Tuesday, 2014-09-30

<ayoung-afk> nkinder, done. +A [00:58]
<ayoung-afk> I like the refactoring in that patch [00:59]
<ayoung-afk> morganfainberg, nkinder lookupd was the answer I was looking for WRT "how do we make mod_lookup_identity work on a mac" [01:00]
<morganfainberg> aha [01:00]
<ayoung-afk> morganfainberg, so, it leads to the approach of "letting the OS handle LDAP" and then using federation for the keystone side [01:03]
<morganfainberg> makes sense as long as we get enough of the info. [01:05]
<morganfainberg> which we should (and we don't have the *bad* PAM module back) [01:06]
<nkinder> ayoung: thanks! That one was sort of the second half of an issue that brant previously fixed. [01:20]
<openstackgerrit> wanghong proposed a change to openstack/keystone: V2 token from trust cannot be generated with user/password https://review.openstack.org/112230 [01:57]
<openstackgerrit> wanghong proposed a change to openstack/keystone: wrong logic in assertValidRoleAssignmentListResponse method https://review.openstack.org/119303 [03:37]
<openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex https://review.openstack.org/124950 [06:40]
<marekd> mhu: appreciate your eyes on https://review.openstack.org/#/c/124767/1 and https://review.openstack.org/#/c/106751/ ;-) [06:50]
<openstackgerrit> wanghong proposed a change to openstack/keystone: use expected_length parameter to assert expected length https://review.openstack.org/124957 [07:05]
<openstackgerrit> wanghong proposed a change to openstack/keystone: V2 token from trust cannot be generated with user/password https://review.openstack.org/112230 [07:09]
<openstackgerrit> wanghong proposed a change to openstack/keystonemiddleware: correct docstring https://review.openstack.org/120333 [07:29]
<mhu> marekd, will do, I got to fix one of my patches first :) [08:05]
<openstackgerrit> Julien Danjou proposed a change to openstack/keystonemiddleware: Update oslo-incubator and switch to oslo.{utils,serialization} https://review.openstack.org/124979 [08:26]
<openstackgerrit> wanghong proposed a change to openstack/keystone: V2 token from trust cannot be generated with user/password https://review.openstack.org/112230 [08:31]
<openstackgerrit> Juan Antonio Osorio Robles proposed a change to openstack/keystone: Refactor assignment expansion related functions https://review.openstack.org/119363 [08:53]
<marekd> mhu: thanks. [09:03]
<ekarlso> nkinder: a q, how you mean by splitting out the ID part of keystone ? [09:08]
<keith_> hi after a power failure keystone is not allowing any user to login, httpd log shows invalid login [10:13]
<keith_> no user is able to authenticate.. tried creating new user but it's not working.. but keystone commands are working for the user admin, but not through dashboard [10:14]
<mhu> keith_, what backend do you use for users ? Could be that the power failure corrupted the user base [10:54]
<keith_> mhu: Mysql, i can perform keystone commands against admin endpoint using admin credentials but in horizon it shows invalid user [10:56]
<mhu> the admin endpoint auth doesn't use the users backend, if I were you I'd check the db state [10:57]
<keith_> mhu : db has all the user entries checked in keystone.user [11:06]
<mhu> keith_, anything in keystone logs ? [11:21]
<keith_> mhu : no log is not showing anything [11:24]
<keith_> mhu: tenant-list shows all the projects [11:25]
<mhu> keith_, set logging to DEBUG level [11:35]
<keith_> mhu : still no error in logs [11:41]
<viklund> I think I've found a bug, introduced by the patch to fix bug 1340041 [11:43]
<uvirtbot> Launchpad bug 1340041 in keystone "OpenLDAP 2.3: naming attribute [...] is not present in entry; Naming violation" [Medium,Fix released] https://launchpad.net/bugs/1340041 [11:43]
<viklund> (nice) [11:43]
<viklund> does this work for change-id: I1ed3f53d325eb280e036fbbf8e83d2e645db53cd [11:44]
<viklund> oh well [11:44]
<viklund> anyhow [11:44]
<viklund> I have searched the launchpad for this and haven't found anything, thought I'd stop by here first [11:45]
<viklund> in line 1672 (keystone/common/ldap/core.py) in the patch for the above bug the ldap.dn.str2dn array gets converted to a string [11:45]
<viklund> which causes naming_rdn to contain "[" and then I get an exception on line 1675 because the string has length one [11:46]
<openstackgerrit> Samuel de Medeiros Queiroz proposed a change to openstack/keystone: Add test for getting a token with inherited role https://review.openstack.org/119206 [12:30]
<dolphm> viklund: can you open a new bug report with the above? [12:34]
<viklund> dolphm: yes I can do that [12:34]
<viklund> I just wanted to check first [12:34]
<dolphm> viklund: sounds like a valid concern to me, that perhaps we can address before juno is released [12:38]
<viklund> dolphm: yes, that would be nice [12:39]
<viklund> submitted [12:48]
<keith_> mhu : disabled selinux and it works [12:49]
<mhu> keith_, glad you found a solution [12:50]
<marekd> mhu: i must say your auth plugins patch looks pretty advanced :-) [12:50]
<mhu> marekd, hopefully it'll look pretty merged soon too ! :D [12:51]
<mhu> marekd, now I can have a look at your patches [12:52]
<marekd> mhu: i am hoping for that too. [12:57]
<marekd> mhu: i need to restore crud operations for mappings and protocols. [12:57]
<jaosorior> amakarov: are you around? [13:27]
<samuelmz> dolphm, now that we are open for kilo dev ... could you approve this patch (https://review.openstack.org/#/c/119206/) ? [13:42]
<samuelmz> dolphm, it has 2 +2 for a while .. [13:43]
<dolphm> samuelmz: i'll run a recheck on it first since it's been a couple weeks [13:43]
<dolphm> samuelmz: oh nvm, you just rebased [13:43]
<samuelmz> dolphm, I just did a rebase . [13:43]
<dolphm> samuelmz: +A! [13:44]
<samuelmz> dolphm, yep :p [13:44]
<samuelmz> dolphm, thanks [13:44]
<afaranha> henrynash, regarding endpoint policy, is there a way to get the date the policy was assigned to the endpoint? [13:51]
<afaranha> We need to get the date because we plan to use it on Horizon, to remove the copy of the policies it has. For this, we need to get the policy to Horizon and then, in the following actions, just check if the policy is updated [13:52]
<henrynash> afaranha: that’s an interesting idea…but right now I don’t think there is a way…let me have a quick look... [13:53]
<openstackgerrit> A change was merged to openstack/python-keystoneclient: Redact x-subject-token from response headers https://review.openstack.org/123954 [13:53]
<afaranha> thanks [13:54]
