Monday, 2014-09-22

*** stevemar has quit IRC 00:07
*** dims has joined #openstack-keystone 00:59
*** stevemar has joined #openstack-keystone 01:22
*** dims has quit IRC 01:26
*** rodrigods_ has joined #openstack-keystone 01:27
*** sigmavirus24_awa is now known as sigmavirus24 01:27
*** dims has joined #openstack-keystone 01:30
*** dims_ has joined #openstack-keystone 01:31
*** dims has quit IRC 01:35
*** sigmavirus24 is now known as sigmavirus24_awa 01:40
*** dims_ has quit IRC 01:40
*** dims has joined #openstack-keystone 01:41
*** dims has quit IRC 01:45
*** miqui has quit IRC 02:06
*** diegows has quit IRC 02:08
*** rodrigods_ has quit IRC 03:09
*** shakamunyi has joined #openstack-keystone 03:25
*** shakamunyi has quit IRC 04:00
*** rushiagr_away is now known as rushiagr 04:40
*** dims has joined #openstack-keystone 04:41
*** dims has quit IRC 04:46
*** topol has quit IRC 05:03
*** yasu_ has joined #openstack-keystone 05:06
*** ajayaa has joined #openstack-keystone 05:24
*** ajayaa has quit IRC 05:41
<stevemar> morganfainberg i'm pushing bknudson's fix for middleware 05:53
<stevemar> it made jenkins happy 05:53
*** ajayaa has joined #openstack-keystone 05:54
*** david-lyle has joined #openstack-keystone 05:59
*** Clabbe has joined #openstack-keystone 06:13
*** k4n0 has joined #openstack-keystone 06:20
*** stevemar has quit IRC 06:22
*** Sanchit has joined #openstack-keystone 06:22
<Sanchit> When "allow_account_management" is set to true in "proxy-server.conf" file, the reseller admin is allowed to perform PUT and DELETE operations on an account, but when "allow_account_management" is set to false in "proxy-server.conf" file, the mentioned operations are not allowed. 06:23
<Sanchit> So, in the second case, when "allow_account_management" is set to false in "proxy-server.conf" file, who (and how) can create and delete an account? 06:23
*** henrynash has joined #openstack-keystone 06:31
*** mflobo has joined #openstack-keystone 06:37
*** lufix has joined #openstack-keystone 06:50
*** lufix has quit IRC 06:51
*** lufix has joined #openstack-keystone 06:51
*** meker12 has joined #openstack-keystone 06:52
*** afazekas has joined #openstack-keystone 06:53
*** meker12 has quit IRC 07:04
*** kashyap has joined #openstack-keystone 07:18
<kashyap> Hi, when I try to create a Keystone user (this is with Juno M3): 07:20
<kashyap> ProgrammingError: (ProgrammingError) (1146, "Table 'keystone.token' doesn't exist") 'SELECT AS token_id, token.expires AS token_expires, token.extra AS token_extra, token.valid AS token_valid, token.user_id AS token_user_id, token.trust_id AS token_trust_id \nFROM token \nWHERE = %s' ('ADMIN_TOKEN',) 07:20
<kashyap> Any hints here? 07:20
<kashyap> Crap, please ignore me. 07:24
*** ukalifon1 has joined #openstack-keystone 07:24
*** garcianavalon has joined #openstack-keystone 07:26
<kashyap> Hmm, I incorrectly exported the ADMIN token value, now after correctly exporting it, I now see a "ProgrammingError Table 'keystone.domain' doesn't exist" 07:26
*** henrynash has quit IRC 07:49
*** henrynash has joined #openstack-keystone 07:49
*** KanagarajM has joined #openstack-keystone 08:20
*** ajayaa has quit IRC 08:32
*** k4n0 has quit IRC 08:33
*** rushiagr is now known as rushiagr_away 08:44
*** rushiagr_away is now known as rushiagr 08:45
*** amakarov_away is now known as amakarov 08:47
*** ajayaa has joined #openstack-keystone 08:48
*** k4n0 has joined #openstack-keystone 08:51
*** rushiagr is now known as rushiagr_away 08:56
*** david-lyle has quit IRC 09:03
*** rushiagr_away is now known as rushiagr 09:23
*** k4n0 has quit IRC 09:44
*** ajayaa has quit IRC 09:50
*** andreaf_ is now known as andreaf 10:01
*** ajayaa has joined #openstack-keystone 10:02
*** jasondotstar has joined #openstack-keystone 10:07
*** aix has joined #openstack-keystone 10:16
*** mitz_ has joined #openstack-keystone 10:22
*** topol has joined #openstack-keystone 10:27
*** k4n0 has joined #openstack-keystone 10:30
*** topol has quit IRC 10:32
*** zigo has quit IRC 10:50
*** zigo has joined #openstack-keystone 10:52
*** yasu_ has quit IRC 10:54
*** dims has joined #openstack-keystone 10:59
*** Daviey has quit IRC 11:09
*** shakamunyi has joined #openstack-keystone 11:18
*** Daviey has joined #openstack-keystone 11:19
*** shakamunyi has quit IRC 11:20
*** diegows has joined #openstack-keystone 11:25
*** achampion has quit IRC 11:58
*** marzif__ has quit IRC 12:02
*** KanagarajM has quit IRC 12:06
*** openstackgerrit has joined #openstack-keystone 12:14
*** wanghong has quit IRC 12:18
*** wanghong has joined #openstack-keystone 12:18
*** rushiagr is now known as rushiagr_away 12:35
*** dims has quit IRC 12:38
*** andreaf is now known as andreaf_ 12:38
*** dims has joined #openstack-keystone 12:38
*** gordc has joined #openstack-keystone 12:39
*** ajayaa has quit IRC 12:45
<marekd> are we open  with keystone-specs again? 12:56
*** alex_xu has quit IRC 13:04
*** BAKfr has joined #openstack-keystone 13:04
*** achampion has joined #openstack-keystone 13:08
*** nkinder_ has quit IRC 13:12
*** radez_g0n3 is now known as radez 13:19
*** bknudson has quit IRC 13:21
<openstackgerrit> henry-nash proposed a change to openstack/keystone-specs: Remove depreacted kvs backends
<henrynash> marekd: there’s a kilo directory in specs….that’s always open (well until we finish Kilo :-) ) 13:24
<marekd> henrynash: ok 13:27
<marekd> thanks :-) 13:27
<henrynash> marekd: I just posted a spec there myself :-) 13:28
*** zzzeek has joined #openstack-keystone 13:42
*** joesavak has joined #openstack-keystone 13:46
*** topol has joined #openstack-keystone 13:48
*** victsou has joined #openstack-keystone 13:49
<garcianavalon> join #openstack-horizon 13:51
*** sigmavirus24_awa is now known as sigmavirus24 13:53
*** jaosorior has joined #openstack-keystone 13:54
*** victsou has quit IRC 13:55
*** bknudson has joined #openstack-keystone 13:56
*** victsou has joined #openstack-keystone 13:59
*** jsavak has joined #openstack-keystone 14:04
*** joesavak has quit IRC 14:08
*** ayoung has joined #openstack-keystone 14:11
<mhu> marekd, thx :) 14:12
