Monday, 2014-12-01

*** stevemar has quit IRC [00:02]
*** diegows has joined #openstack-keystone [00:11]
*** rdo has joined #openstack-keystone [00:13]
*** oomichi has joined #openstack-keystone [00:16]
<openstackgerrit> Merged openstack/python-keystoneclient: Removes confusing _uuid property https://review.openstack.org/137253 [00:28]
*** rdo has quit IRC [00:34]
*** rdo has joined #openstack-keystone [00:36]
<openstackgerrit> Merged openstack/keystone: Update keystone readme to point to specs.o.org https://review.openstack.org/134595 [00:36]
<openstackgerrit> Rodrigo Duarte proposed openstack/keystone: Fixes docstring at eventlet_server https://review.openstack.org/128496 [00:44]
*** lhcheng has quit IRC [01:00]
*** nellysmitt has joined #openstack-keystone [01:04]
*** nellysmitt has quit IRC [01:09]
*** dims has joined #openstack-keystone [01:12]
*** ncoghlan has joined #openstack-keystone [01:21]
*** stevemar has joined #openstack-keystone [01:37]
*** ChanServ sets mode: +v stevemar [01:37]
*** stevemar has quit IRC [01:47]
*** stevemar has joined #openstack-keystone [01:51]
*** ChanServ sets mode: +v stevemar [01:51]
<jamielennox> i'd love to see an IRC bot similar to openstackgerrit that would message the channel when an email was sent to the ML with [keystone] in the title [01:56]
<morganfainberg> jamielennox. so write one? [01:56]
<morganfainberg> though i think it'd be too spammy [01:57]
<jamielennox> morganfainberg: yea, one of those i'd like to see someone else have done it :) [01:57]
<jamielennox> morganfainberg: it'd be nowhere near as spammy as gerrit [01:57]
<morganfainberg> jamielennox, maybe maybe not [01:57]
<morganfainberg> at the very least *some* projects would be overwhelmed by it [01:57]
<jamielennox> sure, but i think for keystone at least it would result in people answering faster [01:58]
<openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone: WIP - Improve list role assignments filters performance https://review.openstack.org/137202 [02:00]
<openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Use ConfigFilter for auth_token options https://review.openstack.org/115830 [02:11]
*** diegows has quit IRC [02:12]
*** ncoghlan is now known as ncoghlan_afk [02:13]
*** yasu_ has joined #openstack-keystone [02:14]
*** erkules_ has joined #openstack-keystone [02:27]
*** sluo_laptop has joined #openstack-keystone [02:27]
*** erkules has quit IRC [02:29]
*** arif-ali has joined #openstack-keystone [02:29]
*** dims has quit IRC [02:37]
*** samuelms has quit IRC [02:52]
*** tellesnobrega_ has joined #openstack-keystone [02:59]
*** nellysmitt has joined #openstack-keystone [03:05]
*** nellysmitt has quit IRC [03:10]
*** dims has joined #openstack-keystone [03:12]
*** dims has quit IRC [03:17]
*** tellesnobrega_ has quit IRC [04:05]
*** dims has joined #openstack-keystone [04:17]
*** dims has quit IRC [04:23]
*** ncoghlan_afk is now known as ncoghlan [04:40]
*** nellysmitt has joined #openstack-keystone [05:06]
*** nellysmitt has quit IRC [05:11]
*** oomichi has quit IRC [05:16]
*** ajayaa has joined #openstack-keystone [05:29]
*** yasu_ has quit IRC [05:50]
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex https://review.openstack.org/136243 [06:03]
*** erkules_ is now known as erkules [06:16]
*** ajayaa has quit IRC [06:20]
*** yasu_ has joined #openstack-keystone [06:32]
*** ukalifon1 has joined #openstack-keystone [06:33]
*** stevemar has quit IRC [06:37]
*** ajayaa has joined #openstack-keystone [06:54]
*** jamielennox is now known as jamielennox|away [06:59]
*** nellysmitt has joined #openstack-keystone [07:07]
*** nellysmitt has quit IRC [07:11]
*** afazekas has joined #openstack-keystone [07:24]
*** k4n0 has joined #openstack-keystone [07:24]
*** marekd|away is now known as marekd [07:33]
*** ncoghlan has quit IRC [07:41]
*** ukalifon1 has quit IRC [07:59]
*** afazekas has quit IRC [08:17]
*** afazekas has joined #openstack-keystone [08:27]
*** ukalifon has joined #openstack-keystone [08:40]
*** ekarlso- has quit IRC [08:52]
<openstackgerrit> Andrey Pavlov proposed openstack/keystone: Handle SSL termination proxies for version list https://review.openstack.org/132235 [08:58]
*** jistr has joined #openstack-keystone [09:00]
<openstackgerrit> Dave Chen proposed openstack/keystone: More efficient way to build the SQL clauses https://review.openstack.org/133135 [09:01]
*** Dafna has joined #openstack-keystone [09:07]
*** nellysmitt has joined #openstack-keystone [09:08]
*** ekarlso- has joined #openstack-keystone [09:08]
*** nellysmitt has quit IRC [09:12]
*** nellysmitt has joined #openstack-keystone [09:28]
*** tellesnobrega_ has joined #openstack-keystone [09:31]
*** bjornar has joined #openstack-keystone [09:37]
*** tellesnobrega_ has quit IRC [09:42]
*** dims has joined #openstack-keystone [09:45]
*** dims has quit IRC [09:49]
*** openstackgerrit has quit IRC [09:50]
*** openstackgerrit has joined #openstack-keystone [09:50]
*** henrynash has quit IRC [09:57]
*** tellesnobrega_ has joined #openstack-keystone [10:05]
*** nkinder has quit IRC [10:21]
*** tellesnobrega_ has quit IRC [10:35]
*** tellesnobrega_ has joined #openstack-keystone [10:51]
<openstackgerrit> Marek Denis proposed openstack/keystone-specs: Mapping enhancements - direct groups mapping. https://review.openstack.org/138035 [10:59]
*** tellesnobrega_ has quit IRC [11:02]
*** diegows has joined #openstack-keystone [11:28]
*** dims has joined #openstack-keystone [11:39]
*** andreaf has joined #openstack-keystone [11:52]
*** aix has joined #openstack-keystone [11:55]
*** andreaf_ has joined #openstack-keystone [11:59]
*** henrynash has joined #openstack-keystone [12:01]
*** ChanServ sets mode: +v henrynash [12:01]
*** henrynash has quit IRC [12:05]
*** andreaf_ has quit IRC [12:06]
*** NM has joined #openstack-keystone [12:08]
*** raildo has joined #openstack-keystone [12:14]
<openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone: WIP - Improve list role assignments filters performance https://review.openstack.org/137202 [12:17]
*** mzbik has joined #openstack-keystone [12:20]
<mzbik> My user is member of group that have _member_ role in project [12:21]
<mzbik> but when I list /v3/users/my_id/projects I see empty list [12:22]
*** andreaf_ has joined #openstack-keystone [12:22]
<rodrigods> mzbik, you need to check if your user has authorization to perform such query [12:24]
<mzbik> I would get auth required error I think [12:25]
<rodrigods> mzbik, https://github.com/openstack/keystone/blob/master/etc/policy.json#L36 hmm true [12:25]
<mzbik> btw policy.json is sooo broken when using domains [12:26]
<mzbik> anyways I have empty list of projects [12:26]
<mzbik> perhaps I misunderstand groups idea [12:26]
<mzbik> but I thought that I only need to grant access to group and people in group will inherit roles [12:27]
<rodrigods> mzbik, your thought is correct [12:27]
<rodrigods> what happens if you use the role_assignments endpoint with the "effective" query? [12:28]
<mzbik> 204 No Content [12:28]
*** andreaf has quit IRC [12:28]
<mzbik> I used: /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} [12:29]
<mzbik> and PUT on it [12:29]
<openstackgerrit> Marek Denis proposed openstack/keystone-specs: Mapping enhancements - direct groups mapping. https://review.openstack.org/138035 [12:29]
<marekd> rodrigods: ^^ [12:29]
*** andreaf has joined #openstack-keystone [12:29]
<rodrigods> mzbik, GET /v3/role_assignments?user.id=<your_user>&effective [12:29]
<rodrigods> ? [12:29]
*** andreaf_ has quit IRC [12:29]
<rodrigods> marekd, nice! [12:29]
<mzbik> rodrigods, give me a sec [12:29]
<marekd> rodrigods: thanks for the review. [12:29]
<marekd> very helpful [12:30]
<rodrigods> marekd, np :) [12:30]
<mzbik> rodrigods, empty list "role_assignments":[ ] [12:31]
<rodrigods> mzbik, hmm i'd check the group grant then, if it is active (if it is there or if the target project is enabled) [12:32]
<rodrigods> mzbik, you can try to pass just "effective" to check the returned list too [12:32]
<mzbik> project is enabled [12:32]
<rodrigods> mzbik, I remember henrynash found some bugs related to effective/inherited role assignments [12:33]
