Friday, 2014-10-03

*** HenryG has quit IRC00:05
nkinderekarlso: so it doesn't even advertise v2.0 on 35357 -
dstanekmorganfainberg: migration question...when exactly does the migration_tmp table get created?00:16
remote_morgan_Uhh for what migration? Or you mean the SQLite in mem thing?00:17
dstanekremote_morgan_: i'm messing with test_sql_upgrade and i'm trying to figure out the exact setup/teardown steps00:18
remote_morgan_The in memory schema is created when the db connector connects to the "db"00:18
remote_morgan_Which should be the on setup bit. Then schema is created with reflection.00:19
remote_morgan_I'll be at my desk in 2 minutes and I can link directly to the code00:19
dstanekremote_morgan_: ok00:19
morganfainbergok sec00:20
dstanekmorganfainberg: let me step back and tell you what i want to do00:21
morganfainbergdstanek, ok00:21
dstanekmorganfainberg: i want to delete the db file on teardown if using a file - and then don't drop tables00:21
dstanekeffectively the sqlite version of drop database00:21
dstanekmy change right now is really simple, but yields crazy results...jas i'll paste00:23
dstanekmorganfainberg: hack ->
morganfainbergok for the migration test: this is where the db is made the path being the special sqlite:// means when we get a DB connection, connect *that* descriptor to in-memory00:25
dstanekmorganfainberg: result ->
morganfainbergdstanek, sql.cleanup() ?00:25
dstanekmorganfainberg: that's how we get a new engine00:26
dstanekmorganfainberg: a few lines up from your link it creates the db_file path...doesn't that get used in these tests?00:27
morganfainbergnot if you're using in-mem db00:27
morganfainbergwhich is the default for everything00:27
morganfainbergif you close the descriptor, it is freed back to the system00:27
morganfainbergthe table.drop stuff *should* be for non-in-mem sqlite dbs00:28
morganfainberge.g. MySQL00:28
morganfainbergor in the case of disk-based sqlite.00:28
dstanekmorganfainberg: so what i wanted to do for non-sqlite is just 'drop database' and 'create database'00:29
morganfainbergi'm wondering if there is some magic addcleanup that was added somewhere00:30
*** gokrokve has quit IRC00:30
dstanekmorganfainberg: i'm in the middle of a bigger change where i'm creating a new db using the process pid so that we can have multiple workers creating/dropping databases00:30
morganfainbergbecause honestly... i've never seen that error you pasted00:30
morganfainbergdstanek, doesn't oslo.db already have something to do that?00:30
morganfainbergopportunistic tests00:30
dstanekmorganfainberg: yeah, maybe i'll unwind my changes and see where the table gets created00:30
dstanekmorganfainberg: not sure, but i'll take a look00:31
morganfainbergit should already exist iirc00:31
morganfainbergfor the in-memory sqlite, it's a non-issue, each descriptor is its own db schema, free and clear00:31
morganfainbergerm, engine00:31
morganfainbergwhich is why we only create the engine in setup now.00:32
dstanekmorganfainberg: maybe
morganfainbergsomewhere in icehouse it was ugly.00:32
dstanekmorganfainberg: i'll take a deeper look at oslo.db to see if it can help me out - thanks for the pointer00:32
morganfainbergdstanek, zzzeek and dhellmann might have a couple pointers where the opportunistic tests are00:33
morganfainbergfor db schema creation00:33
morganfainbergdstanek, longer term rather than needing a "clean" schema each time we should be able to test / cleanup in a given test case (except the migration tests, those need a clean schema)00:33
morganfainbergthat way we can run the tests against any db backend and not need special magic to create the schemas or multiple dbs.00:34
dstanekmorganfainberg: cleanup by deleting created rows?00:35
morganfainbergdstanek, we should know what entities we create, we should be able to verify they were cleaned up00:36
*** leveldoc has quit IRC00:37
morganfainbergthis is forward thinking for the functional testing (replacement of the RESTful test cases).00:37
dstanekmorganfainberg: i actually don't mind the nuke it approach then reload the fixture data00:37
morganfainbergdstanek, except that it's very expensive and each db engine requires special code to know how to handle multiple active schemas00:38
dstanekmorganfainberg: from the outside you may not always know what entities are created00:38
morganfainbergbeing able to validate we created the expected entity sounds less like a checking sql thing and more of a checking what methods were called, unit vs functional00:39
dstanekit also means that if you have several processes accessing the database you may introduce intermittent errors00:39
morganfainbergerm, the expected rows00:39
morganfainbergdstanek, if multiple tests accessing the keystone "process" at once would introduce those intermittent errors, so would "Real" runtime00:39
morganfainbergor even multiple keystone processes against a single db00:40
dstanekmorganfainberg: no, i don't mean like that. we have tests that validate counts that you wouldn't have in production00:40
dstanekand other things00:40
morganfainbergthose are the ones that need to be looked at.00:40
morganfainbergis there a real benefit to looking at how many of x items are there vs looking to see if item X or Y is/isnot there?00:41
morganfainbergwith perhaps exception of revocation events.00:41
morganfainbergsince those expire off / are superseded directly00:41
dstaneki don't think those are bad tests necessarily - what if you have a filter and wanted to make sure it worked?00:41
dstaneksure the 4 records you wanted are in there, but you'd still have to check that the other records are not00:42
morganfainbergwouldn't the approach be "Create record X, Y, and Z" where record z doesn't match, check for existence of X and Y but not Z00:42
dstaneki'm not against the idea, but i think we have a lot of work before we are even close to talking in more details00:42
morganfainbergsure, i'm just saying think about this when you're reworking it.00:43
morganfainbergand remember each db engine takes special code to know how to handle multiple schemas / dbs, because giving that super power to mysql is different than pgsql00:43
morganfainbergand i don't know how DB2 would work if we even continued to see ibm test it00:44
morganfainberg1st step: make it better, 2nd step, keep making it better :)00:44
dstanekmorganfainberg: i'm actually working on two different, inter-related things right now - experimenting, so that i can write a spec00:45
morganfainbergsounds good.00:46
*** alex_xu has quit IRC00:46
morganfainbergwhoops sorry wrong window :P00:46
dstanekactually i guess three things :-(00:46
morganfainbergwhat things?00:46
dstaneki'm wading through a pile right now00:46
morganfainberg(not that it doesn't sound good btw, just... was talking dinner to someone :P )00:47
dstanek1. reducing database queries00:47
dstanek2. stopping 404 when we should 400 validation error00:47
dstanek3. run tests on non-sqlite databases00:47
openstackgerritBrant Knudson proposed a change to openstack/keystone: Fix tests using extension drivers
morganfainbergi'd like to revisit -
openstackgerritBrant Knudson proposed a change to openstack/keystone: Avoid multiple instances for a provider
morganfainbergin the query cleanup00:48
morganfainbergor as part of it00:48
morganfainbergthere is a lot of added overhead GC ickyness for just "checking" existence that we throw away.00:48
morganfainberg"is this here, oh yes? ok moving on"00:48
dstanekmorganfainberg: those are going away00:48
morganfainbergah ok00:48
dstanekthat will reduce the number of queries00:49
*** r-daneel has quit IRC00:49
dstaneklet me write this up for you to see :-(00:49
morganfainbergand if we are just checking existence or a single attribute "enabled" we should make sure we're only looking at that.00:49
morganfainbergor doing the partial obj load that SQLA can do00:49
dstanekmorganfainberg: the biggest challenge is coming up with a spec name that has all three components00:49
