Friday, 2015-03-06

*** timcline has quit IRC00:01
*** iamjarvo has quit IRC00:02
*** ayoung has quit IRC00:04
*** Akshik has joined #openstack-keystone00:06
Akshikim getting  Target WSGI script '/var/www/cgi-bin/keystone/main' cannot be loaded as Python module. im using icehouse in centos00:08
Akshikpls. help00:08
*** markvoelker has quit IRC00:11
*** zzzeek has joined #openstack-keystone00:20
*** stevemar has quit IRC00:27
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Allow loading auth plugins via overrides
jamielennoxbknudson, gyee: a fix to loading plugins from swift ^00:32
jamielennoxAkshik: it would seem you have a file out of date somewhere, is this an old copy of the main file with a newer keystone?00:34
bknudsonif it's got functools you know it's good.00:35
*** rdo has quit IRC00:35
jamielennoxbknudson: that's what qualifies you as a pythonista00:36
mtreinishbknudson: heh, I think I've got a good counter example: and
mtreinishthat's the recommended interface for the subunit stuff00:39
bknudsonmtreinish: you can overdo the functools.partial.00:40
bknudsonmight consider using a kwargs = {} at some point.00:40
mtreinishbknudson: yeah I've been meaning to refactor it. It was just copy and pasted from the subunit lib's example for doing that00:40
*** jaosorior has quit IRC00:42
bknudson -- that's just identity function00:43
*** rdo has joined #openstack-keystone00:43
*** dims has quit IRC00:44
samueldmq_morganfainberg, No More Downward SQL Schema Migrations - you around?00:46
mtreinishbknudson: yeah it is. (more copy and paste) I was just using it as an example of something I wouldn't consider good that had functools :)00:47
morganfainbergsamueldmq_, hi00:51
samueldmq_morganfainberg, ok, so in few words ... the motivation is: upgrades sometimes mess up the database and create inconsistent states00:52
samueldmq_morganfainberg, trying to downgrade what is inconsistent would still make it worse, so let's restore to a 'safe point'00:53
morganfainbergsamueldmq_, more to the point, regardless of upgrade results, downgrades are rarely tested [never?] in real environments, and with a bunch of the data mangling that happens in upgrades, downgrades could do a bad job of "restoring" to a previous schema consistently00:54
morganfainbergsamueldmq_, also a number of downgrade paths are very hard to do without keeping extra data that would only ever be used in a downgrade case. in short - since no one really ever does downgrades outside of our tests, why are we supporting them? a downgrade in production would be done by restoring [or every deployer that i've ever talked to has communicated that to me]00:55
samueldmq_morganfainberg, yes, sure ... so one best practice would be to create a 'restore point' in the database before upgrading?00:55
morganfainbergsamueldmq_, correct00:55
samueldmq_morganfainberg, and it takes our time developing them :)00:56
morganfainbergsamueldmq_, and maintaining them00:56
samueldmq_morganfainberg, yes, and time from our team is expensive!!00:56
bknudsondstanek: any reason you didn't +W this?
morganfainbergsamueldmq_, from everyone's team it is expensive00:57
samueldmq_morganfainberg, our = openstack :)00:57
samueldmq_morganfainberg, great! I really support this idea, thanks for pointing this out00:58
samueldmq_morganfainberg, what is the operator meetup ?00:58
samueldmq_morganfainberg, something at the summit?00:58
samueldmq_morganfainberg, to take like a survey from operators?00:59
morganfainbergsamueldmq_, it's an event happening next week in Boston i think00:59
morganfainbergor new york00:59
morganfainbergor one of those east coast cities00:59
morganfainbergbknudson, so.. luckily you reviewed the previous patches for ... that still doesn't change my complete lack of understanding "what is this trying to fix"?01:00
morganfainbergthe bug i'd incomplete based on the information in it, the commit message communicates nothing about what is really wrong, and the code is doing something-ish that relates to it, but it's unclear *why* this is an issue.01:01
bknudsonmorganfainberg: ok, if the only change is the commit message then I'm still fine with it.01:01
morganfainbergbknudson, my question is... what is it fixing?01:01
morganfainbergbknudson, can you explain it to me? seriously, i am missing some context to know what is going on here01:01
samueldmq_morganfainberg, ack, thanks .. please consider my help on keystone side if you need when it starts happening01:02
bknudsonmorganfainberg: first, realize that a large commit was split up...01:02
morganfainbergbknudson, sure.01:02
bknudsonso there was a patch for just the backend.01:02
bknudsonunfortunately, the manager is complicated...01:02
bknudsonthe complication actually comes from the controller01:03
*** mikedillion has joined #openstack-keystone01:03
bknudsonwhich you have to imagine is going to be taking requests that might or might not have groups and options ... e.g., {domain}/config/{group}/{option} -> fn(domain, group=None,option=None)01:04
bknudsonso you could do -- PATCH domain1/config/group1/option101:04
bknudsonthat should actually be a 404 Not Found if there's no group1 or group1/option1 already01:04
morganfainbergso this is saying if it's not defined in the common.config options it should raise an exception?01:04
morganfainbergor is it more subtle than that01:05
bknudsonit's saying if you never created domain1/config/group1/option1 and try to update domain1/config/group1/option1 then you should get a 404 Not Found01:05
*** mikedillion has quit IRC01:05
morganfainbergbut only if you're doing an update01:05
morganfainberggot it01:05
bknudsonright, the only change is in update.01:06
*** mikedillion has joined #openstack-keystone01:06
bknudsonI think I complained about this in a previous commit and didn't -1 since there would be a follow-on patch...01:06
morganfainbergsure. this is one of those where without the context of the whole chain the bug, commit message, and code are really hard to go "aha that is X problem and fixing it by doing Y"01:07
morganfainberglike i said, i'd incomplete the bug even with the code without your explanation - but figured i'd ask since it appeared to be important in some way01:08
morganfainbergThis could have been about options in common.config, what you described where options needed to be defined before an update, could have been about some other config object that wasn't clear here.01:09
morganfainbergbknudson, thanks for the description i think i can review this now :P01:10
*** tqtran has quit IRC01:10
*** markvoelker has joined #openstack-keystone01:15
bknudsonreally the complication should have been cleaned up in the controller so that the manager could be simple.01:16
*** aix has joined #openstack-keystone01:16
morganfainbergthat probably would have been a bit more straight forward01:16
*** rwsu is now known as rwsu-afk01:17
openstackgerritMerged openstack/keystone: rename cls in get_auth_context to self
*** markvoelker has quit IRC01:20
*** zzzeek has quit IRC01:23
*** crinkle has quit IRC01:23
openstackgerritMerged openstack/keystone: Add parent_id to test_project_model
openstackgerritMerged openstack/keystone: Fixed skip msg in templated catalog test
openstackgerritMerged openstack/keystone: Fix nits from 157495
*** r-daneel has quit IRC01:31
openstackgerritBrant Knudson proposed openstack/python-keystoneclient: Add OS-SIMPLE-CERT support for v3.
*** crinkle has joined #openstack-keystone01:34
dstanekmorganfainberg: i didn't +w because i didn't see henry's vote01:38
morganfainbergbknudson, ^01:39
bknudsondstanek: oh, I wound up -1 that one.01:40
dstanekbknudson: yeah i saw :-)01:42
samueldmq_>>> import this01:45
samueldmq_it prints a text: The Zen of Python01:46
samueldmq_o/ didnt know this01:46
morganfainbergsamueldmq_, do >>> from __future__ import braces01:46
samueldmq_SyntaxError: not a chance01:47
samueldmq_morganfainberg, that's funny :p01:48
openstackgerritBrant Knudson proposed openstack/keystone: Update testing docs
dstanekrun 'import antigravity' on your local machine01:51
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Fixes bug in SQL/LDAP when honoring driver_hints
samueldmq_bknudson, ^01:54
samueldmq_dstanek, well, I'm afraid on running this01:54
dstaneksamueldmq_: haha, it won't hurt01:54
samueldmq_dstanek, at least not me .. ok, if I disconnect it was your fault :p01:55
morganfainbergthats fantastic01:56
*** richm has joined #openstack-keystone01:56
*** _cjones_ has quit IRC01:56
samueldmq_dstanek, ahaha ! thats amazing01:57
*** mikedillion has quit IRC02:02
*** erkules_ has joined #openstack-keystone02:07
*** stevemar has joined #openstack-keystone02:08
*** ChanServ sets mode: +v stevemar02:08
*** erkules has quit IRC02:10
openstackgerritSam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate
*** markvoelker has joined #openstack-keystone02:17
openstackgerritMerged openstack/keystone: Add checking for existing group/option to update domain config
*** markvoelker has quit IRC02:21
*** davechen has joined #openstack-keystone02:26
*** zzzeek has joined #openstack-keystone02:37
*** richm has quit IRC02:40
*** zzzeek_ has joined #openstack-keystone02:42
*** zzzeek has quit IRC02:42
*** zzzeek_ is now known as zzzeek02:42
*** zzzeek has quit IRC02:47
*** zzzeek has joined #openstack-keystone02:48
*** zzzeek has quit IRC02:48
openstackgerritDolph Mathews proposed openstack/keystone: Refactor: remove Fernet formatter's dep on trust_api / v3 token helper
openstackgerritDolph Mathews proposed openstack/keystone: Remove redundant creation timestamp from fernet tokens
openstackgerritDolph Mathews proposed openstack/keystone: Remove the expiration timestamp from Fernet tokens
stevemargyee, whats sam leong's irc handle?02:56
openstackgerritMerged openstack/keystone: Fixes minor whitespace issues
*** browne has quit IRC03:04
openstackgerritDolph Mathews proposed openstack/keystone: refactor: scoped tokens are always scoped
*** radez is now known as radez_g0n303:05
*** richm has joined #openstack-keystone03:14
*** markvoelker has joined #openstack-keystone03:18
*** ayoung has joined #openstack-keystone03:19
*** ChanServ sets mode: +v ayoung03:19
*** markvoelker has quit IRC03:22
*** richm has quit IRC03:22
*** spandhe has quit IRC03:37
*** samueldmq_ has quit IRC03:42
*** browne has joined #openstack-keystone03:42
*** david-lyle is now known as david-lyle_afk03:44
*** ayoung has quit IRC03:49
*** chrisshattuck has quit IRC03:49
openstackgerritSteve Martinelli proposed openstack/keystone: Spelling and grammar cleanup
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Allow loading auth plugins via overrides
*** harlowja is now known as harlowja_away03:57
gyeestevemar, chioleong I think04:05
stevemargyee, tell him to go online more :)04:09
gyeeyeah I know04:09
gyeehe left for the day I think04:10
gyeeis this about the tokenless patch?04:10
stevemargyee, you let people leave?04:10
*** telemonster has quit IRC04:10
gyeeheh, I am not a manager man04:10
