Monday, 2015-02-09

*** kfox1111 has quit IRC00:12
*** nellysmitt has joined #openstack-keystone00:15
*** henrynash has quit IRC00:17
*** nellysmitt has quit IRC00:19
*** markvoelker has joined #openstack-keystone00:25
*** markvoelker has quit IRC00:30
*** dimsum__ has joined #openstack-keystone00:35
*** dims_ has joined #openstack-keystone00:36
*** jacer_huawei has joined #openstack-keystone00:39
*** jacer_huawei is now known as wnaghong00:39
*** dimsum__ has quit IRC00:39
*** wnaghong is now known as wanghong00:39
*** oomichi has joined #openstack-keystone00:41
*** take has joined #openstack-keystone00:45
*** samueldmq_ has quit IRC00:52
*** take has quit IRC01:14
*** markvoelker has joined #openstack-keystone01:26
*** markvoelker has quit IRC01:31
*** jorge_munoz has joined #openstack-keystone01:34
*** jorge_munoz has quit IRC01:37
*** serverascode has quit IRC01:38
*** jraim has quit IRC01:38
*** briancurtin has quit IRC01:40
*** ctracey has quit IRC01:40
*** zhiyan has quit IRC01:40
*** ctracey has joined #openstack-keystone01:45
*** jraim has joined #openstack-keystone01:45
*** briancurtin has joined #openstack-keystone01:46
*** zhiyan has joined #openstack-keystone01:46
*** amerine has joined #openstack-keystone01:48
*** amerine has quit IRC01:48
*** amerine has joined #openstack-keystone01:48
*** serverascode has joined #openstack-keystone01:52
*** erkules_ has joined #openstack-keystone02:06
openstackgerritMerged openstack/keystone: Improve testing of unicode id mapping
openstackgerritMerged openstack/keystone: Make identity id mapping handle unicode
*** erkules has quit IRC02:08
*** nellysmitt has joined #openstack-keystone02:16
*** nellysmitt has quit IRC02:20
openstackgerritSteve Martinelli proposed openstack/keystone: Add WebSSO support for federation
*** markvoelker has joined #openstack-keystone02:27
jamielennoxstevemar: did you have much to do with the horizon side of the SSO and federation patches?02:29
stevemarjamielennox, enough of it anyway, i just took what they did at CERN and swizzled it02:30
jamielennoxstevemar: i have some changes i did to django openstack auth02:30
jamielennoxto get kerberized login to work02:30
stevemarjamielennox, i noticed that, i had tqtran looking at DOA02:30
jamielennoxah ok - so you probably won't know if they'll conflict?02:31
jamielennoxi mean they will conflict for sure - but unworkably?02:31
stevemarthat part i'm not so sure about, he just needs to create an unscoped token client instance02:32
*** ctina has quit IRC02:32
*** markvoelker has quit IRC02:32
jamielennoxjust popping it up (should have done this before messaging)02:33
stevemari'll take a look at the DOA stuff in 20 minutes, just in the middle of something02:33
jamielennoxstevemar: no worries - i was just looking through the mailing list and saw tim bell's comments about how you shouldn't see a login page at all02:34
jamielennoxthat's kind of what i was going for, if you just make sure whoever is working on that part of federation knows about this stuff02:35
jamielennox - it's going to fail tests all over the place02:35
jamielennoxhowever i think it is trivially expandable into what my understanding was missing for part of federation - how to make horizon just accept a token that is passed to it02:36
stevemarjamielennox, this is the patch that we had up for DOA02:50
stevemarnot sure how much farther tqtran got02:50
stevemari wish there was a way to change ownership of a patch02:50
stevemarlol # NOTE(jamielennox): HAAACCCCCKKKKKk.....02:51
jamielennoxstevemar: it's a relatively big shift because it means that it will try to authenticate on first request to /auth/login - not just post form submission02:54
*** radez_g0n3 is now known as radez03:01
*** richm has quit IRC03:07
*** markvoelker has joined #openstack-keystone03:28
stevemarjamielennox, hmm, that sounds like the 'discovery service' stuff that cern does03:31
stevemari think there should still be a way to decide if the user is going to go for SAML2 vs other protocol03:32
*** markvoelker has quit IRC03:33
jamielennoxstevemar: there will always need to be a web login aspect03:36
jamielennoxjust saw the ML email and agree that a big part of SSO is not picking at all and that i probably need to have a chat with those guys03:37
stevemarjamielennox, so about why don't you include token?03:43
stevemarand it works by just trying all of AUTH_PLUGINS?03:43
jamielennoxstevemar: i don't have a setup that uses it03:43
stevemari think all that is needed for is to add tokens03:44
jamielennoxstevemar: so there is an abstraction there, it goes through AUTH_PLUGINS and sees for which one there is enough information to try and process03:44
stevemarah okay03:44
*** rushiagr_away is now known as rushiagr03:53
*** lnxnut has quit IRC04:04
*** radez is now known as radez_g0n304:09
*** lnxnut has joined #openstack-keystone04:13
openstackLaunchpad bug 1419114 in Keystone "Nova api 'Authorization failed for token' with federated scoped token" [Undecided,New]04:15
openstackLaunchpad bug 1405726 in Keystone "Federation, getting scoped token results in error. " [Undecided,New]04:16
morganfainbergcc marekd ^^04:16
*** nellysmitt has joined #openstack-keystone04:17
stevemarmorganfainberg, yeah someone internally pinged me about that04:17
stevemarit's weird because it's hitting v2 code04:17
morganfainbergthe is probably nova + neutron04:17
morganfainbergwhich... is stuck on v2 right now04:18
morganfainbergor until jamielennox gets the fix in04:18
morganfainbergwith the new neutronclient04:18
morganfainbergwhich poses an interesting issue for k2k federation + neutron.04:18
morganfainbergwe might need to see if it's at all possible to backport the ugly fix to nova.04:18
morganfainbergjamielennox, ^^04:19
jamielennoxi saw it, i'm just not sure what fix to neutronclient will help federation04:19
morganfainbergfor juno otherwise - federation is broken in a very real deployment mode04:19
stevemarthe catalog in that defect shows it is using neutron04:19
jamielennoxi talked to neutron guys, they said they'd do a release for me at the end of the week04:19
morganfainbergjamielennox, this is making nova not need to use v2 when talking to neutron04:19
jamielennoxoh, right04:20
morganfainbergjamielennox, so the ugly fix that got the -1's because it was "hacking" the client code in weird ways may be needed for juno backport04:20
jamielennoxyea i want that to happen in a hurry because i don't like leaving that one too late in the nova cycle04:20
morganfainbergjamielennox, but for K we can use the shiny new neutronclient that isn't busted04:20
stevemarmorganfainberg, but the request that failed was for listing flavors04:20
morganfainbergstevemar, wonder if there is any other similar issues w/ glance04:21
jamielennoxmorganfainberg: someone was asking about that patch just the other day (may have been related) they said that the code in nova is a long way diverged from where it was in juno04:21
morganfainbergor if it's something related to the neutron things04:21
morganfainbergjamielennox, yeah it wont be an easy backport04:21
*** nellysmitt has quit IRC04:21
morganfainbergjamielennox, from what i've gathered04:21
morganfainbergstevemar, can you triage those two bugs for me?04:21
jamielennoxit might not even be possible depending on what client versions are supported at juno release04:21
morganfainbergjamielennox, hence why we might need the dirty hacky-code04:22
* morganfainberg needs to get people to *not* leave bugs in "new" state once priority is set.04:22
jamielennoxso is this trying to make it so that the nova service user uses a federated login?04:22
stevemarluckily for 1405726 the solution is written in the bug report04:23
morganfainbergjamielennox, i think this is any user that needs to touch neutron stuff via nova would break04:23
morganfainbergjamielennox, it's not just service user stuff.04:23
morganfainbergjamielennox, *i think*04:23
*** dims_ has quit IRC04:23
jamielennoxso that patch is just enabling a v3 service user, i'm not sure why it would fix a federation bug04:23
jamielennoxwell not just - it enables a whole bunch of things04:24
morganfainbergwell everything that goes through neutron hits v2 when proxied from nova [including things like get_resources]04:24
morganfainbergfederation tokens are *only* v304:24
*** rushiagr is now known as rushiagr_away04:24
morganfainbergif you try and validate them via v2 it'll probably/does break04:25
jamielennoxbut neutron is dropping the actual user token by that point04:25
jamielennoxit logs in via v2 and talks to nova that way04:26
morganfainbergjamielennox, sounds like we have more digging to do.04:26
*** avozza is now known as zz_avozza04:26
morganfainbergjamielennox, because we have things failing with invalid token when people try and use domains + nova [not just service users iirc]04:26
morganfainbergwhen neutron is used04:26
jamielennoxfrom memory there is some operations that neutron talks to nova that requires the admin privilege in v204:27
jamielennox(which is just a misconfiguration of policy IMO )04:27
jamielennoxso for some operations it uses the user token04:27
jamielennoxand for some operations it uses an account that is specified in the config file - which is generally the same as the one neutron is configured with for auth_token04:28
jamielennox(again bad)04:28
jamielennoxhowever unless you're trying to have that service user use federation itself then i'm not sure what is v3 specific there04:29
morganfainbergjamielennox, anyway so sounds like there is digging to be done before we can say it's definitely nova + neutron or if it's *something else*04:29
*** markvoelker has joined #openstack-keystone04:29
jamielennoxsure, just letting you know04:31
