Monday, 2015-01-26

*** stevemar has joined #openstack-keystone00:00
*** ChanServ sets mode: +v stevemar00:00
*** dims has joined #openstack-keystone00:40
*** marg7175 has quit IRC00:53
*** avozza is now known as zz_avozza00:59
*** zz_avozza is now known as avozza00:59
*** chrisshattuck has joined #openstack-keystone01:14
*** dims has quit IRC01:25
*** chrisshattuck has quit IRC01:26
*** dims has joined #openstack-keystone01:26
*** dims_ has joined #openstack-keystone01:27
*** dims has quit IRC01:31
*** dims_ has quit IRC01:34
*** erkules_ has joined #openstack-keystone02:25
*** erkules has quit IRC02:27
*** marg7175 has joined #openstack-keystone02:36
*** topol has joined #openstack-keystone03:08
*** ChanServ sets mode: +v topol03:08
*** chrisshattuck has joined #openstack-keystone03:26
*** samueldmq has quit IRC03:37
openstackgerritChangBo Guo(gcb) proposed openstack/keystone: Add library oslo.concurrency in config-generator config file
*** mitz has quit IRC04:10
*** mitz has joined #openstack-keystone04:11
*** avozza is now known as zz_avozza04:23
*** zz_avozza is now known as avozza04:25
*** avozza is now known as zz_avozza04:34
*** chrisshattuck has quit IRC04:56
*** chrisshattuck has joined #openstack-keystone05:05
*** marg7175 has quit IRC05:09
*** richm has quit IRC05:38
*** dims has joined #openstack-keystone05:52
*** zz_avozza is now known as avozza06:01
*** jaosorior has joined #openstack-keystone06:03
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex
*** MasterPiece has joined #openstack-keystone06:05
*** chrisshattuck has quit IRC06:11
*** stevemar has quit IRC06:12
*** MasterPiece has quit IRC06:14
*** topol has quit IRC06:16
*** afazekas has quit IRC06:18
*** dims has quit IRC06:19
*** dims has joined #openstack-keystone06:19
*** dims has quit IRC06:20
*** avozza is now known as zz_avozza06:26
*** rwsu has joined #openstack-keystone06:54
*** rwsu is now known as rwsu-afk06:54
*** afazekas has joined #openstack-keystone07:01
*** MasterPiece has joined #openstack-keystone07:02
*** marg7175 has joined #openstack-keystone07:10
*** marg7175 has quit IRC07:14
*** dims has joined #openstack-keystone07:20
*** dims has quit IRC07:25
*** mzbik has joined #openstack-keystone07:33
*** marg7175 has joined #openstack-keystone08:17
*** marg7175 has quit IRC08:19
*** marg7175 has joined #openstack-keystone08:19
*** erkules_ is now known as erkules08:22
*** marg7175 has quit IRC08:24
*** marg7175_ has joined #openstack-keystone08:24
*** marg7175_ has quit IRC08:29
*** pnavarro has joined #openstack-keystone08:29
*** f13o has joined #openstack-keystone08:37
*** marg7175 has joined #openstack-keystone08:39
openstackgerritMarek Denis proposed openstack/keystone-specs: Allow for direct mapping in federated authN.
*** dims has joined #openstack-keystone08:48
*** dims has quit IRC08:53
*** bdossant has joined #openstack-keystone08:57
openstackgerritMarek Denis proposed openstack/keystone-specs: Visual Page for WebSSO
*** oomichi_ has quit IRC09:17
*** jistr has joined #openstack-keystone09:22
*** Guest66252 is now known as d0ugal09:22
*** d0ugal has quit IRC09:23
*** d0ugal has joined #openstack-keystone09:23
*** zz_avozza is now known as avozza09:28
openstackgerritChangBo Guo(gcb) proposed openstack/keystone: Add library oslo.concurrency in config-generator config file
openstackgerritDave Chen proposed openstack/keystone: Remove unnecessary code block of exception handling
*** samueldmq has joined #openstack-keystone09:52
*** nellysmitt has joined #openstack-keystone09:53
*** marg7175 has quit IRC10:08
*** marg7175 has joined #openstack-keystone10:09
openstackgerritMarek Denis proposed openstack/python-keystoneclient: Create a framework for federation plugins
*** rushiagr_away is now known as rushiagr10:10
*** bdossant has quit IRC10:19
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements
*** samueldmq has quit IRC10:29
*** aix has joined #openstack-keystone10:30
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient-kerberos: Updated from global requirements
*** dims has joined #openstack-keystone10:34
*** dims has quit IRC10:39
*** andreaf_ has joined #openstack-keystone10:43
*** avozza is now known as zz_avozza10:55
*** zz_avozza is now known as avozza10:56
*** htruta has joined #openstack-keystone11:01
*** tellesnobrega has joined #openstack-keystone11:02
*** bdossant has joined #openstack-keystone11:04
*** bdossant has quit IRC11:07
*** andreaf_ has quit IRC11:17
openstackgerritYuriy Taraday proposed openstack/keystone: Add a module to work with LDAP filters and DNs
*** nellysmitt has quit IRC11:19
*** samueldmq has joined #openstack-keystone11:19
*** gabriel-bezerra has joined #openstack-keystone11:24
*** MasterPiece has quit IRC11:34
*** andreaf_ has joined #openstack-keystone11:34
openstackgerritMarek Denis proposed openstack/keystone-specs: Visual Page for WebSSO
*** dims has joined #openstack-keystone11:35
*** nellysmitt has joined #openstack-keystone11:38
*** dims has quit IRC11:40
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Improve List Role Assignments Filters Performance
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Improve List Role Assignment Tests
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Check for invalid filtering on v3/role_assignments
*** tellesnobrega_ has joined #openstack-keystone11:54
*** raildo has joined #openstack-keystone12:07
rodrigodsayoung, ping... any agreements regarding the policy enforcement mechanism in the midcycle? (aka
