Wednesday, 2015-02-25

*** lhcheng_ has quit IRC00:00
*** abhirc_ has quit IRC00:00
*** abhirc has joined #openstack-keystone00:01
dolphmdstanek: i've seen it more the second way00:01
*** lhcheng has joined #openstack-keystone00:03
*** abhirc has quit IRC00:06
jamielennoxgyee: thanks for that00:07
*** pdesai has joined #openstack-keystone00:13
gyeejamielennox, no problem00:15
*** david-lyle is now known as david-lyle_afk00:25
*** henrynash_ has joined #openstack-keystone00:26
*** ChanServ sets mode: +v henrynash_00:26
*** henrynash has quit IRC00:29
*** henrynash_ is now known as henrynash00:29
openstackgerritMerged openstack/keystone: Rename test_content_types  https://review.openstack.org/158854 00:33
*** pdesai has quit IRC00:33
*** nkinder has joined #openstack-keystone00:33
openstackgerritMerged openstack/keystone: Rename test_keystoneclient*  https://review.openstack.org/158856 00:34
*** mattfarina has quit IRC00:38
*** dims__ has joined #openstack-keystone00:40
*** jaosorior has quit IRC00:41
*** dims has quit IRC00:42
*** _cjones_ has quit IRC00:51
openstackgerritMerged openstack/keystonemiddleware: Separate exceptions into their own file  https://review.openstack.org/157277 00:55
openstackgerritMerged openstack/keystonemiddleware: Extract SigningDirectory into file  https://review.openstack.org/157278 00:55
jamielennoxstevemar: i caught up to your +2s on the split auth_token middleware reviews03:00
stevemarjamielennox, \o/03:00
*** markvoelker has quit IRC03:01
*** alex_xu has quit IRC03:10
*** alex_xu has joined #openstack-keystone03:13
*** devlaps has joined #openstack-keystone03:14
*** jamielennox is now known as jamielennox|away03:22
openstackgerritwanghong proposed openstack/keystone: move region and service exist checks into manager layer  https://review.openstack.org/141977 03:24
*** jamielennox|away is now known as jamielennox03:33
*** hogepodge has quit IRC03:34
openstackgerritwanghong proposed openstack/keystone: remove useless nocatalog tests of endpoint_filter  https://review.openstack.org/144946 03:36
*** hogepodge has joined #openstack-keystone03:39
openstackgerritwanghong proposed openstack/keystone: apply endpoint_group filters on token catalog  https://review.openstack.org/144187 03:39
*** devlaps has quit IRC03:40
*** sacharya has joined #openstack-keystone03:41
morganfainbergstevemar, about to rebase the other notification ones.03:45
*** sacharya has left #openstack-keystone03:45
openstackgerritMorgan Fainberg proposed openstack/keystone: Add CADF notifications for trusts  https://review.openstack.org/151867 03:49
*** dims has joined #openstack-keystone03:49
*** dims has quit IRC03:54
morganfainberghmm04:02
morganfainbergnot sure how to handle https://review.openstack.org/#/c/156905/4/keystone/notifications.py 04:02
morganfainbergi *guess* we could move this into a context manager?04:03
morganfainbergthat fires notification for success or failure if an exception is raised?04:03
morganfainbergbut that feels weird04:03
morganfainbergstevemar, ^ cc04:03
openstackgerritwanghong proposed openstack/keystone: make trust manager raise formatted message exception  https://review.openstack.org/149550 04:03
stevemarmorganfainberg, yep, looking (and eating / watching tv)04:03
stevemarmorganfainberg, why is it weird?04:04
stevemarexception is fired off if it fails04:04
*** abhirc has quit IRC04:04
morganfainbergi guess it would work in the __exit__04:05
stevemari thought we were going to do a try/catch to handle the failures04:05
morganfainbergit feels like we're going to run into similar issues as with the decorator04:05
morganfainbergwith notification.Audit.created(args):04:05
morganfainberg  do thing04:06
*** markvoelker has joined #openstack-keystone04:06
*** harlowja_ is now known as harlowja_away04:06
morganfainbergif it has an exception i guess it could just fire off as a FAILED instead of a SUCCESS04:06
*** sluo_wfh has joined #openstack-keystone04:08
morganfainbergstevemar, i'm trying to avoid needing to do try: thing: except:04:09
morganfainbergand having to put the same exact notify code in both places.04:09
morganfainbergi guess maybe try except finally?04:09
morganfainbergbut doesn't a context manager make more sense then?04:09
stevemaras mentioned earlier, the failure notifications are add-ons, the regular notifications didn't do that04:10
openstackgerritwanghong proposed openstack/keystone: use tokens returned by delete_tokens to invalidate cache  https://review.openstack.org/153501 04:11
*** sluo_wfh has quit IRC04:15
morganfainbergstevemar, something like: http://paste.openstack.org/show/181600/ 04:16
stevemarmorganfainberg, agree to the try/except/finally stuff04:17
morganfainbergso we don't need to duplicate it everywhere context seems to be the right approach04:17
stevemarmorganfainberg, so make the change to notifications.py to use contextmanager, but in the manager classes they'll call `with blah`04:19
morganfainbergstevemar yes.04:19
morganfainbergstevemar, seeing if this works as I think it'll work if it does it becomes easy to make this all happy.04:21
*** sluo_wfh has joined #openstack-keystone04:23
stevemarmorganfainberg, i could rework some of the authN audit events to do the same thing04:26
morganfainberghmm. ok this isn't working like i expect it to.04:26
morganfainbergi need to test @classmethod + contextlib04:26
morganfainbergmight do some silly things04:26
lbragstadok, I have a dumb question for all my smart Keystone friends...04:32
lbragstadwhere in the world is tenant_bar declared https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_v2.py#L210 ?04:32
* lbragstad sits in the corner wearing the Dunce cap04:33
*** himangi has quit IRC04:33
jamielennoxlbragstad: load_fixtures in unit/core.py04:36
lbragstadjamielennox: ahhh, gotcha04:39
*** sluo_wfh is now known as sluo_laptop04:44
lbragstadjamielennox: thanks!04:47
jamielennoxlbragstad: np, i know that one cause i searched for it for ages once04:47
lbragstadjamielennox: same.. I've been grepping like crazy04:48
stevemarlbragstad, yep there are quite a few things in the tests that are magically setup from unit/core.py04:48
lbragstadstevemar: it looks like it04:48
stevemarthere is some crazy inheritance in the tests04:48
stevemarprobably not all that good04:48
lbragstadstevemar: well, the funny thing is that when you work in the test_v3* stuff you get really used to just following the restful test case04:49
lbragstadbut https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_v2.py#L32 doesn't inherit anything04:50
lbragstadat least not that I am aware of,04:50
lbragstadbut yet it has class variables that are not created within the test module04:50
*** krtaylor has quit IRC04:51
morganfainbergstevemar, this might actually look better04:56
morganfainberg        with notifications.Audit.created(self._SERVICE, service_id, initiator):04:56
morganfainberg            return self.driver.create_service(service_id, service_ref)04:56
stevemarlbragstad, i think the restful test cases (rest.py) even leverage core.py too?04:57
lbragstadstevemar: they probably do,04:58
stevemarmorganfainberg, err, feels weird to have a return statement in the with04:58
morganfainbergstevemar, it works though :P)04:58
lbragstadstevemar: maybe it's because there is more data created in each v3 test versus all up front?04:58
*** krtaylor has joined #openstack-keystone05:03
*** krtaylor has quit IRC05:04
*** krtaylor has joined #openstack-keystone05:09
morganfainbergstevemar this is kind of a mess.05:17
morganfainbergstevemar, is it a big deal to punt on the failure outcomes until later on?05:18
morganfainbergbecause there is *yet another* reason this type of magic stuff doesn't work (we don't emit certain types of updates in some cases because we did a disable instead of an update)05:18
morganfainbergit's...05:18
morganfainbergwonky05:18
stevemarmorganfainberg, punt on it05:26
morganfainbergwill comment that it needs some more rethinking and we should address it outside of the scope of this fix.05:26
stevemarfine with me05:26
stevemarlike i said, the important part was parity with what existed in juno05:27
stevemara deployer can just switch notifitcation_format to 'cadf' in config, and they'll see the exact same stuff in ceilometer, and in resource_info key of the payload05:28
stevemarthere will be more stuff too, and they can choose to consume it05:28
morganfainbergstevemar, ok commented05:28
morganfainbergand tossed a -1 on it05:29
stevemarmorganfainberg, is keystone's service id made available anywhere easily? or just catalog_api.get_service()05:29
morganfainbergotherwise dstanek had some questions on it, so i answered them, not sure if this needs a new patchset to address anything though05:29
morganfainbergstevemar, hmm... uh, i think it's only in the service catalog05:29
stevemarmorganfainberg, just something i was thinking about adding to the cadf payload05:31
*** lhcheng has joined #openstack-keystone05:45
*** browne has joined #openstack-keystone05:48
*** himangi has joined #openstack-keystone05:58
*** browne has quit IRC06:00
openstackgerritSteve Martinelli proposed openstack/keystone: Get initiator from manager and send to controller  https://review.openstack.org/155660 06:02
*** lhcheng_ has joined #openstack-keystone06:05
*** lhcheng has quit IRC06:08
stevemarmorganfainberg, looking at https://review.openstack.org/#/c/158600 06:08
stevemardo we even need the changes to line 194 and such?06:08
morganfainbergNot sure what happens when you set initiator to {} vs None. was trying to mirror your other change somewhat.06:10
morganfainbergThe note should be updated to say "yeah this won't ever work" in either case.06:10
stevemarbut that part was only used because of the decorate06:10
stevemardecorator*06:10
stevemarwith the new emit function, it just passes in the initiator right away06:10
morganfainbergCorrect. But we aren't removing the decorator yet. (Can we this cycle?)06:11
