Tuesday, 2015-03-10

00:00 <morganfainberg> jamielennox, great.
00:00 <morganfainberg> jamielennox, lets do that and please post up the current change (from the hack to this one)
00:01 <morganfainberg> so we have it ready to go once the ksc stuff catches up [if that isn't too hard to do]
00:01 <morganfainberg> no rush on that second part though.
00:02 <openstackgerrit> Lance Bragstad proposed openstack/keystone: Federated token formatter  https://review.openstack.org/161380
00:03 <jamielennox> morganfainberg: https://review.openstack.org/162529 is the ksc change
00:03 <morganfainberg> jamielennox, ah that one
00:15 <openstackgerrit> Jamie Lennox proposed openstack/keystonemiddleware: Allow loading auth plugins via overrides  https://review.openstack.org/161962
00:16 <jamielennox> morganfainberg: that's about the strongest warning i can put on ^
00:16 *** rushiagr_away has joined #openstack-keystone
00:16 <morganfainberg> jamielennox, ooh ooh, we could write a c-binding that obfuscates that function >.>
00:17 <morganfainberg> jamielennox, that works for me btw. it's good to see that separated out
00:17 <jamielennox> morganfainberg: yea, makes the whole function up for replacement
00:17 <openstackgerrit> henry-nash proposed openstack/keystone: Enable use of database domain config  https://review.openstack.org/159675
00:17 <morganfainberg> jamielennox, perfect.
00:17 <jamielennox> morganfainberg: also i'm more worried about people reading it and thinking it's a good idea and c&p than reusing the method
00:18 <morganfainberg> right
00:18 <jamielennox> morganfainberg: start with a github plugin that blurs out that function
00:18 <morganfainberg> LOL
00:18 <jamielennox> vim, emacs etc
00:18 <morganfainberg> obfuscated python
00:18 <morganfainberg> use awful things that break static analysis too and then #noqa
00:18 <morganfainberg> >.>
00:19 <morganfainberg> make sure to use ctypes to dig everything out while you're at it
00:19 <morganfainberg> even though it's not needed
00:19 <jamielennox> i think you could probably like late attach the function with name '_' + uuid.uuid4().hex
00:21 <jamielennox> right, back to ironic auth
00:23 <openstackgerrit> henry-nash proposed openstack/keystone: Fix typo in name of variable in resource router  https://review.openstack.org/162808
00:34 *** iamjarvo has quit IRC
00:44 *** gyee has quit IRC
00:46 *** _cjones_ has quit IRC
00:48 <stevemar> morganfainberg, we need to decide if we are going forward with this bug: https://bugs.launchpad.net/keystone/+bug/1426128
00:48 <openstack> Launchpad bug 1426128 in Keystone "Add ECP related bits to saml generation code" [Undecided,New]
00:48 <stevemar> gyee, marekd rodrigods ^
00:49 <openstackgerrit> Morgan Fainberg proposed openstack/keystone: Address nits for default cache time more explicit  https://review.openstack.org/162815
00:49 *** r-daneel has quit IRC
00:49 *** leonchio_ has quit IRC
00:50 <morganfainberg> stevemar, wouldn't that break things if we leveraged a form of browser-based sso?
00:53 <stevemar> morganfainberg, you mean combining k2k and sso?
00:53 <morganfainberg> stevemar, yes
00:54 <morganfainberg> stevemar, which... we likely will do longer term
00:54 <morganfainberg> read: horizon things.
00:54 <morganfainberg> i am just checking that we're not backing ourselves into a corner here
00:54 <morganfainberg> by addressing that bug as you proposed
00:55 <henrynash> morganfainberg: when you have a moment, like to talk about experimental/disabled etc....
00:55 <morganfainberg> henrynash, yes
00:55 <morganfainberg> henrynash, i figured we'd hit it at the meeting tomorrow
00:55 <morganfainberg> but..
00:55 <morganfainberg> can talk now
00:56 <henrynash> sure…happy to have the wider conversation then
00:56 <morganfainberg> henrynash, can have it in both places too ;)
00:56 <morganfainberg> henrynash, your call
00:56 <henrynash> just wanted to make sure I wasn’t misunderstanding your comment
00:56 <morganfainberg> my comment is i disagree with "disabled"
00:56 <morganfainberg> let HTTP do what it does well, tell them it's forbidden
00:56 <morganfainberg> when they try and use it
00:57 <morganfainberg> filtering out experimental and/or deprecated = these are valid but you either want to move away from them or be careful about using
00:57 <morganfainberg> the hints are nice to be able to look at, but you don't need to know it. disabled is more of the same thing we had by removing things from the wsgi pipeline
00:58 <morganfainberg> a 403 is a 403 is a 403 ;)
00:58 *** jorge_munoz has joined #openstack-keystone
00:58 <henrynash> don’t you think it is useful to know WHY its a 403?
00:58 <morganfainberg> nope. not from JSON home
00:58 <morganfainberg> a deployer could do the same thing from policy
00:58 <henrynash> e.g. that API has been removed for ever….or that installation has disabled it
00:58 <morganfainberg> and you'd not see it
00:58 <morganfainberg> if it's removed you get a 404
00:58 <morganfainberg> it's gone
00:58 <morganfainberg> never to return
00:59 <morganfainberg> maybe a 410
00:59 <morganfainberg> ;)
00:59 <openstackgerrit> Samuel de Medeiros Queiroz proposed openstack/keystone: Rename get_events to list_events on the Revoke API  https://review.openstack.org/162817
00:59 <samueldmq> stevemar, ^ I think you like this kind of patch, to keep consistency into the code base :)
00:59 <morganfainberg> [ooh i like that, stub: 410 when we remove wsgi things]
01:00 <henrynash> 410, interesting
01:00 <morganfainberg> fwiw, very few things use 410, but this is a case where 410 would make sense
01:01 <stevemar> morganfainberg, we could add a flag to the API call
01:01 <henrynash> I guess it feels odd to me that in a REST world, we wouldn’t use JSON Home to give a richer set of info about the status of our resources/APIs
01:01 <stevemar> morganfainberg, but we're most FF
01:01 <stevemar> post*
01:01 <morganfainberg> i just dont see a big win to putting stuff into json home saying "disabled"
01:01 <stevemar> henrynash, go to bed
01:01 <morganfainberg> henrynash, go sleep dude ;)
01:02 <henrynash> ok….we fight another day….tomorrow (well, actually today now for me)
01:03 <henrynash> *fades to black*
01:03 *** henrynash has quit IRC
01:06 <morganfainberg> stevemar, can we use HTTP 418 somewhere in keystone
01:06 <morganfainberg> i think we need to
01:07 <morganfainberg> we could co-opt 499 for keystone too
01:07 <stevemar> morganfainberg, sorry, i'm confused, why do we need that?
01:09 <morganfainberg> stevemar, cause... why wouldn't keystone be a teapot?! :P
01:09 <stevemar> morganfainberg, bugging you for https://review.openstack.org/#/c/162756/ and it's dependents, should hopefully make sense :)
01:09 <morganfainberg> sorry...
01:09 <morganfainberg> stevemar, oh i saw those earlier
01:09 <morganfainberg> stevemar, just hadn't gotten to them since i sat down
01:09 <stevemar> morganfainberg, you get to leave?
01:10 <stevemar> no chain?
01:10 <morganfainberg> stevemar, lunch man
01:10 <morganfainberg> lunch
01:12 <morganfainberg> stevemar, some plus 2s added to that chain
01:13 <stevemar> morganfainberg, i have food now, whats the reason for the http code changes?
01:14 <morganfainberg> teapot? cause it's funny
01:14 <morganfainberg> the others cause "meh?"
01:15 <morganfainberg> 410 makes sense if a resource/api is going away
01:16 <stevemar> oh this is all in regard to henry handling disabled extensions
01:16 <morganfainberg> yeash
01:17 <stevemar> thats a tough one
01:18 <stevemar> 410 isn't a good fit
01:18 <morganfainberg> when things are removed permanently?
