Wednesday, 2015-03-04

00:01 *** spandhe has quit IRC
00:03 *** spandhe has joined #openstack-keystone
00:05 *** timcline has joined #openstack-keystone
00:07 *** ncoghlan has joined #openstack-keystone
00:09 *** nkinder has joined #openstack-keystone
00:11 *** jlk has joined #openstack-keystone
00:11 <jlk> So.. if keystone goes behind apache, as keystone dev docs suggest, how does one "stop" keystone in order to do a db migration, without stopping other things running behind apache?
00:12 *** thedodd has quit IRC
00:13 *** amerine has joined #openstack-keystone
00:17 *** zzzeek has quit IRC
00:26 *** markvoelker has quit IRC
00:26 *** sigmavirus24_awa is now known as sigmavirus24
00:35 <morganfainberg> jlk: you typically stop Apache.
00:35 <jlk> yeah... that's not going to fly when apache is doing other tasks, like fronting other services or being a load balancer
00:35 <morganfainberg> jlk: you can also disable keystone and graceful/reload so the wsgi isn't running for it.
00:35 <jlk> We could disable the keystone site, and reload apache, but AFAIK that doesn't close any active connections to the wsgi
00:36 <jlk> maybe that's... okay? and the chances of active connections doing some sql thing while trying to do a migration is a thing I just shouldn't worry about?
00:37 <morganfainberg> You can also disable the routing to the backend and remember keystone doesn't run long lived actions.
00:37 <morganfainberg> So then new connections would be denied (make it raise a service unavailable at the Apache layer). You have to restart Apache anyway to load the new code / graceful
00:38 <jlk> should be able to do that with an apache reload instead of restart though
00:38 <morganfainberg> You can also kill the wsgi processes, which Apache will load new ones on the next request.
00:38 <morganfainberg> Yeah graceful ~= reload.
00:38 <openstackgerrit> Merged openstack/keystone: Update sample config file  https://review.openstack.org/160970
00:39 <morganfainberg> The other option would be to use something like uwsgi with mod_uwsgi_proxy. You could then stop the uwsgi and not Apache.
00:39 <morganfainberg> This is not well tested but is on the list to do post kilo.
00:40 <openstackgerrit> Merged openstack/python-keystoneclient: Import functional CLI tests from tempest  https://review.openstack.org/158503
00:40 <morganfainberg> I would probably just kill the wsgi processes after disabling the keystone "site" including a reload. Then when new code is deployed I'd re-enable and on next request things go through and start the new code/wsgi processes managed by mod_wsgi
00:41 <jlk> yeah, or put something in place to watch for the processes to die before continuing, a more graceful way
00:41 <jlk> something close to nova's graceful shutdown of compute.
00:42 <morganfainberg> Sure. Same net effect.
00:42 <morganfainberg> Well again keystone doesn't really have long lived tasks. The traffic will likely quiesce in a few seconds.
00:42 <gyee> dumb question, how do I rename a review topic?
00:43 <morganfainberg> Compute could have things to do once shutdown is signaled.
00:43 <morganfainberg> gyee: either via the gerrit interface (web) or you can do it with a git review command line switch.
00:43 <jlk> morganfainberg: sure, but automation needs to be sure, and wait appropriately. Otherwise it can be too fast
00:44 <morganfainberg> jlk: sure.
00:45 <gyee> morganfainberg, thanks, ah -t option
00:48 <mtreinish> jamielennox: looks like your keystoneclient cli test patch landed. Want to propose the tempest removal? :)
00:48 <jamielennox> mtreinish: ah cool, yep i'll do that now
00:48 <jamielennox> mtreinish: gotta take the glory after all that
00:51 *** gyee has quit IRC
00:51 <morganfainberg> mtreinish: jamielennox yeah I pushed that patch through the moment I saw it. Yay!
00:52 *** david-lyle has quit IRC
00:52 <mtreinish> morganfainberg: awesome thanks, I still hope I can kill all the cli tests in tempest by the end of the cycle
00:52 <mtreinish> jamielennox: ^^^ if you want to be a good citizen and do it for everyone else :)
00:53 <jamielennox> mtreinish: because you know how much of a PITA passing code through the clients is :p
00:54 <mtreinish> jamielennox: heh, that's why I haven't just done it
00:55 <morganfainberg> mtreinish: ++
00:56 <morganfainberg> jamielennox: I'm going to rip apart our middleware docs and make the "only supported" auth the plugin form soon.
00:56 <jamielennox> morganfainberg: that's more of a problem than you think - but yay do it
00:56 *** ljfisher has quit IRC
00:56 <morganfainberg> Yah. It's a problem. But since no one knows how to really configure middleware to use the plugins... It's needed.
00:57 <morganfainberg> I've been asked 5 times now. :P
00:57 <jamielennox> morganfainberg: you saw my post?
00:57 <jamielennox> i realize that's not sufficient
00:57 <morganfainberg> Your site was not working the times I looked for it.
00:57 <jamielennox> ...
00:58 <morganfainberg> GitHub pages can really suck sometimes.
00:58 *** radez is now known as radez_g0n3
00:58 <morganfainberg> It's not your site it was clearly gh pages on the fritz.
00:58 <jamielennox> http://www.jamielennox.net/blog/2015/02/23/v3-authentication-with-auth-token-middleware/
00:58 <jamielennox> morganfainberg: i used gh pages so that it doesn't go down :(
00:58 <jamielennox> can you host them on swift?
00:58 <jamielennox> i know you can deploy to an s3 bucket
00:58 <morganfainberg> jamielennox: I fronted mine with cloudflare.
00:59 <morganfainberg> But probably could host it on swift or s3 easily. But gh pages and cloudflare is free.
00:59 *** timcline has quit IRC
00:59 <jamielennox> i beat the SSL everywhere drum as much as anyone, but i was just hoping github would figure it out for me
00:59 <morganfainberg> jamielennox: but yeah. Post is good. Real docs = better.
01:00 <morganfainberg> Eh cloudflare solved it for
01:00 <morganfainberg> Me.
01:00 <morganfainberg> Was good enough.
01:01 <openstackgerrit> wanghong proposed openstack/keystone: remove assignments when deleting a domain  https://review.openstack.org/127433
01:02 *** jaosorior has quit IRC
01:02 <openstackgerrit> henry-nash proposed openstack/keystone: Add support for whitelisting and partial domain configs  https://review.openstack.org/158679
01:03 <openstackgerrit> henry-nash proposed openstack/keystone: Add API support for domain config  https://review.openstack.org/158752
01:04 *** gyee has joined #openstack-keystone
01:04 *** ChanServ sets mode: +v gyee
01:04 <openstackgerrit> henry-nash proposed openstack/keystone: Stop debug logging of Ldap while running unit tests  https://review.openstack.org/160872
01:05 <openstackgerrit> henry-nash proposed openstack/keystone: Enable use of database domain config  https://review.openstack.org/159675
01:05 <openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone: Improve List Role Assignments Filters Performance  https://review.openstack.org/137202
01:05 *** carlosmarin has quit IRC
01:06 *** sigmavirus24 is now known as sigmavirus24_awa
01:06 <openstackgerrit> henry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs  https://review.openstack.org/159928
01:06 <samueldmq> lbragstad ^ replied your comments on list role assignments performance
01:07 <samueldmq> lbragstad, thanks for your review
01:08 <openstackgerrit> henry-nash proposed openstack/keystone: Mark the domain config API as experimental  https://review.openstack.org/160032
01:08 <openstackgerrit> Ian Wienand proposed openstack/keystone: Move install of cryptography before six  https://review.openstack.org/161055
01:08 <samueldmq> henrynash, would you mind if I rebase that data-driven tests chain? (since I sent a new version of list role assignments)
01:09 <henrynash> samueldmq: go for it
01:09 *** markvoelker has joined #openstack-keystone
01:09 <openstackgerrit> wanghong proposed openstack/keystone: move region and service exist checks into manager layer  https://review.openstack.org/141977
01:09 <samueldmq> henrynash, k thanks
01:10 <henrynash> bknudson, stevemar, ayoung: if you are still about have fixed up the latest comments on https://review.openstack.org/#/c/158679/16
01:13 <openstackgerrit> wanghong proposed openstack/keystone: apply endpoint_group filters on token catalog  https://review.openstack.org/144187
01:14 *** markvoelker has quit IRC
01:14 <jlk> If running keystone behind http, do admin_workers and public_workers come into play?
01:14 <jamielennox> jlk: no, that'd be controlled by httpd
01:15 <jlk> now to mentally map that into processes and threads
01:17 *** dims_ has joined #openstack-keystone
01:17 *** davechen has joined #openstack-keystone
01:18 *** jeffDeville has joined #openstack-keystone
01:19 *** dims has quit IRC
01:22 *** henrynash has quit IRC
01:22 *** henrynash has joined #openstack-keystone
01:22 *** ChanServ sets mode: +v henrynash
01:23 *** jeffDeville has quit IRC
01:25 <openstackgerrit> wanghong proposed openstack/keystone: add timestamp to project and role  https://review.openstack.org/154370
01:28 <lbragstad> dolphm: I'll take the blame for that one
01:29 *** _cjones_ has quit IRC
01:30 <openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone: Add support for data-driven backend assignment testing  https://review.openstack.org/149178
01:31 <openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone: Add support for effective & inherited mode in data driven tests  https://review.openstack.org/151623
01:31 <openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone: Add support for group membership to data driven assignment tests  https://review.openstack.org/151962
01:32 <openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone: Broaden domain-group testing of list_role_assignments  https://review.openstack.org/154302
01:32 *** _cjones_ has joined #openstack-keystone
01:32 <openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone: Test list_role_assignment in standard inheritance tests  https://review.openstack.org/153897
01:33 <openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone: Support project hierarchies in data driver tests  https://review.openstack.org/154485
01:33 <openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone: Remove manager-driver assignment metadata construct  https://review.openstack.org/148995
01:34 <openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone: Exposes bug in Federation list projects endpoint  https://review.openstack.org/158163
01:42 *** kfox1111 has quit IRC
01:43 *** samueldmq has quit IRC
01:46 *** tqtran has quit IRC
01:47 <openstackgerrit> Lance Bragstad proposed openstack/keystone: Convert audit_ids to bytes before msgpacking  https://review.openstack.org/160993
01:49 *** _cjones_ has quit IRC
01:52 *** jeffDeville has joined #openstack-keystone
01:53 *** henrynash has quit IRC
01:54 <openstackgerrit> Lance Bragstad proposed openstack/keystone: Fix a minor coding nit in Fernet testing  https://review.openstack.org/161068
01:55 <morganfainberg> oh god
01:55 <morganfainberg> that turns into a literal set doesn't it
01:55 <morganfainberg> '{<hex>}'
01:55 <morganfainberg> lbragstad, be glad you didn't try that w/ py26 :P
01:56 <morganfainberg> or.. wow that's just weird
01:56 <lbragstad> morganfainberg: yeah, not sure what the reason was behind that but dstanek caught it
01:56 <morganfainberg> it works though
01:56 <morganfainberg> weeeirdddd
01:56 <morganfainberg> >>> uuid.UUID('{12345678901234567890123456789012}')
01:56 <morganfainberg> UUID('12345678-9012-3456-7890-123456789012')
01:56 <morganfainberg> >>>
01:56 <morganfainberg> i ... don't even get that
01:57 <morganfainberg> why are { allowed as part of that string...