*** telemonster has joined #openstack-keystone04:10
stevemargyee, sort of, just wanted to say thanks for putting up with my reviews :)04:10
gyeeno thank you! he loves your suggestions, especially the multistring opt04:11
gyeeI spoke to him about an hour ago04:11
gyeethank you!04:11
gyeeI can push a patch for him later tonight if I can't find him04:11
gyeeits dinner time for ppl at the left coast right now04:12
stevemarreviewing and -1's seem harsh, but it's all love04:12
gyeethat's why I told the ppl I am mentoring, embracing the -1s04:12
gyeeyou'll always learn something new from them04:12
gyeeSam came from a Java background so you may still see some Javaness in his code04:15
*** markvoelker has joined #openstack-keystone04:19
*** gyee has quit IRC04:23
*** markvoelker has quit IRC04:25
*** nonameentername has quit IRC04:27
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Allow loading auth plugins via overrides
jamielennoxif i want to bump the global keystonemiddleware requirement - do we think it's better to do that before kilo freeze or after?04:40
morganfainbergjamielennox, before.05:04
morganfainbergjamielennox, the earlier we bump that requirement the better05:05
jamielennoxmorganfainberg: ok - we missed the march release do we want to do that first?05:05
morganfainberggive distros more time to be aware of it05:05
morganfainbergjamielennox, uh was going to see about doing a release early next week if we had stuff to release05:05
morganfainbergonly cause i wont do a release on friday [i don't want to work over the weekend if i can avoid it]05:06
morganfainbergbasically wednesday is my cutoff for a ksc or ksm release05:06
jamielennoxmorganfainberg: is important - even though i just wrote it05:06
morganfainbergjamielennox, ayew05:07
jamielennoxi see no reason: shouldn't be in - but not urgent05:07
jamielennoxactually if we consider this the last release for kilo it might be05:07
morganfainbergi would make the DO NOT COPY THIS more pronounced05:07
morganfainbergpossibly a separate NOTE() that says UNDER NO CIRCUMSTANCES SHOULD YOU COPY THIS [this isn't a reason i'd reject the patch]05:08
jamielennoxthen this i haven't reviewed much - i don't know05:08
jamielennoxok - leave as a note and if i need to respin i will05:09
morganfainbergyeah .. the delay denial05:09
jamielennoxi thought caps was pretty good05:09
jamielennoxthe delay denial is fairly simple05:09
morganfainbergreally someone wants "i gave a bogus token, please let me through anyway"?05:09
* morganfainberg smh05:09
morganfainbergwait thats service token05:10
jamielennoxmorganfainberg: unfortunately we do that anyway05:10
jamielennoxhe just wants the same thing for service token05:11
morganfainbergthat last one yeah we need to get in, but that can go in post freeze05:12
morganfainbergwe don't *require* it for kilo, but it'll land before we cut the release that goes out w/ the named release05:13
morganfainbergjamielennox, i think your first one and the service-token one are the two i'd like to land... if not the service token one at least yours05:13
jamielennoxmorganfainberg: right - if it wasn't friday i'd be tempted to get that merged and release05:16
morganfainbergwell we can merge it... release wont happen till next week though05:16
jamielennoxmorganfainberg: well - it's 4:15 friday here, so prime release time05:16
*** ChristyF has quit IRC05:16
jamielennoxif you can bug people to review those two tomorrow then it'll be ready to go on monday05:16
morganfainbergyou know.. if you want to put your phone # on the commit and say "if this is broken call me, any time of the day/night and i'll fix it for you", then i think we can release it now :P05:17
jamielennoxmorganfainberg: i think that's RHEL05:17
morganfainberganyway... i need to go get food.05:18
morganfainbergit's late.05:18
morganfainbergjamielennox, oh.. we have a nasty icky thing that could be happening in ksm. i think i want to drop memorycache completely asap05:18
jamielennoxmorganfainberg: when i'm allowed to do a v2 we can drop many things05:19
morganfainbergbasically, you could cause significant bloat and slowdown on any service using ksm if lots of tokens are validated w/o memcache servers being setup05:19
morganfainbergok replace memorycache.05:19
morganfainbergis what i meant05:19
jamielennoxmorganfainberg: it goes to that fake cache in production?05:20
morganfainbergif you don't set memcache servers and you leave the default cache time, yep05:20
morganfainbergso.. the default behavior is "use bad fake cache"05:20
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Delay denial when service token is invalid
morganfainbergwe could use a backend like:
*** markvoelker has joined #openstack-keystone05:21
morganfainbergthat at least buckets up the deletions.05:21
morganfainbergthankfully only 300s of token validates, but that still could get icky. and per-process.05:22
morganfainbergsince it initializes a cache each process.  memorycache is just awful05:22
jamielennoxmorganfainberg: i'm happy to offload as much of that stuff as possible to other libraries05:22
morganfainbergi might roll up a "flip over to dogpile" w/ that driver i just linked patch tonight/tomorrow.05:23
morganfainbergif we can drop the only thing in oslo-incubator for ksm, i'd be super happy05:23
jamielennoxright - me too05:24
jamielennoxafaik we are the only people using memorycache as well - so it can die after that05:24
morganfainbergnope, some other projects are :(05:25
morganfainbergmakes me sad.05:25
jamielennoxergh - why05:25
jamielennoxit's fairly specific05:25
morganfainbergbecause it's there.05:25
*** markvoelker has quit IRC05:26
morganfainberganyway. it would be pretty easy to dump memorycache. i'll look into it05:26
*** lhcheng has quit IRC05:37
*** lhcheng has joined #openstack-keystone05:38
*** chrisshattuck has joined #openstack-keystone05:44
*** browne has quit IRC06:02
*** browne has joined #openstack-keystone06:02
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex
*** chrisshattuck has quit IRC06:04
*** chrisshattuck has joined #openstack-keystone06:10
davechenstevemar: hi,06:11
davechenstevemar: are you around?06:11
stevemardavechen, maaaaybe06:11
stevemardepends on the question :)06:11
davechenstevemar: haha,06:11
davechenstevemar: just want to confirm with you, do you have a patch intended to fix the DB ondelete issue?06:12
davechenstevemar: If no, I am trying to fix it recently.06:12
davechenstevemar: to follow your comment here,
*** Bsony has joined #openstack-keystone06:13
stevemardavechen, i do not have any patch intended to fix that06:15
stevemardavechen, i know henrynash had some questions about it06:16
davechenstevemar: I am thinking I lost you, get it I will try to do it and add you as the co-author if you don't object to it.06:16
davechenstevemar: yeah, it's indeed an issue.06:17
*** Bsony has quit IRC06:17
stevemardavechen, oh, don't worry about co-author, no need. but sure, post a patch and we'll review it06:20
stevemarlhcheng, you are a funny guy06:21
stevemar"good luck on fixing the gate"06:21
lhchengstevemar: :D06:21
*** markvoelker has joined #openstack-keystone06:22
lhchengstevemar: I just posted that, are you monitoring patches in real time and responding to IRC at the same time?06:22
stevemarlhcheng, i don't really have a method/system of reviewing06:23
davechenlhcheng, what's your first name? lin or hua cheng? I am curious about that :-)06:23
lhchengstevemar: how can you do that? especially at this time :)06:23
* stevemar shrugs at lhcheng 06:23
lhchengstevemar: lol both wrong06:24
lhchengwant to take another guess06:24
stevemarlhcheng, i'm mostly looking at bugs06:24
lhchengstevemar: lin hua06:24
davechenlhcheng: lin hua?06:25
davechenlhcheng, copy that.06:25
lhchengdavechen: yeah, but if I translate that to chinese. the chinese character for cheng should start first06:25
morganfainbergaha, was wondering why timestamp looked weird in IRC...06:26
morganfainberg24h clock > 12h06:26
openstackgerritDolph Mathews proposed openstack/keystone: Drop Fernet token prefixes & add domain-scoped Fernet tokens
lhchengdavechen: hello!06:26
davechenlhcheng, basically, the same with chen in English.06:26
lhchengdavechen: yeap06:27
davechenlhcheng: hi, there is a meeting up in next week06:27
*** markvoelker has quit IRC06:27
lhchengstevemar was probably assuming my name was in chinese format.06:27
lhchengdavechen: you going to the operators meetup?06:28
davechenlhcheng: in Minhang, Shanghai, if you are interested you can join us.06:28
davechenlhcheng: not just operators, but a lot of topics about operators obviously.06:29
lhchengmorganfainberg: thought the timestamp has always been 24h, did it recently change?06:29
morganfainberglhcheng, in my client06:29
morganfainberglhcheng, somehow got switched to %I from %H06:29
lhchengmorganfainberg: or you could be in sweden and it still dark at 10am :)06:30
davechenlhcheng: It's held in our company, not sure where is your base.06:30
lhchengdavechen: oh.. I am in california06:30
lhchengdavechen: thanks for the invite though06:30
* morganfainberg thinks it's time to go to sleep...06:30
stevemarlhcheng, i didn't ask about your name :) but good to know i said it incorrectly the entire time in SA06:31
davechenlhcheng:  I am wrong again. :-)06:31
lhchengstevemar: oh that's actually right, people just call me "lin" :)06:32
stevemarglad i didn't look like a jerk06:32
lhchengstevemar: I realized that works better, whenever I get a call and they mentioned my full first name, it usually gets butchered :)06:34
lhchengdavechen: hey, got a quick question for you on
openstackLaunchpad bug 1416615 in Keystone "add schema for some extension entities" [Wishlist,Confirmed] - Assigned to Lin Hua Cheng (lin-hua-cheng)06:35
lhchengdavechen: is the bug supposed to cover all extension entities?06:36
stevemarlhcheng, i definitely don't expect it to cover all extensions06:36
davechenlhcheng, I suppose not.06:36
davechenlhcheng, I file the bug after review your patch.06:36
stevemarone at a time, no rush :) we can't run out of bugs to file06:37
lhchengdavechen: I guess for this one, I can just add the PolicyAssociation schema?06:37
lhchengstevemar: haha06:37
davechenlhcheng, splitting the bug sounds good.06:38
lhchengstevemar: more bugs more fun06:39
lhchengdavechen: which company do you work for?06:39
davechenlhcheng, as stevemar said, one by one, no rush, but this need their approval :)06:40
davechenyou can see my contact mail address.06:40
davechenlhcheng: I work with David Lyle, you should know him.06:41
lhchengdavechen: oh.. is there an r&d office you guys have in shanghai?06:41
davechenlhcheng: yeah, not only in Shanghai, BJ as well.06:42
lhchengdavechen: nice, it's like HP. They're everywhere :)06:46
*** Akshik has quit IRC06:47
*** ChanServ changes topic to "High Priority Reviews: | Middleware Release Planned for Next Week"06:56
*** Akshik has joined #openstack-keystone06:56
*** Bsony has joined #openstack-keystone06:57
*** chrisshattuck has quit IRC07:00
stevemarjamielennox, can you confirm that this bug is invalid now?