morganfainbergSo I just was making sure nothing is broken if the decorator is still used.06:11
stevemarmorganfainberg, but you are removing the decorator06:12
stevemarin the subsequent patches06:12
morganfainbergNo. We aren't. We are removing our use. Until the decorator is deleted from the code base, it should work ;)06:13
morganfainbergIf that makes sense.06:14
morganfainbergSo it probably isn't needed.06:18
stevemarmorganfainberg, i think at that point it'll just be disabled/internal using it06:20
morganfainbergSure. Can update tomorrow.06:20
stevemarand disabled events are pretty much the same as internal, i think06:20
stevemarall they end up doing is calling the callback handler06:21
openstackgerritSteve Martinelli proposed openstack/keystone: Add CADF notifications for trusts  https://review.openstack.org/151867 06:25
*** rwsu is now known as rwsu-afk06:25
*** himangi has quit IRC06:34
openstackgerritAbhishek Kekane proposed openstack/keystone: Eventlet green threads not released back to pool  https://review.openstack.org/130824 06:42
openstackgerritwanghong proposed openstack/keystone: make response of endpoint_group API contain full url  https://review.openstack.org/151863 06:44
openstackgerritwanghong proposed openstack/keystone: add missing links for v3 OS-EC2 API response  https://review.openstack.org/151592 06:54
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: WIP - Add service provider CRUD  https://review.openstack.org/159018 06:59
*** stevemar has quit IRC07:10
*** stevemar has joined #openstack-keystone07:10
*** ChanServ sets mode: +v stevemar07:10
openstackgerritSteve Martinelli proposed openstack/python-keystoneclient: WIP - add support to samlize a token  https://review.openstack.org/159022 07:12
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient-kerberos: Updated from global requirements  https://review.openstack.org/155584 08:47
ccardstevemar: did you get a chance to look at my issue?08:48
*** ekarlso has joined #openstack-keystone08:52
marekdccard: i think he is asleep now.08:53
marekd~4 a.m. at stevemar's clock08:53
*** jistr has joined #openstack-keystone08:53
*** himangi has quit IRC08:53
ccardmarekd: ok. I think I have a work round anyway - "openstack role add --project <project_id> --user <user_id> _member_" works, presumably because the ids are unique across all domains, so the domain is not required to look up the project and user.08:58
openstackgerritSteve Martinelli proposed openstack/keystone: WIP - add cadf notifications for oauth  https://review.openstack.org/159045 09:04
openstackgerritAlistair Coles proposed openstack/keystonemiddleware: Delay denial when service token is invalid  https://review.openstack.org/153247 09:04
*** rlt_ has joined #openstack-keystone09:11
rlt_Hello, I have set up a federated keystone for 2 regions. Is it possible to restrict access to a user to only one region ?09:14
marekdrlt_: hi. are you referring to K2K federation?09:15
*** markvoelker has joined #openstack-keystone09:16
*** stevemar has quit IRC09:16
*** markvoelker has quit IRC09:21
openstackgerritMarek Denis proposed openstack/python-keystoneclient-federation: Refactor federated authentication plugins  https://review.openstack.org/159049 09:25
*** henrynash has joined #openstack-keystone09:29
*** ChanServ sets mode: +v henrynash09:29
*** himangi has joined #openstack-keystone09:43
*** himangi has quit IRC10:00
rlt_marekd, no i don't know K2K federation. I just look at the blueprints.10:05
bretonis there any blogpost, doc or spec about endpoint filter exception?10:09
bretonI want to understand why one might need it10:10
*** fmarco76 has joined #openstack-keystone10:16
*** markvoelker has joined #openstack-keystone10:17
*** markvoelker has quit IRC10:22
rlt_marekd, i don't think K2K federation will answer my requirement to restrict a user to a specific region.10:25
marekdrlt_: so, what did you set up actually?10:28
marekdKeystone SP and Keystone IdP, I am guessing.10:29
marekdrlt_: btw K2K == Keystone 2 Keystone10:29
*** MasterPiece has joined #openstack-keystone10:32
rlt_First platform : One keystone (connect to LDAP) and one Horizon. Second Platform (RegionOne): Neutron, nova, glance...without keystone and horizon. Third Platform (RegionTwo): Neutron, nova, glance...without keystone and horizon.10:34
marekdrlt_: so you have one keystone only. and your users authenticate with that keystone?10:35
rlt_Yes in relation with LDAP.10:35
marekdrlt_: ok10:36
marekdyou mentioned you had set up federation10:36
marekdcan you tell more how did you do that?10:36
*** ioram has joined #openstack-keystone10:36
rlt_Ok, I made a mistake by using the word "federation"10:39
rlt_Yes of course.10:39
rlt_On my keystone, I defined two regions, two project "services" and two users this service on the LDAP. I set the endpoints per region. And on services (neutron nova ...) present on both platforms, they communicate with the only keystone (keystone authtoken)10:46
rlt_I don't know if i'm clear10:47
*** mzbik has quit IRC10:51
samueldmqmorning : )10:52
samueldmqhenrynash, hi, you around ? (domain-specific backends)10:54
henrynashsamueldmq: yep10:54
samueldmqhenrynash, I'm being caught at https://github.com/openstack/keystone/blob/master/keystone/identity/core.py#L450-L459 10:55
samueldmqhenrynash, is self.driver always mapped to CONF.identity.default_domain_id?10:56
henrynashsamueldmq: you’re probably executing a test that creates a new domain10:56
samueldmqhenrynash, yes10:56
henrynashsamueldmq: running under LDAP not configured for multi-domain10:56
samueldmqhenrynash, and it does create the domain?10:57
henrynashyou’ll need to add some stubs in test_backend_ldap….hold on let me find you an example10:57
*** amakarov_away is now known as amakarov10:57
samueldmqhenrynash, shouldn't I have already an error in the instantiation of the domain?10:57
henrynashsamueldmq: is it a new test?10:57
samueldmqhenrynash, ok please10:58
samueldmqhenrynash, yes let me find it for you10:58
samueldmqkeystone.tests.unit.test_backend_ldap.DomainSpecificSQLIdentity.test_delete_is_domain_project10:59
samueldmqhenrynash, on this patch https://review.openstack.org/#/c/143763/ 10:59
samueldmqhenrynash, a little of background ..... when I update a is-domain project, I need to update its correspondent domain as well..11:01
samueldmqhenrynash, so we disable that project, and consequently the correspondent domain ... and we get that11:02
amakarovhenrynash, good day to you! I've done a little research on the cross-DC assignment sync and want to start working on it. As I see, we'll have the very same problem in revocation and other delegation stuff. My question: is it a spec, bug or blueprint?11:02
*** aix has joined #openstack-keystone11:02
henrynashsamueldmq: sorry, not sure I understand “update its corresponding domain as well”….I thought we were removing the domain table?11:03
samueldmqhenrynash, yes but not in this step11:03
samueldmqhenrynash, this patch only reflects domain operations on is_domain projects, and vice versa11:04
samueldmqhenrynash, the next patches in the chain will migrate existing domains and drop the table11:04
samueldmqmakes sense?11:04
henrynashamakarov: so it definitely isn’t a bug!  And depending on the answer, it could be a spec, bp or just a best-practices guide11:04
henrynashsamueldmq: ah, ok11:04
samueldmqhenrynash, if I understood .... I created a domain without specifying its driver, right?11:05
amakarovhenrynash, well, let it be a blueprint then11:05
samueldmqhenrynash, and then it got mapped to the default driver ...11:06
samueldmqright?11:06
henrynashsamueldmq: so I can’t quite work out what’s going on (and not entirely sure what you’ve changed in the test code)….but remember, if you don’t have domain_specific enabled, then we only support the default domain11:06
samueldmqhenrynash, that's a good tip ... I'll investigate a bit more and go back to you if I have any additional question11:08
samueldmqhenrynash, dont intend to take your time (it's expensive!!!) :-)11:09
samueldmqthx11:09
henrynashsamueldmq: np….sorry, a bit buried right now!11:09
samueldmqhenrynash, sure np11:09
*** henrynash has quit IRC11:11
*** rushiagr_away is now known as rushiagr11:12
*** markvoelker has joined #openstack-keystone11:18
*** dims has joined #openstack-keystone11:18
bretonmorganfainberg: would you mind if I steal your work on squashing migrations?11:21
*** markvoelker has quit IRC11:23
*** karimb has quit IRC11:33
*** henrynash has joined #openstack-keystone11:37
*** ChanServ sets mode: +v henrynash11:37
*** EmilienM is now known as EmilienM|afk11:39
openstackgerritAlexander Makarov proposed openstack/keystone: Redis token backend  https://review.openstack.org/150844 11:45
*** karimb has joined #openstack-keystone11:50
samueldmqhenrynash, ping - I think there is a bug in that bit ... let me give you one situation, and you tell me how it's supposed to work, ok?11:51
henrynashsamueldmq: sure11:52
samueldmqhenrynash, how fast ... :p11:52
samueldmqhenrynash, ldap for default domain for identity11:52
samueldmqhenrynash, sql for resource11:52
henrynashok11:52
samueldmqi) you create a new domain on resource11:52
samueldmqii) list_users(domain_x) (only in resource)11:53
samueldmqsuppose domain_specific_drivers are enabled11:53
samueldmqhow this should work? domain_x is only on resource and has no users...11:54
samueldmqon resource core, _select_identity_driver will try to find an identity driver for domain_x .... but actually there is no identity driver for it11:55
henrynashi guess if you never call any identity methods… or none of the manager calls you make do…but that’s hard11:55
henrynashsamueldmq: so a common situation is that you have specific domain configs set up for some number of domains and then SQL for the default domain and any other domains11:56
samueldmqhenrynash, yep ... but any identity operation for a non-identity domain will fail, when selecting the driver11:57