morganfainbergrather than the "load everything and do all the object/bookkeeping stuff"00:49
morganfainbergyou know, you are allowed to have more than one spec ;) and just say "this one requires XXX to be completed first"00:50
dstanekthe primary reason we do the gets is to raise a 40400:50
dstanekmorganfainberg: yes, but they are inter related00:50
morganfainbergsure. i think the last one is the easiest one to split out btw.00:50
dstanekfixing one forces me to fix the other and then the other00:51
morganfainbergat face value00:51
dstanekactually i can probably split off the run tests on non-sqlite - i just need part of the fix there to do the others00:52
morganfainbergthat should make writing the spec a little more straightforward00:52
morganfainbergok i need to head to the gym.00:54
morganfainbergbe back a bit later.00:54
*** zzzeek has quit IRC01:00
*** stevemar has joined #openstack-keystone01:06
*** dims has joined #openstack-keystone01:07
*** marcoemorais has quit IRC01:19
*** praneshp has quit IRC01:20
*** ncoghlan has joined #openstack-keystone01:37
*** richm has quit IRC01:50
*** gokrokve has joined #openstack-keystone01:52
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Use openstackclient examples in configuration documentation
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Update the CLI examples to also use openstackclient
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Add v3 openstackclient CLI examples
*** gokrokve_ has joined #openstack-keystone01:55
*** HenryG has joined #openstack-keystone01:56
*** HenryG has quit IRC01:56
*** HenryG has joined #openstack-keystone01:58
*** gokrokve has quit IRC01:58
*** dims has quit IRC01:58
*** dims has joined #openstack-keystone01:59
*** dims has quit IRC02:03
*** NM has joined #openstack-keystone02:05
*** gokrokve_ has quit IRC02:11
nkinderThere's nothing like encountering a bug, filing it, fixing it, then finding it's already been fixed in master...02:14
*** andreaf has quit IRC02:16
*** andreaf has joined #openstack-keystone02:16
nkinderekarlso: the httpd issue you're encountering is
uvirtbotLaunchpad bug 1343579 in keystone "Versionless GET on keystone gives different answer with port 5000 and 35357" [High,Fix released]02:18
nkinderekarlso: bknudson fixed it recently, and it just went into Juno RC1.02:18
*** topol has joined #openstack-keystone02:19
*** gokrokve has joined #openstack-keystone02:21
*** harlowja is now known as harlowja_away02:27
*** gokrokve has quit IRC02:34
*** gokrokve has joined #openstack-keystone02:35
*** zzzeek has joined #openstack-keystone02:39
*** gokrokve has quit IRC02:39
*** amcrn has quit IRC02:40
*** NM has quit IRC02:50
morganfainbergnkinder, hehe02:55
nkindermorganfainberg: at least I arrived at the same fix :P02:55
morganfainbergbknudson woot -1287!!02:55
morganfainbergwe use memorycache?!02:56
*** ncoghlan is now known as ncoghlan_afk02:58
morganfainberg... that is *not* ok02:58
morganfainbergnkinder, i think my isp is sucking tonight... what do you think: 64 bytes from icmp_seq=3 ttl=41 time=807.732 ms02:59
nkinderugg, yeah02:59
nkindermorganfainberg: I had a fun one a month back with 80% packet loss02:59
morganfainbergthats the low end. upwards of 1200ms ping02:59
nkinderit's comcastic...02:59
morganfainbergand getting about 1% packet loss :(02:59
morganfainbergnah charter for me.03:00
morganfainbergyay no options.03:00
nkindercomcast will own them soon enough03:00
morganfainbergoh.. not my isp *sigh*03:00
morganfainberglooks like my router is on the fritz03:01
morganfainberg500ms to the router... wtf.03:02
nkinderrouter reboot time?03:03
morganfainbergoh wow03:03
morganfainberg5G network = not crappy03:03
morganfainberg2.4G network = 500ms to the router03:03
morganfainberg5G: 64 bytes from icmp_seq=65 ttl=64 time=1.004 ms03:03
morganfainberg2.4G: 64 bytes from icmp_seq=18 ttl=64 time=531.654 ms03:03
nkinderthat's strange03:04
morganfainbergprobably a lot of interference on the 2.4G space03:04
morganfainbergat least 50 networks show up when i scan for wifi03:04
morganfainbergi am guessing i have 1 device that uses 2.4Ghz everything else is 5G so i don't notice :P03:05
*** gyee has quit IRC03:17
*** zzzeek has quit IRC03:21
*** marcoemorais has joined #openstack-keystone03:47
*** amcrn has joined #openstack-keystone04:00
*** gokrokve has joined #openstack-keystone04:06
*** amcrn has quit IRC04:09
*** gokrokve has quit IRC04:13
*** gokrokve has joined #openstack-keystone04:13
*** ncoghlan_afk is now known as ncoghlan04:15
*** r1chardj0n3s is now known as r1chardj0n3s_afk04:15
*** gokrokve has quit IRC04:18
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Update the CLI examples to also use openstackclient
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Add v3 openstackclient CLI examples
*** NM has joined #openstack-keystone04:34
*** NM has quit IRC04:40
*** lhcheng has quit IRC04:42
*** lhcheng has joined #openstack-keystone04:42
*** jamielennox has quit IRC04:43
stevemarmorganfainberg, gotta love living in a condo/building04:47
stevemarinterference for everyone!04:47
*** lhcheng has quit IRC04:47
*** r1chardj0n3s_afk is now known as r1chardj0n3s04:55
*** jamielenz has joined #openstack-keystone05:00
*** jamielenz is now known as jamielennox05:00
*** lhcheng has joined #openstack-keystone05:02
*** andreaf has quit IRC05:32
*** andreaf has joined #openstack-keystone05:33
openstackgerritChmouel Boudjnah proposed a change to openstack/keystonemiddleware: Encode middleware error message as bytes
*** lsmola has joined #openstack-keystone06:09
openstackgerritOpenStack Proposal Bot proposed a change to openstack/keystone: Imported Translations from Transifex
*** lufix has joined #openstack-keystone06:17
*** topol has quit IRC06:17
*** stevemar has quit IRC06:18
*** nellysmitt has joined #openstack-keystone06:19
*** praneshp has joined #openstack-keystone06:20
*** praneshp_ has joined #openstack-keystone06:21
*** jaosorior has joined #openstack-keystone06:22
*** praneshp has quit IRC06:24
*** praneshp_ is now known as praneshp06:24
marekdwhat was all that hassle with XML and federation code?06:33
openstackgerritMarcos Fermín Lobo proposed a change to openstack/keystone: Templated catalog backend not implemented
*** r1chardj0n3s is now known as r1chardj0n3s_afk06:57
*** marcoemorais has quit IRC06:59
*** marcoemorais has joined #openstack-keystone06:59
*** marcoemorais1 has joined #openstack-keystone07:01
*** marcoemorais has quit IRC07:04
*** nellysmitt has quit IRC07:16
*** nellysmitt has joined #openstack-keystone07:17
*** afazekas has joined #openstack-keystone07:21
*** nellysmitt has quit IRC07:21
*** nellysmitt has joined #openstack-keystone07:46
*** swartulv has quit IRC07:46
*** Daviey has quit IRC07:47
*** swartulv has joined #openstack-keystone07:47
*** andreaf has quit IRC07:49
*** andreaf has joined #openstack-keystone07:49
*** jistr has joined #openstack-keystone08:00
*** lhcheng has quit IRC08:04
*** lhcheng has joined #openstack-keystone08:05
*** andreaf has quit IRC08:07
*** andreaf has joined #openstack-keystone08:08
*** lhcheng has quit IRC08:09
*** ukalifon1 has joined #openstack-keystone08:22
*** ncoghlan has quit IRC08:26
*** ukalifon1 has quit IRC08:31
*** henrynash has joined #openstack-keystone08:53
*** henrynash has quit IRC08:54
*** jimbaker has quit IRC08:56
*** marcoemorais1 has quit IRC09:12
*** andreaf has quit IRC09:15
*** andreaf has joined #openstack-keystone09:16
*** jasondotstar has joined #openstack-keystone09:35
*** aix has joined #openstack-keystone09:39
*** ukalifon1 has joined #openstack-keystone09:47
*** andreaf has quit IRC09:49
*** andreaf has joined #openstack-keystone09:50
*** praneshp has quit IRC09:55
openstackgerritAlexander Makarov proposed a change to openstack/python-keystoneclient: Endpoint selection logic fix
openstackgerritAlexander Makarov proposed a change to openstack/python-keystoneclient: Endpoint selection logic fix