openstackLaunchpad bug 1421616 in Keystone "Cannot create project using Horizon - Could not find default role "_member_"" [Undecided,New]07:15
*** jamielennox is now known as jamielennox|away07:16
stevemarjamielennox, i'm going to mark it as such, if you disagree then re-open it07:16
openstackgerritDave Chen proposed openstack/keystone: Fix the wrong order of parameters when using assertEqual
*** markvoelker has joined #openstack-keystone07:24
*** markvoelker has quit IRC07:29
*** Bsony has quit IRC07:36
*** Akshik has quit IRC07:46
*** Akshik has joined #openstack-keystone07:48
openstackgerritMerged openstack/keystone: Imported Translations from Transifex
*** chlong has quit IRC08:11
*** browne has quit IRC08:12
*** henrynash has joined #openstack-keystone08:18
*** ChanServ sets mode: +v henrynash08:18
*** krtaylor has quit IRC08:22
*** henrynash has quit IRC08:24
*** markvoelker has joined #openstack-keystone08:25
*** notmyname has quit IRC08:30
*** markvoelker has quit IRC08:31
*** karimb has joined #openstack-keystone08:35
*** krtaylor has joined #openstack-keystone08:35
*** henrynash has joined #openstack-keystone08:37
*** ChanServ sets mode: +v henrynash08:37
*** afazekas has joined #openstack-keystone08:39
*** stevemar has quit IRC08:42
openstackgerritMarek Denis proposed openstack/keystone: Fix the wrong order of parameters when using assertEqual
*** krtaylor has quit IRC08:54
*** jistr has joined #openstack-keystone09:02
*** erkules_ is now known as erkules09:04
*** Akshik has quit IRC09:08
*** krtaylor has joined #openstack-keystone09:10
*** markvoelker has joined #openstack-keystone09:27
*** markvoelker has quit IRC09:33
*** jistr is now known as jistr|biab09:36
*** henrynash has quit IRC09:38
*** haneef has quit IRC09:46
openstackgerritDave Chen proposed openstack/keystone: Fix the wrong order of parameters when using assertEqual
*** haneef has joined #openstack-keystone09:47
*** davechen has quit IRC09:54
*** samueldmq_ has joined #openstack-keystone09:55
*** samueldmq_ has quit IRC10:07
openstackgerritMerged openstack/keystone: Spelling and grammar cleanup
*** markvoelker has joined #openstack-keystone10:29
*** markvoelker has quit IRC10:35
openstackgerritMatthieu Huin proposed openstack/keystone: add oauth and federation authentication to config file
*** henrynash has joined #openstack-keystone10:39
*** ChanServ sets mode: +v henrynash10:39
*** jistr|biab is now known as jistr10:39
*** Akshik has joined #openstack-keystone10:39
*** Akshik has quit IRC10:54
*** lhcheng is now known as lhcheng_afk10:57
*** dims has joined #openstack-keystone11:00
openstackgerrithenry-nash proposed openstack/keystone: Enable use of database domain config
openstackgerrithenry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs
*** henrynash has quit IRC11:10
*** chlong has joined #openstack-keystone11:22
*** nellysmitt has joined #openstack-keystone11:25
*** dencaval has joined #openstack-keystone11:27
openstackgerritMarco Fargetta proposed openstack/keystone: Adding utf8 to federations tables
*** markvoelker has joined #openstack-keystone11:31
*** fmarco76 has joined #openstack-keystone11:36
*** markvoelker has quit IRC11:36
openstackgerritMerged openstack/keystone: Fix the wrong order of parameters when using assertEqual
*** amakarov_away is now known as amakarov11:54
*** markvoelker has joined #openstack-keystone12:32
*** markvoelker has quit IRC12:36
*** aix has quit IRC12:38
*** raildo_away is now known as raildo12:48
openstackgerritMarco Fargetta proposed openstack/keystone: Adding utf8 to federations tables
samueldmqfrom __future__ import dstanek13:03'Could you please revisit ?')13:03
dstaneksamueldmq: sure, let me finish what i'm doing and then i'll get right on it13:04
samueldmqdstanek, great! it already has your +2, but I needed to address some of bknudson's concerns :)13:04
samueldmqdstanek, thanks13:04
*** markvoelker has joined #openstack-keystone13:06
*** lhcheng_afk has quit IRC13:09
*** karmatronic has joined #openstack-keystone13:14
*** karimb has quit IRC13:17
dstaneksamueldmq: are you going to remove the satisfied.append in the other case too?13:27
*** aix has joined #openstack-keystone13:30
openstackgerritTelles Mota Vidal Nóbrega proposed openstack/keystone: Add domain_id checking in create_project
openstackgerritTelles Mota Vidal Nóbrega proposed openstack/keystone: List projects filtering by is_domain flag
openstackgerritTelles Mota Vidal Nóbrega proposed openstack/keystone: Add is_domain field in Project Table
openstackgerritRodrigo Duarte proposed openstack/keystone: Change project name constraint
*** karmatronic has quit IRC13:41
*** karimb has joined #openstack-keystone13:42
*** gordc has joined #openstack-keystone13:43
*** radez_g0n3 is now known as radez13:46
*** obutenko has quit IRC13:46
*** sigmavirus24_awa is now known as sigmavirus2413:54
*** obutenko has joined #openstack-keystone13:58
*** mattfarina has joined #openstack-keystone14:00
*** jamiec has quit IRC14:01
*** jamiec has joined #openstack-keystone14:01
*** topol has joined #openstack-keystone14:03
*** ChanServ sets mode: +v topol14:03
*** fmarco76 has quit IRC14:04
*** fifieldt_ has quit IRC14:05
*** jamiec has quit IRC14:09
*** jamiec has joined #openstack-keystone14:09
*** samueldmq_ has joined #openstack-keystone14:09
*** obutenko has quit IRC14:18
openstackgerritBoris Bobrov proposed openstack/keystone: [wip] Migration squashing
*** obutenko has joined #openstack-keystone14:34
*** chlong has quit IRC14:34
*** dims has quit IRC14:37
*** dims has joined #openstack-keystone14:38
marekdmorganfainberg: i think the fix is getting into shape, but i am not sure if you guys discussed and it's even allowed to modify migration scripts that merged:
openstackgerritMerged openstack/keystone: Fix typos in tests/unit/
*** boris-42 has quit IRC14:52
openstackgerritBoris Bobrov proposed openstack/keystone: Migrations squash
*** richm has joined #openstack-keystone15:06
*** dims is now known as dimsum__15:07
bretonmorganfainberg: ^15:11
*** radez is now known as radez_g0n315:12
*** iamjarvo has joined #openstack-keystone15:13
*** carlosmarin has joined #openstack-keystone15:17
openstackgerritDolph Mathews proposed openstack/keystone: Drop Fernet token prefixes & add domain-scoped Fernet tokens
*** r-daneel has joined #openstack-keystone15:20
*** timcline has joined #openstack-keystone15:20
*** atiwari has joined #openstack-keystone15:21
*** timcline_ has joined #openstack-keystone15:22
*** timcline has quit IRC15:26
openstackgerritDolph Mathews proposed openstack/keystone: Refactor Fernet: drop timestamps and move payload version into payload
*** kaisers1 has joined #openstack-keystone15:30
kaisers1Hi Keyston'ers!15:30
kaisers1Does anybody have a min for keystone newbie question regarding (configuring) extensions for keystone?15:31
*** kashyap has left #openstack-keystone15:33
*** jorge_munoz has joined #openstack-keystone15:33
*** radez_g0n3 is now known as radez15:34
dolphmmarekd: bknudson: i have a stack of changes on top of which address all of your -1's. i put up a squashed commit so you can see them all at once if you'd like (which i linked to), but they're broken into 6 or so patches in a sequence as well15:34
bknudsondolphm: where's the link?15:35
dolphmkaisers1: you have to ask your question before someone can try to answer it15:35
dolphmbknudson: they're all dep'd on
marekddolphm: thanks.15:35
dolphmbknudson: this is the squashed change
dolphmbknudson: it has direct links to all the individual patches as well15:36
*** samueldmq_ has quit IRC15:37
kaisers1dolphm: right, just don't want babble if nobody currently has the time to listen. :)15:39
marekddolphm: so ideally you want to approve whole chain or this squashed patch?15:39
kaisers1i'm looking to activate what seems to be very old keystone extensions, namely OS-KSADM and OS-KSS315:39
dolphmmarekd: i put up the squashed patch for illustration - morganfainberg would probably prefer the individual patches15:40
dolphmmarekd: you're welcome to review it however you wish15:40
*** joesavak has joined #openstack-keystone15:40
kaisers1But i can't find a way to "activate" these with a Juno installation15:40
dolphmkaisers1: what is OS-KSS3?15:40
kaisers1dolphm: S3 token extensions afaics15:40
dolphmkaisers1: OS-KSADM is hardcoded into the v2 implementation15:40
*** topol has quit IRC15:41
kaisers1dolphm: Aaah, ok. that was my impression. This was merged into main keystone at some point, right?15:41
kaisers1dolphm: It seems both are listed as "extensions". So far i've only used default-keystone setups. How can i 'activate' these extensions or are they available by default?15:42
dolphmkaisers1: S3 is enabled via your paste pipeline, and is included on both :35357/v2.0/ and /v3 by default15:42
kaisers1dolphm: sorry, what is the 'paste pipeline'?15:42
dolphmkaisers1: most openstack projects use paste deploy to configure their WSGI middleware stacks:
dolphmkaisers1: S3 is implemented as middleware that sits on top of keystone15:43
dolphmkaisers1: you can add/remove whatever middleware you want in /etc/keystone/keystone-paste.ini15:43
kaisers1dolphm: Sidenote - I'm quite busy with OpenStack for months now. But every other day i still hear about completely new things i never previously heard about... :)15:43
kaisers1dolphm: /etc/keystone/keystone-paste.ini does not seem to be created on default, right? I'm looking at a Juno RDO OpenStack installation right now15:45
dolphmkaisers1: the tl;dr is that "filters" stack up on top of "apps" and are glued together into "pipelines" which are deployed as "composite" applications with their own endpoints, and scale independently, etc15:45
dolphmkaisers1: well it sounds like you're digging deeper and deeper into configuration :)15:45
dolphmkaisers1: RDO probably puts it somewhere else, but i'm not familiar at all with RDO15:46
dstaneksamueldmq: did you say that there were other things you needed to fix on that review?15:46
dolphmkaisers1: /etc/keystone is our default location15:46
dolphmkaisers1: it would normally be sitting right next to your keystone.conf at least15:46
kaisers1dolphm: what about devstack. I'll check that15:46
kaisers1yep, there it is15:47
dolphmkaisers1: so, S3 is defined here
dolphmkaisers1: and that middleware is added to these two pipelines by default
kaisers1dolphm: Yeah, currently staring that line into talking and explaining itself to me ;-)15:48
dolphmkaisers1: and those two pipelines are deployed here
dolphmkaisers1: and [composite:admin] is deployed as :35357 by default15:49
kaisers1dolphm: ok, admin default is good (less work for me)15:49
dolphmkaisers1: read through the paste.deploy documentation if you want to get a grasp of how to configure all openstack projects on this level15:49
dolphmkaisers1: also, everything in OS-KSADM is native functionality in /v3/15:50
kaisers1dolphm: ok, good15:50
dolphmkaisers1: v3 is documented here
kaisers1dolphm: Ok, gotta stack of reading material now. :) But one more noob question for quickness: The fact that the s3 filter is present and not commented out, does that mean it should be running?15:53
amakarovdolphm, good day! Help me please: how can I propose a change to What project should I use?15:53
dolphmkaisers1: the fact that it's in the pipeline means it's deployed15:53
kaisers1Oh, stack of reading, devstack, openstack, stacking in my head. Gettin' stacked stupid in me head15:53
dolphmamakarov: if you commented out just the [filter] part, keystone would crash on startup because it wouldn't know what you were trying to include in the pipeline15:54
dolphmkaisers1: good luck on your adventure :)15:54
dolphmamakarov: sorry, that was meant for kaisers1 ^15:54
kaisers1dolphm: Ok, I'll read on from here. Thanks a lot!15:54
dolphmamakarov: that is in keystone doc/15:54
dstanekamakarov: that's in keystone's doc directory15:54
dolphmdocs/ *15:54