*** samueldmq is now known as samueldmq-away12:25
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Dynamic Policy Overview
*** tellesnobrega_ has quit IRC12:43
*** redrobot has quit IRC12:51
*** redrobot has joined #openstack-keystone12:53
*** redrobot is now known as Guest3647312:53
*** samueldmq has joined #openstack-keystone12:55
openstackgerritDave Chen proposed openstack/keystone: Remove duplicated check
*** richm has joined #openstack-keystone13:13
*** amakarov_away is now known as amakarov13:15
*** dims has joined #openstack-keystone13:23
*** dims has quit IRC13:28
openstackgerritMerged openstack/python-keystoneclient-kerberos: Updated from global requirements
*** tellesnobrega_ has joined #openstack-keystone13:34
*** avozza is now known as zz_avozza13:35
*** zz_avozza is now known as avozza13:35
*** avozza is now known as zz_avozza13:47
*** zz_avozza is now known as avozza13:47
*** samueldmq has quit IRC13:48
*** gordc has joined #openstack-keystone13:50
*** samueldmq has joined #openstack-keystone13:57
*** joesavak has joined #openstack-keystone14:00
openstackgerritMarek Denis proposed openstack/keystone: Implement Service Providers API for OS-FEDERATION
openstackgerritMerged openstack/keystonemiddleware: Updated from global requirements
*** sriram has joined #openstack-keystone14:10
*** tellesnobrega_ has quit IRC14:11
*** tellesnobrega_ has joined #openstack-keystone14:14
*** jraim has quit IRC14:15
*** jraim has joined #openstack-keystone14:15
*** mzbik_ has joined #openstack-keystone14:17
*** tellesnobrega_ has quit IRC14:21
*** mzbik has quit IRC14:21
*** tellesnobrega_ has joined #openstack-keystone14:21
*** mzbik_ has quit IRC14:22
*** stevemar has joined #openstack-keystone14:24
*** ChanServ sets mode: +v stevemar14:24
openstackgerritMerged openstack/keystone: Updated from global requirements
openstackgerritMarek Denis proposed openstack/keystone: Implement Service Providers API for OS-FEDERATION
marekdrodrigods: it's a big rebase so I might have missed something :
*** vhoward has joined #openstack-keystone14:30
rodrigodsmarekd, nice, will take a look14:33
stevemarmarekd, i'll take a look too :)14:34
*** mattfarina has joined #openstack-keystone14:36
*** svasheka has joined #openstack-keystone14:37
marekdstevemar: please do, thanks14:37
*** dims has joined #openstack-keystone14:39
*** dims_ has joined #openstack-keystone14:40
*** dims has quit IRC14:40
marekdstevemar: ayoung: for the websso spec ( i need your opinions whether we add an API for list of trusted horizons or we store a list of such URLs in keystone.conf14:40
*** bknudson has joined #openstack-keystone14:40
*** ChanServ sets mode: +v bknudson14:40
marekdi think it was not eventually decided.14:41
marekdrodrigods: hah, i even remembered i need to change attributes list14:50
marekdand later got distracted.14:51
*** abhirc has quit IRC14:53
stevemarmarekd, not sure we came to a decision14:59
*** radez_g0n3 is now known as radez15:00
marekdstevemar: no, we didn't15:02
marekdi expect some big deployers cannot afford restarting keystone for such a reason.15:03
marekdwhat's your experience?15:03
*** tellesnobrega_ has quit IRC15:03
stevemarmarekd, neither are really good for UX15:03
*** vsilva has quit IRC15:06
marekdstevemar: ok, but it's a must. I think we cannot do it other way round.15:07
marekdwe cannot redirect to any url.15:08
*** vsilva has joined #openstack-keystone15:09
*** topol has joined #openstack-keystone15:09
*** ChanServ sets mode: +v topol15:09
*** tellesnobrega_ has joined #openstack-keystone15:09
*** vsilva has quit IRC15:10
*** Ctina has joined #openstack-keystone15:16
*** tellesnobrega_ has quit IRC15:20
*** samueldmq has quit IRC15:21
marekdtopol: please, find responses to your comments at .15:24
openstackgerritBoris Bobrov proposed openstack/keystone: alembic initial support
topolHi marekd, I will take a look. THANKS15:31
*** EmilienM is now known as EmilienM|mtg15:33
marekdtopol: thanks.15:33
*** henrynash has joined #openstack-keystone15:36
*** ChanServ sets mode: +v henrynash15:36
*** carlosmarin has joined #openstack-keystone15:39
*** Ctina has quit IRC15:40
*** Ctina has joined #openstack-keystone15:41
*** avozza is now known as zz_avozza15:47
*** abhirc has joined #openstack-keystone15:52
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: Hierarchical multitenancy basic calls
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: Implements subtree_as_ids and parents_as_ids
*** aslaen has joined #openstack-keystone15:59
openstackgerritBoris Bobrov proposed openstack/keystone: Fix dict comprehension in federation utils
*** dims_ has quit IRC15:59
bretonmarekd: hey16:00
*** aix has quit IRC16:02
bretonmarekd: I'd appreciate if you had a look at . We either need this fix, or some tests in are lacking16:03
*** nkinder has joined #openstack-keystone16:03
*** topol_ has joined #openstack-keystone16:04
*** ChanServ sets mode: +v topol_16:04
raildohenrynash, ping, do you think about the clash name problem? any other idea?16:04
*** vishy has quit IRC16:05
henrynashraildo: so, I guess the project naming is all we can really do…obviously there is only a name clash between a project and its owning Domain…not with someone else’s domain?16:06
henrynashraildo: I assume?16:06