01:57 *** jeffDeville has quit IRC
01:58 <lbragstad> morganfainberg: no idea,
01:58 <lbragstad> i thought it was some weird quirk
01:59 *** jeffDeville has joined #openstack-keystone
01:59 *** jamielennox is now known as jamielennox|away
01:59 <morganfainberg> lbragstad, any idea how you're going to handle the v2 tokens?
02:01 *** jeffDeville has quit IRC
02:01 <lbragstad> morganfainberg: I originally tried sending whatever I could to the V3 token formatter and making it look like a v2 response
02:01 <lbragstad> but that didn't quite turn out
02:01 <morganfainberg> lbragstad, didn't work?
02:01 <lbragstad> not really...
02:01 <morganfainberg> what broke?
02:02 <lbragstad> I don't think it was building the token data properly,
02:03 <lbragstad> and it looked really ugly beating whatever we got back from the v3 data helper until it looked like a v2 repsonse
02:03 <lbragstad> response*
02:04 <morganfainberg> sure, but at least that could have been used by all providers
02:04 <morganfainberg> and kept ick isolated.
02:04 <morganfainberg> maybe i'll take a stab at doing it for all providers, pki being the only "weird" one
02:04 *** jeffDeville has joined #openstack-keystone
02:04 <lbragstad> morganfainberg: that would be cool, jorge_munoz has something locally that he is hacking on to get it to work
02:05 <lbragstad> morganfainberg: I'd probably sync with him to see what he has
02:05 <morganfainberg> sure.
02:08 *** browne has quit IRC
02:10 *** markvoelker has joined #openstack-keystone
02:10 *** erkules_ has joined #openstack-keystone
02:13 *** erkules has quit IRC
02:13 *** jeffDeville has quit IRC
02:15 *** markvoelker has quit IRC
02:18 <lbragstad> dolphm: are you still thinking that we should have a format schema for unscoped tokens? https://github.com/openstack/keystone/blob/fb9954caede1e9b2896739ff95ed38b7ec49ad98/keystone/token/providers/fernet/core.py#L24-L25
02:18 <lbragstad> dolphm: in that case, should we do different schemas for domain-scoped and unscoped?
02:19 <dstanek> lbragstad: what'd i break?
02:19 <morganfainberg> lbragstad, http://paste.openstack.org/show/187089/ just need to make the v2_token_data_helper able to do the convert method there
02:20 <morganfainberg> lbragstad, i think.
02:20 <morganfainberg> lbragstad, so yeah data munging but not really totally awful (could probably short-circuit the openssl call for v3 too by refactoring a minor bit.
02:22 <lbragstad> dstanek: you caught the '{' + uuid_string + '}' stuff
02:22 <dstanek> lbragstad: ah, yeah. it wasn't wrong, just unnecessary
02:23 <morganfainberg> dstanek, not sure why { + string + } worked
02:23 <lbragstad> morganfainberg: nice, you haven't tried that on fernet yet have you?
02:23 <morganfainberg> lbragstad, don't have the transform yet, but this short circuits v2 token issuance globally.
02:23 <dstanek> morganfainberg: https://docs.python.org/2/library/uuid.html - i don't think it's based on rfc 4122 though
02:24 <dolphm> lbragstad: either yes, or put "null" into the "scoped" schema
02:24 <dstanek> morganfainberg: i think it's because of the definition of namespaces
02:24 <morganfainberg> lbragstad, so it always issues a v3, then it would transform to v2, for fernet you wouldn't care except on validate (validate would need the same rough treatment)
02:25 <morganfainberg> oh nvm you would care for fernet, anyway not that awful to make v2 issuance just v3 + data transform
02:25 <dstanek> lbragstad: did you guys get the unicode for v2 vs. str for v3 figured out?
02:25 <morganfainberg> dstanek, that is routes vs header
02:25 <morganfainberg> dstanek, if it comes in as part of the URL it's a different type
02:25 <morganfainberg> :(
02:26 <dstanek> ah, that seems wrong
02:26 <morganfainberg> dstanek, at least that is my guess at why it's different. doesn't mean it's right
02:26 <morganfainberg> or the correct behavior
02:26 <morganfainberg> just probably what is actually going on
02:27 *** ayoung has joined #openstack-keystone
02:27 *** ChanServ sets mode: +v ayoung
02:27 *** markvoelker has joined #openstack-keystone
02:27 <dstanek> morganfainberg: that's probably what it is. the routes gives us unicode which i've always thought was wrong, but i never took time to read the HTTP spec about it
02:30 *** stevemar has joined #openstack-keystone
02:30 *** ChanServ sets mode: +v stevemar
02:32 <lbragstad> dstanek: morganfainberg that makes sense
02:32 <lbragstad> because once we get into the auth/controller.py layer, we handle both pretty much the same
02:33 *** markvoelker has quit IRC
02:33 <dstanek> lbragstad: maybe that string conversion needs to happen in the controller since it's a web layer thing
02:33 <dstanek> so checking for unicode isn't correct to find what is a v2 token
02:34 <lbragstad> dstanek: agreed
02:35 *** stevemar has quit IRC
02:35 <morganfainberg> lbragstad, ok so i think http://paste.openstack.org/show/187113/ and then the conversion code.
02:35 <morganfainberg> lbragstad, should do it. plus maaaaybe some testing
02:36 *** stevemar has joined #openstack-keystone
02:36 *** ChanServ sets mode: +v stevemar
02:37 *** jamielennox|away is now known as jamielennox
02:37 <lbragstad> morganfainberg: awesome, I'll see if I can get something working
02:38 <morganfainberg> lbragstad, ** no guarantees that actually works, but it should be minor massaging of code at worst to fix any assumptions i made that are bogus.
02:38 <morganfainberg> lbragstad, you could *probably* use the token_model as well to make converting easier
02:38 <lbragstad> morganfainberg: that makes sense
02:40 <lbragstad> morganfainberg: the v3_to_v2_token method doesn't exist yet, right?
02:40 <morganfainberg> no it does not
02:40 <morganfainberg> i figure you have some of that code already, i could hack it together as well.
02:41 <lbragstad> ok, just double checking
02:49 <openstackgerrit> Sam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate  https://review.openstack.org/156870
02:50 <stevemar> morganfainberg, what's the state of keystone!?
02:50 <morganfainberg> stevemar huh?
02:50 <stevemar> with the last few patches
02:51 <morganfainberg> explain?
02:51 <morganfainberg> you mean, are we ready to cut k3?
02:51 *** raildo_ has joined #openstack-keystone
02:52 <morganfainberg> stevemar, we need a patch or two to enable v2 tokens to work with fernet, and i think we're at the point where FFEs are needed for everything else
02:52 <morganfainberg> because we need to be ready in ~2 days for k3
02:52 <morganfainberg> stevemar, also is cadf complete?
02:52 *** jamielennox is now known as jamielennox|away
02:52 <morganfainberg> oh nvm it is
02:53 *** gothicmindfood has joined #openstack-keystone
02:53 * morganfainberg waves at gothicmindfood
02:53 <gothicmindfood> oh hai morganfainberg :)
02:53 <morganfainberg> gothicmindfood, how are you this fine day?
02:53 <morganfainberg> s/day/evening
02:54 <gothicmindfood> morganfainberg: if you take away the migraine I'd be doing great. But we can't have everything we want all the time, I guess.
02:54 <morganfainberg> gothicmindfood, boooooo. migraines are no fun
02:55 <stevemar> morganfainberg, i'd like to merge this guy: https://review.openstack.org/#/c/159045/
02:55 <morganfainberg> that's one of those things you should always be able to have: migraine free days.
02:55 *** jamielennox|away is now known as jamielennox
02:55 <stevemar> but o/w it's complete, we can handle that guy as a bug?
02:55 <morganfainberg> stevemar, notifications aren't too much critical path, that can land pretty much anytime i would guess
02:55 <morganfainberg> s/notifications/audit notifications
02:55 <stevemar> morganfainberg, yeah, that's what i figured
02:56 <stevemar> that's why i was using my time to review instead of code
02:56 <openstackgerrit> Sam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate  https://review.openstack.org/156870
02:56 *** jamielennox is now known as jamielennox|away
02:56 <morganfainberg> what the...
02:57 *** jamielennox|away is now known as jamielennox
02:57 <morganfainberg> uhm...
02:57 <morganfainberg> https://review.openstack.org/#/c/154370/ why are we adding the placeholders there?
02:58 <openstackgerrit> Lin Hua Cheng proposed openstack/keystone: On creation default service name to empty string  https://review.openstack.org/146962
03:00 <morganfainberg> dstanek, ping.
03:00 <morganfainberg> dstanek, ok since you talked this through w/ marekd mind stepping me through https://review.openstack.org/#/c/142573/16 because i am still missing the understanding of the .extend vs .append
03:00 <morganfainberg> and why that is important
03:00 <dstanek> morganfainberg: sure
03:01 <morganfainberg> because the rest of it looks fine to me.
03:01 <dstanek> so basically the output of the mapping is a list
03:01 * morganfainberg isn't a fan of the ast use, but whatever.
03:01 <morganfainberg> ok
03:02 <dstanek> in the local section we use {0} to refer to the first element in the list; may be the username or group
03:02 <dstanek> but...in the case of white or black listing those things are a list in a list
03:03 <dstanek> morganfainberg: actually now that i think about it, i don't like the tests because they hide this
03:04 <dstanek> morganfainberg: the test on line 900 here https://review.openstack.org/#/c/142573/16/keystone/tests/unit/test_v3_federation.py
03:05 <morganfainberg> oh
03:05 <morganfainberg> i think i see it.
03:05 <morganfainberg> i *think*
03:06 <morganfainberg> it's a bit weird
03:06 <dstanek> that test uses a whitelist so the output of the mapping is effectively [[groups*], username]
03:06 <morganfainberg> this almost tells me we should have used a proper object not abusing lists.
03:06 <dstanek> very considering the list is str-ed and late evaled
03:06 <morganfainberg> because this is not straightforward to see
03:06 <dstanek> yeah i agree - i alluded to that earlier
03:07 <dstanek> right now the logic is kind of distributed
03:07 <morganfainberg> i'm ok with this going in as is.. but i'm not a fan of it.
03:07 *** raildo_ has quit IRC
03:07 <morganfainberg> this feels like another revocation event tree thing
03:07 <morganfainberg> where very few people will get it.
03:08 <morganfainberg> and it'll be at risk of regressions/bugs since it's not well understood
03:08 <dstanek> agreed. i didn't want to +2 because i wanted to see if we could get a few other people to understand since it is too different
03:08 <morganfainberg> dstanek, so, i'm going to +1 with a comment to consider my +1 a +2 when you feel there have been enough eyes on it
03:09 <dstanek> morganfainberg: sounds good - we can discuss with the others tomorrow and see if anyone else is interested in diving in
03:10 <morganfainberg> dstanek, ++
03:10 <morganfainberg> comment added. if no one else wants to dive in we can push it through gate tmrrow.
03:11 <morganfainberg> and circle back to clean this up in k3
03:11 <morganfainberg> or liberty
03:11 <morganfainberg> s/k3/by rc
03:12 *** spandhe has quit IRC
03:12 <morganfainberg> there are going to be a lot of -2s going out tomorrow.
03:12 * morganfainberg wants something beside a procedural -2.
03:12 *** browne has joined #openstack-keystone
03:16 <wanghong> morganfainberg, ping, I find that 45-49 and 56-60 are all placeholder migrations.
03:16 *** timcline has joined #openstack-keystone
03:16 <morganfainberg> wanghong, right, why are the placeholders being added?
03:17 *** timcline has quit IRC
03:17 *** dims_ has quit IRC
03:17 <morganfainberg> wanghong, usually placeholder migrations are added solely as the first commit of a new cycle.