<henrynash> afaranha: what would be the ideal…a notification on change of policy for an endpoint? [13:55]
<rodrigods> henrynash, this would be the ideal, but a last modified approach via a query would be great [13:56]
<henrynash> afaranha: Ok, so the bad news is we don’t have anything there yet…although I’m certainly open to adding it. [13:56]
<henrynash> rodrigods: one problem with a datestamp, is that if your policy for an endpoint comes by virtue of, say, what region you are in, then there is no datestamp related to an endpoint that you can look at... [13:58]
<samuelmz> henrynash, so we could use a sort of hash, right? [13:58]
<henrynash> rodrigods: …but we could send notifications for all endpoints in a region that were affected by a new policy being applied to that region [13:58]
<rodrigods> henrynash, so... would be possible for horizon to listen those notifications? [14:00]
<henrynash> rodrigods: yep [14:01]
<henrynash> rodrigods: we do a similar thing when, say, a project is deleted, we send a notification so that, for instance, nova can delete the VMs that are owned by the project [14:02]
<raildo> henrynash, In fact, there is a bug for this, because Nova can not consume this notification :P [14:03]
<henrynash> raildo: :-) because? [14:03]
<raildo> henrynash, https://bugs.launchpad.net/keystone/+bug/967832 [14:03]
<uvirtbot> Launchpad bug 967832 in neutron "Resources owned by a project/tenant are not cleaned up after that project is deleted from keystone" [Undecided,In progress] [14:03]
<samuelmz> dolphm, regarding the bug for extracting assignment tests from test_v3_identity .. I've created a new file called test_v3_assignment .. [14:03]
<samuelmz> dolphm, I'd like to know if I'd add copyright info .. [14:04]
<samuelmz> dolphm, https://review.openstack.org/#/c/121653/1/keystone/tests/test_v3_assignment.py [14:04]
<dolphm> samuelmz: since you're just splitting a file in two, i'd copy all the copyright headers from the original file in [14:04]
<dolphm> samuelmz: but copyrights attributed to the openstack foundation are generally wrong and can probably be removed :) [14:05]
<henrynash> raildo: ok, looks like we have stuff to talk about in Paris! [14:06]
<raildo> henrynash, great! [14:06]
<samuelmz> dolphm, ok .. I'm going to keep that ... thanks [14:08]
<samuelmz> dolphm, regarding test_backend ... shouldn't we also split that? [14:09]
<samuelmz> dolphm, I mean tests for assignment and tests for identity .. [14:09]
<dolphm> samuelmz: certainly could! [14:09]
<dolphm> samuelmz: how big is that file now? [14:09]
<samuelmz> dolphm, cool ... [14:09]
<samuelmz> dolphm, 4.7k [14:09]
<dolphm> samuelmz: lines? [14:09]
<samuelmz> dolphm, yes [14:10]
<morganfainberg> yeesh [14:10]
<dolphm> samuelmz: yes, split :D [14:10]
<samuelmz> :-) [14:10]
<dolphm> test_backend_identity, test_backend_identity_sql, test_backend_identity_ldap, test_backend_assignment, test_backend_assignment_sql, test_backend_assignment_ldap, etc? [14:11]
<samuelmz> dolphm, exactly [14:12]
<dolphm> morganfainberg: how many conflicting summit scheduling etherpads are there? :-/ [14:21]
<dolphm> morganfainberg: https://etherpad.openstack.org/p/kilo-keystone-summit-topics [14:21]
<dolphm> morganfainberg: https://etherpad.openstack.org/p/keystone-kilo-summit-sessions [14:22]
<morganfainberg> dolphm, those are the only two, use https://etherpad.openstack.org/p/kilo-keystone-summit-topics [14:22]
<morganfainberg> i'm slowly getting things moved over (started yesterday) [14:22]
<morganfainberg> should have it done today. but not fully awake yet. [14:23]
<dolphm> morganfainberg: then the other needs to be nuked with a link to the good one [14:23]
<morganfainberg> dolphm, yes. [14:23]
<morganfainberg> dolphm, updated the link in the meeting agenda [14:25]
<morganfainberg> dolphm, so next week i'm travelling [14:34]
<dolphm> morganfainberg: ack [14:34]
<morganfainberg> dolphm, i should be mostly around, on Tuesday for the meeting, but Wed->Friday will be busy [14:36]
<samuelmz> dolphm, morganfainberg: regarding the tests (again) .. [14:39]
<samuelmz> dolphm, morganfainberg: I also think having different classes to different entities would help developers to better find and create new tests in right place ... [14:39]
<dstanek> morganfainberg: business or vacation? [14:39]
<morganfainberg> dstanek, business [14:39]
<morganfainberg> dstanek, defcore conversations on monday/tuesday and then hitting up HP in sunnyvale to talk about keystone [14:39]
<samuelmz> dolphm, morganfainberg: like having DomainTestCase, RoleTestCase etc.. for test_v3_identity ... instead having a single class IdentityTestCase with all tests .. [14:40]
<dstanek> samuelmz: i sorta agree - i wish they were aligned along use case more [14:40]
<samuelmz> dstanek, yep .. could be better [14:41]
<dolphm> samuelmz: problem with that level of segregation is that so many of the tests hit several entities in the same backend (for example, EndpointTestCase would require hitting services and regions) [14:41]
<bknudson> I hope we didn't get morganfainberg in trouble. [14:41]
<bknudson> I'm usually in trouble when somebody wants to talk to me about keystone [14:41]
<dolphm> morganfainberg: that's a long interview [14:41]
<bknudson> why don't pki tokens work... why don't uuid tokens work [14:42]
<bknudson> why doesn't the memcache backend work [14:42]
<samuelmz> dolphm, couldn't EndpointTestCase call service and regions setUp() ? [14:42]
<bknudson> and of course they're always asking about grizzly [14:42]
<morganfainberg> lol. nah this is 100% voluntary, getting to chat about identity at HP and helping to get to know the people doing it. [14:42]
<dstanek> samuelmz: for the last few days i've been reworking all of my test/hacking patches against master - so many changes that have been killing my rebasing :-( [14:42]
<dolphm> samuelmz: yes, but you'd still want to test things like "what happens to the endpoint when i delete the parent service?" [14:42]
<morganfainberg> i don't have faces / names with the people not spending time here in upstream. so figured now was a good time to figure out what they're trying to do etc. [14:43]
<morganfainberg> before Kilo gets too crazy. [14:43]
<dolphm> morganfainberg: ++ [14:43]
<bknudson> morganfainberg: just be ready... might be a trap. [14:44]
<morganfainberg> well at least i shouldn't get cornered by "why doesn't grizzly work" questions ;) [14:44]
<samuelmz> dolphm, I don't see any problem in setting up services and regions for EndpointTestCase .. we'd just replicate the code for creation of services and regions .. but we'd gain a lot of code clarity [14:46]
