Monday, 2015-03-09

*** esp has left #openstack-keystone00:02
*** henrynash has quit IRC00:04
bretonsamueldmq: db_sync, in fact, applies migrations starting from 1. It does nothing else. So, if you already have Juno migrations applied, db_sync will apply only Kilo ones.00:10
bretonsamueldmq: from time to time squash old migrations and move them to one giant migration. It's called 034_havana.py now. db_sync considers it to be the first.00:11
breton*from time to time we squash00:16
*** _cjones_ has quit IRC00:16
samueldmqbreton, ah ok ... so we always apply them00:26
samueldmqbreton, I was concerned by the addition of an index00:26
samueldmqbreton, from the table definition, sqlalchemy automatically names it ix_assignment_actor_id, but the migration names it ix_actor_id00:27
samueldmqbreton, so I was concerned that if we had a fresh installation OR a previous installation00:27
samueldmqbreton, we could have different names00:28
samueldmqbreton, https://github.com/openstack/keystone/blob/master/keystone/assignment/backends/sql.py#L40200:28
samueldmqbreton, https://github.com/openstack/keystone/blob/master/keystone/common/sql/migrate_repo/versions/054_add_actor_id_index.py#L2500:29
samueldmqbreton, so in fact, for subsequent migrations, I only need to consider ix_actor_id00:29
samueldmqbreton, thanks00:30
*** abhirc has quit IRC00:51
*** abhirc has joined #openstack-keystone00:51
*** nicodemos has quit IRC00:52
*** nicodemos has joined #openstack-keystone00:53
*** abhirc has quit IRC00:55
*** abhirc has joined #openstack-keystone00:55
*** abhirc has quit IRC00:57
*** abhirc has joined #openstack-keystone00:57
*** abhirc has quit IRC00:58
*** abhirc has joined #openstack-keystone00:58
*** abhirc has quit IRC01:05
*** _cjones_ has joined #openstack-keystone01:12
*** samueldmq has quit IRC01:17
*** samueldmq has joined #openstack-keystone01:18
*** radez_g0n3 is now known as radez01:25
*** ncoghlan has joined #openstack-keystone01:29
*** _cjones_ has quit IRC01:31
*** abhirc has joined #openstack-keystone01:40
*** _cjones_ has joined #openstack-keystone01:51
*** radez is now known as radez_g0n301:51
*** qwebirc49866 has joined #openstack-keystone01:58
*** qwebirc49866 has quit IRC01:58
*** DaveChen has joined #openstack-keystone01:59
*** krtaylor has quit IRC02:04
*** diegows has quit IRC02:11
*** kaisers has joined #openstack-keystone02:19
*** kaisers1 has quit IRC02:20
*** lhcheng has quit IRC02:29
*** Krast has joined #openstack-keystone02:32
*** _cjones_ has quit IRC02:37
*** samueldmq has quit IRC02:47
*** erkules has joined #openstack-keystone02:49
*** erkules_ has quit IRC02:49
*** browne has joined #openstack-keystone02:49
*** krtaylor has joined #openstack-keystone02:55
*** dimsum__ has quit IRC03:02
*** lhcheng has joined #openstack-keystone03:30
openstackgerritDave Chen proposed openstack/keystone: Use region or region_id in a consistent way  https://review.openstack.org/16246503:33
*** lhcheng has quit IRC03:34
openstackgerritDave Chen proposed openstack/keystone: Use `region` or `region_id` in a consistent way  https://review.openstack.org/16246503:39
*** _cjones_ has joined #openstack-keystone03:44
*** iamjarvo has quit IRC03:45
*** _cjones_ has quit IRC03:55
*** iamjarvo has joined #openstack-keystone04:02
*** iamjarvo has quit IRC04:02
*** iamjarvo has joined #openstack-keystone04:03
*** dimsum__ has joined #openstack-keystone04:03
*** dimsum__ has quit IRC04:09
*** iamjarvo has quit IRC04:45
*** _cjones_ has joined #openstack-keystone04:52
*** _cjones_ has quit IRC04:56
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Don't autodoc the test suite  https://review.openstack.org/16252505:12
*** lhcheng has joined #openstack-keystone05:19
*** lhcheng has quit IRC05:24
*** lhcheng has joined #openstack-keystone05:29
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Provide a generic auth plugin loader  https://review.openstack.org/16252905:45
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Allow loading auth plugins via getter function  https://review.openstack.org/16196205:51
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Allow loading auth plugins via getter function  https://review.openstack.org/16196205:52
*** topol has joined #openstack-keystone05:55
*** ChanServ sets mode: +v topol05:55
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/16238606:03
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Allow registering additional plugins  https://review.openstack.org/11256406:08
openstackgerritDave Chen proposed openstack/keystone: Add Foreign Key constraints to `assignment`  https://review.openstack.org/16254306:24
*** topol has quit IRC06:37
*** _cjones_ has joined #openstack-keystone06:53
openstackgerritSteve Martinelli proposed openstack/keystone: Add scope info to initiator data for CADF notifications  https://review.openstack.org/16254706:57
*** rwsu has joined #openstack-keystone06:57
*** _cjones_ has quit IRC06:58
*** rwsu is now known as rwsu-afk06:58
*** afazekas has joined #openstack-keystone07:09
*** mflobo has joined #openstack-keystone07:14
*** dimsum__ has joined #openstack-keystone07:41
bretonsamueldmq: I'd consider this difference a bug. Not sure how severe though07:44
*** lhcheng has left #openstack-keystone07:45
openstackgerritMerged openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/16238607:45
*** dimsum__ has quit IRC07:46
*** _cjones_ has joined #openstack-keystone07:55
openstackgerritSteve Martinelli proposed openstack/keystone: add cadf notifications for oauth  https://review.openstack.org/15904507:55
openstackgerritRodrigo Duarte proposed openstack/keystone: Remove extra semicolon from mapping fixtures  https://review.openstack.org/14808007:59
rodrigodsmarekd, stevemar ^08:00
*** _cjones_ has quit IRC08:00
rodrigodsremoved the dependency08:00
*** nellysmitt has joined #openstack-keystone08:00
marekdrodrigods: thanks.08:01
*** stevemar has quit IRC08:01
openstackgerritDave Chen proposed openstack/keystone: Add Foreign Key constraints to table of `assignment`  https://review.openstack.org/16254308:05
*** chlong has quit IRC08:07
*** nellysmitt has quit IRC08:12
*** nellysmitt has joined #openstack-keystone08:12
*** josecastroleon has joined #openstack-keystone08:15
*** pnavarro has joined #openstack-keystone08:19
*** browne has quit IRC08:28
openstackgerritRodrigo Duarte proposed openstack/keystone: Fix naming convention in configuration.rst  https://review.openstack.org/16256108:34
openstackgerritMarek Denis proposed openstack/keystone: Correct utf8/innodb issues with tables  https://review.openstack.org/15980308:47
openstackgerritDave Chen proposed openstack/keystone: Use assertFalse and assertTrue instead of assertEqual  https://review.openstack.org/16257008:55
*** _cjones_ has joined #openstack-keystone08:56
*** jamiec has quit IRC08:58
*** _cjones_ has quit IRC09:02
*** ncoghlan has quit IRC09:03
*** dobson has quit IRC09:04
*** hogepodge has quit IRC09:04
*** karimb has joined #openstack-keystone09:04
*** jamiec has joined #openstack-keystone09:06
*** dobson has joined #openstack-keystone09:06
*** hogepodge has joined #openstack-keystone09:06
*** henrynash has joined #openstack-keystone09:10
*** ChanServ sets mode: +v henrynash09:10
*** jistr has joined #openstack-keystone09:13
openstackgerritMarek Denis proposed openstack/keystone: IdP ID registration and validation  https://review.openstack.org/15215609:18
*** karimb has quit IRC09:25
*** karimb has joined #openstack-keystone09:27
openstackgerrithenry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs  https://review.openstack.org/15992809:27
openstackgerrithenry-nash proposed openstack/keystone: Mark the domain config API as experimental  https://review.openstack.org/16003209:34
kaisersHi! Does anybody here have experience with RedHat RDO OpenStack installations? Any idea where RDO hides keystone-paste.ini ?09:44
openstackgerrithenry-nash proposed openstack/keystone-specs: Mark the domain-config API as experimental  https://review.openstack.org/16248409:48
*** lhcheng has joined #openstack-keystone09:48
*** _cjones_ has joined #openstack-keystone09:59
*** henrynash has quit IRC10:02
*** _cjones_ has quit IRC10:09
*** abhirc has quit IRC10:16
*** dims_ has joined #openstack-keystone10:16
*** lhcheng has left #openstack-keystone10:26
*** radez_g0n3 is now known as radez10:29
*** radez is now known as radez_g0n310:53
*** fmarco76 has joined #openstack-keystone10:54
*** fmarco76 has left #openstack-keystone10:55
*** fmarco76 has joined #openstack-keystone10:58
*** josecastroleon has quit IRC11:00
*** chlong has joined #openstack-keystone11:03
*** _cjones_ has joined #openstack-keystone11:05
marekdkaisers: if i recall correctly it was somewhere in /usr/share ?11:09
marekdlbragstad: dolphinator: Remind me please. When I want to use any OpenStack service with Fernet tokens, such service will always need to connect with Keystone and validate it?11:11
*** markvoelker has joined #openstack-keystone11:13
kaisersmarekd: Thanks!11:15
*** erkules has quit IRC11:32
*** erkules has joined #openstack-keystone11:32
kaisersOne more question: is there a difference between "s3 extension" and "OS-KSS3" extension???11:37
kaisersThe API lists OS-KSS3 :http://developer.openstack.org/api-ref-identity-v2.html  but in the keystone-paste.ini i can only find "s3 extension"....11:38
*** _cjones_ has quit IRC11:38
*** diegows has joined #openstack-keystone11:46
*** markvoelker has quit IRC11:47
*** markvoelker has joined #openstack-keystone11:48
*** markvoelker has quit IRC11:52
*** samueldmq has joined #openstack-keystone12:00
*** raildo has joined #openstack-keystone12:05
*** panbalag has joined #openstack-keystone12:06
*** joesavak has joined #openstack-keystone12:19
openstackgerritDave Chen proposed openstack/keystone: Use assertFalse or assertTrue instead of assertEqual  https://review.openstack.org/16257012:27
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: List projects filtering by is_domain flag  https://review.openstack.org/15839812:30
*** iamjarvo has joined #openstack-keystone12:31
openstackgerritTelles Mota Vidal Nóbrega proposed openstack/keystone: List projects filtering by is_domain flag  https://review.openstack.org/15839812:32
