Friday, 2014-09-19

*** soulxu__ is now known as alex_xu00:00
morganfainbergdstanek, stevemar, bknudson, ayoung-DadMode, gyee, henrynash, ^ the patch from monty, that code is copy/pasta around a lot of places. we might want to get that into the client... but I'm not sure of jamielennox's grand plan.00:01
*** rodrigods_ has joined #openstack-keystone00:02
*** morgan_remote_ has quit IRC00:10
*** rwsu has quit IRC00:11
lbragstadanyone have any objections if I kick https://review.openstack.org/#/c/122484/1 through?00:15
lbragstador were we waiting on an A+ for a specific reason?00:15
morganfainberglbragstad, i think we were waiting on jenkins00:16
morganfainberglbragstad, ^ also see above comment re: ksc and copy/paste code00:16
*** rodrigods_ has quit IRC00:16
morganfainbergi'm sure jamielennox had some of that thought out, just not sure what the answer is.00:17
lbragstadmorganfainberg: sounds good, looks like https://review.openstack.org/#/c/122484/1 has passed Jenkins, so I can A+00:19
morganfainberglbragstad, sure +A that.00:19
lbragstadI tested it, seems to work00:19
*** zzzeek has joined #openstack-keystone00:19
*** henrynash has quit IRC00:20
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/11625500:21
bknudsonI had to do keystoneclient manually00:21
lbragstadmorganfainberg: does nova allow you to specify the number of workers in the config?00:21
*** rodrigods_ has joined #openstack-keystone00:22
lbragstador does it always calculate the number of workers based on the system cpu?00:22
*** stevemar has quit IRC00:23
*** stevemar has joined #openstack-keystone00:23
bknudsonmorganfainberg: jamielennox was working on something for that already00:23
bknudsonmorganfainberg: working on a way to build the client from config for example00:24
bknudsonlet me see if I can find it.00:24
morganfainbergbknudson, right. but it seems to only cover part of that code (what is currently in the codebase)00:24
*** ayoung-DadMode has quit IRC00:25
bknudsonmorganfainberg: I will admit that some things seem to be missing from the sessions code, but this seems to be going a different direction00:25
bknudsonI'm just thinking of the look on jamielennox's face if he comes back and it's all rewritten00:26
morganfainbergbknudson, this is mostly centralizing the copy/pasted code in other code bases00:26
*** rwsu has joined #openstack-keystone00:27
lbragstadhappy wedding!! welcome back!00:27
bknudsonmorganfainberg: I think he's got factory function for creating an auth plugin from arguments00:27
bknudsonand he's also got code to do version discovery.00:28
morganfainbergbknudson, yeah i'm trying to figure out how to use the factory stuff and the load from config instead of this.00:28
morganfainbergbknudson, i'll circle back on it when i get back from the gym.00:28
morganfainbergmight have a clearer head then, and easier to read code.00:28
*** jasonsb has quit IRC00:33
*** arborism has quit IRC00:33
morganfainberglbragstad, the patch you approved (processutils) the subsequent patch in the chain is the important one, if you don't mind taking a gander at it00:35
morganfainberglbragstad, yes nova allows it00:40
lbragstadyeah, that was the one I was looking at00:41
lbragstadgotcha, I was just generating the nova.conf00:41
morganfainbergah00:41
*** zzzeek has quit IRC00:41
*** dims_ has joined #openstack-keystone00:46
morganfainbergbknudson, lbragstad, https://review.openstack.org/#/c/122367/ should get through the gate before the proposal bot's change. we can try and land it (provided it doesn't fail gate) for the release.00:46
morganfainbergs/gate/check00:46
*** diegows has quit IRC00:48
*** rodrigods_ has quit IRC00:52
*** dims_ has quit IRC00:57
*** cjellick has quit IRC01:00
*** jasonsb has joined #openstack-keystone01:03
*** jasonsb has quit IRC01:09
*** rodrigods_ has joined #openstack-keystone01:11
*** ayoung has joined #openstack-keystone01:15
*** rodrigods_ has quit IRC01:17
*** charz has joined #openstack-keystone01:23
*** _cjones_ has quit IRC01:26
*** _cjones_ has joined #openstack-keystone01:27
*** _cjones_ has quit IRC01:31
*** achampion has quit IRC01:36
*** achampion has joined #openstack-keystone01:36
*** dims has joined #openstack-keystone01:38
*** rodrigods_ has joined #openstack-keystone01:39
*** marcoemorais has quit IRC01:40
*** ctracey_ is now known as ctracey01:41
*** bobt has quit IRC01:42
*** achampio1 has joined #openstack-keystone01:47
*** achampion has quit IRC01:50
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Refactor extract class for signing directory  https://review.openstack.org/12228101:51
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Refactor extract class for signing directory  https://review.openstack.org/12228101:53
*** rwsu has quit IRC01:56
ayoungmorganfainberg, I'll look.  I think I have a pretty good grasp of Jamie's plans02:05
*** rwsu has joined #openstack-keystone02:09
*** rwsu has quit IRC02:11
*** dims has quit IRC02:20
*** dims has joined #openstack-keystone02:21
*** dims has quit IRC02:25
*** rwsu has joined #openstack-keystone02:27
*** topol has joined #openstack-keystone02:28
*** rodrigods_ has quit IRC02:29
*** harlowja is now known as harlowja_away02:29
*** jasonsb has joined #openstack-keystone02:39
openstackgerritA change was merged to openstack/keystone: Add the processutils from oslo-incubator.  https://review.openstack.org/12248402:42
openstackgerritA change was merged to openstack/keystone: Safer check for enabled in trusts  https://review.openstack.org/12059202:43
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Remove unused cache functions from token.core  https://review.openstack.org/11967902:46
*** alex_xu has quit IRC03:02
*** alex_xu has joined #openstack-keystone03:07
*** rushiagr_away is now known as rushiagr03:23
*** gyee has quit IRC03:25
*** vdreamarkitex has quit IRC03:32
*** r1chardj0n3s is now known as r1chardj0n3s_afk03:37
*** topol has quit IRC03:41
*** rushiagr is now known as rushiagr_away03:47
*** KanagarajM has joined #openstack-keystone03:54
*** r1chardj0n3s_afk is now known as r1chardj0n3s04:20
openstackgerritA change was merged to openstack/keystone: Set the default number of workers when running under eventlet  https://review.openstack.org/12248504:31
*** nkinder has quit IRC04:52
*** wanghong has quit IRC04:53
*** nkinder has joined #openstack-keystone04:53
*** achampion has joined #openstack-keystone05:04
*** rushiagr_away is now known as rushiagr05:06
*** achampio1 has quit IRC05:07
*** wanghong has joined #openstack-keystone05:09
*** ajayaa has joined #openstack-keystone05:13
*** achampion has quit IRC05:34
*** Daviey has quit IRC05:54
*** Tahmina has joined #openstack-keystone05:59
*** achampion has joined #openstack-keystone06:05
*** rushiagr is now known as rushiagr_away06:11
*** rushiagr_away is now known as rushiagr06:16
*** k4n0 has joined #openstack-keystone06:29
*** henrynash has joined #openstack-keystone06:30
*** lufix has joined #openstack-keystone06:30
*** afazekas has quit IRC06:31
*** afazekas has joined #openstack-keystone06:35
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/12069506:36
*** henrynash has quit IRC06:39
*** turul_ has joined #openstack-keystone06:44
*** stevemar has quit IRC06:59
*** andreaf has joined #openstack-keystone07:04
*** meker12_ has quit IRC07:13
*** meker12 has joined #openstack-keystone07:13
*** meker12 has quit IRC07:17
*** BAKfr has joined #openstack-keystone07:25
*** garcianavalon has joined #openstack-keystone07:28
openstackgerritA change was merged to openstack/keystone: Updated from global requirements  https://review.openstack.org/11162007:30
*** r1chardj0n3s is now known as r1chardj0n3s_afk07:31
openstackgerritMarek Denis proposed a change to openstack/keystone: Add info about pysaml2 into federation docs.  https://review.openstack.org/12243307:36
*** achampion has quit IRC07:41
*** Daviey has joined #openstack-keystone07:53
*** henrynash has joined #openstack-keystone08:01
*** haggan has joined #openstack-keystone08:10
hagganHej08:10
hagganIs there any smart way to create local linux accounts in an instance with information from keystone08:11
hagganI would like to create a Virtual loginnode for a project where the local unix accounts have the same name as the username in Keystone08:11
*** f13o has joined #openstack-keystone08:18
*** f13o has quit IRC08:27
marekd haggan I think it's more about scripting and reading data from your backend.08:53
*** amakarov_away is now known as amakarov09:11
*** achampion has joined #openstack-keystone09:12
*** vdreamarkitex has joined #openstack-keystone09:30
*** Sharath_ has joined #openstack-keystone09:42
Sharath_Hi, I am new to keystone openstack, I am interested to learn and contribute. I have started looking at the code; can anybody explain any one flow of keystone, Ex: token-get?09:44
*** aix has joined #openstack-keystone09:54
Sharath_Hi Larw10:02
Sharath_Lars *10:02
