Wednesday, 2015-01-28

[00:00] *** henrynash has joined #openstack-keystone
[00:00] *** ChanServ sets mode: +v henrynash
[00:00] *** chrisshattuck has quit IRC
[00:06] morganfainberg: jamielennox, hm
[00:06] morganfainberg: i'd like to keep history if possible
[00:06] morganfainberg: but i don't mind either way
[00:07] jamielennox: morganfainberg: it won't work through gerrit i think
[00:07] openstackgerrit: Steve Martinelli proposed openstack/keystone: Use lower() correctly in _ldap_res_to_model  https://review.openstack.org/150631
[00:07] morganfainberg: no you need to do it as an import
[00:07] morganfainberg: if we already made the repo in gerrit
[00:07] morganfainberg: don't worry about saving history
[00:07] morganfainberg: it's not *that* important imo
[00:07] jamielennox: agreed
[00:07] jamielennox: morganfainberg: https://review.openstack.org/150627
[00:08] morganfainberg: looks good at a glance minus pep8 issues
[00:08] morganfainberg: we also need to get an integration test spun up for both plugins
[00:08] morganfainberg: need to know it'll even load into ksc
[00:10] jamielennox: morganfainberg: so i should put the tests into /unit/ right off the bat?
[00:18] morganfainberg: those probably need to be hm
[00:18] morganfainberg: unless ksc is loaded into environment it might need a special test
[00:18] morganfainberg: not sure
[00:21] openstackgerrit: Steve Martinelli proposed openstack/keystone: Use proper string checking  https://review.openstack.org/150634
[00:21] stevemar: dear ldap, you stink
[00:21] stevemar: bye!
[00:22] *** raildo has joined #openstack-keystone
[00:26] *** drjones has joined #openstack-keystone
[00:26] *** _cjones_ has quit IRC
[00:29] *** drjones has quit IRC
[00:30] *** _cjones_ has joined #openstack-keystone
[00:31] *** raildo has quit IRC
[00:32] *** thedodd has quit IRC
[00:32] jamielennox: does anyone know if oslosphinx figured out the autodoc thing
[00:33] *** david-lyle is now known as david-lyle_afk
[00:34] openstackgerrit: Lin Hua Cheng proposed openstack/keystone: Add schema for endpoint group  https://review.openstack.org/150292
[00:38] openstackgerrit: henry-nash proposed openstack/keystone: Support data-driven backend assignment testing  https://review.openstack.org/149178
[00:41] *** gokrokve has quit IRC
[00:46] *** nkinder has joined #openstack-keystone
[00:47] *** atiwari2 has quit IRC
[00:48] openstackgerrit: Jamie Lennox proposed openstack/python-keystoneclient-federation: Copy the existing federation plugins over.  https://review.openstack.org/150627
[00:49] *** atiwari2 has joined #openstack-keystone
[00:50] openstackgerrit: henry-nash proposed openstack/keystone: Support data-driven backend assignment testing  https://review.openstack.org/149178
[00:51] openstackgerrit: henry-nash proposed openstack/keystone: Support data-driven backend assignment testing  https://review.openstack.org/149178
[00:53] openstackgerrit: henry-nash proposed openstack/keystone: Support data-driven backend assignment testing  https://review.openstack.org/149178
[00:53] *** henrynash has quit IRC
[01:02] *** ncoghlan has joined #openstack-keystone
[01:05] openstackgerrit: Jamie Lennox proposed openstack/python-keystoneclient-federation: Copy the existing federation plugins over.  https://review.openstack.org/150627
[01:08] openstackgerrit: Steve Martinelli proposed openstack/keystone: Fix up _ldap_res_to_model for ldap identity backend  https://review.openstack.org/150631
[01:09] stevemar: gyee, thanks for reviewing, i combined them into 1 patch, for easier reviewing
[01:10] stevemar: trying to think of a test for this...
[01:10] lhcheng: hi folks, quick question on where to write the tests..
[01:10] lhcheng: planning to add some tests for endpoint group schema
[01:11] lhcheng: not sure if this is the right place: https://github.com/openstack/keystone/blob/master/keystone/tests/test_validation.py
[01:11] stevemar: lhcheng, i think it is
[01:11] lhcheng: because endpoint group is an extension and not core
[01:12] lhcheng: stevemar: okay, thanks for confirming!
[01:13] *** tqtran has quit IRC
[01:13] stevemar: meh, everything is core now :P
[01:13] stevemar: it's 'stable' vs 'experimental' now
[01:13] lhcheng: lol
[01:14] lhcheng: makes life easier :P
[01:15] stevemar: yes it does :P
[01:16] *** Farhan has quit IRC
[01:16] *** lhcheng has quit IRC
[01:19] *** r-daneel has quit IRC
[01:20] *** dtroyer_zz has quit IRC
[01:20] *** packet has quit IRC
[01:20] *** arif-ali has quit IRC
[01:20] *** arif-ali has joined #openstack-keystone
[01:21] *** dtroyer has joined #openstack-keystone
[01:27] *** arif-ali has quit IRC
[01:27] *** arif-ali has joined #openstack-keystone
[01:28] *** dims has quit IRC
[01:30] openstackgerrit: Jamie Lennox proposed openstack/python-keystoneclient-federation: Copy the existing federation plugins over.  https://review.openstack.org/150627
[01:30] *** nellysmitt has joined #openstack-keystone
[01:32] *** gokrokve has joined #openstack-keystone
[01:33] jamielennox: here's a relatively easy review with one +2 already: https://review.openstack.org/#/c/131380/
[01:33] *** rwsu is now known as rwsu-afk
[01:33] jamielennox: longish but not hard
[01:34] jamielennox: here's an almost trivial one with a +2 https://review.openstack.org/#/c/140871/
[01:35] *** nellysmitt has quit IRC
[01:38] *** arif-ali has quit IRC
[01:39] *** arif-ali has joined #openstack-keystone
[01:40] *** gokrokve has quit IRC
[01:40] *** gokrokve has joined #openstack-keystone
[01:44] *** timcline has joined #openstack-keystone
[01:45] *** timcline has quit IRC
[01:46] *** timcline has joined #openstack-keystone
[01:49] *** abhirc has quit IRC
[01:50] *** arif-ali has quit IRC
[01:50] *** gokrokve has quit IRC
[01:51] *** arif-ali has joined #openstack-keystone
[01:51] *** gokrokve has joined #openstack-keystone
[01:55] gyee: stevemar, cool
[01:55] *** gokrokve has quit IRC
[01:57] *** gyee has quit IRC
[01:57] *** atiwari2 has quit IRC
[02:06] *** marg7175 has quit IRC
[02:08] *** marg7175 has joined #openstack-keystone
[02:08] *** _cjones_ has quit IRC
[02:09] *** abhirc has joined #openstack-keystone
[02:17] stevemar: got your back jamielennox
[02:17] jamielennox: stevemar: ah reviews ?
[02:18] stevemar: +2s
[02:19] jamielennox: stevemar: sweet, thanks
[02:19] jamielennox: stevemar: hey did you see we're going to start using the ksc-federation repo rather than ksc
[02:19] jamielennox: i posted the first copy over review
[02:21] *** hugokuo has quit IRC
[02:21] *** charz has quit IRC
[02:21] *** erkules_ has joined #openstack-keystone
[02:24] *** erkules has quit IRC
[02:25] *** charz has joined #openstack-keystone
[02:26] *** saikrishna has joined #openstack-keystone
[02:27] stevemar: i saw that, neat
[02:28] stevemar: did the refactor go through?
[02:28] stevemar: ah it's against ksc-fed now
[02:29] *** hugokuo has joined #openstack-keystone
[02:31] stevemar: just one comment
[02:33] jamielennox: stevemar: was going to add them in the refactor
[02:33] jamielennox: the refactor renamed them anyway
[02:34] stevemar: ah okay
[02:37] *** saikrishna has quit IRC
[02:43] *** saikrishna has joined #openstack-keystone
[02:47] *** tellesnobrega_ has joined #openstack-keystone
[02:49] openstackgerrit: Merged openstack/keystonemiddleware: Fix passing parameters to log message  https://review.openstack.org/140871
[02:52] *** saikrishna has quit IRC
[02:54] openstackgerrit: Merged openstack/python-keystoneclient: Update requests-mock syntax  https://review.openstack.org/131380
[02:54] *** junhongl has joined #openstack-keystone
[02:57] *** harlowja is now known as harlowja_away
[03:09] *** richm has quit IRC
[03:14] *** marg7175 has quit IRC
[03:18] *** kfox1111 has joined #openstack-keystone
[03:19] *** timcline has quit IRC
[03:19] *** timcline has joined #openstack-keystone
[03:21] *** oomichi_ has joined #openstack-keystone
[03:24] *** timcline has quit IRC
[03:27] *** kfox1111 has quit IRC
[03:28] *** marg7175 has joined #openstack-keystone
[03:31] *** nellysmitt has joined #openstack-keystone
[03:36] *** nellysmitt has quit IRC
[03:39] *** marg7175 has quit IRC
[03:50] *** chrisshattuck has joined #openstack-keystone
[03:57] *** markvoelker has quit IRC
[03:57] *** markvoelker has joined #openstack-keystone
[04:02] *** markvoelker has quit IRC
[04:04] *** rdo_ has quit IRC
[04:05] *** rdo has joined #openstack-keystone
[04:07] *** oomichi_ has quit IRC
[04:22] *** gordc has joined #openstack-keystone
[04:24] *** abhirc has quit IRC
[04:29] *** dims has joined #openstack-keystone
[04:32] *** gordc has quit IRC
[04:33] *** dims has quit IRC
[04:36] jamielennox: is there a developer access to one of the public clouds? my 2 factor auth tokens keep getting revoked and i get cut off from running tests..