henrynashsamueldmq: what do you mean by “non-identity domain”?11:57
samueldmqhenrynash, a domain only created on the resource backend ... that dont map to a specific driver11:58
henrynashsamueldmq: Ok, so whether such a situation will work will still depend on how you have configured the ldap identity drivers...11:59
henrynashsamueldmq: so look at class MultiLDAPandSQLIdentity in test_backend_ldap11:59
samueldmqhenrynash, looking12:00
*** jaosorior has quit IRC12:01
henrynashsamueldmq: as long as you have the identity driver assigned to SQL in the general keystone.conf, and have some number of named domains with their own ldap configs…then multiple domains are supported (since they’ll all be handled by the sql driver)12:02
samueldmqhenrynash, hmm.. makes sense12:03
samueldmqso the default domain is mapped to sql12:03
henrynashsamueldmq: not necessarily!12:03
henrynashsamueldmq: and domains that don’t have their own config file are mapped to SQL12:04
henrynashsamueldmq: normally, I would agree, that would usually include the default domain…but in this particular example, we also provide a specific config file for the default domain12:04
henrynashsamueldmq: (typo) ANY domains that don’t have their own config file are mapped to SQL12:05
samueldmqhenrynash, and if we have not a sql identity? we still create domains in the resource backend, and they will fail to list_users, etc12:05
henrynashsamueldmq: …or you have to have the domains have their own config file…..hard today in a test…but easier when i get my domain config in the database patch it (‘cause a test could create a config for the new domain on the fly)12:07
samueldmqhenrynash, yes .. but what I mean is to forbid the creation of new domains if you don't have any sql identity.. because we won't be able to handle identity for that domain12:08
samueldmqhenrynash, makes sense?12:08
henrynashsamueldmq: so normally any tests that today fail because of this should have an override the base class in test_backend_ldap to expect an error….but allowed to run in MultiLDAPandSQLIdentity12:08
henrynashsamueldmq: hmm, there was a patch for this a while back….can’t remember what happened to it12:09
henrynashsamueldmq: I think its a decorator you attach to tests....12:09
samueldmqhenrynash, skip_if_no_multiple_domains_support?12:10
henrynashsamueldmq: yes…not sure how it works...12:10
samueldmqhenrynash, already using it :p12:11
henrynashsamueldmq: and whether it allows the tests to run in environments where they CAN run, like MultiLDAPandSQLIdentity12:11
openstackgerritAlexander Makarov proposed openstack/keystone: Correct initialization order for logging to use eventlet locks  https://review.openstack.org/154915 12:11
*** aix has quit IRC12:11
samueldmqhenrynash, I'll dig it a bit more ... and submit a test exposing a bug (if there is one)12:12
henrynashsamueldmq: I’ll try and find where I did the test overriding in a recent patch (it might be that I should have used the decorator)12:12
henrynashsamueldmq: here you go, this is in one of the data driven test patches: https://review.openstack.org/#/c/154302/12/keystone/tests/unit/test_backend_ldap.py 12:14
samueldmqhenrynash, hmm ... but looking at the code again .. I still think there is a bug12:15
samueldmqhenrynash, now I think I can explain well.. are you ready to the battle?12:15
henrynashsamueldmq: ok…you have the floor12:15
samueldmqhenrynash, 3 2 1 ..12:15
samueldmqhenrynash, ldap for domain default + sql for domain1 (both specified in domain specific config files)12:16
henrynashsamueldmq: ok12:16
samueldmq(this is what we have on that test DomainSpecificLDAPandSQLIdentity)12:16
samueldmq1) create domain212:17
henrynashsamueldmq: and SQL in the main keystone.conf or not?12:17
samueldmqlet's say no12:17
henrynashok12:17
samueldmqhenrynash, 2) after creating domain2: list_users(domain2)12:17
henrynashcreating new domains will fail12:18
samueldmqok... so sql in keystone.conf :p12:18
henrynashok, should now work12:18
samueldmqstep 2 will call _select_identity_driver(..), right?12:18
henrynashyes12:18
samueldmqwhat should it return?12:18
henrynashit should return the sql driver12:19
samueldmqthe driver for domain1 (the sql  one)12:19
*** markvoelker has joined #openstack-keystone12:19
samueldmqhenrynash, great! it does not!12:19
samueldmqhenrynash, look at _select_identity_driver in identity core12:19
henrynashahh, well to be specific you can’t have TWO sql drivers12:19
henrynashyou can’t have an sql driver in keystone.conf AND one for domain112:19
henrynashyou should just have SQL in keystone.conf and any ldap drivers in their own config files12:20
samueldmqhenrynash, the default driver (self.driver) in identity manager12:21
samueldmqhenrynash, it always maps to what is set in keystone_conf12:21
samueldmq:12:21
samueldmq?12:21
henrynashyes12:22
samueldmqhenrynash, so lets step back12:22
henrynashsamueldmq: remember there are two “defaults” you could mean12:22
henrynashsamueldmq: there is the “default domain” and the “default driver”12:23
henrynashsamueldmq: the “default driver” is the one specified in keystone.conf12:23
henrynashsamueldmq: the “default domain”  may or may not be using the “default driver"12:24
*** markvoelker has quit IRC12:24
samueldmqhenrynash, hmmm.. great, this makes me think a bit more12:24
samueldmqhenrynash, well.. you won12:24
samueldmqhenrynash, but just the round 112:24
samueldmqhenrynash, I'll mull it a bit more12:24
henrynashsamueldmq: ok, round 212:24
raildoFIGHT!12:25
henrynashsamueldmq: I’ll wait for the next…:-)12:25
samueldmqhenrynash, wait .. need to prepare myself, I am injured12:25
henrynashsamueldmq: ok!12:25
samueldmqhenrynash, yep .. will be back soon12:25
*** dims has quit IRC12:27
*** henrynash has quit IRC12:29
*** henrynash has joined #openstack-keystone12:36
*** ChanServ sets mode: +v henrynash12:36
samueldmqhenrynash, ready?12:38
henrynashok12:38
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: WIP: Exposing bug in domain-specific - Round 2  https://review.openstack.org/159099 12:39
samueldmqhenrynash, ^12:39
samueldmqhenrynash, this fails with the error I have now12:40
henrynashsamueldmq: and it should12:40
henrynashsamueldmq: since there is no driver that can handle multiple domains that is not assigned to a specific domain12:41
samueldmqhenrynash, but I should get an exception when creating the new domain, no?12:41
samueldmqhenrynash, and not be allowed to create it and then not being able to make identity calls on it ...12:42
henrynashsamueldmq: now maybe that’s true...12:42
samueldmqhenrynash, :-)12:42
*** aix has joined #openstack-keystone12:43
henrynashsamueldmq: if we have implemented code in create domain to fail if there are no backends in identity that can handle it (I didn’t write that bit, it was added later)….then I’d agree, it should fail12:43
samueldmqhenrynash, yes ... exactly12:44
henrynashsamueldmq: yeah, i just looked at the check in create domain….and it’s too simple12:45
samueldmqhenrynash, if the default driver is sql or not, is that?12:46
henrynashsamueldmq: ahh, but we have kind of a chicken and egg problem12:46
henrynashsamueldmq: you may need to create a domain before adding the domain specific config to it (you will certainly need to with my patch of storing the configs in a database)12:46
henrynashsamueldmq: and you would need to in the file case too….if you made the check REALLY accurate12:47
samueldmqhenrynash, sure .... first I'll submit a bug ok?12:47
henrynashsamueldmq: I’m not sure it can be fixed completely12:48
henrynashsamueldmq: in fact, it can't12:48
henrynashsamueldmq: we can’t fix the general case….since you need to create a domain before assign configs to it12:49
henrynashsorry off line for a bit, back on later12:54
*** henrynash has quit IRC12:54
*** jaosorior has joined #openstack-keystone12:55
openstackgerritAlexander Makarov proposed openstack/keystone: Correct initialization order for logging to use eventlet locks  https://review.openstack.org/15491513:00
*** EmilienM|afk is now known as EmilienM13:03
*** abhirc has joined #openstack-keystone13:03
*** henrynash has joined #openstack-keystone13:15
*** ChanServ sets mode: +v henrynash13:15
samueldmqhenrynash, since you need to create a domain before assign configs to it ....13:19
samueldmqhenrynash, create the domain and assign the config in the same call ... if there is no config, rollback13:19
*** markvoelker has joined #openstack-keystone13:20
henrynashsamueldmq: so two problems with that13:20
henrynashsamueldmq: how would you do that in the current situation when the configs are stored in a file13:20
henrynashsamueldmq: (2) unfortunately people didn’t want the config to be part of the domain entity, rather to be “attached” to the domain entity13:21
henrynashsamueldmq: so both makes doing what you suggest hard13:21
samueldmqsure ...13:22
samueldmqbut in the create_domain call, you i) create the entity ii)check for the file iii) if not specific file, check if it can be mapped in the default_driver13:22
samueldmqif iii fails, delete the domain entity and then return the exception still in the create_domain call13:23
*** dims has joined #openstack-keystone13:24
henrynashsamueldmq: so you *could* do that, seems to be a bit over the top for me…..13:24
*** markvoelker has quit IRC13:25
henrynashsamueldmq: if you have enabled multi_domain_configs, then I think we should accept that there may be a gap between creating a domain and configuring the domain configs…..I don’t see any harm in practice for that…..we just have to be cleverer in our testing13:25
*** MasterPiece has quit IRC13:26
samueldmqhenrynash, maybe just enforce that, if multi_domain_configs are enabled, the default driver MUST be sql13:27
samueldmqhenrynash, makes sense to me as well13:27
*** ljfisher has joined #openstack-keystone13:27
samueldmqhenrynash, so any created domain will always be mapped13:28
henrynashsamueldmq: so I’m not sure we can insist on that either…(for production), some people create all their service users in a special domain (that is SQL mapped) and everything else is LDAP13:28