*** Sharath_ has left #openstack-keystone10:06
*** bjornar has joined #openstack-keystone10:15
bjornar  return o[0](self, self.expr, op, *(other + o[1:]), **kwargs)10:15
bjornar/site-packages/sqlalchemy/sql/default_comparator.py:35: SAWarning: The IN-predicate on "assignment.actor_id" was invoked with an empty sequence. This results in a contradiction, which nonetheless can be expensive to evaluate.  Consider alternative strategies for improved performance.10:16
bjornar  return o[0](self, self.expr, op, *(other + o[1:]), **kwargs)10:16
hagganmarekd: Yes I so either fixing a cloud-init script on keystone host and send with user-data to instance? or open keystone api on host and get the info that way?10:19
*** diegows has joined #openstack-keystone10:27
marekdhaggan: I don't know what and when exactly you want to do :-) I just answered that you can dig directly in keystone's backend. Another idea is to list all users through keystone api and based on that create accounts, but I don't know how to deal with the passwords.10:28
marekdonce you have your code and it works from hand you can inject it into cloud-init, or puppetize it or use chef.10:29
marekdmhu: thanks for openstackclient patches, i am reading them now :)10:30
mhumarekd, yw, I hope we can get this merged soon10:35
marekdmhu: me too.10:36
marekdmhu: i had to hack osc to make it work for my federation test purposes.10:36
marekdbut i can now boot machines with my federated tokens :-)10:36
marekdok, gotta go for lunch.10:37
mhumarekd, that's pretty cool :) it'd be nice also to have python-keystoneclient tagged soon so the scoped saml auth plugin is available10:37
mhuyou can't do much yet with the unscoped plugin (but the auth works)10:37
marekdmhu: ++10:37
*** andreaf has quit IRC10:46
*** andreaf has joined #openstack-keystone10:46
*** alex_xu has quit IRC11:00
*** dims has joined #openstack-keystone11:08
openstackgerritA change was merged to openstack/keystone: Update man pages  https://review.openstack.org/11988811:10
*** rushiagr is now known as rushiagr_away11:19
marekdmhu: a question, why did you update requirements.txt with stevedore's version? It was required for your patch?11:47
marekdah, nvm11:48
*** alex_xu has joined #openstack-keystone11:48
*** KanagarajM has quit IRC11:48
*** topol has joined #openstack-keystone11:52
mhumarekd, yeah, Jenkins yelled at me because of it on my last upload12:08
*** achampion has quit IRC12:12
*** joesavak has joined #openstack-keystone12:28
*** jsavak has joined #openstack-keystone12:35
*** joesavak has quit IRC12:39
*** dims has quit IRC12:40
*** dims has joined #openstack-keystone12:41
*** dims has quit IRC12:41
*** dims has joined #openstack-keystone12:42
*** gordc has joined #openstack-keystone12:51
*** rushiagr_away is now known as rushiagr12:56
*** jsavak has quit IRC13:04
*** achampion has joined #openstack-keystone13:05
*** garcianavalon has quit IRC13:08
*** richm has joined #openstack-keystone13:11
*** nkinder has quit IRC13:15
*** vhoward has joined #openstack-keystone13:27
*** afazekas has quit IRC13:37
*** k4n0 has quit IRC13:40
*** zzzeek has joined #openstack-keystone13:43
*** sigmavirus24_awa is now known as sigmavirus2413:45
*** rodrigods_ has joined #openstack-keystone13:57
*** nkinder has joined #openstack-keystone14:00
*** openstackgerrit has quit IRC14:02
*** ctracey_ has joined #openstack-keystone14:02
*** miqui_ has joined #openstack-keystone14:03
*** stevemar has joined #openstack-keystone14:04
*** amerine_ has joined #openstack-keystone14:05
*** rodrigods_ has quit IRC14:05
*** miqui_ has quit IRC14:09
*** miqui_ has joined #openstack-keystone14:09
*** Diopter has joined #openstack-keystone14:09
*** aix has quit IRC14:10
*** turul_ has quit IRC14:10
*** lufix has quit IRC14:10
*** ajayaa has quit IRC14:10
*** ayoung has quit IRC14:10
*** harlowja_away has quit IRC14:10
*** miqui has quit IRC14:10
*** ctracey has quit IRC14:10
*** amerine has quit IRC14:10
*** Apsu has quit IRC14:10
*** Diopter is now known as Apsu14:10
*** miqui_ is now known as miqui14:10
*** Apsu has left #openstack-keystone14:11
*** rodrigods_ has joined #openstack-keystone14:11
*** ctracey_ is now known as ctracey14:12
*** cjellick has joined #openstack-keystone14:14
*** aix has joined #openstack-keystone14:15
*** turul_ has joined #openstack-keystone14:15
*** lufix has joined #openstack-keystone14:16
*** ajayaa has joined #openstack-keystone14:16
*** ayoung has joined #openstack-keystone14:16
*** david-lyle has joined #openstack-keystone14:22
*** rodrigods_ has quit IRC14:23
stevemaranyone around? bknudson ?14:24
bknudsonstevemar: what's up?14:25
bknudsonjust wondering if you were in a ghost town?14:25
stevemarbknudson, that, and i have something that's confusing me https://review.openstack.org/#/c/122707/1/openstackclient/common/utils.py14:26
bknudsonstevemar: what's confusing about it?14:26
stevemari'm not clear on how that oslo.utils import worked, since the author didn't add oslo.utils to either requirements file14:26
bknudsonstevemar: it might be installed on the system for some other reason14:27
bknudsonif you're using oslo.utils it should be in the requirements.txt.14:27
stevemarcurrent req: https://github.com/openstack/python-openstackclient/blob/master/requirements.txt14:27
stevemaryeah, which is why i'm confused that it even worked14:27
stevemari guess maybe one of the clients installs it too?14:27
bknudsonstevemar: one of the other projects could pull it in transitively14:28
stevemaryeah, novaclient installs it, that's a bold move for us to actually just call it out14:28
morganfainbergmornin14:29
stevemarmorganfainberg, you are up way too early for west coast time, go back to bed14:29
bknudsonbold. brash. ballsy.14:29
stevemarindeed14:29
morganfainbergstevemar, last night migraine 1, morgan 014:29
morganfainbergso, way more sleep than normal.14:29
*** rwsu has quit IRC14:29
stevemarbknudson, okay, i'll make the change, it was too early for me to deal with things working when they shouldn't14:30
morganfainbergi think it was ~9pm i was asleep by14:30
stevemarwell at least you have a full day ahead14:30
morganfainbergyeah. gotta go get some coffee early (in like an hour), and laugh at the insane line at the apple store :P14:31
morganfainbergstevemar, looks like we can get KSC cut today14:32
marekdmorganfainberg: cause you already have your new iPhone or not getting any new ? :-)14:32
morganfainbergstevemar, then we just have a couple reviews for middleware and server14:32
morganfainbergmarekd, because if i order something in that much demand either 1) I pre-order and have it shipped to me (why waste a day in line?) or 2) I wait till there is less demand and it's generally available14:33
morganfainbergmarekd, this time, I opted for #1, last time I skipped the upgrade.14:33
marekdmorganfainberg: i see :-)14:35
stevemarmarekd, morganfainberg just go to any non-apple store, they still sell them: http://imgur.com/gallery/GJOUbVa14:35
morganfainbergstevemar, you're obviously not in SoCal :P14:36
stevemarhaha14:36
marekdstevemar: lol14:37
morganfainbergstevemar, still, why bother going to a store when it can be shipped to my doorstep.14:37
marekdmorganfainberg: ++14:37
*** jjulien has joined #openstack-keystone14:39
*** mflobo_ has joined #openstack-keystone14:43
*** mflobo_ has quit IRC14:43
morganfainbergzigo, ping14:44
zigomorganfainberg: Yes, I'm here.14:44
morganfainbergzigo, re: keystoneclient + git14:44
morganfainbergzigo, so out of curiosity how was icehouse packaged?14:45
zigomorganfainberg: What do you mean? I don't think Icehouse has the issue, does it?14:45
morganfainbergzigo, sure does14:45
zigoAt least, I didn't see any unit test errors.14:45
morganfainbergzigo, i mean did you end up using run_tests in icehouse? are you using run_tests in juno?14:45
zigoI use run_tests in both, but planning to use "testr run" in Juno to avoid the bad unit tests.14:46
morganfainbergzigo, ah i think there is an option to do an exclusion in testr. My concern is if we do a skip if git isn't available, gate might suddenly pass where it shouldn't (I can say with confidence i want this fixed for sure in Kilo, just too late to really fix it permanently in Juno)14:47
bknudsonthe git clone of the keystoneclient in the keystone tests has been a problem forever14:47
zigoI've just finished all Juno dependencies, currently packaging the latest tags for all projects (so, currently b3).14:47
zigoThere is.14:47
*** joesavak has joined #openstack-keystone14:48
*** zhiyan has quit IRC14:48
*** alex_xu has quit IRC14:48
*** mflobo has quit IRC14:48
*** ayoung has quit IRC14:48
*** serverascode has quit IRC14:48
zigoWell, I don't see how git wouldn't be available in the gate.14:48
bknudsonlet me try a test run without the keystoneclient tests and see if coverage is affected.14:48
morganfainbergbknudson, ++ that was my next step.14:48
