Monday, 2015-01-12

samueldmqjamielennox, if you'd like to check a role assignment, we should do a HEAD00:00
samueldmqjamielennox, don't know if we have such call from kc00:00
jamielennoxsamueldmq: yes - but what i mean is that the GET to that same URL should either return some information or a 204. the HEAD shouldn't be a separate path00:01
jamielennoxseparate call00:01
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Add python-memcached to test-requirements
samueldmqjamielennox, so in this case (
samueldmqjamielennox, we should still get 204 from GET (because there is not content)00:05
samueldmqjamielennox, and 200 from HEAD00:05
samueldmqjamielennox, if so, they're not consistent in this case00:05
jamielennoxno - i think if GET returns a 204 then HEAD should return a 20400:05
jamielennoxthe way we discovered this is that apache will handle some of this rewriting for you00:05
jamielennoxif you put a HEAD request to any url then apache will issue it as a GET and then just discard any body00:06
jamielennoxwe need to be consistent with that behaviour from python00:06
bknudsonif GET returns a 204 then HEAD must return 204 (and it will if running in apache httpd)00:06
bknudsonapache converts the HEAD request to a GET request, so wsgi doesn't see it.00:06
*** _cjones_ has quit IRC00:06
samueldmqgot the point, HEAD must always 'follow' the behavior of 'GET', whatever it returns00:07
bknudson(pretty much what jamielennox said)00:07
samueldmqI thought HEAD should always return 20000:07
samueldmqor error00:07
bknudsonsamueldmq: read the spec:
jamielennoxwikipedia: Asks for the response identical to the one that would correspond to a GET request, but without the response body. This is useful for retrieving meta-information written in response headers, without having to transport the entire content.00:08
jamielennoxheh bknudson goes for the way more authoritative source00:08
samueldmqbknudson, ++00:12
samueldmqjamielennox, bknudson got it, thx00:12
samueldmqwill update my patch, and request your review (adding your names there) once I submit it00:13
*** avozza is now known as zz_avozza00:15
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Move to hacking 0.10
jamielennoxsamueldmq: np00:18
samueldmqbknudson, jamielennox reading that spec made me think that we should then have a HEAD for each GET request00:21
jamielennoxsamueldmq: in the case of apache we do implicitly00:21
samueldmqfor all GET request, I mean00:21
bknudsonyes, we must. It's implied.00:22
bknudson(i.e., no need to document it since it's implied)00:22
samueldmqyes, I am just not sure we have HEAD for every GET00:23
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Correct failures for check E122
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Surface the user_id and project_id beyond the plugin
samueldmqbknudson, jamielennox that's what I was talking about: bug #1370335 :)00:25
uvirtbotLaunchpad bug 1370335 in keystone "Keystone should support HEAD requests for all GET actions" [Wishlist,Triaged]
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Enforce check F821
*** dgonzalez has quit IRC00:26
*** dgonzalez has joined #openstack-keystone00:26
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Correct failures for check H238
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Enforce check F821 and H304
*** dgonzalez has joined #openstack-keystone00:31
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Extract the Loadable interface from a plugin
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Make session use the Loadable interface
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Correct failures for check H703
*** david-lyle has joined #openstack-keystone00:35
*** dgonzalez has quit IRC00:37
*** dgonzalez has joined #openstack-keystone00:37
*** dgonzale_ has joined #openstack-keystone00:46
openstackgerritBrant Knudson proposed openstack/python-keystoneclient-federation: Move to hacking 0.10
openstackgerritBrant Knudson proposed openstack/python-keystoneclient-federation: Correct failures for check W292
openstackgerritBrant Knudson proposed openstack/python-keystoneclient-kerberos: Move to hacking 0.10
*** david-lyle has quit IRC01:18
*** david-lyle has joined #openstack-keystone01:25
*** david-lyle has quit IRC01:27
*** david-lyle has joined #openstack-keystone01:28
openstackgerritwanghong proposed openstack/keystone: do parameter check before updating endpoint_group
*** diegows has joined #openstack-keystone01:32
*** chrisshattuck has joined #openstack-keystone01:52
*** david-lyle has quit IRC01:59
*** diegows has quit IRC02:01
*** abhirc has joined #openstack-keystone02:05
samueldmqcan we go 'rescope' a scoped token to an unscoped one?02:15
openstackgerritChangBo Guo(gcb) proposed openstack/keystone: Use dict comprehensions instead of dict constructor
morganfainbergsamueldmq, today? no02:18
morganfainbergw/ ayoungs' changes - absolutely not02:18
samueldmqmorganfainberg, nice02:19
samueldmqmorganfainberg, I'm reviewing his 'adding allow rescope config' patch02:19
samueldmqmorganfainberg, and if we could do that, we need to add a new tests as well02:19
*** abhirc_ has joined #openstack-keystone02:28
*** abhirc has quit IRC02:30
*** r-daneel has joined #openstack-keystone02:42
*** erkules has joined #openstack-keystone02:44
*** LinstatSDR has quit IRC02:46
*** erkules_ has quit IRC02:46
*** adriant has joined #openstack-keystone02:52
openstackgerritChangBo Guo(gcb) proposed openstack/keystone: Use dict comprehensions instead of dict constructor
*** abhirc_ has quit IRC03:07
*** chrisshattuck has quit IRC03:20
*** r-daneel has quit IRC03:22
*** r-daneel has joined #openstack-keystone03:23
*** abhirc has joined #openstack-keystone03:25
*** LinstatSDR has joined #openstack-keystone03:33
openstackgerritwanghong proposed openstack/keystone: do parameter check before updating endpoint_group
*** david-lyle has joined #openstack-keystone03:44
*** chrisshattuck has joined #openstack-keystone03:46
*** chrisshattuck has quit IRC03:56
*** samueldmq has quit IRC04:01
*** chrisshattuck has joined #openstack-keystone04:07
*** chrisshattuck has quit IRC04:07
*** chrisshattuck has joined #openstack-keystone04:08
*** david-lyle has quit IRC04:50
*** david-lyle has joined #openstack-keystone04:50
*** chrisshattuck has quit IRC05:05
*** david-lyle has quit IRC05:06
*** adriant has quit IRC05:13
*** abhirc has quit IRC05:23
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex
*** LinstatSDR has quit IRC06:04
*** LinstatSDR has joined #openstack-keystone06:05
openstackgerritwanghong proposed openstack/keystone: remove the Conf.signing.token_format option support
*** r-daneel has quit IRC06:25
*** LinstatSDR has quit IRC06:46
*** ajayaa has joined #openstack-keystone06:57
*** rushiagr_away is now known as rushiagr06:58
*** zz_avozza is now known as avozza07:00
*** henrynash has joined #openstack-keystone07:02
*** ChanServ sets mode: +v henrynash07:02
*** avozza is now known as zz_avozza07:10
openstackgerritwanghong proposed openstack/keystone: let endpoint policy delete api return 404 if not found
openstackgerritMerged openstack/keystonemiddleware: Fix environ keys missing HTTP_ prefix
*** jamielennox is now known as jamielennox|away07:56
*** zz_avozza is now known as avozza08:01
openstackgerritAbhishek Kekane proposed openstack/keystone: Eventlet green threads not released back to pool
*** chlong has quit IRC08:10
*** avozza is now known as zz_avozza08:15
*** links has joined #openstack-keystone08:35
openstackgerritMarek Denis proposed openstack/keystone-specs: Service Provider for K2K
*** henrynash has quit IRC08:37
*** afazekas has joined #openstack-keystone08:39
*** ajayaa has quit IRC08:43
*** henrynash has joined #openstack-keystone08:47
*** ChanServ sets mode: +v henrynash08:47
*** henrynash has quit IRC08:49
openstackgerritMarek Denis proposed openstack/python-keystoneclient: Standardize token scoping workflow.
*** jaosorior has joined #openstack-keystone08:58
*** ajayaa has joined #openstack-keystone09:09
*** zz_avozza is now known as avozza09:18
*** bdossant has joined #openstack-keystone09:25
openstackgerritMarek Denis proposed openstack/keystone-specs: Specify default values for identity providers.
*** jistr has joined #openstack-keystone09:58
*** amakarov_away is now known as amakarov10:07
*** nellysmitt has joined #openstack-keystone10:49
*** henrynash has joined #openstack-keystone10:52
*** ChanServ sets mode: +v henrynash10:52
*** pcaruana has joined #openstack-keystone10:59
*** avozza is now known as zz_avozza11:20
*** andreaf has joined #openstack-keystone11:24
*** samuelms has quit IRC11:31
*** david-lyle has joined #openstack-keystone11:32
*** lsmola_ has quit IRC11:32
openstackgerritMarek Denis proposed openstack/keystone: Identify groups by name/domain in mapping rules.