openstackgerritTelles Mota Vidal Nóbrega proposed openstack/keystone: List projects filtering by is_domain flag  https://review.openstack.org/15839812:32
*** gordc has joined #openstack-keystone12:34
*** _cjones_ has joined #openstack-keystone12:36
*** sigmavirus24_awa is now known as sigmavirus2412:39
*** joesavak has quit IRC12:40
*** mohammed__ has joined #openstack-keystone12:42
*** aix has joined #openstack-keystone12:43
*** dims_ has quit IRC12:44
*** dimsum__ has joined #openstack-keystone12:44
*** joesavak has joined #openstack-keystone12:48
*** mohammed__ has left #openstack-keystone12:48
kaisersA more general question: How do i install/configure extensions in keystone in general? Can somebody pls point me to  documentation regarding this?12:50
marekdkaisers: extensions like oauth etc?12:51
kaisersi do know about keystone-paste.ini. Are new extensions added by adding the respective filter entry & pipeline additions? Are there sources needed to be installed?12:51
kaisersVery specific OS-KSS3 :-D12:52
kaisersI mean extensions like listed at http://developer.openstack.org/api-ref-identity-v2.html12:52
dstanekkaisers: how did you install Keystone?12:53
kaisersRDO standard installation12:53
kaisersMore specific RDO juno release on CentOS 712:53
dstanekkaisers: depending on the extension you may have to install Python libs if RDO didn't include them12:54
kaiserspython libs should be installed, if stuff like that is missing i'll be able to install. My issue is that i have no idea and find no documentation how an (any) extension from that API listing is installed12:55
kaisersi mean in keystone, of course12:56
*** Tahmina has joined #openstack-keystone12:57
kaisersFrom looking at the keystone-paste.ini and looking at the API page i find no correlation and i find no plugins/modules/etc. that i can research into or test installing. In fact almost the only place i find anything about OS-KSS3 is that API page (linked above).12:57
dstanekkaisers: generally speaking you were right about adding the pipeline entries - i don't know what the KSS3 extension is though12:57
kaisersdstanek: OS-KSS3 admin adds user manipulation for s3 accounts12:57
dstanekkaisers: i don't see that in the tree12:59
kaisersI should have been more specific, this is the api we require: http://developer.openstack.org/api-ref-identity-v2.html#os-kss3-admin-ext12:59
dstanekkaisers: i know what you are talking about, but i don't see the code anywhere13:00
*** dimsum__ is now known as dims13:01
kaisersdstanek: Oooops :-D13:02
dstanekkaisers: you may have to wait for one of the old timers to tell you what happened to it13:02
kaisersSo this should normally be in the Juno branch of keystone, is that correct?13:02
*** bknudson has left #openstack-keystone13:03
*** chlong has quit IRC13:04
kaisersdstanek: I'll lurk and pounce later on again. Thanks a lot for bringing me so far!! :)13:09
*** _cjones_ has quit IRC13:09
*** iamjarvo has quit IRC13:14
*** iamjarvo has joined #openstack-keystone13:16
*** chlong has joined #openstack-keystone13:17
*** yasu_ has joined #openstack-keystone13:18
*** henrynash has joined #openstack-keystone13:23
*** ChanServ sets mode: +v henrynash13:23
*** bknudson has joined #openstack-keystone13:24
*** ChanServ sets mode: +v bknudson13:24
*** mattfarina has joined #openstack-keystone13:33
openstackgerritRodrigo Duarte proposed openstack/keystone: Mirror domain entries to project table  https://review.openstack.org/16140813:38
openstackgerritRodrigo Duarte proposed openstack/keystone: Add domain_id checking in create_project  https://review.openstack.org/15994413:38
openstackgerritRodrigo Duarte proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/15742713:38
openstackgerritRodrigo Duarte proposed openstack/keystone: WIP: Bye bye domain table  https://review.openstack.org/16185413:38
openstackgerritRodrigo Duarte proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376313:38
openstackgerritRodrigo Duarte proposed openstack/keystone: Change project name constraint  https://review.openstack.org/15837213:38
*** richm has joined #openstack-keystone13:43
openstackgerritTelles Mota Vidal Nóbrega proposed openstack/keystone: List projects filtering by is_domain flag  https://review.openstack.org/15839813:49
*** iamjarvo has quit IRC13:51
*** vhoward has joined #openstack-keystone13:55
*** henrynash has quit IRC13:56
*** henrynash has joined #openstack-keystone13:58
*** ChanServ sets mode: +v henrynash13:58
*** yasu_ has quit IRC14:05
*** _cjones_ has joined #openstack-keystone14:06
*** samueldmq_ has joined #openstack-keystone14:08
*** markvoelker has joined #openstack-keystone14:11
*** timcline has joined #openstack-keystone14:13
*** jsavak has joined #openstack-keystone14:17
*** markvoelker has quit IRC14:18
*** markvoelker has joined #openstack-keystone14:19
*** timcline has quit IRC14:20
*** timcline has joined #openstack-keystone14:20
*** joesavak has quit IRC14:21
*** markvoelker has quit IRC14:23
*** nellysmitt has quit IRC14:24
*** markvoelker has joined #openstack-keystone14:24
*** r-daneel has joined #openstack-keystone14:28
*** dolphinator is now known as dolphm14:37
dolphmmarekd: yes, they behave just like UUID tokens in that respect14:38
marekddolphm: ok, thanks.14:38
*** _cjones_ has quit IRC14:39
*** erkules has quit IRC14:40
*** jorge_munoz has joined #openstack-keystone14:46
*** erkules has joined #openstack-keystone14:47
*** erkules has quit IRC14:48
*** erkules has joined #openstack-keystone14:48
*** carlosmarin has joined #openstack-keystone14:49
*** topol has joined #openstack-keystone14:58
*** ChanServ sets mode: +v topol14:58
*** zzzeek has joined #openstack-keystone15:01
*** edmondsw has joined #openstack-keystone15:02
*** stevemar has joined #openstack-keystone15:03
*** ChanServ sets mode: +v stevemar15:03
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/16235015:04
edmondswlbragstad, can you take a look at https://review.openstack.org/#/c/161543/ ? Need another +2 and +w since the existing +2s were both from same company15:05
*** nellysmitt has joined #openstack-keystone15:08
lbragstadedmondsw: one question, inline15:10
lbragstadedmondsw: do we need to init the assignment.Manager()?15:10
marekdlbragstad: i was just commenting on this. i assume this must be initialized, but it's not that straightforward (see identity.Manager() above questionable line)15:12
marekdlbragstad: anyway, good point.15:12
lbragstadmarekd: ++15:12
lbragstadmarekd: I figured there was a reason, but not 100% sure. A comment would be helpful15:13
lbragstadcc edmondsw ^15:13
edmondswlbragstad, yes, we do... doesn't work without that15:16
marekdedmondsw: can we add a comment?15:17
edmondswmarekd, sure... what do you want it to say?15:17
marekdedmondsw: that this must be initialized even though it seems not to be used/returned.15:18
edmondsw"init to avoid KeyError on assignment_api in resource.core"15:18
marekdsomething like this.15:18
*** j_king has joined #openstack-keystone15:20
*** browne has joined #openstack-keystone15:21
*** ayoung has joined #openstack-keystone15:22
*** ChanServ sets mode: +v ayoung15:22
j_kingworking on https://bugs.launchpad.net/cinder/+bug/1298135 and am trying to grok whether the trusts API is the correct way to extend a token authorization for long-running processes15:22
openstackLaunchpad bug 1298135 in Cinder "Cinder should handle token expiration for long ops" [Medium,Confirmed] - Assigned to j_king (james-agentultra)15:22
ayoungmorganfainberg, topol bknudson dstanek stevemar  do we have a plan for getting the functional testing started ?15:22
ayoungwe don't , today, have a functional subdir under tests15:23
stevemarayoung, dstanek has a slew of patches to get stuff working15:23
ayoungstevemar, looking15:23
bknudsonayoung: https://review.openstack.org/#/c/150528/15:23
stevemargordc, so alls i gotta do is update event_definitions?15:24
stevemargordc, hows that work?15:24
dstanekayoung: i also have a bunch of stuff i started working on that i haven't completed yet15:24
dstanekmostly moving v3 tests over to the functional tests15:24
gordcstevemar: yeah, just update event_definitions...15:25
stevemargordc, hows that mapping work?15:25
dstaneki've been doing too many streams of parallel work, me thinks15:25
gordcstevemar: it becomes an event. basically, a notification comes in and the event_definitions will index the values you have in mapping15:26
*** afazekas has quit IRC15:26
gordcstevemar: we don't want to make samples of notifications that don't have measurements anymore... because well a metric should measure something.15:26
ayoungdstanek, so I think I have an easier way to go about testing Federation15:28
dstanekayoung: ?15:28
ayoungit won't test the whole stack, but it will test the mapping part15:29
stevemargordc, i see, so what happens if a field is incorrectly referenced? it just defaults to None?15:29
ayoungOK...so I wrote this up:  http://adam.younglogic.com/2015/03/key-fed-lookup-redux/15:29
ayoungnow, for my work, I am doing Kerberos, but I think we can do something using Basic Auth.15:29
*** edmondsw has quit IRC15:29
ayoungWe have the LDAP target already.  So we can, probably, use devstack's ldap support to set up ldap, and use SSSD/mod_lookup_identity to drive the mapping instead of pysaml15:30
dstanekayoung: that's easier than setting up an IdP you mean?15:30
ayoungyes15:30
gordcstevemar: nothing. if it ain't there it won't be there... each event has arbitrary collection of indexed values.15:30
*** markvoelker has quit IRC15:30
stevemargordc, that's super weird, but you're the boss15:30
ayoungdstanek, and, it also gets us a path to killing off the LDAP-specific code15:30
ayoung2 for 1 goodness15:31
*** markvoelker has joined #openstack-keystone15:31
dstanekdoes that test the whole saml path?15:31
ayoungNo,  just mapping15:31
dstanekthen i don't think that would be good enough for a functional test15:32
*** samueldmq_ has quit IRC15:32
ayoungHmm,  probably would still want SAML, but it would be a good alternative path to testing the mapping code15:32
dstanekayoung: to me that would just be another configuration of many - would all potential federation tests work on that or would it require different tests?15:33