<samuelmz> dolphm, imo [14:46]
<dolphm> samuelmz: i don't totally disagree, just playing devil's advocate. dstanek: can you outline the buckets you'd have if you organized tests by use case? [14:48]
<morganfainberg> dolphm, dstanek, well we should move "unit" tests to "unit" and also stop intermingling the functional vs unit tests [14:48]
<dolphm> morganfainberg: yeah, that'd be a relatively easy change. the unit tests aren't generally well isolated [14:50]
<dolphm> self-contained, anyway [14:50]
<morganfainberg> dolphm, that's where i'd start. [14:51]
<nkinder> The review notification bot doesn't seem to be working... [14:51]
<nkinder> I just proposed a patch for the new LDAP bug that came in last night [14:51]
<nkinder> https://review.openstack.org/#/c/125083/ [14:51]
<morganfainberg> it would get us to a much better place when it comes to moving towards functional testing. [14:51]
<morganfainberg> nkinder, ah thanks! [14:51]
<dolphm> nkinder: oh awesome! [14:52]
<morganfainberg> because there is some cleanup that is needed to allow those tests to work more smoothly against "real" backends as well. [14:52]
<dolphm> viklund: ^^ [14:52]
<morganfainberg> nkinder, there is also this one: https://bugs.launchpad.net/keystone/+bug/1375139 I've gotten a devstack *mostly* stood up [14:53]
<uvirtbot> Launchpad bug 1375139 in keystone "LDAP, non ascii characters in CN field couse error while switching projects" [Medium,New] [14:53]
<morganfainberg> turns out we can't run devstack + ldap in ubuntu at the moment [14:53]
<morganfainberg> it... uh fails spectacularly [14:53]
<morganfainberg> as in, we don't even install slapd. [14:53]
<nkinder> Yeah, I usually don't use devstack when doing LDAP. I just set up a real deployment [14:54]
<morganfainberg> nkinder, we'll need a way of setting up ldap *sanely* for functional testing. [14:54]
<morganfainberg> devstack or something else eventually. [14:54]
<nkinder> morganfainberg: absolutely. devstack makes the most sense [14:55]
<samuelmz> morganfainberg, when you say 'stop intermingling the functional vs unit tests' .. do you mean stop calling assignment_api directly from test_v3_identity, for example? [14:55]
<samuelmz> morganfainberg, and then call everything via url [14:55]
<morganfainberg> samuelmz, no, i mean move anything that isn't a RESTful test case into keystone/tests/unit [14:55]
<morganfainberg> samuelmz, unit tests are not the full-stack tests. [14:56]
<samuelmz> morganfainberg, +1 [14:56]
<samuelmz> morganfainberg, dstanek, dolphm I'm going to create an etherpad to list test improvements I see (including what we've discussed now) [14:57]
<morganfainberg> samuelmz, cool. [14:57]
<samuelmz> morganfainberg, dstanek, dolphm and then we can have a better discussion [14:57]
<samuelmz> :-) [14:57]
<nkinder> morganfainberg: so that bug looks to be using the assignment LDAP driver [14:58]
<morganfainberg> nkinder, ah ok. that was what i *figured* [14:58]
<morganfainberg> nkinder, but since you were around i thought i'd bug you about it. [14:58]
<nkinder> morganfainberg: yeah, I'll try to look at it some [14:58]
<marekd> mhu: thanks for the reviews! [15:00]
<marekd> i will give you more soon :-) [15:00]
<dstanek> samuelmz: see https://blueprints.launchpad.net/keystone/+spec/restructuring-tests and the etherpad for it [15:01]
<mhu> marekd, you're welcome ! I need to redeploy a test bed for federation and once I am done, I'll test your patch with mine and see how it goes [15:01]
<marekd> mhu: i checked the plugin today on my testbed before i submitted. but obviously you are encouraged to do your tests. i might have skipped something. [15:02]
<samuelmz> dstanek, great! taking a look at this .. thanks for this link [15:03]
<dstanek> samuelmz: in addition to making the tests follow a structure that I know my personal goal is to have all of the tests run in less than 60 seconds and not because they are run in parallel [15:03]
<nkinder> morganfainberg: I can take that one. It should be quick to knock out (the fix proposal is correct, but it just needs a test) [15:04]
<morganfainberg> nkinder, ok sounds good. [15:04]
<samuelmz> dstanek, ++ [15:04]
<morganfainberg> dstanek, i think we can absolutely do that for unit. I don't think functional should be constrained to 60s. [15:05]
<dstanek> morganfainberg: i'm not saying constraint - like i would force a failure, but they should run much, much faster [15:05]
<morganfainberg> dstanek, sure. [15:06]
<dstanek> i will be very disappointed if i can't get it close to that this cycle [15:06]
<morganfainberg> dstanek, but i think it'll also matter what backend you're running on. e.g. once we get functional tests able to run mysql, pgsql, ldap, etc it'll be different profiles [15:07]
<morganfainberg> dstanek, a lot of the issues with "real" backends is also not needing to rebuild the schema every test. [15:07]
<morganfainberg> and not needing to restart the whole eventlet process each test. [15:07]
<morganfainberg> s/not// [15:08]
<morganfainberg> in both of those [15:08]
<dstanek> morganfainberg: yeah, i've started working on that a little - in one of my environments i only run the tests against maria [15:08]
<dstanek> morganfainberg: the challenge right now is that they don't work [15:09]
<morganfainberg> dstanek, it's a topic i expect to have open at the summit [15:09]
<morganfainberg> dstanek, some real sitdown time (either pod, session, something) [15:09]
<bknudson> btw, I have had no problem running devstack on ubuntu [15:13]
<samuelmz> morganfainberg, dstanek: on my machine : Ran 4796 tests in 229.958s for all keystone tests [15:13]
<morganfainberg> bknudson, ldap? [15:13]
<morganfainberg> bknudson, general devstack works fine. [15:13]
<samuelmz> morganfainberg, dstanek: if I run just test_backend_ldap tests : Ran 1572 tests in 102.614s [15:13]
<bknudson> morganfainberg: yes, running with ldap backend configured [15:14]
<morganfainberg> bknudson, but a clean VM failed pretty spectacularly (didn't try and install any ldap utils) [15:14]
<bknudson> My VM is anything but clean. [15:14]
<morganfainberg> bknudson, ldaputils, slapd, etc all wasn't even tried to be installed [15:14]
<morganfainberg> somewhere they removed the call to 'start_ldap' which seems to install ldap packages [15:14]
<samuelmz> morganfainberg, dstanek: I have a feeling that we have too much inheritance on those backend_ldap tests .. and maybe we rerun tests that would not need to [15:14]