<marekd> mhu: no problem. 14:12
*** stevemar has joined #openstack-keystone 14:13
<mhu> marekd, I was addressing yours and dean's comments, I am about to upload some changes 14:13
<marekd> mhu: ok, great! 14:13
*** nkinder_ has joined #openstack-keystone 14:14
*** andreaf has joined #openstack-keystone 14:15
*** alex_xu has joined #openstack-keystone 14:17
<ayoung> In the interest of getting the KC usable by Horizon....  can  get some attention please? 14:19
*** k4n0 has quit IRC 14:19
*** david-lyle has joined #openstack-keystone 14:24
*** david-lyle has quit IRC 14:24
*** david-lyle has joined #openstack-keystone 14:27
*** david-lyle has quit IRC 14:29
<ayoung> morganfainberg,   describes what you saw in Galera WRT trust counters 14:31
*** andreaf has quit IRC 14:31
*** Tahmina has joined #openstack-keystone 14:36
*** richm1 has joined #openstack-keystone 14:36
*** david-lyle has joined #openstack-keystone 14:40
*** samuelmz has quit IRC 14:53
*** samuelmz has joined #openstack-keystone 14:53
*** diegows has quit IRC 14:55
<dstanek> ayoung: that's pretty interesting 14:55
<ayoung> dstanek, yep...Databases are hard.  Let's go NoSQLing 14:55
<marekd> ayoung: you serious now? 14:56
<ayoung> marekd, I am always seriours. All Ways. 14:56
<dstanek> ayoung: those are harder because devs think they are easy and don't get the corner cases :-) this is why i don't like mongo any more 14:56
<ayoung> seriouser and seriouser 14:56
<ayoung> dstanek, I couldn't like it any less 14:56
<marekd> ayoung: dstanek any experience with redis? (looking for opinions) 14:57
<dstanek> marekd: redis is nice, but i mostly have used it as a kvs 14:57
<ayoung> marekd, we have one real choice.  PostgreSQL.  The rest are going to corrupt your data. 14:58
<dstanek> marekd: i've only used their more complex data structures a tiny bit 14:58
<marekd> ayoung: PostgreSQL with NoSQL features? 14:58
<dstanek> marekd: i have never used it as permanent storage 14:58
<marekd> ayoung: or i misunderstood you. 14:58
<ayoung> marekd, bite your tongue 14:58
<dstanek> marekd: what features do you need? 14:58
<marekd> dstanek: cannot say, just bit my tongue :( 14:59
<marekd> dstanek: no i was going to try some database that could be used in a highly scalable environments out of the box. 14:59
<dstanek> ayoung: we're not talking about your party habits here :-) 15:00
<ayoung> marekd, this is why we want to make tokens ephemeral.  The more we can avoid the Database issues, the better off we all are 15:01
<dstanek> marekd: SQL can scale nicely with the right architecture - i would only use nosql if you have a specific need like schemaless 15:01
<marekd> dstanek: uhm 15:02
<ayoung> dstanek, the only acid I've experienced at parties was reflux.  Despite 10+ years living in San Francisco, I've never done any drugs harder than alcohol and tobacco.  Guess Nancy Reagan was successful with me. 15:02
<dstanek> i found mongo to be incredibly hard to scale 15:02
<marekd> dstanek: why? 15:02
<dstanek> marekd: i found it very hard to deal with reworking shards (adding mostly) - working set restriction made running it very, very costly 15:03
<marekd> dstanek: btw you once told me that super() would handle calling methods from all the parents: while this code prints 'A' instead of 'AB'. 15:04
<dstanek> marekd: i started writing a blog post to address your question, but got side tracked 15:04
*** joesavak has joined #openstack-keystone 15:04
<marekd> dstanek: what's your blog address? 15:04
<marekd> (for future) 15:05
<marekd> dstanek: thanks. 15:06
*** jsavak has quit IRC 15:06
<dstanek> marekd: i have a local version with a totally new design, but i just haven't had the time :-( 15:07
<marekd> sure thing. 15:07
<dstanek> marekd: multiple parents is generally a bad thing and that's why other languages like Java forbid it 15:08
<dstanek> marekd: it's useful (to me) for mixins, but then you would never need super for those since you're not inheriting methods 15:09
<dstanek> marekd: here is your example fixed
<ayoung> Only in OpenStack have I seen a long time developer's patches get derailed by a newcomer non-core making nitpicking, non-essential code review comments.  Something is broken in our process. 15:10
<dstanek> ayoung: what patch is that? 15:10
<ayoung> multiple inheritance is an indication that you should probably be using composition instead 15:10
<ayoung> dstanek, so many...right now it is 15:10
<dstanek> marekd: the old school way
<ayoung> It's like ... it sits there for a week, and then someone comes in and snipes... 15:11
<dstanek> marekd: in the second version of AllTests the TestCase initialized is called twice, which is what testtools was preventing 15:11
<ayoung> dstanek, I'm just a little frustrated trying to Kerberize Horizon...it's just such a PITA, as it requires aligning changes across four  projects.  I have patches that don't work on Django due to needing this feature in the client 15:15
<ayoung> and no one pays attention to the client, look at how long jamielennox's queue is. 15:15
<ayoung> makes me long for the days when termie could just swoop in and rewrite all of keystone with no code review what-so-ever 15:15
<dstanek> ayoung: i find it takes me a long time to review many of the clients reviews out there because i find the general design over engineered and overly complicated 15:19
<ayoung> dstanek, really?  The client/session/auth-plugin structure or something else? 15:20
<dstanek> ayoung: yes, session, plugins, etc. there is a lot of code to do what we do in there 15:21
*** cjellick has joined #openstack-keystone 15:21
<marekd> dstanek: i must confess i didn't really understand why your fixed example prints 'BA'. I guess it has something in common with MRO. 15:21
*** jamielennox has quit IRC 15:22
<ayoung> dstanek, so I think the session piece is confusing to someone coding themselves, and really is more of a mechanism for the other clients to use.  I don't really like exposing it to Django 15:22