03:17 <wanghong> morganfainberg, ah, I know...
03:17 <morganfainberg> wanghong, there is no specific numbering requirement for the placeholders ;)
03:17 *** timcline has joined #openstack-keystone
03:18 <morganfainberg> they just are added for backports when we start another cycle wherever we are at.
03:19 <wanghong> morganfainberg, got it. I will remove them.
03:19 <morganfainberg> wanghong, great!
03:21 *** harlowja_ is now known as harlowja_away
03:22 <openstackgerrit> wanghong proposed openstack/keystone: add timestamp to project and role  https://review.openstack.org/154370
03:28 *** markvoelker has joined #openstack-keystone
03:29 *** gyee has quit IRC
03:32 <davechen> morganfainberg, hi
03:32 <morganfainberg> davechen, allo
03:33 *** markvoelker has quit IRC
03:33 <davechen> morganfainberg, just wanna have a short discussion with you about this readonly admin role.
03:33 <davechen> morganfainberg, https://blueprints.launchpad.net/keystone/+spec/admin-readonly-role
03:33 <davechen> morganfainberg, do you think it
03:33 <davechen> morganfainberg, do you think it deserves a try in L?
03:34 <stevemar> an admin user with read-only, that seems strange ^_-
03:34 <morganfainberg> stevemar, think of it this way, a role that can "inspect anything" but can't change things
03:34 <morganfainberg> stevemar, not "admin" but isn't restricted from looking at things.
03:34 <stevemar> inspector role
03:35 <davechen> yeah, there are some cases where the role just has read permission but acts as the admin.
03:35 <morganfainberg> stevemar, go go gadget openstack?
03:35 <stevemar> ha
03:35 <morganfainberg> davechen, i think this is a case where we can represent this with current policy - and as we move towards dynamic policy it gets easier
03:36 <morganfainberg> davechen, so in either case we will need work done in policy to represent this.
03:36 <morganfainberg> i see it as having value.
03:36 <morganfainberg> but it's definitely not keystone-exclusive
03:36 <morganfainberg> *still see it as having value
03:36 <davechen> is there anyone watching this?
03:37 <morganfainberg> so i think if we get rid of hard-coded admin everywhere and then we define an appropriate read-only role that is deployed in devstack we've demonstrated the direction
03:38 <morganfainberg> davechen, ... so L should be targeting at least that? No more hard-coded admin and a demonstration of this type of role in devstack w/ proper testing?
03:38 <stevemar> morganfainberg, i guess all the get/list calls would be 'admin-read'
03:38 <morganfainberg> stevemar, yeah.
03:38 <davechen> not just hard-coded, but removing them may be a good start.
03:38 <morganfainberg> yeah, move all the "is_admin" type checks to rely on proper RBAC
03:39 <morganfainberg> which can start with the "admin" role ;)
03:39 <davechen> talked in the nova project, they are not objecting to this, but haven't seen any action on this :)
03:39 <morganfainberg> yeah no one has really jumped on it
03:39 <morganfainberg> but the projects would all accept that type of change
03:39 <openstackgerrit> Lance Bragstad proposed openstack/keystone: Convert audit_ids to bytes before msgpacking  https://review.openstack.org/160993
03:40 <davechen> so morganfainberg, maybe I can start from it and do some work in Keystone?
03:40 <morganfainberg> davechen, i don't think we have hard-coded is_admin (don't look at v2, we can't change that)
03:41 <morganfainberg> davechen, but you can absolutely do work to help along these lines. Lots of policy work to be done [centralizing policy] hopefully in Liberty
03:41 <morganfainberg> davechen, so 2 bits: in keystone - work on the policy centralization stuff, in other projects make "is admin" checks use RBAC where they hard-code a role
03:42 <davechen> yeah, policy centralization is good stuff.
03:43 <davechen> morganfainberg, thanks for the answer. :)
03:43 <morganfainberg> davechen, happy to help
03:54 *** raildo has quit IRC
03:54 *** timcline has quit IRC
03:54 *** raildo has joined #openstack-keystone
03:59 <stevemar> morganfainberg, some one wants to use federation as a reseller, and not use authZ
03:59 <stevemar> it's... different
03:59 <morganfainberg> wait what?
04:00 <morganfainberg> you've said a bunch of words... and independently they all make sense...but put them together like that and.. huh?
04:10 <ayoung> davechen, read up on the dynamic policy specs
04:10 <ayoung> stevemar, Federation is explicitly about authZ
04:11 <stevemar> ayoung, i dunno, sounds weird
04:12 <ayoung> stevemar, well, federation is actually explicitly about authentication
04:12 <ayoung> authZ builds on AuthN
04:20 *** adam_g has quit IRC
04:20 *** _cjones_ has joined #openstack-keystone
04:22 *** _cjones_ has quit IRC
04:23 <openstackgerrit> ayoung proposed openstack/keystone: Stop debug logging of Ldap while running unit tests  https://review.openstack.org/160872
04:28 *** adam_g has joined #openstack-keystone
04:29 *** markvoelker has joined #openstack-keystone
04:30 *** breton_ has joined #openstack-keystone
04:30 <davechen> ayoung, lots of specs there, found them.
04:30 <stevemar> ayoung, that wasn't why henry's tests were failing :(
04:30 *** breton has quit IRC
04:30 *** jamiec has quit IRC
04:31 <ayoung> davechen, that is how to get to your read only admin: hierarchical roles
04:31 <ayoung> stevemar, nah, I just wanted to get that one out of the way and merged
04:31 *** mgagne has quit IRC
04:31 <ayoung> it was unrelated to the others, had sufficient +2s and gerrit was kind enough to leave them on there after the rebase
04:31 *** jamiec has joined #openstack-keystone
04:32 <stevemar> ayoung, yah, i suppose
04:32 <ayoung> it looks like his test is failing cuz some uuid is changed from the cached value in the test fixture
04:32 <ayoung> he'll figure it out
04:32 <davechen> ayoung, all of these specs are targeted for 'L'?
04:32 <stevemar> aye
04:32 <ayoung> davechen, heh.  as much as we can get done.
04:32 <ayoung> right now they are backlog
04:32 <ayoung> we'll knock em on down.
04:33 <ayoung> davechen, however, the readonly one can be done with just the "unified spec file"  I think
04:33 <stevemar> hey morganfainberg what's the milestone for ffe blueprints?
04:34 <morganfainberg> stevemar, RC?
04:34 <davechen> ayoung, maybe I can do something as well.
04:34 <stevemar> morganfainberg, i guess it's not available yet
04:34 <morganfainberg> stevemar, no it's not
04:34 <davechen> ayoung, reading it... and thanks for the information.
04:34 *** markvoelker has quit IRC
04:39 *** richm has quit IRC
04:45 *** mgagne has joined #openstack-keystone
04:45 *** mgagne is now known as Guest75711
04:46 *** openstackgerrit has quit IRC
04:50 *** _cjones_ has joined #openstack-keystone
04:52 *** openstackgerrit has joined #openstack-keystone
04:54 *** _cjones_ has quit IRC
05:00 *** comstud has quit IRC
05:05 *** henrynash has joined #openstack-keystone
05:05 *** ChanServ sets mode: +v henrynash
05:31 *** markvoelker has joined #openstack-keystone
05:32 *** jamielennox is now known as jamielennox|away
05:35 *** openstack has joined #openstack-keystone
05:36 *** markvoelker has quit IRC
05:37 *** henrynash has quit IRC
05:37 *** henrynash has joined #openstack-keystone
05:37 *** ChanServ sets mode: +v henrynash
05:45 *** ChristyF has joined #openstack-keystone
05:48 *** CF_ has quit IRC
05:54 *** ChristyF has quit IRC
05:55 <stevemar> jamielennox|away, i guess you don't need get_auth_ref here: https://review.openstack.org/#/c/161096/1/openstackclient/api/auth.py
05:55 <stevemar> since there isn't really an auth ref...
05:55 <stevemar> just a token and endpoint
06:04 <openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/161104
06:08 *** jacorob has quit IRC
06:08 *** lbragstad has quit IRC
06:09 *** jacorob has joined #openstack-keystone
06:10 *** lhcheng has quit IRC
06:10 *** lbragstad has joined #openstack-keystone
06:11 <openstackgerrit> henry-nash proposed openstack/keystone: Add support for whitelisting and partial domain configs  https://review.openstack.org/158679
06:11 <stevemar> henrynash, \o/ managed to get all the comments i hope
06:12 <henrynash> stevemar: yep, Brant & I are going for the record number of suggestions per lines of code :-)
06:13 <stevemar> he is certainly getting there
06:14 <stevemar> henrynash, also one of your tests was failing, is that fixed up?
06:15 <henrynash> stevemar: that's in the next patch...(consequence of changes in that last one)...just fixing it now....
06:17 <stevemar> henrynash, cool cool, let me know when it's all ready to go, my laziness is paying off in the form of a timely review
06:17 <henrynash> stevemar: :-) ready in 5 mins
06:19 *** lbragstad has quit IRC
06:21 *** jacorob has quit IRC
06:22 *** jacorob has joined #openstack-keystone
06:22 *** lbragstad has joined #openstack-keystone
06:23 *** Akshik has joined #openstack-keystone
06:24 <openstackgerrit> henry-nash proposed openstack/keystone: Add API support for domain config  https://review.openstack.org/158752
06:24 <henrynash> stevemar: done
06:24 <henrynash> stevemar: sorry, it was 7 mins, I lied
06:25 <openstackgerrit> henry-nash proposed openstack/keystone: Stop debug logging of Ldap while running unit tests  https://review.openstack.org/160872
06:26 <openstackgerrit> henry-nash proposed openstack/keystone: Enable use of database domain config  https://review.openstack.org/159675
06:26 <openstackgerrit> henry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs  https://review.openstack.org/159928
06:27 <openstackgerrit> henry-nash proposed openstack/keystone: Mark the domain config API as experimental  https://review.openstack.org/160032
06:32 *** markvoelker has joined #openstack-keystone
06:38 *** markvoelker has quit IRC
06:53 *** jogo has quit IRC
06:54 <Akshik> looping issue when trying to integrate openstack keystone icehouse with testshib, using ubuntu 12.04, any help
06:57 <openstackgerrit> henry-nash proposed openstack/keystone: Support upload domain config files to database  https://review.openstack.org/160364
06:59 <openstackgerrit> henry-nash proposed openstack/keystone: Support upload domain config files to database  https://review.openstack.org/160364
07:01 <openstackgerrit> henry-nash proposed openstack/keystone: Support upload domain config files to database  https://review.openstack.org/160364
07:08 *** lbragstad has quit IRC
07:10 *** jacorob has quit IRC
07:21 *** lhcheng has joined #openstack-keystone
07:24 <stevemar> henrynash, i think DomainConfigNotFound should probably be renamed at this point
07:30 <stevemar> or, meh... i guess not
07:33 *** david-lyle_afk has joined #openstack-keystone
07:34 *** pnavarro has joined #openstack-keystone
07:34 *** markvoelker has joined #openstack-keystone
07:39 *** markvoelker has quit IRC
07:48 *** afazekas has quit IRC
07:49 *** lhcheng_ has joined #openstack-keystone
07:49 *** openstackgerrit has quit IRC
07:49 *** openstackgerrit has joined #openstack-keystone
07:52 *** lhcheng has quit IRC
08:07 *** ncoghlan has quit IRC
08:18 *** pnavarro has quit IRC
08:20 *** chlong has quit IRC
08:30 -openstackstatus- NOTICE: Zuul check queue stuck due to reboot maintenance window at one of our cloud providers - no need to recheck changes at the moment, they won't move forward.