*** amakarov_away has quit IRC10:14
*** ukalifon1 has quit IRC10:15
*** amakarov has joined #openstack-keystone10:15
*** andreaf has quit IRC10:24
*** andreaf has joined #openstack-keystone10:26
*** lhcheng has joined #openstack-keystone10:28
*** lhcheng has quit IRC10:33
*** henrynash has joined #openstack-keystone10:34
*** nellysmitt has quit IRC10:38
*** nellysmitt has joined #openstack-keystone10:38
*** nellysmi_ has joined #openstack-keystone10:40
*** nellysmitt has quit IRC10:40
*** henrynash has quit IRC10:42
*** andreaf has quit IRC10:42
*** andreaf has joined #openstack-keystone10:43
*** henrynash has joined #openstack-keystone10:56
*** henrynash has quit IRC10:59
*** dims has joined #openstack-keystone10:59
*** henrynash has joined #openstack-keystone11:02
openstackgerritAlexander Makarov proposed a change to openstack/python-keystoneclient: Endpoint selection logic fix
*** henrynash has quit IRC11:15
*** andreaf has quit IRC11:17
*** andreaf has joined #openstack-keystone11:17
*** diegows has joined #openstack-keystone11:18
bretonI am trying to deploy keystone and I'm stuck on
breton[sql] was removed and something else related to oslo is used now11:50
bretonI've opened #1377101 about it11:51
bretoncould someone give me a hint on what to read about how to configure now?11:51
*** nellysmi_ has quit IRC11:54
*** jimbaker has joined #openstack-keystone11:58
*** jimbaker has quit IRC11:58
*** jimbaker has joined #openstack-keystone11:58
mhumarekd: jenkins is giving you a tough time :)12:04
bretonbknudson: git blames you for this change. Could you please update the docs?12:07
*** zzzeek has joined #openstack-keystone12:07
*** zzzeek has quit IRC12:14
openstackgerritDavanum Srinivas (dims) proposed a change to openstack/keystone: Typo olso -> oslo
*** zzzeek has joined #openstack-keystone12:19
*** zzzeek has joined #openstack-keystone12:21
*** zzzeek has quit IRC12:21
*** ukalifon has joined #openstack-keystone12:25
*** lhcheng has joined #openstack-keystone12:30
*** bknudson has quit IRC12:34
*** lhcheng has quit IRC12:35
*** andreaf has quit IRC12:39
*** andreaf has joined #openstack-keystone12:39
marekdmhu: :(12:49
marekdmhu: how is auth plugins in osc patch going ?12:50
marekdi haven't looked there for a while :(12:50
marekdmhu: also this is not a very good news12:50
mhumarekd, I've updated the patch so that --os-auth-plugin is not needed for v3 password auth to ensure backward compatibility, now I am waiting for reviews12:52
mhumarekd, yep, saw that in my mail feed :(12:52
marekdmhu: keeping this backward compatible will lead to something i seen already in ksc and really hated it: some hacks that really have nothing in common with readability, and turns out i am now to be blamed for that.12:52
openstackgerritAlexander Makarov proposed a change to openstack/keystone: PKI and PKIZ tokens unnecessary whitespace removed
marekdmhu: ah, that patch with new method _guess_auth_plugin (or similar)12:53
mhumarekd, yep12:53
marekdmhu: so i saw it.12:53
*** dims has quit IRC12:55
*** bknudson has joined #openstack-keystone12:55
*** dims has joined #openstack-keystone12:55
*** thiagop has joined #openstack-keystone12:57
marekdbknudson: o/13:03
bknudsonmarekd: hi13:04
*** joesavak has joined #openstack-keystone13:04
marekdbknudson: i have a question regarding and your -1. When I think about it now I realize we might get into similar problems with other arguments and __init__ signatures should be more generic (**kwargs) and more standardized. Now, is there any way to drop this backward compatibility or I will need to add some subclasses that just reimplement __init__ and rather the args signature?13:06
marekdbknudson: i can imagine one day we would like to remove username/password from those auth plugins, because we may want to introduce more authn methods for authenticating against IdP (for instance kerberos or certs)13:07
bknudsonmarekd: just because **kwargs is used doesn't mean that you can make backwards-incompatible changes (like removing functionality that might be in use)13:09
bknudsonmarekd: here's the docs for that stability guidelines --
bknudsonI assume this means no backwards-incompatible api changes without deprecating13:10
ayoungbknudson, marekd  is languishing.  marekd I know Jose would probably like to finally get his patch in13:12
ayoungmhu, link?13:13
bknudsonI have +2 in  openstack/python-keystoneclient-kerberos ? I don't know anything about kerberos.13:13
ayoungmhu, did you try it with Kerberos?13:15
mhuayoung, no, just with available ksc plugins as of 0.1113:15
ayoungmhu, kerberos is in a separate repo.  I have a public, kerberized Keystone13:15
ayoungmhu, you on Ubuntu or Fedora?13:16
mhuayoung, ubuntu atm13:16
ayoungmhu, ok.  I don't have a .deb, just an RPM, but you can get it from the git repo if you want to try it13:17
*** gordc has joined #openstack-keystone13:17
* ayoung checking to see if he has a working client13:17
ayoungmhu, I'm on a sprint to finish up Kerberos for Horizon13:17
ayoungI'll git it a test run after that13:17
marekdayoung: i also doubt i have any powerful right on this kerberos repo.13:18
ayoungmarekd, its a Keystone team repo13:18
marekdayoung: still, not me.13:18
ayounglets just get it reviewed by the people that care about it13:18
openstackgerritDavanum Srinivas (dims) proposed a change to openstack/keystone: Switch LdapIdentitySqlAssignment to use oslo.mockpatch
marekdayoung: uhm.13:19
ayoungmarekd, c'mon, i CERN cares about Kerberos....13:19
dimsbknudson: thanks for the suggestion13:20
ayoungthe actual plugin is trivial13:20
marekdayoung: i do, i saw those patches before, I will reread them again.13:20
ayoungits the rest of the repo stuff that has complicated it13:20
bknudsondims: you going to switch to oslotest.mockpatch ?13:20
ayoungmarekd, thanks13:20
bknudsondims: awesome! ... do we have to update test-requirements.txt?13:21
marekdbknudson: **kwargs simply mean that I don't need to respect arguments ordering, and here it is the whole hassle and this lack of backward compatibility.13:22
dimsdims@dims-mac:~/openstack/keystone$ cat test-requirements.txt  | grep oslotest13:22
dimsoslotest>=1.1.0  # Apache-2.013:22
bknudsongreat. +213:22
dimsalready at the level we need bknudson13:22
*** radez_g0n3 is now known as radez13:25
*** henrynash has joined #openstack-keystone13:26
*** NM has joined #openstack-keystone13:47
*** r-daneel has joined #openstack-keystone13:47
bknudsonmarekd: right, if this function had started with **kwargs then I assume you wouldn't be making the change in .13:49
bknudsonmarekd: btw, if there's some overriding reason to ignore the backwards-compatibility requirement I can be convinced that this is ok.13:50
*** henrynash has quit IRC13:53
marekdbknudson: i really doubt anybody (apart from me) wrote the code using this or any saml plugin.13:53
rodrigodsdolphm, are you there? When I try to rebase our patches with the recent changes in the branch, gerrit shows this list of commits to proceed:
rodrigodsshould I type "yes" ? =)13:54
*** jamielennox has quit IRC13:56
*** jsavak has joined #openstack-keystone13:56
bknudsonmarekd: I don't think that's a good enough reason... the versions that contains the old interface are published out there already and may be packaged up in distros so someone can come along much later and start using it.13:56
*** thiagop has quit IRC13:59
*** topol has joined #openstack-keystone13:59
*** thiagop has joined #openstack-keystone13:59
marekdbknudson: okay then. I will add some classmethods that will reorder the args list.14:00
*** joesavak has quit IRC14:00
bknudsonmarekd: that sounds good.14:01
bknudsonthe old interface can be deprecated14:01
marekdbknudson: how/when ?14:04
bknudsonmarekd: say that it's deprecated in the docstring and then in a couple releases (12 months?) it can be removed.14:05
*** stevemar has joined #openstack-keystone14:11
marekdbknudson: you mean the function signature for instance, right?14:12
