 is a keepalive thing in oslo.db i think19:35
bjornar_so I counted a total of 68 (I think) sql queries to generate a token19:35
morganfainbergbjornar_, so lets ignore that one, we may not have any control on that front directly in keystone19:36
bjornar_morganfainberg, I guess... but does it need to keep it alive every ms?19:36
nkindermorganfainberg, jamielennox: I missed the infra discussion.  Is the plan to go ahead with new repos for kerberos and federation, and that py3* is not going to be a gating job?19:36
bjornar_morganfainberg, if you scroll back some 4-5 hours, you find a pastie.org link19:36
morganfainbergnkinder, correct.19:36
nkindermorganfainberg: awesome19:37
morganfainbergnkinder, it'll be experimental19:37
nkinderjamielennox: are you going to file the repo/governance requests?19:37
morganfainbergnkinder, i'll get to work on this once ayoung has the repo on github split up.19:37
jamielennoxnkinder: i think morganfainberg and i both offered19:37
morganfainbergnkinder, unless jamielennox  wants to do it19:37
nkindermorganfainberg: ah, cool.  Much appreciated!19:37
morganfainbergperfectly happy to let him fight with the config repo to get the data in.19:38
morganfainbergerm s/data/repo19:38
jamielennoxmorganfainberg: i have an infra review that is weeks old and not passing, if it doesn't happen this week i'll still need you to shepherd it19:38
morganfainbergbjornar_, yep see it, that looks *about* right19:39
*** david-lyle has joined #openstack-keystone19:40
*** openstackgerrit has joined #openstack-keystone19:40
morganfainbergbjornar_, looking at the paste19:40
morganfainbergbjornar_, we can *probably* lighten some of that up. i had a patch that aimed to do a lighter weight select when just checking existence of an object in SQL. i'll see about resurrecting it19:41
morganfainbergmay not reduce the queries but may reduce the object housekeeping in-code overhead within SQLA19:41
jamielennoxayoung: do you want to commit the existing kerberos plugin to a new repo (bypass review) or should i submit something empty.19:42
*** csd has quit IRC19:42
ayounghow about empty19:42
ayoungand then we'll do the kerb plugin as the first review still19:42
ayoungtest the workflow19:42
rm_workayoung: did I answer your question? you disappeared for a minute there :P19:43
*** csd has joined #openstack-keystone19:44
bjornar_morganfainberg, here are the timings and complete flow: http://pastebin.com/raw.php?i=ZQMGAK0319:44
*** alee has joined #openstack-keystone19:45
bjornar_morganfainberg, search for "Statement" and jump through the file..19:46
dolphmlbragstad: ttx also suggested we use a juno-rc-potential tag for bugs that are non-blocking nice-to-haves worth tracking. i've moved a couple of the Low bugs from RC1 to that19:46
lbragstaddolphm: cool, good deal19:46
bjornar_morganfainberg, first of all, why do you rollback and commit selects ?19:46
morganfainbergbjornar_, side effect of the session object.19:47
morganfainbergbjornar_, a lot of things are done in transactions in a weird way19:47
rm_workayoung: anyway, if we wanted to make the user do the Trust setup and just pass us the TrustID, we'd need to have them delegate "container:get", "secret:decrypt", and "secret:get", and in "consumers:post" we'd actually just rely on it being a trust?19:47
morganfainbergbjornar_, it's something we can work on cleaning up next cycle19:47
rm_workI'm not sure if relying on "this is a trust" works because they could just set up a trust to some other non-service-admin account, and then would be able to mess with consumers, which we don't want19:48
dolphmlbragstad: these failures look legit btw https://review.openstack.org/#/c/119843/19:48
bjornar_I hope so, because as it is now, it's not something you want to show people ;)19:48
ayoungrm_work, you can also enforce based on trustee_user_id19:48
ayoungso a trust works fine there19:48
rm_workok so19:48
rm_workwhat would the actual line in policy.json look like then?19:48
lbragstaddolphm: saw those, I'll work on respinning19:49
morganfainbergbjornar_, out of curiosity, in uuid tokens how fast is the token issuance compared to pki? still ~200ms?19:49
rm_workayoung: right now it is: "consumers:post": "rule:admin"19:49
*** vhoward has left #openstack-keystone19:49
morganfainbergbjornar_, i'm wondering how much overhead the popen adds.19:49
