Thursday, 2015-01-22

*** drjones has joined #openstack-keystone00:00
*** gordc has quit IRC00:01
*** _cjones_ has quit IRC00:01
*** _cjones_ has joined #openstack-keystone00:05
*** drjones has quit IRC00:05
*** rwsu has quit IRC00:10
*** abhirc has quit IRC00:12
*** rwsu has joined #openstack-keystone00:21
*** tellesnobrega_ has joined #openstack-keystone00:31
*** radez is now known as radez_g0n300:32
*** henrynash_ has joined #openstack-keystone00:32
*** ChanServ sets mode: +v henrynash_00:32
*** henrynash has quit IRC00:33
*** henrynash_ is now known as henrynash00:33
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Surface the user_id and project_id beyond the plugin
*** marg7175 has quit IRC00:51
*** avozza is now known as zz_avozza00:51
samueldmqhenrynash, did you talk about domain-roles during midcycle?01:01
henrynashsameldmq: so we didn’t get enough time…other than it’s for me to drive the spec a bit - and teh general idea is agreed01:01
*** Drago has quit IRC01:03
samueldmqhenrynash, k , I think we will have time for it once we get splits/refactoring merged01:04
*** Drago has joined #openstack-keystone01:04
samueldmqhenrynash, would be great to have it in addition to reseller01:05
*** jasondotstar has joined #openstack-keystone01:07
*** rushiagr_away has quit IRC01:13
*** rushiagr_away has joined #openstack-keystone01:14
henrynashsamueldmq: as an aside, I am experimenting with a data driven test approach for assignment testing….to see if that is any better than what we do now01:25
*** packet has quit IRC01:26
*** henrynash has quit IRC01:26
*** tellesnobrega_ has quit IRC01:29
*** dims__ has joined #openstack-keystone01:38
*** dims__ has quit IRC01:39
*** dims__ has joined #openstack-keystone01:40
*** dims__ has quit IRC01:48
*** dims__ has joined #openstack-keystone01:48
*** dims__ has quit IRC01:54
*** drjones has joined #openstack-keystone01:55
*** _cjones_ has quit IRC01:55
*** d0ugal has quit IRC01:55
*** d0ugal has joined #openstack-keystone01:55
*** d0ugal is now known as Guest8510401:56
*** drjones has quit IRC01:56
*** _cjones_ has joined #openstack-keystone01:56
*** tristanC_ has joined #openstack-keystone01:58
*** kragniz_ has joined #openstack-keystone01:59
*** drjones has joined #openstack-keystone01:59
*** _cjones_ has quit IRC02:00
*** arif-ali_ has joined #openstack-keystone02:01
*** drjones has quit IRC02:01
*** _cjones_ has joined #openstack-keystone02:02
*** amauryme` has joined #openstack-keystone02:05
*** tristanC has quit IRC02:06
*** arif-ali has quit IRC02:06
*** amaurymedeiros has quit IRC02:06
*** kragniz has quit IRC02:06
*** arif-ali_ is now known as arif-ali02:06
*** _cjones_ has quit IRC02:07
*** drjones has joined #openstack-keystone02:07
*** dims__ has joined #openstack-keystone02:09
*** _cjones_ has joined #openstack-keystone02:09
*** drjones has quit IRC02:10
*** zzzeek has quit IRC02:10
*** dims__ has quit IRC02:12
*** drjones has joined #openstack-keystone02:12
*** dims__ has joined #openstack-keystone02:12
*** _cjones_ has quit IRC02:12
*** drjones has quit IRC02:15
*** _cjones_ has joined #openstack-keystone02:15
*** _cjones_ has quit IRC02:17
*** _cjones_ has joined #openstack-keystone02:17
*** tellesnobrega_ has joined #openstack-keystone02:20
*** drjones has joined #openstack-keystone02:20
*** drjones has quit IRC02:20
*** _cjones_ has quit IRC02:20
*** _cjones_ has joined #openstack-keystone02:20
*** dims__ has quit IRC02:20
*** _cjones_ has quit IRC02:25
*** dims__ has joined #openstack-keystone02:28
*** erkules_ has joined #openstack-keystone02:30
*** abhirc has joined #openstack-keystone02:31
*** erkules has quit IRC02:33
*** Drago has quit IRC02:55
*** radez_g0n3 is now known as radez02:59
*** rwsu has quit IRC03:10
*** david-lyle has joined #openstack-keystone03:29
*** david-lyle has quit IRC03:35
*** david-lyle_ has joined #openstack-keystone03:35
*** jasondotstar has quit IRC03:47
*** zhiyan has quit IRC03:48
*** radez is now known as radez_g0n303:48
*** marg7175 has joined #openstack-keystone03:48
*** zhiyan has joined #openstack-keystone03:49
*** marg7175 has quit IRC03:49
*** marg7175 has joined #openstack-keystone03:50
*** samueldmq has quit IRC03:52
*** henrynash has joined #openstack-keystone03:53
*** ChanServ sets mode: +v henrynash03:53
*** Drago has joined #openstack-keystone03:57
*** Drago has joined #openstack-keystone03:57
*** tellesnobrega_ has quit IRC04:01
openstackgerritZhiQiang Fan proposed openstack/python-keystoneclient: Enable hacking rule E122 and H304
*** dims__ has quit IRC04:04
*** david-lyle_ has quit IRC04:04
*** KanagarajM has joined #openstack-keystone04:09
*** KanagarajM has quit IRC04:14
*** chrisshattuck has joined #openstack-keystone04:16
*** vhoward has left #openstack-keystone04:16
openstackgerritwanghong proposed openstack/keystone: fix test_ec2_list_credentials
*** henrynash has quit IRC04:29
*** henrynash has joined #openstack-keystone04:30
*** ChanServ sets mode: +v henrynash04:30
*** ajayaa has joined #openstack-keystone04:32
*** harlowja is now known as harlowja_away04:51
*** Drago has quit IRC05:10
*** _cjones_ has joined #openstack-keystone05:20
*** _cjones_ has quit IRC05:25
*** richm has quit IRC05:35
*** chrisshattuck has quit IRC05:55
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex
*** KanagarajM2 has joined #openstack-keystone06:20
*** ajayaa has quit IRC06:47
*** dims__ has joined #openstack-keystone07:04
*** stevemar has joined #openstack-keystone07:05
*** ChanServ sets mode: +v stevemar07:05
*** dims__ has quit IRC07:09
*** mzbik has joined #openstack-keystone07:24
*** chlong has quit IRC07:38
*** mflobo has joined #openstack-keystone07:41
*** Guest85104 is now known as d0ugal07:42
*** d0ugal is now known as Guest7919507:42
*** stevemar has quit IRC07:44
*** stevemar has joined #openstack-keystone07:44
*** ChanServ sets mode: +v stevemar07:44
*** Guest79195 is now known as d0ugal07:48
*** d0ugal has joined #openstack-keystone07:48
*** lhcheng has joined #openstack-keystone07:55
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Allow saving and caching the plugin auth state
*** jamielennox is now known as jamielennox|away08:01
openstackgerrithenry-nash proposed openstack/keystone: Experimental data-driver assignment testing
*** henrynash has quit IRC08:16
openstackgerritwanghong proposed openstack/keystone: add missing API in docstring of EndpointFilterExtension
*** ajayaa has joined #openstack-keystone08:17
*** mzbik has quit IRC08:24
*** lhcheng has quit IRC08:25
*** lhcheng has joined #openstack-keystone08:26
*** zz_avozza is now known as avozza08:28
*** lhcheng has quit IRC08:30
*** oomichi_ has quit IRC08:40
*** jraim has quit IRC08:50
*** ctracey has quit IRC08:51
*** zhiyan has quit IRC08:55
*** ctracey has joined #openstack-keystone08:58
*** krykowski has joined #openstack-keystone09:01
*** jraim has joined #openstack-keystone09:01
*** zhiyan has joined #openstack-keystone09:01
*** kodokuu has joined #openstack-keystone09:03
kodokuuHi, Maybe someone can help me, I have issue with keystonemoddleware with designate (last version). => keystonemiddleware.auth_token [-] Invalid user token - rejecting request09:04
*** jistr has joined #openstack-keystone09:24
*** krykowski has quit IRC09:31
*** krykowski has joined #openstack-keystone09:32
*** erkules_ is now known as erkules09:32
*** ajayaa has quit IRC09:34
*** ajayaa has joined #openstack-keystone09:38
*** ajayaa has quit IRC09:43
*** afazekas has joined #openstack-keystone09:47
*** krykowski has quit IRC09:49
*** nellysmitt has joined #openstack-keystone09:50
*** kodokuu has left #openstack-keystone09:53
*** krykowski has joined #openstack-keystone09:57
*** chlong has joined #openstack-keystone10:15
*** mzbik has joined #openstack-keystone10:16
*** aix has joined #openstack-keystone10:20
*** chlong has quit IRC10:20
*** krykowski has quit IRC10:24
*** krykowski has joined #openstack-keystone10:29
*** jasondotstar has joined #openstack-keystone10:30
*** jasondotstar has quit IRC10:30
*** chlong has joined #openstack-keystone10:33
*** krykowski has quit IRC10:34
*** chlong has quit IRC10:37
*** jaosorior has joined #openstack-keystone10:39
*** chlong has joined #openstack-keystone10:50
mzbikamakarov_away, Perfect! It is working now :D Thank you!10:51
*** dims__ has joined #openstack-keystone10:51
*** lhcheng has joined #openstack-keystone10:55
*** krykowski has joined #openstack-keystone10:59
*** lhcheng has quit IRC10:59
*** KanagarajM2 has quit IRC11:05
*** marg7175 has quit IRC11:12
*** krykowski has quit IRC11:26
*** wpf1 has quit IRC11:31
*** samueldmq-away is now known as samueldmq11:37
*** aix has quit IRC11:38
*** wpf1 has joined #openstack-keystone11:44
*** kragniz_ is now known as kragniz11:45
*** wolsen_ has quit IRC12:00
*** xianghui has quit IRC12:02
*** stevemar has quit IRC12:03
*** xianghui has joined #openstack-keystone12:04
*** wolsen has joined #openstack-keystone12:05
*** gabriel-bezerra has quit IRC12:17
*** gabriel-bezerra has joined #openstack-keystone12:17
*** samueldmq has quit IRC12:18
*** samueldmq has joined #openstack-keystone12:18
*** radez_g0n3 is now known as radez12:30
*** afaranha has joined #openstack-keystone12:35
*** chlong has quit IRC12:44
*** dims__ has quit IRC12:53
*** amakarov_away is now known as amakarov12:54
*** dims__ has joined #openstack-keystone12:55
*** richm has joined #openstack-keystone13:08
*** marg7175 has joined #openstack-keystone13:13
*** dims__ has quit IRC13:16
*** dims__ has joined #openstack-keystone13:16
*** marg7175 has quit IRC13:18
*** markvoelker has joined #openstack-keystone13:19
*** topol has joined #openstack-keystone13:27
*** ChanServ sets mode: +v topol13:27
*** henrynash has joined #openstack-keystone13:30
*** ChanServ sets mode: +v henrynash13:30
*** topol has quit IRC13:32
*** flwang has quit IRC13:35
*** rushiagr_away is now known as rushiagr13:40
*** aix has joined #openstack-keystone13:40
raildohenrynash, sorry about yesterday, I thought that I had sent the responde but was still as "draft",
henrynashraildo; np :-)13:44
*** adam_g is now known as adam_g_out13:46
*** tristanC_ is now known as tristanC13:47
*** gordc has joined #openstack-keystone13:48
*** flwang has joined #openstack-keystone13:48
*** marg7175 has joined #openstack-keystone13:57
samueldmqhenrynash, ping13:59
henrynashsamueldmq: hi14:00
samueldmqhenrynash, hi, started look at your data-drvien tests experiment14:00
samueldmqhenrynash, so you think the tests I created for role assignments are too complex ...14:00
henrynashsamueldmq: sorry, a bit rough at the moment…and still an experiment14:00
samueldmqhenrynash, np :)14:00
samueldmqhenrynash, I'd like to get your view on that ..14:01