*** zz_avozza is now known as avozza11:37
*** chlong has joined #openstack-keystone11:41
*** chlong has quit IRC11:47
*** chlong has joined #openstack-keystone11:47
*** andreaf has quit IRC11:56
*** avozza is now known as zz_avozza11:59
*** samueldmq has joined #openstack-keystone12:04
samueldmqmorning :)12:04
samueldmqhenrynash, ping - need to talk about inherited roles api12:04
henrynashsamueldmq: ok...12:05
samueldmqhenrynash, hi :)12:07
samueldmqhenrynash, it should be a quick discussion12:07
henrynashfamous last words12:07
samueldmqso the api tell us inheritance info should be : "OS-INHERIT:inherited_to": ["projects"]12:08
samueldmqas a list, but we don't have this implemented12:08
samueldmqso the api is inconsistent, technically the code is wrong (because it should follow the api)12:08
samueldmqI propose to fix the api12:09
henrynashI’m trying to remember whether it is a mistake that the api has it as a list…12:10
*** EmilienM|afk is now known as EmilienM12:10
henrynashor whether there was a reason :-)12:10
samueldmqhaha, yep12:10
henrynashI *think* it was to keep some people happy…there was at least one person who wanted to be able to direct inheritance..i.e.:12:12
samueldmqalso applied to the domain itself :12:12
*** andreaf has joined #openstack-keystone12:12
henrynash"OS-INHERIT:inherited_to": ["project_id”: ABC, “project_id”: XYZ]12:12
henrynashand “projects” was shorthand for “all the projects in the domain”12:13
henrynashI think that’s pretty scary….and if people really did use that kind of “directed” inheritance, you’d pretty soon lose track of what was inherited to what12:14
samueldmqso it could be inherited to only a branch of the tree (now with hierarchical projs)12:15
samueldmqso let's remove that, before people getting confused12:15
samueldmqsince the weird person who requested that probably is not here anymore lol12:15
henrynash(it’s coming back to me now!)….we had a long argument about whether inheritance by “tree” was the right solution12:15
samueldmqkidding, but I think we have good reasons to not keep that `12:15
samueldmqshould we add a point to tomorrow's meeting and then agree this all together?12:16
henrynashthis is also the reason why it isn’t just a boolean (which is what my original spec said)…i.e. “inherited_to_projects”: Ture12:17
henrynash(True, even)12:17
samueldmqhmm, so you thought it should be as actually I think it should12:17
samueldmqinherited = True12:17
henrynashyes, that’s how I originally had planned it…but the debate was quite heated :-)12:18
*** zz_avozza is now known as avozza12:18
samueldmqnot even inherited_to_projects, because it cannot be inherited by other thing than projects12:18
henrynashwell…but let’s think about this….now that we have a tree of projects…and maybe “projects with domain-ness”, might we want more than a boolean?12:19
henrynashmight you want to say (I’m making this up for now):12:19
henrynash"OS-INHERIT:inherited_to": ["projects_but_don’t_cross_a_domain_boundary”12:20
henrynashI think, actually, we don’t want this to be defined by the assignment, but by the domain boundary itself….I think...12:21
henrynashso that’s probably a red herring12:21
henrynashI guess maybe, possibly: "OS-INHERIT:inherited_to": "projects_but_only_immediate_descendants”12:22
samueldmqand it should be the most used option, crossing domain boundaries should be only allow to cloud_admin I think12:22
samueldmqif not immediate descendants, put the rule in the child projects, and not in the parent12:22
henrynashbut if we really wanted that flexibility….maybe that should be defined by the projects12:22
henrynashyep, agreed12:23
henrynashso I think we really saying that we think we just want to effectively have:  “inherited”: True/False12:23
samueldmqinstead of making possible to define any type of inheritance config12:24
samueldmqmaybe we could add a mechanism to stop inheritance at some project level12:24
henrynashor if we wanted to be pedantic, we might say: “assign_to_descendants”: True/False12:24
samueldmqsuppose you have a private 'project', and you dont want inherited roles to be applied there12:25
henrynashbut it may be too late to drop the inheritance word12:25
samueldmqyep, I agree ... inherited may hurt UX I think12:25
samueldmqI had a discussion with dstanek about that a day12:25
samueldmqinherited normally is something that is applied to the parent and children ..12:26
henrynashyeah, I think we might want that blocking power…but would that mean the “inheritance” stops at that point…or can it hop over that project and go on down to the descendants…(that sounds too complicated)12:26
samueldmqthe first I think12:27
samueldmqwe should have private trees I think12:27
samueldmqthat's what I meant12:27
samueldmqyou're the manager everywhere (but that room there you cant enter) shh12:27
henrynashyep, agreed12:28
samueldmqI think we can change almost everything (having care on this, sure) on inheritance api12:28
samueldmqsince it's still (not for long time) experimental12:28
samueldmqit's an extension12:28
samueldmqand will probably become stable with the new classification (in-tree, etc)12:28
samueldmqalso, there shouldn't be a lot of people using it so far12:29
*** esmute has quit IRC12:29
*** esmute has joined #openstack-keystone12:32
henrynashlet’s discuss at the meeting tomorrow12:34
henrynashspeak to you later12:34
samueldmqk, thanks12:34
*** dims has joined #openstack-keystone12:35
*** diegows has joined #openstack-keystone12:39
*** esmute has quit IRC12:45
*** lsmola has joined #openstack-keystone12:46
*** esmute has joined #openstack-keystone12:48
*** chlong has quit IRC12:55
*** rushiagr is now known as rushiagr_away12:56
*** radez_g0n3 is now known as radez13:03
*** dims has quit IRC13:14
samueldmqsomeone up there? would like to talk about token revocation :)13:17
*** dims__ has joined #openstack-keystone13:18
samueldmqdstanek, ping ^13:18
dstaneksamueldmq: howdy13:18
samueldmqdstanek, had to translate that, had never received this greeting :-)13:19
marekdrodrigods: vsilva: hi. are you planning to touch this in the nearest future? Otherwise I'd be happy to do it.13:19
samueldmqdstanek, howdy !13:19
marekdsamueldmq: TX style13:19
dstaneksamueldmq: :-)13:19
samueldmqmarekd, yep (:13:19
*** abhirc has joined #openstack-keystone13:20
samueldmqdstanek, so what's needed to issue tokens? role assignments, right?13:20
samueldmqdstanek, so I think token revocations should always be triggered by role assignments removal13:22
samueldmqdstanek, then we could have a better control over that13:22
samueldmqdstanek, I mean, when you delete a domain, it triggers role assignments deletion (associated to that domain, and then there (role assignments deletion) we should revoke tokens13:23
dstaneksamueldmq: i think i would agree - but that could also be over reaching13:23
openstackgerritAlexander Makarov proposed openstack/keystone: Trust redelegation
dstaneksamueldmq: do we not revoke tokens in that specific case?13:23
samueldmqdstanek, I think so, was just an example13:23
samueldmqdstanek, I'm talking about new way to organize code, would be clearer IMO13:24
samueldmqdstanek, the feature is ok as it is, I think13:24
dstaneksamueldmq: ok, just getting back into the swing of things13:32
*** rushiagr_away is now known as rushiagr13:33
openstackgerritAlexander Makarov proposed openstack/keystone: Assignment sql backend create_grant refactoring
marekddstanek: hi.13:35
marekddstanek: what's the current status on that: ready for review?13:35
marekddstanek: need some help on that?13:35
samueldmqdstanek, k, thanks13:40
*** avozza is now known as zz_avozza13:41
dstanekmarekd: yeah, can probably start reviewing - have you tried it out?13:43
marekddstanek: not yet.13:43
*** gordc has joined #openstack-keystone13:45
*** jjulien has quit IRC13:46
dstanekmarekd: i have to see if it still works :-)13:47
*** bknudson has quit IRC13:51
amakarovsamueldmq, hi! I need an advice about
samueldmqamakarov, sure, will be glad if I can help13:55
amakarovsamueldmq, there are actually 2 bugs fixed by this patch13:56
amakarovso gerrit didn't pick it up as a fix for 1 of those13:57
samueldmqamakarov, yep13:57
samueldmqamakarov, and I saw lbragstad created a test to expose one of these bugs, didnt he?13:57
amakarovit lead to that patch of lbragstad that confused you as I noticed13:57
amakarovsamueldmq, exactly13:58
amakarovI'm not sure what to do in such cases13:58
*** KnightLord has joined #openstack-keystone13:58
samueldmqamakarov, what I proposed was: lbragstad could keep his patch as it was creating a test to expose the bug13:58
amakarovAsk Lance about abandoning his patch or just ignore it13:58
samueldmqamakarov, he could also add another test to expose the second bug13:59