gordcstevemar: well generally you'd index something you knew exists... but considering openstack notifications are crazytown we won't explode if it doesn't exist.15:33
ayoungdstanek, I think I misread your comment.  When you said "This IdP is nowhere near production quality. "  I was thinking you meant for the test...but you mean "sufficient for test, don't use in production"15:33
dstanekayoung: yes, it's a piece of crap, but it works well enough for tests :-)15:33
marekddstanek: i think that's the best what we have among python impls :/15:34
ayoungdstanek,  so what I want to do is use the Mapping auth plugin as the normal way of binding to existing data, to include LDAP.15:34
marekdstevemar: did some research some time ago and pysaml was all in all the best.15:34
marekdayoung: and we use it in fact for K2K.15:34
marekddstanek: ^^15:34
marekdwell, some parts of it.15:35
ayoungmarekd, don't get me started15:35
ayoungas you recall I raised some objections when that design got started15:35
*** markvoelker has quit IRC15:35
*** edmondsw has joined #openstack-keystone15:35
*** _cjones_ has joined #openstack-keystone15:35
marekddont remember.15:36
openstackgerritMatthew Edmonds proposed openstack/keystone: 'Assignment' has no attr 'get_domain_by_name'  https://review.openstack.org/16154315:37
openstackgerritDolph Mathews proposed openstack/keystone: Refactor: make extras optional in v3 get_token_data  https://review.openstack.org/16266115:37
openstackgerritDolph Mathews proposed openstack/keystone: Deprecate passing "extras" in token data  https://review.openstack.org/16266215:37
*** david-lyle_afk is now known as david-lyle15:38
*** markvoelker has joined #openstack-keystone15:38
edmondswlbragstad, marekd, new patch set is up with the comment added https://review.openstack.org/#/c/161543/15:40
bknudson"was introduced to copy a bug in v2" LOL15:40
*** rwsu-afk is now known as rwsu15:41
*** diegows has quit IRC15:42
lbragstadedmondsw: thanks for adding the comment,15:42
lbragstadlooks good to me once Jenkins passes15:43
dolphmbknudson: it's true15:43
edmondswlbragstad, tx15:43
*** markvoelker has quit IRC15:43
*** markvoelker has joined #openstack-keystone15:44
*** nellysmitt has quit IRC15:49
*** markvoelker has quit IRC15:49
*** Tahmina has quit IRC15:52
*** nellysmitt has joined #openstack-keystone15:52
openstackgerritDolph Mathews proposed openstack/keystone: Refactor: remove dep on trust_api / v3 token helper  https://review.openstack.org/16187615:55
*** diegows has joined #openstack-keystone15:56
lbragstaddolphm: you're rebasing those on master I take it?15:57
dolphmlbragstad: yes, indirectly i suppose. just made that depend on "make extras optional"15:58
dolphmwhich is based on master15:58
*** tqtran has joined #openstack-keystone15:58
openstackgerritDolph Mathews proposed openstack/keystone: Remove the expiration timestamp from Fernet tokens  https://review.openstack.org/16177415:59
*** _cjones_ has quit IRC16:01
lbragstaddolphm: cool, I'm reworking the federated stuff on top of your latest changes. I was going to rebase to pick up the federated mixin change16:03
dolphmlbragstad: it should be there then?16:08
lbragstaddolphm: I'm building on https://review.openstack.org/#/c/160993/16:08
lbragstaddolphm: which I think I'll need to rebase once https://review.openstack.org/#/c/161897/7 is rebased?16:09
dolphmlbragstad: i haven't rebased that one yet16:09
dolphmlbragstad: i'm rebasing and addressing comments one patch at a time16:09
lbragstaddolphm: yep, that's fine16:09
*** nellysmitt has quit IRC16:11
*** _cjones_ has joined #openstack-keystone16:14
*** _cjones_ has quit IRC16:14
*** _cjones_ has joined #openstack-keystone16:14
*** browne has quit IRC16:21
*** jsavak has quit IRC16:21
*** nellysmitt has joined #openstack-keystone16:21
*** esp has joined #openstack-keystone16:29
openstackgerritDolph Mathews proposed openstack/keystone: Remove redundant creation timestamp from fernet tokens  https://review.openstack.org/16189716:35
*** krtaylor has quit IRC16:36
openstackgerritDolph Mathews proposed openstack/keystone: Refactor: make Fernet token creation/validation API agnostic  https://review.openstack.org/16233816:38
openstackgerritDolph Mathews proposed openstack/keystone: Convert audit_ids to bytes  https://review.openstack.org/16099316:38
openstackgerritDolph Mathews proposed openstack/keystone: Drop Fernet token prefixes & add domain-scoped Fernet tokens  https://review.openstack.org/16203116:38
dolphmlbragstad: all done ^16:38
dolphmlbragstad: you're implementing a new payload version, right?16:39
lbragstaddolphm: yep16:41
*** krtaylor has joined #openstack-keystone16:48
openstackgerritDavid Stanek proposed openstack/keystone: Refactoring: remove self._config_file_list from TestCase  https://review.openstack.org/16268416:51
openstackgerritDavid Stanek proposed openstack/keystone: Refactoring: removed client method from TestCase  https://review.openstack.org/16268516:51
openstackgerritDavid Stanek proposed openstack/keystone: Refactoring: use BaseTestCase instead of TestCase  https://review.openstack.org/16268616:51
openstackgerritDavid Stanek proposed openstack/keystone: Removes unused sys.exit mocking  https://review.openstack.org/16268716:51
dstanek^ stash cleanup16:51
*** Krast has quit IRC16:55
*** Krast has joined #openstack-keystone16:56
*** angular_mike has joined #openstack-keystone17:01
*** gyee has joined #openstack-keystone17:02
*** ChanServ sets mode: +v gyee17:02
*** browne has joined #openstack-keystone17:03
*** _cjones_ has quit IRC17:05
*** edmondsw has quit IRC17:08
*** nellysmitt has quit IRC17:11
*** nellysmitt has joined #openstack-keystone17:13
*** zzzeek has quit IRC17:16
*** nellysmitt has quit IRC17:17
*** zzzeek has joined #openstack-keystone17:21
*** _cjones_ has joined #openstack-keystone17:24
*** iamjarvo has joined #openstack-keystone17:36
*** iamjarvo has quit IRC17:36
*** iamjarvo has joined #openstack-keystone17:37
*** tqtran_ has joined #openstack-keystone17:38
*** lhcheng has joined #openstack-keystone17:38
*** tqtran_ has quit IRC17:38
*** harlowja has joined #openstack-keystone17:40
*** leonchio_ has joined #openstack-keystone17:41
*** lhcheng has quit IRC17:43
*** harlowja_ has joined #openstack-keystone17:43
*** harlowja has quit IRC17:45
*** fmarco76 has quit IRC17:47
*** lhcheng has joined #openstack-keystone17:57
*** lhcheng_ has joined #openstack-keystone17:58
*** jistr has quit IRC17:59
*** comstud has joined #openstack-keystone18:01
*** lhcheng has quit IRC18:01
openstackgerritDolph Mathews proposed openstack/keystone: Remove the expiration timestamp from Fernet tokens  https://review.openstack.org/16177418:02
openstackgerritDolph Mathews proposed openstack/keystone: Remove redundant creation timestamp from fernet tokens  https://review.openstack.org/16189718:03
openstackgerritDolph Mathews proposed openstack/keystone: Drop Fernet token prefixes & add domain-scoped Fernet tokens  https://review.openstack.org/16203118:04
openstackgerritDolph Mathews proposed openstack/keystone: Convert audit_ids to bytes  https://review.openstack.org/16099318:04
openstackgerritDolph Mathews proposed openstack/keystone: Refactor: make Fernet token creation/validation API agnostic  https://review.openstack.org/16233818:04
*** chlong has quit IRC18:05
openstackgerritDavid Stanek proposed openstack/keystone: Removes logging code that supported Python <2.7  https://review.openstack.org/16270618:19
openstackgerritEric Brown proposed openstack/keystonemiddleware: Use oslo_config choices support  https://review.openstack.org/16003118:20
*** karimb has quit IRC18:27
*** pnavarro has quit IRC18:29
openstackgerritDavid Stanek proposed openstack/keystone: Consistently use oslo_config.cfg.CONF  https://review.openstack.org/16271118:30
*** iamjarvo has quit IRC18:36
*** mgagne is now known as mgagne_PHL18:42
*** _cjones_ has quit IRC18:44
*** iamjarvo has joined #openstack-keystone18:49
openstackgerritMerged openstack/keystone: Refactor: make extras optional in v3 get_token_data  https://review.openstack.org/16266118:52
*** thedodd has joined #openstack-keystone18:54
openstackgerritMerged openstack/keystone: Deprecate passing "extras" in token data  https://review.openstack.org/16266218:54
* morganfainberg starts moving today.18:56
stevemarmorganfainberg, nice18:57
stevemareast coast is where its at18:57
morganfainbergno. not nice.18:57
morganfainbergoh not as in relocating unless you mean relocating beyond the edge of my bed :P18:59
* morganfainberg is not moving living location(s) yet18:59
*** spandhe has joined #openstack-keystone19:01
*** iamjarvo has quit IRC19:02
*** iamjarvo has joined #openstack-keystone19:05
*** iamjarvo has quit IRC19:05
*** iamjarvo has joined #openstack-keystone19:06
*** _cjones_ has joined #openstack-keystone19:12
*** jorge_munoz has quit IRC19:19
lbragstaddolphm: marekd federated fernet token length (w/ one group) http://cdn.pasteraw.com/ouzgugnazt0bf7fnjo5jdadddq1qs3k19:22
dolphmlbragstad: really?19:22
dolphmlbragstad: wasn't 140 unscoped size?19:22
lbragstaddolphm: yeah19:22
lbragstaddolphm: an unscoped token and federated unscoped token are about the same19:23
dolphmlbragstad: then how is that possible?19:23
lbragstaddolphm: the only thing different from what I can tell, is the number of groups passed into the token19:23
dolphmlbragstad: so, keep adding groups to the list until you exceed 255 - what's the max number of groups?19:23
lbragstadso it can be a lot bigger than that19:23
morganfainbergand if it doesn't increase in size with more groups ... you might be missing something19:24
morganfainberg:P19:24
morganfainbergayoung. ping re: https://review.openstack.org/#/c/159803/ i think this is a better setup to isolate the schema fixes. should be ready for review now.19:25
ayoungmorganfainberg, lookING19:26
morganfainbergayoung, it may still need massaging to be 100% right.19:26
ayoungmorganfainberg, I see what you are aiming for...makes sense19:27
ayoungmorganfainberg, so...the issue is in the federation tables.  I think the version being 37 does not match that19:28
morganfainbergayoung, it's the same net effect19:28
ayoungthe sanity check should be on the federation tables version, not the common one19:28