samueldmqhenrynash, this makes us to be happy because no one is not hitting this problem13:29
samueldmqhenrynash, but the problem exists ... if you create a domain and can't even list_users, there is a problem in there that need to be fixed13:30
samueldmqhenrynash, that's my opinion, we can get other views over this13:30
henrynashsamueldmq: not necessarily….maybe you are just about to define the config settings for it….nobody knows about it yet (and list domains is a cloud admin thingy) so why is it a problem?13:31
samueldmqhenrynash, keystone is configurable, and in one of its possible configs (the one showed in the tests) it allows you to create a domain but do not use it ...13:32
samueldmqhenrynash, this is independent of the fact of someone really using it13:33
samueldmqhenrynash, if someone does, he/she will hit the bug13:33
henrynashsamueldmq: well, they will find they can’t use it…it is still being onboarded13:34
henrynashsamueldmq: that is not an unusual situation13:34
samueldmqhenrynash, so you create, everything is ok so far13:35
samueldmqhenrynash, until the moment you try to use it13:35
*** MaikZ has joined #openstack-keystone13:35
henrynashsamueldmq: you need to think about this as to in reality how it would be used in practice13:35
henrynashsamueldmq: onboarding a customer into a domain will be a multi step process, maybe even carried out by different people13:36
MaikZHi, I'm having an issue with Keystone where even though multiple processes are running, only one is handling requests. I'm guessing it's unintentionally blocking on a shared resource - any ideas?13:37
*** gordc has joined #openstack-keystone13:37
samueldmqhenrynash, yes .. that's not something that affect final users .. but cloud admins instead, I agree13:37
henrynashsamueldmq: you’ll create the domain, set up the configs, try some tests to see if the ldap connect is working, finally add a user or two etc.13:37
henrynashsamueldmq: so I, personally, don’t see it as an issue that you can’t use the domain until you have set up a config that allows it to be used (if your environment is one that restricts things in that way)13:38
samueldmqhenrynash, hmm... I think I got your point13:39
samueldmqhenrynash, I have a cloud running with domain specific backends13:39
samueldmqhenrynash, I want to add a new domain and use the config file (today)13:40
henrynashok13:40
samueldmqhenrynash, you may want to i) create the domain and then ii) add the file, before reloading backends13:40
henrynashthat’s exactly what you have to do13:40
samueldmq'you can’t use the domain *until* you have set up a config that allows it to be used'13:40
henrynashcorrect13:41
samueldmqhenrynash, but why not the reverse, i) first you add the config file defining how that domain will be connected and then ii) since you have everything that is necessary, create the domain13:41
samueldmqi) is what is you are saying, ii) is me13:41
samueldmqoops, no, i and ii are me13:42
samueldmqmine is the reverse of yours, is it clear? (sorry)13:42
henrynashso when you restart the backends, it will read the file and say “Hmm I found a domain config file called ‘My New Domain”….what do I do with that…there is no domain of that name"13:42
samueldmqso, when you find configs, you create domains for them13:43
samueldmqdoesnt require the admin to go there and create the domain ..13:44
henrynashno, but you check the domains are valid….and if you find one that is not, you ignore it13:44
henrynashignore the file that is13:44
samueldmqso the admin has to both i) setup files and ii) create domains that match manually?13:46
henrynashyou could, change the meaning of a file, to imply creating the domain if it doesn’t exist….but you are also missing some data (e.g. description, and soon parent_id)13:46
henrynashsamueldmq: yes…which is why I am implementing the domain configs in a database....13:46
samueldmqhenrynash, yes that makes it easier to do on the fly13:47
henrynashsamueldmq: which isn’t designed to make the gap between domain creation and config creation zero…just make it all REST13:47
samueldmqyes I understand ...13:48
*** nellysmitt has quit IRC13:48
samueldmqI defend that the gap exists when you have the file but not the domain ...13:48
*** nellysmitt has joined #openstack-keystone13:49
samueldmqbut not when you have the domain and not the file, this should be avoided13:49
bretonMaikZ: how do you deploy Keystone? Got any logs?13:49
samueldmqhenrynash, I'll think about it a little bit more ... and we can possibly have someone else view :)13:51
henrynashsamueldmq: sure...13:51
samueldmqhenrynash, nice thanks13:51
henrynashsamueldmq: yw13:51
MaikZbreton: Both keystone-all and uwsgi, that was the point of my experiment. Interestingly, they have the same issue.13:51
MaikZuwsgi version is running now13:52
*** nellysmitt has quit IRC13:53
*** bknudson has joined #openstack-keystone13:53
*** ChanServ sets mode: +v bknudson13:53
bretonMaikZ: interesting. How many processes? Which version of Keystone?13:54
MaikZJuno, four to start with (probably something like 40 when/if it works)13:54
bretonalso, what makes you think that only one process is handling the request?13:56
MaikZCPU usage - of the 4 (uwsgi) or 16 (eventlet) Keystone processes, one is stuck at 98-point something %, the rest at 0%13:57
MaikZRequests are being generated by jmeter, v3 token create13:58
MaikZWhat the...I'm not sure what change did it, but the uwsgi version is now spreading load as expected14:04
*** abhirc_ has joined #openstack-keystone14:09
*** abhirc has quit IRC14:11
*** abhirc_ has quit IRC14:11
*** jdennis has quit IRC14:12
*** richm has joined #openstack-keystone14:12
openstackgerrithenry-nash proposed openstack/keystone: Add support for whitelisting and partial domain configs  https://review.openstack.org/15867914:14
*** dims has quit IRC14:17
*** dims has joined #openstack-keystone14:17
*** nkinder has quit IRC14:18
openstackgerrithenry-nash proposed openstack/keystone: Add support for whitelisting and partial domain configs  https://review.openstack.org/15867914:20
*** markvoelker has joined #openstack-keystone14:21
openstackgerrithenry-nash proposed openstack/keystone: Add API support for domain config  https://review.openstack.org/15875214:21
*** henrynash has quit IRC14:23
*** markvoelker has quit IRC14:26
*** mattfarina has joined #openstack-keystone14:30
*** jdennis has joined #openstack-keystone14:31
*** radez_g0n3 is now known as radez14:32
*** joesavak has joined #openstack-keystone14:32
*** bknudson has quit IRC14:33
*** bknudson has joined #openstack-keystone14:37
*** ChanServ sets mode: +v bknudson14:37
bretonmorganfainberg: it seems that there was no migration squashing between I and J14:38
*** jdennis has quit IRC14:41
openstackgerritDavid Stanek proposed openstack/keystone: Make the default cache time more explicit in code  https://review.openstack.org/11358614:43
*** david-lyle_afk is now known as david-lyle14:48
*** jdennis has joined #openstack-keystone14:49
*** jdennis has quit IRC14:49
*** jdennis has joined #openstack-keystone14:49
*** csoukup has joined #openstack-keystone14:52
*** markvoelker has joined #openstack-keystone14:52
*** markvoelker has quit IRC14:53
openstackgerritAlexander Makarov proposed openstack/keystone: Correct initialization order for logging to use eventlet locks  https://review.openstack.org/15491514:54
*** henrynash has joined #openstack-keystone15:02
*** ChanServ sets mode: +v henrynash15:02
openstackgerritMerged openstack/keystone: Remove explicit mentions of JSON from test_v2  https://review.openstack.org/15891715:04
amakarovbknudson, greetings! Looks like I've managed to rearrange server code to class hierarchy with minimal changes but changes looks too heavy for a 1-line patch.15:08
*** openstackgerrit has quit IRC15:08
*** openstackgerrit has joined #openstack-keystone15:08
amakarovs/looks/look/15:08
bknudson1-line patch?15:08
*** nkinder has joined #openstack-keystone15:08
amakarovbknudson, Initially it was so :)15:09
bknudsonit was moving code around before and creating duplication.15:09
openstackgerrithenry-nash proposed openstack/keystone: Add API support for domain config  https://review.openstack.org/15875215:11
amakarovbknudson, agreed though the idea was just to swap setup order15:13
bknudsonamakarov: the change to pass in a function ref instead seems simple enough.15:13
bknudsonamakarov: or make the change to refactor to the classes first and then make the fix for the bug in a separate patch.15:14
amakarovbknudson, I like the second option15:15
amakarovso WIP now15:15
*** sigmavirus24_awa is now known as sigmavirus2415:24
dstanekamakarov: bknudson: what's the plan for that one?15:30
amakarovdstanek, there are 2 goals actually: 1) fix a bug when logging system uses generic locks under eventlet; 2) make it look nice and sexy15:32
dstaneki just don't want to spend too much effort on this if eventlet is going away soon anyway15:33
bknudsonin 6 months.15:33
amakarovdstanek, the first idea bknudson told me was to pass additional function to be called at a specific point in the code15:34
dstanekamakarov: cool, i'd like to see how that looks15:36
* amakarov with tears in the eyes tosses his beautiful code to /dev /null15:39
bknudsonamakarov: you can post the code to refactor separately and dry your tears.15:40
amakarovbknudson, cool :)15:40
dstanekamakarov: out of curiosity, was that code working? it looked like it was using variables that were never defined15:40
bknudsonwe need unit tests for that code... it was in keystone-all before so there was no way to test.15:41
amakarovdstanek, just loose end here and there15:41
amakarovs/end/ends/15:41
dstanekamakarov: so the server actually started OK?15:42
amakarovdstanek, that in CR? No. Fixed locally.15:42
dstanekah, ok15:42