bjornar_morganfainberg, also, I am wondering about status of: 1) /usr/bin/openssl -> pythonlibssl 2) pki tokens not stored19:49
ayoungrm_work, and rule:admin is what?19:49
morganfainbergbjornar_, popen->sopenssl19:49
bjornar_morganfainberg, its about 10ms19:49
ayoungthat the user has the admin role?19:49
morganfainbergbjornar_, ok good to know19:49
bjornar_but should for sure get rid of it19:49
rm_workbut it'd need to be something like: "consumers:post": "rule:container:get and <something about trustee",19:49
bjornar_because its the 10ms it should answer in :)19:50
ayounghmmmmm that is not going to work.  The token will not have the trustee's role in it19:50
dstanekmorganfainberg: bjornar_: but does popen introduce any sort of blocking behavior?19:50
morganfainbergbjornar_, well that is a different issue, i wont say we can or can't get rid of the popen19:50
rm_workayoung: at the moment yes, but ignore that because i'm 99% sure it's wrong19:50
morganfainbergdstanek, it does.19:50
ayoungon the delegated roles from the trustor19:50
morganfainbergdstanek, or can.19:50
rm_workok, so err19:50
bjornar_also, I have experienced hung openssl procs19:50
morganfainbergdstanek, depends on a lot of things.19:50
ayoungrm_work, you could always require two tokens19:50
ayoungone for the trust and one from the service user itself19:50
ayoungrm_work, there have been requests for that kind of thing19:51
ayoungbut...Ug Lee19:51
rm_workI thought that was the purpose of the Impersonation19:51
bjornar_In fact I have implemented more or less this exact thing using lua and libssl (with mysql backend) .. it manages 20k qps19:51
ayoungrm_work, no...impersonation is not going to help either way here19:51
ayoungbut impersonation is always wrong19:51
bjornar_so I find it amazing that a huge group of people, and amazing people, manage to put this shit together19:52
morganfainbergok i need to go get food.19:52
ayoungrm_work, the two token solution is possible.  They would go in separate headers.  There was some discussion about composite tokens at the last summit, but not sure the status of that req19:53
ayoungrm_work, so an end user can't do this themselves, it must be the combination of end user and service user?19:53
morganfainbergit's long past lunch19:54
bjornar_Will there be any keystone performance specific meetings in paris?19:56
morganfainbergbjornar_, nothing is specifically slated for paris yet19:56
morganfainbergbjornar_, i expect to see some conversations on it at the very least19:56
morganfainbergeven if it's not in a specific dev session19:56
bjornar_would like to eventually join those conversations..19:56
dolphmtopol: i'm getting notifications anytime you add a reviewer to anything19:57
rm_workayoung: yes19:57
rm_workayoung: end user can't do it on their own containers, and we can't read their containers on our own19:57
rm_workayoung: in the end, it is a combination sort of issue19:57
morganfainbergbjornar_, well look for us at the summit! i'm sure we'll discuss it there19:57
rm_workayoung: and I don't know if we can wait on some new keystone feature to be released in Kilo, we need to figure out a way to get this working with keystone v2 <_<19:58
ayoungrm_work, that was the composite token use case, and ...lets see19:58
ayoungrm_work, two tokens19:58
bjornar_I mean.. its a keystone service..19:58
bjornar_it should behave19:58
ayoungone for the admin user, one as a trust token for the end user19:58
topolI did what now?19:58
dolphmtopol: added reviewers to your audit patch19:58
ayoungrm_work, that is a requirement, I think, no matter who creates the trust.  The trust token will only have roles for the end user, not the admin19:59
topoldolphm, is that normal or something special?20:00
dolphmtopol: new to me and i'm now realizing annoying :)20:00
dolphmtopol: especially when you add 8 reviewers at once and i get 8 notifications20:00
*** joesavak has joined #openstack-keystone20:00
topoldolphm, I don't think I did anything to cause this. And I did not personally add reviewers20:01
dolphmtopol: oh, well someone did. i assumed it was you since it was your patch20:01
topoldid stevemar do this perhaps20:01
*** jsavak has joined #openstack-keystone20:01
topoldolphm, stevemar, can someone please get this bus off me?20:02