<marekd> yes. [12:33]
<mzbik> rodrigods, wklej.org/hash/4a9212d55a8/ [12:34]
<rodrigods> mzbik, yeah, looks like a bug to me. Just need to check if it was already reported [12:43]
<openstackgerrit> henry-nash proposed openstack/keystone-specs: Add support for domain specific roles. https://review.openstack.org/133855 [12:49]
<rodrigods> mzbik, https://github.com/openstack/keystone/blob/master/keystone/assignment/backends/sql.py#L246 it includes the groups in the call... [12:52]
<rodrigods> mzbik, did you check the user is really in the group? [12:53]
<mzbik> yes it is [12:53]
<mzbik> i did: /v3/users/user_id/groups [12:53]
<mzbik> and groups is listed [12:53]
<rodrigods> mzbik, strange... :( [12:54]
<mzbik> it is LDAP backend [12:54]
<mzbik> and maybe why is this [12:55]
*** ayoung has joined #openstack-keystone [12:59]
*** ChanServ sets mode: +v ayoung [12:59]
<rodrigods> mzbik, https://github.com/openstack/keystone/blob/master/keystone/assignment/backends/ldap.py#L446 yeah, looks like a bug (but since is common case, should be a known one) [13:00]
*** aix has quit IRC [13:00]
*** dims has quit IRC [13:15]
*** dims has joined #openstack-keystone [13:15]
<mzbik> rodrigods, I will try to investigate it [13:21]
*** bknudson has quit IRC [13:34]
*** aix has joined #openstack-keystone [13:35]
*** gordc has joined #openstack-keystone [13:37]
<dstanek> marekd: heya [13:52]
<marekd> hey [13:52]
<marekd> back to work after the vacation? [13:52]
<dstanek> marekd: :-) unfortunately [13:52]
<marekd> shhh, claco may be online :P [13:53]
<dstanek> marekd: is there some instructions on setting up shib properly? [13:53]
<marekd> dstanek: what IdP you want to use? [13:53]
<dstanek> marekd: that's a good question. i was planning on using Keystone as the IdP to kill two birds with one stone [13:54]
<dstanek> but maybe that's not a good idea for functional tests [13:54]
<marekd> dstanek: apart from that I'd say what we have on Keystone docs should be good enough. [13:54]
<marekd> dstanek: for the functional tests i'd go with Icehouse federation first. [13:54]
<marekd> if you don't have an IdP, I'd simply go with testshib.org [13:54]
<marekd> good enough to have 'something'. [13:55]
*** jdennis has quit IRC [13:55]
<marekd> dstanek: do you need some help with setting up a functional tests suite? [13:55]
<rodrigods> dstanek, marekd, the SP config part, shouldn't be too different from the "Keystone as a SP" described here http://rodrigods.com/playing-with-keystone-to-keystone-federation/ [13:56]
<marekd> rodrigods: dstanek by design SP part is simply Icehouse federation. [13:56]
<rodrigods> marekd, ++ [13:56]
<marekd> apart from security checks turned off :-) [13:57]
*** bknudson has joined #openstack-keystone [13:58]
*** ChanServ sets mode: +v bknudson [13:58]
<dstanek> marekd: i'll probably need help with some of the finer configuration - i need to have federation setup and working today :-) [13:58]
<marekd> why? [13:58]
<marekd> dstanek: i mean, why today? [13:58]
<marekd> dstanek: but yeah, no problem. [13:58]
<dstanek> marekd: that's my goal - artificial, but i need something to shoot for [13:59]
<marekd> dstanek: ah, yes. [13:59]
*** jimbaker has joined #openstack-keystone [14:00]
<marekd> dstanek: enable federation extension, configure apache, configure mod_shib, read testshib.org docs and configure shibboleth add idp, mapping, protocol and play with keystoneclient. [14:00]
<openstackgerrit> Marek Denis proposed openstack/keystone-specs: Mapping enhancements - direct groups mapping. https://review.openstack.org/138035 [14:04]
<marekd> dstanek: since we are around federation topic ^^ :-) [14:06]
*** jdennis has joined #openstack-keystone [14:12]
*** jaosorior has joined #openstack-keystone [14:12]
*** lhcheng has joined #openstack-keystone [14:13]
*** NM has quit IRC [14:14]
*** NM has joined #openstack-keystone [14:14]
<mzbik> rodrigods, I found an issue [14:16]
<mzbik> rodrigods, or rather what was an issue - group ID was too short, I ate one letter at the end [14:16]
<rodrigods> mzbik, hmm in which step? [14:19]
<mzbik> /v3/groups/{id} [14:19]
<mzbik> my id was 940bbfbb6a889ee2631277b04117913748e5bab676ea820b284a951b1819d0dd [14:19]
<mzbik> and I mistakenly did 940bbfbb6a889ee2631277b04117913748e5bab676ea820b284a951b1819d0d [14:20]
<mzbik> so one d at the end less [14:20]
<mzbik> after this everything works better ;) [14:20]
<rodrigods> mzbik, great! :) [14:20]
<dstanek> marekd: i'll take a look [14:22]
<marekd> dstanek: ty [14:22]
*** mzbik has quit IRC [14:31]
*** jasondotstar has joined #openstack-keystone [14:39]
*** yasu_ has quit IRC [14:51]
*** topol has joined #openstack-keystone [14:58]
*** ChanServ sets mode: +v topol [14:58]
*** jdennis has quit IRC [14:59]
*** andreaf has quit IRC [15:16]
*** andreaf has joined #openstack-keystone [15:16]
*** k4n0 has quit IRC [15:16]
*** jdennis1 has joined #openstack-keystone [15:16]
*** kobtea has joined #openstack-keystone [15:19]
*** lhcheng has quit IRC [15:25]
*** andreaf has quit IRC [15:28]
*** andreaf has joined #openstack-keystone [15:29]
*** ukalifon has quit IRC [15:31]
*** amakarov_away is now known as amakarov [15:35]
*** thedodd has joined #openstack-keystone [15:35]
<amakarov> ayoung, good day! Do you know how to find David Chadwick? I've double-checked my precious redelegation for him and eager to continue gathering +'es :) [15:41]
<ayoung> amakarov, only via email, but he is fairly responsive [15:42]
<amakarov> ayoung, thanks, I thought he might be somewhere here [15:43]
*** jorge_munoz has joined #openstack-keystone [15:45]
*** nellysmitt has quit IRC [15:48]
<openstackgerrit> Marco Fargetta proposed openstack/keystone: Multiple IdPs problem https://review.openstack.org/138104 [15:54]
*** zzzeek has joined #openstack-keystone [16:00]
*** joesavak has joined #openstack-keystone [16:04]
*** david-lyle_afk is now known as david-lyle [16:06]
<openstackgerrit> Marco Fargetta proposed openstack/keystone: Multiple IdPs problem https://review.openstack.org/138104 [16:07]
<openstackgerrit> Marco Fargetta proposed openstack/keystone: Multiple IdPs problem https://review.openstack.org/138104 [16:08]
<amakarov> bknudson, hello! Please review this one: https://review.openstack.org/#/c/118590/ I've returned API back to original state [16:08]
<openstackgerrit> Marco Fargetta proposed openstack/keystone: Multiple IdPs problem https://review.openstack.org/138104 [16:09]
*** mzbik has joined #openstack-keystone [16:11]
*** thedodd has quit IRC [16:15]
*** nellysmitt has joined #openstack-keystone [16:19]
*** henrynash has joined #openstack-keystone [16:20]
*** ChanServ sets mode: +v henrynash [16:20]
<henrynash> ayoung: ping [16:20]
<ayoung> Hey henrynash ! [16:20]
<ayoung> I take it you saw my email? [16:20]
<henrynash> ayoung: so…domains and projects [16:20]
<ayoung> henrynash, yeah...I see domains as like "bridge projects" [16:20]
<henrynash> ayoung: so i assume what you want is separate backends for domains and projects [16:21]
<ayoung> henrynash, yeah, I was thinking like DNS backed Projects or something LDAP ish [16:21]
<henrynash> ayoung: so if we got agreement quickly…this is pretty easy for me to do as part of the current split [16:21]
<ayoung> treat the project database as read-only for a specific domain [16:21]
*** stevemar has joined #openstack-keystone [16:22]
*** ChanServ sets mode: +v stevemar [16:22]
<ayoung> yeah, we don't need the 100% solution for "domain specific backend for assignment" [16:22]
<openstackgerrit> Bogun Dmitriy proposed openstack/keystone: FIX multiple SQL backend usage validation https://review.openstack.org/138113 [16:22]
<henrynash> ayoung: I just did this for assignments…roles had their own backend to the actual assignment model [16:22]
<ayoung> or for "project" [16:22]
<ayoung> so resource would become the project backend, and domains would go into the domains backend? [16:22]
<henrynash> yes [16:22]
<henrynash> ayoung: we’d have domain_backends/ or something like that [16:23]
<henrynash> so one controller, but two backends (each with its own manager( [16:23]
<henrynash> manager) [16:23]