<ayoung> dstanek, here's what I would like it to look like: 15:22
<marekd> dstanek: ayoung and lots of **kwargs arguments disappearing somewhere in the class hierarchy (because they are popped), lots of inheritance and base.* classes ;/ 15:22
<dstanek> marekd: basically super(X, self) will calculate the mro (so only unique classes) and call the next one in the chain - if that uses super then it's rinse and repeat 15:23
<ayoung> yeah, jamie's been battling all the backwards compatibility issues with the old code 15:23
<ayoung> the session stuff probably should be exposable but not required 15:23
<dstanek> marekd: if you don't want the parent's version called then you omit the super() call - but super is cooperative so everything should generally use it for it to work as expected 15:23
<marekd> dstanek: okay 15:24
<marekd> dstanek: makes sense. 15:24
<dstanek> marekd: that's why i needed Object so that both A and B could call super() and not get a TypeError 15:24
<marekd> dstanek: yeah. On the other hand it makes a diamond class hierarchy with silent method. And often you cannot change parents. 15:26
<marekd> dolphm: o/ 15:26
*** jorge_munoz has joined #openstack-keystone 15:27
<dstanek> hey dolphm - how are you doing? 15:27
<marekd> dstanek: what if I cannot change A and B and A.f() and B.f() sets some attributes that I will later need in my Derived(A,B) class? 15:28
<dolphm> dstanek: really well 15:28
<dstanek> dolphm: that's good to hear. 15:29
<dolphm> anyone have a link to that ksc review to fix the options iterator thing? 15:30
<dolphm> ^ 15:33
<uvirtbot> Launchpad bug 1372152 in python-keystoneclient "'help' is not working for several subcommands (version 0.11.0)" [High,In progress] 15:33
*** lufix has quit IRC 15:38
<openstackgerrit> Marek Denis proposed a change to openstack/python-keystoneclient: SAML2 wrapper plugin for full federation authN
*** r-daneel has joined #openstack-keystone 15:50
*** david-lyle has quit IRC 15:53
*** _cjones_ has joined #openstack-keystone 15:53
*** cjellick has quit IRC 15:55
*** david-lyle has joined #openstack-keystone 15:55
*** cjellick has joined #openstack-keystone 15:55
*** jsavak has joined #openstack-keystone 15:56
*** amerine has joined #openstack-keystone 15:56
*** joesavak has quit IRC 15:56
*** victsou has quit IRC 15:57
*** joesavak has joined #openstack-keystone 15:58
*** jsavak has quit IRC 16:01
*** diegows has joined #openstack-keystone 16:06
*** henrynash has quit IRC 16:09
*** saipandi has joined #openstack-keystone 16:11
*** garcianavalon has quit IRC 16:11
<kashyap> [JunoM3 User question] Hi, In IceHouse, "By default, the Identity Service creates a special _member_ role." -- It isn't the case in Juno? Because: 16:12
<kashyap> $ keystone user-role-add --user=admin  --tenant=admin --role=_member_ 16:12
<kashyap> No role with a name or ID of '_member_' exists. 16:12
*** marcoemorais has joined #openstack-keystone 16:15
<nkinder_> kashyap: I see _member_ in my Juno setup 16:15
<nkinder_> kashyap: what does 'keystone role-list' show as admin on your system? 16:15
<YorikSar> morganfainberg: ping 16:15
<kashyap> nkinder_, One moment. 16:16
*** wwriverrat has joined #openstack-keystone 16:16
<kashyap> (These are on F21/Rawhide.) 16:16
<YorikSar> dstanek: Or mb you're around? 16:16
<kashyap> nkinder_, It lists only 'admin' role. 16:16
<ayoung> kashyap, there is a config option that defines what role to use for  add_user-to-project 16:17
<dstanek> YorikSar: hi 16:17
*** wwriverrat has left #openstack-keystone 16:17
<nkinder_> kashyap: is this a RDO setup via packstack? 16:17
<YorikSar> dstanek: Hi. Do you know if morganfainberg is working on memcache pool CR? 16:17
<dstanek> YorikSar: no idea, i haven't seen him yet this morning 16:18
<YorikSar> dstanek: Oh, right, it's Monday morning your time :) 16:18
<YorikSar> dstanek: Ok, I'll just do some cleanup there then. 16:18
<dstanek> it's noon here, which means 9am for morganfainberg 16:19
<nkinder_> kashyap: for my all-in-one, I have admin, _member_, ResellerAdmin, and SwiftOperator 16:19
*** Tahmina has quit IRC 16:19
<ayoung> dstanek, dolphm what do you think is the right relationship between KC client sessions  and  Django OpenStack Auth/Horizon?   Does the session abstraction even mean anything there? 16:20
<dolphm> ayoung: if you can serialize the ksc session, why not? 16:21
<ayoung> If a user sends two requests to DOA, they are going to create clients from scratch, based on the token stored in the HTTP session.  I don't know if a KC session would/should persist across multiple requests to Horizon 16:21
<ayoung> dolphm, well, right now I don't think we can. 16:21
<dolphm> ayoung: probably not (i haven't tried, anyway), but that was one of jamie's original goals 16:21
<dstanek> ayoung: i'm not sure what the advantage would be to persist the ksc session 16:22
<ayoung> dolphm, I saw a case in one of the patches where serialization failed  to the keyring. 16:22
* kashyap's IRC proxy got dropped briefly. If something was addressed to me, please re-post. 16:22
<ayoung> dolphm, dstanek Why do we have that abstraction?  I understand client and plugin, but not session 16:22
<ayoung> I mean, I know that requests has a session, what is the KC client adding to that abstraction? 16:23
<ayoung> I originally thought it was so that the same rules were applied when talking to each of the endpoints, but they would have to have their own sessions the way it is coded 16:23
<dstanek> ayoung: the way i understand it is that it benefits you when constructing with credential that have to be evaluated by keystone (email+password) so that you only have to do it once 16:24
<dstanek> ayoung: kind of like a cookiejar when scraping HTTP sites 16:24
<kashyap> nkinder_, My current DevStack setup has it too, thanks for confirming. I'll investigate my setup more. 16:25
<ayoung> dstanek, So you would expect the session object to be shared across multiple clients (Nova, Glance and the like?) 16:25
<dstanek> ayoung: yes, if they are within the same process 16:25