henrynashsamueldmq: the problem is that I can’t easily see exactly what the tests are doing14:01
henrynashsamueldmq:…I want to be able to see at a galnce..without undertstanding any algorithms or complex python, what we are tetsing and what the expeted out is…so I can say “ yes I agree with the expected results, or no, I don’t"14:02
henrynashsamueldmq: and while your tests are as compact as I can imagine a code-based test being….I can’t do the above14:03
henrynashsamueldmq: to be honest, other cores may not agree with my concerns (or my potential approach for data-driver tests)14:03
samueldmqhenrynash, yes I agree14:03
samueldmqhenrynash, at the same time, we can have 40+ tests in 300 lines ..14:03
samueldmqhenrynash, but I agree we have to find a good tradeoff there  between readability, etc14:03
henrynashsameuldmq: so I’m travelling back from the USA to the UK (so lots of time on planes)…so give me today to carry on experimenting… :-)14:04
samueldmqhenrynash, sure, that's why it's experimental :)14:04
samueldmqhenrynash, sure !14:05
henrynashsamueldmq: I’ll probably put all teh helper methids into a test_helper_class, which  you initialise with the test plam14:05
samueldmqhenrynash, today I'm a little busy as well, new sprint starting etc14:05
henrynashclean it up a bit , then we can both have a proper look at it14:06
samueldmqhenrynash, ++14:06
henrynash(ans ome comments would be good too, henry :-) )14:06
samueldmqhenrynash, :-)14:06
samueldmqhenrynash, when creating data to be testes, why don't we have a model (classes)? isntead of just dicts14:07
samueldmqhenrynash, why dont we have a model in keystone ? like objects, etc14:07
samueldmqhenrynash, maybe this is python .. dont really know14:07
henrynashsamueldmq: hey, I’m a PASCAL guy, so what would I Know…14:08
*** ljfisher has joined #openstack-keystone14:08
samueldmqhenrynash, haha , maybe need to ask someone else :)14:09
samueldmqhenrynash, another point I noticed, why dont you like having a predefined scenario and then tests use it?14:09
henrynashsure we could use class/models etc…..that’s teh sort ofthing we could experiemyt with14:09
samueldmqhenrynash, I think I had a comment of yours somewhere saying you like to create data for each tests14:09
henrynashthat’s what happens14:10
samueldmqhenrynash, I was wondering why :-)14:10
henrynashyou mean why do I like that?14:10
henrynashI guess it’s a context thing…OK what’s teh best data structure for this test….create that, run the test, then dump it14:11
henrynashi can see everything i need right there for deciding if I agree this is a good test…not go look in other places to find our what test data has been created14:11
*** sriram has joined #openstack-keystone14:13
henrynashsamueldmq: oh, actually, I do have a separate question for you14:13
samueldmqhenrynash, sure14:14
henrynashsamueldmq: when the new manager list_role_assignment() returns assignments, if we are in effective mode and there was, say, an inherited role on a domain14:14
samueldmqhenrynash, maybe this is because we dont have a consistent but robust scenario that's used everywhere14:15
samueldmqhenrynash, k, reading your example14:15
henrynashsamueldmq: ….we expand that inherited role and place it on the project…but in the assignment dict we pass back, we include the project and domain ID?14:15
samueldmqhenrynash, the domain id from where the role was inehrited from just goes in the assignment link14:16
raildohenrynash, about the name clashing, I think that we don't need to change the domain or project name, because we always have a way to distinguish them, but if we really need to change a name, I prefer change the domain name in the migration, but as you explained we can't do this due the domain-specific config files...14:16
samueldmqhenrynash, OS-INHERIT/domain/<domain_id>/users/<user_id>/roles/<role_id>14:16
*** bknudson has joined #openstack-keystone14:17
*** ChanServ sets mode: +v bknudson14:17
samueldmqhenrynash, + /inherited_to_projects14:17
henrynashsamueldmq:….ah, right, so we include the place the inherited role came form, so the controller can construct the link?14:17
raildohenrynash, so I don't know what I have to do :P14:17
samueldmqhenrynash, ah sorry14:17
henrynashraildo: you mean you don’t understand my comment or you don’t know how to solve it?14:18
samueldmqhenrynash, yes, it includes both domain_id AND project_id, so the controller can deduce it was inherited14:18
samueldmqhenrynash, for project inherited assignment, it includes both PARENT_ID and PROJECT_ID14:18
henrynashsamueldmq: ah, that’s why my test fails….I hadn’t included domain in the expected result data14:19
*** mzbik has quit IRC14:19
*** marg7175 has quit IRC14:19
raildohenrynash, I do't know how to solve it, since we can't change the domain name, and we can't keep with the clashing name..14:19
samueldmqhenrynash, look at the first two methods in
*** marg7175 has joined #openstack-keystone14:19
samueldmqhenrynash, nice debug :)14:20
henrynashsamueldmq: that’s kind of what I mean….by looking just at data input and output, i can see if the code under test is wroung, or….(as is often the case), my concept of what the code does is wrong!14:22
henrynashraildo: so two options:14:22
henrynashraildo: 1) Change the project name if there’s a clash14:23