*** Guest36473 is now known as redrobot16:06
*** topol has quit IRC16:06
*** topol_ is now known as topol16:06
rodrigodshenrynash, ping 2: rebased this depending on a patch of yours (, but we have a change in Nova that required this to be merged ASAP, should I rebase against another change?16:06
raildohenrynash, yes, i think that the problem is just with between a project and your domain.16:07
*** chrisshattuck has joined #openstack-keystone16:07
*** vishy has joined #openstack-keystone16:07
raildos/just with between/ just between16:07
*** tellesnobrega_ has joined #openstack-keystone16:09
henrynashrodigods: so how urgent is?16:10
henrynashrodigods; it?16:10
rodrigodshenrynash, this change here: needs it16:10
rodrigods(the useful part of HMT outside keystone boundaries)16:11
henrynashrodigods: so how about a compromise: if you rebase on: then this means all our core/backends are fine, then I’ll handle the re-merge with the controller changes…16:13
henrynashrodigods: and isn’t dependant on anything…so will try and get that in asap16:13
rodrigodshenrynash, ok, I appreciate that, will rebase against that patch16:14
henrynashayoung, stevemar, lbragstad: any chance of some eyes on - good to get that in somce that our core/backends are now up to date with the assignment split. Since domain/projects were logically split in the previous patches…this one is just mechanical movement into their new location16:15
*** markvoelker has joined #openstack-keystone16:17
ayounghenrynash, Looking at it now.  I wonder if, for a huge refactoring like this, we should do something like:  copy the file verbatim to locations X, then hack out everything that should not be in the new version.16:17
ayoungNote that I AM NOT SUGGESTING THIS NOW!16:17
openstackgerritMarek Denis proposed openstack/keystone-specs: Visual Page for WebSSO
henrynashayoung: would that improve the diff output? or somehow let it more easily be reviewed?  If so, I’d be all for it….cause it’s a real pain to check whether the patch has mucked up the methods being moved...16:18
ayounghenrynash, so one review which states:  duplicates the file  assignment.core as resource.core means that I can do diff assignment/ resourec.core.py16:19
ayoungwon't show up in the code review view, but we could do it locally.16:20
ayoungthen the second commit creates the real changes to the files....16:20
marekdbreton: let me look.16:20
henrynashayoung: oh, I get it…then get rid of what you don’t want….hmm, yeah, next time around that seems like a better plan!16:20
ayoungremoving assignment stuff from core and the opposite.16:20 time.  If there is a next time.16:20
ayoungand there is always a next time16:21
henrynashayoung: just want to make sure nobody gets confused and gets in and updates the ones that are about to be nixed in between, but we could prevent that16:21
henrynashayoung: well, we could be on the lookout for that16:21
henrynashayoung: and yes, there’s always a next time!16:21
ayounganyway, this one is going to be impossible to confirm as is.  I wonder if I should do something like this:16:22
ayounggit checkout HEAD~1  assignment/core.py16:22
ayoungdiff assignment/  resource/  ?16:22
henrynashI think that’s what dstanek said he usually does16:23
marekdbreton: why do you think tests are lacking?16:26
marekdbreton: the reason why i wrote this line for group in {g['name']: g for g in groups}.values(): was that i just wanted to get rid of groups mentioned multiple times.16:28
*** ctracey has quit IRC16:29
*** ctracey has joined #openstack-keystone16:29
ayounghenrynash, that seems to be a good solution for this one16:29
openstackgerritRodrigo Duarte proposed openstack/keystone: Implements parents_as_ids query param
openstackgerritRodrigo Duarte proposed openstack/keystone: Implements subtree_as_ids query param
bretonmarekd: it's normal that group names might appear more than once?16:32
marekdbreton: this is input for mapping rules16:32
marekdso I'd say: yes16:32
*** david-ly_ is now known as david-lyle16:33
marekdif you specify two different rules, and in both of them you map to group named 'X' and luckily you qualify for both of the rules (because you work in IT dep but also work as a manager) that you may have group mapped twice.16:33
marekdand there i am simply removing duplicates.16:33
bretonunderstood. So, can be closed as invalid I guess16:33
marekdfor group in groupes will not work.16:34
marekdbreton: as long as you claim something is not properly tested.16:34
marekdyou can add a test16:34
marekdhowever i am not sure this deserves a bug.16:34
marekd(well, it does if you provide a test that fails Keystone :-)16:34
marekdbreton: makes sense?16:34
breton> for group in groupes will not work16:37
bretonit works for me now though16:37
*** rwsu-afk is now known as rwsu16:38
*** zz_avozza is now known as avozza16:42
dstanekhenrynash: ?16:42
henrynashdstanek: ?16:47
dstanekhenrynash: you mentioned me earlier, but I didn't see the context16:47
henrynashdstanek: oh. no issue….ayoung and I were discussing techniques for checking patches that involve lots of code moving around…and someone (I think it was you) was describing how you used diff locally….so no action required :-)16:48
*** abhirc has quit IRC16:48
dstanekhenrynash: ah, ok. 'no action require' is like music to my ears16:49
henrynashdstanek: :-)16:49
bknudsonstanek and nash : no action required16:49
henrynashbknudson: stanekandnash: no action likely!16:49