*** gokrokve has joined #openstack-keystone14:13
*** jamielennox has joined #openstack-keystone14:15
*** gokrokve has quit IRC14:15
*** gokrokve has joined #openstack-keystone14:16
*** alex_xu has joined #openstack-keystone14:16
marekdmhu: do you have a working federated testbed?14:20
mhumarekd: almost, my test VMs were recently destroyed on the test lab ... Currently rebuilding stuff14:21
marekdmhu: devstack at least?14:22
marekdpure devstack14:22
mhumarekd, yep14:22
marekdmhu: in devstack, you have two users14:22
marekddemo and admin14:22
marekdadmin is like a real admin user?14:22
marekdmhu: should it be able to see all the virtual machines in this cloud setup ?14:23
mhumarekd, it's a matter of roles and policies. The admin user has obviously the admin role, which is allowed pretty much everything in policy.json files14:26
marekdin devstack, right?14:27
mhumarekd, yup14:27
marekdmhu: can you do me a favor and list what you have in env | grep OS | grep -v OS_PASSWORD14:27
marekdi actually want to know what variables you have14:28
marekdnot even a values.14:28
mhuI don't usually have env variables set, I call the CLI like this, for example: OS_USERNAME=admin OS_PROJECT_DOMAIN_NAME=default OS_USER_DOMAIN_NAME=default OS_PROJECT_NAME=admin OS_AUTH_URL= OS_PASSWORD=admin OS_IDENTITY_API_VERSION=3 OS_AUTH_PLUGIN=v3password openstack --debug user list14:29
mhu(this is for v3 password auth)14:30
marekdyeah, i can see that14:30
*** lhcheng has joined #openstack-keystone14:32
marekdmhu: thanks, that helped.14:32
mhumarekd, glad to be of assistance ! also OS_AUTH_PLUGIN is not mandatory14:33
mhuunless you use saml-based auth14:33
*** lhcheng has quit IRC14:36
*** gokrokve has quit IRC14:40
*** zzzeek has joined #openstack-keystone14:41
*** gokrokve has joined #openstack-keystone14:42
*** richm has joined #openstack-keystone14:42
dolphmrodrigods: no, which review are you rebasing?14:43
dolphmrodrigods: gerrit permissions will likely stop you from uploading those merge commits anyway14:43
nkinderayoung: I will try your client patches with kerberos today14:43
ayoungnkinder, awesome14:43
ayoungnkinder, did you see the above about the common client and auth plugins?14:44
nkinderayoung: was just reading that14:45
*** mflobo has quit IRC14:45
*** gokrokve_ has joined #openstack-keystone14:47
nkindermarekd: fyi - I finally got around to setting up federation with mod_auth_mellon and ipsilon14:48
nkindermarekd: I'll be adding some updates to the docs to cover mod_auth_mellon config14:49
*** ukalifon has quit IRC14:49
dolphmrodrigods: instead of rebasing, i updated my local feature/hierarchical-multitenancy branch, checked out HEAD~0, and then cherry-picked all four of your changes onto that branch:
dolphmrodrigods: do you want to try doing the same, or should i upload these changes to gerrit?14:50
nkinderayoung: ok, so the kerberos plug-in and 108325 are needed to allow the CLI to work with kerberos?14:50
ayoungnkinder, yes14:51
*** gokrokve has quit IRC14:51
ayoungnkinder, I've not tested it yet, but it looks like it should14:51
nkinderayoung: ok, I'll review mhu's patch today too then14:51
ayoungnkinder, thanks14:51
nkinderayoung: I have ipa/ipsilon/keystone/mod_mellon config nearly fully automated14:52
ayoungnkinder, I'm glad DOA does not have a physical presence14:53
nkinderayoung: there's one manual step to register keystone as a SP with ipsilon, but I'm looking for a way to do that in automation14:53
ayoungI would be arrested for either murder or Arson14:53
ayoungactually, it is the client  really is not designed for what DOA needs to do, and that needs to change14:54
ayoungIt turns out that, while I had login working, listing projects happened later, and was bypassing the plugin code14:54
ayoungand...the code is just horrible14:54
*** henrynash has joined #openstack-keystone14:55
ayoungand I'm going back to beating it into submission14:55
dolphmrodrigods: i'm assuming you're AFK for the day, so i'm going to go ahead and upload14:57
*** cjellick has quit IRC14:59
marekd nkinder nice :-) did you try it out with a browser or keystoneclient?15:01
nkindermarekd: I was just using a browser15:02
marekdnkinder: hm, does ipsilon already have the ECP implemented?15:02
ayoungdjammit django15:02
marekdif not, there is no point in trying ksc.15:02
nkindermarekd: No, I don't think it has ECP (could be mistaken)15:03
marekdnkinder: ok.15:03
marekdnkinder: anyway, it's good that you make mod_mellon working.15:03
nkindermarekd: Ipsilon is currently in the middle of adding the ability to pull user info from LDAP to put in the assertion.  I need that to be able to do anything really useful.15:03
marekdnkinder: do you think you will be able to update our docs, so your discovery is also reflected (we only put configs for Apache + shibboleth)15:04
nkindermarekd: So I can identify the user, but I need to be able to customize things to put in group membership and other info that keystone's mappings can rely on.15:04
nkindermarekd: yes, that's my plan15:04
marekdnkinder: great!15:04
nkindermarekd: will you be at the summit?15:04
marekdnkinder: yes.15:08
nkindermarekd: great.  I'll have a set up of it that I can show you15:08
marekdnkinder: awesome!15:08
*** wwriverrat has joined #openstack-keystone15:09
marekdstevemar: o/ do you think you will be able to comment ~now on my e-mail regarding protocols?15:10
stevemarmarekd, o/15:11
*** wwriverrat has joined #openstack-keystone15:12
stevemarnkinder, you owe me docs! :)15:12
*** wwriverrat has left #openstack-keystone15:13
nkinderstevemar: :)15:13
nkinderstevemar: I started reviewing your OSC CLI stuff last night.  Will wrap up today.15:13
nkinderstevemar: looks like great stuff15:13
nkinderI keep steering people to OSC who are just familiar with KSC but want to do v3 stuff15:14
nkinderexamples will save me some typing :)15:14
stevemarnkinder, examples save us all a lot of typing :P15:15
marekdstevemar: so?15:16
stevemarmarekd, i like $ os federation protocol create --identity-provider idp --mapping test_mapping15:17
dstanekso DatabaseAlreadyControlledError is killing my soul15:17
stevemarthe args should have dashes (-) not underscores (_)15:17
stevemarlooking at the wiki now marekd15:18
marekdyeah, but basically e.g identity-provider should be flags15:18
marekdthat was my question15:18
*** david-lyle has joined #openstack-keystone15:18
marekdstevemar: ^^15:18
stevemari think for the sake of usability i would make them 'required flags'15:19
marekdstevemar: ok, so i will recode my patch then.15:19
*** henrynash has joined #openstack-keystone15:20
stevemarmarekd, commented15:22
marekdstevemar: thank you sir!15:22
stevemarmarekd, in parser.add_argument() you can set required=True for optional arguments (ones that start with --)15:25
marekdstevemar: good hint15:26
stevemarmarekd, moar comments!15:28
*** thedodd has joined #openstack-keystone15:28
vsilvaping, bknudson15:31
*** dims is now known as dimsum_15:32
vsilvaregarding (Explicit complaint about old OpenSSL when testing). So you're saying I should grab the version outside the class?15:33
vsilva(and then decorate it with a skipIf)15:33
dstanekVancouver, BC?15:34
bknudsonvsilva: yes, use skipIf15:34
dimsum_dstanek: y15:37
*** cjellick has joined #openstack-keystone15:37
*** ukalifon1 has joined #openstack-keystone15:39
dstanekdimsum_: never been, but the pictures look great15:39
dimsum_dstanek: y looking forward. i have not been there either15:40
*** bdossant has quit IRC15:40
*** lufix has quit IRC15:44
marekdstevemar: ehhh, when you say args you don't mean metavar?15:48
*** gokrokve has joined #openstack-keystone15:50
*** gokrokve_ has quit IRC15:53
*** thedodd has quit IRC15:55
stevemarmarekd, i use the term too loosely :(15:57
marekdstevemar: i am constantly confused15:59
marekdstevemar: if i make: parser.add_argument('--foo', metavar='<name>')15:59
marekdi will later have variable parser.foo15:59
stevemarmetavar is just for the help output16:00