samueldmqamakarov, let's say they're for ensure the bugs do occur, right?13:59
amakarovsamueldmq, I agree, but there is a test exposing this bug already :)13:59
samueldmqamakarov, so in a follow on patch (depending on that one that propose the new tests) you fix the bug and tests14:00
amakarovactually, it's a test posted by me, then by Lance, than modified by me ))14:00
samueldmqamakarov, is there? you have a link?14:00
amakarovsamueldmq, 1 sec, doublechecking...14:00
samueldmqamakarov, k14:01
amakarovit's a positive variant of,cm14:01
amakarovsamueldmq, so I say that test in Lance's patch is a prior version of test in my fix )14:03
samueldmqamakarov, checking14:03
samueldmqamakarov, yep, that's why I would suggest you to rebase on his patch14:05
samueldmqamakarov, his patch A introduces a test to show what's wrong14:05
samueldmqamakarov, your patch B get his code, fix the bug and fix his test to show with that test the system is working properly14:05
samueldmqamakarov, is that clear? have you already submitted any patches with dependency?14:06
amakarovsamueldmq, not exactly: I can't propose a test that fails14:08
samueldmqamakarov, exactly, so the test proposed is the one lbragstad is proposing14:08
samueldmqamakarov, the test passes, but the behavior is wrong14:08
amakarovsamueldmq, test in my patch is an inversion of its initial version14:08
samueldmqamakarov, you then get his code (as depending on his patch), fix the code and the test, because the test as it is won't pass anymore14:09
samueldmqamakarov, because you've fixed that14:09
samueldmqamakarov, need to go afk for a bit, will be back soon14:10
amakarovsamueldmq, I don't see a purpose of this process: I have a fix, a test for it, what else?14:10
*** Kazazi has joined #openstack-keystone14:14
*** nkinder has quit IRC14:15
amakarovsamueldmq, in fact all you described is already done, I really can't understand what do you want me to do :) Do you want to see intact test provided with the bug (Lance's patch)? It will duplicate provided one...14:16
openstackgerritMarcos Fermín Lobo proposed openstack/python-keystoneclient: Attributes required using token for auth
openstackgerritDavid Stanek proposed openstack/keystone: Fixes a type check to make it work in Python 3
openstackgerritDavid Stanek proposed openstack/keystone: Updates Python3 requirements
openstackgerritDavid Stanek proposed openstack/keystone: Mocks out the memcache library for tests
openstackgerritDavid Stanek proposed openstack/keystone: Adds a fork of python-ldap for Py3 testing
dstaneksamueldmq: all rebased! and thanks for the reviews14:22
samueldmqamakarov, it was just a way to not discard lbragstad's patch, we could then keep both in a valid way14:25
samueldmqdstanek, you're welcome :)14:26
samueldmqdstanek, will review again14:26
amakarovsamueldmq, I see your point, but are you sure we do need them both?14:31
samueldmqhenrynash, added a point to the meeting's main agenda14:33
samueldmqamakarov, we can do it or not,  I just think you and lbragstad should agree on that14:34
samueldmqamakarov, if we keep just your patch, his one needs to be abandoned14:34
samueldmqamakarov, keeping both makes reviewing process worse, makes sense?14:35
*** bdossant_ has joined #openstack-keystone14:35
*** bdossant_ has quit IRC14:35
*** bdossant has quit IRC14:35
henrynashayoung: if you are around, are you OK with re-adding your +2 to
*** joesavak has joined #openstack-keystone14:39
*** samueldmq is now known as samueldmq-away14:41
*** bknudson has joined #openstack-keystone14:45
*** ChanServ sets mode: +v bknudson14:45
rodrigodsmarekd, we are... but not sure when (coming back from vacation today), still going through the pendent reviews list14:49
rodrigodsmarekd, but if you could help with it, we'd appreciate that14:50
marekdrodrigods: OK!14:50
*** mattfarina has joined #openstack-keystone14:51
*** MasterPiece has joined #openstack-keystone14:53
*** mattfarina has quit IRC14:54
openstackgerritDavid Stanek proposed openstack/keystone: Make the default cache time more explicit in code
*** mattfarina has joined #openstack-keystone14:56
dstanekmorganfainberg: i just rebased ; I forgot that is the one i started, but that you had taken over14:56
*** fifieldt__ has joined #openstack-keystone15:00
marekdmorganfainberg: addressed your concerns (and added two sub questions).15:01
MasterPieceKazazi, What is exactly your problem with its definition ? use some paste service like in order to paste multiple lines :)15:02
*** fifieldt_ has quit IRC15:02
*** abhirc has quit IRC15:03
*** nkinder has joined #openstack-keystone15:05
*** jsavak has joined #openstack-keystone15:06
KazaziMasterPiece, Thanks for the reply, when i insert the command of (# keystone tenant-create --name=admin --description="Admin Tenant") at keystone installation, it gives me the error of : keystone unable to establish connection to http://locahost:, im using the official manual and my controller node is on a virtual machine ubuntu 14.0415:07
MasterPieceKazazi, Please use when you wanna tell the commands and output in IRC and to others :)15:08
*** joesavak has quit IRC15:10
*** ajayaa has quit IRC15:10
MasterPieceKazazi, ok, do you checked your keystone configurations again? Seems you have some problem in "locahost" word , this word should be "localhost"15:12
Kazazithe commands i insert and the error i get is
MasterPieceKazazi, Please paste the entire process of the following command :15:12
MasterPiece$ nc localhost 35357 -vz15:12
MasterPiece$ netstat -antlp15:13
KazaziMasterPiece, sorry its localhost15:13
*** mflobo has quit IRC15:14
*** richm has joined #openstack-keystone15:15
MasterPieceok, give me your keystone.conf file ( use ubuntu paste services )15:16
*** mflobo has joined #openstack-keystone15:16
openstackgerritDavid Stanek proposed openstack/keystone: WiP: Script to sync oslo
*** Kazazi has quit IRC15:20
KnightLordMasterPiece, (i even tried controller, instead of localhost which refers to controller node and i can ping it from other nodes)15:25
openstackgerritAlexander Makarov proposed openstack/keystone: LDAP additional attribute mappings description
*** KnightLord has quit IRC15:29
*** MasterPiece has quit IRC15:29
openstackgerritBoris Bobrov proposed openstack/keystone: Fix incorrect session usage in tests
openstackgerritBoris Bobrov proposed openstack/keystone: Fix migration 42 downgrade
openstackgerritBoris Bobrov proposed openstack/keystone: Fix transaction issue in migration 44 downgrade
openstackgerrithenry-nash proposed openstack/keystone-specs: Enable the storing of domain specific configuration in SQL.
amakarovlbragstad, hi! Can we discuss what to do with this duplication: and ?15:37
lbragstadamakarov: o/15:37
openstackgerritBoris Bobrov proposed openstack/keystone: Fix downgrade test for migration 61 on non-sqlite
amakarovlbragstad, am I to rebase my patch somehow, or you just abandon yours?15:38
amakarovlbragstad, there is a confusion already among our reviewers :)15:38
lbragstadamakarov: let me look through yours quick. My patch is pretty trivial, and could be rolled in somewhere else if needed.15:39
amakarovlbragstad, it's a copy of test case provided along with the bug:
uvirtbotLaunchpad bug 1401926 in keystone "Role revocation invalidates tokens on all user projects" [Medium,In progress]15:41
openstackgerrithenry-nash proposed openstack/keystone-specs: Enable the storing of domain specific configuration in SQL.
amakarovlbragstad, it's included in my patch in positive form15:41
openstackgerrithenry-nash proposed openstack/keystone-specs: Enable the storing of domain specific configuration in SQL.
*** abhirc has joined #openstack-keystone15:46
*** bernardo-silva has joined #openstack-keystone15:47
henrynashstevemar, ayoung, morganfainberg: looking to try and kick in the first of the assignment split patches:
*** zzzeek has joined #openstack-keystone15:58
*** LinstatSDR has joined #openstack-keystone16:05
henrynashsamueldmq: ping16:11
*** chrisshattuck has joined #openstack-keystone16:11
marekdmorganfainberg: henrynash can you take a look at: and line ~136ish (and my comment) ? Thanks,16:13
*** ajayaa has joined #openstack-keystone16:14
marekdhenrynash: thanks.16:14
*** stevemar has joined #openstack-keystone16:15
*** ChanServ sets mode: +v stevemar16:15
openstackgerritMarco Fargetta proposed openstack/keystone: Multiple IdP authentication URL
*** samueldmq-away is now known as samueldmq16:17
samueldmqlbragstad, amakarov ping16:19
amakarovsamueldmq, pong16:19
samueldmqamakarov, is lbragstad somewhere? :)16:20
samueldmqamakarov, just saw you were talking about those patches16:20
openstackgerrithenry-nash proposed openstack/keystone-specs: Remove old-style role metadata structures from assignment.