08:30 *** ChanServ changes topic to "Zuul check queue stuck due to reboot maintenance window at one of our cloud providers - no need to recheck changes at the moment, they won't move forward."
08:31 *** henrynash has quit IRC
08:31 *** oguz has joined #openstack-keystone
08:32 *** henrynash has joined #openstack-keystone
08:32 *** ChanServ sets mode: +v henrynash
08:33 *** ogzy has quit IRC
08:33 *** pnavarro has joined #openstack-keystone
08:35 *** markvoelker has joined #openstack-keystone
08:39 *** markvoelker has quit IRC
08:42 *** _afezekas|pub has joined #openstack-keystone
08:42 *** karimb has joined #openstack-keystone
08:48 <stevemar> marekd, i already fixed up https://review.openstack.org/#/c/159865/6/keystone/tests/unit/test_v3_federation.py
stevemarhttps://review.openstack.org/#/c/160584/08:48
marekdstevemar: yeah, just saw it08:49
marekdstevemar: thanks.08:49
stevemarmarekd, np! :)08:49
marekdstevemar: you know, us, mortals sometimes sleep, esp at 3 or 4am :-)08:50
stevemarmarekd, anything less than immortality is a waste of time08:50
stevemar:D08:50
*** jistr has joined #openstack-keystone08:50
marekdstevemar: heh08:51
marekdstevemar: glad to see lots of patches merged.08:51
stevemarmarekd, oh yeah a ton08:52
marekd++08:53
*** jaosorior has joined #openstack-keystone09:01
openstackgerritMarcos Fermín Lobo proposed openstack/python-keystoneclient: Attributes required using token for auth  https://review.openstack.org/11522809:02
henrynashstevemar: back…you were thinking about the name of DomainConfigNotFound?09:02
*** oguz_ has joined #openstack-keystone09:03
*** oguz has quit IRC09:06
stevemarhenrynash, yeah, no big deal09:06
stevemarhenrynash, i'll take another whack at this stuff in a few hours09:06
stevemarmarekd, time to be human again09:06
marekdstevemar: https://review.openstack.org/142573 - thanks for +2. I would like to enhance the way substitutions are done, but i think it's not very easy to do.09:06
marekdstevemar: that's why i don't want to do it now.09:07
stevemarmarekd, agreed09:07
stevemari was just thinking that09:07
stevemarthat whole thing should be cleaned up a bit09:07
*** openstack has joined #openstack-keystone15:27
*** samueldmq_ has joined #openstack-keystone15:31
ayoungbknudson, let me see what the code says.  I have not yet been able to make it work15:31
bknudsonwe could probably use more logging.15:31
*** jorge_munoz has joined #openstack-keystone15:37
ayoungrichm, looks like the issue is specifically with Nova15:38
ayoungrichm, the other services seem to do the right thing:15:38
ayoungBut somehow Nova is hard-coded to use V2  for auth15:38
*** vhoward has joined #openstack-keystone15:40
richmayoung: ok - do we need to close that bug and open a bug against nova?15:44
ayoungnah,  just added Nova to the bug15:44
richmayoung: ok - thanks15:44
ayoungrichm, all nice and pretty now15:45
*** samueldmq_ has quit IRC15:49
morganfainbergayoung: bknudson what is this about v2 tokens that are from v3 but missing domain info?15:54
ayoungmorganfainberg, nah15:54
ayoungmorganfainberg, it was ATM from Nova using V2 API to validate15:54
*** henrynash has joined #openstack-keystone15:54
*** ChanServ sets mode: +v henrynash15:54
ayoungso a V3 token would never be valid15:54
ayoungmorganfainberg, we could hack a fix into Keystone, but its a config change in Nova15:54
bknudsondoes nova override atm options?15:55
ayoungNova seems to have the V2.0  default hard coded in somehow15:55
morganfainbergA v3 token not in the default domain should be invalid against v2. Def a nova issue there.15:55
ayoungbknudson, I don't see how it could, but maybe15:55
ayoungmorganfainberg, so the question is what if we backed off the rule "A v3 token not in the default domain should be invalid against v2"15:55
morganfainbergOr a bug in atm.15:55
bknudsonhttp://git.openstack.org/cgit/openstack/nova/tree/etc/nova/api-paste.ini#n126 ?15:55
ayoungand I think the answer is it would not break anything today15:55
*** jacorob has joined #openstack-keystone15:56
morganfainbergayoung: it could break keystone.15:56
ayoungcuz other services do not know about Domains15:56
*** lbragstad has joined #openstack-keystone15:56
ayoungbut...the right thing is to fix in Nova15:56
bknudsonbtw - we had a similar issue in our chef cookbooks.15:56
morganfainbergayoung: the token would be valid in potentially bad ways when used against keystone. So backing off that rule is bad.15:56
bknudsonso seems to be a common issue with these tools -- can't keep up with our changes.15:56
ayoungmorganfainberg, the nova conf file shows the default being V2.  If I make it blank, discovery works right15:57
morganfainbergayoung: nova defaulting to v2 is def an issue :(15:57
bknudsonnova's default config file isn't in git anymore...15:57
ayoungI wonder if Nova is using the Keystone Client version still, and has an out of date middleware15:57
morganfainbergNo they aren't afaik.15:58
morganfainbergAt least Juno and later15:58
bknudsonayoung: I found an issue like that in our cookbooks... heat was still using keystoneclient middleware.15:58
bknudsonagain, similar issue with deployer tools not keeping up with our changes.15:58
bknudsonand of course whenever the deployment fails the first place they go is keystone... they don't check the cookbooks first.15:59
morganfainbergIf we split up ksc to "client" and "common" we could just get everyone to inherit the new ksm by having ksc import ksm16:00
bknudsonhere's the default nova config: http://docs.openstack.org/trunk/config-reference/content/list-of-compute-config-options.html16:00
bknudsonmorganfainberg: it's probably a little confusing to have APIs in ksc that we don't really expect applications to use (cms functions)16:01
morganfainbergbknudson: ++16:02
morganfainbergif we did the split now (in the next week) we might be able to get it accepted by kilo release.16:03
*** Bsony has quit IRC16:03
morganfainbergBut it's a chunk of work to do.16:03
morganfainbergWe may want to do it for liberty though for sure.16:03
*** david-lyle has joined #openstack-keystone16:08
ayoung[filter:authtoken]16:11
ayoungpaste.filter_factory = keystonemiddleware.auth_token:filter_factory16:11
ayoungso, not that.  Not sure how it is defaulting the value.  Maybe in an internal config16:11
*** david-lyle has quit IRC16:15
ayoungauth_version = None (StrOpt) API version of the admin Identity API endpoint.16:17
ayoung is not what my conf file was showing16:17
*** darrenc has quit IRC16:25
openstackgerritMerged openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/16110416:28
rodrigodsdstanek, hi... any extra concerns in https://review.openstack.org/#/c/142573/16 ?16:28
dstanekrodrigods: no16:30
*** david-lyle has joined #openstack-keystone16:30
rodrigodsdstanek, great. Thanks16:31
*** darrenc has joined #openstack-keystone16:38
morganfainberglbragstad: ping re the v2 fernet stuff. This is something we need to get in the gate today if possible.16:41
*** rwsu-afk is now known as rwsu16:42
morganfainberglbragstad: and verifying this works with federated tokens / format for it.16:42
lbragstadmorganfainberg: agreed, jorge_munoz is working to get something up soon16:42
lbragstadmorganfainberg: I'm working on the federated side16:42
*** tqtran has joined #openstack-keystone16:43
morganfainberglbragstad: ok. I'd rather avoid a ffe for adding in these last two bits if we can avoid it - save those for things like domain SQL.16:44
*** thedodd has joined #openstack-keystone16:46
morganfainberglbragstad: also remember it'll likely take 6+ hours to pass check at the moment.16:46
morganfainbergjorge_munoz: ^16:47
*** _cjones_ has joined #openstack-keystone16:47
jorge_munozok16:49
jorge_munozI’ll try to push in a patch by today.16:50
*** henrynash has quit IRC16:57
*** atiwari has quit IRC17:03
openstackgerritMatthieu Huin proposed openstack/keystone: add oauth and federation authentication to config file  https://review.openstack.org/16131717:07
*** lhcheng has joined #openstack-keystone17:08
*** henrynash has joined #openstack-keystone17:08
*** ChanServ sets mode: +v henrynash17:08
*** jistr has quit IRC17:13
-openstackstatus- NOTICE: Issue solved, gate slowly digesting accumulated changes17:15
fmarco76hi morgan, is this patch as you indicated yesterday in the chat? https://review.openstack.org/#/c/159803/17:17
*** nellysmitt has quit IRC17:18
*** esp has left #openstack-keystone17:24
*** esp has joined #openstack-keystone17:26
*** fmarco76 has quit IRC17:29
*** edmondsw has quit IRC17:30
morganfainbergI stand corrected. Fpf is tomorrow not kilo3 wow brain is broken by schedules of meetings.17:30
morganfainbergWe have a couple more weeks before k3. :( sorry for rushing you guys.17:31
stevemarlooks like a nice juicy bug with generating saml assertions17:31
stevemarmorganfainberg, lol17:31
stevemarthat is amazing17:32
samueldmqmorganfainberg, yeah more time o/17:32
morganfainbergYes.17:32
stevemarmorganfainberg, i have half a mind to think you planned this!17:32
morganfainberg>.>17:32
morganfainbergI wish I could have been that aware of the schedule to plan it.17:32
morganfainbergOn the plus side all the code will be reviewable by tomorrow and hopefully through gate long before k3.17:33
morganfainbergYes this means things can be re targeted to k3 as long as they are fully ready to review.17:34
morganfainberg(Hey it's better to think the k3 milestone is early rather than late)17:34
morganfainbergRight?!17:34
dolphmmorganfainberg: right!17:35
openstackgerrithenry-nash proposed openstack/keystone: Add support for whitelisting and partial domain configs  https://review.openstack.org/15867917:36
samueldmqmorganfainberg, haha yep :p and then we get happy when we realize it's later17:36
morganfainberg:P17:36
morganfainbergIt still doesn't make me happy to have everything crammed into k3.17:37
morganfainbergLike it is.17:37
openstackgerrithenry-nash proposed openstack/keystone: Add API support for domain config  https://review.openstack.org/15875217:37
openstackgerrithenry-nash proposed openstack/keystone: Stop debug logging of Ldap while running unit tests  https://review.openstack.org/16087217:38
henrynashbknudson: all latest comments fixed up in https://review.openstack.org/15867917:39
*** fmarco76 has joined #openstack-keystone17:40
openstackgerrithenry-nash proposed openstack/keystone: Enable use of database domain config  https://review.openstack.org/15967517:40
openstackgerrithenry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs  https://review.openstack.org/15992817:43
*** spandhe has joined #openstack-keystone17:44
openstackgerrithenry-nash proposed openstack/keystone: Mark the domain config API as experimental  https://review.openstack.org/16003217:44
*** afazekas has quit IRC17:44
openstackgerrithenry-nash proposed openstack/keystone: Support upload domain config files to database  https://review.openstack.org/16036417:44
*** browne has quit IRC17:45
*** gyee has joined #openstack-keystone17:47
*** ChanServ sets mode: +v gyee17:47
*** fmarco76 has left #openstack-keystone17:48
*** zzzeek has joined #openstack-keystone17:51
*** afazekas has joined #openstack-keystone17:57
openstackgerrithenry-nash proposed openstack/keystone: Add support for whitelisting and partial domain configs  https://review.openstack.org/15867918:00
openstackgerrithenry-nash proposed openstack/keystone: Add API support for domain config  https://review.openstack.org/15875218:02
openstackgerrithenry-nash proposed openstack/keystone: Stop debug logging of Ldap while running unit tests  https://review.openstack.org/16087218:03