morganfainbergbknudson: this is LDAP assignment only04:31
openstackLaunchpad bug 1401664 in Keystone "Update role using LDAP backend requires name" [Undecided,New] - Assigned to Brant Knudson (blk-u)04:31
morganfainbergbknudson, right?04:31
*** rushiagr_away is now known as rushiagr04:31
morganfainbergbknudson, because if that is the case, marking it as "won04:31
morganfainbergt fix" since ldap assignment is dead.04:31
*** kfox1111 has joined #openstack-keystone04:32
morganfainbergstevemar, cc ^ the convo i had w/ jamielennox04:33
stevemarmorganfainberg, yeah, i'm seeing that now04:33
stevemari'll ask the bug originator to try nova specific functions, not glance function... see if that helps04:34
stevemarit was reported internally, so i'll be hearing about it04:34
openstackLaunchpad bug 1404073 in Keystone "type should be required for v2.0 service create" [Undecided,New]04:35
morganfainbergi don't want to fix v2 :(04:35
stevemarthen don't04:35
morganfainbergyeah thinking that is the answer we're going with04:35
*** markvoelker has quit IRC04:35
stevemari think i opened that one04:35
morganfainbergLin did04:35
stevemarlin did, but we can enforce that at the client level04:36
morganfainbergalready done afaict04:36
*** kfox1111 has quit IRC04:36
*** jasondotstar has joined #openstack-keystone04:36
davechen__stevemar: hi steve,04:37
stevemarhey davechen__04:37
stevemartalking about cascade on delete?04:37
davechen__stevemar: thanks for inviting core team to review that patch :)04:37
stevemardavechen__, feel free to do that yourself too, we are slow (or swamped) sometimes04:38
davechen__stevemar: I saw your comment just now, really make sense indeed.04:38
* morganfainberg is always swamped04:38
davechen__stevemar: I will check it shortly and update that patch sooner.04:39
stevemardavechen__, great! :)04:39
davechen__stevemar: thanks steve. :)04:39
jamielennoxmorganfainberg: i'm not sure what to do about this release planned for tomorrow - i thought it would encourage people to do client reviews, it hasn't done that much04:40
jamielennoxthere's still stuff i think should go out, but i still have a few stars open04:40
jamielennox(some completely unreviewed)04:40
morganfainbergjamielennox, the last time i looked was before the extra work was done to solve the comments.04:41
jamielennoxstevemar: can you kick off04:41
morganfainbergnotably is the one i'm looking at04:41
jamielennoxmorganfainberg: i've no idea what to do about that one04:42
morganfainbergjamielennox, approvedcx04:42
stevemardamn you morganfainberg - beat me to it04:42
morganfainbergjamielennox, that one actually scares me a little.04:42
jamielennoxmorganfainberg: sent it to stevemar to give you a break04:43
jamielennoxthe allow one?04:43
morganfainberg that is04:43
jamielennoxi agree04:43
*** lnxnut has quit IRC04:43
jamielennoxfeels wrong somehow04:43
morganfainbergcan we punt until March release?04:43
morganfainbergi want that one to bake a little more04:43
morganfainbergif it becomes really important we can push a release sooner than march04:44
morganfainbergbut i ... i just don't feel good about letting that one in [and thanks for confirming it's not just me]04:44
jamielennoxmorganfainberg: i've talked to him about it, and i suggested maybe a tuple was a better interface04:44
morganfainbergletting that one in at the last minute*04:44
jamielennoxbut it still feels off04:44
morganfainbergjamielennox, i would agree a tuple would be better04:44
morganfainbergok i'm going to punt on that one04:45
morganfainbergand the whole chain:
morganfainbergjamielennox, how deep are you trying to get in for tomorrow?04:45
jamielennoxso has been unreviewed for a while - and i kind of want it04:45
morganfainbergoh it's only 204:45
jamielennoxi'm hoping for that to be the base of dealing with context objects04:45
morganfainbergi thought that one had more.04:45
morganfainbergjamielennox, let me finish the ksc ones first04:46
morganfainbergthen we talk middleware04:46
jamielennoxif i can combine that with some plugin serialization that i'm still mulling over then it becomes the object that every server can sync around04:46
morganfainbergok this one:
morganfainbergstarting there04:46
stevemarthanks for bug 153922 morganfainberg :P04:47
openstackbug 153922 in nautilus (Ubuntu) "Nautilus hangs on mouse over icons of MP3s" [Medium,Fix released] - Assigned to Ubuntu Desktop Bugs (desktop-bugs)04:47
stevemarerr... bug 1418384 :P04:47
openstackbug 1418384 in python-openstackclient "openstack client help shows domain can be changed for a project" [Undecided,New]
morganfainbergstevemar, NICE04:47
stevemari tossed up
stevemarmorganfainberg, i'm guessing we shouldn't allow users and groups to change domains either :P04:48
morganfainberg looks silly simple04:48
jamielennoxsure, that one's pretty simple it would replace:
morganfainbergstevemar, i *think* we already have _require_matching_id(domain_id, domain)04:48
jamielennoxand it would be useful in heat where they take the keystone.token_info env object to make a plugin from it rather than pull it apart04:49
morganfainbergstevemar in user/groups...and if we don't we *should* like... yesterday04:49
*** lnxnut has joined #openstack-keystone04:49
stevemarmorganfainberg, i'll restrict it from the client side04:49
morganfainbergstevemar, i'd ask you prioritise server in that case if it's not already enforced04:49
morganfainbergstevemar, that is a security issue otherwise.04:50
* morganfainberg checks04:50
morganfainbergi uh...04:51
morganfainbergyeah we do:         self._require_matching_domain_id(04:52
morganfainberg            user_id, user, self.identity_api.get_user)04:52
morganfainbergand:         self._require_matching_domain_id(04:52
morganfainberg            group_id, group, self.identity_api.get_group)04:52
morganfainbergstevemar, we're good on the server side. client should be easy to fix then04:52
morganfainbergjamielennox, so for the AccessInfoPlugin, it's just a nice wrapper to accessinfo right?04:53
morganfainbergthats what it looks like04:53
morganfainbergso middleware can do accessinfo -> plugin04:53
jamielennoxpeople are used to the AccessInfo object, i found enough places people consume it that it was just easier to provide it in client04:53
*** lnxnut has quit IRC04:53
morganfainbergi'd like to strongly encourage people to *not* do that04:54
morganfainbergi can see the benefit of having it04:54
jamielennoxmorganfainberg: well, that i have some ideas for on the middleware side....04:54
morganfainbergstevemar, - pretty straightforward04:54
darrencstevemar, if you have a spare second, can you +1 my patch again, I fixed a nit Thanks!04:54
stevemardarrenc, done04:55
darrencThanks stevemar04:55
morganfainbergjamielennox, yeah looks good04:55
morganfainbergjamielennox, pretty straight forward04:55
morganfainbergjust making the header get more explicit04:56
stevemarblah accessinfo04:56
jamielennoxmorganfainberg: it's actually kind of tricky, ideally i would like get_token to rely on get_headers - however that would break compat04:56
jamielennoxi was hoping it would be nicer than it turned out, but i think it's sound04:57
morganfainbergstevemar, you know when you get a song stuck in your head....04:57
*** spandhe has joined #openstack-keystone04:57
morganfainbergand it wont go away04:57
* morganfainberg sighs04:57
jamielennoxmorganfainberg: good song though?04:58
morganfainbergjamielennox, well i like the artist *and* i did the mix of styles: Classical Strings and Electronic/Dance stuff04:58
morganfainbergjamielennox, so basically stupidly catchy *AND* interesting04:59
jamielennoxmorganfainberg: so could be worse04:59
jamielennoxmorganfainberg: shake it off04:59
morganfainbergit's actually been a couple of songs in similar style that have really stuck05:00
morganfainbergover the last ~week05:00
morganfainbergjamielennox, is this to support a plugin needs a definitive set of arguments (or can require it):
morganfainbergjamielennox, or is that to prevent non-expected params?05:01
jamielennoxmorganfainberg: yes, but i haven't actually done the implementation so i don't mind as much there05:01
jamielennoxoh - the acceptable bit?05:01
jamielennoxthat's because when you do requests.request() you mix connection params and request params up together05:02
jamielennoxi don't want a plugin given the ability to do that05:02
jamielennoxwell have someone do it then i break compat later05:02
morganfainbergok the beasty of a patch:
morganfainbergthe ksc ones are +2 except the "experimental/allow" one05:03
jamielennoxthere is an advanced part of requests that lets you build a message and then send to keep those params separate, there was some stuff missing i had a patch in to fix in requests but it'll be a while before it's something we can rely on05:03
jamielennoxthe connection_params is essentially required for gyee's ssl cert auth plugin - at the moment you can only set those params on the session05:03
morganfainbergjamielennox, sure05:03
morganfainbergmakes sense05:03
jamielennoxthat's why verify, cert and auth05:04
morganfainbergugh i need to write an abstract for a presentation up tonight... crap totally spaced on that.05:04
jamielennoxbut i haven't written that plugin and i don't think he has either so meh05:04
jamielennoxright - so that patch is fairly trivial in terms of work but it does open up a whole new area of public interfaces05:06
openstackgerritSteve Martinelli proposed openstack/keystone: Fix mysql issue with v001 of endpoint-filter
jamielennoxmorganfainberg: i can think of no reason that except exceptions.NoMatchingPlugin as e would need to be in that patch....05:12
*** wanghong has quit IRC05:15
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Turn our auth plugin into a token interface