[04:37] *** tellesnobrega_ has quit IRC
[04:46] *** lhcheng has joined #openstack-keystone
[04:51] openstackgerrit: Steve Martinelli proposed openstack/keystone: Add a domain to federated users  https://review.openstack.org/110858
[04:58] *** ajayaa has joined #openstack-keystone
[05:10] stevemar: hey jamielennox - any chance you could look @ my question here: https://review.openstack.org/#/c/142147/3/keystoneclient/tests/v3/test_tokens.py
[05:10] stevemar: it's not like blk-u to make a mistake
[05:12] stevemar: i'm trying to earn my citizenship
[05:13] *** markvoelker has joined #openstack-keystone
[05:13] stevemar: apparently reviewing is the only way to earn it :(
[05:15] *** wolsen_ is now known as wolsen
[05:30] *** dims has joined #openstack-keystone
[05:32] *** nellysmitt has joined #openstack-keystone
[05:34] *** markvoelker has quit IRC
[05:34] *** markvoelker has joined #openstack-keystone
[05:36] *** nellysmitt has quit IRC
[05:39] *** markvoelker has quit IRC
[05:39] *** chrisshattuck has quit IRC
[05:43] *** zzzeek has quit IRC
[05:50] *** oomichi_ has joined #openstack-keystone
[05:52] *** rushiagr_away is now known as rushiagr
[06:04] openstackgerrit: OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/149158
[06:07] *** dims has quit IRC
[06:12] *** gokrokve has joined #openstack-keystone
[06:15] jamielennox: stevemar: i think that the mock will get picked up regardless of the query string
[06:15] jamielennox: then later he asserts assertQueryStringContains(nocatalog=None)
[06:16] jamielennox: which i'm not sure exactly, i assume that means just ?nocatalog rather than like /nocatalog=1 or something
[06:35] openstackgerrit: Steve Martinelli proposed openstack/keystone: Fix up _ldap_res_to_model for ldap identity backend  https://review.openstack.org/150631
[06:35] *** markvoelker has joined #openstack-keystone
[06:36] *** zhiyuan has joined #openstack-keystone
[06:36] *** KanagarajM2 has joined #openstack-keystone
[06:38] openstackgerrit: Mehdi Abaakouk proposed openstack/keystone-specs: tokens swift persistent backend  https://review.openstack.org/131515
[06:41] *** MasterPiece has joined #openstack-keystone
[06:41] *** markvoelker has quit IRC
[06:48] openstackgerrit: Merged openstack/pycadf: Add new CADF taxonomy types  https://review.openstack.org/149013
[06:50] openstackgerrit: Mehdi Abaakouk proposed openstack/keystone-specs: tokens swift persistent backend  https://review.openstack.org/131515
[06:52] *** gokrokve_ has joined #openstack-keystone
[06:53] *** gokrokve_ has quit IRC
[06:53] *** gokrokve_ has joined #openstack-keystone
[06:56] *** gokrokve has quit IRC
[06:57] *** gokrokve_ has quit IRC
[07:06] openstackgerrit: Steve Martinelli proposed openstack/keystone: Add WebSSO support for federation  https://review.openstack.org/136177
[07:07] *** afazekas has joined #openstack-keystone
[07:12] *** mzbik has joined #openstack-keystone
[07:13] openstackgerrit: Lin Hua Cheng proposed openstack/keystone: Add schema for endpoint group  https://review.openstack.org/150292
[07:20] *** avozza is now known as zz_avozza
[07:24] openstackgerrit: wanghong proposed openstack/python-keystoneclient: make req_ref doesn't require id  https://review.openstack.org/148499
[07:26] stevemar: marekd, o/
[07:28] stevemar: marekd, i rebased and re-submitted a patch for the websso stuff for keystone
[07:28] stevemar: try to take a look :)
[07:28] openstackgerrit: guang-yee proposed openstack/keystone-specs: Tokenless authorization with X.509 SSL client certificate  https://review.openstack.org/105913
[07:33] *** nellysmitt has joined #openstack-keystone
[07:33] *** stevemar has quit IRC
[07:35] *** jaosorior has joined #openstack-keystone
[07:38] *** markvoelker has joined #openstack-keystone
[07:38] *** nellysmitt has quit IRC
[07:40] *** zz_avozza is now known as avozza
[07:43] *** markvoelker has quit IRC
[07:45] *** erkules_ is now known as erkules
[07:50] *** avozza is now known as zz_avozza
[07:54] *** zz_avozza is now known as avozza
[07:55] mzbik: #neutron
[07:55] mzbik: ups
[07:56] *** mzbik has left #openstack-keystone
[07:56] *** mzbik has joined #openstack-keystone
[07:58] *** aix has joined #openstack-keystone
[08:05] *** avozza is now known as zz_avozza
[08:05] *** oomichi_ has quit IRC
[08:09] *** jamielennox is now known as jamielennox|away
[08:12] *** nellysmitt has joined #openstack-keystone
[08:13] *** markvoelker has joined #openstack-keystone
[08:17] *** markvoelker has quit IRC
[08:25] *** krykowski has joined #openstack-keystone
[08:35] *** zz_avozza is now known as avozza
[08:41] *** lhcheng has quit IRC
[08:42] *** lhcheng has joined #openstack-keystone
[08:45] openstackgerrit: Dave Chen proposed openstack/keystone: Remove local conf information from paste-ini  https://review.openstack.org/134125
[08:46] *** krykowski has quit IRC
[08:46] *** lhcheng has quit IRC
[08:47] *** ncoghlan has quit IRC
[08:51] *** krykowski has joined #openstack-keystone
[09:08] *** dims has joined #openstack-keystone
[09:09] *** pnavarro has joined #openstack-keystone
[09:13] *** dims has quit IRC
[09:14] *** markvoelker has joined #openstack-keystone
[09:19] *** markvoelker has quit IRC
[09:23] *** jistr has joined #openstack-keystone
[09:35] *** henrynash has joined #openstack-keystone
[09:35] *** ChanServ sets mode: +v henrynash
[09:47] *** rushiagr is now known as rushiagr_away
[09:47] *** henrynash has quit IRC
[09:49] *** krykowski has quit IRC
[09:52] *** rushiagr_away is now known as rushiagr
[10:00] *** krykowski has joined #openstack-keystone
[10:03] *** MasterPiece has quit IRC
[10:08] *** krykowski has quit IRC
[10:09] openstackgerrit: wanghong proposed openstack/python-keystoneclient: make req_ref doesn't require id  https://review.openstack.org/148499
[10:10] *** krykowski has joined #openstack-keystone
[10:13] *** henrynash has joined #openstack-keystone
[10:13] *** ChanServ sets mode: +v henrynash
[10:15] *** markvoelker has joined #openstack-keystone
[10:16] openstackgerrit: Merged openstack/keystone: remove invalid note  https://review.openstack.org/144566
[10:22] *** markvoelker has quit IRC
[10:23] openstackgerrit: Marek Denis proposed openstack/keystone: Implement Service Providers API for OS-FEDERATION  https://review.openstack.org/104623
[10:24] marekd: rodrigods: *^^ you can take a look now.
[10:24] openstackgerrit: Sergey Kraynev proposed openstack/python-keystoneclient: Using correct keyword for region in v3  https://review.openstack.org/118383
[10:36] *** tellesnobrega_ has joined #openstack-keystone
[10:43] *** tellesnobrega_ has quit IRC
[10:47] *** henrynash has quit IRC
[10:50] *** openstackgerrit has quit IRC
[10:50] *** openstackgerrit has joined #openstack-keystone
[10:58] *** tellesnobrega has quit IRC
[10:58] *** gabriel-bezerra has quit IRC
[10:59] *** tellesnobrega has joined #openstack-keystone
[10:59] *** gabriel-bezerra has joined #openstack-keystone
[10:59] *** htruta has quit IRC
[10:59] *** htruta has joined #openstack-keystone
[11:00] *** mflobo1 has joined #openstack-keystone
[11:01] *** mflobo1 has left #openstack-keystone
[11:01] *** krykowski has quit IRC
[11:02] *** mflobo1 has joined #openstack-keystone
[11:02] *** mflobo1 has left #openstack-keystone
[11:02] *** mflobo1 has joined #openstack-keystone
[11:06] *** aix has quit IRC
[11:07] *** avozza is now known as zz_avozza
[11:08] *** marg7175 has joined #openstack-keystone
[11:08] *** zz_avozza is now known as avozza
[11:18] *** aix has joined #openstack-keystone
[11:20] openstackgerrit: Marek Denis proposed openstack/keystone-specs: Allow for direct mapping in federated authN.  https://review.openstack.org/149071
[11:24] *** henrynash has joined #openstack-keystone
[11:24] *** ChanServ sets mode: +v henrynash
[11:24] *** krykowski has joined #openstack-keystone
[11:26] *** xxj has quit IRC
[11:26] *** wpf has quit IRC
[11:26] samueldmq: henrynash, hi
[11:26] henrynash: samueldmq: hi
[11:27] samueldmq: henrynash, saw your comments on the refactoring of expected entities on test_v3_assignment, where I introduced regex
[11:27] samueldmq: henrynash, well, that makes sense to me (your comment)
[11:28] samueldmq: henrynash, otherwise we'll need to have tests for those tests, and at some point we have to stop being simple enough to ensure we didn't make any mistakes
[11:28] henrynash: samueldmq: it’s just hard to understand whether the test is correct from looking at it….
[11:28] samueldmq: henrynash, and it's better to stop that at usual tests, instead of adding additional layers of testing
[11:29] openstackgerrit: Marek Denis proposed openstack/keystone: Add WebSSO support for federation  https://review.openstack.org/136177
[11:30] henrynash: samueldmq: I guess I’m OK with regex if it really is the best way of doing things, but we’d need to make it really clear from reviewers what is going on…..and right now, we don’t…
[11:30] henrynash: samueldmq: so…either we need to be a bit more simple…or explain what we are doing better
[11:30] samueldmq: henrynash, agree
[11:30] samueldmq: henrynash, in fact that helps a lot for new tests I created
[11:30] *** MasterPiece has joined #openstack-keystone
[11:31] samueldmq: henrynash, because if I only filter by users, I assert the user I filtered is in the entity, doesn't matter other info
[11:31] samueldmq: henrynash, I just don't care
[11:32] samueldmq: henrynash, and then I assert the assignment link matches with user as well ... (saying this just to let you know the reason I did that)
[11:33] henrynash: samueldmq: yes, I got the gist that this was to stop having to create the link as a separate item and carry that around for test checking...
[11:34] henrynash: samueldmq: so it may be that if you explain that clearly then we’re OK here…..
[11:34] henrynash: samueldmq: now, my data-driven-tests could be said to suffer the same problem…but I would argue (and I would, ‘cause I wrote them) that in the data-driven tests it is VERY obvious what scenarios I’m trying to test, but you have to still believe the support code works correctly
[11:35] henrynash: samueldmq: …oh, and btw, more of those pass now with your latest patch of pushing down the filters into list_role_assignments…but not all, so I think we still have something wrong in your patch
[11:37] *** marg7175 has quit IRC
[11:38] *** marg7175 has joined #openstack-keystone
[11:38] *** krykowski has quit IRC
[11:42] *** KanagarajM2 has quit IRC
[11:42] *** xxj has joined #openstack-keystone
[11:43] *** wpf has joined #openstack-keystone
[11:44] samueldmq: henrynash, oh ..  :/
[11:45] samueldmq: henrynash, I'll do some scrum process now at morning, after this I will take it and fix what is wrong once and for all
[11:45] henrynash: samueldmq: see: http://paste.openstack.org/show/163162/
[11:45] samueldmq: henrynash, looking
[11:46] samueldmq: henrynash, strange, domain and project assignments have not the same role id
[11:46] openstackgerrit: Wu Wenxiang proposed openstack/python-keystoneclient: Add python-memcached in test-requirements.txt  https://review.openstack.org/150759
[11:47] samueldmq: henrynash, firstly I suspected I could have expanded and forgotten to remove original entity, but no
[11:47] henrynash: samueldmq: and here is the test plan: http://paste.openstack.org/show/163164/
[11:47] henrynash: samueldmq: http://paste.openstack.org/show/163164/
[11:47] samueldmq: henrynash, looking
[11:48] henrynash: samueldmq: it is the last test that fails, we get back the inherited role as well in non-effective, non-inherited mode
[11:49] samueldmq: henrynash, nice ... thinking about this case
[11:50] samueldmq: henrynash, need to see your code, just a minute
[11:51] samueldmq: henrynash, running tests .. :-)
[11:52] henrynash: samueldmq: you downloaded my data-driven-test patch?
[11:52] samueldmq: yep
[11:53] samueldmq: henrynash, looks like it isn't updated :
[11:53] samueldmq: :/
[11:55] rodrigods: marekd, looking :)
[12:02] marekd: rodrigods: thanks.
[12:08] *** krykowski has joined #openstack-keystone
[12:08] henrynash: samueldmq: ah, sorry, realised I didn’t skip the tests for ldap, you can run the offending test with: test_backend_sql.SqlInheritance.test_inherited_role_grants_for_user
[12:08] henrynash: samueldmq: i.e. tox — test_backend_sql.SqlInheritance.test_inherited_role_grants_for_user
[12:16] *** krykowski has quit IRC
[12:16] *** MasterPiece has quit IRC
[12:19] *** markvoelker has joined #openstack-keystone
[12:19] openstackgerrit: henry-nash proposed openstack/keystone: Support data-driven backend assignment testing  https://review.openstack.org/149178
[12:22] *** krykowski has joined #openstack-keystone
[12:24] *** markvoelker has quit IRC
[12:24] samueldmq: henrynash, well, the project data is not in your expected entities
[12:24] samueldmq: henrynash, but they should be
[12:25] samueldmq: henrynash, let me recheck
[12:27] henrynash: samueldmq: the search filter is for the domain, not project
[12:27] henrynash: samueldmq: 'params': {'user': 0, 'domain': 0}
[12:28] samueldmq: henrynash, yes
[12:28] samueldmq: henrynash, but it has 2 roles on domain
[12:28] samueldmq: henrynash, lines 7 and 8 of your paste http://paste.openstack.org/show/163164/
[12:28] henrynash: samueldmq: so shouldn't we just get back the role on the domain that is not inherited?