*** rushiagr is now known as rushiagr_away15:46
*** abhirc has joined #openstack-keystone15:48
rodrigodsmorganfainberg, ping re: prevent use slash in project name patch (https://review.openstack.org/#/c/157152/), we have commented adding a possible workaround for the problem we were trying to solve15:49
*** nellysmitt has joined #openstack-keystone15:49
openstackgerritAlexander Makarov proposed openstack/keystone: Correct initialization order for logging to use eventlet locks  https://review.openstack.org/15491515:51
amakarovdstanek, ^^15:51
*** nicodemos has joined #openstack-keystone15:53
amakarovbknudson, thanks )15:53
*** stevemar has joined #openstack-keystone15:54
*** ChanServ sets mode: +v stevemar15:54
*** nellysmitt has quit IRC15:54
rodrigodsayoung, can you also take a look in https://review.openstack.org/#/c/157152/ ? We are discussing how can we avoid name clashing during domain table -> project table migration and how can we can properly scope tokens to a target after this change15:55
ayoungrodrigods, looking15:56
*** MasterPiece has joined #openstack-keystone15:56
*** ayoung is now known as ayoung-mtg15:56
ayoung-mtgrodrigods, ask me again in about 40 minutes15:57
rodrigodsayoung-mtg, ok, thanks :)15:57
dstanekrodrigods: who will be using the / to request the token? the end user?16:01
raildodstanek, yes16:02
raildoin the token request, using the API16:03
dstanekso they need to know the full hierarchy?16:03
rodrigodsdstanek, with the discarded solution yes16:04
rodrigodsbut with the one we just proposed, no16:04
openstackgerrithenry-nash proposed openstack/keystone: Add API support for domain config  https://review.openstack.org/15875216:05
dstanekrodrigods: so do you still need to prevent / in the project name?16:05
*** henrynash has quit IRC16:06
raildodstanek, no, we won't need to use the / anymore. The end user will use the name, not the full hierarchy name16:06
raildodstanek, we want to create a new API call for project scoped token request for is_domain_projects16:08
dstanekah, ok. i didn't know if i should look at that review or not16:09
rodrigodsdstanek, the code no, but we commented there with a solution for the problem16:12
openstackgerritAlexander Makarov proposed openstack/keystone: Refactor Keystone wsgi/eventlet app  https://review.openstack.org/15917216:14
openstackgerritAlexander Makarov proposed openstack/keystone: Refactor Keystone wsgi/eventlet app  https://review.openstack.org/15917216:24
*** lhcheng has joined #openstack-keystone16:26
*** rwsu-afk has quit IRC16:31
*** rushiagr_away is now known as rushiagr16:33
*** openstackstatus has joined #openstack-keystone16:42
*** ChanServ sets mode: +v openstackstatus16:42
*** rwsu has joined #openstack-keystone16:52
morganfainbergrodrigods: but today we support domain scoped tokens. How do you handle the domain scoped request?17:01
rodrigodsmorganfainberg, in the same way we do today? are you seeing any gaps in the solution?17:03
morganfainbergbreton: the squash is a 2-cycle support. In j we supported h -> j. This cycle we need to support I -> K, next cycle will be J -> L17:04
morganfainbergrodrigods: it looks like you said we would restrict this to project scoped tokens only for is_domain projects.17:04
morganfainbergAm I misreading that?17:04
rodrigodsmorganfainberg, hmm I tried to say that for is_domain projects, we would get the token by specifying only the scope and the domain (no need to specify the project itself, since the domain is the project)17:05
morganfainbergrodrigods: ah so I am misreading it. No worries17:05
rodrigodsmorganfainberg, if we specify the project, means that we do not want tokens from is_domain projects17:05
morganfainbergOh.17:06
rodrigodsraildo, ^17:06
*** markvoelker has joined #openstack-keystone17:07
morganfainbergHmm. But that doesn't solve the "how do I get a token using a domain name" issue. How do I reference a domain named X in the hierarchy somewhere. Domain names are not unique except within a hierarchy / namespace17:08
*** amakarov is now known as amakarov_away17:09
morganfainbergHaving not been picky/limiting in the past here is really biting us.17:09
*** _cjones_ has joined #openstack-keystone17:09
rodrigodsmorganfainberg, true :(17:10
rodrigodshaven't thought about this gap17:10
morganfainbergSo... I *think* we solve this in a not-as-good way. But it'll work. And I hate recommending this.17:12
raildomorganfainberg, we can forbid create a subdomain with the same name of other domain in the hierarchy?17:12
rodrigodsmorganfainberg, one option is to limit domain naming...17:12
rodrigods:)17:12
morganfainbergThat is one option. But you still can't know how to reference a domain deep in the hierarchy since there is no delimiter that is restricted17:13
rodrigodsmorganfainberg, why not?17:14
rodrigodsmorganfainberg, if names are unique...17:14
rodrigodsand we can't turn a project into a domain..17:14
morganfainbergBut domains x could be in 5 hierarchies.17:14
morganfainbergWhich one do you want?17:14
rodrigodsI meant unique across the whole cloud17:14
rodrigodslike we have today17:15
morganfainbergThat is what we have today. Yes17:15
morganfainbergok17:15
*** ljfisher has quit IRC17:15
morganfainbergso i hate to come to this conclusion but...17:16
morganfainbergi think there are 3 ways to do this17:16
morganfainberg1: what you just said, domains are unique globally17:16
morganfainberg2: we pre-calculate the hierarchy key for the domains, when you create the domain the name key is pre-calculated in a way we can do some sort of speedy lookup-y thing.17:18
morganfainbergthis also precludes starting a hierarchy in a specific location w/o knowing the parents17:19
morganfainbergi can't ask for domain HP to be the top unless it is globally unique, it is a top level, or i include <full_hierarchy>.HP17:20
rodrigodsmorganfainberg, got it17:20
morganfainberg3: we look for a way to leave the hierarchy for domains in the domain table17:20
morganfainberg3 doesn't solve the issues in the other options17:21
morganfainbergbut it does isolate the problems some.17:21
morganfainbergi don't like any of these options17:22
*** jamielennox is now known as jamielennox|away17:22
rodrigodsI liked the second one17:22
*** jistr has quit IRC17:22
rodrigodsor, it was the one I disliked less17:23
morganfainberghaha fair enough17:23
samueldmqmorganfainberg, the first one .... does it have any ux problem?17:23
raildoIf we find some clash name in the migration, we need to update the project name to <domain_name>.project_name, too?17:24
*** nellysmitt has joined #openstack-keystone17:24
morganfainbergsamueldmq, no - not really. it has the limitation that i can never name a domain "pepsi" if someone else in the cloud has a domain named "pepsi"17:24
morganfainbergraildo, it would be a lookup-key only not a rename.17:24
samueldmqmorganfainberg, well, I would go for that option, keep it consistent with we have today, and simpler17:25
samueldmqthat's what I think...17:25
morganfainbergthe best option is likely to keep domains globally unique for now17:25
morganfainbergit is easier to find a solution to that problem than to undo another change that turns out bad17:25
samueldmqmorganfainberg, ++17:25
morganfainbergand technically a reseller could just prefix domains with their name "resellerX.pepsi"17:26
morganfainbergor some other unique identifier.17:26
rodrigodsmorganfainberg, that's true17:26
rodrigodsjust afraid of some restriction that could bite us in the future again17:26
morganfainbergok so lets *start* by keeping domains globally unique17:26
morganfainbergit isn't changing any restriction17:26
morganfainbergnor changing any workflows17:26
raildook17:26
morganfainbergwe can tackle that issue in Liberty17:27
raildoI'll update the API spec about this too.17:27
morganfainbergraildo, thanks17:27
morganfainbergit should at the very least simplify some stuff17:27
rodrigodsmorganfainberg, so you agree to request project scoped tokens as we proposed17:27
morganfainbergrodrigods, let me re-read that17:27
morganfainbergi don't know about that part17:28
rodrigodsmorganfainberg, keeping domain names unique was a solution to have that solution heh17:28
morganfainbergrodrigods, right i was working through the options17:28
morganfainbergso you only get domain [dual scoped] tokens if you use the domain reference and ask for a project scoped token?17:29
*** rwsu has quit IRC17:29
morganfainbergrodrigods, that feels weird17:29
rodrigodsmorganfainberg, true, was thinking to limit to project scoped token when project scope was requested17:29
morganfainbergthis might also be a case where we just keep domain scopes isolated and don't do the dual scope thing17:30
rodrigodsmorganfainberg, and dual scoped when requested with domain scope17:30
morganfainbergand also punt the dual scope thing to liberty when we solve the domain doesn't need to be unique17:30
*** jamielennox|away is now known as jamielennox17:30
morganfainbergi don't think that is a big issue tbh17:30
morganfainbergyou will always be using a unique name if you use domain name17:31
morganfainbergso you can always issue dualscope if the resource is_domain17:31
morganfainbergeven if only project was asked for17:31
rodrigodsmorganfainberg, yes...17:31
raildomorganfainberg, sure17:31
morganfainbergso either: 1) domains are only domains - no dual project scope ever17:31
morganfainbergor 2) always issue dual scope if resource is_domain17:31
raildo217:32
rodrigodsmorganfainberg, I'd go for the second17:32
morganfainbergi don't feel strongly either direction17:32
morganfainbergboth work for me, 1 is what we have today, 2 is generally what we proposed17:32
morganfainbergat the summit17:32
morganfainbergboth work.17:32
raildothe first is more simple, but the second is more usual...17:32
rodrigodssecond is harder to implement though17:32
morganfainbergyou can always implement the first without changing anything and then we can add the dual scope as an addon17:33
morganfainbergget the whole project/domain hierarchy working then issue the dual scope17:33