*** gokrokve has joined #openstack-keystone16:51
*** kfox1111 has joined #openstack-keystone17:03
*** _cjones_ has joined #openstack-keystone17:05
*** EmilienM|mtg is now known as EmilienM|afk17:05
*** jdennis1 has quit IRC17:06
openstackgerritRodrigo Duarte proposed openstack/keystone: Implements parents_as_ids query param
openstackgerritRodrigo Duarte proposed openstack/keystone: Implements subtree_as_ids query param
rodrigodshenrynash, rebased ^ :)17:07
henrynashrodigods: ok, take a look...17:07
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Improve List Role Assignments Filters Performance
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Improve List Role Assignment Tests
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Check for invalid filtering on v3/role_assignments
samueldmq-awayhenrynash, ping -  ^17:08
rodrigodshenrynash, thanks!17:08
*** dims has joined #openstack-keystone17:08
samueldmq-awayhenrynash, I've updating i) the checking for invalid filters ii) tests for invalid filters iii) list role assignments refactoring to allow filtering by domain or inherited in effective mode17:09
*** samueldmq-away is now known as samueldmq17:09
* samueldmq was still away as samueldmq-away :)17:10
*** jdennis has joined #openstack-keystone17:11
*** lhcheng has joined #openstack-keystone17:13
rodrigodsbknudson, ping... thanks for your reviews in, added the tests you requested17:13
*** andreaf_ has quit IRC17:15
*** andreaf_ has joined #openstack-keystone17:16
ayoungdstanek, henrynash was pushing the review for  to merge.  I would appreciate getting it in;  reviewing it for diffs is painful, but it is basically just code moves and adjustments for the new locations;  let's get it in so we don't have to review it again, please.17:20
*** ayoung is now known as adminyoung17:20
adminyoungand now I have to get some admin tasks done.17:20
raildoadminyoung, ping, maybe we can put some topic in the keystone meeting to discuss that problem about idp, domain, project domain-ness...17:28
adminyoungraildo, yes, good idea17:29
adminyoungraildo, I'm wondering how important it really is to treat domains and projects the same, or if we just help out Horizon to deal with them, and continue to treat them as different things in Keystone17:30
rodrigodsadminyoung, and fyi: managed to have a task here so I can take a look in the dynamic policies part so... whenever you have time, let's chat about it (already pinged you 3 times :P )17:30
adminyoungI mean, what we should have  done 2 years ago and what we can do today are two different things17:30
*** serverascode has quit IRC17:35
*** serverascode has joined #openstack-keystone17:36
samueldmqstevemar, ping - just would like to talk about
samueldmqstevemar, is that just to expose that we don't use oslo.concurrency config options ? why is that so important that we need to do that ...17:38
morganfainbergthis is a beast of a patch:
*** thedodd has joined #openstack-keystone17:39
morganfainbergeven just moving things around... it is a beast17:39
*** tqtran has joined #openstack-keystone17:40
morganfainbergbknudson, topol, i'm seeing some consistent errors on db2 CI17:40
bknudsonmorganfainberg: do you have an example?17:40
topoluggh, hopefully bknudson can look :-)17:41
morganfainbergi am looking through that now to pick out why17:41
morganfainbergwas trying to give more than just "this one" ;)17:41
morganfainbergmight be a sync of a repo needed:17:41
morganfainberg2015-01-22 16:31:55.004 | fatal: not found: did you run git update-server-info on the server?17:41
morganfainbergseeing some of that.17:41
morganfainbergerror is: ERROR: the main setup script run by this job failed - exit code: 1 from main log17:42
morganfainbergmight be pip/requires/grenade/etc - we've had some issues lately on this front with the main gate.17:43
tqtranmarekd: concerning, could you clarify how the new spec would help prevent a man-in-the-middle attack? Doesn't Horizon end up with a token in the end anyway?17:44
CtinaHey guys, anyone have a minute to answer some dumb ldap questions?17:47
stevemarmarekd, ^ still around?17:48
stevemarCtina, ask away17:48
raildoadminyoung, ++. could you add this topic there? or just formulate here the topic and I can add.17:48
morganfainbergCtina, anytime.17:48
CtinaI'm seeing something similar to what's discussed here: where i set my user_id_attribute=uidNumber but doing a keystone user-list or a keystone user-get shows the cn as the user-id17:49
Ctinai found which puts the fix in Juno. I'm currently running icehouse and thinking of switching to a ldap + mysql backend. Should I wait until we upgrade to Juno?17:49
stevemarsamueldmq, we didn't have to change it, but we should list all the modules are import there ... and leave a reason why we comment it out17:49
rodrigodsstevemar, samueldmq, a new generate of wouldn't erase it?17:50
morganfainbergCtina, looking at the bugs now.17:51
Ctinasince my 'id' isn't an element in my dn17:51
*** tellesnobrega_ has quit IRC17:51
stevemarrodrigods, nope17:52
stevemarCtina, what are the settings in your keystone.conf, can you add them to ?17:53
stevemarjust the ldap ones :) don't include hostname + uname/pass obv :P17:53
morganfainbergCtina, the fix you pointed out does in-fact look like what you need. the DIT isn't controlled so we need to honor the attr map for ID17:54
morganfainbergCtina, so when you user-get, you get a "no such user" or bad data?17:55
Ctinamorganfainberg, I was able to get the user but I had to do a user-get "<cn>"17:56