<morganfainberg> samuelmz, it's a lot of restructuring that is needed. [15:15]
<samuelmz> morganfainberg, dstanek: yes .. just ldap_backend took almost a half time of all keystone tests [15:15]
<morganfainberg> oooh oooh we ... we might get ourselves under 200 open bugs for keystone here! [15:16]
<dstanek> samuelmz: yes, in my etherpad i think i talk about over use of shared setup [15:17]
<samuelmz> dstanek, hmm .. cool .. I'll take a deeper look at that later .. and write some additional ideas on etherpad .. and then I'll be back here :-) [15:19]
<openstackgerrit> Terry Howe proposed a change to openstack/python-keystoneclient: Identity plugin that manages passwords and tokens https://review.openstack.org/124830 [15:32]
<openstackgerrit> Nathan Kinder proposed a change to openstack/keystone: Convert unicode to UTF8 when calling ldap.str2dn() https://review.openstack.org/125097 [15:34]
<nkinder> morganfainberg: there you go ^^^ [15:34]
<morganfainberg> nkinder, awesome! [15:34]
<stevemar> marekd, lol - thanks for the comment "Do not review" [15:41]
<rodrigods> stevemar, ping [16:08]
<stevemar> rodrigods, pong-ish [16:10]
<rodrigods> stevemar, was having an issue here related to a missing "-----BEGIN CERTIFICATE-----" in the generated certificate by keystone-manager [16:12]
<rodrigods> was trying to find the place to fix it (if necessary) [16:13]
<stevemar> rodrigods, the cert file needs to look like ... https://github.com/openstack/keystone/blob/master/examples/pki/certs/cacert.pem [16:25]
<stevemar> rodrigods, not much we can do on that issue, we're using pysaml2 to read the files [16:25]
*** bradjones has joined #openstack-keystone16:26
*** bradjones has joined #openstack-keystone16:26
*** r-daneel has joined #openstack-keystone16:28
openstackgerritNathan Kinder proposed a change to openstack/keystone: Convert unicode to UTF8 when calling ldap.str2dn()  https://review.openstack.org/12509716:28
*** jistr has quit IRC16:28
*** thedodd has quit IRC16:28
*** Guest55921 has quit IRC16:28
*** marcoemorais has quit IRC16:31
*** joesavak has joined #openstack-keystone16:31
*** marcoemorais has joined #openstack-keystone16:31
*** ayoung has quit IRC16:32
*** lcheng has quit IRC16:32
*** lcheng has joined #openstack-keystone16:32
*** nellysmitt has joined #openstack-keystone16:32
*** amcrn has joined #openstack-keystone16:34
*** NM1 has quit IRC16:36
*** marcoemorais has quit IRC16:42
*** garcianavalon has quit IRC16:44
*** ayoung has joined #openstack-keystone16:46
*** dims_ has quit IRC16:49
*** dims has joined #openstack-keystone16:49
*** thedodd has joined #openstack-keystone16:50
rodrigodsmorganfainberg, ping16:54
morgan_remote_rodrigods: pong16:56
rodrigodsmorgan_remote_, we've added a topic regarding HM patches to today's meeting, but unfortunately, we won't be able to be present.16:57
morgan_remote_Ah ok. I'll recommend reviewing the patches? Can you put links to the relevant reviews?16:58
rodrigodsmorgan_remote_, yeah... the link is at the topic =)16:58
rodrigodsmorgan_remote_, also... if you need an environment to test it, we can provide a VM with the full deployment (including keystone, keystoneclient and openstackclient)16:59
morgan_remote_Ok!16:59
rodrigodsmorgan_remote_, thanks, and sorry for not being able to be there =)17:00
morgan_remote_Ok. I think I can probably setup a devstack and test myself as well. If you have any special documentation that is always good.17:00
morgan_remote_I'll definitely encourage reviews so we can get that stuff moving again.17:01
rodrigodsmorgan_remote_, yeah, it should work without any extra pain =)17:01
rodrigodsthanks17:02
morgan_remote_That's the best kind of new feature!17:02
raildomorgan_remote_, we have this patch about the API documentation https://review.openstack.org/#/c/111355/17:02
morgan_remote_Great!17:02
*** marcoemorais has joined #openstack-keystone17:05
*** amakarov has quit IRC17:05
*** NM1 has joined #openstack-keystone17:05
*** thedodd has quit IRC17:09
*** gokrokve has joined #openstack-keystone17:09
dstaneki'm really bad at naming things17:10
rodrigodsdstanek, me too =(17:10
raildodstanek, rodrigods http://minilua.com/wp-content/plugins/wp-nohotlink/cache/664564.jpg17:11
raildohahaha17:11
*** raildo has left #openstack-keystone17:11
*** raildo has joined #openstack-keystone17:12
dstanek:-)17:12
marekdstevemar: well, i marked as WIP but apparently it doesn't really mean 'do not review' :P17:12
afaranhaTo test the policies in the sample policy patch https://review.openstack.org/#/c/123509/ , I would like to know where's the test in keystone that tests policy.v3cloudsample.json17:14
*** gokrokve has quit IRC17:14
*** bradjones has quit IRC17:15
*** gokrokve has joined #openstack-keystone17:16
*** lufix has joined #openstack-keystone17:17
*** harlowja_away is now known as harlowja17:18
*** praneshp has joined #openstack-keystone17:23
stevemarafaranha, i'm not sure it's tested much in keystone17:24
stevemarafaranha, the policy engine is actually oslo-incubator code, so the tests are there17:24
stevemartests: https://github.com/openstack/oslo-incubator/blob/master/tests/unit/test_policy.py17:24
stevemarafaranha, engine code: https://github.com/openstack/oslo-incubator/blob/master/openstack/common/policy.py17:25
stevemarsince many projects use policy, it's owned by oslo (at the moment anyway)17:25
morgan_remote_It should also graduate to a lib in kilo. We (keystone) might adopt it based on some discussions with dhellmann. Depending on who ends up reviewing it most of course.17:26
*** lufix has quit IRC17:27
*** bradjones has joined #openstack-keystone17:27
*** bradjones has quit IRC17:27
*** bradjones has joined #openstack-keystone17:27
*** nellysmitt has quit IRC17:28
stevemarafaranha, there are also some keystone tests: https://github.com/openstack/keystone/blob/9a9f707eb2b4ad7c4a91f30ce2daf3763838f78f/keystone/tests/test_policy.py17:28
stevemarmorgan_remote_, moar projects under the keystone umbrella tree17:28
morgan_remote_Haha17:29
morgan_remote_Totally digging having its access on the phone like this.17:29
morgan_remote_S/its/irc17:30
afaranhastevemar: Let me see... If I want to test a new policy file, I just need to modify this line, right? https://github.com/openstack/keystone/blob/9a9f707eb2b4ad7c4a91f30ce2daf3763838f78f/keystone/tests/test_policy.py#L21417:30
*** nellysmitt has joined #openstack-keystone17:30
*** bambam1 has quit IRC17:31
afaranhaIn Oslo test_policy.py, am I able to test an existing policy file?17:31