morganfainberg_37 had the same issue.19:28
morganfainbergjust no FKs associated19:29
ayoungah...so that is good there, but the Federation one should have it regardless...19:29
ayoungBut I like the direction19:29
morganfainbergwait what?19:29
ayoungmorganfainberg, the sanity check version should be on the Federation repo19:29
ayoungnot on the global one19:29
morganfainbergit should be in both cases. if you are wedged in more than 1 schema in an upgrade, you don't want to need to re-run19:30
ayounghttps://review.openstack.org/#/c/159803/14/keystone/common/sql/migrate_repo/__init__.py,cm  is good for fixing the common tables, but a user can run the migrations for common and for federation separately19:30
ayoungdb_sync did  not automatically run for federation in the past19:30
*** jorge_munoz has joined #openstack-keystone19:30
morganfainbergayoung, and you could still be equally wedged19:30
ayoungI *think* so19:30
openstackgerritMerged openstack/keystone: Remove extra semicolon from mapping fixtures  https://review.openstack.org/14808019:30
morganfainbergyou have 2 separate code paths.19:31
morganfainbergjust using the same-ish logic19:31
morganfainbergmain repo vs extensions19:31
morganfainbergboth could get wedged in cases19:31
morganfainbergi dont want to run the "Fix" in all cases, we should know if/where we get wedged.19:31
morganfainbergagain this comes back to "dont run things that change the db unless you really need to"19:32
morganfainbergeven if it's a no op. i don't trust things to not go sideways.19:32
morganfainbergi think that's what you're saying, just let _fix_37 run anywhere/anytime19:32
morganfainberg?19:32
ayoungmorganfainberg, I think that what should be done is to continue the logic you have  for extensions.  So in the federation extension __init__ file have the same code as  https://review.openstack.org/#/c/159803/14/keystone/common/sql/migrate_repo/__init__.py,cm  but for version 219:33
* morganfainberg is almost a fan of just removing the sanity check completely19:33
morganfainbergalways run sanity_check=False19:33
ayoungmorganfainberg, sanity check should run at the end, not the beginning19:33
morganfainbergthe sanity check should probably never run19:34
ayoungtheir heart was in the right place, their head, not so much19:34
morganfainbergnot wedged down in oslo.db19:34
morganfainbergif we want to run a sanity check ourselves, that's fine.19:34
ayoungsanity check makes sense to run at the end of the migrations, to test if a new migration did something dumb19:34
morganfainbergbut it shouldn't be in oslo.db critical path at all19:34
ayoungYeah, it is the wrong time to run it19:34
ayoungbetter to have it in the functional tests19:35
morganfainbergit should (if anything) be run from our migration_helpers19:35
morganfainbergnot the oslo_db.sqlalchemy.migration.db_sync19:35
morganfainbergonce we have functional testing up we should swing back through and make sanity check only ever run there.19:36
dolphmjorge_munoz: lbragstad: have a link to the v2 fernet patch?19:37
lbragstaddolphm: I think this is the one jorge_munoz is working https://review.openstack.org/#/c/159229/19:37
dolphmjorge_munoz: lbragstad: my last patch should make v2 simpler to implement https://review.openstack.org/#/c/162338/19:38
openstackgerritLin Hua Cheng proposed openstack/keystone: Implement validation on the Identity V3 API  https://review.openstack.org/13212219:39
lbragstaddolphm: ++19:39
dolphmlbragstad: that's basically the end result that we discussed earlier last week19:39
lbragstaddolphm: yeah I was looking through it, it looks good19:39
samueldmqmorganfainberg, could we have 'list role assignments refactoring' back to priority reviews?19:43
morganfainbergsamueldmq, which one?19:44
samueldmqmorganfainberg, https://review.openstack.org/#/c/137202/19:44
morganfainbergsamueldmq, as it stands we're not getting enough reviews on the current high priority ones19:45
morganfainbergthat is pretty far down my list [especially since it involves a massive chain of patches]19:45
morganfainbergsamueldmq, it's just an issue of getting reviews on everything at this point.19:46
morganfainbergsamueldmq, and we are exceptionally close to a milestone.19:47
morganfainbergsamueldmq, i don't see it as a blocker for K3 or kilo, i see it as a nice to have.19:47
samueldmqmorganfainberg, ok I understand, it's just a question on getting reviews on it19:47
morganfainbergsame with x509 at this point19:47
morganfainbergnot a blocker for kilo/k319:48
morganfainbergnice to have if we get it19:48
samueldmqmorganfainberg, maybe the old "review other's patches prior to get yours reviewed" may work here, I'll try :)19:48
morganfainbergsamueldmq, this is what happens when everything gets wedged into the last milestone for features.19:48
morganfainbergsamueldmq, the nice to haves get booted19:48
morganfainbergbecause there just isn't enough bandwidth to get everything in19:48
ayoungmorganfainberg, remove the sanity check.  Create an explicit sanity check option for keystone-manage  as a follow on patch19:49
*** thedodd has quit IRC19:49
samueldmqmorganfainberg, k I understand, especially this one, that has been there for almost a complete cycle now :/19:49
morganfainbergayoung, once we have functional testing19:49
samueldmqmorganfainberg, but ok, your point is fair enough19:49
samueldmqmorganfainberg, thanks for clarifying19:49
morganfainbergayoung, but i don't see that as possible now and we need to backport this fix.19:49
*** thedodd has joined #openstack-keystone19:49
morganfainbergsamueldmq, i know. =/ doing my best to get things landed19:50
morganfainberglbragstad, https://review.openstack.org/#/c/161380/ needs a rebase.19:50
lbragstadmorganfainberg: working on it now19:51
samueldmqmorganfainberg, yeah you're doing well :)19:51
*** radez_g0n3 is now known as radez19:51
samueldmqmorganfainberg, I'll review more patches to try to get things moving19:51
samueldmqmorganfainberg, then maybe there will be time for this :)19:52
samueldmqmorganfainberg, thanks19:52
morganfainbergjorge_munoz, dolphm, lbragstad, and we need some movement on the v2 fernet support early this week.19:52
morganfainbergso we can get eyes on it before "OMG k3 is being cut"19:52
ayoungmorganfainberg, disable sanity check now19:53
ayoungadd sanity check in the future19:53
dolphmmorganfainberg: i'm reviewing it now, and looking at rebasing on top of some of my other patches, which should make it simpler to implement19:53
ayoungI don't see the value of the sanity check19:53
morganfainbergdolphm, ++19:53
*** thedodd has quit IRC19:54
dolphmlbragstad: is jorge_munoz around today?19:54
lbragstaddolphm: should be19:54
*** iamjarvo has quit IRC19:55
morganfainbergdhellmann, zzzeek, ping re: sanity check in oslo.db. I think we're at the point where we're ready to just disable it. it has successfully wedged deployers at least twice. it is being run in the wrong place and can get people into a state where you cannot run further migrations19:55
morganfainbergdhellmann, zzzeek, any reason we should continue to use it before i rip it out of keystone?19:55
morganfainbergayoung, ^cc19:55
morganfainbergayoung, before we do that.19:55
ayoungmorganfainberg, ++19:55
zzzeekmorganfainberg: the ping thing?   it helps if your DB connection is gone, which we’ve observed happens a lot with mis-configured HAProxys19:55
morganfainbergno, sanity check19:56
zzzeekoh19:56
zzzeekmorganfainberg: whats that?19:56
morganfainbergzzzeek, it's the "are we utf8/innodb"19:56
zzzeekmorganfainberg: oh19:56
morganfainbergit's run before you run any migrations... it means if your DB is not utf8/innodb and then you get a new migration, you can't run it19:56
morganfainbergyou can't even run a migration to fix it19:56
zzzeekmorganfainberg: how is that messing people up ?   at least the innodb part19:56
ayoungzzzeek, sanity check effectively prevents migrations from being run.  It prevents you from closing the barn door after the horse is long gone19:56
morganfainbergbecause oslo.db explodes with a valueerror19:56
zzzeekwhys that ?19:56
*** iamjarvo has joined #openstack-keystone19:57
ayoungit means we can't run any migrations after the sanity check detects a problem19:57
ayoungincluding migrations to fix problems19:57
*** iamjarvo has quit IRC19:57
morganfainbergit runs sanity_check, verifies a table is utf8/innodb, but there is an issue because someone didn't put utf8 in their migration to create the table - and someone is running a mysql instance w/o utf8 being the default19:57
morganfainbergso, we just wedge a deployer19:57
zzzeekmorganfainberg: the innodb part, not the utf8 part19:57
morganfainbergzzzeek, both19:57
morganfainbergzzzeek, it checks both of them.19:57
*** iamjarvo has joined #openstack-keystone19:58
zzzeekmorganfainberg: how does the check for innodb throw a valueerror19:58
*** dims_ has joined #openstack-keystone19:58
morganfainbergoh19:58
morganfainbergit's only checking utf819:58
morganfainbergthought it was also checking innodb19:58
morganfainbergsomething was at one point19:58
zzzeekmorganfainberg: OK.  so, utf8, its in their my.cnf defaults and not table defs, that kind of thing?19:59
morganfainbergmust have changed/not made it into oslo.db19:59
morganfainbergzzzeek, something like that19:59
ayoungregardless, running the check before the migrations is damaging19:59
morganfainbergzzzeek, and they have already created the db/tables.19:59
ayoungit should run at the end, maybe19:59
morganfainbergzzzeek, then you can't run even a "fix this" migration19:59
morganfainbergbecause the db is declared insane - even though it was sane minutes ago.19:59
zzzeekmorganfainberg: whats the use case where someone has created all their tables with the wrong charset ?   legacy, or they mucked around on their end ?20:00
morganfainbergusually upgrading20:00
morganfainbergfrom an old install20:00
morganfainbergnot an uncommon case.20:00
zzzeekmorganfainberg: so what will you do instead ?20:00
*** dims has quit IRC20:00
morganfainbergrip it out, once we have functional testing will run the same type of check on the db20:00
morganfainbergso for now: skip sanity check always20:01