jamielennoxdamn, looks like it was part of the old file, got removed and i screwed up a rebase around patch 505:15
*** wanghong has joined #openstack-keystone05:15
openstackgerritMerged openstack/python-keystoneclient: Add name parameter to NoMatchingPlugin exception
stevemarjamielennox, for what'll happen if i use .get_token() ?05:19
stevemarsame as before / deprecation msg / ...05:19
jamielennoxstevemar: essentially it'll have to be supported forever because the only abstract interface on that class is get_token05:19
jamielennoxand lots of clients make use of it05:19
stevemarokay good, yes, lots of clients do05:20
stevemarjust wanted to make sure05:20
jamielennoxi tried to say in the comments that if you're writing a plugin you should support both05:20
stevemari saw that05:20
jamielennoxrealistically there aren't that many plugins that aren't a subclass of identityplugin so it's not too big a deal05:21
jamielennoxi don't think i want to bother with a deprecation warning, because it'd have to go on the base class and not the subclass05:22
*** ajayaa has joined #openstack-keystone05:23
jamielennoxso it makes sense for all the identity plugins to implement get_token, it just shouldn't exist on the base class05:23
jamielennoxi experimented with moving it, but then you can't use the get_token() in the default implementation of get_connection_params05:23
*** dimsum__ has joined #openstack-keystone05:24
*** dimsum__ has quit IRC05:29
stevemari am off to sleep, see y'all in a few hours05:31
*** markvoelker has joined #openstack-keystone05:31
jamielennoxstevemar: thanks for those05:31
stevemarnp dude, happy to help05:32
*** markvoelker has quit IRC05:36
*** stevemar has quit IRC05:41
openstackgerritMerged openstack/python-keystoneclient: Basic AccessInfo plugin
*** lnxnut has joined #openstack-keystone05:50
*** boris-42 has quit IRC05:52
openstackgerritMerged openstack/python-keystoneclient: Add get_headers interface to authentication plugins
*** dflye has quit IRC05:57
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Extract the Loadable interface from a plugin
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Make session use the Loadable interface
*** nellysmitt has joined #openstack-keystone06:18
*** nellysmitt has quit IRC06:22
*** boris-42 has joined #openstack-keystone06:26
*** pcaruana has quit IRC06:28
marekdmorganfainberg: looking at the bug.06:32
*** markvoelker has joined #openstack-keystone06:32
marekdmorganfainberg: about the temp - I will check it cause I don't know it now, but no matter how crazy numbers are I think it is possible here :-)06:34
marekdmorganfainberg: ok, i was away for weekend, and now back in the business.06:36
* morganfainberg is about to sleep06:36
* marekd good night06:36
*** markvoelker has quit IRC06:37
marekdmorganfainberg: we dropped Py26 in Juno, right?06:40
*** lnxnut has quit IRC06:41
*** spandhe has quit IRC06:44
*** josecastroleon has joined #openstack-keystone06:48
*** ncoghlan has quit IRC07:12
*** afazekas has joined #openstack-keystone07:20
*** mzbik has joined #openstack-keystone07:25
*** YorikSar has quit IRC07:30
*** markvoelker has joined #openstack-keystone07:33
*** jaosorior has joined #openstack-keystone07:35
*** stevemar has joined #openstack-keystone07:35
*** ChanServ sets mode: +v stevemar07:35
*** chlong has quit IRC07:37
*** markvoelker has quit IRC07:38
openstackgerritDave Chen proposed openstack/keystone: Fix the syntax issue on creating table `endpoint_group`
*** YorikSar has joined #openstack-keystone07:59
openstackgerritDave Chen proposed openstack/keystone: Fix the syntax issue on creating table `endpoint_group`
*** erkules_ is now known as erkules08:04
*** mzbik has quit IRC08:09
*** mzbik has joined #openstack-keystone08:09
*** pnavarro has joined #openstack-keystone08:13
*** Guest90369 has quit IRC08:14
*** wpf has joined #openstack-keystone08:16
*** mfisch has joined #openstack-keystone08:18
*** mfisch is now known as Guest2281708:18
*** nellysmitt has joined #openstack-keystone08:18
*** stevemar has quit IRC08:20
*** nellysmitt has quit IRC08:23
*** nellysmitt has joined #openstack-keystone08:23
*** henrynash has joined #openstack-keystone08:34
*** ChanServ sets mode: +v henrynash08:34
*** markvoelker has joined #openstack-keystone08:34
*** markvoelker has quit IRC08:39
*** aix has joined #openstack-keystone08:40
*** oomichi has quit IRC08:42
*** karimb has joined #openstack-keystone08:47
*** jistr has joined #openstack-keystone08:49
*** afazekas has quit IRC08:49
*** YorikSar has quit IRC09:02
*** ajayaa has quit IRC09:04
*** zz_avozza is now known as avozza09:05
*** YorikSar has joined #openstack-keystone09:15
*** ajayaa has joined #openstack-keystone09:17
*** aix has quit IRC09:23
*** YorikSar has quit IRC09:33
openstackgerritDave Chen proposed openstack/keystone: Fix the syntax issue on creating table `endpoint_group`
*** markvoelker has joined #openstack-keystone09:35
*** YorikSar has joined #openstack-keystone09:35
ajayaajamielennox, Is the enabled flag for a user used at all?09:39
*** markvoelker has quit IRC09:39
jamielennoxajayaa: it should be - it depends where you are using it from09:41
jamielennox(and not that i've tested it for a really long time)09:41
jamielennoxit should prevent login, it will still show up in a user-list for example09:41
ajayaajamielennox, okay. It feels like one of those features which is not useful.09:41
ajayaasomething like extra_attributes.09:41
jamielennoxajayaa: heh - i understand the sentiment09:42
openstackgerritDave Chen proposed openstack/keystone: Fix the syntax issue on creating table `endpoint_group`
jamielennoxajayaa: it's pretty useful from an LDAP perspective though where you often just disable the user rather than delete09:42
jamielennoxand where you shouldn't user-list anyway09:42
ajayaajamielennox, Thanks. That is helpful.09:45
*** dlatt has joined #openstack-keystone09:52
*** dlatt has left #openstack-keystone09:56
ccardI'm trying to get openstack-keystone to use LDAP for its identity data, and I have added what I believe to be configuration that should work to /etc/keystone/keystone.conf. By turning on debug logging in keystone and the ldap server, I can see that keystone is making several requests to the ldap server which work, but the final request it makes always returns LDAP error 49 (Invalid credentials).09:57
ccardI suspect this is because the final request is binding as the admin user, and I have no password defined in the LDAP entry - how can I see which user the LDAP requests are being done as?09:59
*** henrynash has quit IRC09:59
ccardI've added the userPassword to the admin user in the LDAP directory and checked that ldapsearch works binding as this user, but keystone is still getting err 49 for its last request.10:17
*** andreaf_ is now known as andreaf10:21
jamielennoxccard: not an expert here, yes the final bind is being done as the user that is trying to log in so that is a likely cause10:28
jamielennoxi was under the impression that the LDAP logging is very verbose in debug mode - so that should let you see the user s10:30
ccardjamielennox: yes, LDAP logging is very verbose, but I couldn't see anything about the bind user. I'll take another look.10:33
jamielennoxccard: last time i had a problem like this i disabled multi threading and used ipdb to step through the ldap code10:34
jamielennox:( that's a poor answer - sorry10:34
*** markvoelker has joined #openstack-keystone10:36
*** markvoelker has quit IRC10:41
ccardjamielennox: actually the error 49 has gone now, the BIND is working, but "keystone user-list" is now giving the error "Could not find project: admin (Disable debug mode to suppress these details.) (HTTP 401)10:43
jamielennoxccard: ok, so are you using LDAP assignment or SQL?10:43
jamielennoxif you don't pick one then by default you are using LDAP - and you don't want to be10:43
ccardjamielennox: SQL I believe, given that LDAP assignment is going to be deprecated, but maybe it's not explicitly specified10:44
jamielennoxccard: so you'll have: [assignment]10:44
jamielennoxdriver = keystone.assignment.backends.sql.Assignment10:44
jamielennoxin config10:44
ccardjamielennox: yes, that was it, thanks. keystone user-list is now returning the users :)10:48
jamielennoxccard: cool - that always gets me too, unfortunately it's one of those default options that is difficult to change10:48
ccardjamielennox: I suspect I still need to add passwords for the other internal users, but I don't know what they are - I set this openstack up before Christmas using packstack, and I don't think I had to supply any passwords, though I must have got the admin password from somewhere. Can I find out what the passwords are, or will it be simpler to change them?10:52
*** jamiec has quit IRC10:55
jamielennoxccard: heh, i'm currently writing up something very similar to what it sounds like you're doing10:56
*** jamiec has joined #openstack-keystone10:56
jamielennoxif you still have the packstack answers file around then the service users passwords are all in there10:56
jamielennoxotherwise you'll have to change them10:57
ccardjamielennox: thanks, I see them now. I also just noticed that keystone user-list is returning the users, but the Enabled flag is blank. I've put all the users in a group and set user_enabled_default to False and pointed user_enabled_emulation_dn to a group which has all the users as members.11:00
*** dobson has quit IRC11:01
jamielennoxccard: blank or reversed?11:02
jamielennoxalso is this an IPA deployment?11:02
*** rm_work|away has quit IRC11:02
*** dobson has joined #openstack-keystone11:03
*** rm_work|away has joined #openstack-keystone11:04
*** rm_work|away is now known as rm_work11:04
*** rm_work has joined #openstack-keystone11:04
ccardjamielennox: blank, I think. This isn't IPA at the moment, but at some point in the future it will be.11:06