stevemari think marekd is away for a bit :(17:57
Ctinamorganfainberg: the user i got back though has the email set and the cn for the id, name, and username attributes17:59
morganfainbergCtina, ok this does absolutely look like that bug then.17:59
Ctinamorganfainberg: boo okay thanks. Having a single uuid across zones would save us a lot of headache. Looks like i'll hold off implementing ldap + mysql backend until we go to Kilo (we're skipping Juno)18:02
morganfainbergCtina, well let me see if we can backport to I. this might be a pretty easy backport18:03
morganfainbergthis looks to be the bulk of the change:
morganfainbergit's not massive. and might be worth sneaking into icehouse.18:03
morganfainbergs/sneaking/properly backporting18:03
*** EmilienM|afk is now known as EmilienM18:03
*** gyee has joined #openstack-keystone18:04
*** ChanServ sets mode: +v gyee18:04
Ctinamorganfainberg: that'd be awesome18:04
morganfainbergCtina, in fact......18:04
morganfainberggyee, how painful would backport of be to icehouse?18:05
morganfainberggyee, i know a lot of stuff has shifted in the LDAP driver since then.18:05
gyeemorganfainberg, looking18:06
*** _cjones_ has quit IRC18:06
morganfainberggyee, might be worth fixing that bug in icehouse before it's EOL18:06
rodrigodsmorganfainberg, marekd, stevemar regarding URL field deprecation for regions table, should we just drop it?18:07
raildomorganfainberg, do you know if there exists some tutorial explaining how to install two (or more) keystone in a single cloud?18:07
morganfainbergrodrigods, it was only ever used for K2K right? (cc marekd stevemar )?18:07
adminyoungCtina, so there might be something you want to try:18:07
morganfainbergrodrigods, if so - probably.18:07
stevemarmorganfainberg, right, and it was experimental18:07
stevemarso drop it18:08
morganfainbergthen yes. drop it18:08
morganfainberglike it's hot18:08
stevemarno need to migrate it18:08
morganfainbergi mean... sorry >.>18:08
stevemarlike it HOT!18:08
adminyoungCtina, is the problem only with users/groups for you?18:08
gyeemorganfainberg, should be able to backport, I don't think its that bad18:08
rodrigodsmorganfainberg, stevemar, remove the migration that was adding it, and add a migration to drop it if present? (or just the last one?)18:08
morganfainberggyee, that was my thought. i'm going to run to get coffee/food - follow Ctina and adminyoung's convo - i'm good with proposing that to stable if it solves that issue18:09
morganfainbergrodrigods, no don't remove the migration adding it18:09
stevemarrodrigods, i mean no need to add a migration 'region_url -> sp_url'18:09
*** adminyoung is now known as ayoung18:09
*** harlowja has joined #openstack-keystone18:09
rodrigodsstevemar, morganfainberg, ++18:09
Ctinaadminyoung: i think so? I was trying out the mysql + ldap backend stuff since i'm a noob at ldap and noticed that i couldn't get the userids to show up18:09
morganfainbergstevemar, hm. actually do we want a migration?18:10
morganfainbergstevemar, that *might* be easy... or are we saying you can't use the old k2k and need to re-setup things?18:10
ayoungCtina, there is some weirdness in the mapping, due to an assumption that the DN was composed of the CN...which is true in only some cases18:10
gyeesorry I missed the whole conversation, so Ctina and adminyoung's having issue with attribute mapping?18:10
Ctinaayoung: i thought with the dual backends it was only users and groups that you used the ldap for?18:10
morganfainbergstevemar, experimental lets us do that, but think of the best experience18:11
ayoungCtina, that is true18:11
ayoungCtina, you want the stuff we have in Juno, for certain18:11
morganfainberggyee, Ctina is having issues with a get-user call without using the CN (vs. using the uid mapped, e.g. id_attr = uidNumber18:11
samueldmqstevemar, great. fair enough (
Ctinagyee: i don't have an id attribute in my dn so when i configure my system for an ldap + mysql backend, it uses the cn for the user id18:11
ayoungon the User side, you want to do queries for the user as opposed to the approach of building the DN straight from CN+Subtree path/18:11
ayoungYou might be doing this already;18:12
samueldmqrodrigods, ^ no, rerunning tox -e sample_config doesn't override it18:12
samueldmqrodrigods, just tested18:12
morganfainbergCtina, ++ better description than mine /me ducks out with the really-LDAP-smart folks on the case.18:12
gyeeldap + mysql in IceHouse? you are doing custom driver right?18:12
rodrigodssamueldmq, great! :)18:12
morganfainbergraildo, as in HA?18:12
morganfainbergraildo, or Keystone-to-Keystone?18:12
ayoungwhat do you have your query_scope set to?18:12
raildoin HA18:12
morganfainbergraildo, sounds like you're asking for HA.18:12
raildomorganfainberg, yes :)18:13
morganfainbergraildo, hm. i think some docs are out there, but we don't have any in-tree because it's outside the scope of keystone.18:13
ayoungCtina, this might not be your problem18:13
Ctinaayoung: i left the default "query_scop=one"18:13
ayoungCtina, try it with sub18:13
morganfainbergraildo, e.g. "you can HA this in many ways, but we don't prescribe a specific method" - you can use HAProxy, Keepalived18:13
morganfainbergraildo, etc18:13
morganfainbergraildo, vrrp18:14
Ctina@gyee yes ldap + mysql in Icehouse using the ldap driver for identity and sql for assignment18:14