morganfainbergsoon: run it on each patch to ensure it doesn't happen in an explicit test20:01
morganfainbergbut we need real mysql [not unit tests]20:01
zzzeekmorganfainberg: none of this is something i have any opinion about.  if you’re comfortable with a gap where ppl with bad DBs install the software and they have weird encoding problems, that’s an app-level decision20:01
morganfainbergzzzeek, at this point we're already there.20:02
morganfainbergthat ship has long since sailed.20:02
morganfainbergsanity check has served to wedge our deployers - and afaict that's it20:02
morganfainbergthen we get a bug and have to backport fixes to undo it.20:02
ayoungWe can run it at the end of migrations in the future.20:02
morganfainbergayoung, doesn't really solve the problem though. gate doesn't catch this really20:03
ayoungAnd then we will know after the migrations run that there is a problem, and they can report it20:03
ayoungmorganfainberg, I know20:03
ayoungit will be informational20:03
morganfainbergayoung, eh. a "hey go report a bug cause you saw this message" isn't great either you know20:04
morganfainbergmaybe we just make the sanity check something that we run in devstack explicitly20:04
openstackgerritMerged openstack/keystone: Refactoring: remove self._config_file_list from TestCase  https://review.openstack.org/16268420:04
morganfainbergfor now.20:04
morganfainbergput that in, get the change to devstack landed [should be easy]20:04
morganfainberganyway i need coffee.20:05
openstackgerritMerged openstack/keystone: Refactoring: removed client method from TestCase  https://review.openstack.org/16268520:05
morganfainbergand an aspirin.20:05
openstackgerritRodrigo Duarte proposed openstack/keystone: Mirror domain entries to project table  https://review.openstack.org/16140820:06
openstackgerritRodrigo Duarte proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/15742720:06
openstackgerritRodrigo Duarte proposed openstack/keystone: WIP: Bye bye domain table  https://review.openstack.org/16185420:06
openstackgerritRodrigo Duarte proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376320:06
openstackgerritRodrigo Duarte proposed openstack/keystone: Change project name constraint  https://review.openstack.org/15837220:06
morganfainbergayoung, i'll spin up a check we can ruin our db with... uh run against our db and then propose it against devstack20:06
ayoung++20:06
morganfainbergayoung, so we can get sanity check but not be stuck like we are.20:07
stevemargordc, got a new patch for setting user_id in ceilometer, let me know if i went overkill20:07
morganfainbergor maybe even better20:07
stevemari think i might have20:07
openstackgerritMerged openstack/keystone: Docstring fixes in fernet.token_formatters  https://review.openstack.org/16233720:07
morganfainbergzzzeek, is there a way we can force the connection string to always do utf8?20:07
morganfainbergzzzeek, unless it's explicitly overridden20:07
morganfainbergzzzeek, that might be even better.  which case someone would need to go out of their way to make tables w/o utf820:08
morganfainbergayoung, and we still do the devstack thing, but less rush.20:08
ayoungstevemar, so...in Federation group mapping.  We throw an exception on the case where a glob matches the assertion, but one of the values from the assertion is not in the groups list20:09
ayoungthis means that every single group from the assertion needs to be made in the identity backend20:09
ayoungI'd rather just ignore them20:10
gordcstevemar: you went overkill for a daylight savings monday20:10
ayoungactually, it 500s right now20:10
stevemarayoung, come again? i need an example20:10
ayoungstevemar, I was doing this with SSSD.  Say I have two groups:  ipausers and admins20:10
ayoungthose are in LDAP, and my user is assigned to them20:11
ayoungstevemar, my mapping looks like this20:11
ayounghttp://adam.younglogic.com/2015/03/key-fed-lookup-redux/20:11
ayoung"local": [ { "group": { "name": "{0}", "domain": {"name": "Default"} } } ], "remote": [20:12
ayoung    {20:12
ayoung        "type": "REMOTE_USER_GROUPS"20:12
ayoung    }20:12
ayoung]20:12
ayoungstevemar, so that is going to match every group in REMOTE_USER_GROUPS.  But if LDAP assigns me a new group,  say the admins group, and Keystone doesn't know about it,  500  Groups20:13
ayoung{"error": {"message": "Group admins returned by mapping kerberos_mapping was not found in the backend. (Disable debug mode to suppress these details.)", "code": 500, "title": "Internal Server Error"}}20:13
ayoungstevemar, I think it is due to this call20:14
ayounghttp://git.openstack.org/cgit/openstack/keystone/tree/keystone/contrib/federation/utils.py#n16320:14
ayoungstevemar, I think the right logic is to not map any groups that are not in the back end.20:16
stevemarhmm okay... i see what you're doing there20:17
openstackgerritTelles Mota Vidal Nóbrega proposed openstack/keystone: Creating domain and filtering by parent_id  https://review.openstack.org/16137820:17
ayoungstevemar, yeah, the user and keystone admins are not going to have control over what comes in the assertions.  We have to only use the data we know about20:18
stevemarayoung, i think what you're looking for is here: https://review.openstack.org/#/c/142573/20:18
ayounglooking20:18
stevemarayoung, check line 590ish20:18
ayoungstevemar, Not an explicit list20:18
ayoungstevemar, I don't like a whitelist20:19
openstackgerritTelles Mota Vidal Nóbrega proposed openstack/keystone: List projects filtering by is_domain flag  https://review.openstack.org/15839820:19
ayoungI already have the list in the identity backend.  If I do a glob, just limit the mapping to the groups that actually exist20:19
ayoungLooking at that, I am not sure it actually would solve my problem20:20
stevemarayoung, try hacking something up to allow for groups 404'ing20:21
stevemarassuming it doesn't break any tests, i don't see why we can't add that mapping too20:21
zzzeekmorganfainberg: i thought oslo.db adds ‘utf8’ to the connection for mysql anyway20:21
zzzeekmorganfainberg: not sure if mysql can’t persist utf8 data correctly w/ a bad server side encoding tho20:21
openstackgerritMorgan Fainberg proposed openstack/keystone: Migrations squash  https://review.openstack.org/16217020:23
openstackgerritMerged openstack/keystone: 'Assignment' has no attr 'get_domain_by_name'  https://review.openstack.org/16154320:23
htrutamorganfainberg: working here with rodrigods on the reseller stuff, we got into a discussion. what should happen if a user wants to create a project with is_domain disabled without passing the parent_id?20:24
ayoungstevemar, I think I would change it from  " validate_groups_in_backend"  to "remove_groups_not_in_backend"20:24
ayoungif there are 0 groups left, throw the error20:24
stevemarayoung, that sounds like a viable move20:24
morganfainberghtruta, bad request.20:24
morganfainbergor validation error20:24
ayounglet me try it20:24
htrutawe thought of either raising an error or make the project_id his domain_id20:24
morganfainbergraise an error20:24
morganfainbergimo20:25
morganfainbergoh wait sec20:25
morganfainberghtruta, mirror the behavior today, what happens when you try and create a project w/o specifying a domain?20:25
morganfainbergdoes it go into default domain, your domain, or error?20:26
morganfainbergif it goes into default the answer would be either your domain or error20:26
morganfainbergand likely into your domain is the right one20:26
morganfainbergif it errors today, it should error20:26
morganfainbergdolphm, doh https://review.openstack.org/#/c/161876/ merge conflict20:27
rodrigodsmorganfainberg, today we don't accept the creation of a project without a domain (the schema doesn't accept domain being null)20:28
morganfainbergrodrigods, then mirror that20:28
morganfainbergrequire a parent id.20:28
morganfainberghm..20:28
morganfainbergrodrigods, would that break today's api though20:29
morganfainbergrodrigods, oh wait no, if they specify a domain id only it would go into that domain at the top20:29
morganfainbergbut if no domain is specified and no parent id is specified.20:29
rodrigodsmorganfainberg, but... we also do this https://github.com/openstack/keystone/blob/master/keystone/resource/controllers.py#L16020:29
morganfainbergrodrigods, ok so the only time it would error is if no domain is specified *and* no parent is specified20:30
rodrigodsmorganfainberg, makes sense20:30
morganfainbergrodrigods, because if the domain id wasn't there it'd fail today20:30
rodrigodsthis approach also eases a lot the tests fixing20:30
morganfainbergif you don't specify a parent, but if you specify a domain id, you just get a project parented by the domain itself [same as today]20:31
*** iamjarvo has quit IRC20:31
morganfainbergrodrigods, so we don't break anyone using the API the same as they would today20:31
*** aix has quit IRC20:31
rodrigodsmorganfainberg, ++20:31
htrutamorganfainberg: ++20:31
openstackgerritDolph Mathews proposed openstack/keystone: Refactor: make Fernet token creation/validation API agnostic  https://review.openstack.org/16233820:31
openstackgerritDolph Mathews proposed openstack/keystone: Convert audit_ids to bytes  https://review.openstack.org/16099320:31
openstackgerritDolph Mathews proposed openstack/keystone: Refactor: remove dep on trust_api / v3 token helper  https://review.openstack.org/16187620:31
openstackgerritDolph Mathews proposed openstack/keystone: Drop Fernet token prefixes & add domain-scoped Fernet tokens  https://review.openstack.org/16203120:31
openstackgerritDolph Mathews proposed openstack/keystone: Remove redundant creation timestamp from fernet tokens  https://review.openstack.org/16189720:31
openstackgerritDolph Mathews proposed openstack/keystone: Remove the expiration timestamp from Fernet tokens  https://review.openstack.org/16177420:31
rodrigodsmorganfainberg, htruta, I also believe that we need to improve the schema in the future, there is a lot of not so straightforward constraints with the domain_id, parent_id and is_domain combination20:32
rodrigodsbut... this is a discussion for later20:32
dolphmdstanek: morganfainberg: y'all +2/+A'd this earlier, but a merge conflict on docstrings landed first https://review.openstack.org/#/c/161876/20:33