rm_workayoung: right, but isn't that what the Impersonation piece does? adds the roles from the service-user?20:02
ayoungrm_work, nope20:02
topoldolphm ^20:02
jamielennoxdolphm: need to set the email filters to get rid of that20:02
stevemaroh that was definitely me20:02
dolphmstevemar: thanks.20:02
ayoungrm_work, impersonation would just set the user_id on the token to the end user, not the service user20:02
stevemardolphm, happy to help20:02
*** alee has quit IRC20:03
*** dolphm changes topic to "Review RC1 blockers plzkthx https://gist.github.com/dolph/651c6a1748f69637abd0"20:03
stevemarjokes aside, i thought that adding 'keystone-core' to a patch was OK?20:03
dolphmstevemar: it is20:03
stevemardolphm, then what was wrong?20:03
dolphmstevemar: just don't add all cla-signers20:03
dolphmstevemar: i just got a stream of notifications for each user that was added20:04
jamielennoxmorganfainberg: is it worth setting up ksc-federation at the same time or just do -kerberos for now?20:04
morganfainbergjamielennox, lets not do federation at the same time, we want to preserve history and that is a lot more work20:04
dolphmstevemar: https://review.openstack.org/#/admin/groups/324,members20:04
bknudsonI'm looking at everything in keystone that I can already so no need to add me.20:05
morganfainbergjamielennox, if we didn't care about history, i'd say easy to split it.20:05
*** joesavak has quit IRC20:05
* topol dolphm your apology is accepted :-)20:05
dolphmtopol: you're welcome20:05
stevemarbknudson, so you're saying you are operating at 100% capacity?20:06
bknudsonI give 110%.20:06
stevemartime to upgrade your processor(s)20:06
bknudsonso 100% of 110%.20:07
* lbragstad has dibs on bknudson's old processor20:07
dolphmEVERYONE open this review and click on the Closes-Bug https://review.openstack.org/#/c/120043/ thank you20:09
morganfainbergdolphm, LOLOLOLOL20:09
gyeelooks like https://review.openstack.org/#/c/58372/ is a dupe of mine https://review.openstack.org/#/c/117658/20:09
bknudsontoo much whitespace to catch the fish20:11
gyeesince https://review.openstack.org/#/c/117658/ is much further along, I'd say abandon the other one20:11
dolphmgyee: clean up the bugs first20:11
gyeedolphm, let me link that bug too20:11
stevemargood ol fishing bugs20:12
dolphmgyee: there's 3 different bug reports there. if your patch fixes the third bug, or if the third bug is a dupe of one of the others - that needs to be cleaned up first20:12
bknudsondolphm: I hope that's targeted to rc1... need to catch fish20:12
topoldolphm, Bug #1348263  I dont get it. whats the joke?20:13
uvirtbotLaunchpad bug 1348263 in toontowninfinite "Lag is affecting fishing. BADLY" [Undecided,New] https://launchpad.net/bugs/134826320:13
stevemari kinda want to subscribe to that bug20:13
stevemartopol, click it20:13
topolI did its some poem about fishing20:13
dolphmstevemar: you should be like "we have a fix for this here..."20:14
stevemardolphm, haha20:14
gyeedolphm, https://bugs.launchpad.net/keystone/+bug/1254849 is a dupe of https://bugs.launchpad.net/keystone/+bug/136130620:14
uvirtbotLaunchpad bug 1254849 in keystone "Wrong LDAP attribute used in user response bodies" [Medium,In progress]20:14
dolphmstevemar: maybe they can cherry pick it?20:14
morganfainbergdolphm, too bad the launchpad bot is too smart to stick the "patch proposed to master" on that bug >.>20:14
* topol so lost... why is this funny.20:15
dolphmgyee: are you marking them as such?20:15
gyeethey are essentially describing the same problem, one is more AD centric and the other is more generic20:15
dolphmtopol: we finally fixed the fishing lag, duh20:15
gyeedolphm, doing it now20:15
dolphmgyee: thanks20:15
stevemartopol, the author referenced the wrong bug, the bug he referenced is a bug in a game called 'toon town infinite' apparently20:15
dolphmgyee: that's one more off the RC list :)20:15
gyeedolphm, :)20:15
bknudsonI always blame the lag when I can't catch fish20:15
topolgod I'm old20:15
ayoungtopol, I'm Young, but we are the same Age.20:16
morganfainbergayoung, no you're A Young.20:16
* morganfainberg sees himself out20:16
ayoungmorganfainberg, what happend with composite tokens?20:16
dolphmbknudson: https://www.youtube.com/watch?v=_fNp37zFn9Q20:16