marekdif i make parser.add_argument('--foo-bar', metavar='<name>') i will have parser.foo_bar16:00
marekdand the naming should be with (-)16:00
marekdfoo-bar, not foo_bar16:00
rodrigodsthanks dolphm , was at a meeting, sorry for not being able to respond16:01
dolphmrodrigods: no worries16:02
dolphmrodrigods: if you have other patch sequences, try cherry picking each patch in order onto an updated branch16:02
dolphmrodrigods: i also recommend working on untracked local branches (git checkout HEAD~0)16:02
dolphmmarekd: ++16:03
rodrigodsdolphm, yeah, thanks... will do that16:04
dolphmdstanek: dimsum_: vancouver is great, especially all the islands in the strait16:04
dimsum_dolphm: nice16:05
morganfainbergVancouver will be a good venue16:13
morganfainbergmeans i'll need to hang out w/ people in Seattle around the trip as well16:14
*** lhcheng has joined #openstack-keystone16:14
*** jistr has quit IRC16:21
*** marcoemorais has joined #openstack-keystone16:22
*** imkarrer has joined #openstack-keystone16:30
*** ayoung is now known as ayoung-runch16:33
dolphmdstanek: morganfainberg: wait, what's in vancouver?16:37
morganfainbergdolphm, May summit16:37
dolphmooh, missed that16:38
dolphmi see the save the date now16:38
raildo_awayVancouver should be cool :)16:38
*** aix has quit IRC16:40
*** raildo_away is now known as raildo16:40
*** richm has quit IRC16:40
*** lhcheng is now known as lcheng16:42
stevemaryay vancouver16:43
*** gyee has joined #openstack-keystone16:50
dstanekstevemar: ++16:52
dstanektravel will be a little better for me16:52
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Add v3 openstackclient CLI examples
stevemardstanek, slightly, yes16:53
stevemardstanek, i'm just excited to not have to bring a passport16:54
marekddstanek: stevemar when do you arrive?16:54
marekdto Paris ofc16:54
stevemardstanek, or worry about exchanging money16:54
stevemarmarekd, the 3rd :\16:54
marekdstevemar: and leave?16:55
stevemarmarekd, the 8th :(16:55
marekdshort trip16:55
*** NM has quit IRC16:59
*** jsavak has quit IRC17:03
*** amcrn has joined #openstack-keystone17:04
remote_morgan_stevemar: you should exchange money for Vancouver anyway.17:05
stevemarmorganfainberg, just get smaller denominations :P17:06
*** ukalifon1 has quit IRC17:06
dstanekmarekd: i'm on the Sunday before. maybe the 2nd17:08
dstanekstevemar: money, phone and language are my biggest worries17:08
marekdstevemar: what currency they have in Vancouver?17:09
marekddstanek: oh yes, french ppl don't speak english.17:09
*** NM has joined #openstack-keystone17:09
stevemarmarekd, canadian dollars in vancouver :)17:09
marekdstevemar: and what $$ you have in Toronto?17:10
marekdcanadian i'd say as well?17:10
marekddstanek: and for the money? What is the problem with them?17:10
stevemarmarekd, yep17:10
stevemarmarekd, i think dstanek is worried about euros17:10
dstanekmarekd: it just adds to the hassle; traveling already sucks17:11
marekddstanek: get your US credit card and let your bank do the rest.17:11
marekddstanek: usually bank rates are better than in the cantors.17:12
*** andreaf has quit IRC17:12
* marekd bear in mind American Express might not work in Europe17:12
dstanekmarekd: yes, but i may need cash for incidentals right? or if i'm in a pinch it would be nice to know i have some cash17:12
*** andreaf has joined #openstack-keystone17:12
stevemarmarekd, do a lot of places not take amex?17:13
dstanekmarekd: i have read that amex is usually only accepted in high end places and that visa is the most commonly accepted card...but that's just reading travel blogs17:13
stevemari just need it for taxi17:13
stevemardstanek, ++ on cash for incidentals, i'll be taking some out17:13
remote_morgan_Unfortunately I need to use Amex for travel. But I know I can use it to get cash if needed.17:14
marekdstevemar: dstanek you guys are talking like you never left us before. :-)17:14
marekdstevemar: or CA in your case17:14
stevemardstanek, and you have a nexus phone, so just buy a phone card at the airport and enjoy your unlocked goodness17:14
dstanekmarekd: i haven't been out of the US since we started needing a passport to get into Canada - been a really long time17:15
marekddstanek: get the money from the ATM and you have euros.17:15
remote_morgan_marekd: my experience in Europe has been most credit cards work. Just costs a chunk of change for foreign transactions depending  on the cc17:15
remote_morgan_And yea ATM! :)17:16
marekdremote_morgan_: i am saying Amex can not work everywhere....17:16
marekdmay not work everywhere.17:16
dstanekstevemar: i'm a little paranoid to bring my personal phone after i read about the rate of phone hacking in france17:16
marekddstanek: ?17:16
remote_morgan_marekd: oh yeah. But that is true for some Visa cards etc as well.17:16
*** praneshp has joined #openstack-keystone17:17
marekdremote_morgan_: that also work the other way round. I might have Visa credit card issue by my european bank and it may be rejected in the US17:17
dstanekmarekd: i was reading some security blogs that mentioned the cyber hacking in France, specifically in the larger cities, is very common17:17
marekdremote_morgan_: i would simply assume that Amex will be accepted *everywhere*.17:18
marekdremote_morgan_: i would simply assume that Amex will *NOT* be accepted *everywhere*.17:18
dstanekmarekd: so i've been thinkin about buying somethings like
marekdwe don't use amex in europe, that's all17:19
marekdok, need to run17:19
* dstanek thinks marekd is the international man of mystery17:20
stevemardstanek, he most definitely is17:23
*** afazekas has quit IRC17:26
*** dhellmann is now known as dhellmann_17:29
*** amcrn has quit IRC17:38
*** jamielennox has quit IRC17:43
*** amcrn has joined #openstack-keystone17:45
*** andreaf has quit IRC17:47
*** andreaf has joined #openstack-keystone17:47
*** harlowja_away is now known as harlowja17:48
remote_morgan_dstanek: ++17:49
remote_morgan_Hmm. Quota info in keystone again. Hmm.17:52
remote_morgan_ok so I think I have 3 sessions for keystone definitely in mind (with 4 still open).17:52
remote_morgan_1) client. (Lots to discuss here), 2) object life cycle (dependency injection), 3) authz (tokens, future, something new instead, etc).17:54
*** praneshp has quit IRC17:54
remote_morgan_Next week I'll be trying to line up the sessions a bit more clearly. I think CI might be a pod/meetup-day topic.17:54
remote_morgan_For example.17:54
*** sigmavirus24 has joined #openstack-keystone17:59
*** ukalifon1 has joined #openstack-keystone18:00
*** ayoung-runch has quit IRC18:01
*** gokrokve_ has joined #openstack-keystone18:02
*** lsmola has quit IRC18:03
*** praneshp has joined #openstack-keystone18:05
*** gokrokve has quit IRC18:07
*** gokrokve_ has quit IRC18:07
*** ayoung has joined #openstack-keystone18:09
rodrigodsdolphm, there?18:11
dolphmrodrigods: eating lunch but yes18:11
*** gokrokve has joined #openstack-keystone18:11
rodrigodsdolphm, no problem. you can respond when you have a moment =)... anyway, what did here:18:12
rodrigods1 - checked out the branch origin/feature/hierarchical-multitenancy18:12
vsilvaIs this really what you meant? I'm having a hard time finding it better than before, but I'm happy to send it over if you think it's better (than
*** gokrokve_ has joined #openstack-keystone18:12
*** marcoemorais has quit IRC18:12
rodrigods2 - did a cherry pick with our first patch:
*** marcoemorais has joined #openstack-keystone18:13
*** david-lyle has quit IRC18:13
bknudsonvsilva: put that code to get the openssl version in a function so you can call it.18:13
rodrigods3 - changed the file script 055_add_parent_project to 056_add_parent_project to18:13
*** marcoemorais has quit IRC18:13
rodrigods4 - git checkout HEAD~018:13
*** marcoemorais has joined #openstack-keystone18:13
*** marcoemorais has quit IRC18:13
*** jaosorior has quit IRC18:13
rodrigods5 - git review -R feature/hierarchical-multitenancy18:13
*** marcoemorais has joined #openstack-keystone18:14
rodrigodsdolphm, gerrit still tries to send the huge list of reviews =(18:14