<ayoung> the big thing would be to keep the databases separable, so no foreign key constraints [16:24]
<henrynash> agreed [16:24]
<mzbik> Can anyone confirm (Adam?) that when I issue: /v3/users?domain_id={id_domeny}&name={nazwa_usera} with LDAP backend Keystone will query all and then filter? [16:24]
<ayoung> just like identity, the default for projects would be SQL, but you could pull in an LDAP source for a specific domain. [16:25]
<ayoung> mzbik, not without looking at the code [16:25]
<ayoung> mzbik, plus, I tend to lie a lot. [16:25]
<henrynash> if morgan and others are OK with that, it will only take me a few hours…can’t do it tonight, but by the time you wake up tomorrow, the patch would be up [16:25]
<mzbik> ayoung, :P [16:26]
<ayoung> mzbik, in fact, I'm lying right now. [16:26]
<mzbik> same thing with groups btw [16:26]
<ayoung> henrynash, well, you have my vote for it. [16:26]
*** jasondotstar has quit IRC [16:31]
<mzbik> Hmmm... I can't find it in code, will try on launchpad [16:34]
<rodrigods> mzbik, https://github.com/openstack/keystone/blob/master/keystone/identity/controllers.py#L216 [16:35]
*** henrynash has quit IRC [16:36]
*** radez_g0n3 is now known as radez [16:36]
<mzbik> it tells me nothing ;/ I'm not good coder :( [16:37]
*** afaranha has quit IRC [16:38]
*** afaranha has joined #openstack-keystone [16:38]
<rodrigods> mzbik, for the SQL backend, it retrieves already filtered. For LDAP, there is some code that I'm not familiar with. Not sure what happens in the internals :( [16:40]
*** afaranha has quit IRC [16:40]
<rodrigods> mzbik, but I know that LDAP doesn't support different domains for assignment [16:41]
<mzbik> rodrigods, thank you. Adam is lying so I can't ask him :P [16:41]
*** _cjones_ has joined #openstack-keystone [16:42]
<ayoung> you can ask, you just can't trust the response. Or maybe you can [16:43]
<rodrigods> mzbik, Adam always helped me :) [16:44]
<ayoung> https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap.py#L81 [16:44]
<rodrigods> ayoung, ^ [16:44]
<rodrigods> ayoung, mzbik, btw... if the driver doesn't support domains, the filter is removed from the query [16:44]
<ayoung> https://github.com/openstack/keystone/blob/master/keystone/common/ldap/core.py#L1451 [16:45]
<rodrigods> https://github.com/openstack/keystone/blob/master/keystone/identity/core.py#L617 [16:45]
<ayoung> https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap.py#L262 [16:45]
<ayoung> So that last one is the smoking guy. Not a typo. I mean the dude from Xfiles. [16:46]
<ayoung> self.get_all() gets executed first [16:46]
*** henrynash has joined #openstack-keystone [16:46]
*** ChanServ sets mode: +v henrynash [16:46]
<ayoung> and then it filters [16:46]
<rodrigods> ayoung, ++ [16:46]
<rodrigods> nice [16:46]
<lbragstad> morganfainberg: when migrating services, if there are two with the same type, how do you want to resolve the conflict in the migration? [16:46]
<ayoung> lbragstad, cage match [16:46]
*** _cjones_ has quit IRC [16:47]
<ayoung> two service enter, one service leave! [16:47]
<marekd> henrynash: unfortunately, your comment about roles api is valid :( [16:47]
<lbragstad> one type to rule them all [16:47]
<henrynash> marekd: :-( [16:47]
*** NM1 has joined #openstack-keystone [16:47]
<marekd> henrynash: i am not sure if extending role assignment api with some requests with a body is doable? [16:48]
<marekd> and acceptable? [16:48]
<ayoung> and in the darkness bind them [16:49]
*** NM has quit IRC [16:49]
<henrynash> marekd: so that has been discussed a few times (in fact the original proposal for role-assignments (as opposed to the existing grants) was exactly that, e.g. PUT /role-assignment with a body that had scope etc. [16:51]
<marekd> henrynash: exactly this was my first thought. And what was the conclusion? [16:52]
<henrynash> marekd: although (apparently) the original grant apis did this…and the goal was to move away from that and do it “all in the URL”….. [16:52]
<henrynash> marekd: although I don’t think we really had a good debate about it [16:52]
<henrynash> I guess you could propose... [16:53]
<marekd> henrynash: but this means not 'extending' but rather converging to PUT role assignments, right? [16:53]
*** jasondotstar has joined #openstack-keystone [16:53]
<rodrigods> marekd, henrynash, I'd vote for extending the grants [16:53]
<rodrigods> think that having two APIs for granting, would be confusing [16:53]
<henrynash> PUT /user/<user id>/project/<projectid>/role_name/<role name> [16:53]
*** _cjones_ has joined #openstack-keystone [16:54]
<rodrigods> henrynash, ++ [16:54]
<marekd> rodrigods: if you extend then you will confuse. [16:54]
<henrynash> …although are all textual role names URL friendly? [16:55]
<marekd> henrynash: role names...i think so? [16:55]
<henrynash> I assume we would handle spaces ok? [16:56]
<marekd> henrynash: yeah, we could also try to allow users to assign a role to a group identified by name and domain. [16:56]
<rodrigods> marekd, disagree... having two ways to do the same thing, and being completely different from each other looks confusing to me [16:56]
<marekd> rodrigods: so what are you now talking? [16:56]
<henrynash> marekd: right, sorry I keep getting confused [16:56]
<henrynash> marekd: PUT /group-name/< group name>/project/<proj ID>/ role/<role ID> [16:57]
<rodrigods> marekd, like that ^ [16:57]
<marekd> i never said it'd go this way. [16:58]
*** afaranha has joined #openstack-keystone [16:58]
<henrynash> marekd: now we do have a problem with domain….we could assume it is the current domain? [16:58]
<rodrigods> marekd, is better than PUT /role_assignments IMO [16:58]
*** richm has joined #openstack-keystone [16:58]
<henrynash> marekd: which I am a bit worried about [16:58]
<marekd> rodrigods: yes. but i call i don't call it extending but converging to new way of handling and managing role assignments. [16:58]
<henrynash> marekd: let me see if I can find the original proposal i made…. [16:59]
<marekd> henrynash: ok [16:59]
<marekd> rodrigods: extending to me means some operations with URL parameters and some via PUT/POST and sending data in a request body. [17:00]
<marekd> which i think you find confusing, me probably too. [17:00]
<ayoung> why do we still have keystone.tests.test_v3_auth.TestAuthXML if we did in the XML code? [17:01]
<bknudson> the XML code isn't gone yet... [17:01]
<bknudson> https://review.openstack.org/#/c/125738/ [17:02]
*** kobtea has quit IRC [17:04]
<ayoung> thanks [17:05]
<lbragstad> ayoung: more on that here too http://lists.openstack.org/pipermail/openstack-dev/2014-November/051619.html [17:05]
<ayoung> bknudson, so, I was working on trying to split auth from the rest of the controllers, and so had a separate paste pipeline for it. And JSON home went Kablooie on me. Is the json home code somehow scraping things out of the controllers? [17:06]
<ayoung> lbragstad, yeah, I was discussing with David Kranz, too. In real life, no less. [17:06]
<bknudson> ayoung: yes, the extensions are essentially scraping the output to update the JSON-Home response. [17:07]
<ayoung> He has this funny notion that the Tempest code should still test older, stable branches of the XML code.... [17:07]
<bknudson> ayoung: I thought mtrienish and others decided to just drop it. [17:07]
<ayoung> bknudson, scraping the output of what? [17:07]
<ayoung> bknudson, they did, but kranz disagrees with that approach [17:07]
<bknudson> ayoung: the extension in the pipeline looks for the JSON-Home response and updates it with its own JSON-Home info. [17:08]
*** DavidHu has joined #openstack-keystone [17:08]
<ayoung> bknudson, so it makes a local call, gets the JSON home for each module, and then makes a composite of all of them? [17:09]
*** jimhoagland has joined #openstack-keystone [17:09]
<bknudson> ayoung: no, as the response travels through the pipeline it gets updated. [17:09]
<ayoung> response to what? [17:09]
<ayoung> what pipeline? THe Paste pipeline? [17:09]
<bknudson> ayoung: the response for the request... yes, the paste pipeline [17:10]
<ayoung> http://git.openstack.org/cgit/openstack/keystone/tree/keystone/controllers.py#n200 [17:10]