samueldmqhenrynash, pong16:20
amakarovsamueldmq, last time he said he'll look into16:20
samueldmqamakarov, k16:20
samueldmqamakarov, nice16:21
*** ajayaa has quit IRC16:21
henrynashsamueldmq: is there a blueprint/spec for the filter performance improvements to list role assignments?16:21
samueldmqhenrynash, not yet16:21
samueldmqhenrynash, oh, I need to go back to this and send a 'final' version this week16:22
samueldmqhenrynash, it's already taking too long16:22
henrynashsamueldmq: I think we need one…I’m happy to write it up if needs be….I need that code for this too:
*** ayoung has joined #openstack-keystone16:23
*** ChanServ sets mode: +v ayoung16:23
samueldmqhenrynash, I can write it right now if you haven't start yet :)16:24
henrynashoops, sorry16:24
*** LinstatSDR has quit IRC16:24
henrynashsamueldmq: no, haven’t started it16:24
samueldmqhenrynash, nice, can I? never wrote a bp/spec (just an api change)16:25
samueldmqhenrynash, I'll do it right now, and add you as reviewer16:25
samueldmqhenrynash, works for you?16:25
henrynashsamueldmq: sure.   I think we have to improve that performance…so let’s get that one on the table so we can get it approved before m2 (feel free to copy the format of since they are pretty similar scope of change)16:26
samueldmqhenrynash, yep sure16:26
samueldmqhenrynash, I'm putting that patch in my first priority, after bp/spec16:27
henrynashsamueldmq: great16:27
samueldmqhenrynash, I think it took so long because of the role split/hierarchical multitenancy stuff, etc16:28
samueldmqhenrynash, and that changed each time, sorry for delaying16:28
henrynashsamueldmq: no worries16:28
* samueldmq is busy now, working on serious stuff :-)16:28
*** rushiagr is now known as rushiagr_away16:29
amakarovbknudson, greetings! Would you please review ? I've made suggested corrections there16:32
*** blinky_ghost has joined #openstack-keystone16:33
bknudsonayoung: you around? discussion of oslo.policy graduation during oslo meeting.16:34
blinky_ghosthi all, can anybody explain me this error: DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. ??16:34
ayoungbknudson, I'm here.  Where's the discussion?16:34
henrynashsamueldmq: I think you slipped that into your barbican mindset :-)16:34
bknudson#openstack-meeting-alt is the oslo meeting.16:35
ayoungsamueldmq, that is  #openstack-meeting-alt16:35
henrynashsamueldmq: …and let’s put that on the list for tomorrow’s meeting as a candidate for “blueprint that doesn’t need a spec”...16:35
samueldmqayoung, shh :-)16:35
samueldmqhenrynash, done16:39
lbragstadamakarov: I have a couple comments here
*** samueldmq has quit IRC16:39
*** samueldmq has joined #openstack-keystone16:39
lbragstadbut I'd be fine with abandoning my patch that exposes the bug since you're covering that case16:39
henrynashsamueldmq: …you still need to put the blueprint in the keystone bucket, not the barbican bucket, however :-)16:40
samueldmqhenrynash, oh .. sure, just a sec16:40
*** ajayaa has joined #openstack-keystone16:41
lbragstadamakarov: samueldmq had a comment here about including a test (and logic?) for users as well
amakarovlbragstad, looking16:41
*** nkinder has quit IRC16:41
*** dhellmann has quit IRC16:42
*** dhellmann has joined #openstack-keystone16:42
ayoungbknudson, what does it mean that dhellman has quit the Oslo meeting?  He doesn't like me any more?16:42
amakarovlbragstad, understood. I need a pair of minutes16:43
lbragstadamakarov: I'm good with abandoning my review. I'll abandon with a link to yours and we'll continue iterating over what you have16:44
lbragstadcc samueldmq ^16:44
amakarovlbragstad, ++16:44
samueldmqlbragstad, ack, I had proposed that he could add his patch as dependency of yours16:45
samueldmqlbragstad, but both approaches work for me16:45
samueldmqlbragstad, just needed to make sure we synchronize things, to clear review process  :)16:45
samueldmqlbragstad, thx16:45
lbragstadsamueldmq: amakarov no problem, let's continue iterating over amakarov's change16:46
samueldmqlbragstad, ++16:46
samueldmqhenrynash, I updated KeystoneMeeting as well16:47
samueldmqhenrynash, wait, first you said I could base my spec on yours ( )16:48
samueldmqhenrynash, and after that we needed to add it to the “blueprint that doesn’t need a spec” section16:48
morganfainbergmarekd: looking at the comment you referenced.16:51
morganfainberghenrynash: looking at the review soon.16:51
*** r-daneel has joined #openstack-keystone16:52
*** _cjones_ has joined #openstack-keystone16:53
openstackgerritAlexander Makarov proposed openstack/keystone: Group role revocation invalidates all user tokens
*** nkinder has joined #openstack-keystone16:55
*** ajayaa has quit IRC16:55
*** ajayaa has joined #openstack-keystone16:56
amakarovlbragstad, I'm done with the patch16:58
lbragstadamakarov: cool, I'll add it back to my queue16:58
*** vozcelik has joined #openstack-keystone16:58
samueldmqamakarov, lbragstad ++ :)16:58
*** LinstatSDR has joined #openstack-keystone17:01
*** mikedillion has joined #openstack-keystone17:02
*** zz_avozza is now known as avozza17:02
*** mikedillion has quit IRC17:06
*** rwsu has joined #openstack-keystone17:09
*** rwsu has quit IRC17:09
*** esp has joined #openstack-keystone17:09
*** vozcelik has left #openstack-keystone17:10
*** esp has left #openstack-keystone17:10
openstackgerrithenry-nash proposed openstack/keystone-specs: Remove old-style role metadata structures from assignment.
*** esp has joined #openstack-keystone17:11
morganfainberghenrynash, +++++++++ on that ^^17:13
henrynashmorganfainberg: :-)17:14
*** nkinder has quit IRC17:14
morganfainberghenrynash, i expect ldap assignment to die next week17:14
morganfainberghenrynash, btw17:14
*** tellesnobrega has quit IRC17:15
henrynashmorganfainberg: oh, I’ll do a special ant-ldap voodoo dance to help it on its way….17:16
morganfainberghenrynash, right?! :)17:16
samueldmqhenrynash, morganfainberg lol17:18
samueldmqjust fell off my chair laughing17:18
morganfainberghenrynash, success17:18
morganfainbergayoung, we need to create an LP project for oslo.policy (or have oslo guys do so)17:19
ayoungmorganfainberg, done17:19
morganfainbergayoung, hm.17:19
morganfainbergoh haha17:19
morganfainbergi see it17:19
morganfainbergi was on the wrong page17:19
morganfainbergwas on the bug tracker :P17:19
ayoungmorganfainberg, I created a group, was just seeding it17:20
morganfainbergpunting the oslo rule thing from keystone over to oslo.policy bugs17:20
morganfainbergthe bug i've left open until we had a real place for it17:20
samueldmqmorganfainberg, that bug regarding rules order evaluation ?17:20
*** ajayaa has quit IRC17:20
ayoungAdded Flavio since he's currently policy maintainer17:21
ayoungmorganfainberg, who else?17:21
morganfainbergbknudson, if he wants.17:22
ayoungNot giving him a choice17:22
morganfainbergprobably stevemar (ping) and possibly dstanek (ping)17:22
henrynashayoung: any chance….you could re-apply your +2 to: (a few minor cleanups from review comments on last version)17:23
ayounghenrynash, looking.17:23
bknudsonayoung: I've looked through the code before and am somewhat familiar with it, so I don't mind being core reviewer there.17:23
dstanekmorganfainberg: pong17:24
ayounghenrynash, done17:25
ayoungdstanek, want to be a reviewer on oslo.policy?17:25
henrynashayoung: thx, sir17:25
stevemarmorganfainberg, pong17:25
morganfainbergayoung, added 1.x.x series for oslo.policy17:25
samueldmqayoung, should rodrigods be core or even added as part of other group?17:26
morganfainbergstevemar, ^ are you interested in oslo.policy core?17:26
dstanekayoung: shore - i don't mind17:26
* stevemar checks to make sure there are only 5 new reviews per month...17:26
*** pcaruana is now known as pcaruana|off|17:27
stevemarmorganfainberg, ayoung same answer as dstanek "shore"17:27
samueldmqdstanek, is that part of your tx vocabulary? (as howdy)17:27
ayoungsamueldmq, Not yet.  Want to populate with current cores.17:27
*** rwsu has joined #openstack-keystone17:27
samueldmqayoung, ++17:28
dstaneksamueldmq: no, i'm not from tx :-)17:28
ayoungWas expecting it to be specifically a Keystone/Oslo joint venture. Want to know who is willing to opt in first17:28
samueldmqdstanek, lol but speak as them ? :p17:28
morganfainbergayoung, also seeded the milestone for 1.0.0 for the first release when we're ready17:28
dstaneksamueldmq: i've been doing my best17:29
dstaneksamueldmq: if i start calling y'all partner then we're all in trouble17:29
*** nkinder has joined #openstack-keystone17:29
samueldmqdstanek, haha o/17:30
*** afazekas has quit IRC17:35
morganfainbergmarekd, stevemar, ping - Federation - lets move it from extension -> stable as per
stevemari'm down with that17:37
openstackgerrithenry-nash proposed openstack/keystone-specs: Remove old-style role metadata structures from assignment.