dolphmdstanek: for the record, there are multiple documents so it should be called docs/ =)15:55
amakarovdolphm, dstanek thanks, had no idea it is not a separate project :)15:55
*** arunkant has joined #openstack-keystone15:55
dolphmamakarov: all of comes out of that directory15:55
dolphmamakarov: which is the same as / now15:56
*** ayoung has joined #openstack-keystone15:57
*** ChanServ sets mode: +v ayoung15:57
samueldmqdstanek, hi .. sorry for the late reply ...15:57
samueldmqdstanek, not something in the code/logic, basically a doc15:58
samueldmqdstanek, but then I needed to send a new patch set, that removed your +215:58
samueldmqdstanek, thanks for your review again :)15:58
dstanekah, ok - if there are no more changes i'll go ahead and approve it too15:59
*** ogzy has quit IRC15:59
samueldmqdstanek, ok so please go for it, no more changes, I already addressed everything :)16:00
samueldmqdstanek, thanks !!16:00
dolphmthere's a bunch of "tokenless authorization" headers in that don't actually apply to keystone ... i'm thinking those should be documented separately?16:01
*** stevemar has joined #openstack-keystone16:01
*** ChanServ sets mode: +v stevemar16:01
dolphmi assume that's all implemented in keystonemiddleware16:01
*** mflobo has left #openstack-keystone16:01
openstackgerritLance Bragstad proposed openstack/keystone: Add Federation mixin for setting up data
openstackgerritLance Bragstad proposed openstack/keystone: Federated token formatter
openstackgerritLance Bragstad proposed openstack/keystone: Add unscoped token formatter for Fernet tokens
bknudsondolphm: it must be implemented in middleware in keystone, and then the properties go through the normal mapping16:06
openstackgerritDolph Mathews proposed openstack/keystone: Refactor Fernet: drop timestamps and move payload version into payload
lbragstaddolphm: pushed and resolved ^16:06
lbragstadcc marekd^16:06
lbragstadmarekd: ^16:06
openstackgerritDolph Mathews proposed openstack/keystone: Refactor: rename the "standard" token formatter to "scoped"
openstackgerritDolph Mathews proposed openstack/keystone: Refactor: remove token formatters dep on 'token_data' on create()
openstackgerritDolph Mathews proposed openstack/keystone: Refactor: remove Fernet formatter's dep on trust_api / v3 token helper
bknudsondolphm: but I agree that documentation doesn't have anything to do with the identity api.16:06
*** chrisshattuck has joined #openstack-keystone16:07
bknudsonwell, actually it looks like those headers are in the request.16:07
dolphmbknudson: right, but to keystonemiddleware, not identity-api specifically?16:07
samueldmqbknudson, I think so, and then it should be kept there, no?16:08
bknudsonno, those are in the request to keystone.16:08
samueldmqdolphm, I think keystone16:08
samueldmqbknudson, ++16:08
bknudsonso if auth_token wants to validate a token it sends a request using its client cert and X-Project-Id set.16:08
dolphmoh, that's not what i thought that was for at all16:09
dolphmi thought this was for clients to skip talking to keystone and just use x509 directly with nova, etc16:09
bknudsonmaybe there's another spec for that?16:10
dolphmbknudson: i actually thought that's what gyee and someone at CERN were interested in at some point16:11
dolphmwhich sounds cool to me16:11
openstackgerritBoris Bobrov proposed openstack/keystone: Migrations squash
bknudsondolphm: I know he's talked about it... keeping it in-house.16:12
dolphmbknudson: yeah, but then IIRC it had some weird upstream impact that didn't make any sense without us having x509 support upstream too16:13
dolphmanyway, i thought they were on the road to upstreaming it16:14
marekddolphm: i think jose was hacking something here.16:16
lbragstadmarekd: I'm going to propose that federated mixin refactor against master without any dependencies,16:17
lbragstadmarekd: something got messed up in the rebase16:17
marekdlbragstad: sure.16:17
*** krtaylor has quit IRC16:23
dolphmmarekd: how much longer are you around today?16:26
marekddolphm: wanted to talk about anything specific?16:27
dolphmmarekd: your -1 on
marekddolphm: ok, let me look at it now.16:28
dolphmmarekd: i'm hoping that can land today because we have so much behind it16:28
marekddolphm: sure.16:28
*** browne has joined #openstack-keystone16:30
openstackgerritLance Bragstad proposed openstack/keystone: Add Federation mixin for setting up data
openstackgerritLance Bragstad proposed openstack/keystone: Add Federation mixin for setting up data
*** topol has joined #openstack-keystone16:33
*** ChanServ sets mode: +v topol16:33
openstackgerritDolph Mathews proposed openstack/keystone: Remove the expiration timestamp from Fernet tokens
*** chlong has joined #openstack-keystone16:33
stevemarmarekd, still want me to update ?16:34
openstackgerritDolph Mathews proposed openstack/keystone: Drop Fernet token prefixes & add domain-scoped Fernet tokens
openstackgerritDolph Mathews proposed openstack/keystone: Remove redundant creation timestamp from fernet tokens
marekdstevemar: sorry, didn't notice the comment.16:35
marekdno, it's fine16:35
*** krtaylor has joined #openstack-keystone16:35
marekdstevemar: it's approved16:35
lbragstadmarekd: addressed the comments and I believe I have a clean commit here
lbragstadcc stevemar ^16:36
openstackgerritDolph Mathews proposed openstack/keystone: Drop Fernet token prefixes & add domain-scoped Fernet tokens
openstackgerritDolph Mathews proposed openstack/keystone: Remove redundant creation timestamp from fernet tokens
openstackgerritDolph Mathews proposed openstack/keystone: Refactor Fernet: drop timestamps and move payload version into payload
*** joesavak has quit IRC16:37
dolphmlbragstad: that just looks like a refactor at first glance?16:37
lbragstaddolphm: yep, it is16:38
dolphmlbragstad: cool. marekd just +2'd16:38
lbragstaddolphm: it's so we can leverage *all* that neat setup stuff for fernet tokens16:38
lbragstaddolphm: and not duplicate it16:38
dolphmlbragstad: ++16:38
dolphmmarekd: now it's just you and :P16:38
dolphmmarekd: i replied to most of your comments on patchset 4, but the gist is that everything you mentioned is either addressed or deleted anyway later in the series16:39
dstanekdolphm: any reason why has not been approved?16:40
dolphmdstanek: only because it's dependent on something that hasn't16:40
dolphmdstanek: so, not a real reason16:41
marekddolphm: ok, done.16:41
dolphmmarekd: sweet! thank you sir16:41
*** _cjones_ has joined #openstack-keystone16:43
*** _cjones_ has quit IRC16:43
*** _cjones_ has joined #openstack-keystone16:44
dolphmdstanek: you like reviewing refactors, right?!
lbragstaddolphm: you have a commit that removes this stuff, right?
dstanekdolphm: sure, i can review another one16:46
dolphmlbragstad: not that bit, no16:47
dolphmlbragstad: my series will conflict with that patch16:47
dolphmlbragstad: and +1 for using map() there16:47
lbragstaddolphm: ok, I'll address and push a new revision16:48
lbragstadcc bknudson ^16:48
dolphmlbragstad: let me find what you should rebase that change on...16:48
* marekd thought lbragstad used mmap() and was wondering since when we are going that low-level in OpenStack :P16:48
dolphmlbragstad: probably just on the last change
dolphmlbragstad: the only change i made to the handling of audit_ids in my series is that i keep it as a list the whole time16:49
dolphmlbragstad: they still need to be converted to bytes16:49
lbragstaddolphm: got it, I'll tack that on to the end16:49
dolphmlbragstad: i'm also curious what our new token size is after all this16:49
*** gyee has joined #openstack-keystone16:49
*** ChanServ sets mode: +v gyee16:49
lbragstaddolphm: it's going to be awesome16:49
lbragstadbecause we're getting rid of creation and expiration, right?16:50
marekd'awesome' is a new number in maths? next to pi, e and so on16:50
lbragstadmarekd: yes, it got me through all my math classes16:50
dolphmmarekd: ++16:51
dolphmlbragstad: as of the last patch in my series, it's gone down from 187 chars to 14016:51
dolphmso like you can totally tweet your bearer tokens: mission accomplished! product teams everywhere can rejoice16:51
lbragstaddolphm: cool, so it should be a *little* smaller than that with audit_ids in bytes16:51
*** boris-42 has joined #openstack-keystone16:53
*** notmyname has joined #openstack-keystone16:54
dstanekdolphm: why you remove the expiration from the token are you expecting that only the rotation will expire tokens?17:04
*** iamjarvo has quit IRC17:08
openstackgerritAlexander Makarov proposed openstack/keystone: Redis token backend
dolphmdstanek: that was my original thought17:30
dolphmdstanek: which will still work, but my new thought is that everything about these tokens is leaning towards stateless, and we can compute the expiration based on creation + CONF17:30
openstackgerritOpenStack Proposal Bot proposed openstack/keystonemiddleware: Updated from global requirements
dolphmdstanek: if you wanted to have a subset of tokens with no expiration, we could still do that, and do it better than before. set CONF token lifespan to 1000 years or whatever, force expire tokens via rotation, and just leave a special key in the rotation for long-lived tokens (you might have to manage your own rotation in that case)17:32
dstanekdolphm: ok, i just got finished on that review and you may have just invalidated my complaints if you go that route17:32
lbragstaddolphm: that would be a good idea for the long lived tokens17:33
*** rwsu-afk is now known as rwsu17:33
dolphmdstanek: if we go to what route, specifically?17:33
*** browne has quit IRC17:34
*** tqtran has joined #openstack-keystone17:34
*** arif-ali has quit IRC17:34
dolphmlbragstad: simplest approach might be to take away keystone's ability to write to a specific key file, and just try/except the delete during rotation :)17:34
dstanekdolphm: i have security concerns about having the rotation be the only thing that controls expiration; if you do a created + CONF i would not have that concern17:34
dolphmdstanek: then you shouldn't have any concerns with
dolphmdstanek: right? L180-183 on the right17:35
dolphmdstanek: i have an abandoned patch (or old patchset) that is entirely dependent on rotation, but then i remembered that Fernet has the token's creation time as part of the format itself (outside the payload)17:36
dstanekdolphm: not if the commit message is incorrect17:36
openstackgerritBoris Bobrov proposed openstack/keystone: Remove deprecated external authentication plugins
stevemarayoung, can you review , and
dolphmdstanek: touche! that's my old commit message17:37
dstanekdolphm: where does the rejection based on an expired token happen?17:37
dolphmdstanek: will fix17:37
*** jistr has quit IRC17:37
ayoungstevemar, wilco17:37
dolphmdstanek: good question, i don't have a functional test for it - but i believe that happens further up the stack when we pass up an expired token from the provider?17:37
dolphmdstanek: we can also pass a ttl to Fernet and it'll barf there17:37
openstackgerritOpenStack Proposal Bot proposed openstack/pycadf: Updated from global requirements
dstanekdolphm: if it's now the case where expiration is enforced by Keystone then i think the docstrings just need to be updated17:39
*** lhcheng__ has joined #openstack-keystone17:39
openstackgerritDolph Mathews proposed openstack/keystone: Remove the expiration timestamp from Fernet tokens
ayoungstevemar, +2 A across the board.  Those were designed to make me happy17:39
stevemarayoung, \o/17:40
morganfainbergSo, based on my digging into ksm and how that works, I'd like to keep the expiration being enforced separate/held until the rest of fernet is done, that makes sense?17:40
morganfainbergExpiration only enforced by keystone that is.17:40
*** iamjarvo has joined #openstack-keystone17:41
*** iamjarvo has quit IRC17:41
dolphmmorganfainberg: that sounds like i need to change the dependency order of this, which won't be fun?