*** serverascode_ has joined #openstack-keystone14:49
morganfainbergzigo, i was just surprised you didn't run across this earlier is all, since we really didn't "fix" it, we just covered it up way way way back when14:49
*** serverascode_ is now known as serverascode14:49
*** rodrigods_ has joined #openstack-keystone14:49
*** zhiyan has joined #openstack-keystone14:49
zigomorganfainberg: Then I'm as surprised as you are.14:50
morganfainbergzigo, ok :)14:50
zigoThe thing is, if I build in Sid, I don't see the errors, because I have network access and git available.14:50
*** rodrigods_ has quit IRC14:50
morganfainbergzigo, ah14:50
zigoBut in a Debian automated buildd, there's no network available at all...14:50
zigoIn my Jenkins, I run the build in a chroot, so git shouldn't be available.14:51
*** meker12 has joined #openstack-keystone14:51
zigoBut maybe it was in my Icehouse jenkins.14:51
zigoSo I didn't see it...14:51
zigo(I setup a new Jenkins package build VM for each release of OpenStack)14:51
zigoNevertheless, this will fail in a package rebuild in Debian.14:52
morganfainbergzigo, ok, thanks for the info, let's see what is the best solution for J, and in K we'll need to commit to fixing this the "right" way14:52
bknudsonI get this in my vm: error: gnutls_handshake() failed: A TLS packet with unexpected length was received. while accessing https://git.openstack.org/openstack/python-keystoneclient.git/info/refs14:52
zigomorganfainberg: I currently have ./run_tests.sh -N -P || true, so it won't actually fail the build, but that's not the way to go... :(14:52
morganfainbergzigo, i agree, not the best solution.14:52
zigomorganfainberg: I'd love that we didn't just remove these tests, and have them available for my package build...14:53
zigoI do know it works, as I can run it locally with git and network available, but yeah, a "real" fix would be nice.14:53
zigomorganfainberg: Am I right that keystone is just running the keystoneclient unit tests?14:53
morganfainbergzigo, i think the real fix is going to be something akin to making it a separate gate job.14:54
morganfainbergzigo, sortof, this is an integration test really between keystoneclient and keystone14:54
*** jorge_munoz has joined #openstack-keystone14:54
zigoWell, I would prefer to have the tests not removed from keystone itself if possible.14:54
zigoNot sure how though ...14:54
morganfainbergzigo, the problem is we shouldn't be doing integration tests at unit test time.14:55
bknudsonzigo: the tests use keystoneclient. You can point the tests to a local keystoneclient14:55
zigomorganfainberg: Could we implement this as a kind of "sync", where the keystone server would pull the unit tests from the client or something?14:55
*** samuelmz has joined #openstack-keystone14:55
morganfainbergzigo, but yeah you could just point it to a local keystoneclient install. it is a ENV var iirc14:55
morganfainbergbknudson, ++14:55
morganfainbergbknudson, beat me to it. ;)14:55
bknudsonset KSCTEST_PATH to your local keystoneclient14:56
zigomorganfainberg: In my keystoneclient package, the tests folder is there, so it's available for keystone to use.14:56
bknudsonit's not running keystoneclient tests14:57
bknudsonit's running keystone tests through the keystoneclient API14:57
morganfainbergzigo, it's an integration test.14:57
zigobknudson: What is it running then?14:57
zigomorganfainberg: Ok, then why does it need to git clone keystoneclient ?14:57
bknudsonit does import keystoneclient and then keystoneclient.call_this_api()14:57
zigoWhy can't it be done with the packaged (eg: system) version of keystoneclient then?14:58
*** alex_xu has joined #openstack-keystone14:58
bknudsonzigo: it used to check out and run with older versions of keystoneclient.14:58
*** ayoung has joined #openstack-keystone14:58
bknudsone.g., the 0.1 version14:58
zigoAh...14:58
bknudsonbut we've gotten rid of that now14:58
morganfainbergzigo, but as bknudson said if you set the path to keystoneclient in KSCTEST_PATH it'll use that version of ksc instead of git14:58
zigoOh ! :)14:58
bknudsonmorganfainberg: zigo: well... it does both.14:59
morganfainbergbknudson, it still uses git?14:59
morganfainbergi thought we changed that...14:59
bknudsonmorganfainberg: yes, it does both the git and the one you point KSCTEST_PATH at14:59
morganfainbergoh. bleh14:59
zigoSo, I should do: export KSCTEST_PATH=/usr/lib/python2.7/dist-packages/keystoneclient15:00
morganfainbergmaybe we should just make an option to skip the git version if KSCTEST_PATH is available15:00
zigo?15:00
morganfainbergor .. maybe we can make it an option to just use the system installed one?15:00
bknudsonlooks like the coverage drops by ~120 lines (of 15713) when dropping the keystoneclient tests.15:00
zigoThat's not much.15:01
zigomorganfainberg: bknudson: Am I right with my export line?15:01
morganfainbergbknudson, so which makes you feel more comfortable 1) dropping those tests for packaging (skip if no git) or 2) making it use system-installed ksc with an option?15:02
morganfainbergbknudson, or another option?15:02
*** nkinder_ has joined #openstack-keystone15:03
morganfainbergassuming in K we should work on a better "fix"15:03
bknudsonzigo: `KSCTEST_PATH=/opt/stack/pythonkeystoneclient tox -e py27 KcOptTestCase` worked for me15:03
zigoHum...15:04
zigoI don't want to use tox !15:04
bknudsonso that should work for you15:04
*** jdennis1 has joined #openstack-keystone15:04
bknudsonyou don't have to use tox. just set the env var15:04
zigo(I can't)15:04
zigoI'll try, thanks for the tip.15:04
zigomorganfainberg: I'm all for using the system version of kclient15:05
bknudsonmorganfainberg: I like the idea of using the system-installed one with the env var. Since we don't test old keystoneclients.15:05
*** nkinder has quit IRC15:05
*** jdennis has quit IRC15:05
morganfainbergbknudson, zigo , it looks like if we set KSCTEST_PATH it doesn't do the checkout15:06
zigoOh, cool! :)15:06
*** _cjones_ has joined #openstack-keystone15:06
morganfainbergoh wait no15:06
bknudsonmorganfainberg: why not? it still runs KcMasterTestCase which does the checkout15:06
morganfainbergi'm wrong. we still run the master case sorry15:06
morganfainbergbknudson, yeah was misreading15:06
morganfainbergbknudson, i think i'll just put an ENVVAR in to skip the master case.15:06
morganfainbergbknudson, KSCTEST_SKIP_MASTER ?15:07
bknudsonmorganfainberg: do we need to run both KcMasterTestCase and KcOptTestCase ?15:08
morganfainbergbknudson, hrm. probably not.15:10
morganfainbergbknudson, i'd be ok with making it an either/or15:10
bknudsonI can see a case for it during development, but not interesting enough to really require running both.15:11
bknudsonI'd be fine with having KcMasterTestCase run with KSCTEST_PATH if that's available and try the checkout if it's not.15:12
bknudsonMaybe print out a tip to use KSCTEST_PATH if the git clone fails.15:12
*** openstackgerrit has joined #openstack-keystone15:14
morganfainberghttps://review.openstack.org/#/c/122768/15:14
morganfainberggerritbot had disappeared15:14
*** dims_ has joined #openstack-keystone15:15
morganfainbergbknudson, i'd be ok with skipping if the checkout fails, but i think i'd rather make it explicit so we don't somewhere down the line just "lose" tests without knowing15:15
*** dims_ has quit IRC15:15
lbragstadbknudson: quick question15:15
*** dims_ has joined #openstack-keystone15:16
*** dims_ has quit IRC15:16
openstackgerritMorgan Fainberg proposed a change to openstack/keystone: Do not run git-cloned ksc master tests when local client specified  https://review.openstack.org/12276815:17
*** dims_ has joined #openstack-keystone15:17
*** dims has quit IRC15:18
morganfainbergzigo, ^ that plus setting the env var should solve the issue.15:19
zigoSuper cool ! :)15:19
*** dims_ has quit IRC15:19
bknudsonlbragstad: just ask it.15:19
zigomorganfainberg: I'll try this out soon.15:20
morganfainbergzigo, sounds good15:20
lbragstadbknudson: sorry got distracted, I was curious, in your review for the keystoneclient tests, if you need global before git_available?15:20
bknudsonlbragstad: you only need global if you set the variable. otherwise it'll be masked by the local.15:20
bknudsonif you don't set the variable in the function then it'll reference the global15:21
*** dims has joined #openstack-keystone15:21
ayoungmorganfainberg, +215:21
morganfainbergayoung, tyvm15:21
ayoungjust, finally, booked my hotel for Paris.15:22
morganfainbergayoung, which hotel you at?15:22
ayoungmorganfainberg, Balmoral15:22
morganfainbergayoung, ah15:22
morganfainbergheh15:22
ayoungmorganfainberg, when the hotel list came out way back when, we got the "hold off on booking" email that I should know to ignore by now15:23
morganfainbergyeah.15:23
ayoungMaybe the next one will be in Boston15:24
*** dims has quit IRC15:25
bknudsonBoston would be a good choice.15:25