01:18 <morganfainberg> e.g. an API has moved past deprecation
01:18 <morganfainberg> like v2.0/*
01:18 <morganfainberg> eventually
01:18 <morganfainberg> i'd say 410 is a good fit for that
01:19 <stevemar> yes
01:19 <morganfainberg> not for disabled
01:19 <morganfainberg> 403 = disabled
01:19 <morganfainberg> just the same as if policy.json was to make it disabled
01:19 <stevemar> ha, i tried googling and found a dolphm answer on SO: http://stackoverflow.com/questions/9220432/http-401-unauthorized-or-403-forbidden-for-a-disabled-user
01:19 *** dolphm has left #openstack-keystone
01:19 *** dolphm has joined #openstack-keystone
01:19 *** ChanServ sets mode: +o dolphm
01:19 <morganfainberg> stevemar, hehe
01:20 <morganfainberg> disabled is 403, you do not have rights to access X
01:20 <dolphm> stevemar: asked *and* answered
01:20 <stevemar> i'm thinking 403 if the user is trying to access disabled stuff
01:20 <morganfainberg> stevemar, yep
01:20 <stevemar> (disabled extensions in this case)
01:20 <stevemar> dolphm, nice
01:20 <stevemar> dolphm, didn't notice that
01:21 <morganfainberg> stevemar, if you disable some feature in the API it's simply a 403
01:21 <dolphm> stevemar: disabled extensions should 404 - the extension should not exist
01:21 <morganfainberg> dolphm, no such thing as extensions
01:21 <morganfainberg> dolphm, APIs are not optional.
01:21 <morganfainberg> if you remove things from wsgi pipeline - sure 404, it's not there.
01:22 <morganfainberg> but disabling something that is experimental should be the same as never granting someone rights to access it
01:22 <stevemar> but they exist
01:22 <dolphm> morganfainberg: so you're saying that there are two correct responses in that situation, and the correct response depends on the approach to implementation?
01:22 <morganfainberg> otherwise the 404 is a question of "is the resource gone, or is the API gone"
01:23 <morganfainberg> dolphm, i'd say yes. if the philosophy is "disabled API functionality is 'no one has access'" 403 [same as if a deployer disabled something via policy.json].
01:23 <morganfainberg> dolphm, if you're claiming APIs can be optional [much harder to program to as a consumer of an API], a 404 is more correct as you'd remove it from wsgi pipeline
01:24 <morganfainberg> dolphm, i've been pushing to make APIs non-optional (don't confuse this with defcore)
01:25 <morganfainberg> dolphm, so you don't need to figure out what APIs someone has deployed, you should have a good idea of what keystone's api surface area is. if you don't have access to it, that is something totally different
01:25 <morganfainberg> if you want to get hard-core security, 404 for anything/everything
01:25 *** browne has quit IRC
01:25 <morganfainberg> but i think that is swinging too far away from user experience
01:31 <openstackgerrit> Dolph Mathews proposed openstack/keystone: Refactor: make Fernet token creation/validation API agnostic  https://review.openstack.org/162338
01:31 <openstackgerrit> Dolph Mathews proposed openstack/keystone: Convert audit_ids to bytes  https://review.openstack.org/160993
01:31 <openstackgerrit> Dolph Mathews proposed openstack/keystone: Drop Fernet token prefixes & add domain-scoped Fernet tokens  https://review.openstack.org/162031
01:31 <openstackgerrit> Dolph Mathews proposed openstack/keystone: Remove redundant creation timestamp from fernet tokens  https://review.openstack.org/161897
01:36 <dolphm> jorge_munoz: i didn't rerun tests on each individual commit, but there's a pep8 fix and a unit test fix above ^
01:41 <dolphm> anyone else use debian testing for development?
01:44 <openstackgerrit> ayoung proposed openstack/keystone: ignore unknown groups  https://review.openstack.org/162788
01:46 <ayoung> stevemar, are you covering https://review.openstack.org/#/c/142573/16
01:46 <ayoung> If so... I will pay you in code reviews.  Well, I'd do them anyways, but this is an explicit quid pro quo
01:47 <morganfainberg> dolphm, debian scares me to dev on [same reason RHEL does], it moves like molasses for things and in the case of debian testing... or unstable... or whatever is not "Stable" it's hard to know what you're actually getting
01:47 *** rwsu has quit IRC
01:48 <dolphm> morganfainberg: i don't follow
01:49 <morganfainberg> dolphm, i feel like things are very wonky with testing and unstable in debian
01:49 <morganfainberg> dolphm, been bitten more than once using it for anything i want consistency in
01:49 <morganfainberg> dolphm, personal experience. and stable is slooooow
01:49 * morganfainberg sticks with ubuntu LTS for dev fwiw.
01:50 <dolphm> morganfainberg: well testing and unstable are certainly not for consistency
01:50 <morganfainberg> except when i need cool things.. like python3
01:50 <dolphm> morganfainberg: "stable is slooooow" is the advantage lol
01:50 * samueldmq finds the notifications callback system interesting
01:50 <samueldmq> observer pattern there :)
01:50 <morganfainberg> i like the pace of LTS under ubuntu. it's not slooooow, but it's also not the wild west
01:51 <morganfainberg> and trusty doesn't have systemd
01:51 <dolphm> morganfainberg: then you can cherry pick from testing/backports if you need something more recent
01:51 <morganfainberg> that is a huge huge huge win for me
01:51 <dolphm> neither does debian :D
01:51 <morganfainberg> the fact that debian jessie (sp?) will have systemd means i don't want to use it
01:51 <morganfainberg> at least thats the info i gleaned from ML topics
01:51 <morganfainberg> (not our ML, but debian ML)
01:52 <morganfainberg> systemd makes me cry.
01:52 <morganfainberg> there was nothing wrong with sysv init for servers.
01:52 <morganfainberg> and i stand by that there is still nothing wrong with sysv init
01:52 <morganfainberg> upstart and systemd are a solution looking for a problem.
01:53 * morganfainberg steps out before inciting a holy war.
01:54 <stevemar> ayoung, so morganfainberg doesn't like that one
01:54 <stevemar> its mucking things up
01:55 <stevemar> ayoung, reading your comment now... i'm a bit slow today
01:56 *** _cjones_ has joined #openstack-keystone
01:56 <morganfainberg> stevemar, ayoung just copy/pasted my comment to him.
01:57 <morganfainberg> on why i didn't like it and what should be done instead... exactly what i talked to you about ;)
01:57 <ayoung> yep
01:57 <ayoung> morganfainberg, does this need any sort of blessing to go in?
01:57 <morganfainberg> ayoung, i didn't block it with a -2. lets just say i'm very displeased with it and think it's going to make cleanup very hard.
01:58 <ayoung> morganfainberg, nah, forget the code changes.  Lets assume we get them done
01:58 <ayoung> is the feature itself OK for Kilo>
01:58 <morganfainberg> ayoung, oh nah it's good from a conceptual basis
01:58 <ayoung> ?
01:58 <ayoung> Cool
01:58 <morganfainberg> ayoung, the feature is def. good.
01:58 <ayoung> morganfainberg, I'd say essential
01:58 <ayoung> didn't realize it, sorry for the late add
01:58 <morganfainberg> i'd let it miss for kilo, but if it misses kilo it's def. going into Liberty
01:58 <ayoung> I'll def help this one along
01:58 <morganfainberg> if that makes it clear where i sit?
01:59 <ayoung> Um...not clear
01:59 <morganfainberg> i wont be unhappy if it misses kilo
01:59 <morganfainberg> i know people want it for kilo
01:59 <ayoung> ah...I'd be very sad
01:59 <morganfainberg> if it misses kilo it has to land in liberty
01:59 <ayoung> it implements the "you don't need to explicitly set the groups in Federation"  which is essential
02:00 <morganfainberg> like i said, if it misses kilo it has to land in liberty
02:00 <morganfainberg> it's just late in the cycle so i can't be too hopped up if it misses kilo
02:00 *** iamjarvo has joined #openstack-keystone
02:00 <morganfainberg> the feature is good.
02:02 *** diegows has quit IRC
02:14 *** tellesnobrega_ has joined #openstack-keystone
02:14 *** tellesnobrega_ has quit IRC
02:18 *** kaisers1 has joined #openstack-keystone
02:20 *** kaisers has quit IRC
02:26 *** lsg has joined #openstack-keystone
02:30 *** erkules_ has joined #openstack-keystone
02:33 *** erkules has quit IRC
02:34 *** lsg has quit IRC
02:35 *** lsg has joined #openstack-keystone
02:37 *** browne has joined #openstack-keystone
02:40 *** richm has quit IRC
02:41 <stevemar> lhcheng_ is making me pull down osc code and test it, *grumble grumble*
02:42 <lhcheng_> stevemar: oops, sorry! I was going to test that out again, then got distracted by another task at work
02:43 <stevemar> lhcheng_, :) it's all good
02:44 *** spandhe has quit IRC
02:44 *** iamjarvo has quit IRC
02:44 *** spandhe has joined #openstack-keystone
02:45 <lhcheng_> stevemar: the new patch works
02:45 <lhcheng_> the password prompt moved to a bit later
02:45 <lhcheng_> until the first command is invoked
02:46 <lhcheng_> stevemar: the password used to get prompted as the user enter openstack cli
02:47 *** iamjarvo has joined #openstack-keystone
02:47 *** spandhe has left #openstack-keystone
02:48 <stevemar> lhcheng_, i'm doing the hypervisor show ones for now
02:48 <stevemar> lhcheng_, maybe i'll get them all tonight!