<ayoung> for router in routers.... [17:10]
<ayoung> so we've just even more tightly coupled all of the services together [17:10]
<henrynash> marekd: so the essential part of the API is contained in this thread (I think actually Guang proposed it): http://lists.openstack.org/pipermail/openstack-dev/2013-June/010337.html [17:10]
<ayoung> we should drop paste [17:11]
<bknudson> ayoung: that's where the original response is generated. [17:11]
<bknudson> the extensions update the original response. [17:11]
<ayoung> if we can't really use it, all we are doing is making overhead for ourselves [17:11]
<ayoung> bknudson, ugh [17:11]
<ayoung> bknudson, I understand why you did that. But, ugh [17:11]
<ayoung> OK, here is what I am trying to do: [17:12]
<ayoung> I want to be able to specify the /auth url in paste as a separate thing, maybe multiple times for different auth mechanisms [17:12]
<bknudson> ayoung: in the pipeline? [17:12]
<bknudson> separate middleware? [17:13]
<ayoung> I want to be able to say, something like /kerb/auth does kerberos and only kerberos, /x509/auth does client cert and so forth [17:13]
<ayoung> bknudson, in Keystone server. [17:13]
<henrynash> marekd: and there actually stubs the GET/PUT/DELETE in the assignments controller…but there was not consensus (back in Havana?) as to whether we should go ahead with a more comprehensive API. [17:13]
<ayoung> I wanted auth to be its own pipeline; [17:13]
<bknudson> the difficult thing is talking between pipelines. [17:14]
<bknudson> if you have to do that. [17:14]
<ayoung> bknudson, if we were actually making use of paste we would not lump /user, /token , /assignement etc all into one pipeline [17:14]
<bknudson> that's where the version oddity comes from, its got its own pipeline [17:14]
<ayoung> paste is somewhat bit rotted [17:14]
<ayoung> yeah, and we really should be able to define a filter set as opposed to saying you have to list all of the separate filters each time...but that is a different story [17:15]
<bknudson> y, we've got "/ = public_version_api" [17:15]
<ayoung> right [17:15]
<ayoung> and yet that pipeline still needs sizelimit url_normalize xml_body [17:16]
<ayoung> ideally we'd do something like [17:16]
<bknudson> so you wanted something like "/v3/auth = auth_api" ? [17:16]
<ayoung> bknudson, exactly [17:16]
<ayoung> bknudson, I have it working, but not tests running [17:16]
<ayoung> well, I have it coded but broken, and was working through the issues [17:17]
*** kobtea has joined #openstack-keystone [17:17]
*** mzbik has quit IRC [17:17]
*** henrynash has quit IRC [17:18]
<ayoung> bknudson, I had this idea that Keystone could actually be set up to be self testing for middleware etc. That to do a call to /v3/user, you went to /v3/auth and got a token, and then /v3/user would use auth_token middleware....just as a test case [17:18]
<ayoung> but it means that you can't run auth_token in front of /v3/auth [17:19]
*** henrynash has joined #openstack-keystone [17:19]
*** ChanServ sets mode: +v henrynash [17:19]
<ayoung> cuz validate token would trigger a call to keystone, and you'd have infinite recursion [17:20]
*** kobtea has quit IRC [17:22]
<openstackgerrit> Lance Bragstad proposed openstack/keystone: Add migration to make service type unique https://review.openstack.org/138130 [17:26]
<marekd> henrynash: thanks. all in all we can end up with having admins configure groups and add a feature where groups are being mapped automatically [17:27]
<marekd> henrynash: if i start this PUT role assignments thread again we may spend full cycle discussing it and end up with nothing. [17:28]
*** marcoemorais has joined #openstack-keystone [17:28]
<henrynash> marekd: although I’d say that have the groups in existence makes more sense of a cloud provider understanding what he is letting federated users have access to… [17:29]
<marekd> henrynash: he would whitelist allowed groups either way [17:29]
<marekd> henrynash: ok, for now i will put current proposal to ''alternatives'' section and change it so it's more doable. [17:30]
*** tellesnobrega_ has joined #openstack-keystone [17:31]
<openstackgerrit> Lance Bragstad proposed openstack/keystone-specs: Authenticated Encryption Tokens https://review.openstack.org/130050 [17:37]
*** jistr has quit IRC [17:38]
<ajayaa> Hi guys. I am running into some issue in neutron with devstack. I think there is some problem with auth. Keystone logs show "ERROR keystone.common.wsgi [-] object of type 'NoneType' has no len()" [17:41]
<ajayaa> Any idea what might be wrong? I have verified keystone username and password is good for neutron user. [17:42]
*** jimhoagland has left #openstack-keystone [17:42]
<ajayaa> same goes for nova as well. [17:42]
*** lhcheng has joined #openstack-keystone [17:43]
*** lhcheng has quit IRC [17:43]
*** lhcheng has joined #openstack-keystone [17:43]
<ajayaa> ayoung, gyee, ^^ [17:46]
<breton> ajayaa: post full log on http://paste.openstack.org/ [17:47]
*** lhcheng has quit IRC [17:47]
<ajayaa> breton, http://paste.openstack.org/show/142761/ [17:48]
*** henrynash has quit IRC [17:49]
*** harlowja_away is now known as harlowja_ [17:49]
*** lhcheng has joined #openstack-keystone [17:50]
*** jaosorior has quit IRC [17:53]
*** henrynash has joined #openstack-keystone [17:56]
*** ChanServ sets mode: +v henrynash [17:56]
<ayoung> ajayaa, that looks suspect. The error there is in SQL Alchemy code [17:56]
<ayoung> (user_id) must be none [17:57]
<ayoung> I'm guessing user_id is populated at this step "/home/aj/stack/keystone/keystone/identity/core.py", line 529, [17:58]
<ajayaa> ayoung, I think devstack does not fetch the latest code if the folder is already there. I just now checked the git log and last commit was on aug 31. So pulling the new code. [17:58]
<ajayaa> :) [17:58]
<ayoung> yeah. [17:58]
<ajayaa> Thanks for the reply. [17:58]
*** marcoemorais has quit IRC [18:01]
*** nellysmitt has quit IRC [18:01]
*** marcoemorais has joined #openstack-keystone [18:02]
*** henrynash has quit IRC [18:11]
*** gyee_ has joined #openstack-keystone [18:17]
*** joesavak has quit IRC [18:20]
*** r-daneel has joined #openstack-keystone [18:24]
*** marcoemorais has quit IRC [18:27]
*** marcoemorais has joined #openstack-keystone [18:27]
*** jimhoagland has joined #openstack-keystone [18:34]
*** gyee_ has quit IRC [18:39]
*** gyee_ has joined #openstack-keystone [18:42]
*** joesavak has joined #openstack-keystone [18:50]
<openstackgerrit> Lance Bragstad proposed openstack/keystone: Move test_utils to keystone/tests/unit/ https://review.openstack.org/133989 [18:52]
*** tellesnobrega_ has quit IRC [18:53]
*** tellesnobrega_ has joined #openstack-keystone [18:55]
*** f13o has joined #openstack-keystone [18:58]
*** marcoemorais has quit IRC [19:04]
*** marcoemorais has joined #openstack-keystone [19:04]
<stevemar> can a non-ibm'er +A this one: https://review.openstack.org/#/c/137729/ ayoung lbragstad [19:06]
<lbragstad> stevemar: testing it quick [19:07]
<stevemar> lbragstad, cool, it should work, just changes to help text [19:07]
<lbragstad> I didn't know that's how that worked... [19:08]
<openstackgerrit> ayoung proposed openstack/python-keystoneclient: Example Initialization scripts https://review.openstack.org/82687 [19:10]
<stevemar> lbragstad, *the more you know* [19:15]
<lbragstad> stevemar: looks good to me [19:15]
*** amakarov is now known as amakarov_away [19:19]
*** packet has joined #openstack-keystone [19:22]
*** aix has quit IRC [19:22]
*** andreaf has quit IRC [19:28]
*** andreaf has joined #openstack-keystone [19:28]
*** NM1 has quit IRC [19:28]
*** NM has joined #openstack-keystone [19:33]
*** nellysmitt has joined #openstack-keystone [19:38]
*** dims_ has joined #openstack-keystone [19:39]
*** dims has quit IRC [19:43]
*** marcoemorais has quit IRC [19:46]
*** marcoemorais has joined #openstack-keystone [19:46]
*** packet has quit IRC [19:47]
*** dims_ has quit IRC [19:47]
*** dims has joined #openstack-keystone [19:48]
*** marcoemorais has quit IRC [19:48]
*** marcoemorais has joined #openstack-keystone [19:48]
*** marcoemorais has quit IRC [19:49]
*** marcoemorais has joined #openstack-keystone [19:50]
*** ajayaa has quit IRC [19:54]
*** jaosorior has joined #openstack-keystone [19:59]
*** marcoemorais has quit IRC [19:59]
*** marcoemorais1 has joined #openstack-keystone [19:59]
*** marcoemorais1 has quit IRC [20:01]
*** marcoemorais has joined #openstack-keystone [20:01]
*** jimhoagland has quit IRC [20:03]
*** packet has joined #openstack-keystone [20:11]
*** henrynash has joined #openstack-keystone [20:14]
*** ChanServ sets mode: +v henrynash [20:14]
<openstackgerrit> Will Foster proposed openstack/keystone: skip assignment rows migrate if duplicate entry exists. https://review.openstack.org/136946 [20:14]