morganfainbergayoung, lets plan to get revoke from extension to stable (same as above)^17:38
morganfainberghenrynash, os-inherit -> stable :)17:38
morganfainbergayoung, trusts -> stable :)17:38
* ayoung was saying Yes for Federation, but even more so for events17:38
stevemarit's all downs and such, not actually moving the code base17:38
*** abhirc has quit IRC17:38
morganfainbergit's mostly docs and minor adjustments17:38
stevemar... i think17:38
*** links has quit IRC17:38
morganfainbergideally we should move things out of contrib as we can, but no rush on that17:39
stevemaryeah, agreed17:39
ayoungmorganfainberg, I would love to have had a "modules" section in the code base, and then each of the top level APIs would go into "modules"17:39
*** abhirc has joined #openstack-keystone17:39
morganfainbergayoung, toss that on the meeting for tomorrow?17:39
morganfainbergayoung, thats probably a good concept to go with.17:39
ayoungI almost did that back during the restructuring *myumbe;le* years ago17:39
samueldmqayoung, ++17:39
*** abhirc has quit IRC17:40
henrynashmorganfainberg: only thing on os-inherit might be that for sure the original domain->project inheritance should be stable….one might question the project->project newer stuff…but not sure we can easily distinguish in terms of responding in JSON home etc.17:40
morganfainberghenrynash, this is where we need to do work.17:40
henrynash(i.e. ideally the newer project->project would be in-tree experimental)17:40
morganfainberghenrynash, some things are easy some are not.17:40
morganfainbergwhen doing the conversion to the new classifiers17:40
morganfainbergstevemar, oauth1 also i think is "Stable" these days.17:41
samueldmqhenrynash, ++ agree17:41
morganfainberghenrynash, ++17:41
*** amakarov is now known as amakarov_away17:41
*** henrynash has quit IRC17:42
morganfainbergrodrigods, re: the way this all works, the reseller bits will be experimental (HMT) for Kilo - so plan for documentation to match.17:42
morganfainbergrodrigods, i'd ping raildo as well but he's not here in channel at the moment17:42
morganfainbergonce we're happy with it, we can make it stable in L cycle.17:43
morganfainbergbah henrynash dropped off17:43
morganfainbergreally need to convince him to get a bouncer17:43
*** gyee has joined #openstack-keystone17:44
*** ChanServ sets mode: +v gyee17:44
morganfainberggyee, ping17:44
morganfainberggyee, endpoint_filter needs some minor adjustments to be moved from extension -> stable
morganfainberggyee, notably, it should be defaulted on and the catalog drivers should be merged.17:44
morganfainberggyee, mind taking that on?17:44
morganfainbergplus doc changes.17:45
openstackgerritayoung proposed openstack/keystone-specs: Visual Page for WebSSO
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Refactor role assignment assertions
morganfainbergayoung, the spec name scares me.17:48
morganfainbergayoung, ;)17:48
ayoungmorganfainberg, Visual?17:48
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Improve creation of expected role assignments
ayoungThat is the biggest aspect of it17:48
morganfainbergayoung, haha yeah. i know what you're going for though17:48
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Refactor check of targets and actors on RoleV3
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Check for invalid filtering on v3/role_assignments
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Improve List Role Assignment Tests
morganfainbergok i need coffee.17:49
ayoungmorganfainberg, I'm trying to figure out if we could somehow get Horizon to handle the visuals without compromising security17:49
morganfainbergi also would be much better off not being 3-hrs off from most people who work on keystone.17:49
gyeemorganfainberg, sure I'll work on it17:49
morganfainbergayoung, ++ i would like that a lot17:49
morganfainbergayoung, but i know we weren't sure about it17:49
ayoungmorganfainberg, and without creating yet another service....17:50
morganfainberggyee, thanks.17:50
gyeemorganfainberg, I think Robert is working on endpoint enforcement middleware17:50
gyeebut I'll double check with him so I don't step on his toe17:50
morganfainberggyee, shouldn't be too much craziness to get the filtering stuff merged together17:50
gyeeyeah, pretty straight forward17:50
morganfainbergi think it's just making sure it's in the pipeline and moving the catalog driver (replace the non-filtering one with the filtering one) and change some docs17:51
morganfainbergayoung, i'm guessing simple-cert should be *cringe* stable17:51
gyeeeasy peasy :)17:52
*** bernardo-silva has quit IRC17:53
ayoungmorganfainberg, yes.17:54
*** ayoung is now known as ayoung-lunch17:54
*** tellesnobrega has joined #openstack-keystone18:00
*** jistr has quit IRC18:03
stevemarmorganfainberg, your comment here:
stevemarcan you explain that a bit more? you mean you'd omit 'disabled' SPs or all SPs18:07
stevemarfrom the service catalog18:07
*** abhirc has joined #openstack-keystone18:07
rodrigodsmorganfainberg, ok, will take a look18:10
rodrigodsayoung-lunch, do we have an official repo?18:10
morganfainbergstevemar, just disabled18:10
openstackgerritDolph Mathews proposed openstack/keystone: Additional test coverage for password changes
morganfainbergstevemar, it also would allow us to omit "enabled" field from the sC18:11
*** abhirc has quit IRC18:16
morganfainbergstevemar, i dont see a benefit to including "disabled" SPs in the catalog18:17
stevemarmorganfainberg, no no, you have a point18:17
stevemarmorganfainberg, just wondering what else the spec needs in order to be pushed through18:17
bknudsonis the S3Token middleware unmaintained?
morganfainbergthat plus the other things marekd already fixed i think was all i saw18:17
morganfainbergbknudson, we have a bug to add tests but it was unmaintained before18:18
morganfainbergbknudson, some people are using it... i think.18:18
morganfainbergwhich scares me a little18:18
bknudsonthe only thing that looks off is use of v2.0-only:'%s/v2.0/s3tokens'18:19
bknudsonI thought maybe we had to add auth plugin support but doesn't get a token18:20
bknudsonat some point we'll want to deprecate / remove v2.0/s3tokens so then we'll have to make a decision.18:21
morganfainbergbknudson, well i'd like to make anything v2.0 go away *very* soon18:29
morganfainbergstevemar, marekd, ping18:30
morganfainbergstevemar, marekd, have a question re: federation18:30
morganfainbergstevemar, marekd, specifically around k2k. as in - what is the minimum requirement for a SP to consume the k2k identity? Juno? Icehouse?18:30
morganfainbergstevemar, marekd, Kilo? assuming that the IDP is kilo or later, that is.18:31
morganfainberghogepodge, ping - have a question for you, will send pm18:31
*** henrynash has joined #openstack-keystone18:32
*** ChanServ sets mode: +v henrynash18:32
stevemarmorganfainberg, icehouse is the minimum to act as an idp, juno is the minimum to act as an sp18:33
gyeemorganfainberg, stevemar, marekd, I would like to see ECP wrap as part of keystone IdP API instead of external18:33
stevemargyee, agreed18:34
morganfainbergstevemar, i'd say Kilo is minimum to act as an SP, juno is minimum to play around with it18:34
morganfainbergstevemar, remember juno was experimental18:34
morganfainbergstevemar, i'm looking to set clear guidelines on minimum recommended deployments for k2k18:35
stevemarah okay18:35
stevemarthen yes18:35
stevemari thought you were talking about feasibility18:35
morganfainbergstevemar, i feel like juno might be the best "recommended" SP.18:35
morganfainbergeven though icehouse *could* do it18:35
stevemaryeah, bump each by 118:35
stevemarnkinder, you owe us docs!18:39
*** harlowja_away is now known as harlowja18:39
stevemarnkinder, i didn't forget (okay i forgot for a while, but i remembered now)18:39
stevemarnkinder, if you just point to the general location i can whip em up for ya if you're busy18:40
*** jraim_ is now known as jraim18:50
*** lhcheng has joined #openstack-keystone18:53
*** bernardo-silva has joined #openstack-keystone18:54
*** bernardo-silva has quit IRC18:58
*** harlowja has quit IRC19:00
*** harlowja has joined #openstack-keystone19:00
*** harlowja has quit IRC19:00
*** bernardo-silva has joined #openstack-keystone19:00
*** raildo has joined #openstack-keystone19:06
*** abhirc has joined #openstack-keystone19:10
*** bernardo-silva has quit IRC19:10
*** raildo has quit IRC19:11
*** abhirc has quit IRC19:16
*** hichtakk has joined #openstack-keystone19:28
*** raildo has joined #openstack-keystone19:35
openstackgerritDolph Mathews proposed openstack/keystone: Additional test coverage for password changes
raildomorganfainberg,  hey rodrigods told me that you say that HMT will be experimental for Kilo, right?19:42
raildomorganfainberg, but it's the whole implementation, including what's merged to kilo-1, or just the reseller part?19:43
morganfainbergraildo, the reseller and enhancement stuff19:44
morganfainbergraildo, but the stuff in k-1 will be considered stable19:44
*** abhirc has joined #openstack-keystone19:44
*** _cjones_ has quit IRC19:44
morganfainbergraildo, this is to be in line with
*** _cjones_ has joined #openstack-keystone19:44
morganfainbergraildo, specifically any new APIs19:44