02:48 <stevemar> also when you run devstack now, OSC will add bash completion :)
02:49 <stevemar> tabbing goodness
02:49 <lhcheng_> stevemar:  cool
02:49 <lhcheng_> hmm not working for me, is there a library that I have to update?
02:50 <lhcheng_> ciff library update?
02:50 <stevemar> lhcheng_, update devstack?
02:50 <lhcheng_> *cliff
02:50 <stevemar> lhcheng_, `os hypervisor stats show` is sort of a list
02:51 *** markvoelker has joined #openstack-keystone
02:52 <lhcheng_> stevemar: yeah, OSC show command displays a list of Fields
02:53 <lhcheng_> stevemar: patterned it from that
02:53 <lhcheng_> stevemar: just updated devstack few hours ago, will try it again later
02:57 <stevemar> lhcheng_, oh it displays aggregated data across all compute nodes
02:57 <lhcheng_> yes :)
02:58 <stevemar> it's kinda weird that it's not it's own command
02:58 <stevemar> err that it is it's own command
02:58 <stevemar> and not bundled with `os hypervisor list`
02:58 <stevemar> but whatever
02:58 <stevemar> i think you and dtroyer already hashed that out
02:59 <lhcheng_> I had it in `os hypervisor list` originally
02:59 <lhcheng_> but it is kinda weird mixing those up
03:00 *** _cjones_ has quit IRC
03:00 <lhcheng_> since the data is an aggregated data across, rather than per hypervisor
03:00 *** _cjones_ has joined #openstack-keystone
03:00 <stevemar> yeah, i guess so
03:02 <lhcheng_> stevemar: I started setting up oidc on keystone following: http://docs.openstack.org/developer/keystone/extensions/openidc.html
03:03 <lhcheng_> I noticed in the vm where you configured for testing, it still didn't have the federation configured yet.
03:04 <stevemar> lhcheng_, i am delayed by 1 day for $reasons
03:04 <lhcheng_> stevemar: trying to look the vm config as I am doing my own config to validate I am heading the right direction
03:04 <lhcheng_> stevemar: oh okay, no rush
03:04 <stevemar> lhcheng_, i can send you a guide for some of the work, how far have you gotten
03:04 <lhcheng_> as far as where the vm state is :)
03:05 <lhcheng_> so.. not that far :P
03:05 <lhcheng_> I've setup oidc on my google account
03:05 <lhcheng_> so got the clientid/secret configured in keystone
03:08 <stevemar> lhcheng_, i can totally do a google hangout with you tomorrow and walk you through stuff
03:10 <stevemar> lhcheng_, wheres the password related patch for osc?
03:10 <lhcheng_> https://review.openstack.org/#/c/161088/
03:11 <stevemar> ah the one i just commented on :)
03:13 <openstackgerrit> Merged openstack/keystone: Moved sys.exit mocking into BaseTestClass  https://review.openstack.org/162763
03:14 <lhcheng_> stevemar: cool, I am thinking of try setting up oidc based on the docs. at least that helps validate that we have adequate docs :)
03:15 <stevemar> lhcheng_, ha
03:15 <stevemar> lhcheng_, whats the point of reviewing the OS_URL from https://review.openstack.org/#/c/161088/5
03:15 *** tqtran has quit IRC
03:16 <lhcheng_> hmm no idea, waiting for Dean to respond to that question
03:17 <lhcheng_> I think you asked in the previous patchset?
03:17 <stevemar> i think so
03:18 <lhcheng_> ah that config moved to TokenEndpoint class
03:18 <lhcheng_> https://review.openstack.org/#/c/161088/6/openstackclient/api/auth_plugin.py
03:19 <lhcheng_> umm might break backward compatibility?
03:21 <stevemar> lhcheng_, sent you a guide for some oidc help, but it doesn't setup websso
03:21 <stevemar> that is ... other steps
03:23 <lhcheng_> stevemar: thanks
03:24 <lhcheng_> stevemar: the setup websso is the new feature, I am familiar with the patch I can probably figure that part
03:25 <stevemar> lhcheng_, i'll try and recap the diffs here...
03:26 *** zzzeek has quit IRC
03:26 <stevemar> lhcheng_, 1) the redirect URL will /auth/OS-FEDERATION/websso/redirect 2) the IdP will need a 'remote_id' section, 3) keystone.conf will need to set remote_id_attribute option
03:27 <stevemar> those are the keystone related changes
03:27 <stevemar> then the horizon ones, which i think you know better than i do
03:28 <openstackgerrit> Merged openstack/keystone: Refactoring: use BaseTestCase instead of TestCase  https://review.openstack.org/162686
03:28 <openstackgerrit> Merged openstack/keystone: Removed maxDiff attribute from TestCase  https://review.openstack.org/162764
03:28 <lhcheng_> yeah, that sounds like it
03:29 <lhcheng_> what is the easiest way to validate federation is working?
03:29 <lhcheng_> does OSC works with it? :)
03:31 *** ccard_ has joined #openstack-keystone
03:32 *** dims_ has quit IRC
03:33 <openstackgerrit> Merged openstack/keystone: Refactor: create a common base for notification tests  https://review.openstack.org/162756
03:34 *** ccard__ has quit IRC
03:35 <lhcheng_> stevemar: oh, it's in the docs
03:35 <lhcheng_> stevemar: thank you sir
03:36 <lhcheng_> stevemar: time for dinner, later!
03:41 <stevemar> lhcheng_, yup it does, have fun!
03:44 *** ayoung has quit IRC
03:46 <dolphm> running keystone tests real fast like http://cdn.pasteraw.com/h50534yi1aw3x1qqk4dluo9x2wkvh2y
03:46 <dolphm> http://i.imgur.com/q8K6TAD.png
03:49 *** rushiagr_away has quit IRC
03:50 *** jorge_munoz has quit IRC
03:51 <samueldmq> stevemar, marekd any of you around ? just woud
03:51 <samueldmq> just would like to confirm something in federation*
03:53 *** markvoelker has quit IRC
03:53 *** markvoelker has joined #openstack-keystone
03:54 <samueldmq> in the mapping rules, you use {0}, {1}, etc inside 'local' in the order they appear in the 'remote' properties
03:54 <samueldmq> am I right?
03:55 *** jorge_munoz has joined #openstack-keystone
03:57 *** markvoelker has quit IRC
03:58 <lbragstad> dolphm: nice, how long did those tests take?
03:58 <dolphm> lbragstad: see the pasteraw link above
03:59 <lbragstad> whoa...
04:01 <morganfainberg> was that 90s dolphm ?
04:01 <morganfainberg> or am i mis-reading it?
04:02 <lbragstad> 28 minutes worth of work in ~90 seconds?
04:02 <lbragstad> I'd take it
04:02 *** jorge_munoz has quit IRC
04:03 <dolphm> morganfainberg: you are correct sir
04:03 <morganfainberg> 8 workers nice
04:04 <morganfainberg> s/8workers//
04:04 <morganfainberg> looks like 20 workers
04:06 <samueldmq> and since the slower one took 0:01:27s, that means ~6s to split test jobs and join results at the end?
04:06 <samueldmq> lol
04:11 <stevemar> samueldmq, sounds about right
04:11 <samueldmq> stevemar, what? my federation comment? or the one just above?
04:12 <stevemar> samueldmq, oops, federation comment
04:12 <stevemar> i want a machine with 20 workers :(
04:12 <dolphm> stevemar: it's a rackspace baremetal server
04:12 <samueldmq> stevemar, yees, then I get federation workflow :)
04:13 <dolphm> stevemar: rent it by the hour!
04:13 <stevemar> i can't afford that
04:13 <samueldmq> dolphm, how do we set up the number of workers to use?
04:13 <stevemar> samueldmq, i think it's based on number of processors? or something crazy
04:13 <dolphm> samueldmq: when you run tox, it defaults to the number of cores you have, ish
04:14 <stevemar> oh right cores
04:14 <dolphm> samueldmq: i have no idea how to override that though. there's a --concurrency={worker_count} option that doesn't seem to work
04:14 <samueldmq> stevemar, dolphm k
04:14 <dolphm> stevemar: this is a 10 core box with hyperthreading, so 20 virtual cores, and i don't know why it's doing 19 workers
04:15 <samueldmq> dolphm, it's doing 20 workers
04:15 <samueldmq> dolphm, 0 to 19 :)
04:15 <dolphm> samueldmq: /facepalm.
04:15 <stevemar> lol
04:15 <stevemar> nice one dolphinator
04:15 <dolphm> i'm going to bed now
04:15 <samueldmq> o/
04:15 <stevemar> o/
04:15 * dolphm shuffles away in sadness.