*** BAKfr has quit IRC 16:26
<ayoung> kashyap, _member_ was done in a migration way back when we removed direct "membership" of users in projects 16:26
<ayoung> dstanek, so for Horizon, the right approach would be for the session to be persisted, not the token,  in the users cookie? 16:26
<dolphm> ayoung: i don't think it was a migration. it's only dynamically created on v2 default tenancy assignments 16:26
<dolphm> if you don't use v2, you'll never have a _member_ role 16:26
<ayoung> dolphm, I wrote it 16:26
<ayoung> it has been collapsed since then 16:27
<ayoung> it was around migration 16 or so, 16:27
<kashyap> ayoung, I see,  I'll look up the config option you alluded to above too. I'm just puzzled why I don't see the _member_ role in this fresh setup 16:27
<ayoung> kashyap, do you have that config option set in the keystone.conf? 16:27
* kashyap checks 16:27
<ayoung> My guess is we are finally doing "Member" and not "_member_" 16:28
<kashyap> notmyname, it's not there: 16:28
<kashyap> $ grep member /etc/keystone/keystone.conf  | grep -v ^$ | grep -v ^# 16:28
<kashyap> echo $? 16:28
<ayoung> kashyap, that looks suspect 16:28
<kashyap> nonameentername, Err, didn't mean to prompt you, bad tab complete :-( 16:28
<kashyap> Argh, notmyname I meant 16:29
* kashyap just can't type 16:29
<ayoung> kashyap, what happens when you call the V2 api to add a user to a project? 16:29
* notmyname is very familiar with erroneous tab-complete ;-) 16:29
*** r-daneel has quit IRC 16:29
<kashyap> ayoung, You have a quick handy CLI for that? 16:29
<ayoung> coming up 16:29
<ayoung> kashyap, you have an RDO set up with the defaults? 16:30
<kashyap> ayoung, No, to give you the horror, this is hand configured, just started w/ Keystone. 16:30
<ayoung> kashyap, ah, that is why 16:30
*** marcoemorais has quit IRC 16:30
<samuelmz> lbragstad, I replied your comments on bugs #1367480 and #1367740 16:30
<ayoung> we dropped the migration, so you wouldn 16:30
<ayoung> 't have it 16:31
<uvirtbot> Launchpad bug 1367480 in keystone "Add test for grant CRUD on test_backend" [Undecided,New]
<uvirtbot> Launchpad bug 1367740 in keystone "Assignment backends raise non-suggestive exception in grant CRUD" [Undecided,New]
<samuelmz> lbragstad, I'd be glad if you could take a look at them 16:31
<kashyap> ayoung, I'm taking good notes, I can quickly post you a URL if you want to see the sequence of commands I ran. 16:31
*** marcoemorais has joined #openstack-keystone 16:31
<lbragstad> samuelmz: sure thing, I'll add them to my queue 16:31
<kashyap> ayoung, Ah, so, what you suggest? 16:31
<morganfainberg> ayoung, interesting article 16:32
<ayoung> kashyap, you need a role for that 16:32
<samuelmz> lbragstad, thanks 16:32
<lbragstad> samuelmz: np 16:32
<ayoung> kashyap, I'd suggest making the role name 'Member' as that is what Horizon does 16:32
<kashyap> ayoung, Okay, will try 16:33
<ayoung> kashyap, we couldn't do that in the migration for fear of conflicting with that role, which is why _member_ 16:33
<ayoung> kashyap, the UUID value for it is probably fine. 16:33
*** r-daneel has joined #openstack-keystone 16:33
<kashyap> ayoung, Since I'm not going to use Horizon, so shall I just create the _member_ role and be done w/ it? $ keystone role-create --name _member_ 16:34
* kashyap just tries 16:34
<ayoung> kashyap, no  make it Member and set the config option too 16:34
<kashyap> ayoung, Ah, okay. 16:35
<ayoung> that is the expected approach. 16:35
<ayoung> kashyap, the default is just a case of "make one mistake and support it for the rest of your life" 16:35
<kashyap> ayoung, Okay, Member role created; now can you please spell out where do I set this config option 16:36
<ayoung> kashyap, heh 16:36
<ayoung> in /etc/keystone/keystone.conf 16:36
<kashyap> I can take no as an answer to "go do your homework" 16:36
<ayoung> the option is the member name one 16:36
<ayoung> kashyap, take it as "Adam's 8 year old got up too damn early today and Adam is more grumpy, grouchy and irritable than usual" 16:37
<kashyap> ayoung, I appreciate your time, won't leech it more. 16:38
<openstackgerrit> Morgan Fainberg proposed a change to openstack/keystonemiddleware: Add an optional advanced pool of memcached clients
<kashyap> ayoung, Thank you, it works. /me moves forward. 16:40
<morganfainberg> dstanek, re: rebased on to the fix 16:40
<morganfainberg> dstanek, it was a test failure in master due to changes in ksc 16:40
<dolphm> morganfainberg: i was going to suggest discussing bug 1362245 in tomorrow's meeting, but i'm not sure i'll be there. see my comment at the bottom of
<uvirtbot> Launchpad bug 1362245 in keystone "Update  Endpoint Filter APIs" [Low,In progress]
<morganfainberg> dolphm, looking. 16:43
<dolphm> morganfainberg: thoughts on mark as Won't Fix & dropping from RC1? 16:43
*** jsavak has joined #openstack-keystone 16:43
<morganfainberg> dolphm, thinking at the very least dropping from RC 16:43
<dolphm> morganfainberg: then if it's not fixed in Juno, i'd rather keep the small wart 16:43
<morganfainberg> dolphm, works for me 16:44
<dolphm> alrighty, i'll push buttons 16:44
<morganfainberg> dolphm, it's not a *big* deal, it's a minor "oh bah this is less consistent than we may have wanted but not crazy weird" 16:44
<ayoung> dolphm, OK,  let's assume for the moment that we make Session persistable. Would it then make sense that if a session starts with the Password plugin, it should automatically swap it to a token plugin after authentication?  Or, better yet, you never actually assign the password plugin to the session, just use it to allocate the token? 16:45
*** henrynash has joined #openstack-keystone 16:45
*** joesavak has quit IRC 16:45
<ayoung> The only cases where I can see reusing the auth plugin after initial authentication makes sense is X509/Kerberos cases where the client plugins will be setting some aspect of the request outside the payload body 16:46
<dolphm> morganfainberg: exactly 16:47
<dolphm> ayoung: i'll defer to jamie on those :) 16:47