stevemarafaranha, nope, that tests to make sure policy.json and policy.v3cloudsample.json have the same content17:32
stevemarafaranha, here we go: https://github.com/openstack/keystone/blob/9a9f707eb2b4ad7c4a91f30ce2daf3763838f78f/keystone/tests/core.py#L33517:32
stevemarafaranha, you will need to create a new test suite probably, and override that option to point to your new file17:33
stevemarthen i guess setup your credentials (roles, projects, domains) properly and then issue requests to see if they work17:33
*** Tahmina has joined #openstack-keystone17:36
*** mflobo_ has joined #openstack-keystone17:40
afaranhastevemar: Is there an easy way to test this? As I see this class is used by many others, if I create a new one I need to create all its subclasses also17:40
*** mflobo has quit IRC17:43
*** mflobo__ has joined #openstack-keystone17:43
*** gokrokve has quit IRC17:45
*** mflobo_ has quit IRC17:46
*** gokrokve has joined #openstack-keystone17:46
stevemarafaranha, just make a class that extends test_v3.RestfulTestCase, and overrides that option17:46
stevemaryou shouldn't need to create all its subclasses17:46
afaranhaLot better, thanks :D17:47
*** gokrokve has quit IRC17:49
*** gokrokve has joined #openstack-keystone17:49
*** lsmola has quit IRC17:54
*** NM2 has joined #openstack-keystone18:03
*** david-lyle is now known as david-lyle_afk18:05
*** NM1 has quit IRC18:05
*** gokrokve has quit IRC18:08
*** gokrokve has joined #openstack-keystone18:09
*** gokrokve has quit IRC18:10
*** gokrokve has joined #openstack-keystone18:10
*** Ephur has joined #openstack-keystone18:13
*** aix_ has quit IRC18:13
*** aix has quit IRC18:13
*** gokrokve has quit IRC18:17
*** nellysmitt has quit IRC18:20
*** nellysmitt has joined #openstack-keystone18:20
*** nellysmitt has quit IRC18:21
dolphmbknudson: p.s. you were summoned on https://review.openstack.org/#/c/124715/18:28
bknudsondolphm: I'll try to look at it tonight... too busy during the day lately18:30
*** diegows has quit IRC18:36
*** david-lyle_afk has quit IRC18:38
*** thedodd has joined #openstack-keystone18:41
*** jsavak has joined #openstack-keystone18:42
*** joesavak has quit IRC18:45
*** NM2 has quit IRC18:46
*** openstackgerrit has quit IRC18:47
*** openstackgerrit has joined #openstack-keystone18:47
*** henrynash has quit IRC18:51
*** diegows has joined #openstack-keystone18:53
*** henrynash has joined #openstack-keystone18:53
*** flwang has joined #openstack-keystone18:53
*** NM1 has joined #openstack-keystone18:55
*** flwang has quit IRC18:56
dolphmdstanek: alright, i'm curious what you did with growler? what did you want notifications on beyond starred stuff?19:00
*** morganfainberg changes topic to "Now open for Kilo development! Blocking reviews: https://gist.github.com/dolph/651c6a1748f69637abd0 | Summit Topics, Think of a Goal/Question for each session: https://etherpad.openstack.org/p/kilo-keystone-summit-topics"19:01
dstanekdolphm: i started with a hack that just looked for 'keystone' in the project name - so i would get a notification for changes in any keystone review19:02
morganfainbergdstanek, i downgraded py33 tests for keystone to experimental, they're only triggered with a comment now19:02
ayounggyee, MFA issue:  unscoped to scoped drops the methods used to get the initial token.  Is that a problem?19:02
morganfainbergdstanek, because they were *always* failing19:02
ayoungOr is that correct behaviour?19:02
morganfainbergayoung, huh, interesting question19:02
dolphmdstanek: that's how the project originally started for me, filtering on any review that's is:watched -- but it was too much noise19:02
dolphmdstanek: jenkins spam on every change, etc19:03
dstanekdolphm: at certain times i was getting too many hits as you can imagine, so i started looking for my name in the review and other key phrases i care about19:03
dstanekstill a work in progress - but the thing i was definitely missing was new reviews19:03
morganfainbergnkinder, gyee, i'm still setting up my schedule for next week, i know on 10/8 i'm busy for a couple hours in the morning. - other than that pretty open19:03
dstanekmorganfainberg: i'll get my py33 patches up to date with master - if we can get them merged then py33 would be working19:03
morganfainbergdstanek, we can bump it back to non-vote anytime19:04
*** praneshp has quit IRC19:04
morganfainbergdstanek, super easy, but it wasn't worth the resource consumption at the moment.19:04
*** gokrokve has joined #openstack-keystone19:04
dolphmdstanek: like a notification whenever a review is created on a watched project?19:04
dstanekdolphm: exactly19:04
*** tellesnobrega_ has joined #openstack-keystone19:04
dstanekor if it's a review i've already been engaged in19:04
gyeeayoung, should be fine, MFA should be atomic19:05
gyeemorganfainberg, are we meeting nkinder at a local bar?19:06
dolphmdstanek: hmm... maybe it should have a bunch of flags for which reviews to alert on19:06
*** praneshp has joined #openstack-keystone19:06
morganfainberggyee, nkinder, that works for me.19:06
dolphmdstanek: i.e. --starred being the current behavior19:06
gyeemorganfainberg, nkinder, http://tiedhouse.com/19:06
gyeeif you guys up for beer19:07
nkindertied house is a 3 block walk from my office19:07
morganfainbergnkinder, nice!19:07
gyeeCastro have a bunch of nice food places19:07
dstanekdolphm: that would probably be good19:07
*** praneshp has quit IRC19:08
nkinderWhat's the history around token flushing?  Why is it handled outside of the keystone server itself?19:09
stevemarnkinder, so folks can make a cron job out of it?19:09
morganfainbergnkinder, historically keystone had 1 worker and eventlet doesn't yield on mysqldb calls19:10
nkinderstevemar: yeah, I know that's what's typically done19:10
morganfainbergnkinder, so it would lock up keystone (still does with gap lock in MySQL + innodb) while the flush occurred19:10
nkindermorganfainberg: ok, so we'd lock up during a large flush19:10
morganfainbergnkinder, but with the new flush batch size code it should be a lot better19:10
nkindermorganfainberg: are there any thoughts of moving this into keystone at some point?19:11
morganfainbergnkinder, it would need a worker-type thread to really be effective19:11
morganfainbergnkinder, and i'm concerned about adding "worker" threads as a pattern in keystone19:11
nkindermorganfainberg: yeah, that makes sense.  I'm trying to see if there is a nice way of avoiding the problem of someone not setting up a cron job19:12
ayounggyee, ok19:12
nkinderI spoke with someone today who had a 42GB token database19:12