rodrigodsmorganfainberg, ++17:33
morganfainbergit's the same amount of work, and you've solved all the issues with identifying a resource as _is_domain17:34
rodrigodsthanks morganfainberg, seems like we have a solution17:34
*** rwsu has joined #openstack-keystone17:34
morganfainbergbut just makes it so can initially return a "this is not a project" error, so you can be more confident about the implementation.17:34
rodrigodsand a "roadmap"17:34
morganfainbergand we can continue a number of enhancements/loosening of restrictions in the Liberty release17:35
morganfainbergthe goal is always to get a base implementation that you're happy with and build upon it17:35
rodrigodsmorganfainberg, btw, keeping domain names unique was samueldmq idea17:36
morganfainbergsure17:36
morganfainberg:)17:36
morganfainbergthanks for keeping on this stuff rodrigods, samueldmq, and raildo17:36
morganfainberglet me know when you've updated that review so i can un -2 it17:37
raildomorganfainberg, np :) let's go finish this17:37
*** gyee has joined #openstack-keystone17:38
*** ChanServ sets mode: +v gyee17:38
crinklestevemar: openstackclient seems to be spitting out warnings in stderr, even when --quiet is used - http://paste.fedoraproject.org/190277/24870892/17:41
crinkleis there a way to make it not do that?17:41
openstackgerritMorgan Fainberg proposed openstack/keystone: Add in non-decorator notifiers  https://review.openstack.org/15860017:42
openstackgerritMorgan Fainberg proposed openstack/keystone: Get initiator from manager and send to controller  https://review.openstack.org/15566017:42
openstackgerritMorgan Fainberg proposed openstack/keystone: Add CADF notifications for trusts  https://review.openstack.org/15186717:43
openstackgerritMorgan Fainberg proposed openstack/keystone: Add CADF notifications for trusts  https://review.openstack.org/15186717:43
morganfainbergdstanek, i'm going to move functional testing target to kilo post k3, it's all test restructuring so i'm ok with it landing post FF.17:48
morganfainbergdstanek, it can always land earlier17:48
*** EmilienM is now known as EmilienM|afk17:49
openstackgerritLin Hua Cheng proposed openstack/keystone: Remove unused tmp directory in tests  https://review.openstack.org/15920717:49
*** karimb has quit IRC17:51
morganfainberglbragstad, https://review.openstack.org/#/c/145317/ i just left a comment in-line17:53
morganfainberglbragstad, but in short, make the actual provider (not the provider manager) aware of if it needs persistence17:53
morganfainberglbragstad, you're still locking klwt provider as the *only* provider that could skip persistence with the recent change17:53
morganfainberglbragstad, don't do string checks ask the actual provider driver if it needs persistence - that way we could convert PKI over to it as well if we wanted.17:54
*** fmarco76 has left #openstack-keystone17:54
*** fmarco76 has joined #openstack-keystone17:55
*** nkinder has quit IRC17:56
*** fmarco76 has left #openstack-keystone17:56
raildomorganfainberg, so, now that we agreed with this solution, we don't need migrate the assignments types: USER_DOMAIN and GROUP_DOMAIN, right? Since we don't have dual scoped token anymore.17:58
openstackgerritMorgan Fainberg proposed openstack/keystone: Remove deprecated methods and functions in token subsystem  https://review.openstack.org/15138117:59
*** jamielennox is now known as jamielennox|away18:02
morganfainbergraildo, i think not initially18:10
morganfainbergraildo when you do enable the dual scope you will18:11
*** himangi has joined #openstack-keystone18:15
*** _cjones_ has quit IRC18:15
*** jamielennox|away is now known as jamielennox18:15
*** himangi has quit IRC18:16
*** himangi has joined #openstack-keystone18:16
*** himangi_ has joined #openstack-keystone18:16
*** himangi has quit IRC18:16
raildomorganfainberg, ok, so we can move this migration for Liberty with dual scoped token. (just to know what we have to finish here)18:17
morganfainbergraildo, right. if we push the dual scope to liberty18:17
morganfainbergnothing saying it couldn't land in the next few days... but it doesn't have to happen for this spec18:17
*** kallebe has joined #openstack-keystone18:18
*** pnavarro has joined #openstack-keystone18:18
*** david8hu has quit IRC18:18
raildomorganfainberg, right. thanks :)18:19
kallebeHello. Does anyone know if there is a way to get Keystone admin url port from keystoneclient in code? I know "keystone endpoint-list" shows it, but I could not find how to get it from code18:21
kallebethe default for the port is 35357, right?18:21
*** ljfisher has joined #openstack-keystone18:22
kallebeI was wondering if it from this method: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v3/endpoints.py#L65 but I don't know which value to give to "endpoint"18:25
*** aix has quit IRC18:25
*** raildo has left #openstack-keystone18:26
*** raildo has joined #openstack-keystone18:26
*** _cjones_ has joined #openstack-keystone18:29
*** david8hu has joined #openstack-keystone18:31
*** MasterPiece has quit IRC18:33
*** MasterPiece has joined #openstack-keystone18:35
*** rushiagr is now known as rushiagr_away18:35
*** afazekas_ has quit IRC18:40
larskskallebe: If you have a keystone client object, you can call ksclient.service_catalog.get_endpoints().18:42
larskskallebe: that takes a service_type and endpoint_type parameter, where service_type can be something like 'compute' or 'identity' (the latter for keystone).18:42
larsksAnd endpoint_type can be something like 'adminurl' or 'publicurl' (I think).18:43
*** ChanServ changes topic to "High Priority Reviews: https://gist.github.com/dolph/651c6a1748f69637abd0 [List has been cleaned up for K3 target] | K3 is next week. Prioritize reviews!"18:43
kallebelarsks ok, thanks for the help. I was wondering if maybe the port could be changed in the future? Because there are some hard coded parts in other projects' clients using hard coded 3535718:43
kallebefor example: https://github.com/openstack/python-cinderclient/blob/master/cinderclient/client.py#L37318:43
morganfainberglbragstad, dolphm, do you want me to address the comment in KLWT i had or can you, otherwise i think that is close [except the V2 bits]18:44
lbragstadmorganfainberg: working on the V2 stuff now, I can address the comment18:44
larsksWell, you *could* change it, and clients that aren't using the service catalog are arguably broken.18:44
morganfainberglbragstad, perfect i'll not step on what you're doing18:44
larsksBut the port's not going to change unless *you* change it.18:44
morganfainberglbragstad, catch the comment when you upload your next patch / or around then :)18:44
morganfainberglbragstad, if there is anything else i can do let me know please.18:45
lbragstadmorganfainberg: I should have another iteration up soon18:45
morganfainberglbragstad, fantastic. will watch for it.18:45
lbragstadmorganfainberg: jorge_munoz is working on a bunch of test cases for the revocation stuff,18:45
morganfainbergyay!18:46
kallebelarsks ok, I will certainly not change it :) I was just thinking about this. I will try to fix the hard coded 35357 parts18:46
*** tqtran has joined #openstack-keystone18:46
openstackgerritSteve Martinelli proposed openstack/keystone: Cleanup policy related tests  https://review.openstack.org/15856118:51
*** pdesai has joined #openstack-keystone18:51
stevemarbknudson, just for you big guy ^18:51
openstackgerritSteve Martinelli proposed openstack/keystone: Cleanup policy related tests  https://review.openstack.org/15856118:52
*** nellysmitt has quit IRC18:53
openstackgerritMorgan Fainberg proposed openstack/keystone: Deprecate Eventlet Deployment in favor of wsgi containers  https://review.openstack.org/15749518:57
crinklewe're having issues with openstackclient spitting out warnings even when --quiet is used, is there a flag to make it go away? http://paste.fedoraproject.org/190277/24870892/19:12
openstackgerritLance Bragstad proposed openstack/keystone: Keystone Lightweight Tokens (KLWT)  https://review.openstack.org/14531719:15
openstackgerritLance Bragstad proposed openstack/keystone: Use revocation events for lightweight tokens  https://review.openstack.org/15841419:15
openstackgerritLance Bragstad proposed openstack/keystone: Implement KLWT for v2.0 tokens  https://review.openstack.org/15922919:15
larskscrinkle: If only the puppet modules would learn to separate stdout and stderr...19:16
dtroyercrinkle: those are coming from the nova lib directly, we'll have to explicitly turn it off for --quiet19:16
lbragstadmorganfainberg: fixed ^19:17
crinklelarsks: it would be nice if we could do it programmatically via the utility we're trying to use19:18
crinkledtroyer: okay, thank you19:18
larskscrinkle: I thought there was some work at some point to move stuff to using the REST api directly?  I haven't been following things for a while.19:18
openstackgerritMerged openstack/keystone: Enable endpoint_policy, endpoint_filter and oauth by default  https://review.openstack.org/15384219:18
crinklelarsks: we were hoping using openstackclient would solve some of the problems without adding a lot of extra work to manage sessions and such19:20
crinkleplus it's the only thing that supports keystone v319:20
crinklethe api library we were planning to use doesn't19:20
larsksAh, bummer.19:20
gordcstevemar: quickq, if i have project_id, is there an api to get the domain_id associated with it?19:24
gordcmorganfainberg, bknudson: ^19:26
bknudsongordc: should be able to get details for the project and it'll show the domain_id.19:26
bknudsonhttp://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3.html#projects-v3-projects19:27
bknudsonnot sure why domain_id is listed as an optional attribute?19:27
gordcbknudson: ah awesome. thanks!19:27
bknudsonoh, it's optional on create19:27
bknudsonthe docs are ambiguous as to whether a client can expect it in the response.19:28