ayoungmorganfainberg, does it make sense in our client API to expose the Session to the end user?   I understand splitting out the auth plugin, but  wouldn't client/plugin be sufficient?  I need to ask jamielennox when he's back15:26
morganfainbergayoung, not sure.15:26
ayoungbknudson, I heard rumors of Montreal or Quebec, both of which would be drivable for me15:26
*** dims has joined #openstack-keystone15:26
stevemarayoung, definitely ignore :) most hotels have 24 hr cancellation policy, so no harm in booking way in advance15:26
bknudsonwe've already learned french.15:26
stevemarbknudson, ha!15:27
*** dims has quit IRC15:27
ayoungstevemar, in this case it was "We are going to get a company block of rooms...."15:27
morganfainbergstevemar, the paris main ones have a 1-night minimum if you cancel after august something.15:27
stevemarmorganfainberg, ayoung well then, fair enough15:27
ayoungstevemar, nah, you are right, should have just booked it.  It's like Lucy and the Football...15:28
*** dims has joined #openstack-keystone15:28
*** dims has quit IRC15:28
bknudsonhttps://review.openstack.org/#/c/122590/ -- change in devstack to add another service for compute!15:29
stevemarayoung, you're being a good team mate, i would just take the 2 minute walk cause i'm lazy15:29
*** dims has joined #openstack-keystone15:30
*** dims has quit IRC15:30
stevemarbknudson, good comment15:30
*** roock has quit IRC15:31
*** ByteSore has quit IRC15:31
*** arunkant has quit IRC15:31
*** d0ugal has quit IRC15:31
*** tristanC has quit IRC15:31
*** dstanek has quit IRC15:31
*** ByteSore has joined #openstack-keystone15:32
morganfainbergbknudson, ++++++++ on that comment15:32
*** roock has joined #openstack-keystone15:32
*** dstanek has joined #openstack-keystone15:32
*** arunkant has joined #openstack-keystone15:32
morganfainbergdstanek, i think we're a few more hours out (still) on the ksc release15:33
*** tristanC has joined #openstack-keystone15:33
*** dims has joined #openstack-keystone15:33
*** dims has quit IRC15:33
dstanekmorganfainberg: yeah, i'm watching the gate with fingers crossed15:33
stevemardstanek, ahhh progress bar watching15:34
*** jasonsb has quit IRC15:34
*** lufix has quit IRC15:34
*** d0ugal has joined #openstack-keystone15:35
dstanekstevemar: basically, the problem though is it keeps starting over :-(15:35
*** d0ugal is now known as Guest5064815:35
bknudsondstanek: could ask infra to promote it, but probably not worth it.15:35
bknudsonI don't think anyone's needing a keystoneclient release otherwise they'd be yelling.15:36
dstanekbknudson: if there is some yelling we can ask to promote15:37
*** achampion has quit IRC15:38
*** achampion has joined #openstack-keystone15:38
*** dims has joined #openstack-keystone15:38
*** dims has quit IRC15:40
*** dims has joined #openstack-keystone15:43
*** dims has quit IRC15:43
morganfainbergbknudson, thanks for responding with that link for neutronclient to monty's keystoneclient CR15:43
morganfainbergbknudson, that was what i was looking for15:43
bknudsonmorganfainberg: I've got to admit the code that monty posted is nice and easier to understand.15:44
morganfainbergbknudson, i agree.15:44
bknudsonbut it's probably easy to understand because it doesn't do everything either.15:44
*** dims has joined #openstack-keystone15:44
morganfainbergyeah.15:44
bknudsonand, I think this points to a lack of documentation15:44
morganfainbergbknudson, yep.15:44
*** shuffleb1t has joined #openstack-keystone15:45
morganfainbergok i need to go get some food / coffee be back in a bit.15:45
*** charz_ has joined #openstack-keystone15:45
*** dims has quit IRC15:45
*** achudnovets has quit IRC15:46
*** roock has quit IRC15:46
*** charz has quit IRC15:46
*** dstanek has quit IRC15:46
*** ekarlso has quit IRC15:46
*** shufflebot has quit IRC15:46
*** roock has joined #openstack-keystone15:46
*** dstanek has joined #openstack-keystone15:46
*** ekarlso has joined #openstack-keystone15:46
*** achudnovets has joined #openstack-keystone15:47
*** dims has joined #openstack-keystone15:48
*** BAKfr has quit IRC15:49
*** wwriverrat has joined #openstack-keystone15:49
*** _cjones_ has quit IRC15:51
*** _cjones_ has joined #openstack-keystone15:51
*** drjones has joined #openstack-keystone15:52
*** _cjones_ has quit IRC15:52
*** wwriverrat1 has joined #openstack-keystone15:55
*** wwriverrat1 has left #openstack-keystone15:55
*** dims has quit IRC15:56
*** dims has joined #openstack-keystone15:56
*** dims_ has joined #openstack-keystone15:58
*** wwriverrat2 has joined #openstack-keystone15:58
*** wwriverrat has quit IRC15:58
ayoungbknudson, I've been battling the Django to KC code.  It seems to me that this pattern should be simple:  1.  Get an unscoped token.  2.  Get a list of projects.   3. Select a project.  4.  Get a token from the selected list.     Should I put all of that into KC?  Or is it too much business-logic and should stay in Django?16:01
openstackgerritA change was merged to openstack/python-keystoneclient: Add support for endpoint policy.  https://review.openstack.org/12236716:01
*** dims has quit IRC16:01
*** wwriverrat2 has left #openstack-keystone16:01
ayoungits the "select a project" part that bothers me:16:01
ayoungselect first project in list if no default is set...16:01
bknudsonayoung: wouldn't the user have a project they want already?16:02
ayoungbut without that, we have no service catalog16:02
ayoungbknudson, not at login16:02
bknudsonthat's going to require user assistance.16:02
ayoungbknudson, you don't know what set of projects to show until the  user requests a login.  Then you can list projects for user16:02
bknudsonthe "select a project" could be a callback function16:03
ayoungbknudson, the alternative is modifying Horizon to allow for a user with no project selected16:03
bknudsongets called with a list of projects and is expected to return a project16:03
ayoungwhich is not really Keystone's call to make.16:04
bknudsonayoung: I thought horizon allowed you to pick a project?16:04
ayoungit does, but it has already rendered all the screens based on the first project16:04
bknudsonpicking the project from the list would lead to weird behavior since the list might change order.16:05
ayoungYep16:05
ayoungthat is what it does now, though16:05
*** turul_ has quit IRC16:05
bknudsonit doesn't require the user to have a default project?16:06
ayoungbknudson, http://git.openstack.org/cgit/openstack/django_openstack_auth/tree/openstack_auth/backend.py#n12016:06
ayoungthe logic flows like this16:06
ayoungget userid and password from the form.  Region and domain are optional based on config params from horizon16:06
bknudsonproject = projects.pop()16:06
ayounguse that to get a token16:06
ayoungif the token is scoped,  use that.  If not, list the projects and select the first one16:06
ayoungand get a token for that project16:07
ayoungits probably maddening to someone that is in both "admin"  and "I need to get real work done"  when they are defaulted to "admin"16:07
bknudsonif we have a callback for "select a project" then it could do pop() or it could prompt the user or whatever.16:08
bknudsonit looks like the code already exists and you're wondering if it should be in keystoneclient?16:09
ayoungbknudson, what if instead of a callback we added yet another param to authenticate16:09
ayoungyeah, if it should be in keystone client16:10
bknudsonI don't object to putting things in keystoneclient... the thing I'm worried about with keystoneclient is when higher level functions are mixed in with the low level, without any layering.16:11
ayoungand, if it shouldn't...what do we do?  The token serves two very different roles.  First it is the placeholder for userid and password so those don't need to be cached in Horizon, and second it carries all of the authN and AuthZ data for remote services16:11
bknudsonthis would be a higher level function so don't mix it in with the low level functions.16:11
ayoungIf we had clearer workflow that says "only use an unscoped token to get a scoped token"....but we should also have rules like "only an unscoped token can enumerate projects"16:12
bknudsonayoung: I don't have a problem with allowing enumerating projects... not sure why it would be limited to unscoped?16:12
bknudsonif I could get a scoped token then I could get an unscoped one.16:13
ayoungKeystone should just reject scoped tokens for all operations except those explicitly for those projects.  Like adding other users to that project.16:13
ayoungIf I hand a scoped token to Nova, and the compute node gets hacked, I don't want an elevation of privs back on Keystone16:13
bknudsonthat does sound a lot safer.16:14
bknudsonwe have the same thing for domains.16:14
ayoungWe need a keystone "secure mode"  that makes all these rules the default16:15
ayoungto include endpoint binding...which we still don't know how we are going to solve16:15
ayoungok...new rule:  every endpoint gets a distinct user in the service domain16:17