04:16 <samueldmq> dolphm, ahha, nah .. you just need to sleep :)
04:16 <dolphm> as with all other things, i blame daylight savings
04:17 <samueldmq> fair enough
04:17 <samueldmq> :p
04:22 *** rushiagr_away has joined #openstack-keystone
04:24 *** markvoelker has joined #openstack-keystone
04:26 *** panbalag has quit IRC
04:30 * samueldmq goes to bed zzZ
04:31 *** samueldmq is now known as samueldmq_away
04:32 *** dims has joined #openstack-keystone
04:33 <openstackgerrit> Lance Bragstad proposed openstack/keystone: Federated token formatter  https://review.openstack.org/161380
04:37 *** samueldmq_away has quit IRC
04:38 *** dims has quit IRC
04:40 *** dims has joined #openstack-keystone
04:41 *** markvoelker has quit IRC
04:45 *** dims has quit IRC
05:03 *** iamjarvo has quit IRC
05:22 <openstackgerrit> Steve Martinelli proposed openstack/keystone: Add API to create ecp wrapped saml assertion  https://review.openstack.org/162866
05:24 <openstackgerrit> Steve Martinelli proposed openstack/keystone: Add API to create ecp wrapped saml assertion  https://review.openstack.org/162866
05:25 *** jorge_munoz has joined #openstack-keystone
05:29 *** _cjones_ has quit IRC
05:31 *** stevemar has quit IRC
05:38 *** markvoelker has joined #openstack-keystone
05:44 <openstackgerrit> Lin Hua Cheng proposed openstack/keystone: On creation default service name to empty string  https://review.openstack.org/146962
05:45 *** jorge_munoz has quit IRC
05:57 *** harlowja_ is now known as harlowja_away
06:21 *** dims has joined #openstack-keystone
06:24 <hugokuo> what kind of user has permission to validate all users' token ?
06:24 <hugokuo> in Keystone V3
06:26 *** dims has quit IRC
06:30 *** david-lyle has quit IRC
06:31 *** _cjones_ has joined #openstack-keystone
06:36 <openstackgerrit> Jamie Lennox proposed openstack/python-keystoneclient: Add Proxy plugins  https://review.openstack.org/137864
06:37 *** rushiagr_away is now known as rushiagr
06:39 *** david-lyle has joined #openstack-keystone
07:01 <marekd> samuel: yes
07:02 *** _cjones_ has quit IRC
07:03 *** _cjones_ has joined #openstack-keystone
07:03 *** _cjones_ has quit IRC
07:11 *** david-lyle is now known as david-lyle_afk
07:11 *** browne has quit IRC
07:21 *** chlong has quit IRC
07:31 *** jistr has joined #openstack-keystone
07:35 *** openstackgerrit has quit IRC
07:35 *** openstackgerrit has joined #openstack-keystone
08:09 *** erkules_ is now known as erkules
08:09 *** erkules has joined #openstack-keystone
08:31 *** pnavarro has joined #openstack-keystone
08:33 <hugokuo> Was x-service-catalog deprecated in Juno ?
09:06 *** nellysmitt has joined #openstack-keystone
09:10 <openstackgerrit> Kamil Rykowski proposed openstack/keystone: Use assertFalse or assertTrue instead of assertIs  https://review.openstack.org/162918
09:11 *** dims has joined #openstack-keystone
09:18 *** dims has quit IRC
09:19 *** aix has joined #openstack-keystone
09:22 *** markvoelker has quit IRC
09:30 *** david-lyle_afk has quit IRC
09:30 *** david-lyle_afk has joined #openstack-keystone
09:30 <openstackgerrit> Dave Chen proposed openstack/keystone: Crosslink to other sites that are owned by Keystone  https://review.openstack.org/161490
09:34 *** jistr has quit IRC
09:42 <openstackgerrit> henry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs  https://review.openstack.org/159928
09:43 <openstackgerrit> henry-nash proposed openstack/keystone: Mark the domain config API as experimental  https://review.openstack.org/160032
09:46 *** jistr has joined #openstack-keystone
09:48 *** lsg has quit IRC
09:52 *** afazekas has joined #openstack-keystone
09:56 *** dims has joined #openstack-keystone
09:58 <breton> dstanek: I love Jenkins' reaction to https://review.openstack.org/#/c/162766/1 :)
10:03 *** _cjones_ has joined #openstack-keystone
10:04 *** _cjones_ has quit IRC
10:05 *** _cjones_ has joined #openstack-keystone
10:09 *** _cjones_ has quit IRC
10:17 *** chlong has joined #openstack-keystone
10:30 <openstackgerrit> Elena Ezhova proposed openstack/keystone: Prevent calling waitall() inside a GreenPool's greenthread  https://review.openstack.org/160720
10:30 *** samueldmq has joined #openstack-keystone
10:32 *** aix has quit IRC
10:32 *** lhcheng_ has quit IRC
10:41 *** nellysmitt has quit IRC
10:51 *** chlong has quit IRC
10:53 *** markvoelker has joined #openstack-keystone
10:57 *** aix has joined #openstack-keystone
11:00 <marekd> samueldmq: yes
11:09 *** nellysmitt has joined #openstack-keystone
11:09 *** Krast has quit IRC
11:20 *** diegows has joined #openstack-keystone
11:47 *** panbalag has joined #openstack-keystone
11:54 *** amakarov_away is now known as amakarov
11:57 <openstackgerrit> Telles Mota Vidal Nóbrega proposed openstack/keystone: List projects filtering by is_domain flag  https://review.openstack.org/158398
11:58 <openstackgerrit> Telles Mota Vidal Nóbrega proposed openstack/keystone: Creating domain and filtering by parent_id  https://review.openstack.org/161378
12:01 *** karimb has joined #openstack-keystone
12:13 <dstanek> breton: yeah, i saw that last night, but I didn't have time to look into why
12:14 *** raildo_away is now known as raildo
12:17 <amakarov> samueldmq, hi! Are you here?
12:17 <dstanek> breton: yeah, i didn't add a file :-( so of course it works for me
12:20 *** bjornar has quit IRC
12:21 <openstackgerrit> David Stanek proposed openstack/keystone: Refactor: extract and rename unique_id method  https://review.openstack.org/162766
12:21 <openstackgerrit> David Stanek proposed openstack/keystone: Simplify injection testcase setup  https://review.openstack.org/162767
12:21 <openstackgerrit> David Stanek proposed openstack/keystone: Removed optional dependency support  https://review.openstack.org/162770
12:21 <openstackgerrit> David Stanek proposed openstack/keystone: Decouple notifications from DI  https://review.openstack.org/162769
12:21 <openstackgerrit> David Stanek proposed openstack/keystone: Isolate injection tests  https://review.openstack.org/162768
12:22 *** iamjarvo has joined #openstack-keystone
12:25 *** dims has quit IRC
12:25 *** dims has joined #openstack-keystone
12:26 *** kaisers has joined #openstack-keystone
12:27 *** kaisers1 has quit IRC
12:31 <marekd> dstanek: could you look here and possibly vote: https://review.openstack.org/#/c/159803/ ?
12:35 *** htruta has joined #openstack-keystone
12:38 *** markvoelker has quit IRC
12:39 *** markvoelker has joined #openstack-keystone
12:41 *** gordc has joined #openstack-keystone
12:43 *** markvoelker has quit IRC
12:47 *** jistr has quit IRC
12:48 *** jistr has joined #openstack-keystone
12:49 *** nellysmitt has quit IRC
12:56 *** bknudson has joined #openstack-keystone
12:56 *** ChanServ sets mode: +v bknudson
12:58 *** richm has joined #openstack-keystone
13:04 *** jistr has quit IRC
13:05 *** jistr has joined #openstack-keystone
13:06 *** stevemar has joined #openstack-keystone
13:06 *** ChanServ sets mode: +v stevemar
13:08 *** joesavak has joined #openstack-keystone
13:13 <openstackgerrit> Dave Chen proposed openstack/keystone: Use assertFalse and assertTrue instead of assertEqual  https://review.openstack.org/162570
13:13 *** markvoelker has joined #openstack-keystone
13:18 *** stevemar has quit IRC
13:19 *** stevemar has joined #openstack-keystone
13:19 *** ChanServ sets mode: +v stevemar
13:20 *** rushiagr is now known as rushiagr_away
13:20 *** iamjarvo has quit IRC
13:25 *** sigmavirus24_awa is now known as sigmavirus24
13:26 *** bjornar has joined #openstack-keystone
13:31 *** henrique_ has joined #openstack-keystone
13:35 *** mattfarina has joined #openstack-keystone
13:38 *** jlk has left #openstack-keystone
13:42 *** jorge_munoz has joined #openstack-keystone
13:42 *** bdossant has joined #openstack-keystone
13:51 *** iamjarvo has joined #openstack-keystone
13:51 *** ayoung has joined #openstack-keystone
13:51 *** ChanServ sets mode: +v ayoung
13:52 *** iamjarvo has quit IRC
13:52 *** iamjarvo has joined #openstack-keystone
13:53 <openstackgerrit> David Stanek proposed openstack/keystone: Stops injecting revoke_api into TestCase  https://review.openstack.org/163008
13:56 *** iamjarvo has quit IRC
13:58 *** r-daneel has joined #openstack-keystone
13:59 <amakarov> dstanek, greetings! Can you please put some bp or bug in your commit messages?