[12:29] samueldmq: henrynash, the default is to get both ... if extension is enabled
[12:30] henrynash: samueldmq: ahhh…so at the list_role_assignment level, ‘inherited’ doesn’t default to False?
[12:31] samueldmq: henrynash, no, it defaults to None, that means get both
[12:31] samueldmq: henrynash, makes sense?
[12:31] samueldmq: henrynash, like: otherwise you tell me specifically what you want, I will consider both for you
[12:31] henrynash: samueldmq: so that explains the results (thanks!)….just mull on whether that default makes sense…
[12:32] openstackgerrit: Marek Denis proposed openstack/keystone: Implement Service Providers API for OS-FEDERATION  https://review.openstack.org/104623
[12:32] samueldmq: henrynash, np, ok let me know if you disagree with this default
[12:32] *** krykowski has quit IRC
[12:33] henrynash: samueldmq: meanwhile I’ll update the test, which means they should all pass now
[12:37] marekd: rodrigods: thanks.
[12:41] marekd: apparently my local time and gerrit's one are not compatible: "Updated in the future"
[12:44] openstackgerrit: henry-nash proposed openstack/keystone: Support data-driven backend assignment testing  https://review.openstack.org/149178
[12:45] henrynash: samueldmq: hi, if you have a moment, I still have an issue..maybe still my misunderstanding…
[12:46] henrynash: samueldmq: here’s the updated test plan: http://paste.openstack.org/show/163187/
[12:48] *** krykowski has joined #openstack-keystone
[12:50] samueldmq: henrynash, sure I have ... looking
[12:51] henrynash: samueldmq: so the last test works fine, but 2nd last test fails
[12:51] henrynash: samueldmq: the one with filter: {'params': {'user': 0, 'domain': 0, 'effective': True}
[12:52] henrynash: samueldmq: I was expecting that NOT to return the inherited role, but it does
[12:53] samueldmq: henrynash, you're right, will fix and submit in a couple of seconds :-)
[12:53] henrynash: samueldmq: blimey, no need to be that quick!
[12:54] henrynash: samueldmq: btw, did you also see my comment on whether it makes sense to still include ‘inherited_to_projects’ in the main body of the response from list_role_assignments…now that we have the ‘indirect’ key?
[12:55] *** raildo_away is now known as raildo
[12:58] marekd: henrynash: samueldmq: https://review.openstack.org/#/c/104623/ feel free to torture this patch whenever you have time :-)
[12:59] samueldmq: henrynash, L732 https://review.openstack.org/#/c/137202/15/keystone/assignment/core.py
[12:59] samueldmq: henrynash, I was already checking that ... but that check should be at the beginning of that method ...
[12:59] samueldmq: henrynash, just rerunning tests
[13:00] samueldmq: marekd, torture .... nah :p
[13:00] samueldmq: marekd, will review it soon, thanks :-)
[13:00] marekd: samueldmq: sure, whenever you can.
[13:05] openstackgerrit: Samuel de Medeiros Queiroz proposed openstack/keystone: Improve List Role Assignments Filters Performance  https://review.openstack.org/137202
[13:05] samueldmq: henrynash, ^ now I think we'll be both happy with its soundness :D
[13:06] samueldmq: henrynash, please let me know if it worked or not
[13:06] henrynash: samueldmq: thx!  I’ll rebase and re-run as well
[13:10] *** ajayaa has quit IRC
[13:13] samueldmq: np
[13:16] openstackgerrit: Raildo Mascena de Sousa Filho proposed openstack/keystone-specs: Reseller  https://review.openstack.org/139824
[13:16] raildo: henrynash, ayoung, morganfainberg ^ :)
[13:17] henrynash: samueldmq: did you think about my question about ‘inherited_to_projects’ ?
[13:17] samueldmq: henrynash, what question, sorry but don't have it in my cache :/
[13:20] *** krykowski has quit IRC
[13:20] henrynash: samueldmq: ah, it feels odd now that ‘inherited_to_projects’  appears in the main body of the response from list_role_assignments, now that we have the ‘indirect’ key added….is ‘inherited_to_projects’  adding anything?
[13:20] *** markvoelker has joined #openstack-keystone
[13:22] openstackgerrit: Rakesh H S proposed openstack/python-keystoneclient: handles keyboard interrupt  https://review.openstack.org/121046
[13:24] samueldmq: henrynash, it should be kept anyway for inherited assignments that are not expanded, right?
[13:25] henrynash: samueldmq: but we also include the ‘indirect’ for those, no?
[13:25] samueldmq: henrynash, so I decided to keep it for inherited expanded as well, so it is simpler to the controller to see whether it's inherited just checking 'inherited_to_projects'
[13:25] *** markvoelker has quit IRC
[13:25] *** krykowski has joined #openstack-keystone
[13:26] samueldmq: henrynash, for inherited that are not expanded (not effective mode) we don't, no need to have indirect in this case, since it should have none inside it
[13:26] openstackgerrit: Rodrigo Duarte proposed openstack/keystone-specs: Recursive deletion and project disabling  https://review.openstack.org/148730
[13:27] henrynash: samueldmq: so it probably feels right that it gets returned in non-effective mode, on those assignments that were marked as inherited
[13:28] henrynash: samueldmq: I’m not sure it feels right for effective mode…I’ll have to think on that some more
[13:28] samueldmq: henrynash, in fact we don't need it
[13:28] samueldmq: henrynash, in this second case, I do agree with you
[13:28] samueldmq: henrynash, but when formatting, the controller needs to know if it was inherited or not
[13:29] samueldmq: henrynash, i) by just checking inherited_to_projects on every case or ii) checking inherited_to_projects OR 'indirect' in the body
[13:29] henrynash: samueldmq: well it needs how to generate the links for all combinations of what is in ‘indirect’
[13:30] henrynash: samueldmq: e.g. group, domain, project etc.
[13:31] samueldmq: henrynash, yes... look at line 696 https://review.openstack.org/#/c/137202/16/keystone/assignment/controllers.py
[13:32] samueldmq: henrynash, it should just become if entity.get('inherited_to_projects') OR entity.get('indirect'):
[13:32] samueldmq: henrynash, well, that would be simple as well, I am ok with changing it
[13:33] henrynash: samueldmq: I think that makes more sense…it is duplicative otherwise in effective mode
[13:35] *** bknudson has joined #openstack-keystone
[13:35] *** ChanServ sets mode: +v bknudson
[13:36] *** markvoelker has joined #openstack-keystone
[13:45] openstackgerrit: Samuel de Medeiros Queiroz proposed openstack/keystone: Improve List Role Assignments Filters Performance  https://review.openstack.org/137202
[13:45] samueldmq: henrynash, ^^ done
[13:46] *** stevemar has joined #openstack-keystone
[13:46] *** ChanServ sets mode: +v stevemar
[13:48] *** krykowski has quit IRC
[13:48] openstackgerrit: Rodrigo Duarte proposed openstack/keystone-specs: Reseller  https://review.openstack.org/139824
[13:54] henrynash: samueldmq: great! I’ll modify the tests and re-run…
[13:54] henrynash: samueldmq: did you fix up the fact that pep was failing due to “overly complex” method in your patch?
[13:55] samueldmq: henrynash, oh, need to talk with you
[13:55] henrynash: samueldmq: ok :-)
[13:55] samueldmq: henrynash, so that comes with putting all methods inside list_role_assignments scope
[13:56] henrynash: samueldmq: hmm, ok…yes I feared as much!
[13:56] samueldmq: henrynash, can I leave them at 'normal' scope and then add a _ at the beginning (as I was doing before)
[13:56] samueldmq: ?
[13:56] samueldmq: great! will do
[13:57] samueldmq: well, you agree right?
[13:57] henrynash: samueldmq: yes, sounds fine…maybe add a NOTE before the first of those methods just to explain why we’ve done it that way
[13:59] samueldmq: henrynash, great! just a few seconds more :-)
[14:00] henrynash: samueldmq: :-)
[14:01] *** gordc has joined #openstack-keystone
[14:03] *** krykowski has joined #openstack-keystone
[14:04] *** Ctina_ has joined #openstack-keystone
[14:11] *** markvoelker has quit IRC
[14:14] stevemar: marekd, o/
[14:14] *** sriram has joined #openstack-keystone
[14:15] *** richm has joined #openstack-keystone
[14:15] openstackgerrit: Rakesh H S proposed openstack/python-keystoneclient: handles keyboard interrupt  https://review.openstack.org/121046
[14:19] *** mzbik has quit IRC
[14:20] *** marg7175 has quit IRC
[14:21] *** mattfarina has joined #openstack-keystone
[14:21] *** krykowski has quit IRC
[14:24] *** krykowski has joined #openstack-keystone
[14:24] *** ajayaa has joined #openstack-keystone
[14:37] *** topol has joined #openstack-keystone
[14:37] *** ChanServ sets mode: +v topol
[14:43] *** dims has joined #openstack-keystone
[14:45] *** joesavak has joined #openstack-keystone
[14:48] *** r-daneel has joined #openstack-keystone
[14:48] *** r-daneel has quit IRC
[14:48] *** r-daneel has joined #openstack-keystone
[14:53] *** krykowski has quit IRC
[14:54] openstackgerrit: henry-nash proposed openstack/keystone: Move projects and domains to their own backend  https://review.openstack.org/144824
[14:55] *** EmilienM is now known as EmilienM|afk
[14:59] *** krykowski has joined #openstack-keystone
[15:03] *** abhirc has joined #openstack-keystone
[15:10] openstackgerrit: Merged openstack/keystone: Move test_utils to keystone/tests/unit/  https://review.openstack.org/133989
[15:11] *** pnavarro has quit IRC
[15:16] openstackgerrit: henry-nash proposed openstack/keystone: Remove unused pointer to assignment in identity driver  https://review.openstack.org/145022
[15:16] openstackgerrit: henry-nash proposed openstack/keystone: Make controllers and managers reference new resource manager  https://review.openstack.org/133525
[15:18] openstackgerrit: henry-nash proposed openstack/keystone: Make unit tests call the new resource manager  https://review.openstack.org/130954
[15:18] openstackgerrit: henry-nash proposed openstack/keystone: Split the assignments controller  https://review.openstack.org/132634
[15:25] *** timcline has joined #openstack-keystone
[15:25] *** timcline has quit IRC
[15:26] *** timcline has joined #openstack-keystone
[15:27] *** bknudson has quit IRC
[15:28] *** krykowski has quit IRC
[15:29] *** zzzeek has joined #openstack-keystone
[15:32] *** abhirc has quit IRC
[15:32] *** krykowski has joined #openstack-keystone
[15:35] *** andreaf is now known as andreaf_
[15:39] *** abhirc has joined #openstack-keystone
*** carlosmarin has joined #openstack-keystone15:41
*** angelamolock has joined #openstack-keystone15:42
*** angelamolock has quit IRC15:43
*** angelamolock has joined #openstack-keystone15:43
*** bknudson has joined #openstack-keystone15:47
*** ChanServ sets mode: +v bknudson15:47
*** markvoelker has joined #openstack-keystone15:47
ayoungrodrigods, what about Dynamic Polices do you want to discuss?  Its not getting into Kilo. I figure we'll beat through the rest of the design in Vancouver15:48
*** harlowja_away has quit IRC15:49
*** krykowski has quit IRC15:50
*** radez_g0n3 is now known as radez15:51
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Improve List Role Assignments Filters Performance  https://review.openstack.org/13720215:51
samueldmqhenrynash, ^took some time, I was doing something else :)15:51
henrynashsamueldmq: no problem…I’ll rebase….15:52
*** gokrokve has joined #openstack-keystone15:54
*** dims has quit IRC15:55
samueldmqhenrynash, in fact I need to rebase on yours as well (Make unit tests call the new resource manager)15:55
samueldmqwill do now15:55
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Fixes 'OS-INHERIT:inherited_to' info in tests  https://review.openstack.org/14454215:55
henrynashsamueldmq: np15:56
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Refactor role assignment assertions  https://review.openstack.org/14454315:56
*** krykowski has joined #openstack-keystone15:56
morganfainbergmornin15:57