samueldmqhenrynash, I agree, and if we had a scenario **really** used everywhere, it would save code and be in accordance with this approach14:23
henrynashraildo: 2) If we are not using domain-specific drivers, then change the domain name, else we change the project name14:23
henrynashraildo: 2) would effect the least number of installations, but is kind of harder to explain14:24
samueldmqhenrynash, maybe always change the project name, so we'd be consistent in both conflicts14:25
*** krykowski has joined #openstack-keystone14:25
raildohenrynash, I prefer this second option... because I don't like to change a object, that in my view, is not part of the process.14:25
henrynashsamueldmq: that’sa valid view…better for it to be easyto explain and obvious, rather than obscure14:26
henrynashraildo: we have to change something…..14:26
raildohenrynash, I'm migrate the domain, and not the projects, right?14:26
raildohenrynash, yes...  I know =/14:27
henrynashraildo: yes, but from a customer perspective, they don’t know that14:27
henrynashraildo: there’s not good answer here, just a least worst answer14:27
raildohenrynash, i agree14:28
henrynashraildo: so I guess there is a 3rd option14:28
henrynashraildo: we make them chaneg the name of the domain-config file if there is a clash…we just can’t do it for them14:29
henrynash(I gotta go off line for a bit, back on later)14:30
samueldmqhenrynash, k14:30
raildoI think tht, for now, we can change the project name when we have domain-config file problems, but as you say that we will change this for the SQL, we will change just the domain name14:31
raildohenrynash, I'll explain better this in the spec14:31
raildohenrynash, thanks14:31
*** mattfarina has joined #openstack-keystone14:34
*** radez is now known as radez_g0n314:34
henrynashraildo:just had an idea so came back!…..actually there is a 4th one for you to think about….(and maybe this was your thought all along?), maybe we allow the naems to clash, and chaneg teh SQL unique constraint. Maybe name+domain_id+domain-ness must be unique…14:35
samueldmqhenrynash, ++14:35
raildohenrynash, ++ I prefer this option :)14:35
henrynashraidlo: we’d have to be careful that we honored this correctly in all these ways we access teh table…and I haven’t quite thought it through….but maybe…14:36
*** joesavak has joined #openstack-keystone14:36
raildohenrynash, that was my original solution14:36
henrynashraildo: if so, then you’re a smarter man than me!14:36
raildohenrynash, hahahaha I dont think so14:37
henrynashraildo: now domain_id is nul for projects with domain_ness, so we’d have to be careful14:38
henrynashraildo: (crazy idea): does the lack of domain_id mean domain-ness?14:38
samueldmqhenrynash, no, you're a wild duck14:38
henrynashraildo: and you don’t need a flag at all?14:39
samueldmqhenrynash, :-)14:39
henrynashsamueldmq : haha14:39
raildohenrynash, no, for project domain-ness the project id is equal to the domain _id14:39
henrynashraildo: but there is only one ID now!14:39
henrynashraildo: isn’t it that there is only one table (the projects table), and some of those projects are also domains?14:40
samueldmqhenrynash, yep, we need to delte domain_id from projects14:41
samueldmqhenrynash, no need to keep FK for a tabl that doesnt exist anymore14:41
henrynashraildo: onlythose that are domains14:41
raildohenrynash, i get it your point, but I'm little concern if we can change this column14:41
henrynashraildo: no - projects still have a domain_Id (but it’s to an ID in the project table_14:42
*** vhoward has joined #openstack-keystone14:42
henrynashraildo: and those projects that are domains, don’t have a domain_id….which tells us they are a domain14:42
raildohenrynash, ok14:43
henrynashraildo: just an idea….i do need to go now….I’ll let you mull it over…if you think it’s wroung, feel free to junk the idea…Im not entirely convinced myslef :-)14:43
raildohenrynash, no, I like the idea :) I'll think about it and we can talk more later14:44
henrynashraildo: i.e. can you (in SQL) list me all the rows for which teh domain_id is null (i.e. to list all doamins)?14:44
*** my_openstack_use has joined #openstack-keystone14:45
raildohenrynash, I believe that I can.14:46
my_openstack_usedoes keystone REST API have a method that accepts username and password and returns the user's tenant ID?14:46
raildohenrynash, ok, thanks a lot, I'll define better this today :)14:46
samueldmqmy_openstack_use, hi, with username and password you should be able to get a token14:48
samueldmqmy_openstack_use, with that token, you can query list role assignments API in order to get all projects (tenant) a user has a role on14:49
samueldmqmy_openstack_use, to see the operations available on the v3 (current) api, take a look at
samueldmqmy_openstack_use, /v3/auth/tokens to get a token14:50
samueldmqmy_openstack_use, /v3/role_assignments to list role assignmetns14:50
*** zzzeek has joined #openstack-keystone14:51
*** nkinder has joined #openstack-keystone14:51
my_openstack_usesamueldmq: we are currently using v2 do you know what is that method's analogue in it?14:53
dims__hi all, anyone familiar with ec2 tokens? (hmac-v4)14:54
*** Drago has joined #openstack-keystone14:55
samueldmqmy_openstack_use, let me check14:55
*** krykowski has quit IRC14:55
*** rwsu has joined #openstack-keystone14:56
*** Drago has quit IRC14:56
*** Drago has joined #openstack-keystone14:56
samueldmqmy_openstack_use, so /v2.0/tokens to get a token14:56