*** marcoemorais has quit IRC18:14
*** marcoemorais has joined #openstack-keystone18:14
dolphmrodrigods: did you update the branch between step 1 and 2?18:15
*** gokrokve has quit IRC18:16
*** amakarov has quit IRC18:16
rodrigodsdolphm, yes18:16
dolphmrodrigods: so then, do step 4 before step 218:17
dolphmrodrigods: and then step 2 is just "git review -x 117784"18:17
dolphmthen make your edits, git commit --amend, and git review -R feature/hierarchical-multitenancy18:18
rodrigodsdolphm, great will try it here18:18
dolphmrodrigods: let me know how it goes18:18
dstanekmorganfainberg: i'm about ready to pull my hair out18:20
vsilvaaight bknudson, sending this over:
bknudsonvsilva: you can post changes to gerrit then it can be reviewed there.18:21
*** gokrokve_ has quit IRC18:22
rodrigodsdolphm, it worked! =DD18:24
openstackgerritDavid Stanek proposed a change to openstack/keystone: WIP: Fixes endpoint_filter
openstackgerritDavid Stanek proposed a change to openstack/keystone: WIP: Force SQLite to properly deal with foreign keys
dolphmrodrigods: awesome, glad to hear18:25
ayoungdolphm, WRT roles and permissions:  if "admin" should  cover all of the permissions of "member"  should we  do role inference or inheritance, where admin implies member?  Or should all of that kind of logic be left to the policy?18:25
dolphmayoung: policy, for sure18:25
dstanekdolphm: in my pursuit to break everything i think i found (err fixed) an interesting bug -
dolphmdstanek: haha18:26
ayoungdolphm, you think its better to have more explicit rules in policy.json?18:26
dolphmdstanek: this sounds like a juno target18:26
dolphmayoung: define more explicit?18:27
*** andreaf has quit IRC18:27
ayoungdolphm, if you want an API to work for admin or member, you need a rule that matches either role18:27
ayoungand that needs to be duplicated for all of the APIs that want it18:27
ayounglike we have admin_or_owner18:27
*** andreaf has joined #openstack-keystone18:27
*** jamielennox has joined #openstack-keystone18:27
dstanekdolphm: yeah i can't find any other reports in our list of bugs18:28
dolphmayoung: correct. i'd like to get to a point where the policy JSON is generated by something (horizon or a CLI) that perhaps expresses those relationships18:28
dolphmayoung: it is unwieldy by hand, for sure18:28
dolphmdstanek: i'm not aware of one either18:29
rodrigodsayoung, what do you think about this proposal: ?18:29
ayoungrodrigods, I think there are some good ideas in there18:30
ayoungrodrigods, I think we are limited today by mechanisms18:30
rodrigodsayoung, awesome... what do you mean about "mechanisms"?18:31
ayoungrodrigods, the issue is that we want those definitions to be common across openstack18:31
ayoungso nova and glance get them, too18:31
rodrigodsayoung, absolutely18:31
rodrigodsthat's why we've submitted to keystone, nova, glance, cinder and neutron18:31
ayoungrodrigods, I was tooling around with this strawman:
ayoungrodrigods, it goes against what dolphm just stated18:32
vsilvabknudson, what I was going to say is that sending this code over to the skipIf means that the tests in that class are skipped without saying anything when you run tox; that takes us back to the problem of old OpenSSL breaking things silently and people not knowing why.18:32
ayoungbut if nothing else, we can leave it up there as an alternative to what we end up actually doing18:32
ayoungrodrigods, there was a proposal to have service specific roles two summits back18:33
vsilvahaving these older versions also mean many tests breaking in other test classes, so I don't think skipping won't do - it's just a matter of catching that and really breaking with a good message somewhere imho18:33
vsilva*will do18:33
ayoungrodrigods, I am not certain that it is the right scope:  I could see an argument for roles and services being coupled, but also for endpoint specific roles and roles for a group of related services18:34
ayoungrodrigods, it all comes down to how granular we want to delegate permissions to do something.   The constraints spec is also related18:34
bknudsonvsilva: setupclass doesn't work then?18:35
rodrigodsayoung, hmm18:35
rodrigodsayoung, maybe a first step would have such type of policies?18:36
*** marcoemorais has quit IRC18:36
rodrigodssplitting admin global role into explicit ones18:36
*** marcoemorais has joined #openstack-keystone18:37
*** marcoemorais has quit IRC18:37
*** marcoemorais has joined #openstack-keystone18:37
vsilvabknudson, I hadn't heard about setupclass but a quick look at the docs tells me it's perfect. thanks!18:37
ayoungrodrigods, first step was the ability to assign a policy to an endpoint. Next thing we need is for the policy engine to be able to fetch its policy from Keystone18:39
ayoungonce we do that, we can make policy far more granular18:40
ayoungthe assignment part went in to Juno thanks to henrynash , but the fetch part is harder.  It means that an endpoint needs to know its own identity18:41
ayoungalso, the code for policy is not part of keystonemiddleware, but rather oslo, which does not have any way to call to Keystone server to fetch the policy18:41
*** gokrokve has joined #openstack-keystone18:41
ayoungrodrigods, that is really what we need next, I think:  fetch policy for endpoint18:42
rodrigodsayoung, interesting.... right now we are working on a PoC to replace Horizon's policies copies to policies fetched from Keystone via the endpoint-policy API18:44
ayoungrodrigods, so that Horizon can show the right UI to a user based on roles?18:44
rodrigodsayoung, exactly!18:44
rodrigodswe discussed here how it would work in the future18:45
rodrigodsall policies would be stored in keystone?18:45
dstanekwe don't seem to have any non-HTTP exceptions in Keystone18:46
bknudsondstanek: it's crazy... the managers should not be raising HTTP exceptions.18:47
rodrigodsdolphm, the same approach would work to send reviews to keep our branch up-to-date?18:48
dolphmrodrigods: no, you need someone in this group to upload merge commits to the feature branch, otherwise gerrit won't accept them,members18:50
dolphmrodrigods: long term, that'll just be morganfainberg18:50
rodrigodsdolphm, hmm ok, thanks =)18:50
dolphmdstanek: by design! although arguably NotFound should never be exposed to HTTP (but if it is, it can be rendered correctly)18:51
dstanekdolphm: shouldn't the internal parts of keystone raise domain specific, non-HTTP errors and the controller (web) layer translate those into HTTP errors?18:52
bknudsondstanek: that's exactly what it should do.18:54
bknudsondoesn't make sense especially when the backends can be called from cli18:55
raildoayoung, to do that what rodrigods are saying, i need to know how the services(Nova, Horizon...) can use the role "service". How they do that?18:56
ayoungraildo, um...basically, its in the policy file.  I'm not ever sure if they do18:56
ayoungraildo, I think it is just to limit them to only validating tokens.18:57
ayoungOh, and the new apis18:58
ayoung"identity:check_policy_association_for_service"  and the like18:58
vsilvabknudson, hold on a minute, setUpClass is never called when running the tests with tox! It might have something to do with the way we the suite works. Have you seen something like this?19:00
bknudsonvsilva: they use setupclass all the time in tempest code.19:05
*** amcrn has quit IRC19:07
*** amcrn has joined #openstack-keystone19:09
dolphmbknudson: yes, but i find that's prone to programmer error, so i'm in favor of mostly dual-purpose exceptions19:14
dolphmdstanek: ^19:14
dolphmprogrammer error in terms of compromising end-user experience unintentionally. like things aren't caught that should be, and then you end up with a 500 instead of a 400, or whatever19:15
bknudsondolphm: y, I'm not sure what a safe solution would look like.19:15
dstanekdolphm: bknudson: theoretically there should be tests for the known expected exceptions and then anything else by definition would be a 500; we are actually pretty good there19:20