dolphmliving with lag IRL ^20:16
morganfainbergayoung, it's pending; it's a middleware bp20:16
stevemardolphm, that's great!20:17
morganfainbergayoung, https://review.openstack.org/#/c/108384/20:17
samuelmzdolphm, are bug fixes and refactoring being blocked until we open for Kilo development?20:18
dolphmsamuelmz: refactoring is mostly being blocked, yes20:18
samuelmzdolphm, or we're blocking only patches that introduce new features?20:18
samuelmzdolphm, ok20:18
dolphmsamuelmz: list of blocked patches is at the bottom here https://gist.github.com/dolph/bddbb047f06431f535c620:18
*** dims_ has quit IRC20:18
dolphmsamuelmz: anything deemed "risky" for stability is held until kilo20:19
*** dims_ has joined #openstack-keystone20:19
samuelmzdolphm, thanks20:19
dolphmsamuelmz: so yeah, new features, non-trivial refactors, even complex bug fixes that aren't high priority20:19
gyeedolphm, stupid question, how do I close the bug as duplicate?20:20
stevemargyee, you just mark it20:20
samuelmzdolphm, fair enough, I was asking because I have a refactoring blocked (https://review.openstack.org/#/c/116682/)20:20
dolphmgyee: Ctrl+F "Mark as Duplicate"20:20
*** topol has quit IRC20:20
stevemardolphm, what was the outcome of the 'add id's to endpoints' bug?20:20
dolphmsamuelmz: yeah, that fell into my non-trivial refactor bucket :-/ looks super intriguing though!20:21
dolphmstevemar: ignoring for juno20:21
gyeestevemar, secrete to secret? :)20:22
stevemargyee, i guess so, someone wanted that in20:23
gyeeMy international version of MS Office said secrete is correct20:23
dolphmgyee: -1!20:23
dolphmgyee: secrete is a word, it's just not the one people assume it is20:23
stevemarsecrete is a word20:23
*** dims_ has quit IRC20:23
stevemari thought it was supposed to be funny, like your password is secreting20:23
dolphmwe do it for security, secret is too easy to guess20:23
bjornar_gyee, the most frightening is that you are in possession of MS Office20:24
dolphmbjornar_: ++20:24
samuelmzdolphm, we depend on this patch (currently on master branch) to efficiently implement list role assignments in the context of hierarchical projects (feature/hierarchical-multitenancy branch)20:24
rm_workayoung: sorry, got pulled away for a few20:24
samuelmzdolphm, so we have 2 options : 1) put this patch on feature/hierarchical-multitenancy branch20:24
dolphmsamuelmz: that should land in both branches then -- master in kilo and feature/hierarchical-multitenancy20:24
rm_workayoung: so, I am trying to chart out exactly what the trust does versus what impersonation does20:24
gyeebjornar_, I only use it on Wednesdays20:25
samuelmzdolphm, yes .. :-)20:25
*** mikedillion has quit IRC20:25
samuelmzdolphm, thanks20:25
ayoungrm_work, impersonation is a factor of a trust that says "change the user_id on the token to be the truess Id"  that is all20:25
ayoungand don't do it20:25
ayoungjust forget that it exists20:25
rm_workok, so it does nothing whatsoever with roles?20:25
ayoungits only there for a Swift use case that doesn't even really need it anymore20:26
dolphmrm_work: correct20:26
rm_workmy original understanding was that it did THAT, but also combined the roles of the two accounts in some way20:26
ayoungno effect on roles20:26
rm_workhmm ok20:26
ayoungrm_work, 2 tokens20:26
rm_workso that's "proposed functionality" or existing?20:26
ayoungtwo tokens?  It's what I am proposing you do20:26
ayoungthe composite token idea has not been implemented yet20:27
ayoungand I don't know that you really need it20:27
bjornar_what is it for?20:27
bjornar_added complexity only?20:27
ayoungyou send X-Auth-Token with the users trust token, and X-Subject-Token with the service users token20:27
gyeeayoung, https://review.openstack.org/#/c/108384/20:27
bjornar_heat stuff?20:28
ayoungrm_work, see https://review.openstack.org/#/c/108384/20:28
gyeebjornar_, you mean what composite tokens are for?20:28
bjornar_gyee, no, MS Office20:28
gyeeuse case is specified in the spec20:28
rm_workayoung: ok, and RBAC middleware supports dealing with this already?20:29
*** stevelle_ has joined #openstack-keystone20:29
ayoungMS office is used for obfuscating documents and tying you to a vicious upgrade cycle of planned obsolescence and vendor lock in20:29