morganfainbergnkinder, ouch19:12
nkinder....whoops19:12
morganfainbergnkinder, partition tables19:13
morganfainbergnkinder, *don't hurt me*19:13
morganfainbergnkinder, when they upgrade to juno... recommend they truncate the token table before running the migration(s)19:13
nkindermorganfainberg: a flush has been done for that database, which cut it down to 12MB19:15
morganfainbergway better19:15
*** thedodd has quit IRC19:16
samuelmzdolphm, something went wrong with the patch you have set workflow+1 (https://review.openstack.org/#/c/119206/)19:21
samuelmzdolphm, do we have a re-workflow statement ? :p19:22
dolphmsamuelmz: you need to diagnose the failed build, file a bug if appropriate, and issue a recheck on it accordingly19:23
*** david-lyle_afk has joined #openstack-keystone19:26
*** david-lyle_afk is now known as david-lyle19:26
samuelmzdolphm, I found this related bug #135705519:31
uvirtbotLaunchpad bug 1357055 in nova "Race to delete shared subnet in Tempest neutron full jobs" [Critical,Fix committed] https://launchpad.net/bugs/135705519:31
samuelmzdolphm, should I do `recheck bug 1357055` or `recheck no bug`?19:31
samuelmzdolphm, what's the difference?19:31
dolphmsamuelmz: recheck against the relevant bug19:31
samuelmzdolphm, thanks19:33
dolphmsamuelmz: "no bug" means the failure wasn't due to an issue that can/should be tracked, like "this depended on a change in another project, which has now merged, so the tests should succeed here this time"19:33
bknudsonat some point we should decide if we're getting anything but trouble out of the -neutron- gate tests19:42
*** praneshp has joined #openstack-keystone19:42
dstanekbknudson: was this going to be taken care of on the oslo side? https://review.openstack.org/#/c/55648/19:44
samuelmzdolphm, cool, thanks for this clarification .. :-)19:44
dolphmbknudson: that's a question the nova folks ask every day19:44
bknudsondstanek: that part doesn't look relevant to keystone... not sure why it's there in the first place?19:46
bknudsonis some other oslo thing using it?19:46
bknudsonit's not in openstack-common.conf, so it must be pulled in by some other dependency. http://git.openstack.org/cgit/openstack/keystone/tree/openstack-common.conf19:46
dstanekbknudson: we're tagged on the bug https://bugs.launchpad.net/oslo-incubator/+bug/120873419:47
uvirtbotLaunchpad bug 1208734 in keystone "Drop openstack.common.exception" [Low,In progress]19:47
dstanekmaybe we don't need to be?19:47
bknudsondstanek: the fix needs to be in oslo-incubator.19:47
bknudsonthere must be a module in oslo-incubator that still says it requires exceptions19:47
dstanekbknudson: the review was to delete it, but you mentioned that we can't because the path could be in a config file19:48
bknudsondstanek: I was probably confused and thought the change was made to keystoneclient and not keystone19:49
bknudsonseems like a change that we'd make to keystoneclient19:49
dstanekbknudson: actually we don't have that anymore so i'm marking as fix released19:50
bknudsonthat is a weird comment... maybe it was a different Brant Knudson?19:50
bknudsonI think the thing I had a problem with was that it's referenced in the config file19:51
*** NM1 has quit IRC19:51
bknudsonsee what I mean?19:51
bknudsonit must be gone now from the sample config19:52
bknudsonallowed_rpc_exception_modules isn't even a config option anymore.19:52
*** openstackgerrit_ has joined #openstack-keystone19:54
*** radez is now known as radez_g0n319:55
*** thedodd has joined #openstack-keystone19:58
*** Tahmina has quit IRC19:59
dstanekbknudson: i like it when things melt away20:04
bknudsonit's kind of scary but things in our config file aren't under our control20:05
*** samuelmz has quit IRC20:10
*** stevemar has quit IRC20:13
*** joesavak has joined #openstack-keystone20:15
*** ayoung has quit IRC20:16
*** jsavak has quit IRC20:17
*** jsavak has joined #openstack-keystone20:18
*** joesavak has quit IRC20:21
*** jasondotstar has quit IRC20:30
*** NM1 has joined #openstack-keystone20:32
dstanekdolphm: closed this out because it appears to be user error: https://bugs.launchpad.net/keystone/+bug/120496420:32
uvirtbotLaunchpad bug 1204964 in keystone "'extra' columns are nullable" [Low,Invalid]20:32
dolphmdstanek: wow that's old -- cool20:33
morganfainbergdstanek, oooh SO CLOSE TO UNDER 200 active bugs!20:33
dstanekmorganfainberg: check again20:33
morganfainbergdstanek, 200 Open bugs (according to LP)20:33
morganfainbergyes that counts incompletes20:33
morganfainbergso, 19020:34
dstanekmorganfainberg: i've closed out a few today20:34
morganfainbergdstanek, yah so did I20:34
morganfainbergwe were ~208 or so at the start of the day20:34
*** BAKfr has left #openstack-keystone20:35
*** ayoung has joined #openstack-keystone20:35
morganfainbergi think i kindof want to close this one https://bugs.launchpad.net/keystone/+bug/92804220:35
dolphmnice :)20:35
uvirtbotLaunchpad bug 928042 in keystone "clean up some of the various dict.copy() calls so that they don't confuse new developers" [Wishlist,Triaged]20:35
*** BAKfr has joined #openstack-keystone20:35
dolphmmorganfainberg: i've thought the same, but they were actually a problem at one point - different backends behaved differently. it's probably not an issue anymore20:36
dstanekmorganfainberg: so that bug is to stop doing the copy?20:36
morganfainbergdstanek, yeah20:36
dolphmdstanek: stop doing the copy in tests, specifically20:36
morganfainbergyou know, i'm going to close it.20:36
dstanekhmm...i wouldn't expect that to be the confusing part of Keystone :-)20:37
*** stevemar has joined #openstack-keystone20:37
dolphmdstanek: it was just inconsistent20:37
dstanekthere's lots of XML bugs too20:38
morganfainbergclosed.20:38
morganfainbergwe wont be able to remove XML in K20:38
morganfainbergwe will be able to remove it from the pipeline20:38
morganfainbergunless we get special magic put in grenade20:38
morganfainbergto eliminate it on upgrade20:39
*** andreaf has quit IRC20:39
dolphmmorganfainberg: ++20:39
morganfainbergotherwise the upgrade fails because the old system has the files in the pipeline still and *splody*20:39
*** andreaf has joined #openstack-keystone20:39
morganfainberg:(20:39
*** andreaf has quit IRC20:40
morganfainbergwhat? https://bugs.launchpad.net/keystone/+bug/96550220:40
uvirtbotLaunchpad bug 965502 in keystone "lack of service endpoint filtering for token validation can be a security vulnerability" [Wishlist,Triaged]20:40