gordcbknudson: i see... but if i have v3 enabled and assuming i did link project to domain, it would be there.19:31
bknudsonall projects are in a domain.19:31
gordcbknudson: awesome. thanks for confirmation... time to run away *fire alarm*19:33
morganfainberggyee, re SP stuff in the catalog19:33
gyeek19:33
morganfainbergok so you're good with how it is - doesn't need more generic?19:33
morganfainbergfor other types of services for now?19:33
gyeethat's fine19:34
morganfainbergwe can expand it some [and probably more easily] so we have a non-OS service location long term19:34
morganfainbergok will approve that now.19:34
gyeego for it19:34
morganfainbergi think we're going to make it require ?service_providers though19:34
morganfainbergto not break things.19:34
morganfainbergthen ksc can default to requesting that / new clients can always request19:35
morganfainbergsame as ?nocatalog19:35
gyeeoh, like an explicit request?19:35
morganfainbergcc marekd ^19:35
morganfainbergto put it in the catalog19:35
morganfainbergtoday it'll break horizon >.<19:35
gyeeI don't understand, how's that breaking horizon?19:35
morganfainbergbecause django_openstack_auth does a naive iteration19:35
morganfainbergthat does direct key lookup in the dict19:35
morganfainbergfor thing in catalog: for x in thing['endpoints']19:35
gyeeoh19:36
morganfainbergwhich goes boom if you don't have endpoints19:36
gyeehow is django looking up sp url today? they are fetching the region right?19:37
gyeeso either way, its new code for them19:37
*** rlt_ has quit IRC19:38
morganfainbergyeah19:40
morganfainbergso lets get DOA fixed and released quickly on that front if possible19:41
morganfainbergcc david-lyle - going to need to provide a fix to DOA shortly to land some code.19:41
openstackgerritMerged openstack/keystone-specs: Drop unnecessary sections from federation docs  https://review.openstack.org/15692519:42
morganfainbergdavid-lyle, will ping you in a little bit on this front so we can just make sure the DOA stuff is more defensive. ideally i'd like to work to get a release out shortly if at all possible.19:42
morganfainbergdavid-lyle, so we can get global req updates as needed.19:42
david-lylemorganfainberg: sure19:42
morganfainbergdavid-lyle, but i need bowl-of-coffee before trying to get this done ;)19:43
gyeeso DOA would have to maintain two dicts, one for catalog and the other for SP?19:43
morganfainberggyee, no, DOA today just need to not explode.19:43
gyee500 internal error :D19:43
morganfainbergwe can figure out the right way to support this in horizon once we're not breaking people if they turn on K2K federation19:43
morganfainberg;)19:43
openstackgerritJorge Munoz proposed openstack/keystone: Use revocation events for lightweight tokens  https://review.openstack.org/15841419:44
openstackgerritJorge Munoz proposed openstack/keystone: Implement KLWT for v2.0 tokens  https://review.openstack.org/15922919:44
*** browne has joined #openstack-keystone19:46
stevemarmorganfainberg, i thought lhcheng had already provided fixes for DOA?19:48
morganfainbergstevemar, oh maybe19:48
morganfainbergcool if so19:48
morganfainbergi knew it was an issue19:48
morganfainbergbut hadn't dug into it19:48
stevemarwelp, guess not, might be just my imagination19:48
gyeehappy thoughts :)19:49
stevemaryep19:50
*** kallebe has left #openstack-keystone19:50
stevemarbknudson, can you take another look at https://review.openstack.org/#/c/148624/ and the test cleanup patch?19:52
stevemarmorganfainberg, ^19:52
openstackgerritSteve Martinelli proposed openstack/keystone: Cleanup policy related tests  https://review.openstack.org/15856119:54
morganfainbergstevemar, i un-starred lots of stuff and the high prio list looks more sane now19:54
stevemar\o/19:54
stevemarmorganfainberg, what else did you want done for the 'replace extensions' bp ?19:55
morganfainbergstevemar, i think we got the docs done, right?19:55
stevemardid you actually want to move the directories around?19:55
morganfainbergand uh.. the extensions are loaded by default, right?19:55
stevemaryes, and yes19:55
morganfainbergnot this cycle19:55
morganfainbergor not for k319:55
morganfainbergmore specifically19:56
morganfainberggod not for k3 ;)19:56
stevemaryeah, didn't think you wanted that done just yet :P19:56
morganfainbergi think we're pretty solid on the changes for now. i'd almost say we could close the BP and do further cleanup separately19:57
gyeewhere's the x509 stuff on that list?19:57
morganfainberggyee, do we have x509 patches that aren't in merge-conflict?19:57
lhchengmorganfainberg, stevemar: I opened a bug yesterday to track fixing DOA to make it now blow-up. Haven't got the chance to work on it yet.19:57
stevemarmorganfainberg, if we can get a few cores to actually +2 the 'use oslo.policy instead of incubator' patch, then i could bug dhellmann to tag a new release19:57
gyeemorganfainberg, Sam's working on finishing up the unit tests today19:57
morganfainberglhcheng, awesome let me know if you can get that done or want me to jump on it.19:57
morganfainbergstevemar, ++19:57
*** browne has quit IRC19:57
stevemarlhcheng, i'll review it for ya19:57
lhchengthere is also a fix needed in horizon too, it is also doing some manual parsing of the service catalog :(19:57
stevemarbooo19:58
morganfainberglhcheng, ugh.19:58
morganfainberglhcheng, UGHAHDFASDKAJDLSKFJ. :P19:58
stevemarbut i think that's the only place?19:58
*** browne has joined #openstack-keystone19:58
stevemarmorganfainberg, i'm going to mark the replace-extensions work as complete then19:58
morganfainbergstevemar, as long as we don't populate service_providers info if there are no SPs19:58
morganfainbergi think we should be safe to land the code w/o exploding people19:59
stevemarmorganfainberg, that should be very easy to implement19:59
morganfainbergand we need to make sure we have filtering capabilities for SPs as well19:59
morganfainbergso we can limit who can get SAML for a given SP.19:59
morganfainbergbut that should be built on the current stuff19:59
*** ljfisher has quit IRC20:00
lhchengmorganfainberg: when do you need the fix by? could simply test first if adding SP in the catalog would blow-up DOA.20:01
*** atiwari has joined #openstack-keystone20:01
morganfainberglhcheng, as long as we don't blow up DOA unless k2k is turned on we're mostly ok20:01
morganfainbergbut we do need it sooner vs later20:01
morganfainbergway sooner = way better ;)20:01
openstackgerritSteve Martinelli proposed openstack/keystone: Move UserAuthInfo to a separate file  https://review.openstack.org/15771720:02
openstackgerritSteve Martinelli proposed openstack/keystone: Authenticate local users via federated workflow  https://review.openstack.org/15630820:02
lhchengmorganfainberg, stevemar: looking at KSC, this should be fine right: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/service_catalog.py#L9020:02
morganfainbergksc should be fine20:02
morganfainbergit's doa that has the issue20:02
lhchenglook like invalid keys are handled well enough20:03
morganfainbergksc is smart enough to know to skip things that doesn't make sense20:03
lhcheng++20:03
*** browne has quit IRC20:03
*** browne has joined #openstack-keystone20:03
lhchengmorganfainberg: okay, will take a look at DOA a bit. Just fighting some other issue atm.20:04
morganfainberglhcheng, sure20:04
morganfainberglhcheng, it should be adding a try/except in ~1 place like ksc does20:05
morganfainbergand then we're all happy20:05
lhchengmorganfainberg: going to check if I could just leverage the auth_plugin.get_endpoints () for endpoint lookup20:06
morganfainberglhcheng, that'd be cool.20:06
*** pdesai has quit IRC20:13
*** browne has quit IRC20:19
*** nkinder has joined #openstack-keystone20:19
*** browne has joined #openstack-keystone20:19
*** pdesai has joined #openstack-keystone20:20
stevemarwe need brave souls to look at marekd's work for direct user mapping -> https://review.openstack.org/#/c/154934 + dependent patches20:24
stevemari've reviewed it about 4-5 times now20:25
dstanekstevemar: on it20:25
stevemardstanek, thanks dave20:25
stevemardavid*20:25
stevemari had to go and throw in a real name, cmon stevemar you know better, stick to irc handles20:25
dstaneklol; fail20:26
dstanekstevemar: is there a spec or just the blueprint?20:26
*** himangi_ has quit IRC20:28
gyeedstanek, the browns got a new color, hot brown :)20:30
stevemardstanek, there is http://specs.openstack.org/openstack/keystone-specs/specs/kilo/federated-direct-user-mapping.html20:31
dstanekgyee: it's been a big deal in the news here for a few weeks; "a secret uniform change to be announced soon"20:31
dstanekgyee: what a disappointment20:31
gyeepinkish brown?20:32
dstanekgyee: puke orange20:32
bknudsonthe whole team should go to rehab20:32
stevemardstanek, the gist of it - the mapping engine should be able to handle a mapping where the user is locally authenticated20:32
dstanekstevemar: thx; I added a link to it in the bp20:32
stevemarbknudson, maybe just the fans?20:32
stevemarbknudson, the fans need out, it's a bad relationship20:33
dstanekstevemar: no, they are the reason to drink; without alcohol they would have nobody in the stadium20:33
*** marzif_ has joined #openstack-keystone20:33
bknudsonhopefully johnny football will be allowed to be around alcohol when he gets out.20:33
*** browne has quit IRC20:34
gyeeheh, I am sure he'll learn20:34
*** browne has joined #openstack-keystone20:35
openstackgerritSteve Martinelli proposed openstack/keystone: WIP - add cadf notifications for oauth  https://review.openstack.org/15904520:38
openstackgerritSteve Martinelli proposed openstack/keystone: Add documentation for key terms and basic authenticating  https://review.openstack.org/15201820:43
stevemarand not to sound like a broken record, but https://review.openstack.org/#/c/148624/ should be ready, (most of the comments around tests are addressed in a follow on patch) if we can get agreement on this one then we can release a new library \o/20:47