*** harlowja has quit IRC18:14
raildomorganfainberg, right, I'll search something about this, thank you.18:14
Ctinaayoung: same result18:14
ayoungOK...different problem then18:15
morganfainbergayoung, it looks like this is that bug linked because the id_mapped attribute is being ignored18:15
morganfainbergayoung, in favor of the values in the CN18:15
*** harlowja has joined #openstack-keystone18:15
morganfainbergoh. uvirbot. how i miss you18:15
gyeethough by using sub filter, the code will attempt to parse the id from user DN18:16
Ctinaayoung, morganfainberg, gyee: it's not a big deal to wait until we go to kilo for this, but if it's easy to sneak into Icehouse before EOL it'd be very helpful18:16
ayoungmorganfainberg, we can backport that if it is essential,but since there are so many shortcomings of the old code base, would recommend that we not do that back to anything older than maybe Icehouse18:16
ayoungwhat is supported right now?18:16
morganfainbergayoung, icehouse is oldest18:17
morganfainbergayoung, and fix is in juno18:17
morganfainbergayoung, this is a case of "yeah probably makes sense to backport it"18:17
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Remove URL field from regions
Ctinaayoung: would the other shortcomings you reference make you afraid to put it in production with icehouse ldap + mysql?18:17
rodrigodsmorganfainberg, marekd, stevemar first step ^18:17
ayoungyeah...  richm do you think this one is going to mess you up as well:  ?18:17
*** _cjones_ has joined #openstack-keystone18:18
morganfainbergit looks like a small enough change, with a big enough win to fix a real-hits-operators bug, its worth it18:18
ayoungCtina, I was talking older:  read only LDAP not supported if you don't have identity and assignment in two different backends18:18
Ctinaayoung: gotcha18:19
morganfainbergdstanek, talked to dhellmann about strictabc, we're going to move it to its own lib once we get things all happy w/ it18:19
morganfainbergdstanek, it's likely to be useful for stevedore as well18:19
dstanekmorganfainberg: nice18:20
*** abhirc has joined #openstack-keystone18:20
morganfainberglbragstad, digging up the MySQL tunables for you today18:21
lbragstadmorganfainberg: \o/18:21
morganfainbergdstanek, that review is ready for more eyes. but i think i want to make another tweak - abstract out the @six.add_metaclass needs18:21
morganfainbergso there is a direct decorator to apply to a class @strict_abstract18:22
morganfainbergwhich does all the @six.add_metaclass magic18:22
dstanekmorganfainberg: i added it to today's queue - i didn't realize that it wasn't a wip anymore18:22
morganfainbergthe only question i have then is do I go one step further and make it possible to automatically mark all methods and properties abstract? /me isn't sure.18:22
morganfainbergdstanek, it was made non-WIP as of thursday, or friday.18:23
morganfainbergno big deal that it wasn't looked at until today18:23
richmayoung: yes, it could, but so far none of us working on puppet-keystone have run into it - I see that it is targeted for juno - has it been backported yet?18:24
ayoungrichm, I don't think it is a backport:  I think it was written for Juno18:25
richmok - so the fix is already in juno18:25
ayoungI wish it had "merge" instead of "commit" dates in the message18:25
ayoung richm  but the bug update message was generated on 2014-09-13:18:26
ayoungthat was Juno18:26
ayoungrichm, so you are not concerned with Icehouse issues then on the Puppet side of thing, just Juno?18:26
samueldmqtopol, ping - would like to ask a view from a core-reviewer on keystone-specs :)18:27
samueldmqtopol, could please take a look at ?18:28
samueldmqtopol, it's a patch that addresses API changes for 'Add support for domain specific roles ' (, which has your +1 (could be a +2 :p)18:29
*** amakarov is now known as amakarov_away18:35
*** zzzeek has joined #openstack-keystone18:35
* morganfainberg needs coffee badly [/gauntlet reference]18:36
gyeelight roasted18:38
morganfainberggyee, added icehouse and assigned to you18:39
*** atiwari has joined #openstack-keystone18:39
gyeek, coding day :)18:39
morganfainberglbragstad, can i ask you a huuuuuge favor today?18:40
morganfainberglbragstad, help me knock this list down to something less than... say 5:
lbragstadmorganfainberg: sure18:40
morganfainberg19 new18:40
*** zhiyan has quit IRC18:40
lbragstadwhat happened!18:40
morganfainbergsome of these are dupes i can already see18:40
morganfainberglbragstad, midcycle18:40
*** zhiyan has joined #openstack-keystone18:40
morganfainberglbragstad, i've been keeping it hovering at about 818:41
morganfainbergsome of these are deep in our code and hard to chase18:41
morganfainbergwe also have a number with priority but in "new" status18:41
morganfainbergayoung, we got a bug against LDAP assignment:
morganfainbergayoung, damn.18:42
* morganfainberg really misses uvirbot18:42
*** jistr has quit IRC18:42
gyeethought we have precisely one R/W LDAP deployment out there, according to the survey18:43
morganfainberggyee, this is R/O LDAP assignment it looks like18:43
Ctinamorganfainberg, gyee: thanks!18:44
gyeeCtina, no problem, I love writing code18:45
*** thedodd has quit IRC18:53
*** rushiagr is now known as rushiagr_away18:57
*** harlowja has quit IRC18:57
*** pnavarro has quit IRC18:58
topolHi samuelq,  looks like it has some type of merge conflict18:59
topolsamueldmq, it looks like ? has some type of merge conflict?19:01