morganfainbergThe fact that you're introducing cases where the user gets different behaviors based upon a config in keystone still is making me uncomfortable.17:41
*** iamjarvo has joined #openstack-keystone17:42
ayoungmorganfainberg, ksm?17:42
morganfainbergayoung: auth_token17:42
dolphmmorganfainberg: but ... it's an edge case :)17:42
dolphmmorganfainberg: i'd say it's solvable via documentation17:43
ayoungmorganfainberg, I'm missing something.  Why does it matter where in the token the value lives?17:43
*** lhcheng__ is now known as lhcheng17:43
*** david-lyle_afk is now known as david-lyle17:43
ayoungmorganfainberg, link to the discussion?17:43
morganfainbergayoung: if expiration is only calculated in keystone by the Ttl, changing the conf means tokens will (if cached, and the default is to cache) cause different behaviors to the end user17:44
ayoungmorganfainberg, won't all of that data be returned in the token response17:44
ayoungand...then the cached value should match what keystone would say17:44
morganfainbergayoung: so cache the token validity. Then change keystones conf.17:45
ayoungWhich keystone conf value are you concerned about?17:45
morganfainbergNow tokens could result in changing state based on the cache.17:45
dolphmayoung: token lifespan17:45
* ayoung slow shifting gears here, sorry17:45
ayoungshouldn't that value be passed in to set the token lifespan/ttl in the fernet token?17:46
morganfainbergayoung: dolphm is pitching to make token expiration calculated based on creation and conf.token.expiration_time17:46
dolphmayoung: the goal is for fernet tokens to only carry a creation timestamp - no fixed expiration date17:46
morganfainbergOn validate.17:46
ayoungdolphm, hmm...I thought we made it possible for someone to explicitly request a longer expiration date in a token...if we didn't, we might need to17:46
morganfainbergayoung: no. Tokens are fixed lifespan. You can't override it17:47
ayoungmorganfainberg, I think I just got burned by Glance and a 1 hour token lifespan.  In real life, too.17:47
dolphmayoung: it would be safe to have longer token lifespans with fernet if you're also rotating keys17:47
dolphmayoung: like, rotate keys daily or weekly, and keep them for a year17:48
ayoungdolphm, yeah...and with that,. we should make plans to re-absorb kite to do Key distribution.17:48
ayoungits a perfect match of capabilities for our use pattern:  Group token signing17:48
dolphmayoung: yeah, i tried to keep the key persistence simple because i know it's going to get fancier17:49
morganfainbergayoung: kite aside. If expiration is solely calculated in keystone we're going to get some odd bugs. We've already have bugs reported because caching in ksm is inconsistent with in-memory17:49
ayoungWell, technically, distribution is separate from persistence.17:49
*** afazekas has quit IRC17:49
*** stevemar has quit IRC17:50
dolphmmorganfainberg: not bugs, just fun new behaviors out of a distributed system :)17:50
morganfainbergdolphm: bugs reported. They won't be valid. But they will be reported as bugs17:50
dolphmayoung: right - simple expectations on where they come from is all i mean17:50
*** stevemar has joined #openstack-keystone17:50
*** ChanServ sets mode: +v stevemar17:50
ayoungmorganfainberg, so you want the expiry explicitly recorded in the token, and dolphm is proposing just using the value out of the Config file?17:50
ayoungdolphm, Ah...I see what you mean.17:50
dolphmmorganfainberg: i shall write all the many documentations to combat said bugs in advance17:50
morganfainbergayoung: yeah, I'm saying keep tokens Ttl as a int when you issue the token like today.17:51
morganfainbergayoung: at least until the rest of fernet is up and running.17:51
ayoungmorganfainberg, so you would have a case where, say you changed expiry from one hour to two, certain tokens would have been expired, and then unexpired at config change?17:51
morganfainbergayoung: yep17:51
dolphmayoung: yes17:51
ayoungor  a valid token might become invalid if the expiry is made shorter.17:52
dolphmayoung: that's the only edge case i'm aware of17:52
dolphmayoung: yes17:52
dstanekif the reason we are taking out the expiration date is token size we could just put in  smaller offset number to calculate the expiration17:52
dolphmhow often do people change the token lifespan in a running system? wouldn't they be willing to read a paragraph about the effects?17:52
morganfainbergayoung: and if they are cached at an endpoint behavior of the endpoint changed based on cache. And if using in-memory cache, request could succeed/fail randomly based upon worker you get.17:52
morganfainbergdolphm: this also means if you use multiple keystones, the configs have to be the same.17:53
ayoungdolphm, and I think they are ok.  We are making it possible for people to read config values out of Keystone via the APIs, which mean that they could use the config values to set timeouts, instead of getting it from any one token17:53
ayoungmorganfainberg, oooh.17:53
dolphmdstanek: agree, just trying to go even smaller17:53
morganfainbergdolphm: or you get different expiry for the same token based on the endpoint you hit.17:53
morganfainbergE.g. Load balanced keystones.17:53
dolphmwe're at 140 chars for fernet tokens with all the proposed patches17:53
morganfainbergAnd load-balanced keystones are a real thing.17:54
ayoungmorganfainberg, I just envisioned a whole bunch of work on that really should be Puppet keeping configs in sync, but since we are now storing some configs in the database...does puppet have a mechanism to handle that?  Chef or Ansible for that matter?17:54
morganfainbergThis is a protect the deployer from themselves argument.17:54
morganfainbergayoung: sortof, but often you change 1 then the rest of your cluster.17:54
morganfainbergFor cms that won't kill the system by being different.17:55
dolphmthe config in a database thing seems silly in the face of zookeeper etc17:55
lbragstaddolphm: did you say the domain scoped stuff was fixed?17:55
dolphmbut i digress17:55
dolphmlbragstad: yes, in
*** joesavak has joined #openstack-keystone17:55
openstackgerritBoris Bobrov proposed openstack/keystone: Move external authentication plugins' last release
dolphmlbragstad: it adds an explicit domain scope and passes the tests that suddenly started failing when i made them more strict17:55
morganfainbergOoh I know, let's move all of keystones config into a db except the "how to connect17:56
morganfainbergTo said db" /s17:56
* ayoung interviewing an intern this afternoon, and just thought up eeeeevil Git based interview question17:56
dolphminterns know git now?17:56
morganfainbergEven better, we can use etcd for everything.17:56
morganfainberg  /s17:56
dolphmpretty sure systemd supports domain-specific sql configuration17:57
ayoungmorganfainberg, actually, I have a todo item to be able to store encrypted values in oslo  config, but I am holding off filing it  until I have chewed it over better17:57
lbragstaddolphm: I'm adding the audit_id stuff to the end of that series, and I get the following:
dolphmor something along those lines17:57
dolphmlbragstad: what's domain_id there?17:58
morganfainbergSo I am not really absolutely against keystone calculating the expiry only, but it does kind of rub me the wrong way.17:58
dolphmlbragstad: is that keystone-deploy?17:58
lbragstaddolphm: no, it's the script17:58
dolphmlbragstad: from keystone-deploy?17:58
morganfainbergdolphm: I wouldn't -1 or -2 it. But i need tons of docs on this and if we get lots17:58
lbragstaddomain_name = 'Default'17:58
ayoungdolphm,   my interns better know git.  Here's the question "When the git server was compromised, the community was able to quickly validate that the main branch had not been changed.  How were they able to tell?"17:59
morganfainbergOf bugs I'm going to revert it.17:59
dolphmmorganfainberg: ack17:59
lbragstaddolphm: yes, the one we use with keystone-deploy17:59
dolphmmorganfainberg: i can add them to that patch17:59
morganfainbergOr just give deployers your phone # :)17:59
morganfainbergdolphm: in that patch or dependent on it. Either works18:00
dolphmmorganfainberg: will do!18:00
dolphmlbragstad: what's the value of domain_id ?18:02
lbragstaddolphm: checking18:02
lbragstaddolphm: 'domain': {'id': u'default', 'name': u'Default'},18:03
lbragstadwe aren't passing uuid as the domain *id* every time18:04
lbragstaddomain ids can be something user defined...18:04
lbragstadwhich is where we are bombing out I think, since UUID doesn't know how to convert 'domain'18:04
morganfainbergWoohoo. -1950 lines. breton thanks for working on that!18:05
morganfainberglbragstad: yeah domain has to be "string"18:06
dolphmlbragstad: OH 'default'!18:06
lbragstaddolphm: morganfainberg yep18:06
lbragstaddolphm: don't fix it yet18:06
morganfainbergAnd... That can explode your token size because a domain Id can be 255 bytes. :(18:06
lbragstaddolphm: I'm going to push what I have for the audit_id stuff18:06
dolphmmorganfainberg: personal problem?18:07
lbragstadyou can't fix stupid18:07
dolphmmorganfainberg: actually it's limited to 64 bytes, right?18:07
*** browne has joined #openstack-keystone18:07
breton -- fellas, could you please avoid +A-ing "+654, -651" patches in 2 minutes after uploads18:07
morganfainbergdolphm: is it?18:07
dolphmmorganfainberg: all / most IDs are 64 bytes IIRC18:07
morganfainbergdolphm: hm. That might be schema enforced. I hope?18:08
dolphmbreton: have a specific issue with that test refactor?18:08
dolphmmorganfainberg: i'd assume so18:08
*** spandhe has joined #openstack-keystone18:08
*** karimb has quit IRC18:08
lbragstadmorganfainberg: dolphm
morganfainbergdolphm: ah sql schema sets it at 5418:09
dolphmbreton: or you just mean the +A without a jenkins check first?18:09
lbragstadwe limit to 64 using jsonschema18:09
morganfainberglbragstad: that's name. Not Id18:09
lbragstadah, morganfainberg yep18:10
dolphmthe only domain ID that is custom is "default" afaik18:10
dstanekbreton: i thought people wanted things getting through quickly :-)18:10
bretondolphm: I don't know. I saw it only by chance, while looking at zuul. I just dislike that such huge patches get accepted with zero discussion18:10
dolphmbreton: it was briefly discussed here. the two developers that are most familiar with that code (and wrote it), were the ones that +2'd. i'd be happy to give it a third set of eyes if you'd like18:11
amakarovbreton, wow, didn't even notice...18:11
dolphmbreton: it's also just a big copy/paste refactor18:11
lbragstadbreton: it started being reviewed here
morganfainbergOh hey. Yeah we don't allow custom ids except default.18:12
dolphmlbragstad: should have used the same Change-Id!18:12
morganfainberglbragstad: just saw that it does assign unique Id18:12
morganfainbergdolphm: ^^18:12
dolphmmorganfainberg: special case default domain id maybe?18:13
morganfainbergso, ick, have to special case default. :(18:13
lbragstadbreton: I proposed it to against master because there wasn't anything specific in the chain it was in that required it to be behind the other changes18:13
lbragstaddolphm: breton sure, I should have used the same change ID, my fault, but I abandon the old change immediately after and informed the other two developers about the change as soon as i proposed it18:13
lbragstadbreton: fwiw, they are both linked to each other18:14
dolphmlbragstad: Restore -> use same Change-Id next time18:14
morganfainbergdolphm: it's in check right?18:14
morganfainbergNot gate.18:14
morganfainbergWe should just do that to maintain the review history.18:15
dolphmmorganfainberg: yes, it's still queued in check18:15
morganfainbergEven this time.18:15
dolphmmorganfainberg: lbragstad: ++ ^18:15
morganfainbergPeople can re-+2 it.18:15
openstackgerritLance Bragstad proposed openstack/keystone: Convert audit_ids to bytes
lbragstaddolphm: ^ that will fail until the domain_id thing is fixed18:16
dolphmbreton: morganfainberg: lbragstad: abandoned the approved change-
dolphmlbragstad: ack18:17
morganfainbergdolphm: beat me to it. Was going to -2 it then abandon :P18:17
dolphmmorganfainberg: i figure abandon alone will kill the job :)18:17
morganfainbergdolphm: same net effect.18:18
morganfainbergdolphm: wfm!18:18
bretongreat, thank you18:18
*** morganfainberg is now known as needscoffeebadly18:19
openstackgerritLance Bragstad proposed openstack/keystone: Add Federation mixin for setting up data
lbragstadbreton: dolphm needscoffeebadly ^ done,18:20
needscoffeebadlydolphm: Friday! Dolphin time? ;)18:20
*** dolphm is now known as dolphin18:20
* dolphin *whatever squeaky sound dolphins make*18:20
*** dolphin is now known as Guest8273418:20
* lbragstad finds food18:21
needscoffeebadlyGuest82734: someone owns dolphin as a nick? :P18:21
*** needscoffeebadly is now known as CaptainMorgan18:22
*** vhoward has left #openstack-keystone18:25
openstackgerritDolph Mathews proposed openstack/keystone: Refactor: remove dep on trust_api / v3 token helper
Guest82734dstanek: fixed the commit message and docstrings ^18:26
dstanekGuest82734: what did you guys decide about the config based expiration checking?18:26
Guest82734CaptainMorgan: ++18:26