*** wpf has quit IRC [20:14]
*** afazekas has quit IRC [20:16]
*** wpf has joined #openstack-keystone [20:16]
<rodrigods> ayoung, morganfainberg, henrynash: code review request :D https://review.openstack.org/#/c/117786/ [20:16]
<henrynash> rodrigods: ok [20:17]
<openstackgerrit> Merged openstack/keystone: Multiple IdPs problem https://review.openstack.org/138104 [20:17]
<henrynash> morganfainberg: ping [20:17]
<openstackgerrit> Merged openstack/keystone: Fixes docstring at eventlet_server https://review.openstack.org/128496 [20:17]
<openstackgerrit> Merged openstack/keystone: Fix the copy-pasted help info for db_version https://review.openstack.org/137729 [20:17]
<ayoung> rodrigods, test_v3_identity really needs to be split. Maybe after this and henrynash 's patch gets in. [20:19]
<rodrigods> ayoung, yep, samuelms-away fault :( [20:20]
<rodrigods> he managed to ship this split before the HM code [20:20]
<rodrigods> we already accepted the defeat in the rebase race against henrynash as well :( [20:21]
*** _cjones_ has quit IRC [20:22]
<henrynash> rodrigods: so graceful, too :-) [20:24]
<openstackgerrit> Lance Bragstad proposed openstack/keystone: region.description is optional and can be null https://review.openstack.org/117611 [20:24]
*** amcrn has joined #openstack-keystone [20:25]
*** marcoemorais has quit IRC [20:25]
<openstackgerrit> Lance Bragstad proposed openstack/keystone: Move test_utils to keystone/tests/unit/ https://review.openstack.org/133989 [20:31]
*** raildo_ has joined #openstack-keystone [20:35]
<morganfainberg> ayoung, lets let the test split happen as we refactor tests ( lbragstad and dstanek are doing a lot of that work ) [20:39]
<morganfainberg> ayoung, splitting it now doesn't make sense until we know where / how it's landing. [20:39]
<ayoung> morganfainberg, are you OK with what I suggested to henrynash this morning: splitting domains from projects? [20:40]
<morganfainberg> unless the test split occurs before HM. [20:40]
<ayoung> yeah, agreed on the test stuff [20:40]
<dstanek> morganfainberg: i agree...i've had some help today from marekd in getting an example federation functional test [20:40]
<morganfainberg> ayoung, nope. i am against splitting things further - i'd rather be very conservative about splitting things up. [20:40]
<ayoung> morganfainberg, I think this one should have happened already [20:40]
<ayoung> I would argue it is more important than splitting off roles from assignment [20:41]
<ayoung> er [20:41]
<ayoung> projects from assignment [20:41]
<morganfainberg> ayoung, i'd rather split assignment from resource, then evaluate if we *need* to split roles from assignment or projects from domain [20:41]
<dstanek> morganfainberg: i've also done some work to split out the v3 tests that we have in keystone.tests to run against a real keystone instance instead of an in-process one [20:41]
<ayoung> morganfainberg, resource is a horrible name, and that reflects that we have something wrong here [20:41]
<lbragstad> dstanek: sweet! [20:41]
<morganfainberg> but it's a grey enough area, i'm willing to let it go either way provided there is enough reviewer/deployer support [20:41]
morganfainbergayoung, then fix the name.20:41
ayoungthat something is that domains and projects should be separate20:42
morganfainbergayoung, adding another split is *not* the answer to fixing this.20:42
ayoungso domains go into the domain backend, and projects into domain specific storage20:42
ayoungyes, the point is that domain is like a mountpoint20:42
*** jimhoagland has joined #openstack-keystone20:42
morganfainbergayoung, i am almost categorically against that.20:42
ayoungmorganfainberg, I sense much fear in you20:42
raildo_morganfainberg, so, we have some patches about HM merged on our branch, so to merge to the master, we have to create a dependence to this change?20:42
morganfainbergayoung, until we see a more conservative split *if* we're doing it.20:42
morganfainbergraildo_, yeah.20:43
morganfainbergraildo, lets stop piling things on that branch and get it merged to master sooner vs later.20:43
ayoungmorganfainberg, I say we pay the price now, and pay it once20:43
morganfainbergayoung, so the only thing i'm adding is - if we split it we can't collapse it.20:43
ayoungthat is fine.  It will be like domains and sql:20:44
morganfainbergi don't see domains and projects being separate. - i see them becoming closer20:44
raildo_morganfainberg, ++20:44
morganfainbergand i am almost 100% sure we're going to find that the split is just awful deployer experience20:44
ayoungdomains are a keystone namespace for other things20:44
ayoungin identity, it is the IdPs.  In Assignment, it is the project databases20:44
morganfainbergayoung, domains and projects are *both* keystone things20:44
ayoungso are users20:44
ayoungexcept where they come from somewhere else20:44
ayoungsame should be true for projects20:45
morganfainbergayoung, so i'll be frank, i will -2 a split on domain and project until i see a clear use case that is a separate patch from what henry is working on20:45
raildo_My fear is this will delay the merge our code to the master to kilo-2... and this can impact the rest of the implementation20:45
ayoungmorganfainberg, that is just being stubborn20:45
ayoungraildo_, that is legit20:45
morganfainbergayoung, did you read the second part of that statement20:45
morganfainbergayoung, *separate patch*20:45
ayoungmorganfainberg, I laid it out for you before.20:45
ayoungDNS and LDAP based project Databases20:46
morganfainbergayoung, and i'm unconvinced.20:46
morganfainbergayoung, so it needs to be separate from henry's work.20:46
ayoungmorganfainberg, I understand the HTM concern20:46
morganfainbergayoung, in fact i'd argue it's a separate spec.20:46
morganfainbergayoung, it also drastically changes everything we agreed upon with domains == projects20:47
ayoungI should have done it back when I split identity20:47
morganfainbergayoung, so separate spec.20:47
ayoungI was tempted to...20:47
ayoungnah20:47
morganfainbergayoung, make the case there.20:47
ayoungit is a trivial extension20:47
morganfainbergayoung, then it's a -2 from me.20:47
ayoungnot a radical departure20:47
morganfainbergi *don20:47
morganfainberg't* see it as trivial20:47
raildo_I have to agree with morganfainberg...20:47
ayoungmorganfainberg, I think it would still take more work to do the domain specific backends for projects, just that we are muddying the namespace by calling things resource20:48
morganfainbergi'm willing to entertain it, but it's *not* what henry proposed and it is tangentially related.20:48
raildo_although we can not take a -2 hahaha20:48
ayoungraildo_, you are not objective...you are trying to get a feature in.  I sympathized.20:48
raildo_I can*20:48
ayoungSympathize even20:48
*** nellysmitt has quit IRC20:49
morganfainbergayoung, so - i've laid out what it takes for me to consider it. am willing to be stubborn about it needing to be a spec and needs a clear use-case laid out in the spec / problem space20:49
ayoungmorganfainberg, it was what I originally understood his rationale to be for splitting things in the first place, and it shows why we are so convoluted in naming things20:49
morganfainbergayoung, i also am against splitting roles from assignment (see my comment on henry's patch)20:49
ayoungthen we should cancel henrynash 's split at all, as it is a half measure20:49
morganfainbergi'm *not* blocking it.20:49
ayoungif your concern is just schedule, I understand20:50