14:00 <dstanek> amakarov: i do when there is a bp or bug associated with them
14:02 *** ayoung has quit IRC
14:02 *** fmarco76 has joined #openstack-keystone
14:03 *** iamjarvo has joined #openstack-keystone
14:03 *** iamjarvo has quit IRC
14:05 *** iamjarvo has joined #openstack-keystone
14:05 <openstackgerrit> Matthieu Huin proposed openstack/keystone: add oauth authentication to config file  https://review.openstack.org/161317
14:05 *** iamjarvo has quit IRC
14:06 *** iamjarvo has joined #openstack-keystone
14:08 *** zzzeek has joined #openstack-keystone
14:09 <breton> dstanek: aren't these patches about fixing di?
14:09 *** iamjarvo has quit IRC
14:11 *** iamjarvo has joined #openstack-keystone
14:11 <dstanek> breton: which ones?
14:12 <dstanek> breton: i have something like ~30 patches pushed to gerrit and about 20 more locally that need rebased or fixed :-)
14:13 <amakarov> samueldmq, ping
14:13 *** rushiagr_away is now known as rushiagr
14:13 *** iamjarvo_ has joined #openstack-keystone
14:14 <breton> dstanek: https://review.openstack.org/#/c/162766/ this and its 'Needed by'
14:14 *** samueldmq_away has joined #openstack-keystone
14:15 *** iamjarvo has quit IRC
14:15 <dstanek> breton: those were not specific to my DI work - those are cherry picked refactorings that i was pushing
14:16 <dstanek> breton: i did put the DI work on top of it though
14:16 *** timcline has joined #openstack-keystone
14:16 *** timcline has quit IRC
14:16 <breton> oh, ok. It's a pity though that DI stuff didn't get in kilo
14:17 *** timcline has joined #openstack-keystone
14:17 *** topol has joined #openstack-keystone
14:17 *** ChanServ sets mode: +v topol
14:17 *** iamjarvo has joined #openstack-keystone
14:17 *** iamjarvo has quit IRC
14:18 <dstanek> yeah, i agree, but i think henry's resource split was more important
14:18 *** iamjarvo has joined #openstack-keystone
14:18 <openstackgerrit> Merged openstack/pycadf: Add api_audit_map.conf for Trove project  https://review.openstack.org/162415
14:18 *** iamjarvo_ has quit IRC
14:31 *** bdossant has quit IRC
14:37 *** markvoelker has quit IRC
14:37 *** markvoelker has joined #openstack-keystone
14:42 *** markvoelker has quit IRC
14:44 *** rwsu has joined #openstack-keystone
14:46 <openstackgerrit> David Stanek proposed openstack/keystone: Removed optional dependency support  https://review.openstack.org/162770
14:46 <openstackgerrit> David Stanek proposed openstack/keystone: Decouple notifications from DI  https://review.openstack.org/162769
14:46 <openstackgerrit> David Stanek proposed openstack/keystone: Removed dependency.provider  https://review.openstack.org/163029
14:49 *** pnavarro has quit IRC
14:49 *** markvoelker has joined #openstack-keystone
14:49 *** pnavarro has joined #openstack-keystone
14:52 *** iamjarvo has quit IRC
14:53 <openstackgerrit> David Stanek proposed openstack/keystone: Stops injecting revoke_api into TestCase  https://review.openstack.org/163008
*** dims has quit IRC14:58
*** stevemar2 has joined #openstack-keystone15:01
*** ChanServ sets mode: +v stevemar215:01
*** stevemar has quit IRC15:01
*** dimsum__ has joined #openstack-keystone15:01
*** jsavak has joined #openstack-keystone15:04
*** joesavak has quit IRC15:06
*** iamjarvo has joined #openstack-keystone15:10
*** browne has joined #openstack-keystone15:12
*** tsufiev has quit IRC15:12
*** tsufiev has joined #openstack-keystone15:13
*** tsufiev has quit IRC15:14
*** radez_g0n3 is now known as radez15:15
*** Ephur has joined #openstack-keystone15:16
*** Ephur_ has joined #openstack-keystone15:17
*** krykowski has joined #openstack-keystone15:18
krykowskiHey guys, I have some issue after reinstalling the whole devstack. It crashes on creating images in glance due to 401 Unauthorized.15:21
*** Ephur has quit IRC15:21
krykowskiI tried to get image list with glance image-list but same error occurred15:21
krykowskiIn the keystone logs I have following "Authorization failed. Could not find user: %SERVICE_USER%", what is that %SERVICE_USER% user?15:21
*** boris-42 has quit IRC15:22
*** david-lyle_afk is now known as david-lyle15:23
*** tsufiev_ has joined #openstack-keystone15:24
lbragstadkrykowski: it could be a setup issue. The service user is a user account for use by the service.15:29
lbragstadkrykowski: was this a clean stack.sh run?15:30
openstackgerritJorge Munoz proposed openstack/keystone: Implement Fernet tokens for v2.0 tokens  https://review.openstack.org/15922915:31
*** joesavak has joined #openstack-keystone15:32
krykowski<lbragstad>: I had some old devstack installation so run ./clean.sh and removed whole /opt/stack/ directory. After that I've just pulled latest devstack and run ./stack.sh15:32
*** iamjarvo has quit IRC15:32
krykowskiI had to mess something, spent all day investigating it with no luck15:33
*** jorge_munoz has quit IRC15:33
*** jsavak has quit IRC15:34
*** boris-42 has joined #openstack-keystone15:39
*** jorge_munoz has joined #openstack-keystone15:45
*** gyee has joined #openstack-keystone15:46
*** ChanServ sets mode: +v gyee15:46
*** thedodd has joined #openstack-keystone15:46
dolphmjorge_munoz: you really can't set Workflow-1?! that's terrible15:48
dolphmwonder why & when they took that away?15:49
jorge_munozYes, I did not see it.15:51
*** ayoung has joined #openstack-keystone15:52
*** ChanServ sets mode: +v ayoung15:52
ayoungrodrigods, on https://review.openstack.org/#/c/142573/  I was just echoing morganfainberg 's comments from IRC into the review.  Are you actively working on that patch?15:53
dolphmjorge_munoz: regarding your PM, no the expiration shouldn't include a timezone. it should be assumed to be UTC, but bknudson has a fix in review to convert it to a UTC datetime instead of a local datetime, which is probably the issue you're seeing15:55
dolphmjorge_munoz: https://review.openstack.org/#/c/162489/15:55
dolphmjorge_munoz: did you pull the _get_token_id() refactor out?15:56
ayoungdolphm, Building the "assume UTC" aspect into the Access Info models was essential15:57
jorge_munozdolphm: Yes, it was not part of the patch.15:57
*** iamjarvo has joined #openstack-keystone15:57
jorge_munozdolphm: It was added in the initial commit.15:57
dolphmayoung: this would be lower level than that - timestamps are ultimately encoded into the fernet token format itself using 64 bit ints15:57
openstackgerrithenry-nash proposed openstack/keystone: Enable use of database domain config  https://review.openstack.org/15967515:58
dolphmayoung: we just need to read it back correctly :)15:58
openstackgerrithenry-nash proposed openstack/keystone: Enable sensitive substitutions into whitelisted domain configs  https://review.openstack.org/15992815:58
rodrigodsayoung, nope... :)15:58
ayoungdolphm, Heh...I would not call that lower level.  I'm agreeing with you, though, just that on the Keystone side, it will make it better if we have an abstraction that knows how to produce and consume the right format15:58
rodrigodsayoung, you can assume it, as marekd did15:58
dolphmjorge_munoz: your current patch is failing without it - you can propose two (or more) patches at once that depend on each other15:58
ayoungrodrigods, If I assume it, I can't approve it15:59
*** markvoelker has quit IRC15:59
*** markvoelker has joined #openstack-keystone16:00
openstackgerritJorge Munoz proposed openstack/keystone: Implement Fernet tokens for v2.0 tokens  https://review.openstack.org/15922916:00
ayoungdolphm, https://review.openstack.org/#/c/138519/16/keystoneclient/models/access_info.py,cm  see the DateString class there.16:00
ayoungdolphm, what in the fernet patch needs review attention?16:01
dolphmjorge_munoz: thanks for the pep8 fixes :)16:01
*** stevemar2 is now known as stevemar16:01
dolphmayoung: https://review.openstack.org/#/c/161876/16:01
dolphmayoung: https://review.openstack.org/#/c/162489/16:01
dolphmayoung: thanks!16:02
*** timcline has quit IRC16:02
jorge_munozdolphm: OK, I'll add a new patch that includes the UTC time.16:02
ayoungdolphm, looks cood.16:03
ayounggood16:03
*** fmarco76 has quit IRC16:04
*** pmath has left #openstack-keystone16:04
*** markvoelker has quit IRC16:05
*** iamjarvo has quit IRC16:07
*** browne has quit IRC16:08
ayoungdolphm, so you are convinced that not having the expiration in the token itself is the right approach?  I assume this is part of "get it as small as possible."16:08