raildomorganfainberg, ok, that was what I was thinking19:45
morganfainbergraildo, :)19:45
morganfainbergstevemar, i think we should see if we can do cool RST/sphinx things w/ the apis so we can do something like ..EXPERIMENTAL::19:45
morganfainbergstevemar, or something and have the same warning/text included for anything new19:45
raildoand i saw the deadline for the specs :)19:46
morganfainbergi can bug annegentle about that if you think it's a good idea19:46
morganfainbergraildo, yeah plenty of time still.19:46
stevemarmorganfainberg, i thought of the same thing when you first proposed the idea of fixing the docs19:46
morganfainbergstevemar, hehe :)19:46
raildomorganfainberg, yeah I think that we can approve the two specs related to HMT in time :)19:46
* morganfainberg goes back to bug triage19:47
morganfainbergneed to send an email first19:48
*** harlowja has joined #openstack-keystone19:52
openstackgerritBrant Knudson proposed openstack/keystone: Change oslo.config to oslo_config
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Change oslo.config to oslo_config
morganfainbergayoung-lunch, dolphm, bknudson, stevemar, henrynash, gyee, lbragstad, bknudson, jamielennox|away, -19:59
morganfainbergdstanek, ^19:59
openstackgerritBrant Knudson proposed openstack/keystonemiddleware: Change oslo.config to oslo_config
morganfainberg^^ that is the survey for LDAP Identity, please look it over19:59
morganfainberglet me know if any changes need to be made before i send it out19:59
bknudsonmorganfainberg: it would be good to say what the config setting is they need to check.20:01
morganfainbergbknudson, ok20:01
bknudsonyou might get more accurate results20:01
*** david-lyle has quit IRC20:02
gyeemorganfainberg, looks fine20:03
gyeebut I agree with bknudson, on the "specifics" part, it would be nice to know their config20:06
morganfainberggyee, i don't want to force them to put config values in the form. if we want to dig in - i'd rather contact them directly20:07
morganfainbergi worry about asking deployment config values as people tend to see those as private (vs. a little bit of prose about why ldap meets their deployment needs)20:07
gyeemorganfainberg, that's fine as long as we get some intel on the use cases20:08
morganfainbergthats what the other pages are for.20:08
bknudsonask what their root password is and the hostname then we can just take a look.20:08
morganfainbergbknudson, ++20:08
gyeeultimately if this result in some use cases specific documentation that would be awesome20:09
morganfainbergbknudson, it's either hunter2 or 1234520:09
bknudsoncrap, now I need to change my password20:09
morganfainbergbknudson, don't worry it's all *'s on my end20:09
bknudsonahh, now I need to change it again.20:09
gyeebest password I ever came across, 1SaysBadM0F020:10
*** chrisshattuck has quit IRC20:12
morganfainberggyee, my hope is that we're not seeing wide spread use of read/write ldap20:13
morganfainberggyee, so it can be deprecated as well as the ldap assignment20:13
gyeemorganfainberg, yeah, I am kinda curious to see how many out there use r/w ldap20:14
*** chrisshattuck has joined #openstack-keystone20:14
bknudsonmorganfainberg: you could also pose the question if they have other tools for updating LDAP... e.g., if they're using AD then they have windows tools.20:15
gyeeand which IT person they have to shoot in order to touch ldap20:16
bknudsonso you could get info on why they don't use r/w ldap -- they have other tools, they don't want to give keystone write access.20:16
morganfainbergbknudson, sure i'll add it to the read/only page20:16
morganfainbergok updated the 1st question to specify the config option20:17
morganfainbergplease 2x check / see if i need to rephrase it20:17
bknudsonand, maybe get info on why they use r/w ldap -- only reason I can think of it's convenient20:17
morganfainbergbknudson, that question is already there20:18
morganfainbergbknudson, added question to what tools they use on the R/O ldap page20:18
morganfainbergif you answer r/w you get sent to a r/w specific page20:19
morganfainbergif you answer r/o you go to a r/o specific page20:19
bknudsonmorganfainberg: the r/w setting is a different one -- e.g., user_allow_update = true20:19
morganfainbergoh you mean that.. yeah sec.20:19
bknudsonmorganfainberg: I see the tools question ... great.20:19
dstanekmorganfainberg: I'd also find it interesting to know what ldap server they use; not sure if that helps your goal20:21
*** mflobo has quit IRC20:21
morganfainbergdstanek, i think that is out of scope for this survey.20:21
morganfainberglets keep it narrow to get clear responses20:21
*** ayoung-lunch is now known as ayoung20:22
*** mflobo has joined #openstack-keystone20:23
*** jamielennox|away has quit IRC20:23
*** lbragstad has quit IRC20:23
*** serverascode has quit IRC20:23
ayoungmorganfainberg, heh, I don't know if that will actually do us any good.  I just meant to have an Identity section in the original, assignment focused survey to give people a place to answer questions about that, to avoid muddying the water.  But the outcome will be interesting to read regardless20:23
morganfainbergbknudson, i'm not going to add options to the question answers, because it *could* be that ldap server doesn't allow writes and keystone just errors vs. uses the config options20:24
morganfainbergbknudson, i clarified a little on the yes answer selection though20:24
morganfainbergayoung, i was hoping to keep the assignment deprecation information really independent of identity20:25
*** dims__ has quit IRC20:25
*** radez is now known as radez_g0n320:25
*** jaosorior has quit IRC20:25
*** boris-42 has quit IRC20:25
*** flwang has quit IRC20:25
*** rm_work has quit IRC20:25
morganfainbergayoung, because identity r/w may not be able to go away if it's really used20:25
morganfainbergbut assignment in LDAP may completely go away20:25
*** dims__ has joined #openstack-keystone20:26
*** vishy has quit IRC20:26
ayoungmorganfainberg, oh, yes.  and this is all good data.  Just that we had people answering the assignment survey that had no interest in the assignment side of they were making it an identity survey20:26
morganfainbergwe'll need to suss out the identity answers from that survey20:26
*** Guest58319 has quit IRC20:27
*** serverascode has joined #openstack-keystone20:27
morganfainbergbut i *think* based on answers we can remove it as stands.20:27
*** jraim has quit IRC20:28
*** dims__ has quit IRC20:28
*** dims__ has joined #openstack-keystone20:29
*** mgagne has joined #openstack-keystone20:29
*** lbragstad has joined #openstack-keystone20:29
*** jraim has joined #openstack-keystone20:29
*** rm_work has joined #openstack-keystone20:29
*** LinstatSDR has quit IRC20:29
*** rm_work has quit IRC20:30
*** rm_work has joined #openstack-keystone20:30
*** mgagne is now known as Guest3658020:30
*** boris-42 has joined #openstack-keystone20:30
*** flwang has joined #openstack-keystone20:30
ayoungmorganfainberg, So,  Federation and the WebUI.  If Keystone could give Horizon all of the information it needs to generate the request to the Identity provider, including some Nonce, and then Horizon could hand the SAML assertion back to Keystone,  Keystone could safely issue a token.20:30
*** jaosorior has joined #openstack-keystone20:30
ayoungI don't know how practical that is20:30
ayoungand it means that the Nonce has to be part of the request that goes to the IdP, get signed, and come back in the SAML assertion20:31
ayoungso, I think the short of it is "possible, but not worth the effort"20:31
*** jamielennox|away has joined #openstack-keystone20:32
*** jamielennox|away is now known as jamielennox20:32
*** ChanServ sets mode: +v jamielennox20:32
morganfainbergayoung, sure.20:33
*** vishy has joined #openstack-keystone20:34
*** _cjones_ has quit IRC20:35
rodrigodsayoung, fyi: pypi repo for oslo.policy is registered, but unaccessible since we don't have any packages yet20:44
morganfainbergrodrigods, did you set the maintainer as the openstack-infra [or whatever user that is]?20:45
rodrigodsmorganfainberg, yes, openstackci20:45
*** raildo has quit IRC20:49
*** nellysmitt has quit IRC20:51
*** nellysmitt has joined #openstack-keystone20:54
samueldmqso I'm getting 5 'AssertionError: There is no script for 62 version' errors20:57
samueldmqalready rebased20:57
samueldmqdeleted .venv20:57
samueldmqany idea?20:57
*** _cjones_ has joined #openstack-keystone20:57
*** david-lyle has joined #openstack-keystone20:57
dolphmsamueldmq: clear pyc files: find . -name "*.pyc" -delete20:57
dolphmsamueldmq: you probably have a pyc for migration 61 from a different branch20:58
samueldmqdolphm, and why it says There is no script for 62 version ?20:59
dolphmsamueldmq: because there's a pyc file, but when it goes to load the py directly, it doesn't exist20:59
*** radez_g0n3 is now known as radez20:59
samueldmqdolphm, so probably I was in a branch that had 62 migration, and the .pyc was generated21:00
samueldmqdolphm, and the branch I'm on doesn't have it (the .py file)21:00
dolphmsamueldmq: yes, exactly21:00
samueldmqdolphm, nice, makes sense21:01
samueldmqdolphm, tests are running21:01
dolphmsamueldmq: i nuke pyc files every time i switch branches, or check anything out of gerrit21:01
samueldmqdolphm, how to check anything out of gerrit ?21:02