samueldmqmorning :)15:57
*** EmilienM|afk is now known as EmilienM15:58
samueldmqhenrynash, how do you use to work with a chain of patches ?15:59
samueldmqhenrynash, I prefer renaming branches as assignments/1, assignments/2, ... so it's better to know what comes next when I am rebasing15:59
openstackgerritBrant Knudson proposed openstack/keystone: Use RequestBodySizeLimiter from oslo.middleware  https://review.openstack.org/14469715:59
samueldmqhenrynash, but it looks like that is messing with the patch topic on gerrit :/16:00
henrynashsamueldmq: that’s one way…I just keep a list for myself of the order!16:00
samueldmqhenrynash, might work better, thx16:01
*** david-lyle_afk is now known as david-lyle16:01
*** tqtran has joined #openstack-keystone16:02
openstackgerritSteve Martinelli proposed openstack/keystone: Fix up _ldap_res_to_model for ldap identity backend  https://review.openstack.org/15063116:07
samueldmqhenrynash, and how do you deal with two patches with same topic ? :-)16:09
samueldmqBranch already exists - reusing16:09
*** jistr has quit IRC16:11
*** jistr has joined #openstack-keystone16:12
*** afazekas has quit IRC16:16
rodrigodsayoung, ok, that was what I wanted to know16:16
rodrigodsayoung, even the keystonemiddleware or client bits?16:16
ayoungrodrigods, there are a couple of policy based reviews published16:17
ayoungand at least on that I need to move to the new policy repo that is currently against Keystone16:17
morganfainbergtopol, stevemar, https://review.openstack.org/#/c/150109/ lets not speculate about V416:17
morganfainbergwe're using v3 here16:17
ayoungIn Keystone, we have the default policy, the unified policy file already posted as WIP16:18
ayoungnot unified, but the cleaned up one16:18
openstackgerritMerged openstack/keystone-specs: Tokenless authorization with X.509 SSL client certificate  https://review.openstack.org/10591316:18
rodrigodsayoung, ok, I'm aware of it, just wanted to know where to put efforts next16:18
ayoungrodrigods, I need to modify the one for fetching the file from the server.  dolphm wants it in middleware, and I can't really argue with him;  it certainly needs to be callable from there16:22
ayoungthat is just a spec, though16:22
ayoungif you want to do the code for that...it would be great16:23
morganfainbergrodrigods, ^ re that one, API changes should be included (the one i linked)16:23
ayoungit needs at least one implementation to make use of it, but dolphm 's  sample service might be the perfect target for that16:23
rodrigodsmorganfainberg, I saw the comments, will upload a new patchset with it in the next couple of hours :)16:24
rodrigodsayoung, which sample service?16:24
henrynashbknudson, ayoung: Updated https://review.openstack.org/#/c/144824/ to fix up suggested changes….be great if you could cast an eye and +2/A if looks OK now.16:25
ayoungrodrigods, he has a service...something like an echo service16:25
morganfainbergrodrigods, yeah otherwise i think you're good on that front.16:25
ayounghenrynash, looks fine16:27
*** avozza is now known as zz_avozza16:28
openstackgerritMerged openstack/keystone-specs: Add a catalog to an unscoped token  https://review.openstack.org/10733316:28
rodrigodsayoung, hmm16:28
rodrigodsayoung, ok... so first will take a look in the default policy16:28
ayoungrodrigods, sure16:29
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Remove URL field from regions  https://review.openstack.org/15010916:33
rodrigodsstevemar, morganfainberg, topol ^16:33
morganfainbergrodrigods, sorry wasn't clear enough in how detailed i wanted this.16:35
morganfainbergrodrigods, added another comment16:35
morganfainbergrodrigods, this is a CYA deal so more details are better16:36
rodrigodsmorganfainberg, you are right, fixing...16:37
morganfainbergstevemar, ping16:37
stevemarmorganfainberg, pongish16:38
morganfainberghttps://review.openstack.org/#/c/150631/4/keystone/tests/test_backend_ldap.py16:38
morganfainberghow do the skipped test fail when enabled?16:38
stevemarmorganfainberg, because of https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap.py#L22316:39
morganfainbergok then my comments i add stand16:39
samueldmqmorganfainberg, +++ (assert the correct behavior, even if failing, instead of skipping)16:39
morganfainbergplease don't add more "blind skips"16:39
morganfainbergassert the expected failure occurs16:39
samueldmqexactly :)16:39
stevemarmorganfainberg, ah okay16:39
morganfainberg:)16:40
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Remove URL field from regions  https://review.openstack.org/15010916:40
morganfainbergmeans that if the behavior changes we know.16:40
samueldmqmorganfainberg, I think we still need to fix this for existing skips16:40
morganfainbergsamueldmq, we do16:40
morganfainbergsamueldmq, that does not need a bug/bp and can be done as someone has timue16:40
morganfainbergtime*16:40
morganfainbergsamueldmq, feel free to help on that front :)16:40
samueldmqmorganfainberg, k, will do once I get some time :) (working on the list role assignments performance chain)16:41
morganfainbergof course16:41
morganfainbergno rush16:41
samueldmqk :-)16:41
morganfainbergjust as we get time we should fix it for other tests16:41
*** bknudson has quit IRC16:41
samueldmq++16:42
openstackgerritBrant Knudson proposed openstack/keystone: Consistently use oslo_config.cfg.CONF  https://review.openstack.org/14736716:42
samueldmqmorganfainberg, also, I think we should recheck the classes structure we have for ldap classes16:42
samueldmqmorganfainberg, I did a test and they were taking like 40% of testing time (something like this)16:42
morganfainbergreminds me... let me send a scary email that i'm sure will result in freakout from the community16:43
morganfainbergdeprecation of ldap assignment16:43
morganfainbergsamueldmq, sure i think we should circle back on that with the functional testing dstanek is working on16:43
samueldmqmorganfainberg, yes, I intend to help him as well ...16:44
*** packet has joined #openstack-keystone16:44
morganfainbergsamueldmq, rather than try to fix that before we can run against a real backend. once we have the scenario tests for functional, it'll be much easier to drop bad-in-process keystone tests and focus on "against a real system" tests16:44
samueldmqlooks like I need to work 20/24 to work on everything I'm saying I intend to work on :/16:44
*** andreaf has joined #openstack-keystone16:44
morganfainbergsamueldmq, and no one expects that!16:44
henrynashayoung: thx16:45
samueldmqmorganfainberg, sure ... just need to work constantly ;)16:45
samueldmqmorganfainberg, regarding tests ....16:45
samueldmqmorganfainberg, I was thinking if we could get a standard for keystone: i) functional tests (WIP); iii) unit tests for each controller/manager/driver using mocks16:46
samueldmqmorganfainberg, talked to bknudson and he said he's not sure we can have enough people to meet that standard16:46
samueldmqmorganfainberg, I was planning to look deeper and estimate how hard would be to meet that16:46
samueldmqmorganfainberg, do you think it's worth it?16:47
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Improve List Role Assignments Filters Performance  https://review.openstack.org/13720216:49
*** krykowski has quit IRC16:49
openstackgerritAlexander Makarov proposed openstack/keystone: Redis token backend  https://review.openstack.org/15084416:49
stevemarsamueldmq, i expect 20/24 hrs :P16:50
stevemarjust kidding :)16:50
stevemarmorganfainberg rules keystone with an iron fist16:50
samueldmqstevemar, "there's a little truth behind every just kidding"16:52
samueldmqstevemar, haha, I am kidding too :-)16:52
samueldmqstevemar, I thought it was just a Brazilian expression, but it looks like we use it in English as well16:53
rodrigodsayoung, ping ... can you review a couple of HMT patches?16:53
ayoungrodrigods, debugging a devstack failure at the moment16:54
topolmorganfainberg let me park a bus on stevemar.  It was he, not I who mentioned V4 :-)16:55
*** dims has joined #openstack-keystone16:55
stevemartopol, :O you totally did16:55
stevemarmaybe you meant 3.4?16:56
rodrigodsayoung, ok... once you finish it, don't miss to review that wonderful piece of code :P16:56
topolstevemar, I changed my vote to +1. Your answer that it was experimental is very fair. I left mine as a +1 assuming you are a +2 to allow others to review16:56
*** krykowski has joined #openstack-keystone16:57
topolstevemar, I meant 3.4.  My bad. I should fall on my sword now  :-)16:57
stevemarvictory!16:57
topolmorganfainberg please back the bus up onto me16:57
stevemari was wondering why you mentioned it!16:57
morganfainberg+2 rodrigods, stevemar, topol, but holding on +a for a short bit for other core feedback16:59
morganfainbergstevemar, this should go in today barring other feedback saying why it shouldn't16:59
rodrigodsmorganfainberg, thx!16:59
*** zz_avozza is now known as avozza17:01
*** andreaf has quit IRC17:02
samueldmqmorganfainberg, dstanek  could you please give me your opinion on the test standard I just described (like 20 lines above) ?17:03
samueldmqstevemar, ^ you too :-)17:03
samueldmqwell, everyone's opinion would be appreciated17:03
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Reseller  https://review.openstack.org/13982417:04
*** rwsu-afk is now known as rwsu17:05
dolphmstevemar: marekd: i'm looking at a backport in https://review.openstack.org/#/c/150190/2/keystone/contrib/federation/idp.py17:06
dstaneksamueldmq: what do you mean by standard?17:06
dolphmstevemar: marekd: you call check_output() there which doesn't exist in py26 -- are there any other reasons why federation wouldn't be able to support py26?17:06
dolphmstevemar: marekd: check_output() can be trivially replaced with a call to Popen to re-introduce 26 compat17:06
openstackgerrithenry-nash proposed openstack/keystone: Support data-driven backend assignment testing  https://review.openstack.org/14917817:07
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Recursive deletion and project disabling  https://review.openstack.org/14873017:07
*** avozza is now known as zz_avozza17:08
henrynashsamueldmq: sadly it looks like list_role_assignment may still need a bit of tweaking….I still don’t think it is working for user+domain+effective mode - see comment and I can provide results from my data-driven-assignment tests if you need them17:08
morganfainbergreally utopic unicorn and now vivid vervet17:09
* morganfainberg sighs17:09
morganfainbergi might need to skip 2 releases of ubuntu now...17:09
morganfainberg:P17:09
openstackgerritRodrigo Duarte proposed openstack/keystone: Implements parents_as_ids query param  https://review.openstack.org/14856717:10
*** jistr has quit IRC17:10
openstackgerritRodrigo Duarte proposed openstack/keystone: Implements subtree_as_ids query param  https://review.openstack.org/14861817:10
rodrigodsmorganfainberg, fun code to review ^ :)17:10
dolphmmorganfainberg: 14.04 for life17:11
dstaneksamueldmq: I'm at lunch now. I'll ping you when I get back17:11
morganfainbergdolphm, i am sad they didn't name it tiger tiger though17:11
morganfainbergdolphm, that was the best option.17:12
dolphmmorganfainberg: i... actually thought that was the name for awhile after release17:12
morganfainbergdolphm, ;)17:12
morganfainbergdolphm, it was an AWESOME name17:12
morganfainbergnot that trusty tahr is bad17:12
*** ajayaa has quit IRC17:12
dolphmpeople had been referring to it as such so i didn't question17:12
*** gyee has joined #openstack-keystone17:13
*** ChanServ sets mode: +v gyee17:13
morganfainberggyee, re: your email about credential api17:13
morganfainberggyee, the public API would need to be changed or the private?17:13