openstackgerrithenry-nash proposed openstack/keystone: Enable use of database domain config  https://review.openstack.org/15967518:03
*** karimb has quit IRC18:04
openstackgerrithenry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs  https://review.openstack.org/15992818:04
openstackgerrithenry-nash proposed openstack/keystone: Mark the domain config API as experimental  https://review.openstack.org/16003218:04
openstackgerrithenry-nash proposed openstack/keystone: Support upload domain config files to database  https://review.openstack.org/16036418:05
henrynashstevemar, ayoung, bknudson, gyee: hoping we can get https://review.openstack.org/#/c/158679/ in today (the check queue gods willing)18:08
*** aslaen has left #openstack-keystone18:09
gyeeyes sir18:10
henrynashgyee: thx18:16
*** browne has joined #openstack-keystone18:17
*** harlowja_away is now known as harlowja_18:19
raildohey, everyone. I'm writing the script that will drop the domain table. when I run the tests I get 'DatabaseAlreadyControlledError'. does anyone know what this mean?18:27
raildohaven't found anything useful on google18:28
*** afazekas has quit IRC18:31
morganfainbergraildo: it means the script is trying to initialize the db when it's already been initialized. Migrate starts by controlling the db, then running the scripts. You can't do that first part more than once.18:36
raildomorganfainberg: so, how can I be calling this initialization? it is happening on the tearDown.18:38
morganfainbergNot sure. It might be the connector you're using. I'd need to look at the code.18:39
*** david-lyle has quit IRC18:42
*** david-lyle has joined #openstack-keystone18:42
*** haneef_ has joined #openstack-keystone18:42
openstackgerritLance Bragstad proposed openstack/keystone: Convert audit_ids to bytes before msgpacking  https://review.openstack.org/16099318:44
*** haneef_ has quit IRC18:45
*** gyee has quit IRC18:49
morganfainbergHmm18:50
*** samueldmq_ has joined #openstack-keystone18:54
ayounghenrynash, where is the test for "not enabled"  that we discussed?18:59
openstackgerritDavid J Hu proposed openstack/keystone: Version independent token issuance pipeline  https://review.openstack.org/15062918:59
*** haneef_ has joined #openstack-keystone19:03
*** stevemar has quit IRC19:07
*** stevemar has joined #openstack-keystone19:08
*** ChanServ sets mode: +v stevemar19:08
openstackgerritMatthieu Huin proposed openstack/keystone: add oauth and federation authentication to config file  https://review.openstack.org/16131719:14
openstackgerritMatthieu Huin proposed openstack/keystone: add oauth and federation authentication to config file  https://review.openstack.org/16131719:15
*** ChanServ changes topic to "Release Blockers: https://gist.github.com/dolph/651c6a1748f69637abd0 << please review for client release on Feb 1st | http://opensax.com/ | Reviews Guarantee Citizenship </starship troopers>"19:16
*** iamjarvo has joined #openstack-keystone19:16
iamjarvohi all, i am using openstack-horizon and looking at the logs. i should be able to copy the curl command in the log and do a request right? when i copy the command i get an unauthorized error19:17
iamjarvothis is what i see in the logs http://pastie.org/private/o4rgelaygpgkpphajhi9w19:19
*** gyee has joined #openstack-keystone19:19
*** ChanServ sets mode: +v gyee19:19
morganfainbergwow19:20
morganfainbergthat is an old channel topic19:20
iamjarvomorganfainberg what im asking is old?19:20
*** ChanServ changes topic to "High Priority Reviews: https://gist.github.com/dolph/651c6a1748f69637abd0 | Reviews Guarantee Citizenship </starship troopers>"19:20
morganfainbergiamjarvo, no what chanserv set the topic to19:20
iamjarvoahh i see19:20
morganfainbergiamjarvo, i just fixed it. this was related to zuul getting bound up on check queue19:21
iamjarvoo ok19:21
morganfainbergso now your question19:21
morganfainberglet me look19:21
iamjarvoseems like access_token_id and trust_id should not be none19:21
morganfainbergah ok so the curl command wont work perfectly19:21
morganfainbergbecause we scrub out sensitive data [ such as the token id]19:22
iamjarvoo ok19:22
iamjarvoso i would need to obtain those values myself and add them in19:22
morganfainbergyeah19:23
morganfainbergit's because a token conveys authorization19:23
morganfainbergso if someone looked at the logs, they now could [in theory] use a token from the logs19:23
*** Bsony has joined #openstack-keystone19:24
morganfainbergand perform actions on the cloud19:24
*** aix has quit IRC19:24
iamjarvounderstood19:25
morganfainberglogs shouldn't contain the bearer token/authz for a given user - they may contain other information the public shouldn't see, but support staff shouldn't be able to act on a customer's behalf just by extracting a small bit of data out of logs.19:25
lbragstaddstanek: have a quick minute for a unit test inheritance question? I'm wondering if there is a way for me to use the existing federation tests in test_v3_federation.py in test_v3_auth.py. I have my federated fernet token class set to inherit from the federation tests, but it seems to try and run all federated tests with fernet even though I haven't created any yet19:25
iamjarvoso i am running into another problem and i am seeing similar none values. here is a log from keystone logs http://pastie.org/private/gchosiisnyutsbzeri8gyw19:25
dstaneklbragstad: sure19:26
iamjarvoand the error Recoverable error: Malformed request URL: URL's project_id 'None' doesn't match Context's project_id 'None' (HTTP 400) (Request-ID: req-4674f3cf-a147-4bdb-8195-be64be005879)19:27
dstaneklbragstad: the test runner runs all of a testcase's defined tests - if you inherit from a class you inherit all its methods too19:27
iamjarvoso i am trying to figure out what's the Context it is talking about19:27
lbragstaddstanek: cool, but what if you want the federated tests to run with a setup method done before that?19:27
dstaneklbragstad: this is why  we defined shared tests in a class that inherits from 'object' - the test running won't pick  them up and then we use that as a mixin in other classes19:28
dstaneklbragstad: if there is no shared setup you may want to do the mixin approach19:29
lbragstaddstanek: here is a small diff of what I have http://cdn.pasteraw.com/jindb5h7na60070cstlx172fs5o1c6o19:29
lbragstaddstanek:  I have a mix in for setting up the key repo19:29
morganfainbergiamjarvo, in nova?19:29
morganfainbergiamjarvo, because i've seen that error from nova when you try and use an unscoped token or a domain scoped token19:29
iamjarvomorganfainberg i was poking in nova but someone said it might be keystone related19:30
iamjarvoi poked in the horizon code and did see that the project_id value is empty in the nova client19:30
morganfainbergiamjarvo, that means somehow you have either an unscoped token or a domain scoped token19:31
morganfainbergif the token has no project_id, and no domain_id, it's unscoped19:31
morganfainbergbut i wasn't aware horizon could end up with unscoped/domain scoped tokens19:32
iamjarvomorganfainberg we are trying out the multidomain set up stuff19:32
morganfainberghm.19:33
morganfainbergit should still work... i think19:33
morganfainbergi mean... ayoung you've had multidomain + horizon work right?19:33
iamjarvoand i am signed in as the admin as all domains19:33
* morganfainberg hasn't seen anything to say it shouldn't work.19:33
* ayoung wakes up...what19:33
morganfainbergayoung, multi domain, and horizon19:34
ayoungLDAP ....19:34
ayoungno default domain, so list the domains and select the first19:34
ayoungnot a domain scoped token though19:34
iamjarvoso what would make the token now have a project_id, my assumption is its not getting passed in from the front end19:35
ayoungiamjarvo, code is in django-openstack-auth...you doing LDAP?19:35
iamjarvonope, just regular devstack setup for now19:35
iamjarvoim guessing users in a db somewhere19:36
ayounghttp://git.openstack.org/cgit/openstack/django_openstack_auth/tree/openstack_auth/backend.py#n10419:36
ayoungiamjarvo, devstack puts users in sql, they always have a default domain, and the domain should19:36
ayoungbe set on all tokens.19:36
ayoungand horizon will convert one scoped token to another19:36
dstaneklbragstad: so it's running tests that you don't want/need?19:36
lbragstaddstanek: it's not to say that I don't want those tests run, since they should work anyway, but I want to make sure the keyrepo is set up prior19:37
iamjarvoayoung but if the user is the controller of all domains which project_id does the user have?19:37
dstaneklbragstad: in my experience you should use mixes for tests and leave the setup to the test class19:37
ayoungiamjarvo, when they log in, they start with a token that is scoped to their default project19:38
ayoungHorizon does not handle domain scoped tokens yet19:38
iamjarvorunning this patch https://review.openstack.org/#/c/148082/19:40
lbragstaddstanek: this is a little better idea http://paste.openstack.org/show/188029/19:43
dstaneklbragstad: why are you calling config_overrides explicitly? isn't it getting called twice then?19:46
lbragstaddstanek: I was just playing with it trying to get different things to work19:46
openstackgerritSteve Martinelli proposed openstack/keystone: fix import order in federation controller  https://review.openstack.org/16137519:46
dstaneklbragstad: if your setup is in there it will be executed before the tests19:46
stevemarlbragstad, dstanek ^ easy one... not sure why it was passing pep8, probably hacking related19:46
lbragstadstevemar: lgtm19:47
*** r-daneel has joined #openstack-keystone19:47
dstanekstevemar: hacking doesn't actually check the groupings; just alphabetical in each group19:48
stevemarah19:48
*** Bsony has quit IRC19:48
stevemarbut, it knows the standard ones and the project related imports... shouldn't it therefore know that all others are 3rd party?19:48
stevemarand then check alpha from there19:49
stevemarjust shooting from the hip here19:49
dstanekstevemar: i don't think it actually knows about builtin vs project imports19:50
lbragstaddstanek: ok, so I modified to http://cdn.pasteraw.com/c4jaomvx110w229bdlq9h32ineii9ga19:51
stevemardstanek, shouldn't that be something to easily determine, meh... another day19:52
dstanekstevemar: it's not terrible19:52
*** mattamizer has joined #openstack-keystone19:53
*** mattamizer has quit IRC19:53
stevemardstanek, i have another question for ya19:53
stevemardstanek, this bug: https://bugs.launchpad.net/keystone/+bug/142825119:54
openstackLaunchpad bug 1428251 in Keystone "unable to generate saml assertion" [High,Confirmed]19:54
dstaneklbragstad: is that working for you19:54
dstanekstevemar: you think the rendering is incorrect?19:54
openstackgerritBrant Knudson proposed openstack/keystone: Fix sample policy to allow user to revoke or check own token  https://review.openstack.org/15591619:54
stevemardstanek, the saml assertion is generated correctly from the controller19:55
stevemarit's render_response() that gets messed up19:56
dstanekstevemar: what's wrong with it when it comes out?19:56
dstanekstevemar: what's in your apache log?19:56
*** EmilienM is now known as EmilienM|afk19:56
*** harlowja_ has quit IRC19:57
openstackgerritTelles Mota Vidal Nóbrega proposed openstack/keystone: Add domain_id checking in create_project  https://review.openstack.org/15994419:57
openstackgerritTelles Mota Vidal Nóbrega proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/15742719:57