Guest82734dstanek: when i was in the shower a couple weeks ago?18:27
Guest82734CaptainMorgan: can we kill the IBM "This change depends on a change that failed to merge." bot?18:27
CaptainMorganbknudson: ^18:27
CaptainMorganbefore we get them disabled or such let's ask nicely.18:28
CaptainMorganGuest82734: but yes.18:28
bknudsonCaptainMorgan: I have no control over it.18:28
CaptainMorganbknudson: who do I email?18:28
Guest82734it's been failing all week, afaik. if no one is going to fix it...18:28
CaptainMorganAnd say "fix plox or it shall be disabled"18:28
CaptainMorganOr hmm. There is some magic setting I can change somewhere for this I think.18:29
bknudsonCaptainMorgan: -- it's
CaptainMorganbknudson: ah thanks.18:29
Guest82734bknudson: if you have no control over it, then who the hell is supposed to maintain it?! that's crazy18:29
bknudsonGuest82734: we have a team in china.18:29
bknudsonit's a big company18:30
openstackgerritLin Hua Cheng proposed openstack/keystone: Made project_id required for ec2 credential
samueldmqCaptainMorgan I saw a discussion in the mailing list on horizon + pkiz18:30
CaptainMorganbknudson: will email them today. Since hours are all wonky I'll say it needs to get fixed first thing next week.18:30
bknudsonand I'm not their manager or team leader in any way.18:30
samueldmqCaptainMorgan, do you know if horizon supports pkiz right now?18:30
Guest82734bknudson: my point is that if *we* cause it to fail, we should be able to help fix it. if it's a rubberstamping black box, then it should die18:31
CaptainMorganbknudson: and let them know they need to keep track of it. Because us having to email after a week of failures is not ok.18:31
Guest82734bknudson: and if you, a keystone-core IBMer can't help fix it, it's totally a black box18:31
CaptainMorgananteaya: ^cc might be bugging you next week about a CI account. (Just a heads up)18:31
*** obutenko has quit IRC18:33
Guest82734samueldmq: if horizon doesn't break with PKI, it should support PKIz just fine18:33
stevemari love how bknudson is associated with the db2 testing ci - i emailed him yesterday about18:34
*** haneef has quit IRC18:34
stevemarfix a bug or two related to db2 and you're forever associated with it bknudson18:34
anteayaCaptainMorgan: who will?18:34
bknudsonif it's identifying a problem I'd be happy to look into it... that's my job.18:35
bknudsonbut I have no knowledge of how it's set up and administered.18:35
anteayaCaptainMorgan: and you can save time and give them this:
anteayasince they need to set up the account themselves18:35
bknudsonI doubt the company would give me time to work on that.18:35
samueldmqGuest82734, yes, it works .. I just checked it18:35
bknudsonI could ask.18:35
bknudsonGuest82734 isn't nearly as funny as dolphin.18:36
*** Guest82734 is now known as dolphinator18:36
*** joesavak has quit IRC18:36
bknudsonunless I'm missing the joke ... is it a prime #?18:36
samueldmqdolphinator, the issue before was that we had 'pki' hardcoded in django_openstack_auth, but it looks to be ok now18:36
samueldmqdolphinator, thx18:36
lhchengsamueldmq: horizon can accept pki token from keystone, but it uses the hashed pki for making later calls.18:37
openstackgerritBoris Bobrov proposed openstack/keystone: Remove fix for migration 37
*** markvoelker has quit IRC18:39
*** markvoelker has joined #openstack-keystone18:40
dolphinatorlhcheng: oh good point18:40
samueldmqlhcheng, as it was a uuid or other token? requesting the whole token info (service catalog, etc) when it needs?18:40
stevemaryess dolphinator18:40
dstanekhmmmm...anyone else get the greenthread errors when running the test suite?18:40
bretondstanek: the waitall() ones?18:41
samueldmqdstanek, yes18:41
lhchengsamueldmq: it fetches the catalog on login, and store the service catalog + token in the session.18:41
dstanekbreton: yes, so it's not just me18:41
samueldmqlhcheng, hm.. ok18:42
samueldmqlhcheng, I'm facing this (
openstackLaunchpad bug 1382079 in OpenStack Dashboard (Horizon) "Project selector not working" [High,In progress] - Assigned to Thiago Paiva Brito (thiagop)18:42
*** amakarov is now known as amakarov_away18:42
samueldmqlhcheng, I can't use horizon + v318:42
lhchengdolphinator: I think it works due to a logic somewhere in the keystone middleware where it is caching a hashed pki token. Not the best way to handle long tokens, but works for now.18:44
* lhcheng looking at bug18:44
*** ccrouch has left #openstack-keystone18:44
*** markvoelker has quit IRC18:44
dolphinatordstanek: breton: yes, i "fixed" it by downgrading greenthreads i think18:44
*** chrisshattuck has quit IRC18:45
lhchengsamueldmq: are you using devstack?18:45
dolphinatordstanek: as far as i looked into it, it seemed innocuous18:45
lhchengsamueldmq: and have you switched the session backend?18:45
samueldmqlhcheng, yes I am using devstack18:46
dstanekdolphinator: i'll give that a try18:47
samueldmqlhcheng, session backend?18:47
* stevemar needs a fun friday nick18:47
dolphinatorstevemar: stevebot?18:47
stevemari suppose18:47
samueldmqlhcheng, to use memcached ?18:47
lbragstad++ stevebot18:47
stevemarstevebot :Nickname is already in use.18:48
stevemarthat jerk18:48
lhchengsamueldmq: yeah, anything other than using cookie based18:49
dolphinatorstevemar: steve_in_march18:49
*** joesavak has joined #openstack-keystone18:49
samueldmqlhcheng, nice I'll give a try and come back to say what happened :)18:50
dolphinatorstevemar: steven_march18:50
*** arif-ali has joined #openstack-keystone18:50
lbragstadstevemar: stevedore18:50
CaptainMorganlbragstad, LOL18:50
*** stevemar is now known as stevedore18:50
stevedorei lift things!18:50
dolphinatorstevedore: ++18:50
stevedorelbragstad, dolphinator whats up with rax trial accounts? how long are they good for?18:50
* dolphinator hands stevedore a box18:51
dolphinatorstevedore: via ?18:51
stevedorelooking at that now18:51
stevedoredolphinator, pm'ing you18:51
CaptainMorgandolphinator, sadly the "free" level you get wasn't enough to get me more than the smallest vm ever w/o paying18:51
lhchengsamueldmq: cached session is probably easiest to configure:
CaptainMorgandolphinator, and i was told the free tier was only good for a few months.18:52
dolphinatorCaptainMorgan: was it $50/month for 12 months then?18:52
CaptainMorganwhen i set it up18:52
CaptainMorgandolphinator, i was told $30 for 618:52
CaptainMorganwhen i talked to someone on the phone [needed to for activation]18:52
lbragstadstevedore: are you building another iteration of ?18:52
bknudsonhey, no support fees.18:53
CaptainMorgandolphinator, or something18:53
bknudsonI'll call in for help and tell them to get dolphinator to do reviews.18:53
* CaptainMorgan needs to figure out how to setup HP Cloud account for himself.18:54
lhchengsamueldmq: here you go:
CaptainMorganor maybe i should just go stick a rack mounted server in some colo for dev work.18:54
*** arif-ali has quit IRC18:59
* dstanek needs lunch and coffee18:59
CaptainMorgandolphinator, bknudson, ayoung, dstanek, this is a high-ish priority review - we have another "could be wedged" case for deployers19:00
CaptainMorganwe're going to need to back port it as well19:00
lbragstaddolphinator: how do you think we should go about the domain id fix?19:00
*** arif-ali has joined #openstack-keystone19:00
ayoungCaptainMorgan, Aye Aye19:00
lbragstadwe have to try and detect if we're dealing with a user defined string or not19:00
ayoungCaptainMorgan, I'm going to clean up the commit message on that19:00
openstackgerritayoung proposed openstack/keystone: Adding utf8 to federation tables
*** markvoelker has joined #openstack-keystone19:03
ayoungCaptainMorgan,   those changes...they seem like they wouldn't work for other backends.19:03
CaptainMorganayoung, they are mysql-specific arguments19:03
CaptainMorganwe use it elsewhere19:03
ayoungthey ignored by non mysql backends?19:03
CaptainMorganayoung, for example:
CaptainMorganayoung, yeah they aren't passed to non-mysql backends19:04
*** Akshik has joined #openstack-keystone19:05
ayoungCaptainMorgan, OK.  looks right for Federation19:05
dolphinatorlbragstad: if only the default domain is an exception, we can just treat it exceptionally :-/19:07
samueldmqlhcheng, well.. followed this (
ayoungCaptainMorgan, I don't like the Federation fix being in the main migration code19:07
lbragstaddolphinator: yeah, we could,19:07
samueldmqlhcheng, and I can log sometimes, and then get back to the login page... sometimes I stay in the login page with no error :/19:07
ayoungCaptainMorgan, Posted a review.  Please tell me if it makes sense.19:10
lbragstaddolphinator: I left a comment on the review19:11
dolphinatorlbragstad: which one?19:11
dolphinatorlbragstad: ah okay19:11
samueldmqlhcheng, yes! got it :) (I was changing the config on instead of on
samueldmqlhcheng, thank you!!19:12
dolphinatorlbragstad: review this one first :)
lhchengsamueldmq: heh19:12
lbragstaddolphinator: I think the only place where we would need to have a special case like this would be the domain formatter, so i find it appropriate for it to live only there?19:12
lhchengsamueldmq: great!19:12
dolphinatorlbragstad: ++19:12
lhchengsamueldmq: anytime19:13
*** Akshik_ has joined #openstack-keystone19:14
*** Akshik has quit IRC19:15
*** marekd-mobile has joined #openstack-keystone19:15
CaptainMorgananteaya, thanks.19:16
anteayaCaptainMorgan: I've sent them to you19:16
CaptainMorgananteaya, ack19:16
anteayamy preference is for me to teach keystone team all the third party things19:16
CaptainMorgananteaya, happy to have them sent here19:17
anteayaand then you can teach the operators that want to comment/verify keystone patches19:17
CaptainMorgananteaya, that fix needs to go there19:17
anteayaso when they show up, ping me and we can address the conveyance of communication and expectations together19:17
*** joesavak has quit IRC19:17
lbragstaddolphinator: reviewed, one question inline
anteayaI'm ruining your tab complete19:18
CaptainMorganayoung, the fix can't be in the migration code, because sanity-check from oslo.db will fail19:18
CaptainMorgananteaya, nah, i was crossing brain-wires, trying to type ayo<tab> while looking at your last message19:18
*** _cjones_ has quit IRC19:18
*** Akshik_ has quit IRC19:19
CaptainMorganayoung, so we're in a catch-22, you need a sane DB table to run migrations, but you can't run migrations because the table isn't sane19:19
CaptainMorganayoung, its the same issue as above for migration _3719:19
dolphinatorlbragstad: responded19:20
CaptainMorganayoung, responded to your comment19:21
CaptainMorganayoung, but in short we already went rounds on this one and there is only so much we can do when oslo.db says "no your DB doesn't have innodb/utf8"19:21
ayoungCaptainMorgan, but doesn't the migration error out in the middle?19:22
CaptainMorganayoung, nope, oslo.db errors before it runs any migrations19:22
CaptainMorganthere is a bug against oslo.db19:22
ayoungfor table in tables:19:22
CaptainMorganbut we still need to fix our broken deployers19:22
ayoungjust blindly convert all tables?19:22
CaptainMorganayoung, trying to avoid potentially breaking anything by mucking with that19:23
CaptainMorgani'd rather keep these fixes really limited and specific19:23
ayoungCaptainMorgan, this one is bleeding all over the place19:23
ayoungand it does not solve the long term problem...19:23
CaptainMorganthe bug against oslo should19:23
CaptainMorganchanging charset and engine potentially on a live db is scary19:24
ayoungWe know the names of the tables due to the versions table.19:24
CaptainMorganlets not do it unless we really need to. i don't want to muck with db data if there is no reason to19:24
ayoungI'm not letting this change in as is19:24
*** aix has quit IRC19:24
CaptainMorganthis is about being as surgical as we can.19:24
ayoungCaptainMorgan, this is close, though19:24
ayounglets do it right19:24
CaptainMorganblindly changing tables is *not* doing it right19:24
CaptainMorganthis is only making the change if it is needed and 2nd all sorts of FK issues when you start doing this19:25
ayoungNah, not blind...we know the list of table names from the versions table19:25
ayoungor do we....19:25
CaptainMorganwe can probably be more surgical even19:25
CaptainMorganand catch just federation names since we know what table versions we're at19:26
CaptainMorganayoung, oh19:26
CaptainMorganlook at lines 198-20719:27
CaptainMorganwe can check we're in the federation extension though when migrating19:27
CaptainMorganvs. any extension value error triggering the fix19:27
CaptainMorganayoung, package_name = '.'.join((contrib.__name__, extension))  can be checked19:28
ayoungCaptainMorgan, where is the oslo fix?  If it ireally is going to fix this, then lets push to get that in19:29
ayounglink, please?19:29
CaptainMorganayoung, the bug is in the comment19:29
CaptainMorganfiled against oslo.db19:29
CaptainMorganbug #142633419:29
openstackbug 1426334 in Keystone "DB migration problem with federation extension" [High,In progress] - Assigned to Adam Young (ayoung)19:29
CaptainMorganoh no sec19:30
ayoungCloses-Bug: 1426334  Only links to Keystone.  Where is the Oslo fix?19:30
ayoungWho assigned it to me?19:30