*** marzif_ has quit IRC20:51
openstackgerritSteve Martinelli proposed openstack/keystone: Make RuleProcessor._UserType class public  https://review.openstack.org/15771120:53
*** spandhe has joined #openstack-keystone20:55
*** MasterPiece has quit IRC20:55
openstackgerritSteve Martinelli proposed openstack/keystone: Move UserAuthInfo to a separate file  https://review.openstack.org/15771720:55
stevemardstanek, thanks for reviewing the patches dude :)20:56
*** MasterPiece has joined #openstack-keystone20:57
*** atiwari has quit IRC20:58
dstanekstevemar: np21:00
dstanekstevemar: i'm not 100% sure about the logic here: https://review.openstack.org/#/c/156308/12/keystone/auth/plugins/mapped.py21:01
dstanekah, nm - i think i just answered my own question21:02
*** karimb has joined #openstack-keystone21:02
*** 92AAALG4Y is now known as dank_21:05
ayoung-mtgI love this error:    "TypeError: factory() takes at most 5 arguments (75 given)"21:06
lbragstadjorge_munoz: I'm pushing an iteration of the revocation patch, fixing some pep8 issues21:10
stevemarayoung-mtg, that's a spectacular error21:10
stevemardstanek, yeah theres a few things moving around there21:10
lbragstadjorge_munoz: just giving you a heads up since you'll have to pull again21:10
jorge_munozlbragstad: ok, thanks for the heads up.21:11
dstanekayoung-mtg: 75? what on earth are you doing?21:11
openstackgerritSteve Martinelli proposed openstack/keystone: Authenticate local users via federated workflow  https://review.openstack.org/15630821:12
stevemardstanek, can you re +2 this one: https://review.openstack.org/#/c/157711/ i fixed up the commit message and it took the +2 away :(21:12
stevemardstanek, awesome though, just the first patch in the chain needs to be fixed up21:13
*** browne has quit IRC21:15
*** browne has joined #openstack-keystone21:16
openstackgerritSteve Martinelli proposed openstack/keystone: Remove extra semicolon from mapping fixtures  https://review.openstack.org/14808021:16
bknudsonwhen using the policy.v3cloudsample.json, what's the admin_domain_id supposed to be set to? is "default" a good idea?21:20
gyeebknudson, yes, for backward compat21:22
bknudsongyee: ok, thanks.21:22
bknudsonalso, found some docs: http://docs.openstack.org/developer/keystone/configuration.html#keystone-api-protection-with-role-based-access-control-rbac21:22
*** ljfisher has joined #openstack-keystone21:24
gyeethat rule seem wrong, should be target.user.domain_id21:25
openstackgerritLance Bragstad proposed openstack/keystone: Use revocation events for lightweight tokens  https://review.openstack.org/15841421:25
openstackgerritLance Bragstad proposed openstack/keystone: Implement KLWT for v2.0 tokens  https://review.openstack.org/15922921:25
lbragstadjorge_munoz: you should be good to pull latest string of commits, ^21:26
bknudsongyee: the policy file needs better unit tests if that rule is wrong.21:27
gyeeyeah, we need more test coverage for both policy files21:27
openstackgerritDavid Stanek proposed openstack/keystone: WIP: Support read operations for templated catalogs  https://review.openstack.org/15844321:29
openstackgerritDavid Stanek proposed openstack/keystone: Removes KVS catalog backend  https://review.openstack.org/15844221:29
openstackgerritDavid Stanek proposed openstack/keystone: Adds an initial functional test  https://review.openstack.org/15846621:35
openstackgerritDavid Stanek proposed openstack/keystone: Support for running functional federation tests  https://review.openstack.org/13913721:35
openstackgerritDavid Stanek proposed openstack/keystone: enables bashate checking on dsvm code  https://review.openstack.org/15130921:35
openstackgerritDavid Stanek proposed openstack/keystone: adds a devstack plugin for running a pysaml2 IdP  https://review.openstack.org/15131021:35
openstackgerritDavid Stanek proposed openstack/keystone: adds a devstack plugin for setting up federation  https://review.openstack.org/15131121:35
openstackgerritDavid Stanek proposed openstack/keystone: adds a tox target for functional tests  https://review.openstack.org/15052821:35
*** markvoelker has quit IRC21:35
*** markvoelker has joined #openstack-keystone21:36
dstanektoo many reviews and not enough -1s21:37
gyeehow many do you need?21:40
*** markvoelker has quit IRC21:40
*** pnavarro has quit IRC21:41
*** markvoelker has joined #openstack-keystone21:42
dstanekgyee: num_reviews * 221:42
lbragstadstevemar: this looks good to me and my comments were addressed. If you want, I can pull it down and address dstanek's comments? https://review.openstack.org/#/c/126180/1721:47
stevemarlbragstad, sure21:49
stevemarlbragstad, gonna push it after that? i'm confused21:49
lbragstadstevemar: yeah, i was just going to fix the two comments dstanek and push back up for review,21:51
lbragstadstevemar: since it look close to being approved21:52
stevemarcoolio to me lbragstad21:52
*** radez is now known as radez_g0n321:53
openstackgerritLance Bragstad proposed openstack/keystone: Keystone Lightweight Tokens (KLWT)  https://review.openstack.org/14531721:54
openstackgerritLance Bragstad proposed openstack/keystone: Use revocation events for lightweight tokens  https://review.openstack.org/15841421:54
openstackgerritLance Bragstad proposed openstack/keystone: Implement KLWT for v2.0 tokens  https://review.openstack.org/15922921:54
dstaneklbragstad: nice - i have my +2 stamp ready to go!21:58
lbragstaddstanek: perfect!21:58
*** jaosorior has quit IRC22:02
*** pnavarro has joined #openstack-keystone22:05
morganfainbergwoohoo22:08
* morganfainberg finishes meeting and sees ^^ 22:09
*** mattfarina has quit IRC22:10
*** pnavarro has quit IRC22:11
*** bknudson has quit IRC22:15
openstackgerritLance Bragstad proposed openstack/keystone: Revamp the documentation surrounding notifications  https://review.openstack.org/12618022:16
stevemarlbragstad, thx22:17
*** stevemar has quit IRC22:27
lbragstad:q22:28
lbragstad... sorry wrong window22:29
morganfainberg:wq!22:29
rodrigods:qa!22:29
dstaneki once knew a guy that sent ":q!" to his boss as a resignation warning and followed it up with a letter in email22:30
dstanekclassy22:30
lbragstadlol22:31
rodrigodshaha lol22:31
gyeenice22:31
gyeemy favorite email title "OOO forever"22:31
*** browne has quit IRC22:31
*** browne has joined #openstack-keystone22:32
*** csoukup has quit IRC22:35
*** karimb has quit IRC22:45
*** jorge_munoz has quit IRC22:48
*** browne has quit IRC22:51
*** browne has joined #openstack-keystone22:52
mfischare there any things to worry about when switching from keystone.token.backends.sql.Token to keystone.token.persistence.backends.sql.Token?22:54
mfischor is it a drop-in22:54
morganfainbergmfisch, the former is an alias to the latter22:54
mfischso just the name is deprecated?22:54
morganfainbergyeah22:55
morganfainbergsee: https://github.com/openstack/keystone/blob/stable/juno/keystone/token/backends/sql.py22:55
morganfainbergit's just not that interesting ;)22:56
mfischwhy read code when there's Morgan AAS available on IRC!22:56
mfischor is it MaaS22:56
morganfainbergno, not MaaS as that is an ubuntu thing22:56
mfischFBaaS then22:56
* morganfainberg is clearly not an ubuntu thing22:56
morganfainbergor PTLaaS22:57
morganfainbergwe might have a few of those throughout openstack22:57
mfischones that actually answer questions on IRC?22:57
mfischits not * anyway22:57
morganfainbergwell i think there is only one in this channel22:58
morganfainbergbut there are a lot who answer questions in irc22:58
morganfainbergoh wait no there are at least 2 in this channel22:58
mfischyeah most are good ;)22:59
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Extract revocations to file  https://review.openstack.org/15727923:02
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Extract IdentityServer into file  https://review.openstack.org/15728223:02
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Move UserAuthPlugin into its own file  https://review.openstack.org/15728323:02
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Break default auth plugin into file  https://review.openstack.org/15728023:02
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Extract all TokenCache related classes to file  https://review.openstack.org/15728123:02
mfischI assume that was a rebase and not the most productive person of all time23:03
*** diegows has joined #openstack-keystone23:06
bretondstanek: I will -1 those patches tomorrow morning, if nobody +a them23:09
*** browne has quit IRC23:09
dstanekbreton: which patches?23:09
*** browne has joined #openstack-keystone23:09
*** gordc has quit IRC23:13
*** spandhe has quit IRC23:16
*** gyee has quit IRC23:20
*** joesavak has quit IRC23:26
*** browne has quit IRC23:27
*** browne has joined #openstack-keystone23:27
morganfainberglbragstad, dolphm, so far so good. KLWT seem to be working, restacking to make sure i have a clean environment23:29
dolphmmorganfainberg: =)23:30
morganfainbergwell besides that i saw it loading things from the keyfile(s) a bazillion times23:30
morganfainbergbut that might have been an artifact of my previous stack23:31
*** samueldmq_ has joined #openstack-keystone23:35
*** afazekas has quit IRC23:37
openstackgerritMerged openstack/keystone: Correct initialization order for logging to use eventlet locks  https://review.openstack.org/15491523:37
*** markvoelker has quit IRC23:42
*** markvoelker has joined #openstack-keystone23:42
*** chlong has quit IRC23:43
*** chlong_ has quit IRC23:44
*** markvoelker has quit IRC23:47
*** chlong has joined #openstack-keystone23:48
*** markvoelker has joined #openstack-keystone23:49
*** bknudson has joined #openstack-keystone23:51
*** ChanServ sets mode: +v bknudson23:51
openstackgerritRodrigo Duarte proposed openstack/keystone: Add parent_id to test_project_model  https://review.openstack.org/15929423:56
*** browne has quit IRC23:56
*** browne has joined #openstack-keystone23:57
*** gordc has joined #openstack-keystone23:58