morganfainbergs/private/internal17:13
morganfainbergpublic = REST17:13
morganfainbergunrelated: anyone have a oneplus and invites?17:14
* morganfainberg has had it with bugs / crashes / etc in ios817:14
gyeemorganfainberg, just the interface17:15
gyeepublic API stay the same17:15
morganfainberggyee ok.17:15
morganfainberggyee, don't scare me ;)17:15
gyeewe need to pass the token to the backend17:16
samueldmqdstanek, k17:16
samueldmqdstanek, bon apetit :)17:16
morganfainberggyee, i think this is a sign barbican isn't *really* ready for our consumption on this front17:16
*** andreaf has joined #openstack-keystone17:16
samueldmqhenrynash, will look at your comment17:16
gyeemorganfainberg, they need the user token, service container won't scale17:16
* morganfainberg is still grumpy about bearer tokens17:16
morganfainbergayoung, i think you're right Krb5 is the answer.17:17
morganfainbergayoung, with redelegation17:17
morganfainbergtgt is a nice model.17:17
ayoungI'm not used to hearing that.  Could you say it again?17:17
gyeeI am totally cool with kerberos, just that we need to balance security versus usability17:17
morganfainbergnope17:17
morganfainberg:P17:17
ayoungAh well.17:17
morganfainbergayoung, ^_^17:17
ayoungmorganfainberg, I think there is a theoretical way to do the same thing with X509, but I don't have the time  to develop it17:18
morganfainbergor at the very least our tokens need to be more tgt like [in the case of lacking a krb5 infrastructure]17:18
morganfainbergor x509 or whatever17:18
gyeeI am working on x50917:18
morganfainbergbut i think it's the only way out of the bearer token hole we're in17:18
ayoungall KRB/S4U2 can tell you, though, is that the users asked the service to do something, not what it asked17:18
ayoungmorganfainberg, not necessarily...17:18
ayoungI think the real answer is better delegation17:18
morganfainbergayoung, anyway - another topic another day17:18
ayoungmorganfainberg, the unified delegation model17:19
ayoungit means that we take a lot of the logic that we are putting in the token and externalize it to auth token middleware:17:19
ayoungbut...let's add that to the schedule for Vancouver17:20
gyee++17:20
morganfainbergayoung, exactly17:20
morganfainberganother topic another conversation17:20
morganfainberg;)17:20
*** keystonelpbug has quit IRC17:20
*** lhcheng has joined #openstack-keystone17:21
gyeemorganfainberg, passing the token to Barbican's not that bad, we just need to pass the context to the backend17:21
*** EmilienM is now known as EmilienM|afk17:22
morganfainbergbug 117:22
*** TempLPBugBot has joined #openstack-keystone17:23
morganfainbergbug 117:23
TempLPBugBotbug 1 in Ubuntu Malaysia LoCo Team "Microsoft has a majority market share" [Critical,In progress] https://launchpad.net/bugs/117:23
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone-specs: Reseller  https://review.openstack.org/13982417:23
morganfainbergbug 111117:24
TempLPBugBotbug 1111 in gst-plugins0.8 (Ubuntu) "doesn't extract last track" [Medium,Fix released] https://launchpad.net/bugs/111117:24
morganfainberghah17:24
morganfainbergok17:24
morganfainberganyway17:24
morganfainbergi'm going to go get breakfast and coffee17:25
morganfainbergback in a bit17:25
dolphmlooking at diffs of diffs makes my head hurt17:25
*** ajayaa has joined #openstack-keystone17:25
morganfainbergdolphm, but what about diffs of diffs of diffs with a penchant for adding in a diff17:25
samueldmqhenrynash, that's valid ... I'm fixing it, sorry17:25
henrynashsamueldmq: np!17:25
dolphmmorganfainberg: http://pasteraw.com/p6peq0k2z7dpdif1brpfp4tpmw8bare17:26
dolphmmorganfainberg: diff of a master patch vs the backport17:26
morganfainbergdolphm, there are not nearly enough +'s or -'s in that17:26
*** pnavarro has joined #openstack-keystone17:26
morganfainbergi'd probably use opendif17:27
morganfainbergtbh17:27
*** jasondot_ has joined #openstack-keystone17:27
*** atiwari has joined #openstack-keystone17:29
gyeedolphm, thanks for the review https://review.openstack.org/#/c/150190/17:29
gyeedolphm, the existing code uses subprocess.check_output() which is not supported in python 2.617:30
dolphmgyee: i asked stevemar and marekd about that above, but no response yet17:30
gyeeI can make another patch to fix the existing code first, or leave the existing one as is, I am fine either way17:30
dolphmmorganfainberg: do you know if/why we opted to not support federation in py26?17:31
gyeedid we drop python2.6 in Kilo? otherwise, that test won't work17:32
morganfainbergdolphm, uhm17:32
morganfainbergdolphm, no i don't remember why.17:32
gyeeyep looks like py26 is gone in Kilo17:33
morganfainbergdolphm, maybe py26 was missing some key lib?17:33
morganfainbergand yes py26 is dead in kilo17:33
gyeew00t!17:33
dolphmmorganfainberg: this is for stable/juno though17:33
* gyee do a moment of silence for py2617:33
gyeeamen17:33
morganfainbergdolphm, so no reason it shouldn't work for 26 in juno17:34
morganfainbergthat i know of17:34
morganfainbergbesides a gap in code17:34
dolphmmorganfainberg: if it's just a single call to check_output that's breaking compat with 2.6, i feel like we should fix that before applying gyee's patch17:34
dolphmmorganfainberg: so gyee's patch doesn't have to skip testing 2617:35
morganfainbergdolphm, ++17:35
morganfainbergdolphm, lets fix it17:35
gyeealrighty then17:35
* gyee back to coding17:35
dolphmgyee: are you going to fix the underlying code or shall i?17:37
dolphmgyee: (considering it's going into stable/* i'd rather be a reviewer)17:37
*** henrynash has quit IRC17:37
gyeedolphm, I can fix the code17:37
dolphmgyee: i'd be happy to file a bug17:37
gyeedolphm, please, let me work on the code, just assign the bug to me17:37
stevemargyee, dolphm we dropped py26 in kilo, whats the issue?17:40
gyeestevemar, this is for backporting to juno17:40
stevemarahhh17:40
dolphmstevemar: is there any real reason we wouldn't support federation in stable/juno on python 2.6?17:41
*** henrynash has joined #openstack-keystone17:41
*** ChanServ sets mode: +v henrynash17:41
dolphmstevemar: the only blocker i saw looks simple to fix17:41
stevemardolphm, aside from any code blockers, im fine with federation being py26 compat in juno17:42
stevemardolphm, gyee someone internally reported a py26 issue probably the same one, let me look17:42
dolphmstevemar: just wanted to make sure there wasn't a bigger issue with 2617:42
stevemardolphm, dont think so17:42
samueldmqhenrynash, http://paste.openstack.org/show/163290/ should fix that bug17:43
samueldmqhenrynash, I'm rebasing and applying your feedbacks in the chain to submit everything together17:43
stevemargyee, dolphm this was an issue we saw: http://paste.openstack.org/show/163291/17:44
stevemarwhere subprocess.check_output(command_list) wasn't py2617:44
gyeeyep17:45
gyeeI am fixing it17:45
stevemargyee, THANKS :) commented!17:46
*** krykowski has quit IRC17:49
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone-specs: Reseller  https://review.openstack.org/13982417:51
*** r-daneel has quit IRC17:52
*** marg7175 has joined #openstack-keystone17:53
*** marg7175 has quit IRC17:58
*** marg7175 has joined #openstack-keystone17:58
*** Ctina_ has quit IRC17:59
*** Ctina__ has joined #openstack-keystone17:59
*** lhcheng has left #openstack-keystone18:06
*** lhcheng has joined #openstack-keystone18:06
openstackgerritSteve Martinelli proposed openstack/keystone: Fix up _ldap_res_to_model for ldap identity backend  https://review.openstack.org/15063118:12
openstackgerritArun Kant proposed openstack/keystone-specs: Spec for adding Barbican service as Keystone credential backend.  https://review.openstack.org/14867218:12
*** openstackgerrit has quit IRC18:14
*** openstackgerrit has joined #openstack-keystone18:14
*** gokrokve has quit IRC18:16
dstaneksamueldmq: i am back18:16
*** vhoward has left #openstack-keystone18:22
morganfainbergdstanek, LGTM: https://review.openstack.org/#/c/131516/ +218:26
*** nellysmitt has quit IRC18:27
*** harlowja has joined #openstack-keystone18:28
*** bknudson has joined #openstack-keystone18:30
*** ChanServ sets mode: +v bknudson18:30
dstanekmorganfainberg: great, thx18:32
nkinderstevemar: ping, re - https://review.openstack.org/#/c/124638/18:32
nkinderstevemar: how are we handling the transition of policy.py from oslo-incubator to oslo.policy?18:33
stevemarnkinder, well oslo.policy is already up, so i think just make the change there18:35
stevemarand projects should be imported that instead of using the incubator18:35
nkinderstevemar: ok, so we'll just let it die in incubator (and eventually remove it)?18:35
stevemarnkinder, yeah, eventually it'll be removed (like how some of the utils are removed), so don't bother posting the change there18:36
nkinderstevemar: ok.  What about getting oslo.policy docs here? http://docs.openstack.org/developer/openstack-projects.html18:37
*** EmilienM|afk is now known as EmilienM18:38
stevemarnkinder, it already exists, http://docs.openstack.org/developer/openstack-projects.html just missing from that index.html18:39
stevemari'll see where it's maintained, probably somewhere in infra18:39
morganfainbergdolphm, FYI just unblocked a bunch of juno backports18:39
morganfainbergdolphm, they should all be gating now.18:39
morganfainbergdolphm, trying to get them through if they look good before we freeze18:40
morganfainberg(tomorrow i think)18:40
morganfainberggyee, ^ the fixes for juno and saml would be good to have in-flight today18:40
gyeemorganfainberg, sure, I should have a new patch up in the afternoon18:41
nkinderstevemar: ok, great.  I'll get a new patch proposed against the right repo for my doc changes.18:51
*** marg7175_ has joined #openstack-keystone18:53
bknudsonsince we haven't done a release of oslo.policy, I don't think there's any docs to point to.18:53
*** TempLPBugBot has quit IRC18:54
*** TempLPBugBot has joined #openstack-keystone18:55
morganfainbergbug 139676318:55
TempLPBugBotbug 1396763 in Keystone juno "user id beginning with 0 cannot authenticate through ldap" [Undecided,In progress] https://launchpad.net/bugs/1396763 - Assigned to Richard Megginson (rmeggins)18:55
*** TempLPBugBot has quit IRC18:56
*** markvoelker has quit IRC18:56
*** TempLPBugBot has joined #openstack-keystone18:56
morganfainbergbug 139676318:56
TempLPBugBotbug 1396763 in Keystone juno "user id beginning with 0 cannot authenticate through ldap" (affected: 1, heat: 14) [Undecided,In progress] https://launchpad.net/bugs/1396763 - Assigned to Richard Megginson (rmeggins)18:56
*** markvoelker has joined #openstack-keystone18:56
*** marg7175 has quit IRC18:57
stevemarnkinder, fyi https://review.openstack.org/15090718:57
*** raildo has quit IRC18:57
stevemarbknudson, it'll have docs eventually18:58
*** jsavak has joined #openstack-keystone18:59
*** angelamo_ has joined #openstack-keystone18:59
bknudsonstevemar: looks like there are already docs... and it's apparently really easy to use.18:59
bknudsonjust import it! http://docs.openstack.org/developer/oslo.policy/usage.html19:00
bknudsonthis must be one of the steps in the graduation process19:00
marekddolphm: reading question for py26 - i think it's already resolved, right?19:00
marekddolphm: i had no special  reason for not supporting federation in py26 except for the fact that it was already (or almost) deprecated in whole OpenStack.19:01
*** markvoelker has quit IRC19:01
stevemarbknudson, well, those steps aren't wrong for most projects! just import!19:02
stevemarnow using the actual enforcement... thats another story19:02