jamielennoxok - just that  i have an IPA config here11:06
jamielennoxum, only thing i can guess is that the field is wrong but i'm not sure on that one11:07
ccardjamielennox: I've added the passwords to LDAP and the openstack gui is behaving better anyway. Let me double-check the Enabled stuff11:12
ccardjamielennox: I'd missed user_enabled_emulation = True :( Now working ok ...11:15
jamielennoxccard: so many ldap options...11:18
*** afazekas has joined #openstack-keystone11:34
*** markvoelker has joined #openstack-keystone11:37
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Improve List Role Assignments Filters Performance
*** afazekas has quit IRC11:39
*** markvoelker has quit IRC11:42
jamielennoxalright - night all11:47
*** josecastroleon has quit IRC11:49
*** andreaf_ has joined #openstack-keystone11:54
*** jamielennox is now known as jamielennox|away11:56
*** andreaf_ has quit IRC11:58
*** andreaf_ has joined #openstack-keystone11:59
*** josecastroleon has joined #openstack-keystone12:06
*** afazekas has joined #openstack-keystone12:19
*** chlong has joined #openstack-keystone12:25
*** aix has joined #openstack-keystone12:29
*** rushiagr is now known as rushiagr_away12:35
*** chlong has quit IRC12:35
*** henrynash has joined #openstack-keystone12:35
*** ChanServ sets mode: +v henrynash12:35
*** chlong has joined #openstack-keystone12:35
*** raildo has joined #openstack-keystone12:36
*** markvoelker has joined #openstack-keystone12:38
samueldmqhenrynash, hi - thanks for your review. Your comments were addressed and your tests are now passing12:40
henrynashsamueldmq: ok, excellent!  I’ll do another pass today of the patch12:41
samueldmqhenrynash, great! I'm checking your last patch on tests (Test list_role_assignment in standard inheritance tests) to check if there is something else wrong with our refactoring :)12:42
samueldmqhenrynash, some tests are failing there12:42
samueldmqs/some tests are/one test is12:43
henrynashsamueldmq: oh, really? I thought the new ones I added were passing on my machine locally12:43
*** markvoelker has quit IRC12:43
henrynashsamueldmq: the last patch I need to add is where we add support for testing project hierarchies with list_role_assignments12:44
henrynashsamueldmq: at the point, list_role_assignments will be at least as well tested (if not more) than the old methods we used to use12:44
*** dimsum__ has joined #openstack-keystone12:44
henrynash(at that point…)12:45
*** dims_ has joined #openstack-keystone12:45
*** karimb has quit IRC12:46
*** dimsum__ has quit IRC12:49
samueldmqhenrynash, nice, makes sense to me.  it will be more tested, for sure :)12:49
samueldmqhenrynash, see my comments on patch 15389712:49
samueldmqhenrynash, something was wrong in the test12:49
henrynashsamueldmq: could well be….:-)12:50
henrynashsamueldmq: ah, sorry, yes, I swapped the order of the definitions around, but didn’t change the results…oops12:51
henrynashsamueldmq: I’ll repost12:52
*** lnxnut has joined #openstack-keystone12:53
samueldmqhenrynash, great :)12:55
*** lnxnut has quit IRC12:58
*** markvoelker has joined #openstack-keystone12:59
*** pnavarro is now known as NICK|afk13:06
*** NICK|afk is now known as pnavarro13:07
*** pnavarro is now known as pnavarro|afk13:07
*** krykowski has joined #openstack-keystone13:12
*** rushiagr_away is now known as rushiagr13:16
openstackgerrithenry-nash proposed openstack/keystone: Split the assignments controller
*** ctina has joined #openstack-keystone13:22
*** ctina has quit IRC13:22
*** htruta has joined #openstack-keystone13:31
*** henrynash has quit IRC13:36
*** chlong has quit IRC13:36
*** bknudson has quit IRC13:36
*** gordc has joined #openstack-keystone13:37
*** rushiagr is now known as rushiagr_away13:41
*** afazekas has quit IRC13:47
*** aix has quit IRC13:47
*** bknudson has joined #openstack-keystone13:59
*** ChanServ sets mode: +v bknudson13:59
*** ctina has joined #openstack-keystone14:00
*** david-lyle_afk is now known as david-lyle14:01
*** krtaylor has quit IRC14:03
*** krykowski has quit IRC14:03
*** r-daneel has joined #openstack-keystone14:04
*** rhbear has joined #openstack-keystone14:05
*** ljfisher has joined #openstack-keystone14:10
*** ajayaa has quit IRC14:11
*** krtaylor has joined #openstack-keystone14:16
*** lnxnut has joined #openstack-keystone14:17
*** krykowski has joined #openstack-keystone14:17
*** nellysmitt has quit IRC14:19
*** mzbik has quit IRC14:20
*** lnxnut has quit IRC14:21
marekdbknudson: re: i don't know if the bp should be created in keystoneclient or keystoneclient-federation project?14:23
bknudsonmarekd: probably one for each?14:23
marekdbknudson: ack14:23
bknudsonthere's stuff to do in keystoneclient and stuff to do in keystoneclient-federation14:23
*** ctina has quit IRC14:26
*** samueldmq_ has joined #openstack-keystone14:26
samueldmq_bknudson, dstanek, morganfainberg could you please take a look at backends-tests-restructuration blueprint ?14:28
*** rushiagr_away is now known as rushiagr14:29
*** henrynash has joined #openstack-keystone14:34
*** ChanServ sets mode: +v henrynash14:34
*** karimb has joined #openstack-keystone14:36
*** abhirc has joined #openstack-keystone14:38
*** ctina has joined #openstack-keystone14:39
openstackgerrithenry-nash proposed openstack/keystone: Add support for data-driven backend assignment testing
henrynashsamueldmq_: yes, we need to do that one, I think!14:40
henrynashsamueldmq_: we should add it for approval with a spec for tomorrow’s meeting14:40
*** rhbear has quit IRC14:42
openstackgerrithenry-nash proposed openstack/keystone: Add support for effective & inherited mode in data driven tests
openstackgerrithenry-nash proposed openstack/keystone: Add support for group membership to data driven assignment tests
openstackgerrithenry-nash proposed openstack/keystone: Test list_role_assignment in standard inheritance tests
samueldmq_henrynash, with or without a spec? I'm not sure we need one ..14:52
*** pnavarro|afk is now known as pnavarro14:52
henrynashsamueldmq_: I would agree - we should suggest we do this without a spec14:52
samueldmq_henrynash, great! I will add it to tomorrow's meeting, thanks14:53
henrynashsamueldmq_: excellent14:54
*** afazekas has joined #openstack-keystone14:54
*** aix has joined #openstack-keystone14:56
*** richm1 has joined #openstack-keystone14:56
*** radez_g0n3 is now known as radez14:58
*** richm1 is now known as richm14:58
*** lnxnut has joined #openstack-keystone14:58
*** lnxnut_ has joined #openstack-keystone15:01
*** lnxnut has quit IRC15:02
*** ajayaa has joined #openstack-keystone15:04
*** topol has joined #openstack-keystone15:05
*** ChanServ sets mode: +v topol15:05
*** stevemar has joined #openstack-keystone15:08
*** ChanServ sets mode: +v stevemar15:08
*** samueldmq_ has quit IRC15:19
openstackgerritDavid Charles Kennedy proposed openstack/keystone: Improves support for sample data script with ssl
*** carlosmarin has joined #openstack-keystone15:22
*** timcline has joined #openstack-keystone15:22
*** henrynash has quit IRC15:23
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Extract test_v3_resource from test_v3_assignment
*** ljfisher has quit IRC15:29
samueldmqbknudson, could you please review this (
samueldmqbknudson, the point is whether we should or not support sqlite on the proposed migration15:31
bknudsonsamueldmq: there's several core reviewers on keystone ... you'll probably get a better response by not asking a specific person to review it.15:32
*** afazekas has quit IRC15:32
samueldmqbknudson, it's been there for days .. that's why I pinged you .. I understand your point, and will ping others as well, thanks15:33
samueldmqdstanek, ping - could you please take a look at ?15:34
dstaneksamueldmq: sure15:34
samueldmqdstanek, there is a discussion on whether we should support sqlite on that migration15:34
samueldmqdstanek, ok thanks15:35
*** ljfisher has joined #openstack-keystone15:35
*** afazekas has joined #openstack-keystone15:46
*** jorge_munoz has joined #openstack-keystone15:54
*** joesavak has joined #openstack-keystone15:55
*** Guest22817 is now known as mfisch15:56
*** mfisch has joined #openstack-keystone15:56
*** dims_ has quit IRC15:56
*** aix has quit IRC16:00
openstackgerritBoris Bobrov proposed openstack/keystone: Fix invalid super() usage in memcache pool
*** dimsum__ has joined #openstack-keystone16:01
*** dimsum__ has quit IRC16:08
*** dimsum__ has joined #openstack-keystone16:10
*** dimsum__ has quit IRC16:11
*** dimsum__ has joined #openstack-keystone16:12
*** dimsum__ has quit IRC16:13
*** dimsum__ has joined #openstack-keystone16:13
*** dimsum__ has quit IRC16:14
openstackgerritMarek Denis proposed openstack/keystone: Change user identification in mapping engine
*** dimsum__ has joined #openstack-keystone16:17
*** zzzeek has joined #openstack-keystone16:17
openstackgerritMarek Denis proposed openstack/keystone: Change user identification in mapping engine
*** krykowski has quit IRC16:26
marekdmorganfainberg: stevemar: For this spec: I specified that user can be identified by id AND domain, but looks like it should be more like that:
*** aix has joined #openstack-keystone16:29
*** Farhan_ has quit IRC16:31
*** afazekas has quit IRC16:33
*** gyee has joined #openstack-keystone16:33
*** ChanServ sets mode: +v gyee16:33
lbragstaddavid8hu: your main objective here is to just get rid of the version specific methods here, right (
*** ayoung has joined #openstack-keystone16:33
*** ChanServ sets mode: +v ayoung16:33
lbragstaddavid8hu: I think this was the review from ayoung that morganfainberg was referencing?