ayoungrm_work, it will once that one is approved/  Let me look at it now20:29
ayoungits a +609 line change  so  ...20:29
ayoungwill take a bit to review20:30
ayoungmostly it is documentation and tests, though20:30
rm_workayoung: this review is the COMPOSITE token thing, which is different from two token thing? or that is the two token thing20:30
ayoungrm_work, two tokens replaced composite, it looks like20:30
bjornar_Where is the document (is there any), describing the difference between the main and admin proc, and does it need to be a admin proc?20:31
*** henrynash has joined #openstack-keystone20:31
ayoungrm_work, I'd forgotten that we had agreed to that20:31
rm_workayoung: ok, so, even if this is approved, it won't be in until Kilo, right? since we have passed the feature freeze date?20:31
ayoungit will be in Juno20:31
ayoungits in the middleware code, that has a different release cycle20:32
gyeeits a middleware thingy so different release cycle20:32
rm_workayoung: ah, ok20:32
rm_workbut, to use it, people need to be running keystone v3?20:32
rm_workor again, not related20:32
rm_workah, not related i guess20:32
ayoungrm_work, there is no Keystone V320:32
ayoungThere is V3 of the identity API, but that is supported by Keystone now20:33
dstanekdhellmann: i just put up a patch to show a possible solution20:33
rm_workso Identity-v2 vs. Identity-v3 is all just Keystone-v2 anyway20:33
rm_workjust "Keystone20:33
rm_workKeystone provides Identity_v2 and Identity_v320:34
rm_workso I guess what I meant was "this is not related to identity v2 or v3"20:34
rm_workayoung: that is ... more correct?20:34
ayoungrm_work, this will work regardless of v2 or v3 tokens20:35
*** dims_ has joined #openstack-keystone20:35
rm_workthat's all I needed to know then20:35
rm_workso, assuming this goes in, it'll look like....20:35
rm_workerr, well, give me a sec to update this diagram20:35
*** radez is now known as radez_g0n320:37
*** fifieldt_ has quit IRC20:38
bjornar_once again, admin proc vs main proc, what are the differences, and where can I read up?20:39
*** lmtaylor1 has left #openstack-keystone20:41
*** stevelle_ has left #openstack-keystone20:42
rm_workayoung / nkinder: http://goo.gl/6MlhHS20:43
rm_workayoung: updated to move the Trust creation to the User's scope, and to indicate we use TWO tokens for the "Register as Consumer" step20:44
gyeebjornar_, https://github.com/openstack/keystone/blob/master/etc/keystone-paste.ini#L10520:44
bjornar_so apiv3 does not have separate apis?20:45
gyeenope, Keystone v3 has no admin/public separation20:46
bjornar_that's nice20:46
rm_workgyee: apparently there is no Keystone v3 :P20:46
rm_workgyee: ayoung just told me, lol20:46
rm_workI think it's a terminology issue <_<20:47
rm_workbut as someone new to this it is very confusing20:47
bjornar_but once again.. what is admin api used for?20:47
*** gordc has joined #openstack-keystone20:47
*** andreaf has quit IRC20:48
*** dolphm has left #openstack-keystone20:49
bjornar_are all components api-v3 compatible in master now?20:50
*** fifieldt_ has joined #openstack-keystone20:50
gyeebjornar_, that's a historic thing20:52
gyeeKeystone v2 and prior, admin APIs are mostly extensions20:52
bjornar_I see some services are using it..20:52
gyeeservice using it and API extension are two different things20:54
bjornar_yes... but20:55
gyee"identity management" is one of those things that Keystone can't quite get a good grasp on20:55
bjornar_I see, for example nova list:20:56
*** jasondotstar has quit IRC20:56
gyeeidentity management requirements are different, depending on the vendor and industry20:57
gyeesome require PII protection, some may not, some require life cycle management, some may not20:58
Morgan_gyee: it would be too easy otherwise.20:58
gyeeright, point is, we never quite agree on what is identity management, so opted for the minimum :)20:59
gyeeand hence, integration/federation as the easy way out21:00
bjornar_but again: does all (nova,neutron,glance,cinder,ceilometer,heat) support v3 api now? (juno/master)?21:00
*** marcoemorais has quit IRC21:01
gyeebjornar_, yes, most services support v3 api now21:01
*** marcoemorais has joined #openstack-keystone21:01
Morgan_bjornar_: most of the services don't care what keystone API is used. The middleware is the important part. If it translates the data in a way the services can read it will work.21:01