morganfainbergayoung, so - write a spec, lay out the problem space, lay out the use-case20:50
bknudsonseems like we accepted that we were going to do HMT before any discussion of splitting backends...20:50
morganfainbergayoung, i'm not willing to entertain this as an irc conversation meaning approval.20:50
bknudsonso HMT shouldn't depend on a split now20:50
morganfainbergHMT is also more important than splitting project/domain20:50
ayoungbknudson, does that mean HMT goes in before henrynash 's split of assignment?20:51
ayoungI thought we were going to opposite...20:51
ayoungmorganfainberg, agreed20:51
morganfainbergso, at this point i'd like to, if henrynash is ok with it. resolve the current HMT branch20:51
bknudsonI would have preferred it for HMT goes in before the split20:51
morganfainbergand get that merged20:51
ayoungdeal.20:51
morganfainbergit's going to take i think either dolphm's time or mine to resolve that anyway20:51
morganfainbergraildo_, if you don't mind helping out and rebasing your patches against master20:52
morganfainbergonce we merge the branch away20:52
raildo_I agree that we need the domains roles stuffs to coverage the Reseller use case, in HM implementation.20:52
morganfainbergthen have henrynash's land.20:52
henrynashso I’ll admit that part of the rationale for splitting assignments was to give a nice landing place for HM20:52
*** NM has quit IRC20:52
ayoungmorganfainberg, ah, it is a topic branch, isn't it.  So we are going to do the whole "merge a branch" thing there, not rebase?20:52
rodrigodsmorganfainberg, so we need a ff in HM branch20:52
morganfainbergayoung, yes20:52
rodrigodsthen we can rebase it20:52
morganfainbergayoung, thats why it's going to be unfun.20:53
morganfainbergrodrigods, yes.20:53
raildo_rodrigods, morganfainberg ++20:53
henrynashso I’d have preferred the split first….but, if we want to do the other way round, I don’t mind doing the work on mine20:53
rodrigodshenrynash, we can help with your rebase as well20:53
rodrigodsif you don't mind having partial patchsets20:54
*** jimhoagland has left #openstack-keystone20:54
ayoungmorganfainberg, ok, yeah, let's clear that up,  and then loop back around on the domain/project split.  I think it should not be a stand alone spec, but should instead be an update to the existing assignment split spec20:54
*** marcoemorais has joined #openstack-keystone20:54
ayoungbut I'll try to lay it out clearly20:54
morganfainbergayoung, and then we can work on henry's patch and i'm not unwilling to see project/domain split, but i want a spec for it. just like henry's spec is splitting assignment. if the project/domain split is *needed* we can place it in line before/after henry's20:54
morganfainbergayoung, my -2 is "this is not an IRC conversation approval" point. not a "nope never".20:55
ayoungmorganfainberg, that is my point: it should be *part* of henry's split or it muddies the water.  I can work with henrynash on that.20:55
morganfainbergayoung, ok then it can extend his spec (I wasn't clear how you got it into specs)20:55
morganfainbergayoung, but it needs to be outlined, problem space, use-case, etc20:55
morganfainbergayoung, that work for you? [and realize this cycle is already *very* full]20:56
ayoungmorganfainberg and I guess what I was asking is if you understand the rationale for it, and in general supported it, not that we were going to bypass the spec process20:56
morganfainbergayoung, so - outline it clearly. we've had ~4 different conversations on it, and i'm still unclear what it wins us.20:56
morganfainbergand getting it in a spec makes it easier to hammer out details rather than trolling eavesdrop logs ;)20:57
morganfainbergrodrigods, raildo_, let me see how hard the FF on the feature branch is going to be.20:57
raildo_morganfainberg, ok. thanks20:57
morganfainbergrodrigods, raildo, hopefully clean - then we can FF that, then merge to master20:57
ayoungmorganfainberg, I felt the same way about the split of the assignment from projects.20:58
ayoungAnd, might I add, a few other specs, too....20:58
morganfainbergayoung, we can revisit the whole spec. if we want.20:58
morganfainbergayoung, and rescind if it doesn't make sense.20:58
morganfainbergayoung, specs are *not* written in stone.20:58
raildo_morganfainberg, for rodrigods and me, we can start do that tomorrow.20:58
ayoungmorganfainberg, I think the split makes sense if the goal is to let two things vary independently20:58
*** tellesnobrega_ has quit IRC20:59
ayoungfair enough.  I'll work with henrynash on this one20:59
morganfainbergayoung, so - lets get HMT in. lets look at either separate spec or addendum to henry's for your case. i'm leaning towards a dependent spec, but thats my preference. - i'd rather see less splits done in a single fell swoop, [make them separate work items at least?]21:00
morganfainbergi wont say no to adding it to henry's spec, but i want it to be clear what we're aiming for and how we're getting there.21:01
morganfainbergand the problemspace/use-cases21:01
*** _cjones_ has joined #openstack-keystone21:05
*** chrisshattuck has joined #openstack-keystone21:07
*** raildo_ has quit IRC21:08
*** henrynash has quit IRC21:09
* ayoung slowly turning into termie?21:12
morganfainberghttps://review.openstack.org/#/c/138182/21:15
morganfainbergayoung, nah.21:15
morganfainbergayoung, you [or if you're referencing me, same thing applies] don't -2 and leave / refuse to revisit21:16
ayoungValerie:  Think it'll work?  MAX:It'll take a miracle.  Both :Buh Bye!21:16
ayoungmorganfainberg, nah, just my desire to rewrite everything in a vacuum21:17
*** zzzeek has quit IRC21:17
morganfainbergayoung, keystone extra-lite?21:17
ayoungI prefer the review process, but hate the status quo of so much of our code21:17
morganfainbergayoung, and sadly, a lot of our code has to be fixed incrementally.21:17
morganfainbergayoung, we're waaaaaay ahead of a few cycles ago. take it as a win, but we have to be slow moving :(21:17
ayoungmorganfainberg, OTOH more people have run code I've written in Keystone than the rest of my career combined21:18
*** zzzeek has joined #openstack-keystone21:18
morganfainbergayoung, ++21:18
ayoungand more people have learned to curse my name.  Win-win as I see it21:18
ayoungmorganfainberg, OK, on to another thing you and I have argued about...21:18
morganfainbergayoung, just don't turn into linus and the mail threads21:18
ayoungI was trying to split out just /auth  from the rest of the services21:19
morganfainbergayoung, i'm limited in my capacity to work on this today - i have a ton of $those_people_who_pay_my_paycheck$ work to follow up on21:19
ayoungNP21:19
morganfainbergayoung, so hopefully back at full focus tomorrow for meetings / continued convos.21:20
morganfainberg:)21:20
ayoungI just meant that I was switching gears myself to something you and I will spar about at a future date...Thursday maybe?21:20
morganfainbergyeah - thursday is better.21:20
*** alexiz has joined #openstack-keystone21:20
morganfainberg:)21:21
ayoungthis one shouldn't be too bad, as it will likely be primarily a code clean up21:21
morganfainbergraildo, rodrigods, https://review.openstack.org/#/c/138182/ i *think* this is going to be easy.21:21
ayounglooks like I need to do some work around the other extensions that do things under /auth before I can get tests to pass, though21:21
morganfainbergwhich case we can possibly get the HM branch merged in today.21:21
*** mzbik has joined #openstack-keystone21:21
ayoungmorganfainberg likes to tempt fate21:22
morganfainbergayoung, damn straight.21:22
morganfainbergat the very least there were *no* conflicts.21:22
* morganfainberg might be able to do the merge the otherway actually...21:22
*** gordc_ has joined #openstack-keystone21:24
openstackgerritMorgan Fainberg proposed openstack/keystone: Merge remote-tracking branch 'remotes/origin/feature/hierarchical-multitenancy' into HEAD  https://review.openstack.org/13818621:24
mzbikayoung, can you try to not lie this time ;) and tell me if LDAP queries are or are not filtered? I mean if I want v3/users?name=myUserName LDAP will query all and then filter or it will be filtered on LDAP query lvl?21:26