stevemarhuh, db2 ci just gave me a merge failed warning16:44
*** rwsu has joined #openstack-keystone16:44
*** ajayaa has quit IRC16:44
*** ajayaa has joined #openstack-keystone16:45
*** nicodemos has joined #openstack-keystone16:47
*** afazekas has joined #openstack-keystone16:50
*** timcline has quit IRC16:57
*** Guest69804 is now known as dan_16:58
*** dan_ is now known as dank_16:58
*** Ephur has joined #openstack-keystone16:58
*** tqtran has joined #openstack-keystone17:00
*** joesavak has quit IRC17:02
*** bjornar has quit IRC17:03
*** timcline has joined #openstack-keystone17:03
*** Ephur has quit IRC17:04
*** krykowski has joined #openstack-keystone17:06
*** jistr has quit IRC17:10
*** rwsu has quit IRC17:10
*** rwsu has joined #openstack-keystone17:11
*** EmilienM is now known as EmilienM|afk17:15
*** kfox1111 has joined #openstack-keystone17:16
*** henrynash has joined #openstack-keystone17:17
*** ChanServ sets mode: +v henrynash17:17
stevemarbknudson, morganfainberg so whats up with the domain id not being used here:
kfox1111Odd problem. Just tried adding groups to the ldap config. got this:17:18
kfox1111oh... my dn was wrong. still from the example.17:18
stevemarbknudson, morganfainberg oops, oh it's actually fine, since the id is part of the domain blob anyway17:18
ayounglbragstad, I missed the context, but that is what I am currently working on17:19
lbragstadayoung: david8hu is working on cleaning up the token provider pipeline and morganfainberg referenced that accessinfo commit you had17:19
lbragstadseeing if there was a way we could consolidate work17:19
ayounglbragstad, looking at his review now17:20
ayounglbragstad, yes, that is the kind of code I am trying to support17:21
lbragstadayoung: cool17:21
lbragstadayoung: I need to step through your review, working on david8hu patch a little right now too17:21
*** amerine has quit IRC17:22
ayounglbragstad, cool.  I have not yet gotten all the tests to run.  Right now I am triggering a circular dependency in the JSON parsing somehow.  jamielennox|away wants to be able to replace the client side of the access_info in the first hack, so it is chewing up much time17:22
lbragstadayoung: ok, makes sense17:23
*** zigo has quit IRC17:29
kfox1111Is there a way to list what groups a user is a member of via the cli?17:35
*** lhcheng has joined #openstack-keystone17:37
*** amerine has joined #openstack-keystone17:39
*** krtaylor has quit IRC17:41
*** marg7175 has joined #openstack-keystone17:51
*** spandhe has joined #openstack-keystone17:51
*** karimb has quit IRC17:52
*** krtaylor has joined #openstack-keystone17:54
*** ajayaa has quit IRC17:58
lbragstadkfox1111: not sure about the cli (cc stevemar ?) but there is a rest call for it
morganfainberglbragstad, kfox1111, for sure you can't get that information with keystoneclient17:59
lbragstadmorganfainberg: kfox1111 checking osc17:59
morganfainbergopenstackclient might be able to.17:59
stevemarmorganfainberg, kfox1111 yeah it should be able to17:59
*** timcline has quit IRC18:00
stevemarlbragstad, point to our pretty docs!18:00
lbragstadstevemar: you beat me to it!18:00
openstackgerritDolph Mathews proposed openstack/keystone: create _member_ role as specified in CONF
lbragstadstevemar: but the code is pretty too!18:00
* morganfainberg is getting ready to release keystoneclient 1.1.018:02
morganfainberganyone have a reason i should avoid doing so?18:02
stevemarlbragstad, for you too ^18:02
stevemarmorganfainberg, no reason not to! but ask jamie :P18:03
lbragstadstevemar: thanks18:03
morganfainbergstevemar, based upon last night, we should be good.18:03
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: refactor: use _get_project_endpoint_group_url() where applicable
samueldmqdolphm, ^just rebased18:03
dolphmsamueldmq: thanks!18:04
*** harlowja has joined #openstack-keystone18:04
samueldmqdolphm, np18:04
openstackgerrithenry-nash proposed openstack/keystone: Add support for group membership to data driven assignment tests
*** krykowski has quit IRC18:06
*** afazekas has quit IRC18:07
openstackgerritMerged openstack/oslo.policy: Make use of private modules
morganfainbergkeystoneclient released18:10
openstackgerritMerged openstack/oslo.policy: Do not use global enforcer for tests
openstackgerritSteve Martinelli proposed openstack/keystonemiddleware: Use oslo.context instead of incubator code
*** timcline has joined #openstack-keystone18:13
david8hulbragstad: is the one Morgan is referring to.  I am looking at I can leverage from 138519, so my patch is more focused and not duplicating the work.18:13
openstackgerritSteve Martinelli proposed openstack/keystonemiddleware: Sync with oslo-incubator
lbragstaddavid8hu: ok18:14
*** aix has quit IRC18:15
*** rushiagr is now known as rushiagr_away18:18
openstackLaunchpad bug 1415184 in Trove "Invalid argument in threadgroup.Thread.wait" [Medium,Triaged]18:19
lbragstaddavid8hu: so the keystonetoken class you have in is pretty much the equivalent of the Token class here
openstackgerritMerged openstack/oslo.policy: Stop shouting test attribute names
openstackgerritMerged openstack/oslo.policy: Remove oslo.concurrency from requirements
openstackgerritMerged openstack/oslo.policy: Remove globals that were introduced for compatibility
samueldmqlbragstad, breton just left a comment on your discussion on review #13917418:21
stevemarmorganfainberg, we're nearing a first release of oslo.policy :O18:21
morganfainbergstevemar, cool!18:21
david8hulbragstad:  Yes, very similar except the internal data structure18:21
lbragstaddavid8hu: so is that the part we don't want to duplicate?18:22
lbragstadand if so, we'd be relying on keystoneclient for that structure?18:22
*** atiwari has joined #openstack-keystone18:23
openstackgerritMerged openstack/oslo.policy: Upgrade hacking to >=0.10.0
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements
david8hulbragstad:  The token obj itself is what I do not want to duplicate.  The internal data structure if need to can be enhanced at a later time I hope.18:24
morganfainberglbragstad, the idea is we'd use the same token object class everywhere18:24
morganfainbergrather than needing to have multiple different implementations18:24
lbragstadmorganfainberg: david8hu ok, makes sense18:25
lbragstadmorganfainberg: david8hu and that should live in the client18:25
*** sld has joined #openstack-keystone18:25
lbragstadso we'll have to review the access info stuff and release a version of keystoneclient before fixing the provider logic in keystone18:26
*** krtaylor has quit IRC18:27
openstackgerritMorgan Fainberg proposed openstack/keystonemiddleware: iso expires should be returned in one place
richmayoung: ping - re:
richmayoung: is admin_token authentication still valid in juno?18:34
richmayoung: if it is, does it require policy in order to work?18:34
richmayoung: because when I use it, I get "The request you have made requires authentication." 40118:39
kfox1111stevemar: thanks18:40
*** avozza is now known as zz_avozza18:42
larsksrichm: with juno, if I run 'keystone --os-token <token> --os-endpoint http://keystone:35357/v2.0 service-list' it works without error.18:45
ayoungrichm, it depends on the call18:46
ayoungrichm, you need to have it enabled in the config file too.18:47
ayoungrichm, sorry for the slow reply, as I was out dealing with Elsa18:47
* larsks notes that things seem to work with --os-identity-api-version=3, also, with a modified endpoint url.18:48
*** atiwari has quit IRC18:50
lbragstadayoung: I took a pass at,n,z18:50
lbragstadayoung: I can help respin them if needed18:50
ayounglbragstad, thanks18:50
ayoungyes, please18:50
*** arunkant has joined #openstack-keystone18:59
*** zigo has joined #openstack-keystone19:03
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient: Implements subtree_as_ids and parents_as_ids
openstackgerritLance Bragstad proposed openstack/python-keystoneclient: Add data to example data
openstackgerritLance Bragstad proposed openstack/python-keystoneclient: Access Info
*** EmilienM|afk is now known as EmilienM19:12
lbragstadstevemar: ayoung ^ attempted to address some comments19:12
*** zz_avozza is now known as avozza19:17
*** joesavak has joined #openstack-keystone19:22
richmlarsks: I'm trying to use "openstack" instead of "keystone" (for puppet-keystone v3 support)19:23
ayounglbragstad, thanks.  will look19:24
richmayoung: how do I enable it in the config file?  Something other than DEFAULT/admin_token=...... ?19:24
*** gokrokve has joined #openstack-keystone19:25
larsksrichm: using 'openstack --os-token <token> --os-url http://localhost:35357/v3 --os-identity-api-version=3 service list' works, too :)19:25