dolphmsamueldmq: git-review -d <change-number>21:02
samueldmqdolphm, oh, sure :)21:03
samueldmqdolphm, tests are ok, thanks :)21:03
marekdgyee: regarding ECP - what do you mean?21:03
dolphmsamueldmq: cool, good to hear21:03
*** Guest36580 is now known as mgagne21:04
*** mgagne has joined #openstack-keystone21:04
marekdmorganfainberg: pong. (kind of late)21:05
samueldmqdolphm, does .pyc files also affect git versioning (rebases, etc)?21:06
lbragstadsamueldmq: it shouldn't
ayoungrodrigods, good enough21:07
samueldmqlbragstad, nice thanks21:07
lbragstadwe don't track them in the project21:07
dolphmsamueldmq: pyc files are excluded from version control via .gitignore, so they're not version controlled at all. they'll be left behind by any operation that removes their corresponding py files from disk21:07
samueldmqdolphm, got it, nice. thx21:08
ayounggit clean is your friend on those types of issues21:09
ayounghow do we create the openstack git repo...21:15
*** toddnni has quit IRC21:15
*** david-lyle has quit IRC21:16
*** david-ly_ has joined #openstack-keystone21:16
gyeemarekd, I mean we should have an api to return ECP content21:16
*** toddnni has joined #openstack-keystone21:16
*** chrisshattuck has quit IRC21:18
ayoungrodrigods, so where are we on the checklist?  We've done this:  right?21:19
ayoungbut not
*** toddnni has quit IRC21:25
marekdgyee: in Icehouse Federation or K2K ?21:28
gyeemarekd, K2k21:28
marekdgyee: maybe...21:28
marekdgyee: are you going to be on a meetup next week?21:29
gyeemarekd, from usability standpoint, we should provide a complete solution21:29
gyeemarekd, yes, I'll be there21:29
gyeenot sure if they let me bring whiskey though :)21:29
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Improve creation of expected role assignments
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Improve List Role Assignment Tests
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Refactor check of targets and actors on RoleV3
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Check for invalid filtering on v3/role_assignments
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Refactor role assignment assertions
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Fixes 'OS-INHERIT:inherited_to' info in tests
marekdgyee: from usability point of view we never said what we expect from the Service Provider point of view.21:32
marekdwhether we will mimic websso or ecp.21:32
samueldmqbknudson, thx for your +2 on "Fixes 'OS-INHERIT:inherited_to' info in tests"21:33
gyeemarekd, say I want to write an app to utilize K2K, I wouldn't expect to do the ECP treatment right?21:34
*** toddnni has joined #openstack-keystone21:34
gyeeI should be able to just call the keystone APIs21:34
samueldmqDaveChen, ping - could you please revisit
marekdgyee: i am hoping to clarify this next week21:35
ayoungmorganfainberg, ^^ infra changes for policy.  Please review21:35
gyeemarekd, k, sounds good21:36
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: Upgrade hacking to 0.10.0
*** _cjones_ has quit IRC21:40
*** david-ly_ has quit IRC21:40
*** david-lyle has joined #openstack-keystone21:41
morganfainbergayoung, reviewed, a couple in-line comments before it goes through21:42
ayoungmorganfainberg, thanks.  Figured there would be21:42
*** chrisshattuck has joined #openstack-keystone21:45
marekdmorganfainberg: stevemar: hi. your comments about that (around line 931) - this is an example of response after listing of registered Service Providers, this is not an example of Service Catalog.21:48
morganfainbergoh blah i mis-read that then21:48
morganfainbergmarekd, sorry!21:48
stevemarmorganfainberg, haha, i thought you might have mis-read it :)21:48
morganfainbergthis is what happens pre-coffee21:48
stevemarmarekd, can you mention that anyway? I don't think you mention the catalog listing anywhere21:49
marekdstevemar: no, i didn't.21:49
rodrigodsayoung, updated the bp with the openstack-infra review21:49
morganfainbergmarekd, ^^ that is what i think confused me21:49
*** david-lyle has quit IRC21:49
morganfainbergof course and being sans morning caffeine21:49
marekdstevemar: i will add it.21:49
stevemarmarekd, awesomeo21:49
morganfainbergmarekd, otherwise i think this looks pretty good21:49
*** david-lyle has joined #openstack-keystone21:50
marekdmorganfainberg: ok, thanks.21:50
ayoungmorganfainberg, I want the notifications in #openstack-keystone.  Keystone is pretty much going to own this, and it simplifies the discussion.  I won't see it in other channels21:50
ayoungdropped the 2.6 req21:50
morganfainbergayoung, it may also need to be in oslo21:51
morganfainbergi'd ask dhellmann about that21:51
morganfainbergi'm not opposed to it being here since a lot of us are on the core team (and it ties to keystone closely)21:51
blinky_ghosthi can anybody help me with keystone tokens?21:56
marekdmorganfainberg: stevemar: if you could take a look at this: , line 136 and add your opinion.21:56
rodrigodsblinky_ghost, you are in the right place :)21:56
*** toddnni has quit IRC21:56
marekdi'd like to have this patch review-ready by the end of the week and discuss the follow-up during the meetup.21:57
morganfainbergmarekd, done. i agree with you and henry btw, list seems better21:57
marekdmorganfainberg: stevemar: as i actually think we need multiple remote_id values per identity_provider object.21:58
ayoungmorganfainberg, I thought I put it in both?21:58
morganfainbergayoung, hm i only saw it in merges and keystone when i -1'd it21:58
ayoungnot sure why it is manilla21:59
ayoungthat looks strange, but it is where the others are21:59
*** toddnni has joined #openstack-keystone21:59
*** adriant has joined #openstack-keystone21:59
morganfainbergright but is there also openstack-oslo for some?21:59
morganfainbergmerges is fine21:59
morganfainbergkeystone is fine21:59
morganfainbergbut i think you're missing -oslo21:59
marekdmorganfainberg: do you think it deserves a separate set of APIs? Something like POST /v3/OS-FEDERATION/identity_provider/BLAH/remote_id (and remote_id value in a request body), or we should simply be able to modify identity_provider object and edit remote_ids list being a new attribute?22:00
ayoungOK..I'll add that.  Thanks.22:00
morganfainbergmarekd, hm.22:01
morganfainbergmarekd, i think it's all part of the identity provider - if we make it a separate url, my concern is we're assuming SQL-relationalisms based upon the URL structure22:02
morganfainbergmarekd, it could go either way imo22:02
ayoungtypically an ID by itself is not enough to have its own API marekd22:02
morganfainbergmarekd, but i don't want the API to back us into a SQL centric view22:02
morganfainbergunless the remote_id has lots of metadata associated with it, which doesn't seem to be the case here22:03
ayoungI would keep it as an attribute if it is only a remote_id, make it a full api if there are other attributes associated with the remote_id22:03
morganfainbergayoung, ++22:03
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Improve creation of expected role assignments
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Improve List Role Assignment Tests
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Refactor check of targets and actors on RoleV3
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Check for invalid filtering on v3/role_assignments
marekdmorganfainberg: ayoung this makes things much easier  - and yes, currently remote_id is just a string, typically a URL.22:04
marekdmorganfainberg: ayoung at some point we started with a super generic approach (let's make a framework that can handle every protocol) and somehow we must continue this patch I guess.22:05
marekdand path :)22:05
*** toddnni_ has joined #openstack-keystone22:05
*** toddnni has quit IRC22:07
*** toddnni_ is now known as toddnni22:07
blinky_ghostrodrigods: I'm having a problem about 2 days that's driving me crazy. I have an HA setup based on haproxy/keepalived with 3 keystone nodes that use mysql backend. The problem is that api requests fail randomly, specially in glance and nova. This happens mostly when I reboot one of the servers. This is the error I'm getting:
*** chrisshattuck has quit IRC22:08
*** _cjones_ has joined #openstack-keystone22:11
marekdEasy review:
marekdmorganfainberg: ayoung ^^22:11
ayoungmarekd, +A22:12
morganfainbergby seconds beat me to it ayoung22:12
openstackgerritDavid Stanek proposed openstack/keystone: Fixes a type check to make it work in Python 3
openstackgerritDavid Stanek proposed openstack/keystone: Updates Python3 requirements
openstackgerritDavid Stanek proposed openstack/keystone: Mocks out the memcache library for tests
openstackgerritDavid Stanek proposed openstack/keystone: Adds a fork of python-ldap for Py3 testing
ayoungblinky_ghost, 504 Gateway Time-out  is not Keystone itself.  Keystone does not return that value22:13
marekdrodrigods: thanks to you too :-)22:14
morganfainbergblinky_ghost, are you doing HAPRoxy to mysql or in-front of keystone?22:14
blinky_ghostayoung: I get that value when in glance and nova, I wonder if it's something related with haproxy?22:14
ayoungblinky_ghost, It sure sounds like it22:14
openstackgerritMerged openstack/keystone-specs: Specify default values for identity providers.