dolphmayoung: i am, yes16:08
dolphmayoung: i agree with the concern, but it's a concern for an edge case (changing the token lifespan in a running system) that can be well documented behavior.16:09
ayoungdolphm, I think I'm OK with that.  I want to make sure we are not painting ourselves into a corner where we need to reengineer to get to distributed signing.  In this case, the CONF value for timeout would have to be synchronized, but it's just another piece of Keystone data that is cacheable.16:10
dolphmjorge_munoz: i'm confused - what are you adding, exactly, concerning UTC time? there's already a fix in review for the issue16:11
stevemarheads up keystone folks, probably a new release of osc coming out today, hold on to your hats!16:11
dolphmjorge_munoz: https://review.openstack.org/#/c/162489/16:11
dolphmstevemar: \o/16:11
dolphmayoung: ++16:11
jorge_munozdolphm: I was just including the fix on my patch.16:12
stevemardolphm, i said to hold on to your hat, like this, /o\16:12
dolphmayoung: there's another way to look at it as well - one keystone (maybe serving barbican or something) might have tighter security requirements (shorter ttl) than another that would otherwise recognize each other's tokens.16:13
dolphmayoung: point is - we're gaining some flexibility that puts ttl validation a tiny bit closer to the authorization point16:14
*** samueldmq_away has quit IRC16:14
dolphmstevemar: /o\16:14
stevemarmuch better16:14
dolphmjorge_munoz: how?16:14
jorge_munozdolphm: cherry-pick16:15
dolphmjorge_munoz: but it's already in review and approved - if you upload another instance of that review, it'll pull it out of the gate16:15
jorge_munozdolphm: Is the patch merged in?16:16
dolphmjorge_munoz: it's gating, so it'll be an hour or two16:16
dolphmjorge_munoz: since it's not the same dependency sequence, you could add "Depends-On: I56757e9636e7baf46eeb1657dab209616e310672" to your commit message so that it's not tested without it16:16
ayoungdolphm, in the token validator code you have:   if isinstance(payload[1], str):    Is that correct?   Should it be instance of basestring, or even six.string_types to be future proof?16:16
jorge_munozdolphm: Ok, thanks.16:17
dolphmayoung: yeah, that sounds wrong. where's that?16:18
ayoungdolphm, https://review.openstack.org/#/c/161774/11/keystone/token/providers/fernet/token_formatters.py,cm16:18
dolphmayoung: oh that might be nuked in a later patch. is that determining if it's a project scope or not?16:18
ayoungdolphm, it's looking at the datatype for a token16:18
dolphmayoung: yeah, i didn't touch that bit in that specific patch, but the conditional is completely deleted later on16:18
ayoungpayload = self.unpack(token_string)16:19
ayoungthen16:19
ayoung if isinstance(payload[1], str):16:19
dolphmayoung: it's deleted here, L179 or so on the left https://review.openstack.org/#/c/162031/11/keystone/token/providers/fernet/token_formatters.py,unified16:19
*** joesavak has quit IRC16:20
* ayoung guess right!16:20
ayoungdolphm, is it maybe worthwhile collapsing those changes?  Is there any value in splitting them this way for review?16:20
*** iamjarvo has joined #openstack-keystone16:20
openstackgerritJorge Munoz proposed openstack/keystone: Implement Fernet tokens for v2.0 tokens  https://review.openstack.org/15922916:21
dolphmayoung: yes - the expiration removal and timestamp handling one warrant their own discussions16:21
ayoungok16:21
dolphmayoung: the following refactor is pretty big and would complicate things quite a bit :)16:21
ayoungFair enough16:22
ayoungdolphm, the pattern of referring to string elements by position is also Fragile.  I'll ignore that, too, though, if it is cleaned up later16:23
ayoungaudit_ids = payload[4]  for example16:23
dolphmayoung: payload is a tuple there16:23
dolphmayoung: and that's only done in that once class16:23
stevemarmorganfainberg, might be late for the meeting...16:23
dolphmayoung: one* class - nothing else is ever responsible for understanding / handling the payload order16:23
morganfainbergstevemar: np16:24
ayoungdolphm, so there is a better pattern for that kind of work.  It is to have a collection of simple objects that read and write their individual values.  You iterate through one way to read, and the opposite way to write16:24
ayoungnot a deal breaker...just fragile code16:24
openstackgerritJorge Munoz proposed openstack/keystone: Refactor: make Fernet token creation/validation API agnostic  https://review.openstack.org/16233816:25
openstackgerritJorge Munoz proposed openstack/keystone: Convert audit_ids to bytes  https://review.openstack.org/16099316:25
openstackgerritJorge Munoz proposed openstack/keystone: Refactor: remove dep on trust_api / v3 token helper  https://review.openstack.org/16187616:25
openstackgerritJorge Munoz proposed openstack/keystone: Drop Fernet token prefixes & add domain-scoped Fernet tokens  https://review.openstack.org/16203116:25
openstackgerritJorge Munoz proposed openstack/keystone: Remove redundant creation timestamp from fernet tokens  https://review.openstack.org/16189716:25
openstackgerritJorge Munoz proposed openstack/keystone: Remove the expiration timestamp from Fernet tokens  https://review.openstack.org/16177416:25
openstackgerritJorge Munoz proposed openstack/keystone: Implement Fernet tokens for v2.0 tokens  https://review.openstack.org/15922916:25
dolphmjorge_munoz: oh god16:25
dolphmjorge_munoz: please use --no-rebase each and every time you upload a change16:25
morganfainbergLooks like a rebase snuck in.16:25
morganfainbergdolphm: according to infra folks --no-rebase shouldn't be needed.16:26
dolphmjorge_munoz: because you're depending on other reviews, git-review has a tendency to try and automatically rebase the reviews you're dependent on, which A) yanks gating changes out of the gate, B) clears Code-Review votes if the rebase is non-trivial, C) requires new check runs to occur on each patch16:26
dolphmmorganfainberg: yeah well they're completely wrong and i'm tired of complaining about it16:26
morganfainbergdolphm: I should go poke git-review and fix that bug :P16:27
ayoungI've found --no-rebase was getting ignored on me16:27
jorge_munozdolphm: oops16:27
morganfainbergdolphm: so... Ubuntu one keeps telling me I'm a bot when I login via iOS. Do you have the same issue?16:28
dolphmjorge_munoz: i should have mentioned it earlier!16:28
dolphmjorge_munoz: for future reference :)16:28
morganfainbergAnd...who the hell do I harass about that :( I'm not a bot.16:28
dolphmmorganfainberg: i don't use linux on the desktop16:29
jorge_munozdolphm: will do16:29
dolphmmorganfainberg: oh, i see what you mean, no!16:29
*** joesavak has joined #openstack-keystone16:29
morganfainbergdolphm: I am hating lp more and more.16:29
*** jsavak has joined #openstack-keystone16:30
morganfainbergdolphm: iOS must be automatically populating a hidden field. That is such a stupid thing to randomly change/add16:31
ayoungmorganfainberg, fairly certain you are a bot16:31
morganfainbergdolphm: doesn't happen on the desktop version with the same utilities.16:31
morganfainbergayoung: I might be :(. But bknudson is probably more of one :P16:32
*** ayoung is now known as ayoungbot16:32
* ayoungbot has revealed his true identity16:32
dolphmmorganfainberg: ayoungbot has a point16:32
*** ayoungbot is now known as ayoung16:33
dolphmbknudson: evilbrant_bot?16:33
*** joesavak has quit IRC16:34
*** lhcheng has joined #openstack-keystone16:38
*** _cjones_ has joined #openstack-keystone16:39
*** lhcheng_ has joined #openstack-keystone16:40
*** iamjarvo has quit IRC16:42
dolphmjorge_munoz: o/16:43
*** lhcheng has quit IRC16:43
dolphmjorge_munoz: what do you have a merge conflict with, exactly?16:43
jorge_munozdolphm: Nothing that I can tell, It started showing after I added the Depends-On16:44
*** harlowja_away is now known as harlowja_16:44
dolphmjorge_munoz: you didn't change anything else since patchset 20?16:44
jorge_munozdolphm: Nope16:45
jorge_munozjust the Depends-On on the commit message.16:46
*** dimsum__ has quit IRC16:46
dolphmjorge_munoz: let me try uploading one - i don't see an issue though16:46
morganfainbergayoung: so we have one operator who is now heavily using ldap assignment because they want tight control of the entities between identity and assignment (the whole thing we are trying to break the habit of)16:47