openstackgerritgordon chung proposed openstack/keystonemiddleware: make audit event scoped to request session and not middleware
samueldmqmy_openstack_use, I dont think we support such operation in v214:58
samueldmqbknudson, hi - is there a way to get all user's tenants in v2?14:59
dims__we have a "signature check failed" with latest boto (EC2 client)14:59
bknudsonsamueldmq: I think it's /v2.0/tenants but you have to use the public api15:00
my_openstack_usesamueldmq: but I was under impression that horizon takes username and password from token and uses them to provide tenant ID from keysone. Is that wrong?15:00
*** krykowski has joined #openstack-keystone15:00
bknudsonwhy would anyone use the v2.0 api?15:00
my_openstack_usedoesn't Juno use v2?15:01
bknudsonsamueldmq: Here's the v2 reference:
*** nellysmitt has quit IRC15:05
samueldmqmy_openstack_use, I dont know about how horizon uses it, sorry15:11
samueldmqbknudson, looks like my_openstack_use  is using it15:11
bknudsonsamueldmq: I've never heard of my_openstack_user.15:13
openstackgerritBoris Bobrov proposed openstack/keystone: Use migration_cli for db migrations
my_openstack_usea person on my team is trying to call v2's tenants with username and password and receives back token. But when he tries to call it with the returned token to get the tenant ID he gets 401.15:14
my_openstack_useis he doing something wrong?15:15
DragoThat actually sounds like the problem I'm having15:15
DragoI can't get keystonemiddleware/keystoneclient to quit doing endpoint discover no matter what settings I use15:15
samueldmqbknudson, me neither, but he/she is now here in the channel :-)15:16
openstackgerritgordon chung proposed openstack/keystonemiddleware: incorrect reference in enabling audit middleware
my_openstack_usesamueldmq: are you talking about me?15:17
DragoWhen the keystoneclient tries to do discovery, our identity api doesn't return back json for the endpoints it expects so it dies and returns 401 "Token Authorization Failed"15:17
samueldmqmy_openstack_use, yep, see conversation above15:18
bknudsonmy_openstack_use: Here's the v2 reference:
openstackgerritBoris Bobrov proposed openstack/keystone: Use migration_cli for db migrations
my_openstack_usebknudson: Yeah, like I'm saying, tokens doesn't seem to work15:19
*** samueldmq is now known as samueldmq-away15:19
samueldmq-awaymy_openstack_use, sorry need to go afk for a bit15:19
*** topol has joined #openstack-keystone15:19
*** ChanServ sets mode: +v topol15:19
my_openstack_usepassing username and password yields token15:25
my_openstack_useas you can see, somethign seems to be broken in keystone15:26
my_openstack_useI'm a guy by the way15:29
*** carlosmarin has joined #openstack-keystone15:35
*** briancurtin has quit IRC15:57
*** ayoung has joined #openstack-keystone16:02
*** ChanServ sets mode: +v ayoung16:02
*** briancurtin has joined #openstack-keystone16:02
ayoungraildo, you pinged me yesterday-ish and I didn't get to respond until now.  You still working on the migration?16:03
*** thedodd has joined #openstack-keystone16:03
*** krykowski has quit IRC16:09
*** abhirc has quit IRC16:13
*** henrynash has quit IRC16:14
*** krykowski has joined #openstack-keystone16:14
*** chrisshattuck has joined #openstack-keystone16:15
*** samueldmq-away is now known as samueldmq16:29
samueldmqayoung, I'll get him on his chair in a bit  :-)16:30
ayoungsamueldmq, THANKS16:30
raildoayoung, yes, I finished the script but I discuss with henry, what we have to do , when we find some name and id clashing....16:32
ayoungraildo, more than that16:32
ayoungI hjave some work to do16:32
ayoungraildo, there were two decsions,  contradictory, beyond what I submitted in my patch16:32
ayoungfirst:  drop the domain table16:32
ayoungsecond:  keep hte domain table but make the id a foreign key to the project table16:33
ayoungthe second was so we could have an "idp_id"  field for the domain for Federation16:33
ayoungso I don't really know what the migration should look like16:34
raildoayoung,  actually I'm thinking in work in this solution "<henrynash> raildo:just had an idea so came back!…..actually there is a 4th one for you to think about….(and maybe this was your thought all along?), maybe we allow the naems to clash, and chaneg teh SQL unique constraint. Maybe name+domain_id+domain-ness must be unique…"16:34
ayoungI think henry might be right16:34
raildoayoung, so I think that we can drop the domain table and just change the way to Keystone see a domain16:35
ayoungraildo, we need an Idp to own the domain16:35
ayoungwe could do that on every record, but it would be wasteful16:35
ayoungI wonder if we can unify the Idp and domain concepts at the same time.16:36
raildoayoung, hum... this change is bigger than I imagined :P16:37
*** _cjones_ has joined #openstack-keystone16:37
raildoayoung, so we can use the domain_id in the project table to related to this Idp, right?16:39
ayoungraildo, OK,  so this is my take how it should have been done origianlly:16:40
ayoungeverything we have is a namespace:16:40
ayoungdomains, Idp, and projects are just variations16:40
raildoayoung, ok16:41
ayoungin all cases, the things that they store are outside the 'assignement ' services16:41