jorge_munozdolphm: Thanks, I’ll take a look and I’ll try to focus some time today.20:33
*** dims_ has quit IRC20:33
dolphmjorge_munoz: do you have any offline changes that haven't made it to gerrit yet?20:34
*** dims has joined #openstack-keystone20:34
dolphmjorge_munoz: if not, i'd like to at least try to get a rebase into gerrit for you20:35
jorge_munozdolphm: Some unit test20:35
*** pnavarro has joined #openstack-keystone20:35
dolphmjorge_munoz: unit or functional? i killed a bunch of tests in the other branch, see comment: https://review.openstack.org/#/c/159229/18/keystone/tests/unit/token/test_fernet_provider.py20:35
jorge_munozIt's new unit test for the token converter20:36
jorge_munozdolphm: It should not affect the rebase20:37
*** iamjarvo has joined #openstack-keystone20:37
*** radez is now known as radez_g0n320:37
jorge_munozdolphm: I can take care of it later today.20:37
openstackgerritRodrigo Duarte proposed openstack/keystone: Mirror domain entries to project table  https://review.openstack.org/16140820:49
openstackgerritRodrigo Duarte proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/15742720:49
openstackgerritRodrigo Duarte proposed openstack/keystone: WIP: Bye bye domain table  https://review.openstack.org/16185420:49
openstackgerritRodrigo Duarte proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376320:49
openstackgerritRodrigo Duarte proposed openstack/keystone: Change project name constraint  https://review.openstack.org/15837220:49
dstanekbknudson: why do you want to keep all that exit stuff?20:52
openstackgerritMerged openstack/keystone: Removes logging code that supported Python <2.7  https://review.openstack.org/16270620:52
bknudsondstanek: it was added for a reason -- there was some code doing system.exit() and it caused a problem...20:53
bknudsonI think it caused the tests to complete successfully...20:53
dstanekbknudson: i just did a quick test and the tests will fail if sys.exit() is called and SystemExit is not explicitly caught20:54
bknudsonmaybe it's been fixed upstream.20:55
dstanekhere's what i get: http://paste.openstack.org/show/191078/20:55
*** iamjarvo has quit IRC20:55
openstackgerritMerged openstack/keystone: Consistently use oslo_config.cfg.CONF  https://review.openstack.org/16271120:56
*** henrynash has quit IRC20:56
*** iamjarvo has joined #openstack-keystone20:56
openstackgerritSteve Martinelli proposed openstack/keystone: Refactor: create a common base for notification tests  https://review.openstack.org/16275620:57
bknudsondstanek: https://github.com/openstack/keystone/commit/29b6421518de25d067ade422d3513a89d6febd6020:59
*** htruta has quit IRC20:59
bknudsonhttps://bugs.launchpad.net/keystone/+bug/127688520:59
openstackLaunchpad bug 1276885 in Keystone "fail_gracefully can exit test suite" [Medium,Fix released] - Assigned to Jamie Lennox (jamielennox)20:59
*** raildo is now known as raildo_away20:59
bknudsondstanek: if I have 2 tests that call sys.exit(), I only get 1 failure... there should have been 2 failures.21:00
*** henrynash has joined #openstack-keystone21:02
*** ChanServ sets mode: +v henrynash21:02
dstanekyou'll only get one because the process is dead21:02
bknudsonwe don't want the process to die.21:02
dstanekright, but that's enough to signal that we have a bug right? we not mock os._exit and raising SystemExit, which are two very common ways to exit a process. but if you use them you'll find out that it was wrong21:03
dstaneki can keep it if you really feel strongly; it just feels like wasted CPU21:04
bknudsonget a faster computer.21:04
dstanekwe should be able to run all of our tests on a macbook air in less than a minute. i shouldn't need 100 CPUs for such a small project.21:05
bknudsonthen I think we've got bigger problems than this mock.21:06
dstanekalso it's important to note that this is not currently being mocked out on a growing set of our tests21:06
bknudsonit should be moved into BaseTestCase21:07
openstackgerritSteve Martinelli proposed openstack/keystone: Refactor: move initiator test to cadf specific section  https://review.openstack.org/16275821:07
dstaneki can do that instead then21:07
openstackgerritSteve Martinelli proposed openstack/keystone: Add scope info to initiator data for CADF notifications  https://review.openstack.org/16254721:08
*** Tahmina has joined #openstack-keystone21:09
henrynashayoung, gyee: the next bit of domain-config is awaiting a push….if you get time: https://review.openstack.org/#/c/158752/21:09
ayounghenrynash, is this the one with the disable test?21:10
henrynashayoung: no, that’s the next one (and I did improve the test for you)21:10
ayoungok21:11
*** thedodd has joined #openstack-keystone21:12
ayounghenrynash, explain to me again why we don't need the kill switch yet?  Is it that we can create config objects, but not consume them yet?21:12
*** topol has quit IRC21:17
*** iamjarvo has quit IRC21:17
*** timcline has quit IRC21:18
*** timcline has joined #openstack-keystone21:19
*** mattfarina has quit IRC21:19
*** timcline has quit IRC21:23
rodrigodsmorganfainberg, this patch https://review.openstack.org/#/c/159944/15 is related to the FK discussion in the ML, it is also the first patch in the Reseller stack... can it get some attention (reviews)?21:27
openstackgerritDavid Stanek proposed openstack/keystone: Refactoring: use BaseTestCase instead of TestCase  https://review.openstack.org/16268621:29
openstackgerritDavid Stanek proposed openstack/keystone: Moved sys.exit mocking into BaseTestClass  https://review.openstack.org/16276321:29
openstackgerritDavid Stanek proposed openstack/keystone: Removed maxDiff attribute from TestCase  https://review.openstack.org/16276421:29
openstackgerritDavid Stanek proposed openstack/keystone: Fixes tests to use the config fixture  https://review.openstack.org/16276521:29
ayoungstevemar, so..what I posted before, that just returns the first entry REMOTE_USER_GROUPS, doesn't it:   "group": {                      "name": "{0}",21:32
dstanekbknudson: ^ fixed up those commits21:32
openstackgerritDavid Stanek proposed openstack/keystone: Refactor: extract and rename unique_id method  https://review.openstack.org/16276621:33
openstackgerritDavid Stanek proposed openstack/keystone: Simplify injection testcase setup  https://review.openstack.org/16276721:33
openstackgerritDavid Stanek proposed openstack/keystone: Isolate injection tests  https://review.openstack.org/16276821:33
openstackgerritDavid Stanek proposed openstack/keystone: Decouple notifications from DI  https://review.openstack.org/16276921:33
openstackgerritDavid Stanek proposed openstack/keystone: Removed optional dependency support  https://review.openstack.org/16277021:33
henrynashayoung: yes, you can create all the config objects you want…but if the config switch to use them is not enabled, then they count for nothing21:33
ayounghenrynash, and the config switch is coming in the next patch?21:34
jamielennoxbknudson: if you haven't seen it: https://review.openstack.org/#/c/162529/ is loading plugins with a getter function, it's good for the base plugin but i don't think it works to have a straight auth.load_from_options_getter21:34
henrynashayoung: the config switch was created in a previous patch…but it is honored in the next patch, since that’s the patch that actually allows config objects to have an effect21:35
jamielennoxbknudson: you want the place the way the options are defined to be reflected in the way options are loaded, so i'd prefer we keep the initial plugin name loading in ksm if that's where we read it from21:35
ayoungthat is what I meant.  It is not yet honored, so no way to enable21:35
stevemarayoung, yeah, that's what i thought might happen, it'll do list -> single entity21:35
stevemarayoung, that's why i brought up marek's patch, it'll to list -> list21:35
henrynashayoung: it was not effect….see setup_domain_drivers() in identity.core in the current patch21:35
ayoungstevemar, ah....yes, then I do want that patch21:36
henrynash(it has no effect)...21:36
bknudsonjamielennox: what doesn't work?21:36
ayounghenrynash, +2A.21:36
henrynashayoung: thx21:36
bknudsonI think https://review.openstack.org/#/c/162529/1/keystoneclient/auth/base.py looks good.21:36
bknudsonthe change could use tests.21:36
jamielennoxbknudson: there are two parts to loading a plugin, the bit that finds the plugin name and gets the class, and then the class loads the options related to the plugin21:37
jamielennoxbknudson: the class specific part works ok with load_from_options_getter, but i don't know if it makes sense to have an auth.load_from_options_getter because there's really no way to define the register_with_options_setter21:37
bknudsonjamielennox: where's the code that finds the plugin name and gets the class?21:37
jamielennoxbknudson: i updated the ksm side as well: https://review.openstack.org/#/c/161962/ it obviously fails but it worked in my test env21:38
bknudsonthat's not pretty at all.21:38
jamielennoxi like that it cuts out manually loading all the options for AuthTokenPlugin21:40
*** g2` has quit IRC21:40
*** sigmavirus24 is now known as sigmavirus24_awa21:41
bknudsonjamielennox: it's not bad... so you're saying you don't want the ksc change? (there's no tests)21:41
jamielennoxbknudson: i'll add the ksc tests if we are happy with the approach, it's fairly well tested already by virtue of load_from_conf_options and load_from_argparse_arguments both going through the new function21:42
bknudsonthere can't be a auth.load_from_conf_options that uses the getter?21:42
bknudsony, it shouldn't be a huge test.21:43
bknudsonjamielennox: I'm happy with the approach.21:43
jamielennoxbknudson: so i stopped shy of adding getter to load_from_conf_options, it feels weird21:43
jamielennoxthe load_from_conf_options should be the reverse of register_conf_options21:44
ayoungstevemar, wkil.21:44
bknudsonjamielennox: who calls register_conf_options?21:44
ayoungstevemar, will https://review.openstack.org/#/c/142573/16/keystone/contrib/federation/utils.py,cm  allow for globs?21:44
jamielennoxbknudson: auth_token21:44
jamielennoxbknudson: anyone that wants to load a plugin from conf21:45
bknudsonnot seeing it in auth_token...21:45