dolphmjorge_munoz: i mean, a reason for a conflict16:47
morganfainbergayoung: see https://bugs.launchpad.net/keystone/+bug/140963516:47
openstackLaunchpad bug 1409635 in Keystone "keystone fails to authenticate users when LDAP project_id_attribute is not CN" [Undecided,New]16:47
*** dimsum__ has joined #openstack-keystone16:47
morganfainbergayoung: the answers I have for his questions. Are "we don't support what you are doing" right now.16:47
dolphmjorge_munoz: so, your patch actually conflicts with the patch you now Depends-On, which isn't allowed16:49
*** browne has joined #openstack-keystone16:50
jorge_munozdolphm: Ah, ok. I'll just wait till the patch i depend on gets merged and then I'll just rebase.16:50
dolphmjorge_munoz: yeah, that's the easiest solution :-/16:51
dolphmbknudson: if you have any more fixes for fernet, include them in the giant dep tree so we don't run into this ^ :P16:51
* dolphm food time16:51
*** haneef has joined #openstack-keystone16:54
ayoungmorganfainberg, what he is proposing is probably correct...still reading through the comments, though16:57
ayoungit's basically what we did in the identity backend16:57
morganfainbergayoung: this is ldap assignment. He has a question at the end, read only ldap backend, user is removed16:58
openstackgerritEric Brown proposed openstack/keystone: WIP: Replace exec calls with cryptography library  https://review.openstack.org/16308816:58
morganfainbergHow does sql assignment know?16:58
morganfainbergRight now he is out-of band removing from both identity and assignment. I think the only answer is the tool that edits ldap has to make an API call to keystone.16:59
morganfainbergOr edit sql (scary)16:59
*** iamjarvo has joined #openstack-keystone16:59
*** iamjarvo has quit IRC16:59
*** gyee has quit IRC17:00
ayoungmorganfainberg, I should probably cut and paste my response to the mailing list about the FKs from last night17:00
*** jorge_munoz_ has joined #openstack-keystone17:00
*** iamjarvo has joined #openstack-keystone17:00
ayoungmorganfainberg, It doesn't know, and it shouldn't know17:00
ayoungif I had my way, we would treat the identity operations as coming from a completely different, non integrated system from assignment operations17:00
*** jistr has quit IRC17:01
morganfainbergayoung: I agree. We need a nice way to shift this operator that direction.17:01
ayoungI should be able to create a role assignment to a non-existent user or group17:01
*** lhcheng_ is now known as lhcheng17:01
*** gyee has joined #openstack-keystone17:02
*** ChanServ sets mode: +v gyee17:02
topolso Keystone meeting back to starting an hour later?17:02
ayoungand Mike Bayer really didn't get it.17:03
stevemartopol, yeah... wondering what's up17:03
*** _cjones_ has quit IRC17:05
dstanektime changes screw everything up17:05
*** gyee has quit IRC17:07
*** markvoelker has joined #openstack-keystone17:09
*** _cjones_ has joined #openstack-keystone17:09
ayoungThere is a movement afoot to kill daylight savings time.  Considering how it messed up my kids' sleep schedules this week I'm prone to sign on17:09
stevemarit looks like -meeting is being used by rally folks atm17:10
* breton didn't have the time change17:10
bretonUS problems17:10
*** leonchio_ has joined #openstack-keystone17:10
*** jorge_munoz_ has quit IRC17:11
stevemarmorganfainberg, not around?17:12
morganfainbergstevemar, yes17:12
morganfainbergi'm here17:12
stevemarmorganfainberg, isn't it keystone meeting time?17:13
morganfainbergyou time changed didn't you17:13
stevemari did17:13
*** iamjarvo has quit IRC17:14
*** krtaylor has quit IRC17:14
morganfainbergstevemar, keystone meeting is 1800 UTC17:14
dstanekstevemar: you have to put it in your calendar at 18:00 UTC17:14
morganfainbergstevemar, it is currently 1714 UTC17:14
morganfainberghttp://www.worldtimeserver.com/current_time_in_UTC.aspx17:14
stevemarmorganfainberg, mokay17:14
dstanekotherwise you'll be constantly messed up17:14
morganfainbergif you use exchange, you can do UTC, if you use google, you need to use https://www.google.com/search?client=safari&rls=en&q=reykjavik&ie=UTF-8&oe=UTF-817:15
morganfainbergerm17:15
morganfainbergreykjavik17:15
*** spandhe has joined #openstack-keystone17:15
morganfainbergso.. topol, stevemar, see you guys in ~45mins17:16
topolmorganfainberg, stevemar.  If I had realized sooner I could have gone to a long leisurely lunch...17:18
dstaneki have Google calendar configured to show my UTC and EST to make life easier17:18
stevemartopol, i know right, i rushed home17:18
*** markvoelker has quit IRC17:19
*** markvoelker has joined #openstack-keystone17:19
topolstevemar, rushed home??? didn't I tell Dini you now go into the office to show sympathy for her cause ?17:19
morganfainbergstevemar, topol, it's ok next week [just for you guys] we'll be starting at the same time as this week.17:19
morganfainbergso you can have a nice lunch17:20
stevemartopol, i had to rush home *from buying food*17:20
morganfainbergin fact... we will do this until the next daylight time shift17:20
topolmorganfainberg you are the best!17:20
*** markvoelker_ has joined #openstack-keystone17:21
topolthis left over trail mix from my last trip is oh so good17:21
*** markvoelker has quit IRC17:24
*** krtaylor has joined #openstack-keystone17:27
*** stevemar has quit IRC17:32
*** spandhe has quit IRC17:32
*** _cjones_ has quit IRC17:36
*** iamjarvo has joined #openstack-keystone17:37
*** _cjones_ has joined #openstack-keystone17:37
*** iamjarvo has quit IRC17:37
*** iamjarvo has joined #openstack-keystone17:38
*** timcline has joined #openstack-keystone17:40
*** spandhe has joined #openstack-keystone17:41
*** spandhe has quit IRC17:41
*** spandhe has joined #openstack-keystone17:42
*** htruta has quit IRC17:49
*** stevedroid has joined #openstack-keystone17:51
stevedroidtopol, fyi my isp seems down17:52
stevedroidEven the connection through data is slow17:52
ayoungmorganfainberg, so, I'd like to get https://review.openstack.org/#/c/142573/  through, and I don't think rewriting the object model like access info at this late stage is the right way to go17:54
ayoungthis has been heavily enough reviewed that it should be OK as is, but I don't want to do a +2a when you have a -1 on it17:54
openstackgerritRodrigo Duarte proposed openstack/keystone: Change project name constraint  https://review.openstack.org/15837217:55
morganfainbergayoung: I'm inclined to say push it to liberty17:55
ayoungmorganfainberg, I think it is too valuable17:55
ayoungmorganfainberg, I thought this functionality was already in the product.  Without it, we are building something very limited17:56
morganfainbergThen make it clear what is going on in the code. It is not clear in code, tests, fixtures, etc. we had at least 3 cores ask "what is going on here"17:56
ayoungI wish I had realized earlier.  I would have put more time into this than the access info17:56
rodrigodsmorganfainberg, what about adding a clear comment?17:57
morganfainbergayoung: frankly I think this is too late to wedge it in.17:57
morganfainbergOr ask for an ffe and do it post k317:57
ayoungThat was what I was asking Yesterday.  Does it need a FFE.  And the strict answer is "yes if it lands after..."17:58
morganfainbergYep.17:58
*** henrynash has joined #openstack-keystone17:58
*** ChanServ sets mode: +v henrynash17:58
morganfainbergBut not if it lands before.17:58
ayoungwhat is the cut off17:58
ayoung?17:58
morganfainbergNext week.17:59
morganfainbergK317:59
samueldmqamakarov, hi ... sorry I was away17:59
ayoungLet's discuss at the end of the meeting17:59
amakarovsamueldmq, np17:59
*** krykowski has quit IRC18:00
bretonfellas, it's meeting time18:01
*** tsufiev_ has quit IRC18:07
*** tsufiev_ has joined #openstack-keystone18:16
iamjarvowhat exactly is the public id used for?18:16
*** gyee has joined #openstack-keystone18:17
*** ChanServ sets mode: +v gyee18:17
*** karimb has quit IRC18:24
*** dimsum__ is now known as dims18:27
*** straycat has joined #openstack-keystone18:33
straycatHello18:33
straycatI've been setting up swift and got an odd message in the log: 'Auth Token confirmed use of v3.0 apis', this confuses me since I've not set up any v3 endpoint for keystone.18:35