ayoungNow endpoint bindings are trivial:  use the service user to get to the endpoint ...16:17
bknudsonthat sounds pretty easy to do.16:17
bknudsonthe transition will not be easy16:18
ayoungand it sounds right...and we really couldn't do that until we had henrynash 's multi backend thing working16:18
bknudsonit mostly works... you can't have multiple sql backends16:18
ayoungWell, you need to specify a user when you set up an endpoint anyway.16:18
ayoungbknudson, yeah..that is fine16:18
bknudsonand since auth_token middleware doesn't support v3 auth yet that's kind of a problem.16:18
ayoungwe'll solve that one, but it is not critical for this16:19
ayoungWHAT?16:19
ayoungOh, you mean for validating tokens?16:19
ayoungI can pass a v3 token to ATM, its the service user must be in the default domain part that is problematic?16:19
bknudsonyou can't set the domain for user in auth_token middleware.16:19
bknudsonayoung: yes, that's what's missing16:20
ayoungend user or service user?16:20
bknudsonservice user16:20
bknudsonyou were saying service users are in a different domain.16:20
ayoungYeah.  I've been putting them in the default domain, since that is what the installer does16:20
ayoungBut what do we need to do to put them in a separate domain?  Its just the create token calls that need to be v3 as we can use a v3 token for any v2 calls16:21
bknudsonI'll make it my project to add v3 auth to the middleware.16:21
ayoungbknudson, that sounds essential16:22
ayoungthanks16:22
ayounglet me write this up.  I think I can see a step by step plan now to endpoint binding16:22
bknudsonshould be easy with jamielennox's config parser16:23
*** htruta has left #openstack-keystone16:24
ayoungback to horizon, though, would it be really wrong to make the httpclient.authenticate code have a "force_default_project" flag?  Yeah, I guess it would...what I really need is an easy way to say "reset this client from unscoped to scoped"16:24
bknudsonayoung: if they force_default_project=True then if they'd get an unscoped token now they'll get a scoped one?16:26
bknudsonif they would have gotten an unscoped token they'll actually get a scoped token?16:26
ayoungbknudson, I think I just need the "rescope" function16:26
ayoungI don't want Keystone client doing the default project logic.16:27
ayoungCuz it sucks16:27
bknudsongetting a scoped token from a token is one of the low-level APIs that keystoneclient should provide.16:27
ayoungbknudson, I'm tempted to make "rescope" be its own function.16:27
ayoungYs16:27
ayoungbknudson, and, if KC holds on to the original unscoped token....16:28
ayoungthe whole thing becomes cleaner16:28
*** Guest50648 is now known as d0ugal16:29
*** d0ugal has quit IRC16:30
*** d0ugal has joined #openstack-keystone16:30
*** rwsu has joined #openstack-keystone16:34
*** meker12_ has joined #openstack-keystone16:36
*** gyee has joined #openstack-keystone16:37
*** wwriverrat has joined #openstack-keystone16:37
ayoungbknudson, sent you an email with the bones of the endpoint binding scheme16:37
ayoungbknudson, I think I'm going to add a "rescope" call to httpclient16:37
bknudsonok, let me take a look at the email.16:38
*** meker12 has quit IRC16:38
bknudson(after lunch)16:39
*** wwriverrat has left #openstack-keystone16:41
*** gyee has quit IRC16:48
*** amakarov is now known as amakarov_away16:48
*** ayoung is now known as ayoung-lunch16:49
*** ajayaa has quit IRC16:52
*** meker12_ has quit IRC16:54
*** ayoung-lunch has quit IRC16:54
*** meker12 has joined #openstack-keystone16:54
*** ajayaa has joined #openstack-keystone16:55
*** meker12 has quit IRC16:59
*** cjellick_ has joined #openstack-keystone16:59
*** cjellick has quit IRC17:00
*** stevemar has quit IRC17:01
*** joesavak has quit IRC17:02
*** amcrn has joined #openstack-keystone17:02
*** stevemar has joined #openstack-keystone17:02
*** jasonsb has joined #openstack-keystone17:03
*** rodrigods_ has joined #openstack-keystone17:10
*** drjones has quit IRC17:14
*** _cjones_ has joined #openstack-keystone17:15
*** sigmavirus24 is now known as sigmavirus24_awa17:16
*** gyee has joined #openstack-keystone17:17
*** ayoung has joined #openstack-keystone17:18
*** _cjones_ has quit IRC17:19
*** _cjones_ has joined #openstack-keystone17:19
*** htruta has joined #openstack-keystone17:20
*** gyee has quit IRC17:24
ayoungnkinder_, as I go through the DOA KC integration, a couple things have occurred to me:  when we create a session, we stick the auth plugin in there and leave it.  This means that the password stays with the session.  I'd think we'd want to immediately swap to a token.  Right?17:27
*** rodrigods_ has quit IRC17:29
ayoungwe have the httpclient.authenticate call, which is what DOA currently uses.  That does not hold on to the client, I think, and instead creates a new one when it needs it.  It holds on to the auth_ref, which is the abstraction of the token.17:30
ayoungand, in fact, the code creates two clients in the "unscoped" case, passing the unscoped token in to the second client.17:32
*** jasonsb has quit IRC17:37
*** victsou__ has joined #openstack-keystone17:38
*** rodrigods_ has joined #openstack-keystone17:39
nkinder_ayoung: yeah, it seems like you'd want to clear the password out of there ASAP (unless Horizon counts on it to change project scope)17:41
nkinder_ayoung: if it uses the unscoped token properly instead, then definitely clear it out of there17:42
*** harlowja has joined #openstack-keystone17:42
*** jimbaker has quit IRC17:43
ayoungnkinder_, well, Horizon assumes it has only the token to work with.  It stashes the result of the first authenticate (scoped or unscoped) and then fetches a second token.  At the end of the DOA authenticate call, the password is gone17:43
ayoungit can only use tokens from there on, unless the user re-enters them17:43
*** jasonsb has joined #openstack-keystone17:43
*** rodrigods_ has quit IRC17:43
*** jasonsb has quit IRC17:43
ayoungnkinder_, it seems to me that there is a dual edge sword here17:43
ayoungif we keep the password, we can always reauthenticate17:43
ayoungthat means that there is no real need for unscoped tokens ever17:44
ayoungI'd say that is a bad security decision17:44
ayoungOTOH, it would make short lived tokens a reality.17:44
ayoungReplace password with Kerberos and you have a decent system...but with Kerberos, we know we will always get the userid and password from external17:45
*** cjellick_ has quit IRC17:45
ayoungNow, for Horizon itself, I think the obvious answer is toss the password.  That means, however, toss the session today17:45
ayoungI can hack around this, but it means DOA knows too much about the internals of the client....which is where I am at right now17:46
ayoungIt seems that a better approach is this:17:47
ayoungauthenticate becomes a class level call.  It creates a client as a side effect.17:47
*** cjellick has joined #openstack-keystone17:48
ayoungUnder the covers, it uses the password plugin if password is given.  If not, it looks for the env var that indicates it should do Kerberos, and uses the kerberos plugin17:48
ayoungif the kerberos plugin is used, it stays as the auth plugin17:48
ayoungif the password plugin is used, switch to the token plugin upon completion17:48
ayoungclient will now have a "rescope" call,  and rescope uses the auth plugin already in the session.17:49
ayoungput will request a new token with the passed in scope (project or domain...damn wish those were the same thing)17:49
ayounghowever,  the client should always hold on to the original token it received, and use that for all additional rescopes17:50
ayoungnkinder_, if we do this, that means our goal of always going unscope to scoped becomes simpler...for anything using the Keystone client that is.17:50
ayoungI think I can make the "swap password for token plugin"  the exception case.17:51
*** rodrigods_ has joined #openstack-keystone17:51
ayoungFor any other auth plugin, we'll continue to use the one provided.17:51
ayoungthat way, the kerberos one or an X509 plugin that comes from out of tree will continue to work.17:52
*** sigmavirus24_awa is now known as sigmavirus2417:53
ayoungbknudson, morganfainberg read up to where nkinder_ first responded and tell me if this plan makes sense?17:53
morganfainbergayoung, will do17:53
ayoungI'll probably create a new call, not authenticate, to do this.17:54
ayoungmake it a class level call, and only give it the subset of params that KC.httpclient.authenticate takes17:55
*** joesavak has joined #openstack-keystone17:55
bknudsonayoung: so is it always checking if its token is about to expire? what does it do if the token is expiring?17:56
ayoungbknudson, I think it just fails17:56
ayoungwell, if the token is expired17:56
ayoung raise exceptions.KeystoneAuthException(msg)17:57
bknudsonif it's got the username/password (or can reauthenticate by whatever method) then if it's expiring it should get a new token17:57