ayoungKeystone's Identiyt backend included16:41
ayoungidentity has many sources, assignment pulls them together16:41
ayoungnamespaces are nested:16:42
ayoungidps own domains16:42
ayoungdomains own projects16:42
ayoungnow...we  could drop domains as a concept,  they really are covered by Idps on the  Identity side16:42
ayoungand on the project side, we don't need them.16:42
ayoungI don't think that any of the other services even make use of domains, they are merely a Keystone concept16:43
raildoayoung, right...16:43
ayoungnow...that is the purist perspective...the question is what do we do from here?16:44
ayoungwe state that the names of projects are unique within a domain,  and I think Henry's take, while counterintuitive, is the right one16:44
ayoungonly because it is an acceptance of what we do now:16:45
ayoungexecpt that it will break what we need to have happend for Horizon:16:45
ayounghmmmm...but that, now thjat I think of it, might be broken already16:46
ayoungraildo, I just found a bug.  Wann hear it?16:46
raildoayoung, yes :P16:47
ayoungOn Horizon, they do a keystone list-projects-for user  to populate the project drop down.  But since a user can get an assignment across domains, they can get an assignement to two projects with the same name, one in each domain16:47
ayoungI haven't tested, but I bet that is the case...16:47
raildobut this list project for user will filter by domain, right?16:48
raildobecause today I can create two projects with the same name in different domains... (and I believe that a user can have a role assignment in this two projects)16:50
*** sriram has quit IRC16:51
raildoso... what I want to say is, this list project should be in a domain scope, so I can't have two projects with the same name16:52
ayoungraildo, except that there is no call to do list project for user by domain16:53
raildoayoung, so, this is a bug :P16:54
raildoayoung,  in fact, a long time ago, I'm worked in a patch to filter user by project
raildobut the federation implementation blocked this patch.16:56
*** dims__ has quit IRC16:57
ayoungraildo, that needs to go away:  with federation we will never know all of the users for a project16:57
ayoungraildo, that is the opposite:  list projects for user means we know who the user is and what groups they are in16:58
raildoayoung, right,this is the reason to i abandoned this patch16:58
raildoayoung, this method right?
*** krykowski has quit IRC17:01
ayoungraildo, yes17:01
*** dims__ has joined #openstack-keystone17:02
*** packet has joined #openstack-keystone17:05
raildoayoung, sorry, this is a old repo.. here its the current implementation
ayoungraildo, the short of it is, put the migration on hold for a bit until we figure out what the implementation is17:07
raildoayoung, i agree. I'll just send the code to you take a look :)17:08
raildoand regarding the namespaces, I think that we can do something like Idp - project domain-ness - just a project17:09
raildoayoung, since the project domain-ness wil be in the top level of the hierarchy17:10
ayoungraildo, not sure if the other devs agree:  that was just my take on it.17:10
raildoayoung, right... we can talk later about this, when morgan, henry, dolph and the other guys :)17:12
*** abhirc has joined #openstack-keystone17:14
*** sriram has joined #openstack-keystone17:24
richmdtroyer: ping - how does one access the keystone v3 trust extension using the openstack client?
*** aix has quit IRC17:27
*** abhirc has quit IRC17:30
*** abhirc has joined #openstack-keystone17:31
dtroyerstevemar: ^^^   richm, not sure I know.  steve has done the vast majority of the Identity v3 work.  I don't see anything other than —os-trust-id in the current source tree.17:32
richmdtroyer: ok - I'll wait for stevemar17:35
*** packet has quit IRC17:42
*** packet has joined #openstack-keystone17:42
*** xxj has quit IRC17:46
*** avozza is now known as zz_avozza17:49
*** david-lyle has joined #openstack-keystone17:50
*** xxj has joined #openstack-keystone17:51
*** ajayaa has joined #openstack-keystone17:58
*** nellysmitt has joined #openstack-keystone18:00
*** nellysmitt has quit IRC18:04
*** lhcheng has joined #openstack-keystone18:07
*** stevemar has joined #openstack-keystone18:09
*** ChanServ sets mode: +v stevemar18:09
*** rushiagr is now known as rushiagr_away18:13
openstackgerritRodrigo Duarte proposed openstack/keystone: Implements parents_as_ids query param
openstackgerritRodrigo Duarte proposed openstack/keystone: Implements subtree_as_ids query param
*** nellysmitt has joined #openstack-keystone18:17
*** zz_avozza is now known as avozza18:17
openstackgerritMerged openstack/keystone-specs: API changes for subtree_as_ids and parents_as_ids
*** harlowja_away is now known as harlowja18:24
*** radez_g0n3 is now known as radez18:24
rodrigodsayoung, ping re: dynamic policies. anything agreed in midcycle?18:26
*** amakarov is now known as amakarov_away18:27
ayoung rodrigods on the phone.18:27
*** ljfisher has quit IRC18:30
*** ajayaa has quit IRC18:32
morganfainbergjamielennox|away, ping re: unscoped token catalog18:43
morganfainbergjamielennox|away, will comment on the review when i have a fww minutes so we can get that merged asap as a spec18:44
morganfainbergjamielennox|away, ayoung, stevemar, dstanek, ksc/middleware releases, where are we / anything we need to get in before a release? I'm ready to do one if we need it. cc: bknudson, topol, dolphm18:45