*** r-daneel has quit IRC 16:49
*** r-daneel_ has joined #openstack-keystone 16:49
<ayoung> dolphm, I don't think he'd want that.  I think he's been working on this in isolation for too long;  we really should all understand and, if not agree on the design, at least agree on the problems 16:49
<ayoung> dolphm, and he isn't here...he's out getting all spousified 16:50
<morganfainberg> ayoung, /me reads the backscroll on this topic 16:52
<morganfainberg> YorikSar, pong 16:52
<ayoung> dolphm, I mean, if we can't understand the rationale,  how do we expect the people that use the client to 16:52
<YorikSar> morganfainberg: Good morning :) 16:53
<morganfainberg> YorikSar, morning, how are you? 16:53
<ayoung> dolphm, if we persist the session, we can't persist the password.  That would be a security issue. 16:53
<YorikSar> morganfainberg: I'm doing some cleanup on new version of Keystone  CR. 16:53
<ayoung> And the Password plugin has to hold on to the password 16:53
<YorikSar> morganfainberg: I'm sorry for being absent for so long. 16:53
<morganfainberg> YorikSar, no worries. I was planning on talking to you today about it :) 16:53
<ayoung> If we don't hold on to the password, however, a client program will not be able to reauthenticate once the token expires 16:54
<morganfainberg> YorikSar, it happens man, we're all busy (which is why i've been trying to help it along) 16:54
<dstanek> morganfainberg: the 2.6 failure? 16:54
<morganfainberg> dstanek, yep 16:54
<morganfainberg> dstanek, same issue as the composite auth one had with py26/27/33 16:54
<morganfainberg> YorikSar, so the big change I made was just splitting it out as optional rather than default. This is because there is some general concern about the drive time on the code in production/production ready and we don't want to leave people high-and-dry if it doesn't work for them. 16:55
<YorikSar> morganfainberg: So far I've fixed all comments and removed all timeouts in tests (zeroed them) to not wait at all. 16:55
<YorikSar> morganfainberg: Yeah, sure. That's reasonable. 16:56
<morganfainberg> YorikSar, ok cool. 16:56
<morganfainberg> YorikSar, sounds good, let's get this wrapped up today if possible :) 16:57
<YorikSar> morganfainberg: I'll post new changes shortly. 16:57
<morganfainberg> YorikSar, great! thanks for this :) 16:57
<YorikSar> morganfainberg: unittests are passing, short 'battle' test and we're good :) 16:57
<YorikSar> morganfainberg: btw, about comment on copyrights. Did I get it right that you prefer to not leave them around at all? 16:59
<samuelmz> dstanek, I replied your comment on bug #1360406 ... I'd be glad if you could take a look at that .. 16:59
<uvirtbot> Launchpad bug 1360406 in keystone "Wrong return from list role assignments on KVS" [Low,In progress]
<samuelmz> dstanek, we should decide if we'll merge or abandon the patch . 16:59
<morganfainberg> YorikSar, i prefer they not be there, but there is no reason to remove them if your org requires them. officially we allow them. 16:59
<morganfainberg> in fact, i should probably 2x check to see if I am *supposed* to start adding them. 17:00
<YorikSar> morganfainberg: I have no idea if Mirantis requires them... So let's leave them to not hold the patch :) 17:00
<morganfainberg> YorikSar, yeah no one should hold up the patch for a company copyright. The only case I would say we have an issue is if someone assigns the copyright to the Foundation and they do not work for the foundation. That doesn't work. 17:01
<dstanek> samuelmz: i was leaving it open for the likes of dolphm, morganfainberg and other cores to comment 17:01
<YorikSar> morganfainberg: Yeah... 17:01
<dstanek> samuelmz: henrynash has plans to kill that code
<YorikSar> morganfainberg: Wow, I got commit hash 0010803 - 11 leading 0 bits and digits only! That's a rare one :) 17:02
<morganfainberg> YorikSar, nice! 17:03
*** sigmavirus24 is now known as sigmavirus24_awa 17:04
<morganfainberg> samuelmz, dstanek, basically I don't see a reason to include that in Juno. 17:04
<morganfainberg> samuelmz, dstanek, if it's not in juno i don't think we need to fix it because KVS is going away in Kilo 17:04
<dstanek> morganfainberg: samuelmz: that was my thinking as well 17:06
*** afazekas has quit IRC 17:08
<openstackgerrit> Yuriy Taraday proposed a change to openstack/keystone: Add a pool of memcached clients
<morganfainberg> dolphm, should we remove the milestone from as well? 17:09
<uvirtbot> Launchpad bug 1362245 in keystone "Update  Endpoint Filter APIs" [Low,In progress] 17:09
<YorikSar> morganfainberg, dstanek: ^ - it showed even more performance than I remember 17:10
<YorikSar> probably its queue stuff 17:10
<dstanek> YorikSar: i didn't realize that you were doing performance tests too 17:11
<dstanek> YorikSar: yeah, i would have expected moving the a Queue to perform better - how much better? 17:11
<YorikSar> dstanek: I'm verifying if it works with 'ab -c 100 -n 1000' and it shows 'Requests per second' as well. 17:12
<YorikSar> dstanek: From what I remember, it was around 80 with previous implementation. Now it's 123 17:12
<YorikSar> dstanek: I guess deque and stdlib Queue really wins with high load :) 17:13
<YorikSar> dstanek: But that's not an exact benchmark - it's running on a VM, with ab on the same VM, with a lot of moving parts. 17:14
<dstanek> YorikSar: still it's very nice work! 17:15
<samuelmz> dstanek, morganfainberg, I will invalidate the bug and abandon the patch, ok? 17:15
<dstanek> samuelmz: i marked the bug as won't fix with a link to henry's proposal 17:16
<samuelmz> dstanek, ok thanks 17:16
<dstanek> samuelmz: once i have a little more time i want to swing back to the rest of the stuff you guys are working on 17:16
<samuelmz> dstanek, np thanks :-) 17:17