ayoungbknudson, http://git.openstack.org/cgit/openstack/django_openstack_auth/tree/openstack_auth/backend.py#n3917:57
ayoungbknudson, if it has the username, the token will get a fresh expiry17:57
ayoungso that check is kindof dumb17:57
ayoungbknudson, it does http://git.openstack.org/cgit/openstack/django_openstack_auth/tree/openstack_auth/backend.py#n87  create a client, authenticate with password, and then check the expiry17:58
ayoungbknudson, so it only keeps the password for the duration of this call17:58
ayoungafter that it only has a token17:59
bknudsonso if we set the token expiry to 2 mins you can only use horizon for 2 mins?17:59
ayoungbknudson, yep17:59
ayoungright now we set it to an hour17:59
bknudsonyou have to be quick and get all your stuff done fast.17:59
ayoungbknudson, now, with Kerberos we would be able to get a new token, but the logic from Django would kick us into this anyway18:00
ayoungbknudson, this is why I originally proposed the "Session tokens"  spec.  Unscoped tokens could get an hour,  scoped get 5 minutes.18:00
*** jsavak has joined #openstack-keystone18:01
*** openstackgerrit has quit IRC18:01
*** openstackgerrit has joined #openstack-keystone18:01
ayoungbknudson, so I think the client should hold on to the unscoped token and the scoped token, but with PKI tokens, that is too much data today.   Need to make them both smaller. UUID would work fine, though.18:01
bknudsonayoung: is the client serializing them? 16k is too much data?18:03
*** joesavak has quit IRC18:04
ayoungbknudson, so...there are two approaches.  One is putting the token in a cookie, and letting the browser store it.18:04
ayoungthe other is memcached18:04
bknudsonok, then PKI tokens are a lot of data18:04
ayoungwith memcached, they would still need to put a hash in the cookie18:04
ayoungyeah18:05
bknudsonthe cookie needs some kind of session ID (essentially their own token)18:05
*** jasonsb has joined #openstack-keystone18:05
ayoungbknudson, an empty CMS doc is just under 1K18:05
bknudsonif you can fetch the session data from memcached all you need is a key18:05
bknudsondoesn't have to be a token hash18:05
ayoungbknudson, what they were doing is the MD5 hash, and tossing the PKI token,18:05
bknudsonthen you can re-use the token18:05
bknudsonwas horizon using memcached or a database at all?18:06
ayoungso the memcached approach is only theoretical...I don't think its been implemented.18:06
ayoungbut they do store the whole auth_ref, which has the exploded data in it.18:07
*** jimbaker has joined #openstack-keystone18:08
bknudsonare they willing to use memcached/sql or do they really want to stick with having the client keep the session info?18:08
stevemarat what point do we bump https://review.openstack.org/#/c/119345/ due to inactivity ?18:09
ayoungbknudson, while the PTL has indicated the memcached is already in use elsewhere and is an acceptable approach, I'm not certain if the whole community agrees.18:09
bknudsonstevemar: somebody else can pick it up if they want to18:09
stevemarbknudson, is it needed?18:10
bknudsonstevemar: looks like it is needed if we want to support r/w LDAP with openldap 2.318:10
bknudsonstevemar: it's your colleagues that are asking for it.18:11
stevemarbknudson, no no, it's *your* colleagues18:11
ayoungstevemar, I'm guessing that testing that against OpenLDAP to ensure it has not broken anything would be the first step...concerned what it would mean, though, for existing deployments18:11
*** bjornar_ has joined #openstack-keystone18:11
bknudsonwe already got half that change from gyee18:12
ayoungI think I'm going to -1 it on that account.18:12
*** f13o has joined #openstack-keystone18:12
*** f13o has quit IRC18:13
bknudsonpart of it was in https://review.openstack.org/#/c/117658/ , but https://review.openstack.org/#/c/117658/ didn't include creating a role assignment18:13
*** jedix has joined #openstack-keystone18:16
jedixWhere does the man/admin (which are links to httpd/keystone.py) get the URLs it returns?  it is returning /v2.0, and this does not work for me.18:17
jedixwell, $HOST/v2.018:17
ayoungbknudson, does it make any sense that the session and the client are two separate things?  It seems to me that the session  should be hidden from the end user, and only used as an internal component to be shared between, say keystoneclient.httpclient and the nova et alles equivalent.18:18
morganfainbergayoung, or similarly allowed for a developer to use it in the same way [same concept]18:18
ayoungjedix, build out of the config file18:18
morganfainbergi don't know if the session is an end-user thing, it is a developer thing18:18
bknudsonayoung: the session is used by other client libraries, not just keystoneclient18:19
ayoungmorganfainberg, well, I would think that a session should be shared between clients,  although really all they need to share is the token, no?18:19
jedixayoung: which config file? keystone.conf ?18:19
ayoungjedix, if you are askin what I think you are asking, yes18:19
ayoungjedix, man/admin ?18:20
jedixmain/admin18:20
jedixI am running keystone in wsgi/apache18:20
ayoungjedix, ah,  yes,18:20
ayoungok,  so if you hit https://hostname/keystone ?18:20
ayounger18:20
ayoungok,  so if you hit https://hostname/keystone/main ?18:20
ayoungand that should be the versions page, and the versions don't match what you have on the page...18:21
dstanekmorganfainberg: just about there...18:21
ayoungjedix, the code for that is18:21
*** victsou__ has quit IRC18:21
jedixayoung: I hit https://hostname/keystone/main, and it says <link href="https/hostname/v2.0/" rel="self"/>18:21
ayoungjedix, http://git.openstack.org/cgit/openstack/keystone/tree/keystone/controllers.py#n11718:22
*** meker12 has joined #openstack-keystone18:22
jedixI *think* it should say <link href="https/hostname/keystone/main/v2.0/" rel="self"/>18:22
ayoungbase_url is in18:22
openstackgerritOpenStack Proposal Bot proposed a change to openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/11625518:22
jedixI assume I have [composite:main]18:23
jedixwrong?18:23
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/wsgi.py#n35418:23
jedix(and admin)18:23
ayoungno,you are not wrong18:23
ayoungand this may well be broken18:23
ayoungjedix, but I think you can set18:23
jedixayoung: so it may not be my conf file?18:23
ayoungmain_endpoint  and admin_endpoint in the conf file to whatever you want18:24
bknudsonit's main_endpoint and admin_endpoint.18:24
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/wsgi.py#n35418:24
ayoungjedix, see, I often lie, but bknudson never does18:24
bknudsonhttp://git.openstack.org/cgit/openstack/keystone/tree/etc/keystone.conf.sample#n4218:24
bknudsonpublic_endpoint and admin_endpoint18:24
bknudsonjedix: read the comments on those config options18:25
ayoungif you don't set those values, it deduces from context['host_url']18:25
ayoungwhich might be what you are seeing,18:25
jedixokay, thanks guys18:25
*** jasonsb has quit IRC18:26
bknudsonalso, don't use XML it's deprecated18:26
ayoungrichm, BTW  please make sure we are setting ^^ appropriately :)18:26
ayoungbknudson, it's depraved18:27
jedixbknudson: in favour of?18:27
bknudsonjedix: JSON18:27
bknudsonapplication/json18:27
jedixbknudson: where do I change that?18:28
ayoungbknudson, we need to return that from the browser18:28
ayounghe's just hitting it from his browser, and the accepts header triggers XML, not JSON18:29
bknudsonjedix: it's how the application requests the data. If it uses Accept: application/json it'll get json.18:29
ayoungbknudson, I think that if we drop the XML renderer from the pipeline it will work...me gonna check18:29
bknudsonayoung: that's unfortunate... seems like the only way that would happen is if the client was actually requesting XML.18:29
ayoungbknudson, it does18:30
jedixit is a browser..18:30
ayoungit is in the accepts header18:30
* jedix files a firefox bug18:30
jedix:P18:30
ayoungbrowser will accept htm, xml,18:30
jedixI really appreciate you guys helping me18:30
ayoungjedix, not a firefox bug, it is ours18:30
ayoungone I complained about and filed a fix for over a year ago which was nixed...18:30
jedixoh, I thought ff would request xml18:30
bknudsonif the client doesn't say it accepts JSON then the server should return Not Acceptable response, but I don't think Keystone is doing that.18:31
*** haggan has quit IRC18:31
jedixwsgi keystone returns the same answer?18:32
jedixone day, I will meet all you helpful people.18:32
bknudsonI'm pretty sure if you send an Accept header that's not known you'll get JSON.18:33
ayoungjedix, edit your keystone-paste.ini file and remove any references to XML in the pipelines at the bottom and you will exorcize the XML daemon18:33
*** rodrigods_ has quit IRC18:33
ayoungbknudson, should I make that change?18:33
bknudsonthe only accept header that would change the response is xml.18:33