*** thedodd has joined #openstack-keystone19:21
*** david-lyle has joined #openstack-keystone19:21
*** andreaf has quit IRC19:21
*** andreaf has joined #openstack-keystone19:22
raildoayoung, my doubt is how the service use this role? Internally they create a user, like "nova_user" and grant this role "service"?19:27
ayoungraildo, done at install time19:28
*** gyee has quit IRC19:28
raildoayoung, hum... i get it.19:29
raildoayoung, thanks!19:29
*** sigmavirus24 is now known as sigmavirus24_awa19:34
*** topol has quit IRC19:35
dstanekwhat is the difference between juno-rc-potential and juno-backport-potential?19:50
bknudsondstanek: juno-backport would go in stable/juno19:51
bknudsonwhich there isn't one yet, so no real difference19:51
*** sigmavirus24_awa is now known as sigmavirus2419:52
vsilvabknudson, I looked into the tempest tests and into many others which indeed use setUpClass, but it is simply not called if it's in CMSTest. rodrigods and I have been over this for some time now and our best guess is that it's something about inheriting from both utils.TestCase and testresources.ResourcedTestCase, but had no luck in finding out what.19:53
vsilvaYou can check it out yourself if you want to double check that it is indeed not called - that should be pretty quick. I'll just fix the pep8 issue and update the review, hopefully someone comes up with a suggestion19:55
dstanekbknudson: thx for the info19:55
bknudsonvsilva: I'll try it.19:55
*** vsilva has left #openstack-keystone19:56
*** vsilva has joined #openstack-keystone19:56
*** mfisch has quit IRC19:56
openstackgerritDavid Stanek proposed a change to openstack/keystone: Fixes an error deleting an endpoint group project
openstackgerritDavid Stanek proposed a change to openstack/keystone: Validates controller methods exist when specified
*** dhellmann_ is now known as dhellmann20:04
*** mfisch has joined #openstack-keystone20:06
*** sigmavirus24 is now known as sigmavirus24_awa20:06
*** mfisch is now known as Guest8631820:06
dstanek"Thank you for your bug report" -> You're welcome!20:06
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Use openstackclient examples in configuration documentation
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Update the CLI examples to also use openstackclient
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Add v3 openstackclient CLI examples
bknudsonvsilva: that is weird... wonder what the deal is.20:08
vsilvabknudson, tell me about it! I'm glad I'm not crazy.20:08
nkinderayoung: are your rpms on fedorapeople up to date for the kerberos auth plugin?20:12
ayoungnkinder, yes20:12
nkinderayoung: ok, cool20:12
stevemardstanek, errrr my gosh -> Validates controller methods exist when specified, you are my favorite person20:12
dstanekstevemar: :-) so simple, yet so powerful20:13
stevemari know!20:13
vsilvabknudson, what do you suggest then?20:15
dstanekstevemar: it took me an embarrassingly long time figuring out what the endpoint_filter tests were trying to test20:15
bknudsonvsilva: I need to try some more things20:15
vsilvaall right20:15
nkinderstevemar: do you think we should add '=' chars in the section starting at line 1183 here?
nkinderstevemar: not trying to be too nit-picky here... :)20:16
stevemarnkinder, you're not being too nit picky at all, i thought the same thing when writing it up, it was more of a 'meh' for me20:17
nkinderstevemar: yeah, that's my feeling too20:18
nkinderstevemar: I'm cool with it either way, so let me know what you want to do20:18
nkinderstevemar: I've +1'd it as it stands.  If you decide to tweak it, I'll make sure to vote on it again.20:20
bknudsonvsilva: ok, I think we tried hard enough. Let's just do it in init20:23
bknudsonI'll ask lifeless about it if I can find him.20:24
rodrigodsvsilva, bknudson great20:24
stevemarnkinder, the only reason i'd be opposed it because i want it merged, it's had quite a few eyes on it now20:25
nkinderstevemar: me too. :)  There's a whole chain you have waiting for this one too20:26
nkinderstevemar: I'm with you.  Let's get it in as is.  It's correct, and all of the examples work.20:26
*** andreaf has quit IRC20:29
*** Tahmina has joined #openstack-keystone20:29
*** andreaf has joined #openstack-keystone20:29
*** dims_ has joined #openstack-keystone20:31
*** __TheDodd__ has joined #openstack-keystone20:31
*** thedodd has quit IRC20:31
*** dimsum_ has quit IRC20:34
stevemarnkinder, there is actually one outside of the chain that hasn't gotten any love :(20:35
nkinderstevemar: point me at it and I'll review it20:36
stevemarnkinder, YAY -
*** Kui has joined #openstack-keystone20:38
ayoungdstanek, how do I force a compile of a python file?20:38
nkinderstevemar: oh, nice!  Killing 'tenant' references...20:38
nkinderayoung: delete the .pyc?20:38
ayoungnkinder, no,  I mean explicitly compile to see the errors for bad syntax20:38
stevemarrun pep8 :P20:39
ayoungnkinder, I can't just import into the python interpreter, as that errors out on a django config warning20:39
ayoungstevemar, not working on my remote machine where I need this20:39
nkinderayoung: python -m py_compile <file>?20:40
ayoungsame error20:40
ayoungdjango.core.exceptions.ImproperlyConfigured: Requested setting CACHES, but settings are not configured. You must either define the environment variable DJANGO_SETTINGS_MODULE or call settings.configure() before accessing settings.20:40
ayoungwait, OI had it wrong20:41 complaints...20:41
Kui     someone help to review?20:41
ayoungit must be something that is failing at runtime after the  DJANGO_SETTINGS_MODULE  issue,  but Django swallows it20:41
ayoungKui, that looks like it could use a spec20:42
ayoungI'm not certain, as it is fairly simple, but...20:42
ayoungKui, I'd want morganfainberg 's input on that one20:43
*** fifieldt has quit IRC20:44
dstanekayoung: did you get it to work?20:44
ayoungdstanek, the compile, use,  Django, not so much20:45
dstanekmorganfainberg, zzzeek: this seem to cause crazy migration errors:
dstanekmorganfainberg, zzzeek: i'd appreciate any thoughts on where to look20:46
Kuiayoung, morganfainberg had some comment on this bug, and agreed this idea. This change needs review by him too.20:46
zzzeekdstanek: i’d imagine, since sqlalchemy-migrate probably doesnt support that20:46
ayoungdstanek, yeah I think I'm back to running20:46
dstanekayoung: if you just want to check for compile time errors you can just run the file through python20:46
zzzeekdstanek: they should look into not having that option turned on when migrations run20:46
*** raildo is now known as raildo_away20:47
ayoungdstanek, I tried that, but what I needed was load time errors, and Django was masking them20:47
dstanekzzzeek: that's easy enough - so you think sqlalchemy-migrate has some hard coded assumptions about sqlite?20:47
ayoungit was compiling fine20:47
dstanekzzzeek: it works on databases with real FK support so i just assumed it would work with sqlite too20:48
zzzeekdstanek: sqlite doesnt have any facilities for db migrations so migrate drops whole tables and recreates them20:48
ayoungdstanek, the naming convention where packages sit on the good variable names is really annoying.  session is an object, dangit20:49
*** dimsum_ has joined #openstack-keystone20:51
dstanekayoung: i find django polarizing for experienced developers; some love it and some hate it20:51
dstanekzzzeek: ok that makes sense. i'll re-enable it for these tests20:52
dstanekzzzeek: i'm trying to get the Keystone tests to run under non-SQLite databases, but apparently some of our tests don't care about foreign keys20:53
dstanekzzzeek: thanks again!20:53
ayoungdstanek, I'm not even really in Django mode, just that if I get a parse error in the plugin, the Horizon code swallows it and doesn't show me the actual problem. I don't think it is Django, just us.20:54