*** amcrn_ has joined #openstack-keystone21:26
*** tellesnobrega_ has joined #openstack-keystone21:27
*** svasheka_ has joined #openstack-keystone21:27
*** wpf1 has joined #openstack-keystone21:27
*** bknudson1 has joined #openstack-keystone21:29
morganfainbergraildo, rodrigods, ^ working with -infra to verify, but that might be the change needed.21:29
ayoungmzbik, how would you know if I were to lie or not?21:29
morganfainbergrodrigods, rodrigods, once it passes check we'll push it through and then remove the feature branch.21:29
morganfainbergraildo, ^21:29
ayoungmzbik, but look at the code I linked to earlier21:29
ayoungit looks pretty clear to me that the filtering happens afterwards, like you feared21:30
bknudson1topic branches don't seem to work all that great21:30
mzbikdamn it :/21:30
morganfainbergbknudson1, they are .. bizarre21:30
mzbiktoo bad21:30
morganfainbergbknudson1, well topic branches in gerrit21:30
morganfainbergmzbik, there is / was some effort to push that filtering down the ldap driver - it isn't complete though21:31
mzbikI think it might be very useful when querying huge LDAP databases without privileges to paging (like I have)21:33
ayoungmzbik, you can do filtering, you need to do it in the config file21:34
morganfainbergmzbik, ayoung is correct you can add some extra filtering in config21:34
ayounglike for groups you can specify a filter etc21:34
mzbikI know21:34
rodrigodsmorganfainberg, great! thanks21:35
*** amcrn has quit IRC21:35
*** wpf has quit IRC21:35
*** bknudson has quit IRC21:35
*** gordc has quit IRC21:35
*** shakayumi has quit IRC21:35
*** svasheka has quit IRC21:35
*** russellb has quit IRC21:35
*** tellesnobrega has quit IRC21:35
mzbikperhaps my use case is shitty21:35
morganfainbergrodrigods, this means you could rebase your changes directly on henrynash's once his rebase on master21:36
morganfainbergrodrigods, get the same "nice landing place" so to speak.21:36
morganfainbergor... race him to the rebase ;)21:36
rodrigodsmorganfainberg, heh cool21:36
ayoungmzbik, if you keep using those technical terms none of us will be able to follow the conversation21:36
mzbikuh ok...21:37
mzbiksorry :(21:37
ayoungmorganfainberg, or we could collapse all of the changes in the feature branch into a single patch and force it onto the stack at the front21:37
*** lhcheng has quit IRC21:38
morganfainbergayoung, the merge commit does that21:38
morganfainbergayoung, except without breaking the history21:38
morganfainbergayoung, i meant the *next* patches21:38
*** lhcheng has joined #openstack-keystone21:38
morganfainbergthat haven't been approved on the topic branch yet21:38
ayoungwhy'd you -1 workflow the merge commit?21:38
morganfainbergayoung. wanted infra to look it over 1st21:38
morganfainberggoing to un -1 it.21:38
morganfainberg-infra says "looks good as long as jenkins doesn't complain"21:39
mzbikthanks for help21:39
* morganfainberg is *very* leery of merge commits.21:39
morganfainbergthey can break things in awful terrible no-good ways21:40
ayoungmorganfainberg, yeah...it really should be an explicit rebase and single patch21:40
*** mzbik has quit IRC21:40
morganfainbergayoung, except losing the history21:40
morganfainbergayoung, we *don't* want to lose the HM history.21:40
ayoungmorganfainberg,  meh21:40
openstackgerritWill Foster proposed openstack/keystone: skip assignment rows migrate if duplicate entry exists.  https://review.openstack.org/13694621:40
morganfainbergayoung, ok i don't want to.21:40
ayoungI should have pushed for hierarchical back when gyee was pushing for domains.  The rest is commentary21:41
morganfainbergayoung, sure. but that ship sailed.21:41
ayoungactually, it floated out of the harbor, got stuck on a sandbar, and has been sitting there for us all to look at, but its the same21:41
morganfainbergayoung, and yes it would have been a lot easier back then ;)21:41
*** packet has quit IRC21:41
ayoungand by that I mean that we still have people avoiding using domains due to auth token middleware support21:42
* ayoung goes to look at client reviews21:42
*** henrynash has joined #openstack-keystone21:49
*** ChanServ sets mode: +v henrynash21:49
*** packet has joined #openstack-keystone21:50
*** samuelms has joined #openstack-keystone21:55
*** kobtea has joined #openstack-keystone21:56
*** kobtea has quit IRC22:01
*** packet has quit IRC22:02
*** aix has joined #openstack-keystone22:08
samuelmshenrynash, ping .. do you agree that the operations the assignment (mapper) backend  has to provide are like: list_<actor>_capabilities_on_<target> ?22:11
samuelmshenrynash, that's needed when issuing a token ..22:12
samuelmshenrynash, or  list_<actor>_global_roles_on_<target> .. as they're represented today22:15
henrynashsamuelms: so you’re asking just about naming? If so, I’d probably go with the roles one…since that’s what we really support today….and whether a role is really a capability is up to how the policy file is written22:23
samuelmshenrynash, ok .. so let's take list_<actor>_global_roles_on_<target> .. that's what the assignment controller should provide ..22:24
samuelmshenrynash, independently on how we evaluate that (using roles, attributes, etc) ..22:25
samuelmshenrynash, right?22:25
henrynashsamuels: yes…which is pretty much what we have today, e.g. get_roles_for_user_and_project()22:26
samuelmshenrynash, so my point on your review was to create an interface (a contract) to be implemented by the managers ..22:26
henrynashso the manager would stay, but the driver would do something totally different than it does today22:26
samuelmshenrynash, so our manager impl is according that interface .. and if you'd like to plug another manager ... just make it accordingly that interface22:26
henrynash…to satisfy those requests22:27
*** henrynash has quit IRC22:29
*** henrynash has joined #openstack-keystone22:30
*** ChanServ sets mode: +v henrynash22:30
henrynash…then that controller would have its own manager…but that would call the same driver as used by the assignment manager….22:30
henrynashso a new assignment engine would supply:22:30
henrynash1) a new controller (in addition to the assignment one) that supported whatever new APIs it wanted22:30
henrynash2) A new manager that supported that controller22:30
henrynash3) a new driver that replaced the existing assignment driver, but also supported the api calls of the new manager22:31
henrynashand the roles manager/driver would not be touched22:31
henrynashthat roles stay defined in whatever backend you had before swapping in a new assignment engine22:32
*** jamielennox|away is now known as jamielennox22:32
openstackgerritWill Foster proposed openstack/keystone: skip assignment rows migrate if duplicate entry exists.  https://review.openstack.org/13694622:33
samuelmshenrynash, this is what I think http://paste.openstack.org/show/142963/22:33
openstackgerritayoung proposed openstack/python-keystoneclient: Revocation event API  https://review.openstack.org/8116622:33
samuelmshenrynash, so your point 1 is the controller for the 'connectors' (such as roles)22:37
samuelmshenrynash, and 2 the manager for that controller, obviously22:37
*** topol has quit IRC22:39
henrynashsamulems: so not sure I understand your example22:44
henrynashsamuelms: what is the use case you are trying to show?22:45
samuelmshenrynash, did you take a look at the paste?  http://paste.openstack.org/show/142963/22:45
samuelmshenrynash, I'm trying to figure out how a complete plug of a new assignment mapper would be ..22:45
*** joesavak has quit IRC22:45
henrynashsamuelms: yes, and that didn’t help make me feel any better :-)22:45
samuelmshenrynash, haha22:46
samuelmshenrynash, I'll try to plug my own dummy assignment mapper ..22:46
samuelmshenrynash, to show the things we're doing makes easier to plug a custom assignment backend22:47
henrynashsamuelms: so part of the spec was that I would provide an example :-)22:47
samuelmshenrynash, and we don't have one, right? :p22:48
*** palendae has quit IRC22:48
henrynashsamuelms: although I’m not sure where to put, now that we don’t have extensions….22:48
henrynashsamulems: haven’t written it yet22:48