openstackgerritTelles Mota Vidal Nóbrega proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376319:57
openstackgerritTelles Mota Vidal Nóbrega proposed openstack/keystone: Change project name constraint  https://review.openstack.org/15837219:57
openstackgerritTelles Mota Vidal Nóbrega proposed openstack/keystone: Creating domain and filtering by parent_id  https://review.openstack.org/16137819:57
stevemardstanek, oops, forgot a critical log message19:57
stevemardstanek, added to the bug19:58
*** devlaps has joined #openstack-keystone19:58
stevemardstanek, i think maybe this line: https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/controllers.py#L341 it's sending in a string format that render_response doesn't like19:58
dstanekstevemar: headers have to be bytes19:59
dstanekstevemar: are you setting a header somewhere?19:59
stevemardstanek, there's also this guy as a reference: https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/controllers.py#L44919:59
stevemaryes, it's in the first link19:59
stevemarhttps://github.com/openstack/keystone/blob/master/keystone/contrib/federation/controllers.py#L343-L34519:59
stevemaror this one ^19:59
lbragstaddstanek: no, the unit tests still fail saying the key repo isn't setup19:59
dstaneklbragstad: can you push a quick patch to gerrit so i can pull down and experiment?20:00
lbragstadsure20:00
dstanekstevemar: i bet one or both of those URLs is a unicode object20:00
openstackgerritLance Bragstad proposed openstack/keystone: Add unscoped token formatter for Fernet tokens  https://review.openstack.org/16137920:00
openstackgerritLance Bragstad proposed openstack/keystone: Federated token formatter  https://review.openstack.org/16138020:00
dolphmanyone ever seen this? it's a fresh ubuntu 12.04 box http://cdn.pasteraw.com/29ycne6aef1hcdrivxyiifjtgpsh3pg20:00
stevemardstanek, blah20:01
*** harlowja has joined #openstack-keystone20:01
lbragstaddolphm: yeah, i've seen issues with that but I think you have to resolve by using a different python pip?20:01
dolphmugh20:01
lbragstaddstanek: ^20:01
lbragstaddolphm: did you try python-pip from apt?20:02
stevemaryep you are right dstanek20:02
dolphmlbragstad: it's too old20:02
dstanekdolphm: it looks like it's installing into your .local and i bet you don't have that bin in your path20:02
dolphmdstanek: why would it do that by default?20:02
stevemardstanek, best to just wrap with str() ?20:02
stevemaror will that be py3 unfriendly?20:03
dstanekdolphm: pep-370 (i think), but i don't know why that's the default20:03
dstanekerr..maybe 37120:03
dstanekdolphm: it's this bad boy https://www.python.org/dev/peps/pep-0370/20:04
lbragstadjorge_munoz: https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L25020:05
*** bknudson has left #openstack-keystone20:05
*** bknudson has joined #openstack-keystone20:05
*** ChanServ sets mode: +v bknudson20:05
dolphmdstanek: oh fun20:05
jorge_munozlbragstad: thanks20:06
dstanekmaybe ubuntu's python has that enabled by default :-(  it's easy to disable it though20:06
lbragstadjorge_munoz: np, i was wrong, it doesn't live in the provider20:06
dolphmdstanek: if i delete .local/ before running get-pip.py it installs somewhere else, but that sucks20:06
dolphm(somewhere else == /usr/local/bin/pip)20:06
openstackgerritSteve Martinelli proposed openstack/keystone: Change headers to be byte string friendly  https://review.openstack.org/16138320:07
stevemardstanek, ^20:07
stevemarthanks by the way20:07
*** _cjones_ has quit IRC20:08
dstanekstevemar: np20:10
lbragstaddolphm: I pushed a fernet refactor for adding an unscoped token formatter20:10
dolphmlbragstad: link?20:10
lbragstadhttps://review.openstack.org/#/c/161379/20:10
lbragstaddolphm: ^20:10
*** lhcheng is now known as lhcheng_afk20:11
dolphmlbragstad: did you consider the alternative -- just putting None into the "standard token format"20:11
lbragstaddolphm: that would work too20:12
dolphmlbragstad: well, i think they'd both work. i don't know which approach would be better :)20:13
lbragstadme either, but I wanted resolve that somehow before starting on the federated token formatter20:14
lbragstaddolphm: the old logic to determine if scope was included or not was not the best20:14
lbragstaddolphm: and I didn't want to drag that pattern to the federated formatter20:14
dolphmlbragstad: does one approach or the other impact federation?20:14
dolphmlbragstad: my thinking is that using None seems simpler in the short term, but two variants now might buy us something in the future? i just don't know what20:15
*** amerine has quit IRC20:15
morganfainbergdolphm, the cost of adding an additional formatter in the future is next to nil.20:16
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/16139020:16
lbragstaddolphm: the only thing I can think of is that if we set scope to none, we'll have to do a type check on verify20:16
morganfainbergso, i'd err on the side of keeping things as simple as possible.20:16
*** lhcheng_afk is now known as lhcheng20:16
morganfainbergbut if a new one is justified, sure.20:16
morganfainbergthe cost of removing the use of a formatter in the future is also next to nil.20:16
morganfainberg[we wont be able to actually remove the formatter, but we don't have to use it]20:17
dolphmi just noticed i still have a fork of keystone lite on my github account, everyone should enjoy the logo: https://github.com/dolph/keystone20:17
morganfainbergdolphm, i used to have one with the logo too!20:17
stevemarballoons!20:17
lbragstadI feel that logo predates me20:17
bknudsonwe should get shirts with that logo20:18
lbragstadthe benefit of using a dedicated unscoped formatter is that on create we recognize the token is unscoped and on validation of that token we don't determining if there is a scope or not.20:19
lbragstaddolphm: ^20:19
dolphmthis predates me: https://github.com/juvvadi/keystone/tree/master/keystone20:19
dolphmthere's a wadl file and an xsd dir20:19
dolphmbknudson: ++20:20
dolphmlbragstad: does that benefit still exist if we move the version into the payload?20:20
stevemarah simpler times20:21
dstaneklbragstad: did you push that review?20:21
dolphmthe original implementation of auth_token: https://github.com/juvvadi/keystone/blob/master/keystone/middleware/remoteauth.py20:21
lbragstadit should, we'd just be making the distinction between unscoped and scoped in the token_formatter?20:21
lbragstaddstanek: https://review.openstack.org/#/c/161380/120:22
dolphmlbragstad: well then let's do 3 variants20:22
dolphmlbragstad: 0 is unscoped, right?20:23
lbragstaddolphm: F00 is scoped, F01 is unscoped, and F02 is trust scoped20:23
lbragstadbut those can be changed20:23
dolphmlbragstad: i'd swap 00 and 01 for ocd reasons20:24
morganfainbergdolphm, ++20:24
lbragstaddolphm: ok20:24
morganfainberglbragstad, i'd -2000 that if i could unless they are swapped [for ocd reasons]20:24
morganfainberg>.>20:24
lbragstadmorganfainberg: I think the indexing should start at 120:25
*** _cjones_ has joined #openstack-keystone20:25
morganfainberglbragstad, don't make me hurt you :P20:25
bknudsonwe should use random numbers.20:25
lbragstadbknudson: ++20:25
bknudsonor letters... FUN20:25
bknudsonFFD20:25
bknudsonFSC20:25
lbragstadnew token format FFS20:26
lbragstad.. perfect20:26
morganfainbergbknudson, base64.b64_encode(uuid.uuid4().bytes)[:-2]20:26
morganfainbergoh god20:27
morganfainbergdolphm, i just saw your tweet about [::-2]20:27
morganfainbergor whatever20:28
morganfainberghah.20:28
*** dims has quit IRC20:29
*** dims has joined #openstack-keystone20:29
*** chlong has joined #openstack-keystone20:30
openstackgerritSteve Martinelli proposed openstack/oslo.policy: deprecate policy_dirs option  https://review.openstack.org/16140520:31
openstackgerritSteve Martinelli proposed openstack/oslo.policy: deprecate policy_dirs option  https://review.openstack.org/16040720:32
openstackgerritSteve Martinelli proposed openstack/oslo.policy: deprecate policy_dirs option  https://review.openstack.org/16040720:33
stevemarspammm20:33
morganfainbergstevemar, we should start using the deprecated_for_removal in keystone ;()20:36
morganfainberg;)20:36
stevemardeprecate all of keystone?20:36
morganfainbergstevemar, yes!20:36
stevemari'll be out of a job20:37
dolphmmorganfainberg: source- https://github.com/openstack/keystone/blob/master/keystone/tests/unit/token/test_fernet_provider.py#L207-L21220:38
dstanekstevemar: just tell uncle topol that you'll start working on the replacement20:38
morganfainbergdolphm, snicker20:38
morganfainbergyeah20:38
morganfainberg"hold my beer" ... really we got that into a commit? :P20:38
stevemardstanek, it's deprecated for *removal*, not for replacement :P20:38
openstackgerritLance Bragstad proposed openstack/keystone: Federated token formatter  https://review.openstack.org/16138020:40
openstackgerritLance Bragstad proposed openstack/keystone: Add unscoped token formatter for Fernet tokens  https://review.openstack.org/16137920:40
lbragstaddstanek: ^ I pushed a new version of that patch set20:40
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Mirror domain entries to project table  https://review.openstack.org/16140820:40
morganfainberglbragstad, so i have a nit...20:40
morganfainberglbragstad, make the magic strings defined in 1 place, not in 2. 'F00'20:40
bknudsonall tests that using mocking should say "hold my beer"20:41
morganfainberglbragstad, you define both in the formatter class and in core.py20:41
morganfainberglbragstad, as the global/const20:41
lbragstadbknudson: ++20:41
lbragstadmorganfainberg: fixing20:41
dolphmbknudson: +++20:43
*** elmiko has joined #openstack-keystone20:44
elmikolbragstad: mind if i bug you about a question with v3.Password object?20:45
lbragstadelmiko: go ahead, someone here should be able to help20:45
elmikoso, it looks like the v3.Password wants to have user_domain_name and project_domain_name supplied. will there be entries for those in the keystone_auth section of the config file for an admin user?20:46
*** samueldmq_ has quit IRC20:47
elmikomy issue is that in our project, sahara, we have always created keystone Client objects to work with. now i'm needing to create a Session object and looking at the examples i'm not sure how to properly handle those domains for the admin user.20:47
dolphmelmiko: good question...20:49
elmikolol20:49
elmikoi really don't want to hard code 'Default' for those values20:49
dolphmwhere are the service user credential options defined now?! auth_token got butchered into little pieces last week20:49
bknudsonelmiko: you should be able to use auth plugins... so it loads the config values from the config file.20:49
morganfainbergelmiko, so the keystone_auth (assuming this is the auth_token bit) section has a specific format that ksm will use, jamielennox|away has a blog on it... and we need to update the official docs20:49
bknudsonthere must be some docs somewhere...20:49
bknudsonI think devstack sets it up for auth_token.20:49
morganfainbergconsuming ksc for things *not* auth_token should not re-use the same options.20:50
morganfainbergauth_token options *may* change and break you.20:50
bknudsonelmiko: http://www.jamielennox.net/blog/2015/02/17/loading-authentication-plugins/20:50
dolphmbknudson: doesn't look like we support service users in non-default domains though?20:50
morganfainbergdolphm, we do.20:50
dolphmhttps://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/__init__.py#L1033-L104320:50
dolphmmorganfainberg: how?20:50
morganfainbergdolphm, sec.20:50
dolphmmorganfainberg: oh right above my link i think20:51