ayoungmorganfainberg, clue ATM18:46
rodrigodsmorganfainberg, HMT features? :(18:46
ayoungmorganfainberg,  I don't think I have anything incipient myself18:47
morganfainbergayoung, right so checking before we do anything - if you don't know, i'd say we don't have anything you need atm18:47
morganfainbergrodrigods, do we have code up for review for it?18:47
*** nellysmitt has quit IRC18:47
rodrigodsmorganfainberg, yes, just need some follow up in the reviews18:47
rodrigodsmorganfainberg, I can do that18:47
morganfainbergrodrigods, k18:47
bknudsonmorganfainberg: I don't see anything that can't wait for the next release.18:48
morganfainbergbknudson, ++ k18:48
*** Drago has left #openstack-keystone18:49
topolmorganfainberg, what bknudson said18:50
morganfainbergtopol, thanks.18:50
*** gyee has joined #openstack-keystone18:54
*** ChanServ sets mode: +v gyee18:54
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: Hierarchical multitenancy basic calls
rodrigodsmorganfainberg, bknudson ^18:54
bknudsonrodrigods: we can do a release tomorrow or whenever that gets merged.18:56
bknudsoneven if we do a release today18:57
*** jistr has quit IRC18:58
rodrigodsbknudson, fair enough, just receiving some demands to it :)18:58
*** lsmola has quit IRC18:59
bknudsonrodrigods: then they should review the change.18:59
rodrigodsbknudson, they already did :)18:59
rodrigodsunfortunately, not cores18:59
*** atiwari has joined #openstack-keystone19:04
*** lsmola has joined #openstack-keystone19:11
*** jaosorior has quit IRC19:14
lbragstaddstanek: so the consensus for the token api clean was to start with a spec, right?19:15
lbragstads/clean/clean up/19:15
*** packet has quit IRC19:23
richmstevemar: ping - I don't know if you saw the previous discussion about how to use the keystone v3 trust extension with the openstack client - I'm looking for documentation or examples19:28
stevemarrichm, simple answer - no support for that as no one asked for it :)19:28
lbragstadmorganfainberg: I'm doing some digging on
morganfainberglbragstad, that is the spec to do the cleanup19:36
lbragstadmorganfainberg: and wondering if there were any patches pushed for that already. I'm not seeing any but wanted to check with you first.19:36
morganfainbergon the provider19:36
morganfainbergonly 1:19:36
morganfainbergand it's the prototype one19:36
lbragstadmorganfainberg: can I build off of it?19:36
morganfainberglbragstad, the strictABC is the only thing i've pushed, but i was just looking at the cleanup of v2 issue pipeline19:37
morganfainbergbut please build on that functionality, i need to fix the pep8 and document that new functionality19:37
lbragstadthe strictABC stuff is the first work item listed19:37
lbragstadmorganfainberg: was there any other reasons this was a WIP patch?19:38
morganfainberglbragstad, because i wrote it at the summit :P and hadn't even tried running the tests yet19:38
lbragstadmorganfainberg: ok19:38
morganfainbergfixing the commit and fix pep8 + minor documentation changes = ready to be un wip'd19:39
morganfainbergi'm just in  ameeting at the moment and can't push that.19:39
lbragstadmorganfainberg: ok19:39
lbragstadmorganfainberg: I'll work on it19:39
morganfainbergsure, let me un-2 it19:39
morganfainberglbragstad, done19:40
*** nellysmitt has joined #openstack-keystone19:42
*** _cjones_ has quit IRC19:43
*** andreaf has quit IRC19:47
*** thedodd has quit IRC19:48
richmstevemar: EmilienM:
stevemarrichm, hmm okay... we're probably support create/lits/delete/get19:54
stevemarsince, that is whats supported here:
EmilienMrichm: thanks19:55
stevemarrichm, also, i think you will be able to authenticate with trusts as a freebie, since we use keystone authN plugins19:55
richmstevemar: ok19:56
*** _cjones_ has joined #openstack-keystone20:14
*** Ephur has quit IRC20:16
*** henrynash has joined #openstack-keystone20:17
*** ChanServ sets mode: +v henrynash20:17
*** thedodd has joined #openstack-keystone20:24
openstackgerritayoung proposed openstack/keystone: Explicit Unscoped
openstackgerritayoung proposed openstack/keystone: Explicit Unscoped
rodrigodsbknudson, doubt about :type in docstrings, how can I specify that an argument can be from two types? (for example, :py:class:`` and str)20:31
rodrigods(googled without success)20:32
*** vhoward has left #openstack-keystone20:32
morganfainberglbragstad, just talked with dhellmann, we're going to make strictabc it's own library [but it'll land in keystone first]20:35
*** junhongl has quit IRC20:35
lbragstadmorganfainberg: ok,20:35
morganfainberglbragstad, have some enchancements for this down the line20:36
lbragstaddo you have an eta on that timeline?20:36
morganfainbergland it in keystone first20:36
morganfainbergwe'll worry about separate lib stuff soon™20:36
lbragstadmorganfainberg: it will be a part of the oslo libraries I assume?20:36
morganfainbergwont be oslo namespace/named but oslo will own it20:36
morganfainbergit'll be proposed as openstack/strictabc20:36
lbragstadfair enough20:36
morganfainbergor similar20:37