bjornar_I dont care if trove does not support..21:01
bjornar_admin_auth_url ...21:01
gyeebjornar_, there are still a couple of loose ends to tie21:02
*** jaosorior has quit IRC21:02
Morgan_gyee: and the whole role policy thing.21:02
gyeeyes, that policy thing too21:02
gyeebut policy is customizable21:03
Morgan_Nova seems to handle non matching projects decently. At least a sane error for domain scoped tokens21:03
Morgan_Policy is a big bit of tech debt we have across openstack.21:04
gyeeMorgan_, oh, get implemented match any for oslo policy?21:04
Morgan_gyee: nope no changes needed. It says something like "project doesn't match context"21:04
gyeek, cryptic error, but works :)21:05
Morgan_Yeah. Going to submit a doc change to nova (this week I hope)21:05
Morgan_Just to cover our bases21:05
openstackgerritAaron Rosen proposed a change to openstack/python-keystoneclient: Sync with latest oslo-incubator  https://review.openstack.org/11945121:06
bjornar_So you guys know the best.. What services can I deploy now with only v3 keystone api enabled21:06
*** gordc has quit IRC21:08
gyeebjornar_, none, till we fix this last one, https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token.py#L104421:08
gyeeso you'll have to run both v2 and v3 for now21:09
gyeetill we close the loop on these21:09
gyeeI think there's a patch pending on the keystonemiddleware side already21:10
gyeeif not, I'll work on it21:10
bjornar_is this juno ready, then?21:10
dstanekdobson: what do you think about my comment here https://review.openstack.org/#/c/110904/ on aug 8th?21:10
gyeebjornar_, keystonemiddleware is on a different release cycle21:11
gyeeit is released on-demand21:11
dstanekhmmmm...no dolphm?21:11
openstackgerritSamuel de Medeiros Queiroz proposed a change to openstack/keystone: Improve list role assignments filters performance  https://review.openstack.org/11668221:11
dstaneksorry dobson! mistype21:11
Morgan_dstanek: a real concern21:12
Morgan_dstanek: table scans suck.21:12
dstanekMorgan_: if the table is small and static it could be OK, but i hate to advertise a feature that could significantly slow down someone's cloud21:13
Morgan_I def want to see stuff like that cleaned up for kilo. But I'd hope that table isn't too bad (a few hundred rows to few thousand wouldn't be the end of the world)21:13
dstanekis that call admin only?21:14
*** meker12 has joined #openstack-keystone21:15
*** topol has joined #openstack-keystone21:15
dstanekMorgan_: what's up with the new name?21:15
Morgan_dstanek: on my phone at a coffee shop for lunch21:15
Morgan_This is through irc cloud21:15
Morgan_dstanek: if that call is admin only I'm much less worried about the code btw.21:16
*** gordc has joined #openstack-keystone21:18
dstanekMorgan_: yeah, that's why I asked :-) otherwise it could be a real easy way to get DOSed21:18
dstanekMorgan_: how do you like irc cloud? i looked a while back, but decided not to try. do they still have a free tier?21:19
Morgan_If it isn't admin only let's punt to kilo saying we need to address dos issues. Even if it is admin only, maybe punt21:19
*** dims__ has joined #openstack-keystone21:19
Morgan_dstanek: yep. But you can't stay connected for more than 2hrs idle after the first 7days21:20
Morgan_So it's good in a pinch just not for everyday use unless you pay21:20
*** dims__ has quit IRC21:20
*** dims__ has joined #openstack-keystone21:21
dstaneki'll probably stick with my combo of weechat and androirc21:22
*** dims_ has quit IRC21:23
Morgan_I don't see weechat for iOS.21:23
Morgan_Or I'd move to it.21:24
rm_workayoung: talked to our other project members, and while I know it isn't ideal from Keystone's perspective (and probably from a security purist's perspective) we're probably going to stick with something more like the original design, in which LBaaS creates the Trust using the Token the user sent in: http://goo.gl/uXKyjs21:24
*** dims__ has quit IRC21:25
dstanekMorgan_: androirc is pretty good on my android, but i'd love to find something better21:25
*** jsavak has quit IRC21:28
rm_workdstanek: I use AndChat, it works well, HoloIRC looked good but i had an issue where messages just *didn't show up* from some users in some cases (still no idea WTF) so I stopped using it21:29