henrynashsamuelms: but I think it is not as complicated as you thinking….22:49
*** nellysmitt has joined #openstack-keystone22:49
samuelmshenrynash, I hope so :p22:50
samuelmshenrynash, what I was thinking is that we maintain assignment.mapper.controller and replace assignment.mapper.manager/driver22:50
henrynashsamuelms: for your new assignment mapper, you will write a controller, manager and driver22:51
samuelmshenrynash, as well as the entire assignment.connector part22:51
henrynashsamuelms: so I’m not quite on board with your terminology22:51
henrynashdon’t let’s use new names for things, let’s use the existing names22:52
henrynashin my patch we have:22:52
henrynashassignment.controller22:52
henrynashsorry..need to drop off…be back in a bit22:52
samuelmshenrynash, ok22:52
openstackgerritMerged openstack/keystone: Use true() rather than variable/singleton  https://review.openstack.org/13236822:52
*** gordc_ has quit IRC22:53
*** nellysmitt has quit IRC22:54
*** radez is now known as radez_afk22:56
jamielennoxhere are a list of things in keystoneclient that already have one +222:56
jamielennoxhttps://review.openstack.org/#/q/project:openstack/python-keystoneclient+is:open+label:Code-Review%253E%253D%252B2+-CodeReview-1+-CodeReview-2+Verified%253D1,n,z22:56
jamielennoxand middleware: https://review.openstack.org/#/q/project:openstack/keystonemiddleware+is:open+label:Code-Review%253E%253D%252B2+-CodeReview-1+-CodeReview-2+Verified%253D1,n,z22:56
jamielennoxcan someone please clean a few of these up22:56
*** palendae has joined #openstack-keystone22:57
ayoungjamielennox, I'll take a look after kids are in bed22:59
*** andreaf has quit IRC22:59
jamielennoxayoung: slightly screwed up the url - the syntax seems to have changed23:00
*** andreaf has joined #openstack-keystone23:00
jamielennoxhttps://review.openstack.org/#/q/project:openstack/python-keystoneclient+is:open+label:Code-Review%253E%253D%252B2+-label:Code-Review-1+Verified%253D1,n,z23:02
jamielennoxhttps://review.openstack.org/#/q/project:openstack/keystonemiddleware+is:open+label:Code-Review%253E%253D%252B2+-label:Code-Review%253D-1+Verified%253D1,n,z23:02
*** _cjones_ has quit IRC23:10
*** _cjones_ has joined #openstack-keystone23:12
*** arif-ali has quit IRC23:12
*** jaosorior has quit IRC23:13
*** arif-ali has joined #openstack-keystone23:19
*** tellesnobrega__ has joined #openstack-keystone23:20
*** jasondotstar has quit IRC23:21
morganfainbergjamielennox, went through most of those and hit the really quick ones through into gate23:24
morganfainbergjamielennox, you might need to babysit them now.23:24
jamielennoxmorganfainberg: thanks, there weren't as many as it felt like when i was looking yesterday23:24
morganfainbergjamielennox, if there was a -1 i skipped because i need to get back to some internal $place_that_signs_my_paycheck$ things.23:25
bknudson1morganfainberg is like a laxative unblocking reviews!23:25
morganfainbergbknudson1, lol ;)23:25
morganfainbergbknudson1, i had a question on one of your docstring fixes, looks like you missed a :py:class:23:25
bknudson1morganfainberg: I'll take a look at it... need to generate the docs and see what it looks like23:26
morganfainbergbknudson1, ++23:26
*** arif-ali has quit IRC23:26
morganfainbergbknudson1, you did it for the next 2 :type: bits, just not that one, so it stood out as "hmm, maybe this is wrong"23:26
morganfainbergbknudson1, jamielennox, henrynash, ayoung, dstanek, lbragstad, https://review.openstack.org/#/c/138186/23:27
morganfainbergi could use a couple +2 and a +A on that23:27
morganfainbergwe can close down the topic branch then.23:27
morganfainberggyee, dolphm, ^ cc23:27
bknudson1morganfainberg: it might be a difference between how :type: and :rtype: are handled.23:27
dstanekmorganfainberg: that's just a merge?23:28
morganfainbergbknudson1, if it's a non-issue i'll reverse my -1 and push it through.23:28
samuelmsmorganfainberg, ++23:28
morganfainbergdstanek, yep. it's the collapse of HMT code to master, so we can kill the topic branch23:28
morganfainbergdstanek, was a clean merge too.23:28
morganfainbergdstanek, the outstanding reviews on the topic branch will be moved to master.23:29
dolphmmorganfainberg: gerrit doesn't show you a final diff?23:29
rodrigodsmorganfainberg, is this finally happening? \o/23:29
morganfainbergdstanek, not on a merge commit.23:29
bknudson1not sure how to review it?23:29
morganfainbergdolphm, ^23:29
dstaneki assume it's just a FF since there is no diff...23:29
bknudson1check the spelling in the commit message?23:29
morganfainbergdstanek, it was a merge, but it was a clean merge.23:29
morganfainbergbknudson1, hehe pretty much.23:30
morganfainbergbknudson1, you can try the same thing i did: take the parent and git merge remotes/origin/feature/hierarchical-multitenancy23:30
morganfainbergbknudson1, see if you come up with the same result23:30
bknudson1could check it out and do a diff?23:30
dolphmbknudson1: git diff master..feature/hierarchical-multitenancy23:31
morganfainbergbknudson1, i think i want to avoid topic branches if at all possible in the future.23:31
morganfainbergbknudson1, though in this case i think it worked out fairly well.23:31
*** zzzeek has quit IRC23:32
*** yasu_ has joined #openstack-keystone23:32
morganfainbergbknudson1, here was the merge: http://paste.openstack.org/show/142991/23:32
dstanekmorganfainberg: is ayoung's related to what you were discussing earlier?23:33
morganfainbergdstanek, hm?23:33
dstanekmorganfainberg: about functional testing23:33
morganfainbergdstanek, oh uh... the ML topic23:34
morganfainberghaven't read it yet23:34
*** arif-ali has joined #openstack-keystone23:34
morganfainbergdstanek, yeah i told him i'd chat on thursday about it23:34
morganfainbergML works as well.23:34
morganfainbergit's related to auth split out stuff.23:35
*** zzzeek has joined #openstack-keystone23:35
bknudson1oh, it's got a migration... scary23:36
bknudson1at least it's the only new one.23:36
bknudson1morganfainberg: the reviews couldn't be moved from topic branch to master?23:41
*** jimhoagland has joined #openstack-keystone23:41
morganfainbergbknudson1, not the merged ones.23:42
morganfainbergbknudson1, and the old reviews will need to be reproposed, since gerrit tracks per-branch iirc23:42
morganfainbergbknudson1, =/ it's crummy.23:42
morganfainberghence why i think we should avoid topic branches unless we really need them.23:43
*** palendae has quit IRC23:44
morganfainbergjamielennox, bknudson1, when should we release the next KSC and Middleware?23:44
morganfainbergjamielennox, bknudson1, any thoughts?23:44
morganfainbergi'm leaning towards next week if nothing major is still outstanding.23:45
jamielennoxmorganfainberg: i want the any auth plugin thing in first23:45
jamielennoxfor middleware23:45
morganfainbergjamielennox, ++ ok23:45
jamielennoxthat's a good time to release that23:45
morganfainbergjamielennox, lets try and target end of next week or early the following.23:45
* morganfainberg plans a release on friday... at 10pm... pacific... -- oh wait no *not* releasing at 10pm pacific on friday.23:46
morganfainbergjamielennox, i should be back in LA/available on thursday so i'll check in w/ you then. [barring we get everything done this week]23:46
morganfainbergjamielennox, next week that is.23:47
openstackgerritMerged openstack/keystonemiddleware: Adding audit middleware to keystonemiddleware  https://review.openstack.org/10295823:47
jamielennoxok, there's one of two things i want to propose to ksc still as well23:47
morganfainbergjamielennox, i'll plan to do the releases at the same general time.23:47
*** bknudson1 has quit IRC23:48
*** palendae has joined #openstack-keystone23:51
openstackgerritMerged openstack/python-keystoneclient: Curl statements to include globoff for IPv6 URLs  https://review.openstack.org/13632723:55
openstackgerritMerged openstack/keystonemiddleware: Auth token supports deprecated names for paste conf options  https://review.openstack.org/12865623:58
openstackgerritMerged openstack/keystonemiddleware: Fix paste config option conversion for auth options  https://review.openstack.org/13191423:58