morganfainbergblinky_ghost, it sounds like haproxy isn't failing the node out correctly22:14
morganfainbergblinky_ghost, if it's in-front of keystone22:14
blinky_ghostmorganfainberg: Yes I use haproxy in front of keystone22:15
blinky_ghostmorganfainberg: for mysql I use mariadb galera with keepalived22:15
morganfainbergyeah sounds like haproxy isn't detecting keystone is failed out - and therefore 504 until it hits a new keystone/fails the dead one out22:15
blinky_ghostmorganfainberg: can I show you the confs ?22:15
morganfainbergblinky_ghost, sure, but i'll be honest i'd need to read up on haproxy again, haven't used it recently so not fresh in my head on what its config should look like22:16
*** toddnni has quit IRC22:17
*** toddnni has joined #openstack-keystone22:18
morganfainbergit looks sane at a glance22:18
*** stevemar has quit IRC22:18
marekdayoung: how can i actually serialize a list to a SQL (using our current code).22:19
marekdayoung: is it handled automatically now?22:19
ayoungmarekd, please don't22:19
ayoungnormalize it if it is a list.22:19
ayoungjust doesn't need its own API22:19
marekdayoung: all right.22:19
blinky_ghostmorganfainberg: what I see is that it will start working after a while22:19
morganfainbergmarekd, sql-a can load relationships easily22:19
morganfainbergblinky_ghost, what does haproxy say (log wise) when it's failing?22:20
marekdmorganfainberg: ayoung so you are ok with creating another table, relationships, but don't want to have a separate API for that.22:20
morganfainbergmarekd, yeah, that makes logical sense.22:20
marekdmorganfainberg: got it.22:20
marekdi am guessing it needs a spec as it changes how identity_provider objects look like.22:20
morganfainbergmarekd, make sure that extra table is loaded via SQL-A and the relationship, not by the manager, so that if someone wanted to say use NoSQL, it's on the NoSQL object to contain the list vs. a separate call22:21
morganfainbergif that makes sense22:21
morganfainbergget_identity_provider(id) should be the call not get_identity_provider, get_remote_ids_for_idp(idp_id)22:22
morganfainbergmarekd, yeah probably should be a spec.22:23
marekdi don't even think it'd be transactional :-)22:23
marekdtwo separate calls in a memory22:23
*** r-daneel has quit IRC22:23
morganfainbergSQL-A can just load it directly and/or split the list up automatically22:23
morganfainbergso should be really easy to write22:24
blinky_ghostmorganfainberg: I see this:
morganfainbergyeah looks like the health check isn't doing what it's supposed to then.22:25
blinky_ghostmorganfainberg: you mean in 5000 port?22:26
morganfainbergyeah. it shouldn't fail 504 is a proxy failure22:27
marekdayoung: WebSSO. So, listing a list of trusted WebUIs is doable (to avoid phishing attacks) ?22:27
marekdayoung: probably in keystone.conf for now.22:27
morganfainbergi am guessing here since i am not 100% sure of what is going on there. :(22:27
*** bknudson has quit IRC22:27
morganfainbergkeystone doesn't return a 50422:27
blinky_ghostmorganfainberg: do you have some conf I can test?22:27
ayoungmarekd, I'd like it to be a value on the IdP itself:  visible or public or something22:28
morganfainbergblinky_ghost, i do not have one at the moment. but i do know a lot of people use haproxy22:28
marekdayoung: e.g. admin needs to specify a list of trusted WebUIs where a response redirect to (with a token).22:28
ayoungblinky_ghost, maybe one of the 3 keystone servers is misconfigured, and the errors come from asking on the wrong host22:28
marekdayoung: i am not talking about IdP now.22:28
ayoungmarekd, Ah22:28
marekdayoung: I am talking about list of Horizons where I can actually initiate websso22:28
*** nellysmitt has quit IRC22:28
blinky_ghostmorganfainberg: if you could provide me I would appreciate it :)22:29
ayoungmarekd, again, let's try to keep in the DB, so we don't need to restart the server if there is a change?22:29
ayoungblinky_ghost, the fact that it sometimes works means it is likely something in the rotation that is broken22:29
morganfainbergblinky_ghost, unfortunately i don't have an haproxy config for this - or even have an environment that it would be easy to add haproxy into.22:29
*** mattfarina has quit IRC22:29
blinky_ghostayoung: you mean one of the servers is not working?22:30
morganfainbergblinky_ghost, if it is happening when you reboot a server - that tells me something is wrong with (probably?) the haproxy healthcheck22:30
ayoungsounds like it blinky_ghost22:30
morganfainbergor it's causing mysql to crap out until the server comes back in22:30
ayoungthis is all guesswork22:30
morganfainbergare you losing quorum / functionality on mysql while the server is rebooting (e.g. is the controller node *also* a mysql server? in the cluster?)22:30
blinky_ghostayoung: ok I'll remove the server from haproxy conf and test again22:31
morganfainbergthere is a lot of guesswork on what it could be.22:31
ayoungblinky_ghost, I know very little about HA proxy. Good luck22:31
blinky_ghostmorganfainberg: no, I use keepalived, when I reboot the server the VIP goes to the other node, I have a vrrp_script22:32
morganfainbergso, mysql is running on the same node as keystone?22:32
morganfainbergor is it separate hardware?22:33
morganfainbergand if it is, does mysql work on the other node while that rebooting server is down22:33
morganfainbergalso what version of oslo.db / keystone are you running22:33
blinky_ghostmorganfainberg: yes, mysql works fine, this only happens with nova and glance services22:33
morganfainbergthere was a bug in a release of oslo.db where keystone wouldn't drop connections to dead servers correctly22:34
morganfainbergoh wait, so keystone continues to work?22:34
morganfainbergjust glance and nova don22:34
morganfainberg't work?22:34
* morganfainberg is confused.22:34
blinky_ghostmorganfainberg: yes, that's right, I can access everything but nova and glance give me random errors 50422:35
morganfainbergthat sounds like an issue with nova or glance then. not keystone22:35
morganfainbergor an issue with haproxy + nova/glance22:35
blinky_ghostmorganfainberg: but I think it's something related with tokens22:35
blinky_ghostbecause when I run the glance command sometimes I get token errors22:36
morganfainbergbut not always? it sounds to me like something is problematic with your setup. i recommend removing haproxy from glance and nova and seeing what errors you get22:36
morganfainbergi'm sorry but i can only guess, the best thing you can do is eliminate the HA parts one at a time until you know what the real errors are22:37
morganfainbergnot the obscured 504s that haproxy is giving you22:37
blinky_ghostmorganfainberg: yes I guess I'll try that22:37
morganfainbergyou can also look at nova/glance logs and see if there is something to add22:37
morganfainbergsome specific issues but it might also be obscured in weird ways22:38
blinky_ghostok, I'll test that, thanks22:39
openstackgerritMerged openstack/keystonemiddleware: Adds Memcached dependencies doc
blinky_ghostmorganfainberg: another question: can I use keystone with memcached in an HA setup? I have 3 memcached services running on my controllers22:41
*** henrynash has quit IRC22:43
morganfainbergblinky_ghost, so memcached has no good HA story for deployment22:44
*** mhu has quit IRC22:44
*** mhu has joined #openstack-keystone22:44
morganfainbergblinky_ghost, you could use it, but i don't have any recommendations on best practices when it comes to using memcached like that22:44
blinky_ghostmorganfainberg: ok thanks22:46
*** raildo has joined #openstack-keystone22:48
*** _cjones_ has quit IRC22:48
*** _cjones_ has joined #openstack-keystone22:48
blinky_ghostmorganfainberg: in fact it seems to be problem with haproxy, because If I restart the haproxy service in all the controllers it will start working. I saw this:
uvirtbotLaunchpad bug 1391180 in fuel/5.1.x "Deployment of Ha nova-flat cluster failed with (/Stage[main]/Osnailyfacter::Cluster_ha/Nova_floating_range[]) Could not evaluate: Oops - not sure what happened: 757: unexpected token at '<html><body><h1>504 Gateway Time-out</h1>" [Critical,Fix released]22:51
morganfainbergblinky_ghost, ah there ya go22:51
blinky_ghostmorganfainberg: I don't use fuel, I use RDO centos 7 but that seems the issue22:52
morganfainbergit could be related22:52
*** gordc has quit IRC22:52
morganfainbergit sounds like an haproxy issue22:52
blinky_ghostmorganfainberg: thanks I'll do some more tests22:54
*** telemonster has quit IRC22:59
*** raildo has quit IRC23:01
*** lhcheng has quit IRC23:02
*** andreaf has quit IRC23:03
*** lhcheng has joined #openstack-keystone23:03
*** jsavak has quit IRC23:12
*** jaosorior has quit IRC23:13
*** blinky_ghost has quit IRC23:13
*** telemonster has joined #openstack-keystone23:13
*** dims__ has quit IRC23:14
*** nkinder has quit IRC23:14
*** raildo has joined #openstack-keystone23:14
*** dims__ has joined #openstack-keystone23:15
*** chrisshattuck has joined #openstack-keystone23:15
*** abhirc has quit IRC23:16
*** dims__ has quit IRC23:19
*** samueldmq_ has joined #openstack-keystone23:20
*** david-lyle has quit IRC23:20
*** chrisshattuck has quit IRC23:21
*** abhirc has joined #openstack-keystone23:22
*** dims__ has joined #openstack-keystone23:25
*** mattfarina has joined #openstack-keystone23:27
*** chlong has joined #openstack-keystone23:29
*** dims_ has joined #openstack-keystone23:32
*** bknudson has joined #openstack-keystone23:34
*** ChanServ sets mode: +v bknudson23:34
*** dims__ has quit IRC23:35
*** dims_ has quit IRC23:36
*** abhirc has quit IRC23:41
*** chrisshattuck has joined #openstack-keystone23:42
bknudsonoslo.utils has both tests and oslo_utils/tests -- which one should I use?23:42
*** chrisshattuck has quit IRC23:43
*** mattfarina has quit IRC23:44
*** abhirc has joined #openstack-keystone23:47
*** mattfarina has joined #openstack-keystone23:50