*** atiwari has joined #openstack-keystone19:26
*** atiwari has joined #openstack-keystone19:28
ayoungrichm, I'm  looking...there is another config option, too19:28
ayoungrichm, ah, I think it is in the paste pipeline19:28
richmlarsks: <token> is the DEFAULT/admin_token?19:28
larsksrichm: right.19:29
morganfainbergHrm. I wonder if we could improve the keystone bootstrap story.19:29
larsks(this is on a largely stock f21/rdo juno)19:29
richmlarsks: ok - the thing is, that works fine until I enable the v3 policy and v3 multiple domains19:29
ayoung  richm see admin_token_auth in there?19:29
larsksrichm: interesting. I *do* have multiple domains (I have heat installed and using a 'heat' domain).19:29
morganfainbergThe admin token story is ok but lacking (needing to do a restart of keystone and reconfigure it to bootstrap is not wonderful)19:29
larsksBut I'm not sure about the v3 policy.19:29
ayoungrichm, yes, the DEFAULT/admin_token is  what you need to set19:30
richmayoung: ok - admin_token is set19:30
openstackgerritLance Bragstad proposed openstack/keystone: Remove unused test case
ayoungrichm, and look in the paste file to make sure the admin_token_auth  filter is in place19:30
richmayoung: where is that?19:30
morganfainbergAnd that ^^ is why this is a less wonderful story for bootstrapping.19:30
richmayoung: where is the paste ini file?19:31
richmthere isn't one in /etc/keystone in my deployment19:31
ayoungrichm, this an RDO install?19:31
morganfainbergrichm: paste ini file. Usually in the keystone config dir (etc/keystone/paste-ini.conf ?)19:31
richmayoung: yes19:31
ayoungTHe paste file is probably under /usr/share19:31
richmmorganfainberg: not there19:31
ayounglook in the config file for the paste entry19:32
morganfainbergayoung: oh RDO does /usr/share ? I ... *shakes head* but... Config-stuff...19:32
stevemarhmph, who knew it places it there19:32
ayoungstevemar, I did19:32
larsksmorganfainberg: the stuff in /usr/share is default configs, meant to be overridden by stuff in /etc.19:32
morganfainbergstevemar: if it's a dist example file that's fine19:33
ayoungstevemar, there is a general trend to having the non editable versions of the files in places other than /etc, and putting overrides only in etc19:33
stevemarahhh okay19:33
ayoungfor example, firewalld puts all the defaults somewhere under lib19:33
stevemarhey morganfainberg can i get you to look at something thats bugging me for 1 sec19:33
morganfainberglarsks: ayoung I disagree with this being non-editable and overridden but that is personal taste.19:33
morganfainbergstevemar: dunno. What's in it for me ;). Yeah of course.19:34
ayoungmorganfainberg, yeah, its the dist baseline, so to modify the paste we'd expect someone to copy to etc and edit the line...not a stellar experience19:34
stevemarwhy is it that this works for icehouse: but this one doesn't:
morganfainbergayoung: the "expect people to copy it" is what I disagree with. Again, personal taste.19:34
ayoungmorganfainberg, its an RPM standard thing, and I avoided tilting at that particular windmill19:34
richm. . . and fail - still not working19:35
*** stevemar has quit IRC19:37
morganfainbergOh he left.19:37
*** stevemar has joined #openstack-keystone19:38
*** ChanServ sets mode: +v stevemar19:38
morganfainberg*pokes stevemar's lifeless connection with a stick* yep, dead Jim19:38
morganfainbergstevemar: a zuul get error it looks like. Not a oslo.context error.19:38
stevemarmorganfainberg, oh it was a zuul error19:38
stevemarmorganfainberg, every now and then my isp just died19:39
morganfainbergLooks like to me it's Zuul in this case19:39
morganfainbergAt least it isn't a Vince Clortho error >.>19:39
morganfainbergbah. Not even a snicker for that one :(19:40
stevemarmorganfainberg, neat... feel free to review those guys :D19:40
*** afazekas has joined #openstack-keystone19:40
stevemarsorry, that one went way over my head19:40
morganfainbergNot a ghostbusters fan?19:41
*** openstackgerrit has quit IRC19:41
*** openstackgerrit has joined #openstack-keystone19:41
stevemarah, google is telling me stuff now19:41
morganfainbergVince Clortho and Zuul. Summon gozer the gozarian.19:41
morganfainbergYou had to google that?19:41
stevemarmaybe, shhhh19:42
dank_We aren't all a mine of 80's trivia information sir :)19:42
morganfainbergdank_: but... Ghostbusters !!19:43
morganfainbergI didn't make a reference to a Sloar or anything else that was a one-off line in that movie.19:43
ayoungmorganfainberg, how many comedies do you remember from the 1960s.19:44
ayoungstevemar, when were you born?  1990 or later?19:44
morganfainbergayoung: depends, do you mean comedy as in a Greek comedy? :P.19:44
ayoungHerbie goes to Monty Carlo?19:45
morganfainbergI am a bad example in most cases. I have a degree in theatre and film. I watched more crappy (and good) movies than I care to admit19:45
morganfainbergFrom all eras.19:46
*** thedodd has joined #openstack-keystone19:46
morganfainbergSo to answer, I have a hard time remembering comedies from any decade, ghostbusters only being relevant due to the naming scheme used for our tools... Zuul is the gatekeeper.19:47
morganfainbergAnd if we were to redo kite, it should be called "Vince" as he is the key master. >.>19:47
morganfainbergAaaannnnnnny way19:49
*** abhirc has quit IRC19:52
*** afazekas has quit IRC19:56
*** afazekas has joined #openstack-keystone19:58
*** krtaylor has joined #openstack-keystone19:59
*** atiwari has quit IRC20:03
*** abhirc has joined #openstack-keystone20:05
*** afazekas has quit IRC20:07
*** abhirc has quit IRC20:07
*** afazekas has joined #openstack-keystone20:07
*** gyee has quit IRC20:07
morganfainbergeventlet makes my head hurt20:10
bknudsonI noticed that keystone wasn't shutting down cleanly in devstack when using eventlet... similar error "Calling waitall() from within one of the GreenPool's greenthreads will never terminate"20:13
bknudsonand I think some tests are dumping that too.20:14
morganfainbergbknudson, that isn't a shutdown in that case20:14
morganfainbergbknudson, that is actually a runtime error apparently, where Thread.wait() is being called somehow which is resulting in an exception20:14
morganfainbergi *think* this is strictly oslo.concurrency issue20:14
stevemarmorganfainberg, are you thinking about a keystonemiddleware release soon?20:18
morganfainbergstevemar, yes, looking at bugs and open reviews before i push the release20:18
morganfainbergthe plan is today unless i have a reason to hold off20:18
stevemarmorganfainberg, i would really like gordc's stuff in the next release20:19
stevemarblah, it's in merge conflict now20:19
*** bjornar has joined #openstack-keystone20:21
ayoungDoes it make sense that JSON utils would report a cycle if two keys pointed to the same string?  Do I need to make a copy of the string to prevent that dstanek ?20:28
*** bjornar has quit IRC20:29
*** timcline has quit IRC20:29
*** timcline has joined #openstack-keystone20:30
bknudsonwhen running devstack in eventlet, if I hit CTRL-C, it prints "AssertionError: Calling waitall() from within one of the GreenPool's greenthreads will never terminate."20:30
bknudsonand then keystone eventually shuts down.20:30
morganfainbergbknudson, weird.20:31
bknudsonfor some reason it logs the config again.20:31
bknudsonadd it to the list of weird stuff.20:32
*** timcline has quit IRC20:34
*** timcline has joined #openstack-keystone20:37
*** Ephur has joined #openstack-keystone20:39
*** bjornar has joined #openstack-keystone20:43
dolphmlbragstad: is there an implementation of AE tokens in gerrit at all?20:43
*** afazekas has quit IRC20:44
lbragstaddolphm: yes,,n,z20:44
lbragstadbut that has been squashed and worked since those were proposed.20:44
*** tqtran is now known as tqtran_afk20:44
dolphmlbragstad: can you post something more recent?20:45
*** radez is now known as radez_g0n320:46
openstackgerritLance Bragstad proposed openstack/keystone: Remove unused test case
*** afazekas has joined #openstack-keystone20:50
*** andreaf_ has quit IRC20:51
dolphmlbragstad: there's got to still be some v2 code acknowledging that API and returning 501 in
lbragstaddolphm: yeah, I just saw that20:55
lbragstadits in the v2 controller20:55
lbragstadbut we still return a list of roles for a user if the request has a tenant supplied20:55
stevemarlbragstad, yeah seems like there is more to rip out? maybe?20:57
lbragstadstevemar: well, it looks like we support returning a users roles if a tenant or domain is supplied20:58
stevemarbut thats a different API call20:58
morganfainbergstevemar, jamielennox|away, lbragstad, any idea what this bug report is trying to accomplish?