bknudsondolphm: right before that: https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/__init__.py#L102520:51
morganfainbergdolphm, yeah20:51
elmikobknudson: thanks20:51
morganfainbergelmiko, so if you're using keystone client for things not auth_token related, you should be defining your own options for it.20:51
elmikowe are using the keystonemiddleware auth stuff, i just didn't see anything about domains20:51
dolphmelmiko: so user_domain_name and project_domain_name would go into keystone_authtoken20:52
dolphm[keystone_authtoken]20:52
morganfainbergelmiko, ok but you're not doing what another project is doing, where they are consuming auth_token's options to talk to other services20:52
morganfainbergelmiko, you're just using those options to configure auth_token middleware20:52
morganfainbergcorrect?20:52
bknudsonhere's the devstack stuff: http://git.openstack.org/cgit/openstack-dev/devstack/tree/lib/keystone#n44120:52
elmikowell, we also create admin Client objects to perform some options, like trust delegation20:52
bknudsoniniset $conf_file $section auth_plugin password20:53
morganfainbergelmiko, don't re-use those options.20:53
elmikobut, i want to create barbicanclient Clients now. i think i need to use Session objects for that.20:53
bknudsonso if you have a new section for your client auth config you can point to the same plugin.20:53
morganfainbergelmiko, define your own. because if you re-use those options, what happens is someone deploys auth_token in a new way, or we choose a new format and you break your core code.20:53
bknudsonor the same plugin config options section20:53
dolphmmorganfainberg: can i file a bug against keystonemiddleware to turn jamie's post into docs and assign it to jamie?20:54
morganfainbergdolphm, please do .20:54
elmikoyea, i mean, i can't add to the keystone_authtoken section. i'm concerned people won't like it if i start creating variables under DEFAULT for admin_domain and admin_project_domain20:54
*** Bsony has joined #openstack-keystone20:55
bknudsonelmiko: you create a new section, just like keystone_authtoken is a section.20:55
morganfainbergelmiko, people can not like it all they want but relying on things being in the keystone_authtoken section is bad. we should probably socialize/fix all the projects to consume a separate file by default in devstack20:55
morganfainbergsince projects can consume multiple conf files.20:55
elmikofair20:55
elmikothanks for the guidance everybody =)20:56
morganfainberg:)20:56
bknudsonI think http://www.jamielennox.net/blog/2015/02/17/loading-authentication-plugins/ explains it pretty well.20:56
openstackgerritBen Nemec proposed openstack/oslo.policy: deprecate policy_dirs option  https://review.openstack.org/16040720:56
morganfainbergdolphm, i might do the doc work if jamie doesn't.. but assign it to him first.20:56
dolphmmorganfainberg: https://bugs.launchpad.net/keystonemiddleware/+bug/142831720:57
openstackLaunchpad bug 1428317 in keystonemiddleware "Turn auth_token plugin config blog post into docs" [High,Triaged] - Assigned to Jamie Lennox (jamielennox)20:57
morganfainbergdolphm, ++20:59
*** Bsony has quit IRC20:59
*** raildo is now known as raildo_away21:00
dolphmmorganfainberg: and relatedly, https://bugs.launchpad.net/keystone/+bug/142832121:00
openstackLaunchpad bug 1428321 in python-keystoneclient "Crosslink keystone documentation sites" [Wishlist,New]21:00
morganfainbergdolphm, yeah we need that.21:00
* morganfainberg glances at stevemar, the resident sphinx expert...21:00
morganfainberg[see what i did there?]21:00
stevemarmorganfainberg, whos it whats it21:01
stevemarohhh fancy21:02
stevemarmaybe i'll tackle that one21:02
stevemari have no idea how to do it21:02
henrynashayoung: the test is in https://review.openstack.org/#/c/159675/ - that’s the patch that actually causes the config to be used (and is controlled by a config switch)…see the test in test_backend.py21:02
ayounghenrynash, thanks21:02
bknudsonwe should be able to deprecate the auth options in auth_token (just use the plugin)21:06
stevemarthanks dstanek21:06
openstackgerritSteve Martinelli proposed openstack/keystone: Change headers to be byte string friendly  https://review.openstack.org/16138321:06
ayounghenrynash, so, on the .driver comment, the only reason to call the driver directly is if you need to skip overloaded behaviour in the manager's version of the function. You don't have that....21:06
henrynashayoung: yeah…got it…..just removing that....21:06
ayoungnone of Brant's changes seem like stop-ship, except for doc formatting...21:06
ayoungnothing else jumps out at me,21:06
ayoungping me when you've got his changes made, and I'll give the final copy a once over21:07
dolphmstevemar: i'd just expect hard links, nothing fancy. each sphinx repo is independent21:07
dolphmstevemar: absolute* links21:07
stevemardolphm, oh sure take away the fun21:07
stevemardolphm, you thinking a small blurb at the top?21:08
dolphmstevemar: i'd just expect magic, nothing fancy.21:08
dolphmstevemar: yeah, probably. before Getting Started on http://docs.openstack.org/developer/keystone/ for example?21:08
stevemardolphm, yeah, maybe a section entitled 'Related Projects' ?21:09
dolphmstevemar: could almost replace the sentence "Additional documentation on Keystone and other components of OpenStack can be found on the OpenStack wiki. "21:09
stevemarAssociated/Related Identity Projects21:09
stevemaryeah, kill the wiki with fire21:09
bknudsonpoint to jamielennox|away's blog.21:09
bknudsonand dolphm's twitter feed.21:10
dolphmstevemar: Additional Documentation? Additional Resources?21:10
dolphmbknudson: lol21:10
stevemarand the reference to the super old API link at the top21:10
stevemargah!21:10
stevemarbknudson, oh sure leave out my twitter feed21:10
bknudsonI need to get on twitter.21:11
dolphmstevemar: yeah, kill the API link too! (separate change?)21:12
bknudsonthere should be links to the developer docs on http://docs.openstack.org/developer/openstack-projects.html21:12
dolphmupdate*21:12
bknudsonnot sure where that page comes from21:12
dolphmbknudson: you mean from keystone?21:12
bknudsonlinks to keystonemiddleware at least21:13
*** Tahmina has joined #openstack-keystone21:13
bknudsonkeystoneclient is on http://docs.openstack.org/developer/language-bindings.html21:13
bknudsonbut I don't see any links to keystonemiddleware developer docs.21:13
bknudsonand now we've got extra keystoneclient libs... is there a link to them?21:14
openstackgerritLance Bragstad proposed openstack/keystone: Federated token formatter  https://review.openstack.org/16138021:15
openstackgerritLance Bragstad proposed openstack/keystone: Add unscoped token formatter for Fernet tokens  https://review.openstack.org/16137921:15
stevemarbknudson, i was showing that page to someone yesterday, noticed it didn't have OSC either21:15
stevemarbknudson, i made a change to that...21:15
lbragstaddstanek: pushed a new version of the federated fernet patch ^21:16
lbragstaddstanek: as well as the dependent patch,21:16
lbragstadin case you were doing anything to it21:16
stevemarbknudson, it's managed here: https://review.openstack.org/#/c/150907/21:16
stevemarerrr... you get the gist21:16
elmikoone more question about domains and the v3.Password, is 'Default' the proper default domain for users and projects, or is this highly installation dependent?21:16
bknudsonstevemar: yep... I'll put it on my list o' things to do.21:17
lbragstadstevemar: easy one for you if you want to look it over21:17
lbragstadhttps://review.openstack.org/#/c/160959/21:17
dstaneklbragstad: thx, i'll pull the latest21:17
lbragstaddstanek: anything sticking out that I'm doing wrong21:17
lbragstad?21:17
*** Tahmina has quit IRC21:20
openstackgerritSteve Martinelli proposed openstack/oslo.policy: deprecate policy_dirs option  https://review.openstack.org/16040721:21
*** Tahmina has joined #openstack-keystone21:21
stevemarlbragstad, dolphm beat me to it :(21:23
lbragstadstevemar: dolphm thanks!21:23
openstackgerrithenry-nash proposed openstack/keystone: Add support for whitelisting and partial domain configs  https://review.openstack.org/15867921:27
openstackgerrithenry-nash proposed openstack/keystone: Add API support for domain config  https://review.openstack.org/15875221:30
ayounghenrynash, looking21:30
henrynashayoung: thx21:31
openstackgerrithenry-nash proposed openstack/keystone: Stop debug logging of Ldap while running unit tests  https://review.openstack.org/16087221:31
openstackgerrithenry-nash proposed openstack/keystone: Enable use of database domain config  https://review.openstack.org/15967521:33
openstackgerrithenry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs  https://review.openstack.org/15992821:36
openstackgerrithenry-nash proposed openstack/keystone: Mark the domain config API as experimental  https://review.openstack.org/16003221:37
openstackgerritSteve Martinelli proposed openstack/oslo.policy: deprecate policy_dirs option  https://review.openstack.org/16040721:37
openstackgerrithenry-nash proposed openstack/keystone: Support upload domain config files to database  https://review.openstack.org/16036421:37
stevemari just created my first cross repo dependency!21:38
stevemarhow neat21:38
dolphmstevemar: you have an oddly low threshold for entertainment value21:38
stevemardolphm, maybe you just have an oddly high threshold for entertainment value21:39
dolphmstevemar: that's called "taste"21:39
stevemardolphm, excuse me, mr hoity toity21:39
*** samueldmq_ has joined #openstack-keystone21:41
bknudsonstevemar: tests won't run on the change until the other one is merged?21:42
dolphmbknudson: ??21:43
*** EmilienM|afk is now known as EmilienM21:43
bknudsondolphm: stevemar: tests won't run on https://review.openstack.org/#/c/160407/ until https://review.openstack.org/#/c/161353/ is merged?21:43
bknudsondolphm: note that stevemar is a canadian... they think curling is entertaining.21:44
*** zzzeek has quit IRC21:44
dolphmbknudson: oh fancy! they finally implemented Depends-On?21:45
bknudsonstevemar: now dolphm is excited.21:45
dolphmi've been asking for that for yyeaaaaarrrss21:46
*** zzzeek has joined #openstack-keystone21:46
*** topol has quit IRC21:47
stevemardolphm, that's what i was excited about!21:47
stevemarbknudson, i dunno what it does under the covers21:47
dolphmstevemar: i thought you meant linking documentation across repos!21:47
stevemardolphm, pfft no21:48
stevemarbknudson, but it seems that way21:48
dstaneklbragstad: not really, you have a chicken/egg problem. you are wanting to do stuff in setup before things are actually setup21:49
lbragstadhmmm21:50
stevemardolphm, can you take a look at https://review.openstack.org/#/c/161383/21:50
lbragstaddstanek: so, do I have to setup federation stuff from scratch?21:50
dstaneklbragstad: i would. it's easier to consolidate than it is to split things apart21:51
dstaneklbragstad: with setUp the order of the code about the super() call in setUp matters as well as the ordering of the testcase's parents21:51
lbragstaddstanek: interesting21:52
*** dhellmann has quit IRC21:52
*** leonchio_ has joined #openstack-keystone21:52
dstaneklbragstad: in a couple of places you were expecting config_fixture to be there, but it wasn't created because the parent setUp hadn't gotten that far21:52