rm_workbut maybe it is better now? :/ it definitely looked slick21:29
rm_workAndroIRC was my least favorite, I think <_<21:30
*** TheDodd has joined #openstack-keystone21:33
*** TheDodd has quit IRC21:39
*** amcrn has joined #openstack-keystone21:39
*** joesavak has joined #openstack-keystone21:39
*** dims_ has joined #openstack-keystone21:39
*** jsavak has joined #openstack-keystone21:40
*** dolphm has joined #openstack-keystone21:43
*** ChanServ sets mode: +o dolphm21:43
*** joesavak has quit IRC21:44
*** dims_ has quit IRC21:45
*** dims_ has joined #openstack-keystone21:45
*** aix has joined #openstack-keystone21:46
*** henrynash has quit IRC21:49
samuelmzdolphm, thanks for your comment on 'Making KvsInheritanceTests use backend KVS' (https://review.openstack.org/#/c/118466/)21:51
samuelmzdolphm, I just replied21:52
dolphmsamuelmz: your reasoning is testing a backwards compatibility for legacy configurations though21:52
dolphmsamuelmz: if you want to test KVS assignments, i don't see why you shouldn't explicitly set the assignments driver to KVS21:53
samuelmzdolphm, so if I want to test kvs assignment with kvs identity I should set both drivers.. even if kvs identity loads kvs assig by default21:55
dolphmsamuelmz: yeah, if you want to test both, definitely set both explicitly. that backwards compatibility over a year old, and i could see it being dropped soon. then we'll be back to testing the wrong driver :(21:56
dolphmis* over21:56
*** jsavak has quit IRC21:56
*** topol has quit IRC21:56
bknudsonsamuelmz: in the near future the assignment driver won't get its class from the identity driver.21:56
*** joesavak has joined #openstack-keystone21:57
samuelmzdolphm, bknudson, I got it :)21:57
dolphmsamuelmz: i knew there was more to that patch than i suspected :) thanks for clarifying21:57
samuelmzdolphm, bknudson, in this case, soon we'd be testing kvs identity with <something> assignment21:58
bknudsonprobably sql21:58
morganfainbergdstanek, responded to your comment about admin-only21:58
dolphmhttps://review.openstack.org/#/c/110904/ ^ dstanek21:58
samuelmzdolphm, changing to explicitly set the assignment driver .. even if we're about to drop the kvs backend21:59
samuelmzdolphm, just to make things work as they are supposed to :-)21:59
*** jsavak has joined #openstack-keystone22:00
*** stevemar has quit IRC22:01
*** nkinder has quit IRC22:02
*** joesavak has quit IRC22:05
ayoungrm_work, that does not solve your problem22:05
ayoungthe trust token will not have the admin privs on it22:05
jamielennoxmorganfainberg, ayoung: https://review.openstack.org/120261 - i don't know any way to test it other than letting the gate do its job so let me know if you see a problem22:06
ayoungas far as LBaaS creating a trust, yeah, that sucks, but do what you feel best.22:06
morganfainbergjamielennox, pretty much22:07
morganfainbergjamielennox, need to let the gate do its thing22:07
*** bknudson has quit IRC22:08
ayoungjamielennox, good start22:08
morganfainbergjamielennox, ayoung, are we not sourcing from github?22:10
[22:10] <jamielennox> morganfainberg: i could throw together a cookie cutter base repo, but i figured we could just as easily do that in review
[22:10] <ayoung> morganfainberg, I was still pulling the code together.
[22:10] <jamielennox> putting the base plugin into github and bringing it in that way is a bit like cheating
[22:11] <morganfainberg> dolphm, dstanek, if the admin-only concern on the list_services filter by name
[22:11] <morganfainberg> dolphm, dstanek, i'm good to press go on it
[22:11] <openstackgerrit> Samuel de Medeiros Queiroz proposed a change to openstack/keystone: Making KvsInheritanceTests use backend KVS  https://review.openstack.org/118466
[22:11] <samuelmz> dolphm, ^
[22:13] <rm_work> ayoung: yeah, note I also ported over the part where we use *both* tokens to do the Container Registration
[22:13] <rm_work> LBaaS->Barbican: Register as a Consumer on ContainerID
[22:13] <jamielennox> ayoung, dolphm: this had a previous +A and needed rebasing: https://review.openstack.org/#/c/119261/
[22:13] <rm_work> note right of LBaaS: using Trust Token *and* LBaaS Token
[22:13] <rm_work> ayoung: ^^ which is the CR you linked me, right?