openstackLaunchpad bug 1405717 in keystonemiddleware "region_name is not in keystone client auth_token config" [Undecided,New]21:00
dolphmlbragstad: so just return the if block?21:01
dolphmlbragstad: we've made it from essex to juno without implementing that21:01
stevemarmorganfainberg, looks like he wants a region option for middleware21:01
dolphmlbragstad: i think we can drop any acknowledgement that there was an API there at some point in diablo21:02
lbragstaddolphm: yeah,21:02
morganfainbergstevemar, uh... yes, but i'm not sure what benefit that is providing?21:02
lbragstaddolphm: I looked for anything that could possibly test get_user_roles(context, user_id, tenant_id=<some_tenant>) but nothing21:02
lbragstadso I'm not sure we test that either?21:02
dolphmlbragstad: i recall people using that in keystoneclient21:03
dolphmlbragstad: there'd be a test_keystoneclient test for it if anything21:03
richmayoung: still fails - this is the keystone.log output -
ayoungrichm, if you are making an API call that needs RBAC then it should fail21:04
ayoungadmin token is for setup only21:04
ayoungrichm, list what?21:04
richmayoung: so curl -i -X GET -H "X-Auth-Token: $tok" http://localhost:35357/v3/users21:04
dolphmlbragstad: look at the test above that21:04
lbragstadI'm wondering how that is passing21:05
dolphmlbragstad: it's a unit test in the client21:05
lbragstadbecause that should get a 50121:05
*** bjornar has quit IRC21:05
samueldmqfor someone interested on hierarchical projects and inherited roles implementation on horizon21:08
dolphmlbragstad: also, the only thing that's unbounded in AE tokens is group IDs, right?21:08
lbragstaddolphm: yes, I believe so21:09
samueldmqthere is a new blueprint proposing those functionalities:
lbragstaddolphm: let me find the call21:09
samueldmqmorganfainberg, ^ just to let you know we are starting hmt support on horizon21:09
dolphmlbragstad: i was just wondering if we know the maximum number of group IDs we could support without going over 255 chars?21:09
dolphmlbragstad: and what the effect would be of shorter IDs21:10
lbragstaddolphm: something like that ^21:11
*** andreaf_ has joined #openstack-keystone21:12
*** andreaf has quit IRC21:12
*** andreaf_ is now known as andreaf21:12
lbragstad^ dolphm that's the one the marekd referenced in the spec proposal21:13
*** andreaf_ has joined #openstack-keystone21:13
*** gyee has joined #openstack-keystone21:14
*** ChanServ sets mode: +v gyee21:14
*** afazekas has quit IRC21:14
*** atiwari has joined #openstack-keystone21:15
openstackgerritLance Bragstad proposed openstack/python-keystoneclient: Remove get user roles without tenant
openstackgerritLance Bragstad proposed openstack/keystone: Remove unused test case
*** tqtran_afk is now known as tqtran21:22
*** nicodemos has quit IRC21:27
morganfainberghenrynash, ping - let me know when you have a few minutes21:30
morganfainberghenrynash, want to discuss something with ya21:30
*** sld has quit IRC21:31
openstackgerritSteve Martinelli proposed openstack/keystone: Remove XMLEquals from tests
stevemar^^ should be easy21:33
openstackgerritLance Bragstad proposed openstack/keystone: AE Tokens
lbragstadstevemar: none of that xml stuff is used by the federation tests?21:38
lbragstadhmm doesn't look like it21:40
lbragstaddolphm: ^ updated WIP that still needs lots of work21:40
dolphmlbragstad: cool21:40
openstackgerritTAHMINA AHMED proposed openstack/keystone: ABAC based role computing
stevemarlbragstad, nope, we don't match, thats too fancy21:41
*** afazekas has joined #openstack-keystone21:41
lbragstadstevemar: gotcha21:41
lbragstadstevemar: looks good, thanks for catching that21:41
ayoungOK...jsonutils is detecting a circular reference in one of my simple Data transfer objects....very little to this object21:46
ayoung,cm  Endpoint21:46
openstackgerritTAHMINA AHMED proposed openstack/keystone: Testing...
*** afazekas has quit IRC21:53
stevemargordc, rebaseeee
openstackgerritSteve Martinelli proposed openstack/keystonemiddleware: move add event creation logic to keystonemiddleware
stevemargordc, did it for you21:57
gordcstevemar: ....21:58
* gordc goes back to bed.21:58
stevemargordc, you took too long, i waited a whole minute21:58
stevemargordc, not even going to ask21:59
*** ctina has quit IRC22:01
gordci'm hoping to expense a bed for the office... doable?22:01
*** arosen has joined #openstack-keystone22:02
ayoungso...overriding iteritems to fake I can be a dictionary does it....ok....makes sense, I think22:03
arosenHi, I noticed that keystone no longer includes a tenantId in the body of the response for user-list22:03
arosenis this intended? This actually broke the integration I had with keystone as I was expecting this value to be returned :/22:03
morganfainbergarosen. why would user-list have a tenantid?22:03
ayoungarosen, you fell victim to one of the two classic blunders22:03
arosenmorganfainberg:  it did in havana22:03
stevemararosen, maybe it has tenant_id now?22:03
ayoungthe first is "never get involved in a land war in Asia"22:04
morganfainbergarosen, in v2? or v3?22:04
*** afazekas has joined #openstack-keystone22:04
morganfainbergarosen, oh v222:04
ayoungbut only slightly lesser known is "don't expect there to be a tenantid associated with a user object"22:04
* ayoung dies22:04
morganfainbergagain... besides "it was there in havana" why would user-list have a tenantid?22:04
ayoungarosen, LDAP?22:04
morganfainbergayoung, yeah thats my confusion user object doesn't tie to a tenant22:05
ayoungmorganfainberg, its the default tenant issue22:05
morganfainbergayoung, oh gah22:05
* morganfainberg glares menacingly at "default tenant"22:05
aroseneven in devstack22:06
richmdefault tenant is the fly in the ointment, the pain in the a$$, the monkey in the wrench22:06
arosenI noticed the congress test here started failing so I did this to fix it:22:06
*** oomichi has joined #openstack-keystone22:06
arosenI'm pretty sure tenantId was being returned via the API before22:07
ayoungarosen, it depends, but there is no hard requirement that there be a tenant id for a user, so don't depend on it22:07
arosenanyways if it should be there i'm fine removing it just wanted to double check with you guys.22:07
arosenokay gotcha22:07
morganfainbergit may or may not be there22:07
ayoungbut, in devstack with SQL, I would expect there to be one, but it is not a hard requirement even there.22:07
arosenthat's what i was looking for.22:07
morganfainbergarosen, what ayoung said22:08
ayoungarosen, I just got two patches merged which should make this clearer22:08
ayoungthey basically amount to "always start with an unscoped token" and "only convert an unscoped token to a scoped token, never convert a scoped one"22:08
*** afazekas has quit IRC22:09
ayoungjamielennox|away, is working on getting a default service catalog into unscoped tokens that will let us "list projects for user" in a clean way22:09
ayoungso, while a user might be owned by a domain, the idea of default project is not something we are going to handle in the identity backend, since we are moving toward Identity being readonly22:10
openstackgerritMorgan Fainberg proposed openstack/keystone: StrictABC Implementation
morganfainbergayoung, a quick +2 [easy] here22:13
richmstevemar: dtroyer: is there some flag or env. var. I can set to tell openstack "show me the full auth request and response and the token - don't redact anything"22:13
morganfainbergayoung, LDAP assignment deprecation22:13
stevemarrichm, --debug might help22:13
morganfainbergrichm, the token data is likely still "redacted"22:14
richmstevemar: --debug shows everything except the auth request/response and the auth token22:14
morganfainbergfor $reasons22:14
stevemarohh the authN request, not the actual request22:14
stevemarblahh... i don't think we have anything for that22:14
richmthe data that gets POSTed to /v3/auth/tokens, and the full response22:14
*** abhirc has joined #openstack-keystone22:15
*** afazekas has joined #openstack-keystone22:15
ayoungstevemar, so on the id/json review...22:15
ayoungthe reason why the binaries need to be updated is they are generated from the JSON docs22:15
ayoung"not sure if you have to do anything to update .pem and .pkiz"22:16
ayounghe reran the example code generating script to incorporate the changes. stevemar lbragstad can I consider that as 2+2s from Core now?22:17
stevemarayoung, oh okay, just wanted to make sure lbragstad re-ran the stuff he needed to22:17
stevemarayoung, link me! i'll +2 again22:17
openstackgerritArvind Tiwari proposed openstack/keystone-specs: HMAC signature based token