*** chlong has joined #openstack-keystone21:45
bknudsonnever mind, found one.21:46
*** samueldmq_ has joined #openstack-keystone21:46
bknudsonfor AuthTokenPlugin21:46
jamielennoxhttps://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_auth.py#L18021:47
bknudsonat import-time.21:47
stevemarayoung, what do you mean by globs?21:47
bknudsonbut that makes sense since only oslo.config requires registering options.21:47
jamielennoxyea, all oslo.config stuff is done at import time21:48
jamielennox(which i think we'll need to change for auth_token - but different problem)21:48
bknudsondoing stuff at import time is generally a bad idea anyways.21:48
jamielennoxyea, and this was flapper's problem and bug, that zaqar doesn't use the global oslo.config option and it wanted to be able to pass their own one in21:49
jamielennoxso we'd have to do all our option registering at __init__21:49
ayoungstevemar, in bash   *21:50
ayoungmatch anything21:50
openstackgerritDavid Stanek proposed openstack/keystone: Removed maxDiff attribute from TestCase  https://review.openstack.org/16276421:50
openstackgerritDavid Stanek proposed openstack/keystone: Fixes tests to use the config fixture  https://review.openstack.org/16276521:50
openstackgerritDavid Stanek proposed openstack/keystone: Moved sys.exit mocking into BaseTestClass  https://review.openstack.org/16276321:50
openstackgerritDavid Stanek proposed openstack/keystone: Refactoring: use BaseTestCase instead of TestCase  https://review.openstack.org/16268621:50
*** g2` has joined #openstack-keystone21:51
stevemarayoung, lemme take a deeper look21:51
openstackgerritLance Bragstad proposed openstack/keystone: Refactor: make Fernet token creation/validation API agnostic  https://review.openstack.org/16233821:51
openstackgerritLance Bragstad proposed openstack/keystone: Convert audit_ids to bytes  https://review.openstack.org/16099321:51
openstackgerritLance Bragstad proposed openstack/keystone: Refactor: remove dep on trust_api / v3 token helper  https://review.openstack.org/16187621:51
openstackgerritLance Bragstad proposed openstack/keystone: Drop Fernet token prefixes & add domain-scoped Fernet tokens  https://review.openstack.org/16203121:51
openstackgerritLance Bragstad proposed openstack/keystone: Remove redundant creation timestamp from fernet tokens  https://review.openstack.org/16189721:51
openstackgerritLance Bragstad proposed openstack/keystone: Remove the expiration timestamp from Fernet tokens  https://review.openstack.org/16177421:51
openstackgerritLance Bragstad proposed openstack/keystone: Federated token formatter  https://review.openstack.org/16138021:51
bknudsonbot is going to get kicked for spamming.21:51
bknudsonjamielennox: so are you planning to provide a load_from_conf_options_with_getter() ? Or is that impossible somehow?21:53
*** angular_mike has quit IRC21:53
jamielennoxbknudson: it's possible21:54
*** samueldmq has quit IRC21:54
*** samueldmq_ is now known as samueldmq21:54
jamielennoxbknudson: it's just a very weird and specialized case21:54
jamielennoxthat if it was anything other than ksm i'd probably say no to21:55
bknudsonjamielennox: doesn't anyone who doesn't want to use oslo.config need this?21:55
stevemarayoung, i think it'll work for you21:56
stevemarhttp://paste.openstack.org/show/191097/21:56
jamielennoxbknudson: not really, they would just follow the same process as i did in that middleware review21:56
jamielennoxfind the plugin name from whatever set of options you are using21:56
bknudsonjamielennox: then we'll have all these copies of the code around.21:56
stevemarayoung, set blacklist to nothing, and use 'groups21:56
stevemar'groups'21:56
ayoungso no blacklist...you have to specify something to match....interesting.  Ok, I'm going to try that21:56
stevemarayoung, might still need to change that validator to not barf if group dne21:56
jamielennoxthen plugin = base.get_plugin_class(name) plugin.load_from_options_getter(_getter)21:56
ayoungstevemar, right21:57
*** chlong has quit IRC21:57
stevemarayoung, yeah, no blacklist effectively means allow everything21:57
jamielennoxmordred's shade is the other example i'm thinking of that would benefit from this21:57
stevemari *think* that'll work21:57
*** chlong has joined #openstack-keystone21:57
bknudsonmordred's shade sounds like a species of flower or tree.21:58
jamielennoxpoisonous mushroom21:58
jamielennoxso he's pulling config options from oslo.config, some stuff from CLI from env and all sorts of other places21:59
bknudsonjamielennox: ok, I'm fine with the changes in https://review.openstack.org/#/c/161962/5/keystonemiddleware/auth_token/__init__.py .21:59
jamielennoxbut either way you run this you've got a registration issue, i don't know how to correctly register the options for all those places21:59
bknudsonjust need a test in the ksc change21:59
*** trey has quit IRC22:00
*** trey has joined #openstack-keystone22:00
jamielennoxbknudson: ok - i'll get on that one now, will see if we can get ksc then ksm updated in time for kilo22:01
*** chlong has quit IRC22:04
*** gordc has quit IRC22:05
jamielennoxmorganfainberg: i'm thinking that we overreached with ksc-federation, as it becomes more the standard  i think the base plugin can be in ksc and then do like ksc-saml22:05
ayoungstevemar, {"error": {"message": "An unexpected error prevented the server from fulfilling your request: malformed string (Disable debug mode to suppress these details.)", "code": 500, "title": "Internal Server Error"}}[22:06
ayoungstevemar, so...maybe on to something here...22:06
morganfainbergjamielennox: trivial to merge that back into the main tree.22:06
jamielennoxmorganfainberg: so still separate out the lxml and other reqs, but the case came up (again) for kerberos and SSL to be just a federation plugin and i don't want them to have deps on lxml and other saml stuff22:06
jamielennoxmorganfainberg: yep - just letting you know22:06
morganfainbergjamielennox: I'd rather have over reached and move it back than have to split it out again. But to be fair I'm mulling over splitting up keystone server some (backends)22:07
jamielennoxmorganfainberg: i'll have to have another look at that base plugin stuff and see how appropriate it is to a non-federated federated plugin22:07
morganfainbergBut the ksc side is less of an issue.22:07
jamielennoxmorganfainberg: right, i was thinking post a pecan split that some real models on the server side is a good idea22:07
morganfainberg++22:07
jamielennoxwould clean up the driver interfaces a lot22:08
ayoungstevemar, http://paste.openstack.org/show/191098/22:08
morganfainbergYes. I am thinking that might be a goal for liberty. Define ABIs for our drivers and commit to them. And split the drivers out22:08
morganfainbergSo you install only the drivers you need and dependency mapping is easy.22:09
jamielennoxmorganfainberg: ++22:09
jamielennoxget rid of drivers needing to know the differences for v2 and v3 apis22:09
jamielennoxwhich is a fairly small set, but still there in case22:09
jamielennoxs22:09
morganfainbergYep22:09
ayoungstevemar,  "groups": "{0}",  seems to pull out the first element of the list, not the whole set of groups22:11
*** trey has quit IRC22:12
bknudsonayoung: see https://review.openstack.org/#/c/142573/22:14
ayoungbknudson, I'm running with that22:14
bknudsonshoot... that's supposed to allow you to "groups": "{0}"22:14
stevemarayoung, thats weird, it should do multiple groups, that's what the point of the patch it22:15
stevemaris22:15
*** dims_ has joined #openstack-keystone22:15
*** trey has joined #openstack-keystone22:15
bknudsonyou need whitelist or blacklist.22:16
ayoungbknudson, I have blacklist22:16
stevemarbknudson, he's using this http://paste.openstack.org/show/191097/22:17
ayoung[{"local": [{"user": {"name": "{0}", "id": "{0}"}}], "remote": [{"type": "REMOTE_USER"}]}, {"local": [{"domain": {"name": "Default"}, "groups": "{0}"}], "remote": [{"blacklist": [], "type": "REMOTE_USER_GROUPS"}]}]22:17
*** dims has quit IRC22:17
bknudsonthat looks like the test fixture...22:17
ayoungstevemar I put a break point in the code at22:18
ayoungb/keystone/contrib/federation/utils.py22:18
ayoung def get_assertion_params_from_env(context):22:18
stevemarerr change the {0}'s in 'user' to {1}22:18
*** rushiagr_away has quit IRC22:18
ayoungstevemar, nah, that one is fine22:19
ayoungits the group one that break...22:19
ayoungso groups {1}{  ?22:20
bknudsondoes whitelist or blacklist need to have a value?22:20
stevemarbknudson, both can have empty arrays22:21
bknudsonit does "if blacklisted_values:"22:21
stevemaroh22:21
stevemargood point..22:21
bknudson(not "if blacklisted_values is not None:")22:21
stevemarwhich maybe it shouldn't do... an empty list should be valid right22:21
stevemarayoung, ^ want to try that change?22:22
bknudsonI don't see the point of having an empty blacklist or whitelist.22:22
ayoungstevemar, groups: {1} gives the first entry in the list22:22
ayounger..second22:22
ayoungwhat should be in groups?  Are you telling me that it will be processed differently if the blacklist is actually accepted?22:23
*** openstack has joined #openstack-keystone22:24
ayoungdifferent error22:25
ayoungstevemar, http://paste.openstack.org/show/191106/22:26
bknudsonstill using group: {1} ?22:26
bknudsongroups: {1}22:26
ayounger..yeah22:26
bknudsonthere will only be groups: {0} if there's a blacklist or whitelist22:26
bknudson(despite what the example shows in the spec)22:27
ayoungbknudson, stevemar that made the difference22:27
ayounglet's get that patch in22:27
*** bknudson has quit IRC22:28
stevemar\o/22:28
stevemaryeah, that patch is pretty slick22:28
stevemari know nkinder really wanted something like that22:29
*** atiwari has quit IRC22:29
ayoungstevemar, needs my fix22:30
ayounglet me submit on top of that one22:30
stevemarayoung, sure, try to address brants comments too22:30
stevemarthe append vs extend is a bit wonky22:31
*** pnavarro has quit IRC22:31
openstackgerritMerged openstack/keystone: Add API support for domain config  https://review.openstack.org/15875222:36
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements  https://review.openstack.org/16235022:43