*** andreaf has joined #openstack-keystone20:40
dstanekthere's things like this where i wonder how much i should care: https://bugs.launchpad.net/keystone/+bug/99221420:40
uvirtbotLaunchpad bug 992214 in keystone "GET /tenants XSD schema validation fails" [Medium,Triaged]20:40
morganfainbergdstanek, i wouldn't care tbh, i'd remove it from the pipeline and say "this is deprecated and slated for removal"20:41
dolphmmorganfainberg: that message is basically already there, right?20:41
morganfainbergdolphm, yeah. we say it's deprecated when you initialize the XML middleware20:42
dolphmdstanek: veeery little, on that one!20:42
morganfainbergso i'd remove it from the paste pipeline and have that patch close all the XML bugs ? :P20:42
dstaneki love it!20:43
dolphmmorganfainberg: i'd be happy to see them marked as Won't Fix20:43
morganfainbergdolphm, probably better marking20:43
*** gordc has quit IRC20:43
dolphmmaybe mark it as Opinion: You just *think* its broken, when in fact it was actually XML by design.20:44
*** gordc has joined #openstack-keystone20:46
morganfainbergdolphm, LOL20:46
*** topol has quit IRC20:46
morganfainbergdolphm, so.. https://bugs.launchpad.net/keystone/+bug/113159020:46
uvirtbotLaunchpad bug 1131590 in keystone "migration 17: user_project_membership has no column 'project_id'" [Low,Confirmed]20:46
morganfainbergi'm content to mark that as invalid / incomplete?20:47
dolphmmorganfainberg: already done20:47
morganfainbergk20:47
morganfainbergcan't mark this as invalid https://bugs.launchpad.net/keystone/+bug/119468820:49
uvirtbotLaunchpad bug 1194688 in keystone "Devstack uses keystone.middleware.s3_token in swift pipeline" [Wishlist,Confirmed]20:49
morganfainbergfor keystone20:50
morganfainbergi can unset it affecting us.20:50
morganfainbergLP has weird permissions20:50
morganfainbergand it went invalid20:50
morganfainberg...20:50
morganfainbergoookay20:50
stevemarmorganfainberg, *magic*20:53
*** nellysmitt has joined #openstack-keystone20:53
morganfainbergdolphm, does this not work for you: https://bugs.launchpad.net/keystone/+bug/1324610 ?20:53
uvirtbotLaunchpad bug 1324610 in keystone "tools/config/generate_sample.sh has no effect on OS X" [Low,In progress]20:53
morganfainbergtox -esample_config always works for me20:53
stevemarmorganfainberg, it's the bane of dolphm's existence20:54
*** nellysmitt has quit IRC20:54
morganfainbergi think we decided https://bugs.launchpad.net/keystone/+bug/1331884 was Wont fix a while ago?20:55
uvirtbotLaunchpad bug 1331884 in keystone "A V2 token from trust cannot be generated with user/pass" [Wishlist,In progress]20:55
morganfainbergoh we have an active patch for it20:56
morganfainbergnvm20:56
*** samuelmz has joined #openstack-keystone20:59
dolphmmorganfainberg: you mean, does it still not work for me?21:00
morganfainbergyeah21:00
dolphmmorganfainberg: the python version works for me, but bknudson blocked it21:00
bknudsondolphm: because it was broken!21:00
morganfainbergi have an idea how to gate on sample config being up-to-date actually.21:01
morganfainbergwithout breaking when external libs update21:01
dolphmbknudson: i don't disagree21:01
*** marcoemorais has quit IRC21:03
*** marcoemorais has joined #openstack-keystone21:03
*** r1chardj0n3s_afk is now known as r1chardj0n3s21:03
*** samuelmz is now known as samuelmz-awaw21:03
*** lcheng has quit IRC21:05
*** lcheng has joined #openstack-keystone21:05
ayoungFunniest bug comment you will see all day.  https://bugs.launchpad.net/keystonemiddleware/+bug/137584921:10
*** jsavak has quit IRC21:10
uvirtbotLaunchpad bug 1375849 in keystonemiddleware "RFE: warn or act on expiring self-signed certs" [Undecided,New]21:10
*** lcheng has quit IRC21:10
*** openstackgerrit_ has joined #openstack-keystone21:18
mhuall commit messages should now end with "Love, Dad"21:19
morganfainberghaha21:23
bknudsonseems like it should be love, grandpa21:27
*** dhellmann is now known as dhellmann_21:30
*** henrynash has quit IRC21:33
*** zzzeek has quit IRC21:37
*** andreaf has quit IRC21:39
*** andreaf has joined #openstack-keystone21:40
*** gordc has quit IRC21:51
dolphmmhu: ++21:53
*** r1chardj0n3s is now known as r1chardj0n3s_afk21:53
stevemarayoung, oh that is great21:55
*** bradjones has quit IRC21:55
stevemarbknudson dropped a good joke in there too21:56
*** ayoung has quit IRC22:00
rodrigodstiny patches needing just +A: https://review.openstack.org/#/c/120563/ and https://review.openstack.org/#/c/123619/22:00
*** rkofman has quit IRC22:02
*** rkofman has joined #openstack-keystone22:03
*** lcheng has joined #openstack-keystone22:08
*** bknudson has quit IRC22:08
*** henrynash has joined #openstack-keystone22:08
*** david-lyle_ has joined #openstack-keystone22:11
*** david-lyle has quit IRC22:11
*** NM1 has quit IRC22:12
*** david-lyle has joined #openstack-keystone22:12
openstackgerritA change was merged to openstack/keystone: Add test for getting a token with inherited role  https://review.openstack.org/11920622:12
*** thedodd has quit IRC22:13
*** david_lyle__ has joined #openstack-keystone22:14
*** david-lyle_ has quit IRC22:16
*** david-lyle has quit IRC22:17
*** david_lyle__ has quit IRC22:20
*** dims_ has joined #openstack-keystone22:20
*** zzzeek has joined #openstack-keystone22:21
*** r1chardj0n3s_afk is now known as r1chardj0n3s22:21
*** dims_ has quit IRC22:22
*** dims_ has joined #openstack-keystone22:23
*** dims has quit IRC22:23
rm_workAre Trusts only in the identity API v3? or are they in v2 as well? they're listed on http://docs.openstack.org/developer/python-keystoneclient/using-api-v3.html but not on the v2 page22:24
stevemarrm_work, they are only supported for v322:31
rm_workhmm, crap22:31
*** praneshp has quit IRC22:31
rm_workso if we rely on Trusts we will be introducing a hard-dependency on keystone identity v322:31
*** praneshp has joined #openstack-keystone22:36
*** zzzeek has quit IRC22:38
*** david-lyle has joined #openstack-keystone22:39
*** david-lyle_ has joined #openstack-keystone22:41
*** david-lyle has quit IRC22:44
stevemarrm_work, unofficially v2.0 tokens can use trusts, but like i said, we don't support that22:49
stevemarrm_work, https://bugs.launchpad.net/keystone/+bug/1331884 some info here22:50
uvirtbotLaunchpad bug 1331884 in keystone "A V2 token from trust cannot be generated with user/pass" [Wishlist,In progress]22:50
*** alex_xu has joined #openstack-keystone22:52
*** andreaf has quit IRC22:57
*** stevemar has quit IRC22:57
*** andreaf has joined #openstack-keystone22:58
*** david-lyle_ has quit IRC23:02
*** leonchio_ has joined #openstack-keystone23:06
*** NM1 has joined #openstack-keystone23:06
leonchio_hello, I try to get some help from someone who had setup keystone as federation service provider23:07