*** amakarov is now known as amakarov_away 17:18
*** harlowja_away is now known as harlowja 17:21
*** gyee has joined #openstack-keystone 17:21
*** Tahmina has joined #openstack-keystone17:28
ayoungdstanek, does this make sense:  create a new class method on httpclient:  client_factory.  It Takes in: auth_plugin blus the other session level params, but not the full list. It  Uses the auth plugin to get a token, then creates a token plugin  and ensures that the session has that.  We use the "versionless" interface for the auth plugins (not v2 or v3 specific) but allow the factory to explicitly set one:  bypass the forc17:29
ayounged discovery.17:29
*** cjellick has quit IRC17:30
ayoungSo we hide the session from the end user.17:30
*** marcoemorais has quit IRC17:31
ayoungBuilds on top of "use session in authenticate" that I started here:
*** marcoemorais has joined #openstack-keystone17:32
*** henrynash has quit IRC17:32
*** joesavak has joined #openstack-keystone17:33
*** jsavak has quit IRC17:35
dstanekayoung: sounds sane, but i don't understand the current design. i'd have to look into how it's used now17:36
ayoungdstanek, client has 3 use cases: CLI,  auth token middleware, Horizon17:36
ayoungWell, four: HEAT etc17:36
*** _cjones_ has quit IRC17:38
*** cjellick has joined #openstack-keystone17:38
*** _cjones_ has joined #openstack-keystone17:38
stevemarmorganfainberg, almost there!17:39
*** _cjones_ has quit IRC17:41
*** _cjones_ has joined #openstack-keystone17:41
morganfainbergstevemar, yessss!17:42
*** gyee has quit IRC17:43
*** david-lyle has quit IRC17:44
*** amcrn has joined #openstack-keystone17:50
openstackgerritBrant Knudson proposed a change to openstack/python-keystoneclient: Fix auth_token for old oslo.config
samuelmzdolphm, do you still want to support pagination on keystone queries? As described on bug  #100902317:53
uvirtbotLaunchpad bug 1009023 in python-keystoneclient "Pagination is not implemented" [Wishlist,Triaged]
*** gyee has joined #openstack-keystone17:53
*** david-lyle has joined #openstack-keystone17:54
*** aix has quit IRC17:55
*** joesavak has quit IRC17:57
openstackgerritA change was merged to openstack/keystone: Add info about pysaml2 into federation docs.
*** joesavak has joined #openstack-keystone17:58
openstackgerritAndreas Jaeger proposed a change to openstack/identity-api: Update to clouddocs-maven-plugin 2.1.3
*** victsou has joined #openstack-keystone17:59
ayoungcan we  merge projects and domains into one object?  Please?18:00
*** sigmavirus24_awa is now known as sigmavirus2418:00
ayoungI want to add rescope(tenant)  to the client18:00
ayoungbut I need to do something like this18:01
ayoungclient.rescope(project_id=None, domain_id=None):18:01
*** jsavak has joined #openstack-keystone18:01
ayoungand then assert only one or the other is set18:01
ayoungor I could make two functions.18:01
*** joesavak has quit IRC18:05
*** harlowja has quit IRC18:05
*** _cjones_ has quit IRC18:05
*** harlowja_ has joined #openstack-keystone18:05
*** _cjones_ has joined #openstack-keystone18:06
*** marcoemorais has quit IRC18:06
*** marcoemorais has joined #openstack-keystone18:06
*** ukalifon1 has quit IRC18:08
*** _cjones_ has quit IRC18:10
*** _cjones_ has joined #openstack-keystone18:11
*** ukalifon has joined #openstack-keystone18:11
morganfainbergayoung, i think we talked about making projects/domains one object before18:14
ayoungmorganfainberg, I should have insisted on it at inception18:15
morganfainbergayoung, eh, in fact this came up with the hierarchy stuff last summit18:15
ayoungand it is too late to do anything about it now...just more whinging on my part18:16
raildoNow it's some late for that :P18:17
*** raildo has left #openstack-keystone18:17
*** raildo has joined #openstack-keystone18:17
*** raildo has left #openstack-keystone18:17
*** raildo has joined #openstack-keystone18:18
raildoayoung, do you know if there is an etherpad for proposals to design summit in Keystone?18:19
ayoungraildo, not that I know of18:20
raildothey are using this etherpad for cross-projects
raildoI thought there would be equal to the keystone18:26
stevemarbah failed to merge18:27
*** cjellick has quit IRC18:30
*** gyee has quit IRC18:30
*** david-lyle has quit IRC18:33
*** david-lyle has joined #openstack-keystone18:34
*** htruta has joined #openstack-keystone18:40
*** david-lyle has quit IRC18:40
*** david-lyle has joined #openstack-keystone18:41
nkinder_hmmm, still no movement on the kerberos plug-in new repo request :(18:45
morganfainbergnkinder_, i think it needs dolphm's nod (as the PTL) to get it18:46
morganfainbergnkinder_, there otherwise were no complaints afaict18:46
nkinder_morganfainberg: ah, ok.  dolphm is out though, right?18:46
morganfainbergnkinder_, he's around on-and-off right now18:47
morganfainbergnkinder_, but it's not consistent18:47
morganfainbergstevemar, so close:
*** david-lyle has quit IRC18:51
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Fix minor spelling issues in comments
morganfainbergnkinder_, see ttx's comment18:53
morganfainbergnkinder_, and i think that is the only thing that would hold up the repo add18:53
morganfainbergnkinder_, *think*18:53
*** openstack has joined #openstack-keystone18:55
*** david-lyle has quit IRC18:55
dstanekstevemar: patience, young one18:55
stevemardstanek, haha18:55
*** david-lyle has joined #openstack-keystone18:55
morganfainbergdstanek, well played18:55
*** victsou has quit IRC18:58
*** _cjones_ has quit IRC19:10
*** rwsu has joined #openstack-keystone19:10
*** _cjones_ has joined #openstack-keystone19:11
*** _cjones_ has quit IRC19:15
*** marcoemorais has quit IRC19:16
*** marcoemorais has joined #openstack-keystone19:16
*** rushiagr_away is now known as rushiagr19:28
*** david-lyle has quit IRC19:29
*** victsou has joined #openstack-keystone19:30
*** david-lyle has joined #openstack-keystone19:30
*** henrynash has joined #openstack-keystone19:33
*** _cjones_ has joined #openstack-keystone19:41
*** _cjones_ has quit IRC19:52
*** _cjones_ has joined #openstack-keystone19:52
*** vhoward has left #openstack-keystone19:56
*** shakamunyi has joined #openstack-keystone19:57
*** gyee has joined #openstack-keystone20:02
openstackgerrithenry-nash proposed a change to openstack/keystone-specs: Add an extension to store domain specific configuration in SQL.