*** joesavak has quit IRC19:02
*** angelamolock has quit IRC19:03
*** angelamo_ has quit IRC19:03
*** angelamolock has joined #openstack-keystone19:03
*** rushiagr is now known as rushiagr_away19:03
*** angelamolock has quit IRC19:04
lhchenghi folks, does User in v3 support 'description' attribute?19:04
lhchengIt is documented here: http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3.html#users-v3-users19:04
lhchengBut I don't see it in the user table.19:04
*** angelamolock has joined #openstack-keystone19:04
lhchengShould that be removed in the docs?19:04
bknudsonlhcheng: it's probably stored in the extras column.19:05
morganfainberglhcheng, what bknudson said. description is not a first-class attribute in the storage backend. it gets stored in the icky json blob19:06
lhchengyeah, it would probably be. But wondering if we should include that in the docs since it is an "official" column19:06
lhcheng*not19:06
morganfainberglhcheng, long term i want extra attrs to die.19:06
morganfainberglhcheng, but we should not remove it from the docs.19:06
bknudsonlhcheng: I don't think we can change the docs now since that wouldn't be backwards compatible.19:06
lhchengah, and keep the description?19:06
samueldmqdstanek, ping - sorry for the delay, I was in a meeting19:06
morganfainbergit's been supported for a loooooong time and people expect it there19:06
samueldmqdstanek, you still around?19:06
morganfainbergremoving from the docs implies we don't need it/support it.19:07
lhchengbknudson: okay.. kinda weird to have a description on a user :P19:07
bknudsonlhcheng: pretty much every system that stores users supports a description.19:07
bknudsonlhcheng: have you used systems that have users that don't support a description?19:08
lhchengmorganfainberg: okay.  working on adding the user schema at the moment, just found it weird that there is a description attribute but it is not in the table.19:08
morganfainberglhcheng, think of it like "who the heck is this... what if it's a service account' - similar: what is the gecos field in a unix user used for? - "description data"19:08
morganfainbergwe just left it a little more free-form rather than comma delimited19:09
stevemarits definitely needed i think19:09
morganfainbergbknudson, lets hope your slew of backports all pass gate :)19:09
lhchengbknudson: I don't see a description field on both hpcloud and rackspace signup page :P19:09
morganfainbergbknudson, those all look nice and important.19:10
morganfainberglhcheng, the deployer may not expose it to the end user19:10
morganfainberglhcheng, but it's there.19:10
morganfainberglhcheng, well RAX i dunno, they don't use keystone19:10
*** thedodd has joined #openstack-keystone19:10
morganfainberglhcheng, [or didn't yet]19:10
morganfainbergfor public cloud19:10
morganfainbergHP uses some form of keystone with some extras.19:10
morganfainbergso i'm sure the data is there just hiding - but i also know they don't use SQL as the store.19:11
lhchengmorganfainberg: I wrote some of it, don't recall it having a description :P19:12
morganfainberglhcheng, if it has the extra support19:12
morganfainbergdescription is wedged in there19:12
morganfainbergjust hiding19:12
morganfainberg[and yes extra attributes is part of our API :( ]19:12
lhchengmorganfainberg:  not saying having description is wrong, just confirming if the keystone doc is correct :)19:13
morganfainberglhcheng, yeah in this case it's correct :)19:13
morganfainbergstevemar, http://status.openstack.org/zuul/ look at all that keystone in the gate!19:13
*** tellesnobrega_ has joined #openstack-keystone19:14
bknudsongate hogs!19:14
morganfainbergbknudson, who does that keystone team think they are!?19:14
lhchengmorganfainberg: because in other entities, we have an explicit "description" column. so wondered if the doc is accurate.19:14
morganfainbergsadly i think everything in there might fail because library cap issues.19:15
stevemarmarekd, lhcheng is this better or worse for the javascript post back? http://paste.openstack.org/show/163333/19:16
lhchengmorganfainberg: okay, I'll add the "description" in the user schema then.19:16
*** raildo has joined #openstack-keystone19:17
*** marg7175_ has quit IRC19:20
*** aix has quit IRC19:21
*** marg7175 has joined #openstack-keystone19:21
lhchengstevemar: Instead of hard-coding the html, thinking if having a html template file be better.  If the user want to have a different postback mechanism they can override the html template.19:21
stevemarlhcheng, not a bad idea19:23
stevemarmorganfainberg, looks like we earned our citizenship19:25
morganfainbergLOL19:26
henrynashbknudson: if you get a chance, if you could see you are happy with the changes I made in response to your comments on: https://review.openstack.org/#/c/144824/1919:27
morganfainberghenrynash i'm still slogging through the split change19:28
morganfainberghenrynash, i think i need to take another break. it's a beast.19:29
*** tellesnobrega_ has quit IRC19:29
morganfainbergjamielennox|away, https://review.openstack.org/#/c/141944/ is going to merge conflict (cc stevemar since you also +2'd) if the current in-flight ksc changes merge19:29
*** ajayaa has quit IRC19:29
henrynashmorganfainberg: I’ll owe you….you can extract payment in terms of your choice in Vancouver19:30
henrynash(hmm, probably a dangerous offer to make)19:30
morganfainberghenrynash, promise me you'll not do 1400+ lines of change again, i'll be happy with that as the payment19:30
gyeemorganfainberg, dolphm, stevemar, https://review.openstack.org/#/c/150190/19:30
gyeeI roll everything into one19:30
henrynashmorganfainberg: ok, it’s a fair exchange!19:30
marekdstevemar: let me see.19:30
*** marg7175 has quit IRC19:31
gyeemarekd, u 219:31
morganfainberghenrynash, then the next massive change i get to -2? ;)19:31
marekdstevemar: i'd put this JS into some static file19:31
*** tellesnobrega_ has joined #openstack-keystone19:32
*** marg7175 has joined #openstack-keystone19:32
morganfainberghenrynash, also i wont approve that change in either case until the gate is a bit less cranky19:33
morganfainbergstevemar, can i ask you a huge favor if you have a little bandwidth19:34
morganfainbergstevemar, can you look at: https://review.openstack.org/#/c/141944/19:34
morganfainbergerm19:34
morganfainbergsorry19:34
marekdgyee: morganfainberg stevemar dolphm btw i'd really like to be able NOT to call external process.19:34
morganfainbergstevemar, https://bugs.launchpad.net/keystone/+bug/141062219:34
TempLPBugBotLaunchpad bug 1410622 in OpenStack Compute (nova) "nova is still broken with boto==2.35*" (affected: 1, heat: 6) [High,Triaged]19:34
dolphmmarekd: ++19:34
gyeemarekd, me 2!19:34
dolphmbut, ..19:34
*** tellesnobrega_ has quit IRC19:34
morganfainberghey! that bot makes that so much better again.19:34
gyeedo we have a python lib for xml digsig?19:35
marekddigsig ?19:35
morganfainberggyee in-python crypto tends to get reaaaaaaally ugly19:35
gyeedigital signature19:35
raildogyee, can you review the reseller spec? :) https://review.openstack.org/#/c/139824/19:35
marekdmorganfainberg: i am guessing C dependencies wrapped with some Python are a no-go? :(19:35
gyeeraildo, on my todo list19:35
raildogyee, great, thank you :)19:36
morganfainbergmarekd, well it just falls into eventlet doesn't play nice. in keystone less of an issue if it goes elsewhere it becomes yield-point issues19:36
stevemarmorganfainberg, i'll try looking at it, but i'm short on time these days19:36
gyeem2crypto19:36
* gyee dive under the table19:36
morganfainberggyee, no.19:36
morganfainberggyee, stop it19:36
*** tellesnobrega_ has joined #openstack-keystone19:36
morganfainberggyee, and m2 has the same issue as i just described19:36
morganfainberggyee, :P19:37
* gyee hide under the carpet19:37
morganfainbergstevemar, i'm hoping to have all 20 bugs triaged today19:37
morganfainbergstevemar, but that one is the one that is going to take a bit more time, i'd rather delegate that over to someone to check if possible so i can hit the others19:37
marekdmorganfainberg: what are yield point issues?19:38
morganfainbergmarekd, eventlet does coroutine $stuff$19:38
marekdmorganfainberg: yes.19:38
marekdsingle threaded in general.19:38
morganfainbergmarekd, when you're hitting c-libs eventlet does a bad job of knowing when it can yield19:38
morganfainbergor at all19:38
marekdmorganfainberg: so dropping eventlet would lead us into a lands where clibs are freely used?19:39
morganfainbergso you can bind things up. CPU intensive and/or c-backed stuff (mysqldb) all causes these issues. Crypto hits both - either CPU intensive [can't yield] or c-lib [also can't]19:39
*** gokrokve has joined #openstack-keystone19:39
morganfainbergpopen is nice because it's I/O, and i/o can yield.19:39
morganfainbergmarekd, well it trades gil and other issues for the eventlet issues19:40
morganfainbergmarekd, for us, dropping eventlet would be an overall win19:40
marekdmorganfainberg: in c libs you can release GIL and in fact have really multi threaded app.19:40
morganfainberga lot of our new functionality is all apache / webserver module driven anyway, and eventlet can't/wont support it19:40
morganfainbergmarekd, assuming not a bad clib19:41
morganfainbergmarekd, that is a BIG assumption19:41
morganfainbergbut yes, it is possible19:41
*** tellesnobrega__ has joined #openstack-keystone19:41
*** tellesnobrega_ has quit IRC19:41
marekdmorganfainberg: well, one can write wrapper as part of patches for Keystone.19:41
marekdc-wrapper19:41
morganfainbergalso dropping eventlet eliminates threadlocal issues19:41
morganfainbergbut in short - I want to deprecate eventlet support in keystone.19:42
morganfainbergto do that, i think we need to cleanup the deployment story w/ apache/nginx/whateveryouareusing19:42
morganfainbergi expect that to be a possibility next cycle fwiw19:42
marekdi'd like to see keystone + nginx19:43
morganfainbergmarekd, i've deployed it19:43
*** tellesnobrega__ has quit IRC19:43
morganfainbergmarekd, it works. the big issue is gunicorn [if you use it] tends to get its config stomped on by oslo.config19:43
morganfainbergfor some reason i haven't spent more than a couple minutes looking at [this was ~2yrs ago, might not be a problem anymore]19:43
morganfainbergi also would like to see uwsgi as an option19:43
*** angelamolock has quit IRC19:44
marekdlet's rewrite Keystone in Go :-)19:44
morganfainbergmost of it is documentation. then we can play scenario deployment - testing fun :)19:44
morganfainbergmarekd, ha. ha. ha. ha. ha.19:44
morganfainbergmarekd, i vote erlang19:44
marekdwhy?19:45
morganfainbergmarekd, why not?19:45
marekd:-)19:45
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Improve List Role Assignments Filters Performance  https://review.openstack.org/13720219:46
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Improve creation of expected assignments in tests  https://review.openstack.org/14454419:46
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Improve List Role Assignment Tests  https://review.openstack.org/13702119:46
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Refactor check of targets and actors on RoleV3  https://review.openstack.org/14470219:46
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Check for invalid filtering on v3/role_assignments  https://review.openstack.org/14470319:46
morganfainbergthough honestly, in keystone i *really* miss c and c++ isms19:46
samueldmqhenrynash, ^ new chain ... I'd like to ensure the behavior is correct now (with your tests) and you are ok with my regex in tests ..19:46
morganfainbergwe could bake keystone into a c++ lib, then link it into an apache / nginx module -- then place it in-front of all the openstack services [/me stops before someone thinks i'm serious]19:46