*** junhongl has joined #openstack-keystone20:37
*** drjones has joined #openstack-keystone20:42
*** _cjones_ has quit IRC20:42
*** nkinder has quit IRC20:43
*** _cjones_ has joined #openstack-keystone20:51
*** drjones has quit IRC20:54
*** _cjones_ has quit IRC20:58
*** _cjones_ has joined #openstack-keystone20:58
*** flwang2 has joined #openstack-keystone20:59
flwang2greetings, when I install openstack with devstack, recently I got this error 'Could not find user: admin (Disable debug mode to suppress these details.) (HTTP 401)'?21:00
flwang2as a result, the other service can't get token from keystone21:00
flwang2any idea? thanks a lot21:00
*** _cjones_ has quit IRC21:00
*** _cjones_ has joined #openstack-keystone21:01
lbragstadflwang2: can you verify the user was created?21:01
flwang2lbragstad: hey man21:01
flwang2how are you21:01
lbragstadflwang2: doing well!21:02
flwang2checking the user in db...21:02
flwang2lbragstad: nope, the table is empty21:03
*** ayoung has quit IRC21:04
flwang2lbragstad: any suggestion?21:06
lbragstaddid devstack execute correctly?21:08
*** raildo has quit IRC21:08
*** _cjones_ has quit IRC21:08
flwang2nope, devstack failed since glance can't get token from keystone21:09
flwang2but before that, there is no failure21:09
*** _cjones_ has joined #openstack-keystone21:10
flwang2yep, i have tried to remove/clean everything, no lucky21:10
lbragstadflwang2: are you pulling the latest devstack?21:11
lbragstadcc stevemar ^21:11
*** carlosmarin has left #openstack-keystone21:12
*** topol has quit IRC21:13
flwang2lbragstad: yes21:13
flwang2lbragstad: i even tried icehouse and juno21:13
flwang2lbragstad: i think it's a devstack issue, but I just can't find a way to work around it21:16
lbragstadflwang2: interesting, I'll see if I can recreate in a bit,21:22
lbragstadflwang2: but the keystone service is up and running?21:22
flwang2lbragstad: yes21:22
flwang2so I don't think it's a keystone issue21:22
lbragstadso can you create a user against it?21:23
flwang2good point, let me try21:23
flwang2feilong@feilong-ThinkPad-X1-Carbon-2nd:~$ keystone user-create --name a21:24
flwang2Could not find user: admin (Disable debug mode to suppress these details.) (HTTP 401)21:24
*** tellesnobrega_ has joined #openstack-keystone21:24
flwang2seems I need to fix the admin issue firstly :)21:24
flwang2never mind, I will go though all the devstack log to see if i can find something21:25
lbragstadflwang2: you could try going directly to keystone with cURL21:25
flwang2lbragstad: ok, thanks a lot21:25
lbragstadflwang2: or something similar, you don't need all those parameters21:26
lbragstadand that's using v321:27
flwang2lbragstad: awesome, cheers man21:27
lbragstadflwang2: you too, hope it helps!21:27
*** ayoung has joined #openstack-keystone21:36
*** ChanServ sets mode: +v ayoung21:36
*** fifieldt__ has quit IRC21:37
*** fifieldt__ has joined #openstack-keystone21:38
*** raildo has joined #openstack-keystone21:40
lbragstadmorganfainberg: where do you want the StrictABC stuff documented?21:42
openstackgerritgordon chung proposed openstack/keystonemiddleware: make audit event scoped to request session and not middleware
*** pnavarro has quit IRC21:47
*** flwang2 has quit IRC21:51
openstackgerritgordon chung proposed openstack/keystonemiddleware: move add event creation logic to keystonemiddleware
*** Tahmina has joined #openstack-keystone21:58
*** raildo has quit IRC22:01
ayoungdstanek, I like the idea of the scripts that I am proposing being run via a functional test.22:13
*** flwang1 has joined #openstack-keystone22:14
ayoungCoupld things:  the client will need a way to do a devstack run22:14
*** sriram has quit IRC22:15
ayoungand the initialization script actually assumes a blank database, whereas devstack puts some sample data in there22:15
*** joesavak has quit IRC22:21
openstackgerritLance Bragstad proposed openstack/keystone: StrictABC Prototype
openstackgerritLance Bragstad proposed openstack/keystone: Switch the token provider to use strict_abc
*** mattfarina has quit IRC22:26
*** ayoung has quit IRC22:26
openstackgerritLance Bragstad proposed openstack/keystone: Switch the token provider to use strict_abc
openstackgerritLance Bragstad proposed openstack/keystone: StrictABC Prototype
*** henrynash has quit IRC22:30
*** vhoward has joined #openstack-keystone22:30
flwang1lbragstad: still around?22:39
flwang1now i'm running into the six.wraps issue,
*** packet has joined #openstack-keystone22:47
*** abhirc has quit IRC22:50
*** ayoung has joined #openstack-keystone23:01
*** ChanServ sets mode: +v ayoung23:01
*** jamielennox|away is now known as jamielennox23:01
jamielennoxmorganfainberg: i was hoping for a release around the first23:02
jamielennoxthe gist has gone from the irc title but that had things marked23:03
jamielennoxthere weren't exactly a lot of reviews happening though23:03
*** nkinder has joined #openstack-keystone23:09
*** dims__ has quit IRC23:10
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Surface the user_id and project_id beyond the plugin
*** bknudson has quit IRC23:25
*** tellesnobrega_ has quit IRC23:31
*** jasondotstar has joined #openstack-keystone23:34
*** zzzeek has quit IRC23:38
*** briancurtin has quit IRC23:41
*** briancurtin has joined #openstack-keystone23:41
*** thedodd has quit IRC23:42
*** briancurtin has quit IRC23:49
*** gordc has quit IRC23:50
*** david-lyle is now known as david-lyle_afk23:56
*** radez is now known as radez_g0n323:58
*** chlong has joined #openstack-keystone23:59

Generated by 2.14.0 by Marius Gedminas - find it at!