ayoungstevemar, just that I have a change that depends on that one, and it is easier if it is merged than having to keep rebasing22:19
stevemarayoung, that's fine, did you get a chance to look at my other comment (re: abandoning a patch)22:19
ayoungstevemar, I need to refresh that one, and some other things, but not abandon22:20
ayoungsince the current assumes it is PEM encoded, not DER, that other one might actually break things22:20 really should be done that way22:20
stevemarokay, just saw that it was similar and wanted to call it out22:20
*** afazekas has quit IRC22:23
ayoungyeah...different issue.  But...I think I want to drive on to getting rid of tokens all together.  I think we can do it.22:23
ayoungI need to think through some corner cases22:23
morganfainbergatiwari, thanks for understanding my view on that spec.22:25
atiwarimorganfainberg, thanks for raising that22:25
atiwaribut now it is true non persistent22:25
morganfainbergatiwari, yeah it's not a bad idea, i just want to make sure we're not repeating the same issues we have today22:25
morganfainbergcool i'll take another look at it shortly.22:26
atiwarigreat thanks22:26
atiwariI am sure there are places to improve which I think we can do.22:28
atiwariayoung,  appreciate a review on HMAC signature based token please22:29
*** gokrokve has quit IRC22:29
*** gokrokve has joined #openstack-keystone22:29
*** timcline has quit IRC22:34
*** timcline has joined #openstack-keystone22:35
*** thedodd has quit IRC22:36
*** timcline has quit IRC22:37
*** timcline has joined #openstack-keystone22:38
*** atiwari has quit IRC22:40
*** topol has quit IRC22:40
*** atiwari has joined #openstack-keystone22:43
openstackgerritOpenStack Proposal Bot proposed openstack/oslo.policy: Updated from global requirements
*** atiwari has quit IRC22:46
*** marg7175_ has joined #openstack-keystone22:49
*** marg7175 has quit IRC22:49
*** gordc has quit IRC22:51
*** atiwari has joined #openstack-keystone22:52
openstackgerritMerged openstack/python-keystoneclient: Add data to example data
*** jaosorior has quit IRC23:02
*** gordc has joined #openstack-keystone23:02
*** spandhe has quit IRC23:02
*** timcline has quit IRC23:03
*** jamielennox|away is now known as jamielennox23:05
*** diegows has joined #openstack-keystone23:10
jamielennoxmorganfainberg: i can only guess with that middleware region_name bug that they must have multiple keystones in multiple regions and they want to do things like validate against one in a specific region23:10
*** thedodd has joined #openstack-keystone23:10
*** thedodd has quit IRC23:10
jamielennoxmorganfainberg: interesting but maybe23:10
openstackgerritBob Thyne proposed openstack/keystonemiddleware: Add Endpoint Enforcement to Keystonemiddleware
*** spandhe has joined #openstack-keystone23:11
dolphmlbragstad: tried to deploy your AE tokens change directly from gerrit and discovered that you need ansible 1.9 to do that (or just use raw commands in 1.8) ... 1.9 is still in dev :(23:14
*** joesavak has quit IRC23:14
ayoungmorganfainberg, OK, so while I am all for Kerberos and X509, I can accept that they are too much infrastructure for some people.  And since we don't want people passing passwords to Nova, glance, etc.... I guess the only way we could kill tokens (ye kill tokens) and still do remote auth ourselves is with some sort of home-baked PKI?  Signed requests?23:15
jamielennoxhey, this one is not super important but a really easy client review - given release is soon:
* jamielennox goosebumps23:15
bknudsonwasn't there just a release of keystoneclient?23:16
ayoungjamielennox, home-baked PKI?  Yeah, me too.23:16
ayoungI just can't think of a way around it23:17
jamielennoxbknudson: oh? morganfainberg's done it?23:17
openstackgerritMerged openstack/keystone: Change oslo.serialization to oslo_serialization
dolphmbknudson: 1.1.0 was released today23:17
morganfainbergbknudson, i haven't sent the announcement email23:17
ayoungit would have to be like SSH:  copy the public key up to keystone23:17
ayoungjamielennox, any others on the short list23:17
morganfainbergbknudson, yep 1.1.023:18
morganfainbergjamielennox, sorry!23:18
bknudsonof course, nothing stopping morganfainberg from releasing again tomorrow or later today.23:18
jamielennoxok - there's this one left with a star on middleware:
jamielennoxmorganfainberg: nah - mentioned it wasn't an important one23:18
bknudsonhave we decided that bugs, blueprints, and docs aren't required for middleware or client?23:19
morganfainbergbknudson, most of the ones i've been pushing through have bugs attached23:20
morganfainbergbknudson, and yes we need bugs and bps23:20
morganfainbergjamielennox, ^23:20
morganfainbergmakes it *really* hard to write up release notes without them23:20
jamielennoxbknudson: that one is deserving of a blueprint that's a bit longer running23:20
bknudsonwhere does the README stuff on pypi come from?
openstackgerritMerged openstack/keystone: Change oslo.messaging to oslo_messaging
bknudsonwould be nice to update it for v3.23:22
morganfainbergbknudson, sphinx23:23
morganfainbergi think23:23
morganfainbergi also want to ditch: This code is a fork of Rackspace’s python-novaclient which is in turn a fork of Jacobian’s python-cloudservers. python-keystoneclient is licensed under the Apache License like the rest of OpenStack.23:23
openstackgerritMerged openstack/keystonemiddleware: Updated from global requirements
openstackgerritMerged openstack/keystonemiddleware: Remove custom string truth handling
bknudsonah, it just uses
morganfainbergaha so it does23:24
bknudsonI'll put it on my list.23:25
morganfainbergbknudson, rebase issue23:26
morganfainbergbknudson, the whole chain should be easy rebase/reapprove though23:26
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Turn our auth plugin into a token interface
bknudson got the bird!23:26
bknudsonI hate that thing.23:26
bknudsonwill work on it when I get home.23:26
jamielennoxayoung, stevemar: added a blueprint to can you reaffirm?23:27
ayoungPatch in Merge Conflict  jamielennox23:27
*** EmilienM is now known as EmilienM|afk23:28
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Turn our auth plugin into a token interface
jamielennoxayoung: i think it's been in merge conflict for a while...23:29
openstackgerritMerged openstack/keystonemiddleware: fallback to online validation if offline validation fails
*** bknudson has quit IRC23:31
jamielennoxgoing to go MIA for a couple of hours, thanks for the reviews - middleware is cleaning up nicely23:34
morganfainbergjamielennox, so how important is the plugin one for the release today?23:35
morganfainbergjamielennox, as in... would it be awful to wait until march?23:35
jamielennoxmorganfainberg: I kind of want to push the approach ASAP and look at the oslo.context integration particularly - however it's not completely useful till i figure out how to serialize all this stuff23:36
jamielennoxdid you have a look at the bp?23:36
morganfainbergjamielennox, i have glanced at it23:36
morganfainbergjamielennox, i'm going to push this release as soon as the last couple things merge23:37
morganfainbergjamielennox, we can get this rolling in 2 weeks or so when march rolls around23:37
morganfainbergshould be early enough to meet the agenda.23:37
jamielennoxmorganfainberg: ok - let's aim for start of march23:37
morganfainbergjamielennox, cool23:37
jamielennoxmorganfainberg: i want to look at putting the service token into oslo.policy - and this is the first step23:37
morganfainbergsounds good.23:37
jamielennoxalright - gotta run for a bit23:38
*** henrynash has quit IRC23:38
*** gordc has quit IRC23:40
ayoungjamielennox, in KC tests, when I do a token validate, where does it get the body to stick with the UUID/hash of the PKI token?23:44
ayoungI think the data from the validate call is missing something, but I can't seem to find where it is set.23:45
ayoung{u'access': {u'token': {u'issued_at': u'2010-01-01T00:00:10.000123Z', u'expires': u'2020-01-01T00:00:10.000123Z', u'id': u'ba6fcfb2f7db58d0b902d7457e5894c5'}, u'user': {u'id': u'user_id1', u'roles': [{u'name': u'role1'}, {u'name': u'role2'}], u'name': u'user_name1', u'tenantName': u'tenant_name1', u'tenantId': u'tenant_id1'}}}23:47
ayoungjamielennox, token_info looks like ^^23:48
ayoungthere should be a deliberate tenant section under the token23:48
*** dimsum__ has quit IRC23:54
*** dimsum__ has joined #openstack-keystone23:55
*** dimsum__ is now known as dims23:57
*** dims is now known as Guest7024723:58
*** Guest70247 has quit IRC23:58