*** kfox1111 has quit IRC19:09
*** pnavarro has joined #openstack-keystone19:09
*** atiwari has quit IRC19:11
*** david-lyle is now known as david-lyle_afk19:15
samueldmqtopol, yes .. looks like something was added at the same lines I'm adding, but what we propose is there19:16
samueldmqtopol, I didn't submit a new patch set because I'd like to keep the comments in there19:17
samueldmqtopol, I'll rebase it and then re-add comments ...19:17
*** nellysmitt has quit IRC19:26
openstackgerritRodrigo Duarte proposed openstack/keystone: Drop URL field from region table
*** harlowja has joined #openstack-keystone19:41
*** thedodd has joined #openstack-keystone19:42
openstackgerritRodrigo Duarte proposed openstack/keystone: Drop URL field from region table
*** radez is now known as radez_g0n319:46
*** thedodd has quit IRC19:51
*** nellysmitt has joined #openstack-keystone19:51
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone-specs: Add domain roles APIs
*** thedodd has joined #openstack-keystone19:53
samueldmqtopol, ^ new version ... you can refer to previous patch sets to get the discussion that is going on19:53
samueldmqtopol, in summary, whether we should add new apis for domain-role operations or not19:54
samueldmqtopol, thanks :)19:54
samueldmqhenrynash, you around ?19:54
*** pnavarro has quit IRC19:54
*** hichtakk has joined #openstack-keystone19:55
stevemarsamueldmq, henrynash is probably offline, he's london time :)19:58
*** r-daneel has joined #openstack-keystone19:59
samueldmqstevemar, oh sure, thanks :)20:01
henrynashstevemar, samueldmq: but I happen to be just checking in, actually….so what’s up?20:05
samueldmqhenrynash, hey, just would like to talk about assignments patch, I updated it according to our discussion of last week20:09
samueldmqmorganfainberg, could you please give me your view on the migration being done at ?20:09
henrynashsamueldmq: yes, started to look at it…will review more later - and rebase my experimental data driven tests on it to see if they now pass20:09
samueldmqhenrynash, great! I will still add more tests and see if I need to update docs20:10
morganfainberghenrynash, sorry about the "this patch is too large" comment on your resource split - but even just moving 1400+ lines is very hard to follow.20:10
henrynashsamueldms: well all my tests are in test_backend…not at the REST level…so if we decide to merge mine in, then they would complement each other nicely20:11
morganfainberghenrynash, doing my best to get through it.20:11
raildohenrynash, ping, i put a topic about clashing names in the tomorrow meeting, ok?20:11
henrynashmorganfainberg: i know, i kno20:11
marekdstevemar: topol morganfainberg rodrigods k2k talk?20:11
samueldmqhenrynash, great! I will review your work as well20:11
samueldmqhenrynash, I will base one patch of mine on your metadata removal patch20:12
samueldmqhenrynash, mine's regarding the removal of duplicated inherited logic from several methods in assignments20:12
samueldmqhenrynash, they'll use list_role_assignments instead (just to recap)20:12
stevemarmarekd, i'm prepping an etherpad will send out soon20:13
samueldmqmorganfainberg, is this still valid ? bug #124062520:16
samueldmqis the channel bot on vacancies ?20:16
morganfainbergthe channel bot is gone20:16
morganfainbergi'm looking at fixing that20:16
morganfainbergthe bot owner also dropped from all channels20:16
samueldmqsad, we need it back :)20:17
morganfainbergworking on that20:17
samueldmqnice ! will ask someone else to look at that20:17
morganfainbergand i don't know if we care about that bug. i mean. it is a valid bug.20:17
morganfainbergworking on the bot that is20:17
morganfainbergnot the bug20:17
samueldmqahha ++20:17
morganfainbergs/valid bug/gap in capability of a user20:18
samueldmqso should that be invalid?20:18
samueldmqmaybe ?20:18
morganfainberglike i said, not sure how much we care.20:18
samueldmqI have a patch for that, and wouldnt like to spent efforts if we don't really care :)20:19
samueldmqs/spent/spend more20:19
morganfainbergsamueldmq, hehe so *maybe* the answer is if we go down that path we need to make a "20:19
morganfainberguser can update XXX things about themselves" api, not just password20:20
morganfainbergbut we can't just "fix" the policy in this case.20:20
morganfainbergespecially since changing the default project in v2 has access implications20:21
samueldmqlooks like we should not touch that ...20:21
morganfainbergsamueldmq, yeah it gets a bit scary20:21
samueldmqnot this way at least20:21
samueldmqwill abandon my patch and say I got scared20:22
morganfainberghaha you can just abandon the patch w/o saying you're scared ;)20:22
samueldmqwill describe the possible implications you pointed out here :-)20:23
samueldmqabandoning something w/o saying anything is like 'I got scared' for me20:23
*** radez_g0n3 is now known as radez20:29
*** nellysmitt has quit IRC20:35
*** tellesnobrega_ has joined #openstack-keystone20:35
bknudsonbtw - there was some question at the keystone meetup about the barbican meetup -- it's feb 16-18 :
*** kfox1111 has joined #openstack-keystone20:41
*** atiwari has joined #openstack-keystone20:41
richmayoung: ping - If one does not specify /v2.0 or /v3 in front of a REST URI, what happens e.g. http://host:port/users?20:42
dstanekrichm: i'm guessing 404, but i haven't tried that20:42
ayoungrichm, human sacrifice, dogs and cats living together, mass hysteria20:42