samueldmqhenrynash, once I have that, I'll go to a detailed review on my chain looking for nits, documentation, etc19:47
morganfainbergeven better. we could rewrite it in lua.19:47
henrynashsamueldmq: I’ll take a look over it tonight, run my tests etc.19:47
rodrigodsmorganfainberg, lol19:47
morganfainbergWAIT I KNOW, it can be one giant oracle stored procedure!19:47
* morganfainberg wonders who has tried to run keystone with oracle as the db backend.19:48
morganfainbergsomeone must have.19:48
rodrigodsyes, we must have some oracle db deployments19:49
samueldmqhenrynash, great! thanks19:49
morganfainbergrodrigods, does it... work?19:49
rodrigodsmorganfainberg, I think with some hacks in the sqlalchemy part, why not?19:50
*** chrisshattuck has joined #openstack-keystone19:51
*** tellesnobrega_ has joined #openstack-keystone19:51
openstackgerritMerged openstack/python-keystoneclient: Surface the user_id and project_id beyond the plugin  https://review.openstack.org/13203019:53
*** tellesnobrega_ has quit IRC19:54
openstackgerritDolph Mathews proposed openstack/keystone: create _member_ role as specified in CONF  https://review.openstack.org/14289719:55
stevemarmorganfainberg, that bug is dirty19:57
stevemari looked into it19:57
stevemari'll ping mriedemann when hes out of his meeting19:57
openstackgerritMerged openstack/python-keystoneclient: Add fetch revocations for v2.0  https://review.openstack.org/14193520:00
samueldmqeasy review: could some other core take a look at and possibly +2+workflow  https://review.openstack.org/#/c/150574/ ?20:01
*** jsavak has quit IRC20:01
*** joesavak has joined #openstack-keystone20:03
*** angelamolock has joined #openstack-keystone20:04
openstackgerritMerged openstack/python-keystoneclient: Add fetch revocations for v3  https://review.openstack.org/14212820:04
*** thedodd has quit IRC20:04
openstackgerritMerged openstack/python-keystoneclient: Allow v3 plugins to opt out of service catalog  https://review.openstack.org/14299120:04
*** angelamolock has quit IRC20:05
*** jsavak has joined #openstack-keystone20:09
*** SpamapS has joined #openstack-keystone20:10
*** r-daneel has joined #openstack-keystone20:11
morganfainbergstevemar, thanks20:11
morganfainbergstevemar, topol: https://etherpad.openstack.org/p/adklfjdsfkj20:11
morganfainbergayoung, henrynash, dolphm, dstanek, gyee, jamielennox|away, bknudson, ^20:11
*** joesavak has quit IRC20:11
ayoungmorganfainberg, etherpad?20:12
morganfainbergayoung, why not?20:12
topolmorganfainberg... OMG WHAT ARE YOU DOING???  Oh wait let me reread it :-)20:12
morganfainbergbefore i send to the ML20:12
ayoungnah, there were a couple other links above, but I see they are merge messages...etherpad looks good20:12
morganfainbergand this will be cross-posted to operators and main ML as well20:13
bknudsonmorganfainberg: +2 on the etherpad contents20:13
ayoungmorganfainberg, I'm going to try to sneak in an alternate intro....one sec20:13
morganfainbergayoung, sure. i might veto, but ;)20:13
ayoungFeel free to.20:13
morganfainbergayoung, but i wanted feedback before sending so please do add alternatives :)20:14
*** jaosorior has quit IRC20:14
*** r-daneel has quit IRC20:16
morganfainbergseriously, feel free to add stuff in-line like that20:16
morganfainbergi have the original copy saved20:16
openstackgerritMerged openstack/python-keystoneclient: Add auth plugin params to doc  https://review.openstack.org/14168120:17
morganfainbergtopol, ^20:17
ayoungmorganfainberg, how's that?  It is less alarmist, and more to the point.20:17
morganfainbergayoung, sure.20:17
morganfainberglooks good.20:17
morganfainbergfeel free to shuffle things around20:18
morganfainbergthe only thing i ask is that we keep the basic structure, intro/background/problem/FAQ20:18
*** thedodd has joined #openstack-keystone20:19
topolmorganfainberg it looks great to me. I made some very minor suggestions you can feel free to take or leave20:21
morganfainbergi like em20:21
openstackgerritNathan Kinder proposed openstack/oslo.policy: Improve policy documentation  https://review.openstack.org/15095320:22
morganfainbergayoung, added your info stuff in where i think it fits20:24
morganfainbergtopol, ^20:24
topolmorganfainberg. Still looks very good to me20:24
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Add validate token for v2.0  https://review.openstack.org/14194420:25
topolmorganfainberg if the note was any longer you would risk folks not reading it.  So I think we are good20:25
morganfainbergi don't know how many other times we can say "NOT REMOVING LDAP IDENTITY"20:26
morganfainberghow much you want to bet people will freak about ldap identity when this is sent?20:26
topolmorganfainberg. I think its perfect.20:26
ayoungworks for me20:26
morganfainbergsubject is: [Keystone] Deprecation of LDAP Assignment (Only Affects Project/Tenant/Role/Assignment info in LDAP)20:27
topolIf after reading this note you still have concerns Please contact dolphm20:27
morganfainberglol20:27
topol(for the freak outs :-)  )20:27
morganfainbergJoe Heck*20:27
morganfainbergtermie!20:27
topolnoooo. He would be like, um yeah you are totally screwed. Sorry20:28
morganfainbergok20:28
morganfainbergsending20:28
*** nellysmitt has joined #openstack-keystone20:28
* morganfainberg dons flame-proof suit20:28
topol... can I crash at your place <insert foreign city residence here> when I goto <insertforeign country>20:29
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Add validate token for v3  https://review.openstack.org/14214720:29
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Reseller  https://review.openstack.org/13982420:29
openstackgerritDoug Hellmann proposed openstack/oslo.policy: Add API documentation  https://review.openstack.org/15095620:30
morganfainberghmm ok one of these emails went to the wrong place already20:30
morganfainberg*doh*20:30
topolbknudson, whats the over under on a product guy misreading morganfainbergs note and you getting an urgent call? :-) I'm going with 220:32
dstanekmorganfainberg: the top explicitly says only CERN is using LDAP assignment, but the FAQ makes it seem like there are others20:32
morganfainbergdstanek, cern is the only confirmed20:33
morganfainbergdstanek, the FAQ was meant to be more inclusive20:33
*** nellysmitt has quit IRC20:33
morganfainberganyway lets see how many product people freak20:33
mfischsee subject of morganfainberg's email, commence panic! ;)20:34
morganfainbergmfisch, you too!? :P20:34
* morganfainberg fwds to product person saying "OMG LOOK AT THE CRAZY PTL"20:34
openstackgerritDoug Hellmann proposed openstack/oslo.policy: Fix project metadata  https://review.openstack.org/15095720:35
mfischdepreciation is the French word for "work required for mfisch" - true fact20:35
mfischdeprecation I mean!20:35
mfischdepreciation is bad too20:35
morganfainbergmfisch, depreciation?20:35
morganfainberg;)20:35
morganfainbergi mean...20:35
morganfainbergsure!20:35
mfischlike glance changing the backend name from file to filesystem wow thats lots better!20:36
morganfainbergtopol, i guarantee i'm going to get the same call from HP folks20:36
topolmorganfainberg, you need to add the following video to the email.  Kevin Bacon in Animal House... "All is Well"  https://www.youtube.com/watch?v=zDAmPIq29ro20:36
mfischgood, kill LDAP assignment with fire morganfainberg (now that I've read more)20:37
mfischI'm already using an out of tree driver for ident but basic sql for assignment20:37
topolmfisch did you watch me video clip20:39
* topol wonders why no one appreciates my 50 year old movie references20:39
mfischtopol: is this you in the toga?  https://www.youtube.com/watch?v=NqpNQ9AJYgU20:40
topolmfisch that will cost you!!! :-)20:41
mfischlol20:42
stevemarwhat the change we have to make to specify a config setting multiple times...20:43
stevemarlike we do with the notification drive...20:43
stevemarahh cfg.MultiStrOpt20:44
stevemarthanks stevemar20:44
*** nellysmitt has joined #openstack-keystone20:45
*** jaosorior has joined #openstack-keystone20:53
morganfainberghttp://blogs.scientificamerican.com/oscillator/files/2013/07/feynman_algorithm.jpg20:54
stevemarhaha21:00
*** raildo has quit IRC21:01
marekdsimple!21:03
openstackgerritayoung proposed openstack/oslo.policy: Explicit configuration object  https://review.openstack.org/15096921:03
openstackgerritayoung proposed openstack/oslo.policy: Explicit configuration object  https://review.openstack.org/15096921:04
openstackgerritMorgan Fainberg proposed openstack/keystone: Deprecate LDAP Assignment Backend  https://review.openstack.org/15097021:06
stevemarmarekd, i'm assuming you are cool if i change that option for a trusted horizon to multiString21:07
stevemarso you can do trusted_horizon=x.com then next line, trusted_horizon=y.com21:08
stevemarand i will loop through21:08
openstackgerritMarek Denis proposed openstack/keystone: Implement Service Providers API for OS-FEDERATION  https://review.openstack.org/10462321:08
marekdstevemar: ^^21:08
stevemarmarekd, thank you21:08
marekdstevemar: re: multi string - yes, please.21:08
marekdstevemar: please see comments.21:09
stevemarahhh cool21:09
stevemari missed that21:09
*** dims has quit IRC21:10
marekdsetUp you mean?21:12
marekdstevemar: thanks!21:13
gyeemorganfainberg, sorry for being late to the party, the LDAP deprecation email looks good21:13
gyeejust got back to my desk21:14
marekdmorganfainberg: gyee ayoung: review for K2K: https://review.openstack.org/#/c/104623/21:14
*** breton has quit IRC21:14
gyeemarekd, yes sir21:14
gyeeI'll review it after the reseller thingy21:14
marekdgyee: you have few hours as I will probably logout soon :-)21:15
*** dims has joined #openstack-keystone21:16
gyeeallllrighty then21:17
rodrigodsgyee, ++ Reseleer ;)21:18
*** zz_avozza is now known as avozza21:20
marekda question. Is it possible to dynamically fetch attributes from CONF objects ?21:21
marekdsomething like getattr() in Python, where attribute name doesn't need to be known a priori.21:21
openstackgerritDolph Mathews proposed openstack/keystone: create _member_ role as specified in CONF  https://review.openstack.org/14289721:21
gyeemarekd, I think you'll have to register the attribute first21:21
*** nellysmitt has quit IRC21:22
nkindermorganfainberg: have you received any hate mail yet about LDAP "going away"? ;)21:22
morganfainbergnkinder, not yet21:23
gyeenkinder, LDAP is not going away, it'll just get reincarnated21:25
morganfainbergnkinder, someone will freak i'm sure and i'll get forced to jump on some phone call with someone21:25
morganfainbergor gyee will :P21:26
* gyee hide under the carpet again21:26
marekdgyee: hm, i don't think so - look at keystone.conf [auth] section. You specify new authN method and later add parameter with the driver class.21:26
gyeemarekd, right, but you'll still need to register them at some point21:26
gyeethat's how oslo conf works I think21:27
gyeeeverything needs to be registered21:27
marekdgyee: adding a line  "saml2= auth.plugins.mapped.Mapped" in keystone.conf/[auth] counts as registration?21:28
marekdgyee: maybe we are talking about sth different.21:28
*** marg7175 has quit IRC21:29
marekdanybody ^^ ?21:29
gyeemarekd, oh, that part should work fine, everything in methods are registered21:30
*** radez is now known as radez_g0n321:31
openstackgerritSteve Martinelli proposed openstack/keystone: Add WebSSO support for federation  https://review.openstack.org/13617721:32
stevemarmarekd, lhcheng ^^21:32
marekdyes, but what i want to do is something like http://pasteraw.com/gyg0ze3ylqj4do945011t7onqv2qprf and ofc i don't want to pre register saml2 section in cfg.21:34
marekdmorganfainberg: ^^21:34
stevemarmarekd, isn't remote_attribute_name the same as remote_attribute_id from marco's work?21:35