*** leonchio_ has quit IRC21:52
*** Ephur_ has joined #openstack-keystone21:54
*** dhellmann has joined #openstack-keystone21:55
*** dhellmann has quit IRC21:56
*** Ephur has quit IRC21:57
*** dhellmann has joined #openstack-keystone21:57
*** harlowja has quit IRC21:58
*** stevemar2 has joined #openstack-keystone21:59
*** ChanServ sets mode: +v stevemar221:59
*** stevemar has quit IRC22:00
*** chlong has quit IRC22:12
*** iamjarvo has quit IRC22:13
*** jamielennox|away is now known as jamielennox22:14
openstackgerritMerged openstack/keystone: Cleanup docstrings in test_v3_federation.py  https://review.openstack.org/16095922:15
*** radez is now known as radez_g0n322:15
*** joesavak has quit IRC22:17
*** iamjarvo has joined #openstack-keystone22:23
*** iamjarvo has quit IRC22:23
*** iamjarvo has joined #openstack-keystone22:24
*** kfox1111 has joined #openstack-keystone22:27
kfox1111Trying to put keystone behind a haproxy with ssl termination.22:27
kfox1111some cases, it's switching https urls to http ones. any idea how to fix?22:27
*** harlowja has joined #openstack-keystone22:28
dstanekkfox1111: what version are you using?22:29
kfox1111juno.22:31
kfox1111this it maybe: https://review.openstack.org/#/c/132235/22:31
*** Tahmina has quit IRC22:32
*** Tahmina has joined #openstack-keystone22:33
morganfainbergdstanek, python MRO makes my head hurt sometimes... especially with multi-inheritance.22:36
morganfainbergdstanek, and even more so when we add in metaprogramming22:36
dstanekmorganfainberg: yeah, our tests suck :-P22:37
morganfainbergdstanek, if only someone was fixing that22:37
dstanekkfox1111: yes, i believe that's the fix22:38
*** mattfarina has quit IRC22:38
dstanekmorganfainberg: every time i get so far i hit a "oh crap" that has to be done first - feel overwhelmed every time i start it up again22:39
dolphmmorganfainberg: i assume you run into some failures using fernet tokens without v2 support?22:39
dolphmran*22:39
morganfainbergdolphm, some, but amazingly things kind of just worked overall22:39
morganfainbergin devstack that is22:40
morganfainbergdolphm, but the approach needs to be complete - because lots of people still rely on v2 :(22:40
dolphmmorganfainberg: did you configure auth_token to hit v3?22:40
bknudsonmorganfainberg: do you have a devstack patch?22:40
morganfainbergdolphm, no. out of the box.22:40
morganfainbergdolphm, ksm *mostly* just did the right thing22:40
bknudsonauth_token should default to none for the auth_version.22:40
morganfainbergbknudson, it did.22:40
dolphmso, v3?22:41
dolphmi thought we were still defaulting to v222:41
kfox1111dstanek: yeah, it seems to work. :)22:41
morganfainbergdolphm, no, i'm fairly certain jamielennox fixed that a while back if it's not specified22:41
kfox1111I'll mark it as backport potential.22:41
jamielennoxhmm?22:41
morganfainbergjamielennox, auth_token using v3 for service accounts.22:42
morganfainbergand validating tokens22:42
jamielennoxyea - but a couple of them have had to revert it22:42
jamielennoxassuming you mean service users with v322:42
dolphmlbragstad: keystone-deploy uses a domain-based role assignment to provide for 'admin' - so it gets 401'd when it hits auth_token with a fernet token22:42
dolphmlbragstad: so now i'm wondering if we need to support domain-scoped tokens.22:42
morganfainbergjamielennox, yes, not "in a different domain"22:42
morganfainbergjamielennox, just using v3 itself.22:42
jamielennoxvalidating with v3 (service user with v2 token) has been around for ages22:43
bknudsonfernet should fallback to uuid if it doesn't support the token format.22:43
morganfainbergjamielennox, not with fernet tokens. fernet cannot be used for v2 atm22:43
morganfainbergbknudson, so... storing data in the db?22:43
*** topol has joined #openstack-keystone22:44
morganfainbergbknudson, i'd rather have the v2 tokens work than fallback.22:44
bknudsonmorganfainberg: it's better than not working at all.22:44
*** ChanServ sets mode: +v topol22:44
morganfainbergbknudson, to be fair, the SPF was granted with the requirement that all current token formats were supported22:44
morganfainbergbknudson, s/formats/use-cases22:44
lbragstaddolphm: I think we test domain scoped tokens https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_v3_auth.py#L408322:44
jamielennoxmorganfainberg: why does auth_token care? or fernet care?22:44
morganfainbergjamielennox, just fernet doesn't support v2 tokens at all yet22:44
dolphmbknudson: that's an interesting approach though22:44
jamielennoxmy understanding was fernet would be more or less indistinguishable from uuid22:44
dolphmjamielennox: from the client perspective, yes22:45
jamielennoxdolphm: right22:45
dolphmjamielennox: exact same flow & behaviors22:45
morganfainbergjamielennox, it will be. server just can't do v2 tokens yet thats all22:45
jamielennoxso so long as the is_cms checks don't pick it up then auth_token doesn't care22:45
lbragstaddolphm: https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_v3_auth.py#L425222:45
jamielennoxmorganfainberg: yep - i don't know how you'll indicate that22:45
morganfainbergjamielennox, you don't you fix fernet ;)22:45
dolphmlbragstad: oh, i'm wrong. i'm actually getting *more* failures than i thought, so this is probably my fault22:46
jamielennoxactually sure i do, if you use fernet tokens you _must_ set auth_version = 3 in [keystone_authtoken]22:46
lbragstaddolphm: if it isn't, let me know.22:46
morganfainbergjamielennox, that isn't really viable. the token provider must support v2 tokens. it was a condition of the SPFE granted.22:46
jamielennoxmorganfainberg: i thought this was an 'experimental release22:47
jamielennox'22:47
jamielennoxauth_version = 3 seems reasonable for a prototype deployment22:47
dolphmlbragstad: will do22:47
morganfainbergjamielennox, it is. the SPFE requires it to support all token uses today. if it wasn't going to then it would have been pushed to liberty22:47
jamielennoxmorganfainberg: fair enough22:47
morganfainbergjamielennox, experimental means "we do everything we can to avoid changing things, but it could change with the right reasoning" aka "OMG THIS IS BROKEN" or an awful decision22:48
henrynashgyee, ayoung: if either of you are still about, perhaps you could see if you are still happy with: https://review.openstack.org/#/c/158679/22:48
morganfainbergbut experimental isn't meant to be "prototype, and not complete", especially if we grant a proposal freeze for it22:48
jamielennoxmorganfainberg: i'm sure the wording for fernet was way more hand wavy than that22:49
morganfainbergjamielennox, not when we granted the SPFE. "you will support all current use-cases for tokens" i think was the explicit condition for the exception22:49
jamielennoxmorganfainberg: ok22:49
morganfainbergjamielennox, so i expect the provider to support v2 tokens.22:50
morganfainbergwhen v2 is being deleted from the tree, in-tree providers can stop supporting that token version22:50
*** bknudson has quit IRC22:50
*** henrynash has quit IRC22:51
dolphmlbragstad: auth_token is getting 501's from keystone and returning 401's to the client22:51
lbragstaddolphm: are you calling something with v2.0?22:51
dolphmlbragstad: not that i'm aware of22:52
dolphmlbragstad: i have auth_token explicitly configured for v322:52
morganfainbergdolphm, to be fair, when i tested i used the current v2.0 patch.22:52
morganfainbergdolphm, in devstack (the one that needs to be updated/fixed)22:52
dolphmmorganfainberg: oh22:52
morganfainbergit mostly just worked.22:52
lbragstadfyi jorge_munoz should be sending up a patch soon22:52
lbragstadcc dolphm morganfainberg ^22:52
jorge_munozI would not use soon.22:53
morganfainbergi never bothered to fully test devstack against fernet w/o v2 support patch. it's not really in-scope since we claim v2.0 is still supported (much to our chagrin)22:53
*** timcline has quit IRC22:54
morganfainbergwhen we start making experimental jobs with gate running w/o v2 enabled... i think we will see how many gaps we still have.22:54
morganfainbergjorge_munoz, what timeframe is "not soon"?22:55
morganfainbergbecause if you use blizzard's "soon™" that could be years.22:55
*** browne has quit IRC22:55
morganfainberg*shiftyeyes*22:55
dolphmmorganfainberg: i'd like to have that job running ASAP22:57
morganfainbergdolphm, the fernet one or the v3-only one?22:57
dolphmmorganfainberg: v3-only22:57
morganfainbergdolphm, because i was going to co-opt the eventlet job for fernet to start, and then flip them liberty if we are happy w/ fernet22:57
*** browne has joined #openstack-keystone22:58
morganfainbergsure. i'll see about making devstack able to do that.22:58
dolphmmorganfainberg: i'd rather have v3-only than a fernet job, frankly22:58
morganfainbergthen we can do experimental.22:58
morganfainbergdolphm, we need both.22:58
dolphmthat's just my preference on priorities22:58
jorge_munozmorganfainberg: Well it depends, if this patch is meant more as a POC than the actual implementation then sometime tomorrow. If it's what we expect the final implementation with full test coverage then it will require more time.22:58
dolphmif i had to choose one22:59
morganfainbergdolphm, the v3-only is actually lower on my priorities22:59
morganfainbergdolphm, only because i know it's massively broken. before liberty, yes, before testing fernet, no22:59
morganfainbergjorge_munoz, so because i am trying to make sure everything is in line for kilo-3, what is a general estimation to get it working? i'm just trying to get a feel for "is it this week", is it next week? is it K3? is this happening in kilo at all?23:02
morganfainbergand i don't mean "POC"-not-really-ready.23:03
lbragstadmorganfainberg: I think the majority of it is the translation of v3 to v223:04
jorge_munozmorganfainberg: I think I can get something this week, but for sure next week.23:07
lbragstadjorge_munoz: would you be able to post something to at least get eyes on it?23:07
morganfainbergjorge_munoz, ok sounds good. if you're short on test coverage but have most of the code, feel free to post it WIP23:07
dolphmjorge_munoz: put whatever you have up at the end of today as a WIP so we can start talking about it23:08
*** gordc has quit IRC23:09
jorge_munozmorganfainberg: dolphm ok23:10
elmikohey folks, quick question about Session objects. want to make sure i understand this, if i create a Session based on a Password, that Session will be good for as long as i need to keep it around and it will only authenticate as needed?23:11
dolphmjamielennox: ^23:12
dolphmelmiko: yep!23:12
elmikodolphm: cool, thanks23:13
elmikoand jamielennox, your blog posts have been very insightful. thanks =)23:13
jamielennoxelmiko: glad they're useful23:13
elmikototally23:13
openstackgerritSam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate  https://review.openstack.org/15687023:14
*** david-lyle has quit IRC23:16
*** david-lyle has joined #openstack-keystone23:16
*** ljfisher has quit IRC23:21
dolphmcool ^23:22
*** david-lyle has quit IRC23:29
*** gokrokve has joined #openstack-keystone23:31
*** gokrokve has quit IRC23:32
*** henrynash has joined #openstack-keystone23:33
*** ChanServ sets mode: +v henrynash23:33
*** david-lyle has joined #openstack-keystone23:34
*** iamjarvo has quit IRC23:35
openstackgerritSteve Martinelli proposed openstack/keystone: Update developer docs landing page  https://review.openstack.org/16147523:35
*** stevemar2 is now known as stevemar23:38
*** chlong has joined #openstack-keystone23:42
*** chlong has quit IRC23:46
*** chlong has joined #openstack-keystone23:46
*** topol has quit IRC23:52
*** bknudson has joined #openstack-keystone23:52
*** ChanServ sets mode: +v bknudson23:52
*** EmilienM is now known as EmilienM|afk23:56
*** Tahmina has quit IRC23:58

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!