leonchio_I am currently getting the following errors when creating a new identity provider23:07
leonchio_[Tue Sep 30 16:04:12.379660 2014] [:error] [pid 5346:tid 139949496039168] 2014-09-30 16:04:12.375 5346 TRACE keystone.common.wsgi OperationalError: (OperationalError) attempt to write a readonly database u'INSERT INTO identity_provider (id, enabled, description) VALUES (?, ?, ?)' (u'sam_idp_id', 1, u'Stores AD/Ldap identities.')23:07
dstanekleonchio_: does the user you use to access your database have access to write to tables?23:08
leonchio_I'm using ADMIN as the token for now23:09
leonchio_I follow the steps from this doc http://docs.openstack.org/developer/keystone/configure_federation.html23:09
leonchio_try to create groups giving me the same issue23:10
dstanekleonchio_: no not the token, the user that Keystone uses to access your database23:11
dstanekleonchio_: what rdbms are you using?23:11
leonchio_I start apache as root23:12
leonchio_sqlite23:12
dstanekhmmm..are the permissions of the db file OK?23:13
*** dims_ has quit IRC23:13
leonchio_yeah, i tried if using using the federation extension with apache, but just the "plain" keystone, everything is fine23:14
dstanekleonchio_: when you say plain keystone do you use mod_wsgi?23:15
leonchio_with the federation extension configured, creating groups and identity providers, all those operations should be valid, right?23:15
*** stevemar has joined #openstack-keystone23:16
dstanekshould be just fine - i think the issue is the permissions of your db file23:16
leonchio_I meant 'plain' refers to start keystone like 'keystone-all'23:16
dstanekleonchio_: who do you run that as root?23:16
dstanekleonchio_: who owns the db file and what are the permissions on it?23:17
leonchio_that's a different user, let me change its permissions ..23:17
*** NM1 has quit IRC23:18
openstackgerrithenry-nash proposed a change to openstack/keystone: Ensure sql upgrade tests can run with non-sqlite databases.  https://review.openstack.org/12522823:20
rm_workthanks stevemar, I will give that a look23:25
stevemarnp rm_work23:25
rm_workoh, that's actually not too bad if it works... one extra round-trip, but... it *works*23:26
openstackgerrithenry-nash proposed a change to openstack/keystone: Ensure sql upgrade tests can run with non-sqlite databases.  https://review.openstack.org/12522823:27
leonchio_dstanek: it seems it does not matter the permission of the db file, it has the permission rw-rw-rw and I changed the owner to the root later, the result is the same though ...23:28
leonchio_dstanek: do you know if anyone successfully set up the federation with keystone? just curious ...23:28
dstanekleonchio_: probably not with sqlite - are you trying keystone-to-keystone federation?23:29
leonchio_no, keystone-AD/Ldap23:29
dstanekleonchio_: are you trying to use AD as an IDP or do you really just want to use an LDAP backend?23:30
leonchio_beside this link, http://docs.openstack.org/developer/keystone/configure_federation.html23:30
nkinderdolphm, morganfainberg: interesting (possible RC) issue related to the user enabled invert setting23:30
leonchio_do you know any other links can be references, including the configurations on the AD/Ldap side?23:31
dstanekleonchio_: if you just want to use LDAP you don't need to do anything with federation23:31
nkinderdolphm, morganfainberg: I'll file a bug shortly, but the issue has to do with the returned value sometimes being a bool and sometimes being a string23:31
nkinderI have a fix, but I need to write some tests to cover the failure case23:32
dstanekleonchio_: http://docs.openstack.org/developer/keystone/configuration.html#configuring-the-ldap-identity-provider23:32
dstanekleonchio_: i'm not sure i understand exactly what you are looking to do.23:32
leonchio_dstanek: I basically try to setup a federation service with keystone(sp) and ad/ldap(isp) and I found this doc http://docs.openstack.org/developer/keystone/configure_federation.html23:34
leonchio_dstanek: and I just got stuck in the end when creating groups and providers ...23:35
*** stevemar has quit IRC23:35
dstanekleonchio_: the error message seems to imply a permission issue, but did you sync after adding the federation plugin?23:36
dstanekleonchio_: i haven't configured federation before - i've only used LDAP as a backend that allows a user to login using LDAP23:37
*** alex_xu has quit IRC23:37
dstanekthrough keystone23:37
leonchio_dstanek: yeah, I did restart all the servers and sync the db ... and yeah, I already setup LDAP as the backend with keystone ...23:38
leonchio_dstanek: thanks for your help! I will try to play around if the permissions is the issue ...23:40
dstanekleonchio_: what about the directory the DB is in?23:40
leonchio_it is in /etc/keystone and keystone.conf has reference to it23:41
dstanekleonchio_: is that writable by root? your database is in /etc/keystone?23:41
*** gus has joined #openstack-keystone23:41
nkindermorganfainberg, dolphm: https://bugs.launchpad.net/keystone/+bug/137605323:41
uvirtbotLaunchpad bug 1376053 in keystone "user_enabled_invert does not properly handle string values" [Undecided,In progress]23:41
leonchio_dstanek: yeah, -rw-rw-rw-   1 root root 68608 Sep 30 15:34 keystone.db23:42
dstanekwhat's the perms on the directory?23:42
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixes a spelling error in hacking tests  https://review.openstack.org/11946123:43
openstackgerritDavid Stanek proposed a change to openstack/keystone: Adds missing log hints for level E/I/W  https://review.openstack.org/11888323:43
openstackgerritDavid Stanek proposed a change to openstack/keystone: Extends hacking check for logging to verify i18n hints  https://review.openstack.org/11888423:43
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixes aggressive use of translation hints  https://review.openstack.org/12523323:43
morganfainbergnkinder, ah i see how that bug can occur23:44
nkindermorganfainberg: yeah, though I'm not sure why the tests don't catch it23:45
nkindermorganfainberg: I have it fixed and tested it with a real LDAP server, but want to write tests that trigger the bug before proposing anything23:45
morganfainbergk23:45
morganfainbergmarked it as "medium" and fixed the tag for you23:46
*** andreaf has quit IRC23:46
*** andreaf has joined #openstack-keystone23:47
*** henrynash has quit IRC23:54