dstanekayoung: and a marshmallow man!20:43
ayoungor a 40420:43
richmso it is required to specify /v2.0 or /v320:43
ayoungdstanek, we have a project in house called Staypuft.20:43
* richm runs . . .20:43
ayoungrichm, you making a direct URL call?20:43
ayoungdstanek, I want to toast it20:43
*** tellesnobrega_ has quit IRC20:44
richmneed a project S'Mores20:44
richmayoung: someone in #puppet-keystone is asking if we even need to have /v2.0 or /v3 in some urls, due to something called "service discovery"20:44
*** kfox1111 has quit IRC20:45
*** abhirc has quit IRC20:48
*** abhirc has joined #openstack-keystone20:49
*** abhirc has quit IRC20:54
*** _cjones_ has quit IRC20:59
*** _cjones_ has joined #openstack-keystone20:59
*** markvoelker has quit IRC21:00
*** Ctina_ has joined #openstack-keystone21:01
*** Ctina has quit IRC21:04
*** Ctina_ has quit IRC21:06
*** gabriel-bezerra has quit IRC21:07
*** samueldmq has quit IRC21:07
*** tellesnobrega has quit IRC21:07
*** raildo has quit IRC21:07
*** htruta has quit IRC21:07
*** evilrob has joined #openstack-keystone21:07
evilrobI'm going through the steps at and am to the creating the tenant point.  I don't have any processes listening on the indicated port in the config example.  Did I miss a step or is something not going right?21:08
*** raildo has joined #openstack-keystone21:12
*** htruta has joined #openstack-keystone21:12
*** gabriel-bezerra has joined #openstack-keystone21:13
evilrobyeah... just getting constant restarts "init: keystone main process (19642) terminated with status 1"21:14
*** tellesnobrega has joined #openstack-keystone21:15
*** dims has quit IRC21:16
*** dims has joined #openstack-keystone21:16
*** dims has quit IRC21:21
*** dims has joined #openstack-keystone21:27
openstackgerritayoung proposed openstack/keystone-specs: certmonger
topolhi marekd, I just reviewed I think it's close21:35
*** david-lyle_afk is now known as david-lyle21:40
*** packet has joined #openstack-keystone21:50
*** atiwari has quit IRC21:55
*** atiwari has joined #openstack-keystone21:56
*** _cjones_ has quit IRC21:58
*** _cjones_ has joined #openstack-keystone22:00
*** sriram has quit IRC22:14
*** samueldmq has joined #openstack-keystone22:21
*** radez is now known as radez_g0n322:22
*** jasondotstar has joined #openstack-keystone22:28
*** bknudson has quit IRC22:30
*** kfox1111 has joined #openstack-keystone22:34
*** mattfarina has quit IRC22:39
*** jamielennox|away is now known as jamielennox22:41
*** topol has quit IRC22:43
morganfainbergFYI, working with Infra to re-enable bug XXX -> bot showing the info about that bug:
*** abhirc has joined #openstack-keystone22:56
*** thedodd has quit IRC22:59
*** mriedem has joined #openstack-keystone23:07
mriedemsomeone please photoshop bknudson's new evil face on this
jamielennoxmriedem: 'new' evil face?23:08
mriedemwell, evil face 2.023:08
* jamielennox just got here - missed something23:09
*** andreaf_ has quit IRC23:09
mriedembknudson's newish goatee23:09
*** abhirc has quit IRC23:09
jamielennoxmriedem: haven't seen him23:09
*** andreaf_ has joined #openstack-keystone23:10
jamielennoxbut i'll look out for it23:10
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Add get_communication_params interface to plugins
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Add get_headers interface to authentication plugins
*** jaosorior has quit IRC23:14
*** _cjones_ has quit IRC23:18
*** joesavak has quit IRC23:18
*** stevemar has quit IRC23:19
*** henrynash has quit IRC23:19
morganfainbergstevemar, marekd, is there anything left to do on this bp:
*** tellesnobrega_ has joined #openstack-keystone23:29
*** gordc has quit IRC23:29
*** david-lyle is now known as david-lyle_afk23:31
jamielennoxmorganfainberg: i am not a channel operator, can you set topic:23:35
jamielennoxRelease Blockers: << please review |
*** carlosmarin has quit IRC23:36
morganfainbergLOL "you're not a channel operator"23:36
jamielennoxwho the hell is a channel operator?23:36
morganfainbergjamielennox, try: /msg chanserv topic #openstack-keystone Release Blockers: << please review |
morganfainbergjamielennox, want to see if you have permission to do that23:37
*** ChanServ changes topic to "Release Blockers: << please review |"23:37
morganfainbergjamielennox, there ya go all current core can do that23:37
jamielennoxhuh - ok23:37
* morganfainberg actually setup permissions right initially23:37
jamielennoxthat's reasonable23:37
jamielennoxmorganfainberg: my release on the 1st target is going to fail miserably at this rate23:38
morganfainbergjamielennox, now that i'm back home i actually have time for reviews23:39
morganfainbergwhole last week kinda made things icky23:39
jamielennoxmarekd: are you here?23:41
morganfainbergjamielennox, is missing23:41
morganfainbergsomething weird with that one23:42
jamielennoxmorganfainberg: i wrote the original impl - marekd's been doing the work23:42
morganfainbergbut no bp.23:42
morganfainbergin lp?23:42
morganfainbergor.. uh..23:42
jamielennoxdidn't realize i still was author23:42
morganfainbergthat was a direct link from the blocking reviews gist23:42
*** ChanServ changes topic to "Release Blockers: << please review for client release on Feb 1st |"23:43
*** abhirc has joined #openstack-keystone23:43
openstackgerritayoung proposed openstack/keystone:  member for assignment policy
*** chlong has joined #openstack-keystone23:55