marekdstevemar: it's the same, whatever...21:36
marekdbut we cannot make one global parameter.21:37
marekdthink a crazy usecase when Keystone must support SAML and OIDC21:37
marekdwe have two parameters.21:37
dstaneki hate the new 'related changes' section of the new gerrit interface21:37
marekddstanek: ++ and lack of dependency tree.21:37
*** markvoelker has joined #openstack-keystone21:38
morganfainbergmarekd, i really dislike the whole auth plugin config section21:38
morganfainbergmarekd, but that aside21:38
gyeeI knew it!21:38
marekdmorganfainberg: what can i do....:-)21:38
morganfainbergmarekd, you can [in theory] use the config options in the plugin itself21:38
morganfainbergwhen it's loaded it'll read the values from the config file21:39
morganfainbergif the opts aren't there they aren't presented21:39
morganfainbergbasically you can register opts *after* config file read and use the values that were in the config file21:39
morganfainbergthe only downside is the opts don't appear in the sample config that way based on how we generate21:39
marekdmorganfainberg: so http://pasteraw.com/gyg0ze3ylqj4do945011t7onqv2qprf should work even if I don't register section named saml2 in the code.21:40
marekdcause today somebody uses name saml2, tomorrow saml_just_becase_i_can21:40
morganfainbergmarekd, as long as you register the options *somehow*21:40
morganfainbergbefore you use conf21:40
marekdmorganfainberg: shit...21:41
morganfainbergmarekd, if the option data is in the config file, it becomes available as soon as you register the opt, you can register opts at run time21:41
openstackgerritSteve Martinelli proposed openstack/keystone: Fix up _ldap_res_to_model for ldap identity backend  https://review.openstack.org/15063121:41
morganfainbergbut you still need to register the opt before referencing it21:41
henrynashmorganfainberg, stevemar, gyee: talking of LDAP, at some point could I get a few eyes on https://review.openstack.org/#/c/147551/5 and its dependent patch…this pushes filtering down into the LDAP driver (I guess we can argue whether we actually include this for projects as per the deprecation plan - but really important for users/groups)21:41
stevemarthanks nkinder21:41
marekdmorganfainberg: btw we cannot stuff that param in the Protocol object, as Protocols are tied to IdP objects :-)21:41
marekdmorganfainberg: thanks for explanation.21:42
gyeehenrynash, sure21:43
marekdmorganfainberg: things may get screwy, but either we get very limited (and then static), or we hardcode some names in auth plugins (different plugin for shib, different for mellon and new patchset if something new comes in) or we dynamically store it in cfg.21:43
morganfainbergyeah21:43
morganfainberg:(21:44
marekdmorganfainberg: hm, i am thinking about dynamic cfg registering.21:45
marekdsay i added something in keystone.conf which is not yet registered21:45
marekdsection called saml221:45
*** tqtran is now known as tqtran_afk21:46
marekdnow i execute some code and figure out that i need section saml2 and there parameter foo_bar21:46
marekdi can register it21:46
morganfainbergyep21:46
marekdbut...how i am supposed to read the value from keystone.conf?21:46
morganfainbergit's automatically read when keystone.conf is read21:46
morganfainbergit just isn't presented in the CONF object until the opts are registered21:46
marekdok, so after i register it, it will become present.21:47
morganfainbergyep21:47
marekdmorganfainberg: ok21:47
*** jsavak has quit IRC21:48
*** marg7175 has joined #openstack-keystone21:50
*** vhoward has joined #openstack-keystone21:57
openstackgerritMarek Denis proposed openstack/keystone-specs: IDP ID registration and validation  https://review.openstack.org/14822922:00
marekdstevemar: morganfainberg ^^22:00
marekdhopefully this will be mergable now.22:00
morganfainbergmarekd, we have to wait for grenade to be happy22:02
morganfainbergmarekd, so probably not today :(22:02
*** briancurtin has joined #openstack-keystone22:03
*** mattfarina has quit IRC22:03
*** topol has quit IRC22:03
marekdmorganfainberg: i meant mergable from meritorical point of view :-)22:06
marekdmorganfainberg: so we are all happy and nobody has any issues.22:07
stevemarmarekd, looking now22:09
marekdstevemar: thanks22:09
stevemarmarekd, whaa, we haven't merged this one yet?22:10
*** Ctina__ has quit IRC22:11
marekdstevemar: no, there was this one thing i was not sure how to do right.22:15
marekdnow i know, so tomorrow i am going to start implementing it.22:15
marekdok, going to bed. good night.22:18
stevemarmarekd, o/ gnite22:22
*** jasondot_ has quit IRC22:23
*** marekd has left #openstack-keystone22:28
*** bknudson has quit IRC22:29
*** marekd has joined #openstack-keystone22:34
*** marekd has left #openstack-keystone22:34
*** marekd has joined #openstack-keystone22:34
openstackgerritMatt Riedemann proposed openstack/python-keystoneclient: Fix type in Ec2Signer class docstring  https://review.openstack.org/15102022:34
openstackgerritMatt Riedemann proposed openstack/python-keystoneclient: Fix typo in Ec2Signer class docstring  https://review.openstack.org/15102022:35
*** pnavarro has quit IRC22:43
stevemargordc, you think you can do a minor release of pycadf?22:45
stevemarso i can pull in those changes i made22:45
openstackgerritgordon chung proposed openstack/pycadf: add helper module  https://review.openstack.org/14970622:48
gordcnow? or tomorrow morning?22:49
gordcstevemar: ^22:49
stevemargordc, whenever22:49
gordcstevemar: i'll just do it now i guess... i'll be on for a bit (to see the world implode)22:49
*** joesavak has joined #openstack-keystone22:50
*** bknudson has joined #openstack-keystone22:51
*** ChanServ sets mode: +v bknudson22:51
stevemargordc, mehhh should be harmless22:52
stevemarthats what we said about the last one22:52
*** sriram has quit IRC22:53
*** henrynash has quit IRC22:59
*** jorge_munoz has left #openstack-keystone22:59
*** openstackgerrit has quit IRC23:06
*** openstackgerrit has joined #openstack-keystone23:06
*** EmilienM is now known as EmilienM|afk23:08
*** carlosmarin has quit IRC23:13
*** jodah has joined #openstack-keystone23:16
jodahI'm experiencing sporadic auth failures via keystone middleware using a brand new token. For example, over a 10 second period I'll have auth requests alternate between succeeding and failing - same token. Any pointers?23:17
jodahex output: http://paste.openstack.org/show/163400/23:17
*** carlosmarin has joined #openstack-keystone23:21
bknudsonjodah: what token backend are you using?23:21
*** gordc has quit IRC23:22
jodahbknudson: not sure if this is what you mean: driver = keystone.assignment.backends.sql.Assignment23:23
*** carlosmarin has quit IRC23:24
*** tellesnobrega_ has joined #openstack-keystone23:24
*** jsavak has joined #openstack-keystone23:27
*** joesavak has quit IRC23:28
gyeerodrigods, not trying to stall, I am trying to get some detail requirements from our product management before diving into reviewing reseller spec23:33
*** thedodd has quit IRC23:33
gyeehopefully I'll get some answers today23:33
*** gokrokve has quit IRC23:33
rodrigodsgyee, nice, use cases are always good in this cases :)23:34
gyeeyeah man, I want to see what their expectations are23:34
rodrigodsgyee, you can review some code though: https://review.openstack.org/#/c/148567/ and https://review.openstack.org/#/c/148618/23:35
rodrigods:)23:35
*** timcline_ has joined #openstack-keystone23:38
*** timcline_ has quit IRC23:38
*** jsavak has quit IRC23:39
*** timcline has quit IRC23:42
jodahbknudson: Seems to have been an issue related to system time. The keystone server's system clock was 2 hours behind where the middleware was deployed. Not sure if that matters. The behavior is certainly a corner case to consider though.23:43
*** jell has quit IRC23:43
jodahGetting the system time straight, the issue disappears.23:43
morganfainbergjodah, it could23:43
bknudsonstevemar: don't we have rules against approving changes from all-IBM ? https://review.openstack.org/#/c/147639/23:43
jodahI would expect if anything, the token would expire and stay expired. What I was seeing was success, fail, success, fail, etc.23:44
morganfainbergjodah, not sure tbh23:44
stevemarbknudson, d'oh!23:44
morganfainbergjodah, but i could see odd behavior23:44
jodahThis happened previously on a new system that didn't have ntpd running23:44
jodahI had just forgotten the fix :)23:44
morganfainbergyou might have significant jitter in the clock23:44
bknudsonmaybe we could have keystone / auth_token middleware protect themselves from clock skew.23:45
jodahyea, possible23:45
morganfainbergbknudson, ^23:45
morganfainberg s/^/yes23:45
stevemarmorganfainberg, https://review.openstack.org/#/c/147639/23:45
jodahAll I could point out - New ubuntu VM, devstack installed, start hitting nova and trove with requests via Curl and this is what I hit.23:45
bknudsonall it would require is if one or the other knows the time on the other side -- which I think is in headers.23:45
gyeebknudson, how about just ask operators to run ntpd :)23:46
jodahgyee: I think that's a fair request to avoid unexpected auth failures, but not the flapping back and forth23:47
bknudsongyee: apparently not as easy as it sounds.23:47
gyeebknudson, really? what's not easy about it?23:47
gyeeatomic clock baby!23:47
bknudsonthere's still problems with relativity and speed of light delays.23:48
stevemarhehe23:48
bknudsonof course if they used a client cert they wouldn't need a token.23:48
gyeedamn straight!23:48
bknudsonSSL handshake would have problems with clock skew too since the cert would show up as expired.23:49
jodahTrying to reproduce this again now and I can't. The clock was off by 2 hours for my time zone. Installed and started ntp. Now even if I stop ntp and force the clock back I can't reproduce.23:49
bknudsonjodah: the auth_token middleware has problems with caching the token in different threads... I've seen issues where the token works or not going against nova api.23:51
gyeebknudson, my favorite SSL error, the certificate is not yet valid23:51
bknudsonI think if you set up auth_token middleware to use memcache to cache tokens instead of the in-memory one it'll be more consistent.23:52
*** tqtran_afk is now known as tqtran23:52
jodahwill try, tnx23:52
gyeebknudson, in theory, only way the token is not valid is there exist an entry in memcache which cached the token as invalid23:53
jodahin this case the middleware thought the tokens were expired23:53
gyeeif token does not exist in memcache, it'll call back to keystone to validate23:53
gyeeif it expired, it will disappear from memcache23:53
gyeeat least in theory anyway23:54
jodahhttp://paste.openstack.org/raw/163418/23:54
bknudsongyee: I don't think the memcache entry sets the cache line expiration time to the token expiration time... this was something I was going to look into.23:54
*** jaosorior has quit IRC23:54
gyeebknudson, no shit! really?!!23:54
gyeeI thought we do that23:55
jodahstill - if the memcache or in memory token cache had a diff initial time for an entry than was correct - it could see the thing as expired23:55
bknudsongyee: http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/auth_token.py#n1893 -- it always uses self._cache_time, not the token expiration time.23:56
gyeebknudson, I thought we take the min(cache_time, expire)23:58
bknudsongyee: if the token expires and it's not in the cache then auth_token would have to go back to the server which would make more traffic.23:58
bknudsonso maybe it's better to keep the token in the cache after the expiration time.23:59
gyeebknudson, k, make sense, I think that might explain what jodah's seeing23:59