morganfainberghenrynash, woo20:02
henrynashmorganfainberg: :-)20:03
gyeehenrynash, nice!20:04
gyeethat's assuming your primary backend is SQL?20:05
*** rushiagr is now known as rushiagr_away20:05
*** topol has quit IRC20:08
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Support service user and project in non-default domain
henrynashgyee: well it is more lined to assignments really (since that’s where domains are)…so it would be perfectly fine to have all LDAP identity, but store domains+domain configurations in SQL20:10
openstackgerritA change was merged to openstack/identity-api: Update to clouddocs-maven-plugin 2.1.3
gyeehenrynash, makes sense, I really like that proposal, right now we have to create that domain-specific conf file and bounce keystone20:11
kashyapayoung, Got a moment? Just got back to my Keystone setup. I'm annoyed enough that I want to stay up to see if I can get to the bottom of this20:11
*** _cjones_ has quit IRC20:12
*** _cjones_ has joined #openstack-keystone20:12
kashyapSo, I'm hitting this when I invoke $ keystone --debug token-get:  "Expecting a token provided via either --os-token or env[OS_SERVICE_TOKEN]"20:13
kashyapYes, I did unset the environment variables.20:13
stevemarkashyap, sounds like you unset one too many :)20:13
kashyapstevemar, :-)20:14
kashyapYeah, what irks me is - I never had issues w/ Keystone all this time, Juno-M3, I'm shaving all kinds of yaks20:14
stevemar+1 for just using that expression alone20:14
stevemaryou've got my attention20:14
kashyapThat's my config details -
henrynashgyee: yep20:15
ayoungdolphm the Kerberos auth plugin repo is just awaiting a +1 from you20:15
henrynashayoung: and there was me thinking we had to save yaks…when in reality we had to shave them...20:15
ayoung  dolphm20:16
*** _cjones_ has quit IRC20:17
ayoungkashyap,  remind me to talk to the openstack common client guys so they don't inherit that SERVICE_TOKEN annoyance from us20:17
kashyapayoung, Yes, sir. I added it to my TODO list. But I'm in the midst of moving between continents next two weeks, so it's all mad as hell here :-)20:18
ayoungkashyap, what is your final destination20:18
* ayoung hopes you say Massachusetts20:18
kashyapayoung, Belgium20:18
kashyapI'll visit next year20:18
ayoungOh well.20:19
kashyapstevemar, That's my notes I diligently kept while configuring  -
* ayoung is looking forward to all the L-release conversations that will end with "We'll always have Paris."20:19
*** bjornar_ has joined #openstack-keystone20:20
*** ayoung is now known as ayoung-afk20:20
kashyapayoung-afk,  I met you in Boston 4 years ago. I hope I'll see you Paris summit?20:20
ayoung-afkkashyap, gotta run and pick up someone at the train20:20
ayoung-afkI'll be back on line in a second...20:20
kashyapNo rush, see ya.20:20
ayoung-afkwell...little longer than that20:20
kashyapYeah, don't be pedantic :-)20:21
*** andreaf has joined #openstack-keystone20:21
*** jaosorior has quit IRC20:22
stevemarkashyap, try using openstackclient :D20:23
*** _cjones_ has joined #openstack-keystone20:23
stevemarkashyap, you make some mighty good notes20:23
kashyapLessons from past, to be diligent when debugging computers.20:24
kashyapstevemar, So, any clues so far what am I doing wrong? I wonder if should just start over20:26
stevemarkashyap, do other keystone commands work with that CLI?20:27
stevemarlike `keystone user-list`20:28
kashyapIf I explicitly set the env variables on CLI, it does work20:28
stevemarkashyap, that's weird20:30
*** morgan_remote_ has joined #openstack-keystone20:30
stevemarwhat's that command look like?20:30
stevemarand what's the output of say `env | grep OS` ?20:31
kashyap1 sec20:31
*** joesavak has joined #openstack-keystone20:31
kashyapThere we go -
*** jsavak has quit IRC20:32
kashyapFor that error, I know that there's a patch from Adam 'NoneType' object has no attribute 'has_service_catalog' --
kashyap(I've applied that locally, but I see that's not relevant to _why_ token is not fetched)20:34
openstackgerritgordon chung proposed a change to openstack/keystonemiddleware: Adding audit middleware to keystonemiddleware
* kashyap enables debug logs in keystone.conf & tries20:34
kashyapHmm, no dice.20:36
*** _cjones_ has quit IRC20:38
*** _cjones_ has joined #openstack-keystone20:38
stevemarkashyap, i think it's not advised to have both SERVICE_TOKEN/ENDPOINT and USERNAME/PASSWORD set at the same time20:38
stevemarunset those, (but you mention it earlier that you did)20:39
stevemarunset the OS_SERVICE ones20:39
kashyapYeah, let me try that20:40
stevemarthe service ones should just be needed for setting endpoints / services / and the initial admin user/role/project20:41
stevemarbeyond that, unset them and always use the username / password combo with OS_AUTH_URL20:41
stevemarkashyap, actually my devstack is failing on what appears to be the same message20:42
kashyapHmm, which 'same message'?20:43
*** _cjones_ has quit IRC20:43
openstackgerritA change was merged to openstack/keystone: Update URLs for keystone federation configuration docs
kashyapstevemar, . . . 'has_service_catalog'?20:43
stevemarlooks like it's trying to run keystone token-get20:44