bknudsonayoung: sure. It's a configuration we should be supporting already.18:34
ayoungbknudson, file the bug, I'll file the fix18:34
bknudsonwe should have some tests for it.18:34
jedixayoung: confirmed.18:34
bknudsonwe can't remove it now, we can remove it for K.18:34
bknudsonin the sample paste config18:34
*** rodrigods_ has joined #openstack-keystone18:34
jedixshouldn't we just swap the positions?18:34
jedix s/xml_body_v2 json_body/json_body xml_body_v2/18:35
jedixfor fallback?18:35
bknudsonthat wouldn't work since the xml translator needs a json doc.18:35
ayoungbknudson, OK.  It will also break all  of the XML unit tests18:36
dstanekwow. this just happened: https://review.openstack.org/#/c/116255/13..14//COMMIT_MSG18:37
dstanekthe gate said 2 mins left when that was pushed18:38
ayoungjedix, what we really need to do is fix the XML marshalling.  We currently have a braindead approach that converts python to json, and then json to XML.  We should be going Python direct to XML...but it should not be the Keystone project that writes that code:  we should be using a standard framework.  Problem is, we have people that coded to the old XML approach, and if we change the marshaller, we'll break their code18:38
ayoungso, for now we deprecate, then we replace18:38
*** Tahmina has quit IRC18:38
ayoungbknudson, as soon as Kilo is open for commits, that one is going in18:39
*** victsou__ has joined #openstack-keystone18:39
* ayoung makes pie in the sky promises18:39
bknudsondstanek: proposal bot stole my commit. Should have put it as a co-author.18:39
*** rushiagr is now known as rushiagr_away18:40
ayoung BUH?18:41
ayoungproposal bot is broken.  There is no way that was a uuid collision18:41
ayoungbknudson, shouldn't we stop that commit, make sure the commit id is the original, and resubmit proposal bots...while figuring out who broke what?18:42
*** _cjones_ has quit IRC18:43
*** _cjones_ has joined #openstack-keystone18:43
*** ayoung is now known as ayoung-afk18:43
bknudsonayoung: I'm not sure why proposal bot reproposed it... we know why it didn't automatically propose the change earlier.18:43
*** jasonsb has joined #openstack-keystone18:43
ayoung-afkbknudson, what is proposal bot?18:44
bknudsonmaybe proposal bot keeps track of the projects it has or hasn't updated and since it failed to update keystoneclient earlier it decided to update now.18:44
bknudsonayoung-afk: it automatically proposes changes when global requirements change.18:45
*** ayoung-afk is now known as ayoung18:45
*** jasonsb has quit IRC18:45
bknudsonayoung: there was some discussion of this on the -dev mailing list...18:45
ayoungbut how'd it get the changeid messed up?18:45
*** harlowja has quit IRC18:46
*** harlowja_ has joined #openstack-keystone18:46
bknudsonayoung: the change id is the same.18:46
*** marcoemorais has joined #openstack-keystone18:46
ayoungbknudson, it should be autogenerating its own change id, but obviously grabbed one that was already active18:47
ayoungcould it be some sort of rebase script error?18:47
bknudsonayoung: y, it looks for its existing review and reuses the change id.18:47
bknudsonayoung: it's probably me that should have used a new change ID rather than stealing the proposal bot... but that did make it easier to compare.18:47
ayoungoh, then it was your fauly18:47
ayoungfault18:47
bknudsonayoung: my bad18:48
ayoungbknudson, /me going to take a walk, clear my head, and come up with an approach to the KC-DOA integration18:48
*** morgan_remote_ has joined #openstack-keystone18:51
*** ayoung has quit IRC18:53
*** jsavak has quit IRC19:01
*** joesavak has joined #openstack-keystone19:05
*** aix has quit IRC19:06
*** jasonsb has joined #openstack-keystone19:16
*** sigmavirus24 is now known as sigmavirus24_awa19:17
*** sigmavirus24_awa is now known as sigmavirus2419:18
*** zzzeek has quit IRC19:18
*** jasonsb has quit IRC19:20
*** _cjones_ has quit IRC19:22
*** _cjones_ has joined #openstack-keystone19:23
*** _cjones_ has quit IRC19:27
*** zzzeek has joined #openstack-keystone19:34
*** marcoemorais has quit IRC19:40
*** marcoemorais has joined #openstack-keystone19:41
*** marcoemorais has quit IRC19:41
*** bjornar_ has quit IRC19:45
morganfainbergbknudson, dstanek, stevemar, lbragstad, need some eyes on middleware reviews if you can and the memcache pool for keystone.19:47
morganfainbergthe memcache pool is important as we need to port that to middleware19:48
morganfainbergbefore we can release middleware19:48
dstanekmorganfainberg: i'm halfway through the memcache pool in keystone now19:50
morganfainbergdstanek, ++ awesome just was poking people :)19:50
* morganfainberg grumbles at the proposal bot.19:52
morganfainbergit was *so close*19:52
*** morganfainberg is now known as CaptainMorgan19:52
CaptainMorganarrrrrrrghghghghhghhhah*cough*19:52
*** rodrigods_ has quit IRC19:53
*** _cjones_ has joined #openstack-keystone19:54
stevemarbknudson, blah, where does this test go for the ldap patch?19:55
stevemarbknudson, best I can think of so far, is to change add_s() in fakeldap to look some role operations and then checks to make sure mod_list is has those values19:56
bknudsonstevemar: I would think test_backend_ldap19:56
CaptainMorganbknudson, thats where i'd put it19:56
bknudsonor if you can write a unit test19:56
*** _cjones_ has quit IRC19:57
*** _cjones_ has joined #openstack-keystone19:57
bknudsona unit test just for RoleApi with mock19:57
bknudsonstevemar: also, changing FakeLdap add_s to require the naming attribute would be neat.19:57
*** victsou__ has quit IRC19:57
stevemari was thinking that19:58
stevemarbut that might have unexpected issues come up, and i'm worried i might be fixing them19:58
bknudsonthat might wind up being a lot of work if the tests aren't doing it correctly, but would be more accurate19:58
stevemarding ding ding19:58
bknudsonI'd try to write a unit test19:58
*** ayoung has joined #openstack-keystone20:02
openstackgerritBrant Knudson proposed a change to openstack/keystone: Mock doesn't have assert_called_once()  https://review.openstack.org/12285120:02
CaptainMorganbknudson, oh haha and i see why that would pass.20:03
CaptainMorgandoh!20:03
CaptainMorganbknudson, +220:03
*** htruta has quit IRC20:08
*** david-lyle has quit IRC20:13
-openstackstatus- NOTICE: Gerrit will be offline from 20:30 to 20:50 UTC for project renames20:15
*** ChanServ changes topic to "Gerrit will be offline from 20:30 to 20:50 UTC for project renames"20:15
*** gyee has joined #openstack-keystone20:15
*** marcoemorais has joined #openstack-keystone20:15
*** htruta has joined #openstack-keystone20:17
*** htruta has quit IRC20:18
bknudsonCaptainMorgan: this came up during the https://wiki.openstack.org/wiki/BootstrappingHour#Next_Episode20:20
CaptainMorganbknudson, aha20:21
*** dims_ has quit IRC20:26
*** dims has joined #openstack-keystone20:26
*** jsavak has joined #openstack-keystone20:29
*** dims has quit IRC20:30
*** marcoemorais has quit IRC20:31
*** Tahmina has joined #openstack-keystone20:32
*** marcoemorais has joined #openstack-keystone20:33
*** joesavak has quit IRC20:33
*** ayoung is now known as MadamImAdam20:35
MadamImAdamI see it is casual nick Friday20:35
*** dstanek is now known as kenatsd20:37
*** marcoemorais1 has joined #openstack-keystone20:40
*** marcoemorais has quit IRC20:40
*** marcoemorais1 has quit IRC20:40
*** marcoemorais has joined #openstack-keystone20:40
*** achampion has quit IRC20:45
*** ChanServ changes topic to "Review RC1 blockers plzkthx https://gist.github.com/dolph/651c6a1748f69637abd0"20:51
-openstackstatus- NOTICE: Gerrit is back online20:51
*** jsavak has quit IRC20:53
*** openstackgerrit has quit IRC20:55
*** openstackgerrit has joined #openstack-keystone20:55
*** ajayaa has quit IRC20:56
bknudsonsee this from keystonemiddleware tests?21:00
bknudson/opt/stack/keystonemiddleware/.tox/py27/local/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:220: SystemTimeWarning: System time is way off (before 2014-01-01). This will probably lead to SSL verification errors21:00
*** morgan_remote_ has quit IRC21:00
bknudsonmaybe it's related to the new version of requests21:01
sigmavirus24MadamImAdam: Bob Dylan reference?21:01
*** gyee has quit IRC21:03
bknudsonI don't get the warnings with requests==2.3.0, but do get it with requests==2.4.0 and requests==2.4.121:03
*** marcoemorais has quit IRC21:03
*** marcoemorais has joined #openstack-keystone21:04
*** marcoemorais has quit IRC21:05
MadamImAdamsigmavirus24, yeah, sure, why not.21:05
*** marcoemorais has joined #openstack-keystone21:05
sigmavirus24heh21:05
sigmavirus24bknudson: that's a warning in urllib3 that shows up on unverified connections21:05
sigmavirus24There's a bug to allow the user to turn those off21:06
*** marcoemorais has quit IRC21:06
*** marcoemorais has joined #openstack-keystone21:06
bknudsonsigmavirus24: we don't need to see those when running tests.21:07