CaptainMorganno idea19:30
CaptainMorganyou changed the commit msg19:31
ayoungCaptainMorgan, heh, I thought you were Marco19:31
ayoungWe doing casual nick Friday?19:32
CaptainMorgantoday, yes19:32
CaptainMorganlook at dolphinator19:32
CaptainMorganand stevedore19:32
*** joesavak has joined #openstack-keystone19:32
*** ayoung is now known as SugarAddy19:32
*** SugarAddy is now known as ayoung19:32
dolphinatorCaptainMorgan: i don't know what you're talking about19:33
ayoungtalking with dreamhost guys in a different channel, don't want to lose the thread there19:33
CaptainMorganso i *know* there is an oslo.db bug19:33
CaptainMorganlets just ask marco to add it in the comments19:33
ayoungCaptainMorgan, mmm, so  the issue is we run a migration, and it fails due to there being no utf-8 innodb...and yet we don't know the name of the table it failed on?19:34
CaptainMorganayoung, sanity_check raises an exception19:34
ayoungWhat if we could get the table out of the error message19:34
ayoungand then perform this migration on that table19:34
ayoungthat seems a little light to be solving the actual problem19:35
CaptainMorgani don't think i want to trust extracting the names from a generic ValueError19:36
ayoungthat is going to do nothing for tables that are already created, though19:36
* CaptainMorgan thinks this is a SQL-A migrate/alembic option that needs to grow19:36
ayoungOK...what if...19:37
ayoung1.  we modify migration 1 and  2 for federation like you've done19:37
CaptainMorgani think the sanity check is just broken actually.19:37
CaptainMorganwe need a hacking check or something else to force conformity19:37
ayoungand  then also add a migration 3 that converts the table..why would that trigger the sanity check?19:37
CaptainMorganayoung, if the tables are already broken, not innodb/utf8 you can't run migration319:38
ayoungGAH  that sanity check is breaking things19:38
ayoungthat needs to die19:38
CaptainMorgansanity_check is causing the issue19:38
ayoungrevert that19:38
CaptainMorgannot something to revert19:38
* ayoung tempted to f(*&^(*&uing monkey patch it out of existence19:38
ayoungyes it is...19:38
CaptainMorganthis is a discussion to be had with oslo team19:38
CaptainMorgannot something we can simply revert i meant19:39
ayoungYeah, I know19:39
ayoungdamn short sighted19:39
CaptainMorganand we can't disable the sanity check easily from the CLI19:39
CaptainMorganif so, i would put some exceptional handling in19:39
CaptainMorganit's buried19:39
* CaptainMorgan did this chase the last time this happened19:39
CaptainMorgansince it is rare - most deployers run with sane defaults (UTF8 and innodb by default) this is an edge case.19:40
CaptainMorgani think the sanity check is inherited from grizzly era fwiw19:40
ayoungcan we make that an external utility that is run, then19:41
ayoungkeystone-manage db_unfsck19:41
CaptainMorganooh wait a sec... this might have changed some.19:41
CaptainMorganah we can work around it now i think...19:41
CaptainMorganwe can add an explicit sanity_check=False now19:42
CaptainMorganthat wasn't doable before19:42
CaptainMorganso we can move that logic to a migration19:42
CaptainMorganbut the sanity_check=false has to be in migration_helpers still19:43
CaptainMorganso it just changes the migration method from _fix_federation_tables to migrate_version(xxx)19:43
CaptainMorganwith an explicit no sanity_check passed for that version19:43
* CaptainMorgan is still not pleased about this.19:43
*** Akshik has joined #openstack-keystone19:44
*** CaptainMorgan is now known as morganfainberg19:50
*** spandhe_ has joined #openstack-keystone19:51
*** joesavak has quit IRC19:52
*** spandhe has quit IRC19:53
*** spandhe_ is now known as spandhe19:53
dolphinatormorganfainberg: before i put it up for review,
*** _cjones_ has joined #openstack-keystone20:01
*** joesavak has joined #openstack-keystone20:02
lbragstaddolphinator: looks good20:09
ayoungmorganfainberg, so  we going to pass "sanity-check=False" and then run the migrations?20:10
ayoungor maybe just let --sanity-check be passed in on the command line?20:10
morganfainbergayoung, sure. we can probably do that now. but i'm worried it'll become the norm to run it that way :P20:11
bretonwow, wait20:11
bretonyou are planning to run all migrations with sanity_check=False?20:12
ayoungmorganfainberg, So, I think that we can have gate/devstack run with sanity check enabled, and make it a flag to keystone-manage db_sync20:12
morganfainbergbreton, no20:12
ayoungbreton, no, we are planning on making it possible to run that way so we can unwedge people20:12
morganfainbergbreton, well i think we need to make sanity_check change a lot, because as it stands you can get people wedged.20:12
morganfainbergbut that aside20:12
morganfainbergno, only if its needed to fix a problem where someone is wedged20:12
morganfainbergit's poorly designed in that if you end up with a db w/ tables that don't have innodb/utf8 you cannot run any migrations. but it was totally valid to end up in that state via migrations because it wasn't enforced20:13
morganfainbergyou can't even run a migration to fix the state of the db.20:13
bretonso it will be per-migration?20:13
morganfainbergbreton, it'll be for a specific set of migrations that need it - in the case they need it20:14
morganfainbergaka a deployer is wedged20:14
ayoungbreton, I think we want the sanity check run at the end, not the beginning20:14
ayoungrunning it a-priori just makes it impossible to fix things20:14
openstackgerritMerged openstack/keystone: Fixes bug in SQL/LDAP when honoring driver_hints
morganfainbergayoung, that doesn't fix thing really either. i think sanity check needs to be something that migrate tools can turn off where needed20:14
morganfainbergnot something that wraps it20:14
*** _cjones_ has quit IRC20:14
morganfainbergaka alembic / sql-a-migrate20:14
ayoungbut running it after all migrations, or after each migration even, will at least report the error where it happens20:15
morganfainbergayoung, sure.20:15
ayoungbut...running it at the end probably is the best short term hack20:15
dstanekmorganfainberg: for - existing migrations are being changed. if they have already been run then the tables won't be utf-8 right?20:15
ayoungit lets you run, but then reports an error that says "you did something dumb"20:15
morganfainbergdstanek, that is correct, which is why the code in migration_helpers exists.20:15
morganfainbergdstanek, you can't unwedge easily with a migration.20:15
*** nellysmitt has quit IRC20:15
ayoungmorganfainberg, you could if there were no sanity check20:15
morganfainbergdstanek, because sanity_check prevents you from running any migrations20:15
ayoungmigration 3 could add the innodb to tables that were improperly defined20:16
ayoungok...we are in alignment20:16
ayoungmorganfainberg, let me know what you plan on doing.  I'd rather not have federation specific code in the migration helper20:16
morganfainbergayoung, there will be some specific code, i am hesitant to make --no-sanity check a cli option20:17
morganfainbergbut i think we can be better about it20:17
* morganfainberg has a thought on how to handle this nicely20:17
morganfainberglet me deal with the internal-HP-It issue i'm fighting right now.20:17
ayoungmorganfainberg, I would be more ok with a keystone-manage db_innodbify  approach20:17
ayoungif the migration fails, they can run it by hand20:17
morganfainbergthen i'll post the change i'm thinking20:17
openstackgerritDolph Mathews proposed openstack/keystone: Drop Fernet token prefixes & add domain-scoped Fernet tokens
morganfainbergayoung, nah, have a better idea ;)20:18
openstackgerritDolph Mathews proposed openstack/keystone: Remove redundant creation timestamp from fernet tokens
openstackgerritDolph Mathews proposed openstack/keystone: Remove the expiration timestamp from Fernet tokens
ayoungmorganfainberg, cool20:18
morganfainbergayoung, way better idea actually ;)20:18
morganfainbergi think you'll like it20:18
dstanekmorganfainberg: for this specific review?20:18
morganfainbergdstanek, yes20:18
morganfainbergdstanek, and anytime this comes up in the future.20:18
dstanekok, i'll continue onto other things20:18
ayoungmorganfainberg, I have an intern candidate on the way, and then need to go get the I'll likely not get to it until later tonight or this weekend.  send it via email, please20:18
morganfainbergayoung, it can wait till monday20:19
morganfainbergayoung, s/wait till monday/till this weekend.20:19
openstackgerritDolph Mathews proposed openstack/keystone: Convert audit_ids to bytes
morganfainbergor whatever.20:19
*** _cjones_ has joined #openstack-keystone20:21
bknudsonwhat's a weekend?20:21
morganfainbergbknudson, that thing that most people go outside and get burned by the daystar during20:22
ayoungbknudson, when parenting duties take priority20:22
bknudsonsounds terrible.20:22
morganfainbergor when people shovel more snow so they can take kids elsewhere20:22
ayoungbknudson, you have no idea20:22
stevedorei am unfamiliar with this word20:24
*** _cjones_ has quit IRC20:26
*** _cjones_ has joined #openstack-keystone20:27
*** dnalezyt has joined #openstack-keystone20:27
*** dnalezyt has quit IRC20:28
*** dnalezyt has joined #openstack-keystone20:28
dstanekweekend is when you can drink in the early afternoon and not get fired20:29
*** dnalezyt has quit IRC20:30
*** dnalezyt has joined #openstack-keystone20:30
openstackgerritDolph Mathews proposed openstack/keystone: Drop Fernet token prefixes & add domain-scoped Fernet tokens
openstackgerritDolph Mathews proposed openstack/keystone: Remove redundant creation timestamp from fernet tokens
openstackgerritDolph Mathews proposed openstack/keystone: Remove the expiration timestamp from Fernet tokens
openstackgerritDolph Mathews proposed openstack/keystone: Convert audit_ids to bytes
*** radez is now known as radez_g0n320:32
dstanekoh, no; the split off into keystone.resource has turned our circular dependency into a figure 820:33
dolphinatordstanek: lol20:33
*** henrynash has joined #openstack-keystone20:33
*** ChanServ sets mode: +v henrynash20:33
dstanekit was identity <- -> assignment and now it's identity <- -> assignment && identity <- -> resource && assignment <- -> resource20:34
dolphinatorstevedore: weekend is 48 hour period in which canadians celebrate not having to commute across the frozen wasteland for work20:34
dolphinatorstevedore: but you work remotely so you wouldn't know20:34
stevedoredolphinator, the wife says i'm a delicate flower since i don't commute in, and complain that it's cold20:36
lbragstadstevedore: lol20:37
stevedoremeanwhile she walks20:37
dolphinatorstevedore: /nick delicate_flower please20:37
stevedoreworking remotely has turned me soft, figuratively and  literally20:37
henrynashbknudson: when you have a moment, perhaps you could see if you are happy with my changes to your comments on:
stevedorehenrynash, you should know bknudson is never 'happy', he is just less angry with code20:39
*** dencaval has quit IRC20:39
dstanekstevedore: i'll get you the t-shirt20:39
bknudsonhenrynash: I actually had some comments from last night I forgot to hit the review button on.20:39
henrynashbknudson: np :-)20:40
dstanekhenrynash: oh, no. you'll never get it through ;-)20:40
henrynashdstanek: oh ye of little faith :-)20:41
bknudsonhenrynash: it's close... would like to see the spec updated with the other resources.20:41
henrynashbknudson: the domain-config-group etc.?20:42
bknudsonhenrynash: yes.20:42
*** raildo has quit IRC20:42
bknudsonthe previous patch set was correct with the relationship, but the relationship wasn't documented in the spec.20:43
henrynashbknudson: sure, we can do that….I know the spec is theoretically frozen, but I would think that would be a reasonable fix to it20:43
bknudsonhenrynash: well, if this is going to be experimental then these resources shouldn't show up in the JSONHome20:44
bknudsonespecially since ?experimental for JSON Home never got implemented.20:44
* henrynash bknudson: really? I thought we *would* show these in Json home, but have a hints status of experimental…that’s actually in a follow on patch, see: 20:46
henrynashbknudson: a reasonable argument would be that this experimental setting should be merged with this api patch20:47
bknudsonhenrynash: ok... I don't know when that was decided.20:47
bknudsonno reason it can't work that way.20:47
bknudsonbut I don't think there's any documentation that says that's the way we do experimental in json-home?20:48
henrynashbknudson: so I thought it was a consequence of getting rid of extensions….instead the API would (ideally show up in JSON Home, but experimental if it was not ready for core20:48
bknudson says nothing about it20:49
*** Ephur_ has quit IRC20:49
bknudsonok, I didn't have time to review that one so I guess I have to live with the consequences.20:49
henrynashbknudson: ….I guess this will be a trial one...20:49
stevedoredolphinator, mosh needs scroll back20:49
*** henrynash has quit IRC20:50
bknudsonif we're going to make experimental in hints a thing then should be in the spec.20:50
lbragstaddolphinator: curious if we need to add config_fixture for default_domain_id ?