*** dims_ has quit IRC20:55
*** gokrokve has quit IRC20:55
*** mfisch has joined #openstack-keystone21:01
*** fifieldt has joined #openstack-keystone21:01
*** mfisch is now known as Guest4989921:01
*** mfisch` has joined #openstack-keystone21:01
gordcdoes anyone see a oslo.db error when they run keystone-manage db_sync?21:05
vsilvabknudson, all right21:11
*** gokrokve has joined #openstack-keystone21:12
*** andreaf has quit IRC21:15
*** andreaf has joined #openstack-keystone21:15
*** sigmavirus24_awa is now known as sigmavirus2421:17
nkinderayoung: so I have mod_auth_kerb setup for a location of "/krb"...21:18
nkinderayoung: I can access that via browser, and I can see that mod_auth_kerb authenticates me21:19
nkinderayoung: but, keystone returns a 40421:19
nkinderayoung: shouldn't the version discovery details be returned like it does for my "/" location that isn't kerberized?21:19
ayoungusing the right auth url?21:19
ayoungno discovery21:20
ayoungnkinder, you'd need to go in and set the URL correct in the Keystone conf file for the /krb21:20
ayoung404 for what?21:20
*** gordc has quit IRC21:21
ayoungyou mean you should see the version page?  Yes, you should21:21
*** ukalifon1 has quit IRC21:22
*** __TheDodd__ is now known as thedodd21:23
nkinderayoung: yes, I see the version page without kerberos21:24
nkinderayoung: but my /krb url doesn't (it 404's)21:24
ayoungnkinder, paste your config21:25
*** r1chardj0n3s_afk is now known as r1chardj0n3s21:25
*** radez is now known as radez_g0n321:25
ayoung"/var/www/cgi-bin/keystone/main"  so  are you getting spnego kicking in  hitting /krb?21:32
*** henrynash has quit IRC21:37
nkinderayoung: yep, let me grab the relevant logs21:39
ayoungnkinder, let me see, I have a machine I converted from packstack that should look like that21:39
*** andreaf has quit IRC21:40
*** andreaf has joined #openstack-keystone21:40
ayoungnkinder, I did away with the virtual hosts, though.  That 5000 thing is insane21:40
*** Dafna has quit IRC21:41
nkinderayoung: here's what I see in access/error for a single request to /krb -
nkinderayoung: I also tweaked the WsgiProcessGroup to just use the same one for kerberos, but no luck there21:41
ayoungnkinder, you could try just converting /main to kerberos21:42
ayoungdo the whole auth url just to see if it works21:42
ayoungyou have ipsilon on port 5000?21:43
ayoungoh, nevermind21:44
*** david-lyle has quit IRC21:47
nkinderyeah, ipsilon is on a different server21:49
nkinderayoung: so it doesn't even hit keystone.log with anything.  How can I see if mod_wsgi is calling "main"?21:50
ayoungnkinder, is it in the error log?21:50
ayoungmake that var21:51
nkinderayoung: nope21:51
nkindernone of the error logs (keystone uses a custom one)21:51
ayoungyeah, but if keystone is not triggered it will end up in the main logs21:52
*** dimsum_ has quit IRC22:02
*** dimsum_ has joined #openstack-keystone22:02
*** andreaf has quit IRC22:05
*** rkofman has quit IRC22:05
*** rkofman has joined #openstack-keystone22:06
*** dimsum_ has quit IRC22:07
nkinderayoung: ok, so it's hitting the "main" script in cgi-bin and is calling deploy.loadapp()22:08
ayoungnkinder, is this one of the cases where it errors out on oslo conf because it is already loaded?  You might need a separate WSGI process22:09
nkinderayoung: not sure yet.  I didn't see an error about that...22:10
nkinderayoung: but I had a separate process before, and it didn't work22:10
ayoungnkinder, yeah,  its like programming by side effects22:10
ayoungcoding inside Apache can be frustrating22:10
ayoungif needs be, use rpdb22:10
nkinderayoung: I'm going to start adding logging in paste.deploy...22:10
ayoungselinux disabled?22:11
ayoungshouldn't be an issue22:11
ayoungas there are no new files22:11
*** bknudson has quit IRC22:14
nkinderayoung: sigh....22:15
nkinderayoung: so if I add /krb to keystone-paste.ini, it works22:15
rm_workayoung / nkinder / morganfainberg / whoever: just sent to the openstack-dev ML: "[openstack-dev] [Neutron] Barbican Integration for Advanced Services" if you want to give that a look, very similar to what we talked about here before, and I think I incorporated most of your concerns/comments22:15
rm_workWould love your feedback on that thread if you have any further comments :)22:15
nkinderayoung: I guess the /krb isn't stripped off22:15
nkinderrm_work: cool, will take a look this weekend22:15
ayoungnkinder, huh?  I've not seen that22:15
nkinderayoung: maybe it's related to my doc root or something?22:16
rm_workthanks :)22:16
nkinderayoung: paste your entire wsgi config for me22:16
ayoungnkinder, almost certainly.  As I said, I've a fairly different setup.  I don't like the nonstandard ports22:16
nkinderayoung: so my setup is this...22:17
nkinder'/' - normal keystone22:17
nkinder'/krb' - kerberized keystone22:17
ayoungnkinder, this was an all in one, so I merged in the horizon and keystone configs22:18
*** NM has quit IRC22:18
ayoungfor :5000?22:18
nkinder'/v3/OS-FEDERATION/identity_providers/ipsilon/protocols/saml2/auth' - federated keystone auth22:18
nkinderayoung: yeah, I have horizon in the same httpd too22:18
ayoungwhat change did you make to paste?22:19
nkinderyes, all 5000.  I have a separate wsgi config for 3535722:19
nkinderayoung: one sec...22:19
nkinderayoung: this approach seems fine, though debugging to figure out the 404 sucked22:21
nkinderayoung: the same would need to be done for "admin" too, but I'm just focusing on "main"22:22
*** andreaf has joined #openstack-keystone22:23
ayoungnkinder, BTW, I'm going to recommend that we stop generating UUIDs for the service IDs, and instead use human readable, standard strings22:24
*** rwsu has quit IRC22:24
ayoungthere is no benefit, and some harm, to generating a different service ID on each install22:24
ayoungnow keystone here is not keystone there....and so forth22:25
ayoung[Fri Oct 03 22:28:32.076429 2014] [core:emerg] [pid 6167] (28)No space left on device: AH00023: Couldn't create the mpm-accept mutex22:29
*** gyee has joined #openstack-keystone22:29
*** zzzeek has quit IRC22:30
*** _1_joseito has joined #openstack-keystone22:31
*** ayoung is now known as ayoung-dad-mode22:32
*** _1_joseito has quit IRC22:32
*** sigmavirus24 is now known as sigmavirus24_awa22:33
*** sigmavirus24_awa is now known as sigmavirus2422:33
*** sigmavirus24 is now known as sigmavirus24_awa22:34
*** richm has joined #openstack-keystone22:38
*** richm has quit IRC22:39
remote_morgan_ayoung-dad-mode: I'm thinking the best bet is service "name" == service id22:42
*** thedodd has quit IRC22:43
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Update 'Configuring Services' documentation
stevemarthanks for the review nkinder22:47
nkinderstevemar: sure, looking at the new patch now22:48
nkinderstevemar: you accidentally nuked an 's' at the end of line 113 -
nkinderstevemar: fix that, and it'll get a +1 from me22:50
*** dimsum_ has joined #openstack-keystone22:51
openstackgerritSteve Martinelli proposed a change to openstack/keystone: Update 'Configuring Services' documentation
*** NM has joined #openstack-keystone22:51
remote_morgan_nkinder: did you solve the 404?22:58
openstackgerritRodrigo Duarte proposed a change to openstack/python-keystoneclient: Explicit complaint about old OpenSSL when testing
nkinderremote_morgan_: yep.  paste config needed to be updated23:00
*** amcrn has quit IRC23:00
ayoung-dad-moderemote_morgan_, me too23:04
ayoung-dad-modebut im not really here23:04
nkinderayoung-dad-mode: python-keystoneclient-kerberos seems to require git (though it doesn't have a "requires" for it)23:08
nkinderayoung-dad-mode: even after installing it, I get the typical pbr blow-up23:08
ayoung-dad-modenkinder, um, nah23:08
ayoung-dad-modenkinder, OK,  I'll take a look later this weekend23:09
*** sigmavirus24_awa is now known as sigmavirus2423:10
nkinderayoung-dad-mode: yeah, for later -
remote_morgan_nkinder: ah ok23:11
*** r-daneel has quit IRC23:56
*** cjellick has quit IRC23:56
*** cjellick has joined #openstack-keystone23:57