sigmavirus24No one's had the opportunity to work on it. Pull requests are more than welcome21:07
*** jasonsb has joined #openstack-keystone21:08
bknudsonlooks like it uses python warnings so I should be able to turn it off already.21:10
*** cjellick has quit IRC21:15
CaptainMorganMadamImAdam, casual nick? Nay, it be talk like a pirate day.21:16
MadamImAdamCaptainMorgan, guess it is time to work on my Somali, then21:16
*** jorge_munoz has quit IRC21:16
CaptainMorganMadamImAdam, hehe21:16
MadamImAdamWaxaan ahay kabtanka hadda.21:17
CaptainMorganhahaha21:17
CaptainMorganoh no what have i started...21:17
*** andreaf has quit IRC21:17
*** andreaf has joined #openstack-keystone21:18
MadamImAdamhttp://www.ganfyd.org/images/6/6e/Touched_by_His_Noodly_Appendage.jpg21:18
CaptainMorganMadamImAdam, lol oh dear21:19
*** gordc has quit IRC21:19
MadamImAdamOh look, a teapot shaped planet is orbiting in my Basement.21:20
*** cjellick has joined #openstack-keystone21:22
MadamImAdamI am the Flying Spaghetti Monster. Thou shalt have no other monsters before Me. (Afterwards is OK; just use protection.) The only Monster who deserves capitalization is Me! Other monsters are false monsters, undeserving of capitalization.21:26
stevemarMadamImAdam, even Nessie? shes a pronoun.21:27
*** cjellick has quit IRC21:27
MadamImAdamstevemar, Nessie Nae be na Monster.  She's a dear, she be.21:27
*** _cjones_ has quit IRC21:27
stevemarMadamImAdam, but it's in her name :(21:27
*** cjellick has joined #openstack-keystone21:28
stevemarthere are no other monsters in Loch Ness21:28
MadamImAdamstevemar, that statement is unverifiable21:28
stevemarya got a point there21:28
*** CaptainMorgan is now known as morganfainberg21:28
MadamImAdamThere is a teapot shaped monster circling Loch Ness even as we speak21:28
MadamImAdambut it is not worthy of capitalization21:29
*** _cjones_ has joined #openstack-keystone21:29
*** MadamImAdam is now known as CaptainYoung21:30
CaptainYoungtechnically I earned this title.21:30
CaptainYoungBut only in the reserves21:30
*** david-lyle has joined #openstack-keystone21:30
*** david-lyle has quit IRC21:30
*** rushiagr_away is now known as rushiagr21:32
morganfainberghehe21:32
*** cjellick has quit IRC21:32
morganfainbergstill earned it!21:32
*** saipandi has joined #openstack-keystone21:37
*** CaptainYoung has quit IRC21:38
*** _cjones_ has quit IRC21:45
*** _cjones_ has joined #openstack-keystone21:46
*** rkofman has quit IRC21:48
*** rkofman has joined #openstack-keystone21:49
*** _cjones_ has quit IRC21:50
*** _cjones_ has joined #openstack-keystone21:58
*** harlowja_ has quit IRC22:00
*** harlowja has joined #openstack-keystone22:00
*** sigmavirus24 is now known as sigmavirus24_awa22:00
*** rodrigods_ has joined #openstack-keystone22:00
*** marcoemorais has quit IRC22:04
*** marcoemorais has joined #openstack-keystone22:04
*** marcoemorais has quit IRC22:04
*** marcoemorais has joined #openstack-keystone22:05
*** marcoemorais has quit IRC22:05
*** marcoemorais has joined #openstack-keystone22:05
*** nkinder_ has quit IRC22:07
stevemarugh, finally done with that test for ldap ... just making sure the entire suite passes22:12
stevemarbknudson, heads up for ya22:12
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Fix user-role-add in LDAP backend  https://review.openstack.org/11934522:17
morganfainbergstevemar, woot 15x lines of code for testing!22:17
morganfainbergoh, not 15, uh, 14 :P22:18
stevemarbknudson, morganfainberg err anyone else ^22:18
stevemarmy normal amount of tabbing isn't working22:18
stevemar:P22:18
stevemarmorganfainberg, i *think* that does the trick22:18
morganfainbergstevemar, this *looks* reasonable22:19
morganfainbergstevemar, assume all unit tests are happy?22:19
stevemarthe other backend_ldap tests all pass22:20
stevemari ran them locally22:20
morganfainbergcool22:20
*** cjellick has joined #openstack-keystone22:21
*** saipandi has quit IRC22:23
bknudsonchange in devstack for auth_token options: https://review.openstack.org/#/c/122882/22:24
*** cjellick has quit IRC22:25
bknudsonI added you all to it22:25
*** cjellick has joined #openstack-keystone22:25
bknudsonso when we add new options for v3 auth I'll only have to do it in 1 place.22:25
kenatsdmorganfainberg: are you comfortable saying the pooled memcached backend should be the default?22:26
morganfainbergkenatsd, for using memcached? yes22:26
morganfainbergkenatsd, haha i was wondering where you went22:26
morganfainbergkenatsd, if it isn't the default for token, we open up the DOS scenario :(22:26
*** cjellick has quit IRC22:27
morganfainbergfor caching, the deployer must pick a backend anyway, so the config docs should be sufficient22:27
*** saipandi has joined #openstack-keystone22:27
kenatsdmorganfainberg: i'm just a little worried since it's not really tested in a production like environment22:30
*** kenatsd is now known as dstanek22:30
morganfainbergkenatsd, we could create a new token-backend for it.22:31
*** cjellick has joined #openstack-keystone22:31
morganfainbergmy condern is that if we are supporting memcache in eventlet, we need to resolve the thread.local bit22:31
morganfainbergs/condern/concern22:31
morganfainbergdstanek, i'm happy to say it needs to be a new-token backend, and see about an OSSN being published for it instead of making it default for the token persistence backend22:35
morganfainbergand then we can make the pool an option in middleware with a similar oosn22:36
morganfainbergossn*22:36
dstanekmorganfainberg: yeah, i really don't know what to do here. do you think people just haven't run into this issue or people are not using the caching?22:36
morganfainbergfor the token persistence backend, i think people don't look at socket usage when talking to memcache or haven't had people try and abuse it in an HA/loadbalanced scenario where you really see the high connection count22:38
morganfainbergfor caching, i think very few companies use it.22:38
stevemarbknudson, re your comment, if make it a new unit test, i'd have to fake out another 2 functions22:38
morganfainbergand similarly, you tend to not have people attempting to kill the services this way.22:38
morganfainbergdstanek, i think with auth_token it is less common (except for swift) to use memcache22:39
bknudsonstevemar: it doesn't belong in test_backend_ldap because it doesn't depend on different backend configurations.22:39
morganfainbergdstanek, the reason this is all medium prio is because it's not required deployment and *most* people afaict don't deploy with it.22:39
bknudsonmorganfainberg: they just complain that tokens are filling up their database22:40
morganfainbergbknudson, yeah :(22:41
*** topol has quit IRC22:43
*** rodrigods_ has quit IRC22:44
morganfainbergdstanek, so i'm not opposed to either approach just as long as we decide the way we're solving it :)22:46
*** achampion has joined #openstack-keystone22:46
morganfainbergdstanek, that way we can give an option to avoid eventlet + memcache ick scenarios.22:47
*** saipandi has quit IRC22:48
*** saipandi has joined #openstack-keystone22:48
dstanekmorganfainberg: yeah, i agree. i'm just worried that while functional and passing tests that we haven't really put this through its paces.23:04
morganfainbergdstanek, so lets make it a secondary driver that people can opt into.23:04
morganfainbergdstanek, and for middleware similar, option to deploy. then we cover our bases and we can talk with the security team to see if an OSSN is worth doing / get one out.23:05
dstanekmorganfainberg: i feel much more comfortable with that23:06
morganfainbergdstanek, cool. works for me, should be an easy thing to do23:06
bknudsonI think we had an ossa for a similar auth_token issue23:10
*** jasonsb has quit IRC23:10
bknudsonin that case it could confuse tokens23:10
bknudsonso you could potentially get admin role23:11
*** achampio1 has joined #openstack-keystone23:16
*** achampion has quit IRC23:19
*** meker12 has quit IRC23:22
*** zzzeek has quit IRC23:23
stevemarbknudson, i'm now mocking 4 things, still proceed?23:25
stevemari now have to mock the value of a mock23:25
stevemarit's getting silly pants23:26
*** _cjones_ has quit IRC23:29
*** _cjones_ has joined #openstack-keystone23:30
*** _cjones_ has quit IRC23:35
*** dims has joined #openstack-keystone23:36
*** amcrn has quit IRC23:39
*** dims has quit IRC23:41
stevemarbknudson, i'm out, it's getting silly, i added a paste in the review comments, maybe you know whats going on, i'm stumped23:44
morganfainbergdstanek, bknudson, ok about to post the updated memcache_pool, splitting it to its own token backend23:46
morganfainbergadded another ..WARNING in the documentation as well23:46
morganfainbergjust running tests/doc build/pep8 before posting23:46
*** stevemar has quit IRC23:49
*** richm has quit IRC23:49
*** cjellick has quit IRC23:51
*** _cjones_ has joined #openstack-keystone23:56