lbragstador that shouldn't matter since it's assuming the default?20:52
*** dimsum__ has quit IRC21:01
*** samueldmq_ has joined #openstack-keystone21:12
dolphinatorstevedore: i assume you're in tmux ... ctrl+B and then {21:17
dolphinatorlbragstad: it's using the default anyway21:17
dolphinatorlbragstad: and i think those tests pass? i wrote a unit test for the new behavior21:18
lbragstaddolphinator: cool21:18
*** iamjarvo has quit IRC21:21
dolphinatorlbragstad: after your patch, an unscoped token is 140 chars. a project/domain scoped token is 164 chars, a trust scoped token is 184 chars21:21
lbragstaddolphinator: yep, sounds consistent with what I got, I didn't get the numbers for trust scoped though21:22
dolphinatorlbragstad: did you try bootstrap again?21:23
lbragstaddolphinator: I'll repull and try it21:23
openstackgerritMerged openstack/keystone: Update developer docs landing page
lbragstaddolphinator: works now!
dolphinatorlbragstad: yay!21:31
dolphinatornow if only ansible 1.9 would come out i could run playbooks against gerrit21:32
*** harlowja_away has quit IRC21:34
openstackgerritLance Bragstad proposed openstack/keystone: Convert audit_ids to bytes
lbragstadjorge_munoz: fixed ^21:35
jorge_munozlbragstad: thanks21:35
*** iamjarvo has joined #openstack-keystone21:35
*** dimsum__ has joined #openstack-keystone21:41
sigmavirus24/goto api21:43
sigmavirus24'scuse me21:44
*** topol has quit IRC21:45
dolphinatorbknudson: would that DB2 CI job be trying to cherry pick changes onto a custom code base?21:46
dolphinatorbknudson: i'm just trying to figure out how the error message makes any sense ("This change depends on a change that failed to merge.")21:47
bknudsondolphinator: I think there's actually lots of reasons for a "failed to merge error"... e.g., any time there's an issue early on it says it failed to merge.21:47
dolphinatorbknudson: fair enough21:47
bknudsondolphinator: I sent enough angry emails around here that I think we'll see some action on this (or I'll be available)21:48
dolphinatorbknudson: i came across a job that succeeded from this morning, so it might only be failing intermittently (although I've seen a lot of failures!)21:49
dolphinatorbknudson: lol thanks21:49
bknudsondolphinator: it needs to be more stable otherwise it's not useful... I thought that the keys were revoked already so I'm surprised it's still reporting.21:50
dolphinatorbknudson: the keys?21:53
bknudsondolphinator: infra can disable external CI from reporting or getting notifications...21:56
dolphinatorbknudson: ah, if that's happened, i'm not aware of it21:56
bknudson -- 2015-03-06T19:07:47  <clarkb> anteaya: CaptainMorgan all done21:57
*** panbalag has quit IRC21:58
morganfainbergdolphinator: they are also not posting useful success/failure logs.22:01
morganfainbergdolphinator: so unless they conform to the requirements for 3rd party CI again, it won't be enabled.22:01
dolphinatormorganfainberg: the successful jobs have logs22:02
dolphinatormorganfainberg: but i've never looked at them because i've never run into a legit failure22:02
morganfainbergOnce from 2-3 days ago didn't.22:02
morganfainbergThey were 404s22:02
dolphinatoroh fun22:02
morganfainbergYeah link was there, no logs.22:02
bknudsonhow long are we expected to keep logs?22:02
bknudson2-3 days ought to be enough for anyone.22:02
morganfainbergbknudson: I think 2wks.22:02
morganfainbergMight be 30days22:02
morganfainbergIt's on the 3rd party CI guidelines.22:03
anteayafailure should post logs22:03
anteayaelse how do you know what failed22:03
anteaya30 day log retention22:04
anteayait is in the requirements section22:04
morganfainberganteaya: yep was looking at the page for that link as you typed it :)22:05
anteayait is in muscle memory22:05
bknudsonanteaya: just wondering -- what's the process for getting reenabled?22:06
anteayaprove to keystone that you are following all requirements as listed above22:07
bknudsonit must be ssh keys from reading the gerrit stream that gets disabled:
anteayaand provide value by commenting on patches22:07
anteayathen when keystone says hey anita re-enable them, I will22:07
anteayaor can tell infra if I am unavailable22:08
bknudsonok... will worry about that when it's fixed.22:08
anteayabasically if you are happy (and they have fulfilled listed requirements - I'm counting on folks in here to check) then I'm happy22:08
anteayabknudson: yup22:08
*** radez_g0n3 is now known as radez22:08
anteayaand if you see a requirement you don't know what it means, ping me and we can go over it22:08
*** mattfarina has quit IRC22:09
*** timcline_ has quit IRC22:09
bknudsonanteaya: you also have a meeting for 3rd party ci?22:09
anteayaI'd much rather teach y'all what those mean than
anteayaI have two22:09
anteayamondays at 1500 utc and tuesdays at 0800 utc22:09
anteayaall welcome22:09
bknudsonkrtaylor also provides power ci here so maybe we can use him as a consultant.22:09
anteayaif you like22:10
anteayathe first problem is the system is broken and no one was watching22:10
anteayadon't care who fixes that but that is the first problem that needs to be fixed22:10
*** joesavak has quit IRC22:11
*** dnalezyt has quit IRC22:12
*** dimsum__ has quit IRC22:16
*** dimsum__ has joined #openstack-keystone22:17
*** dimsum__ has quit IRC22:21
*** dimsum__ has joined #openstack-keystone22:23
*** r-daneel has quit IRC22:23
*** chlong has quit IRC22:24
lbragstaddolphinator: you were using depends-on recently, right?22:28
lbragstadjorge_munoz: was curious22:28
dolphinatorlbragstad: i have not used it yet, but i know mostly how it works22:29
bknudsonlbragstad: that was stevedore22:29
lbragstaddolphinator: is it documented somewhere? searching for it now22:31
*** radez is now known as radez_g0n322:31
dolphinatorlbragstad: not that i've seen, but haven't looked22:33
stevedorelbragstad, it was a bit finicky22:34
dolphinatorlbragstad: you can also do multiple Depends-On within the same repo ... so you could depend on both patch A and patch B which are not dependent on each other already, without affecting those22:34
bknudsonstevedore: what happened?22:35
dolphinatorlbragstad: a bunch of fernet changes are near the front of the gate22:35
stevedorethe first patch in the chain merged, then the second patch would pass check but never entered gate22:35
openstackgerritMerged openstack/keystone: Add unscoped token formatter for Fernet tokens
openstackgerritMerged openstack/keystone: Refactor: rename the "standard" token formatter to "scoped"
dolphinatoroh well there we go22:36
bknudsonstevedore: you had to recheck?22:36
openstackgerritMerged openstack/keystone: Refactor: remove token formatters dep on 'token_data' on create()
dolphinatorlbragstad: ^22:36
dolphinatorlbragstad: ^22:36
stevedorebknudson, even after a recheck it did nothing22:36
stevedorebknudson, i ended up removing depends-on from the commit msg22:36
stevedoreand then it merged22:36
bknudsonI'm surprised they didn't get their account disabled #holdsagrudge22:36
dolphinatorone refactor left to review before we get to fun changes if anyone is interested:
dolphinatorbknudson: who?22:36
*** Akshik_ has joined #openstack-keystone22:37
openstackgerritMerged openstack/keystone: Add minimum release support notes for federation
lbragstadjorge_munoz: bunch of stuff just merged there22:38
*** tqtran is now known as tqtran_afk22:39
*** Akshik has quit IRC22:41
*** Akshik_ has quit IRC22:42
*** dimsum__ has quit IRC22:43
*** dimsum__ has joined #openstack-keystone22:43
*** tqtran_afk has quit IRC22:46
*** jorge_munoz has quit IRC22:46
*** dimsum__ has quit IRC22:48
*** carlosmarin has quit IRC22:56
bretondolphinator: re 155292: understood, thank you22:57
*** _cjones_ has quit IRC22:59
*** iamjarvo has quit IRC22:59
*** henrynash has joined #openstack-keystone23:00
*** ChanServ sets mode: +v henrynash23:00
*** r-daneel has joined #openstack-keystone23:02
*** henrynash has quit IRC23:05
*** r-daneel_ has joined #openstack-keystone23:06
*** r-daneel has quit IRC23:07
*** _cjones_ has joined #openstack-keystone23:07
*** r-daneel_ has quit IRC23:10
*** r-daneel_ has joined #openstack-keystone23:10
*** gordc has quit IRC23:10
openstackgerritBrant Knudson proposed openstack/keystone: Docstring fixes in fernet.token_formatters
openstackgerritDolph Mathews proposed openstack/keystone: Refactor: make Fernet token creation/validation API agnostic
dolphinatorlbragstad: so i think this is what we were discussing earlier in the week:
dolphinatorlbragstad: that should make jorge's patch much simpler23:18
ayoungmorganfainberg, dolphinator stevedore do we have CLI support for federation commands yet, like creating IDPs and protocols?23:18
dolphinatorayoung: in openstackclient?23:18
morganfainbergayoung: I don't think we have direct support yet.23:18
morganfainbergMaybe in openstackclient. But I want to say that hasn't landed.23:19
bknudsonayoung: ?23:19
bknudsonstevedore is all over this stuff.23:19
bknudsonthey're never going to be in keystone CLI since they're v323:21
stevedoreayoung, you bet it's in OSC23:21
ayoungah...I have an old client.  got the RPM version23:21
stevedoreeven mappings23:21
ayoungopenstack 0.3.123:21
stevedorethat thing always gets up23:21
ayoungstevedore, well F21 was released with Icehouse23:22
ayoungJuno came out afterwards, so the RPMs are not yet updated, but I can get them from a repo23:22
stevedoreyep, new ones are around23:23
ayoungbut updating is going to pull in all of the dependencies.  I'm guessing what I have was from installing packstack, since they are not the pip versions23:23
bknudson TypeError: decrypt() got an unexpected keyword argument 'ttl'23:25
bknudsonit's in the docs...23:28
*** doug-fish has left #openstack-keystone23:28
bknudson>>> val2 = fernets.decrypt(val1,ttl=100) -- worked for me.23:31
*** stevedore has quit IRC23:31
richmayoung: what package version do you need?23:31
*** mattfarina has joined #openstack-keystone23:40
openstackgerritSam Leong proposed openstack/keystone: Tokenless authz with X.509 SSL client certificate
*** mattfarina has quit IRC23:57
*** dimsum__ has joined #openstack-keystone23:59