* kashyap git pulls his DevStack (and has RECLONE=yes, so I'm sure, it'll do a fresh checkout)20:44
stevemarkashyap, i just did the same :(20:45
stevemarmight need
stevemarbut that's just tests...20:46
stevemarsomething weird is up20:47
kashyapAh, good. So, it's just me going bonkers.20:47
kashyapit's *not*20:48
*** david-lyle has quit IRC20:49
*** samuelmz has quit IRC20:49
stevemarit's funny because i thought i removed all references to keystone token-get in devstack20:50
*** victsou has quit IRC20:50
stevemarand replaced them with openstack ones20:50
*** david-lyle has joined #openstack-keystone20:51
kashyapI see. Will let you know if I can reproduce the issue here20:52
* kashyap watches DevStack invoke: $ keystone-manage db_sync20:54
*** _cjones_ has joined #openstack-keystone20:57
kashyapstevemar, Hmm, it doesn't fail for me here. I can post my devstacklog.txt if you prefer21:03
stevemarmagic of devstack kashyap, magic of devstack21:05
kashyapnotmyname, just a test monkey here21:06
kashyap(Err, I prompted you again :-(21:06
kashyapstevemar, Those are the commits I am at:21:08
kashyapDevStack commit: 8fe3f70efd6c74479d2f17b789976fb3dfb8efd221:08
kashyapKeystone commit: 641381aec54ad93320c1d38b1d96a61dccc6c1b321:08
kashyappython-keystoneclient: 0b06683be6d13d21dfffa19be46e1159edb9fce021:08
*** henrynash has quit IRC21:08
*** _cjones_ has quit IRC21:08
stevemarkashyap, are the CLI commands working for you now?21:09
kashyapIf you mean on the DevStack instance, testing. . .21:09
kashyapstevemar, Yes, works like a charm.21:10
kashyapThere we go, also posted my local.conf --
* kashyap now hits the hay, thanks all for the help, will try to check scroll tomorrow.21:12
openstackgerritBrant Knudson proposed a change to openstack/keystonemiddleware: Fix auth_token for old oslo.config
*** radez is now known as radez_g0n321:14
*** _cjones_ has joined #openstack-keystone21:15
*** bjornar_ has quit IRC21:19
*** jasondotstar has quit IRC21:28
*** joesavak has quit IRC21:32
*** amcrn has quit IRC21:36
morganfainbergbknudson, apt issue on the fix for options21:47
bknudsonmorganfainberg: ?21:47
morganfainbergbknudson, looks like your fix even hits the weird edge cases like that. +2 on it and the middleware version21:47
morganfainbergbknudson, nic had a version installed from apt, namespace got wonky21:48
morganfainbergso old oslo.config was being loaded21:48
bknudsonmorganfainberg: that's what I was thinking must be happening.21:49
*** harlowja_ has quit IRC21:49
*** harlowja has joined #openstack-keystone21:49
morganfainbergayoung-afk, stevemar, gyee, lbragstad, dolphm, could someone look at and +2/+A if it looks good to you?21:51
*** rkofman has quit IRC21:52
*** rkofman has joined #openstack-keystone21:53
*** dims_ has joined #openstack-keystone21:56
*** ukalifon has quit IRC21:56
*** dims_ has quit IRC21:58
*** gokrokve has joined #openstack-keystone21:58
*** dims_ has joined #openstack-keystone21:58
*** amcrn has joined #openstack-keystone21:58
*** rodrigods_ has joined #openstack-keystone21:59
gyeemorganfainberg, there's a -1 on that review21:59
*** dims has quit IRC21:59
gyeesorry I got stuck in a meeting, just got back to my desk22:00
*** ukalifon1 has joined #openstack-keystone22:02
morganfainberggyee, the -1 is dhellmann's due to concern about not validating non-string options22:03
morganfainberggyee, in this case that is exactly the behavior we're looking for if the option doesn't have a type attribute (fall back to the old logic)22:04
morganfainberggyee, s/logic/behavior - that is to say, everything was previously treated as a string22:04
gyeemorganfainberg, I see22:05
morganfainbergbknudson, ^ correct? just 2x checking my understanding22:05
bknudsonmorganfainberg: gyee: yep, good explanation22:05
stevemarmorganfainberg, lgtm22:11
stevemarbeat gyee to the punch!22:11
*** _cjones_ has quit IRC22:12
*** _cjones_ has joined #openstack-keystone22:12
gyeestevemar, I need a new mouse :)22:12
*** sigmavirus24 is now known as sigmavirus24_awa22:13
*** rodrigods_ has quit IRC22:29
*** gordc has quit IRC22:35
*** morgan_remote_ has quit IRC22:40
openstackgerritBrant Knudson proposed a change to openstack/keystone: Fix enabled emulation naming attribute calculation
openstackgerritBrant Knudson proposed a change to openstack/keystone: Fix create and user-role-add in LDAP backend
*** saipandi has quit IRC22:50
*** wwriverrat has joined #openstack-keystone22:51
*** wwriverrat has left #openstack-keystone22:51
openstackgerritBrant Knudson proposed a change to openstack/keystone: Fix create and user-role-add in LDAP backend
openstackgerritBrant Knudson proposed a change to openstack/keystone: Fix create and user-role-add in LDAP backend
bknudsonok, I think it's ready.22:55
*** amcrn has quit IRC23:00
*** wwriverrat has joined #openstack-keystone23:01
*** bknudson has quit IRC23:02
*** nkinder_ has quit IRC23:07
openstackgerritMorgan Fainberg proposed a change to openstack/keystonemiddleware: Fix auth_token for old oslo.config
*** cjellick has joined #openstack-keystone23:47
*** cjellick has quit IRC23:47
*** cjellick has joined #openstack-keystone23:48
*** gokrokve has quit IRC23:51
*** Tahmina has quit IRC23:58