openstackgerritayoung proposed openstack/keystone: ignore unknown groups  https://review.openstack.org/16278822:44
ayoungmorganfainberg, do you have a proposed approach for https://review.openstack.org/#/c/158752 ?22:45
ayoungwrong patch sorry22:46
morganfainbergayoung: huh? Haha ok22:46
ayoungmorganfainberg, https://review.openstack.org/#/c/14257322:46
*** carlosmarin has quit IRC22:47
ayoungyour  comment on There has been enough confusion here on the .extend vs. .append that we need either significantly more documentation, or this needs to be re-thought to make it into a data structure that is understandable vs. a list that ends up with late eval data in it.22:47
morganfainbergYes. That needs to be an object representation not a list. Having a list that sort of works one way in one form and if you put a list of things in it works differently (hence the need for extend in one case vs append), makes this code hard to read/understand.22:48
morganfainbergI have talked with dstanek and marekd about it and looking back at it again it is hard to follow since it is not clear what is going on. If this was an object vs a parsed list it would help with understanding.22:49
*** henrynash has quit IRC22:51
morganfainbergso simply, turn the direct maps into something that is a bit more uniform vs just knowing that [ ['thing1', 'thing2']] will produce something very different behavior wise than ['thing1', 'thing2']22:51
morganfainbergAnd have it be opaque to the developers who need to maintain it.22:52
morganfainbergThe fact that three different cores went "why are you appending in one place and extending in another" clearly says that this is not straightforward. Let alone looking at the tests and fixtures to gain understanding. So, I am not in support of hard to understand and maintain code. Even if this means we lose this whitelist/blacklist for kilo. We have not been22:54
morganfainberggood at cleaning up messes yet.22:54
*** jorge_munoz has quit IRC22:55
openstackgerritSteve Martinelli proposed openstack/keystone: add cadf notifications for oauth  https://review.openstack.org/15904523:01
openstackgerritSteve Martinelli proposed openstack/keystone: Add scope info to initiator data for CADF notifications  https://review.openstack.org/16254723:03
openstackgerritSteve Martinelli proposed openstack/keystone: add cadf notifications for oauth  https://review.openstack.org/15904523:03
*** thedodd has quit IRC23:10
*** sigmavirus24_awa is now known as sigmavirus2423:20
anteayamorganfainberg: has anyone gotten in contact with you yet about: http://lists.openstack.org/pipermail/third-party-announce/2015-March/000166.html23:23
morganfainberganteaya, nope23:23
*** openstack has joined #openstack-keystone23:23
morganfainbergit's still posting btw afaict23:23
morganfainbergdunno if brant solved the issues23:24
morganfainbergor not23:24
morganfainbergit seems like it sometimes is passing now23:24
morganfainberganteaya, as of 03-07 03:13 it was posting that is https://review.openstack.org/#/c/162170/23:25
morganfainbergand that failure there was because it couldn't download something internally from some server in IBM.23:26
morganfainbergstevemar, ping re: https://review.openstack.org/#/c/142573/23:26
morganfainbergstevemar, i don't think this is something we want in its current state considering how much "what is actually going on here" questions we've had23:27
anteayait shouldn't be posting any comments at all23:27
morganfainberganteaya, well as of 2 days ago it did.23:27
stevemarmorganfainberg, we definitely want the value it adds... just needs to be less cryptic23:28
morganfainbergstevemar, right as is was the key, the feature is good. the code is overloading things in very obscure ways23:28
morganfainbergstevemar, to be honest, i'm ok with this slipping kilo at this point.23:28
anteayamorganfainberg: thanks keep me posted23:29
morganfainbergstevemar, it is showing a gap in the mapping rules.23:29
morganfainberganteaya, sure.23:29
anteayaI'll see if I can find out how they could post on the 7th23:29
anteayalet me know if you see them post comments again23:29
morganfainbergstevemar, and the implementation. i'd rather clear up the issues before digging us in deeper23:29
morganfainberganteaya, absolutely.23:29
anteayathanks23:29
*** iamjarvo has joined #openstack-keystone23:30
stevemarmorganfainberg, right, thats what i was referring to23:30
stevemarmorganfainberg, except i don't know how to make it less crazy23:30
morganfainbergstevemar, punt on the feature, refactor things into a full object representation for the rules vs. the weird string-ified-lists23:31
morganfainbergstevemar, then re implement on top of it.23:31
morganfainbergstevemar, i think this is a case where accepting this feature as is will net us something very broken down the line when we try and fix it23:31
morganfainbergstevemar, especially since i can't tell from the tests how the hell it's supposed to work. i'm avoiding a -2 here by a very small margin in my view of it.23:32
morganfainbergstevemar, i can't even definitively tell the tests are resulting in a sane response.23:33
*** sigmavirus24 is now known as sigmavirus24_awa23:33
morganfainbergstevemar, i'm worried about it being too opaque to support / cleanup.23:34
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Provide a generic auth plugin loader  https://review.openstack.org/16252923:35
*** henrynash has joined #openstack-keystone23:37
*** ChanServ sets mode: +v henrynash23:37
stevemarmorganfainberg, i see your point23:42
stevemarfwiw, i think theres probably one more enhancement to the mapping engine down the line (project level mapping), and that should be it for a while.23:42
stevemari dunno, it's tricky23:43
*** chlong has joined #openstack-keystone23:43
stevemar(doing the cleanup vs not)23:43
morganfainbergstevemar, i'd rather have code that is less opaque this late in the cycle.23:43
morganfainbergif this wasn't wedged in right before feature freeze i'd probably say "great now go clean it up or we'll revert it"23:44
stevemarmorganfainberg, fwiw, it's only 92 lines, most of which is schema and comments, so it's not adding that much more zaniness to the problem23:44
morganfainbergstevemar, it's adding a lot of zaniness.23:45
stevemarmorganfainberg, i don't have a vested interest in this fyi23:45
stevemarjust playing devils advocate23:45
*** _cjones_ has quit IRC23:45
morganfainbergstevemar, it's making it so ['thing', 'thing2'] and [['thing1', 'thing2'], 'thing3'] are very very very different things23:45
morganfainbergand this feels like we're doing it wrong, this data doesn't need to be serialized23:45
morganfainbergto be usable. it's not going out on the wire23:46
morganfainbergstevemar, sure, i'm arguing we should do the cleanup because this is adding weird changes.23:46
morganfainbergstevemar, i have a vested interest in seeing this land... and i don't think it can land in kilo as is :(23:46
stevemarwomp womp23:47
morganfainbergstevemar, the more i discuss it the more i'm inclined to -2 it23:47
stevemarmorganfainberg, it'll be a good project for someone23:47
stevemarcleaning this up23:47
stevemarthe first pass was me and stanek at rax over a year ago (not geekdom)23:48
*** _cjones_ has joined #openstack-keystone23:48
anteayamorganfainberg: thanks we think it was an open connection on their end, so they continued to post even after they were disabled23:48
stevemarso it's due for a cleanup, but it's not the easiest thing to clean up23:48
morganfainberganteaya, ahh23:49
anteayafirst time we either experienced it or noticed it, I'm not sure which23:49
morganfainberganteaya, good to know23:49
anteayaso we will clear caches next time23:49
anteayaand thanks23:49
morganfainberganteaya, probably because there hasn't been gerrit downtime recently (for renames etc)23:49
anteayaand yeah, if they post again before we re-enable them do let us know23:49
anteayapossibly23:49
morganfainberganteaya, will do. thnx23:49
anteayanot sure how often gerrit flushes its account caches23:49
morganfainbergstevemar, so lets prioritize the cleanup before we build more features that could make the cleanup much harder23:50
morganfainbergstevemar, the fact that we needed late eval'd data should have been enough of a redflag earlier for me to punt it back here.23:51
morganfainberganteaya, who knows.23:51
morganfainberganteaya, but obviously not that often :P23:51
stevemarmorganfainberg, alrighty23:52
anteayanot that often, yes23:52
*** Tahmina has quit IRC23:52
anteayawe haven't noticed it being an issue before23:52
morganfainbergstevemar, unrelated: this one should be easy[ish]: https://review.openstack.org/#/c/162170/23:53
morganfainbergstevemar, but no rush on it, it can actually land post k3 [though earlier would be a bonus]23:53
openstackgerritMorgan Fainberg proposed openstack/keystone: Remove fix for migration 37  https://review.openstack.org/16226623:53
stevemarahh23:55
morganfainbergjamielennox, are we waiting on bug #1428900 to release ksm?23:56
openstackbug 1428900 in keystonemiddleware "auth_token middleware cannot load plugins from paste" [Medium,In progress] https://launchpad.net/bugs/1428900 - Assigned to Jamie Lennox (jamielennox)23:56
jamielennoxmorganfainberg: we are going to do it the fix in ksc then the update ksm way23:56
jamielennoxbknudson has gone23:56
morganfainbergjamielennox, so... hold on releasing ksm23:57
morganfainberg?23:57
jamielennoxi should have asked if he would approve keeping the hack until ksc catches up23:57
jamielennoxthen i could change it over to use the ksc features23:57
morganfainbergjamielennox, up to you on how you want to do this. postpone ksm release for ksc release + g-r update23:57
morganfainbergor go with a release earlier.23:57
* morganfainberg is ok with a small hack until KSC features are available fwiw23:58
morganfainbergas long as it's clearly commented as such23:58
jamielennoxmorganfainberg: having this blocking swift is a problem i want to solve sooner than it would take for the ksc and g-r updates to go through23:58
morganfainbergjamielennox, this is why i asked ;)23:59
jamielennoxmorganfainberg: let me revert the review to the older patch, i'll add some extra commenting23:59
jamielennoxyes, i think we should release the short term fix23:59