[22:14] <rm_work> ayoung: so, next steps are: wait for that CR to make it through, and then update Barbican's middleware code, and then fix the rule in policy.json in Barbican to check for the right things
[22:14] <rm_work> ayoung: right?
[22:15] <rm_work> still need to figure out what "the right things" to check for are though, but I'll get there
[22:15] *** sigmavirus24 is now known as sigmavirus24_awa
[22:15] <rm_work> I guess I will just have to stall that one piece until that stuff makes it in
[22:16] *** ayoung has quit IRC
[22:16] *** bjornar_ has quit IRC
[22:17] <jamielennox> morganfainberg: can you look at https://review.openstack.org/#/c/116757/ and https://review.openstack.org/#/c/116760/ - same sides of the same problem which means HEAD keystonemiddleware tests won't pass with HEAD keystoneclient
[22:17] <jamielennox> two sides of the same problem
[22:17] <morganfainberg> jamielennox, in a couple will look
[22:17] <jamielennox> morganfainberg: no problem - sharing things around
[22:30] *** jorge_munoz has quit IRC
[22:31] *** jsavak has quit IRC
[22:32] *** gordc has quit IRC
[22:34] *** joesavak has joined #openstack-keystone
[22:38] <jamielennox> gyee: can you look over https://review.openstack.org/#/c/117709/ when you get a minute
[22:39] <gyee> jamielennox, sure, I am in review mode
[22:39] <jamielennox> gyee: in that case...
[22:39] <gyee> uh oh
[22:40] <jamielennox> there's the two i was trying to give to morgan https://review.openstack.org/#/c/116757/ and https://review.openstack.org/#/c/116760/
[22:40] <jamielennox> gyee: none of these are hard yet
[22:40] <jamielennox> gyee: mostly i'm just trying to clear up the easy ones that have sat unreviewed
[22:40] <jamielennox> gyee: if i can do that then i'll try and get people to tackle the ones with actual new features tomorrow
[22:41] *** joesavak has quit IRC
[22:41] <gyee> yeah, those look like no-brainers
[22:41] <jamielennox> https://review.openstack.org/#/c/119261/ has had a previous +A but needed a small fix
[22:42] *** dims_ has quit IRC
[22:43] *** dims_ has joined #openstack-keystone
[22:45] <openstackgerrit> Morgan Fainberg proposed a change to openstack/keystone: Document mod_wsgi doesn't support chunked encoding  https://review.openstack.org/120274
[22:47] *** dims_ has quit IRC
[22:47] <openstackgerrit> Morgan Fainberg proposed a change to openstack/keystone: Document mod_wsgi doesn't support chunked encoding  https://review.openstack.org/120274
[22:49] *** dims_ has joined #openstack-keystone
[22:52] *** amerine has joined #openstack-keystone
[22:57] <morganfainberg> jamielennox, +2 on both of the ones you pointed me at
[22:57] <jamielennox> morganfainberg: thanks
[22:57] <dolphm> gyee: you're on a roll :)
[22:58] <gyee> dolphm, I am in review mode today
[23:00] *** dims_ has quit IRC
[23:00] *** dims_ has joined #openstack-keystone
[23:00] <dolphm> gyee: thanks :)
[23:05] *** dims_ has quit IRC
[23:09] <dolphm> just had a heart attack: git status -> oh shit all my changes are gone?! -> pwd -> wtf?! -> ls -> ?! oh i'm in the same repo on the same cwd in two terminals on two different hosts
[23:11] <gyee> need color-coded prompts :)
[23:15] *** david-lyle has quit IRC
[23:17] *** gordc has joined #openstack-keystone
[23:18] *** nkinder has joined #openstack-keystone
[23:19] *** ncoghlan has joined #openstack-keystone
[23:28] *** ayoung has joined #openstack-keystone
[23:34] *** david-lyle has joined #openstack-keystone
[23:40] *** zzzeek has quit IRC
[23:49] <openstackgerrit> Samuel de Medeiros Queiroz proposed a change to openstack/keystone: Fix return from list role assignments on KVS  https://review.openstack.org/118482
[23:51] <samuelmz> dolphm, ^ related to those bugs of inheritance and kvs backend
[23:57] *** samuelmz is now known as samuelmz-zzz
[23:58] <jamielennox> gyee: still reviewing?
[23:59] *** oomichi has joined #openstack-keystone

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!