straycatI've been setting up swift and got an odd message in the log: 'Auth Token confirmed use of v3.0 apis', this confuses me since I've not set up any v3 endpoint for keystone.18:35
straycatsorry :/18:35
*** _cjones_ has quit IRC18:38
bretonstraycat: everyone is on the meeting now18:38
bretonyou should wait for ~30 minutes18:39
straycatbreton, Okay thanks18:39
*** stevemar has joined #openstack-keystone18:41
*** ChanServ sets mode: +v stevemar18:41
iamjarvoif you are using ldap how do you then sign up users? i am trying to figure out the matching of id_mapping and user in the mysql identity database18:42
iamjarvoshould public_id in id_mapping match id in user?18:43
*** stevedroid has quit IRC18:43
*** henrynash has quit IRC18:44
*** henrynash has joined #openstack-keystone18:44
*** ChanServ sets mode: +v henrynash18:44
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Fix time issue in AccessInfo test  https://review.openstack.org/16312818:44
*** panbalag has quit IRC18:45
*** panbalag has joined #openstack-keystone18:45
*** zzzeek has quit IRC18:48
*** zzzeek has joined #openstack-keystone18:53
*** _cjones_ has joined #openstack-keystone18:54
openstackgerrithenry-nash proposed openstack/keystone-specs: Mark the domain-config API as experimental  https://review.openstack.org/16248419:00
ayoungjamielennox, did you see what I did with times in my accessinfo change?19:01
jamielennoxayoung: not recently19:01
dstanekwhat's the verdict on naming?19:01
*** markvoelker_ has quit IRC19:01
ayoungah...yours makes sense...I thought it was more expansive19:01
ayoungjamielennox, just that I am trying to make a class that encapsulates time handling19:01
dolphmiamjarvo: public ID of what? as opposed to a private ID, or...?19:01
ayoungbut I'm not doing the windows etc stuff19:02
ayoung"expires soon"19:02
ayoungso, disregard19:02
dolphmstraycat: keystone's default paste configuration deploys v3 - you don't have to add it to your catalog like other services do. auth_token does the discovery work automatically19:02
jamielennoxayoung: i'm still not convinced it should be a client side change, as opposed to some sort of keystone-common19:02
ayoungjamielennox, you are not wrong19:03
dolphmiamjarvo: ah, that public_id, missed your other messages. normally you'd add your users directly to LDAP and just auth them through keystone19:03
dolphmiamjarvo: there's no additional registration process19:03
ayoungjust that to get there is a lot more overhead, and the primary consumer is client, so I think making it work in client first and then splitting the repo is the right approach19:03
henrynashbknudson: fyi, I updated https://review.openstack.org/#/c/159675/ to respond to your comments19:03
jamielennoxayoung: morganfainberg and i were talking the other day about declaring better interfaces for drivers etc and starting to split some stuff out, i think it would belong there19:04
ayoungjamielennox, if the code is not run against all of the client tests, we miss the majority of the logic19:04
dolphmiamjarvo: henrynash can probably answer more detailed questions if you have any19:04
bknudsonhenrynash: thanks! it's on my list.19:04
henrynashbknudson: thx19:04
henrynashiamjarvo: anything I can help with?19:04
ayoungjamielennox, I also don't think that server, client, and common should be in three different git repos, but Python forces that upon us19:04
* dolphm list of release blockers is updating again! https://gist.github.com/dolph/651c6a1748f69637abd019:04
dolphmpoke me if there's something missing19:04
openstackgerritMerged openstack/python-keystoneclient: token signing support alternative message digest  https://review.openstack.org/11737219:05
jamielennoxayoung: client and server i do, common is more debatable19:05
dolphmi'm working now to add reviews that release blocking reviews are dependent on as well19:05
*** amakarov is now known as amakarov_away19:05
ayoungjamielennox, anyway, I am not going to drive splitting out common.  I'll support you if you want to, though.19:05
jamielennoxbknudson: can i have a hack exemption on https://review.openstack.org/#/c/161962/ ?19:06
jamielennoxbknudson: we've got the ksc change that will come through but given the swift issue can we release with that and roll over to the client code as it makes g-r?19:06
*** rushiagr is now known as rushiagr_away19:07
bknudsonjamielennox: y, I looked at this yesterday and I'm ok with the hack there... I think you explained it well enough.19:07
jamielennoxbknudson: cool, i think the plan was to get this in and release today19:08
henrynashjamielennox: here’s my proposal for the json home approach (updated with the removal of disabled since the meeting): https://review.openstack.org/#/c/162484/19:08
bknudsonjamielennox: not sure if I'll have time to review today due to meetings, it's on my list.19:08
dolphmmorganfainberg: need to use #agree more often, that's handy: http://eavesdrop.openstack.org/meetings/keystone/2015/keystone.2015-03-10-18.03.html19:08
dstanekmorganfainberg: rodrigods: ayoung: i'm not sure what a good object representation would look like since the really is an ordered set of data19:08
bknudsonjamielennox: but I'm also fine with the hack for now and switching over to ksc when it's ready.19:08
dstanekforgot the link: https://review.openstack.org/#/c/142573/19:08
jamielennoxbknudson: you've seen it before though and are happy with the general idea if other people pass it19:08
bknudsonjamielennox: yes.19:09
jamielennoxhenrynash: are there client side libraries for dealing with jsonhome? when i looked when it was first proposed i found i'd probably be writing my own19:09
henrynashjamielennox: a good question…to which I don’t know the answer…bknudson?19:10
jamielennoxhenrynash: if that hints block is standard (i assume it is) then i'm ok with that19:10
*** iamjarvo has quit IRC19:10
jamielennoxhenrynash: and i was wondering if whatever we use to parse it would know how to deal with hints19:10
henrynashjamielennox: yes, hints block with a status property is standard19:10
bknudsonI don't know about any JSON Home library either.19:10
bknudsonhere's our chance to make one.19:11
henrynashjamielennox: well. let me rephrase my answer: “it’s in the spec”…..:-)19:11
jamielennoxbknudson: yep, i don't mind that19:11
jamielennoxhenrynash: cool - that works for me then19:11
samueldmqhenrynash, just a quick question regarding domain-specific configs ...19:13
henrynashsamueldmq: sure19:14
samueldmqhenrynash, there we can set allow_user_update, etc ... for each config, right?19:14
henrynashsamueldmq: yes19:14
samueldmq(ldap in this case)19:14
samueldmqhenrynash, ok so one more advantage of your implementation is that you can query the keystone api to know whether a ldap is read-only/read-write19:15
*** rushiagr_away is now known as rushiagr19:15
henrynashsamueldmq: indeed19:15
samueldmqhenrynash, and then horizon (supporting multiple domains) could present the user the write operations (update, delete, create) of users, for example, just for domains that support it19:15
henrynashsamueldmq: right19:16
samueldmqhenrynash, oh! that's great19:16
samueldmqhenrynash, thanks!19:16
*** henrynash has quit IRC19:17
*** haneef has quit IRC19:19
*** haneef has joined #openstack-keystone19:20
*** iamjarvo has joined #openstack-keystone19:24
rodrigodsdstanek, a list containing tuples?19:25
iamjarvohenrynash so the workflow with ldap is add them to ldap then when they auth through horizon all the needed info will be added? would the roles and project get added to ldap?19:25
iamjarvoroles, projects and domain19:26
dstanekrodrigods: i don't think that is any clearer - i think the real issue is that the intent is hidden19:26
morganfainbergdstanek, ++19:27
dstaneki think the list-of-lists data structure would be fine if something else around that code changed19:27
rodrigodsdstanek, maybe we can always treat as a list of lists19:27
morganfainbergdstanek, if it was always a list of lists, not a list of lists-and-string-and-other-stuff19:27
dstanekrodrigods: i'll take a quick crack at it19:27
morganfainbergand it was clear what was expected19:28
morganfainbergrodrigods, ^19:28
jamielennoxmorganfainberg: bknudson's ok with the ksm hack around for now if you would like to re-review and we can get it out today19:36
*** rushiagr is now known as rushiagr_away19:36
morganfainbergjamielennox, cool19:36
jamielennoxhttps://review.openstack.org/#/c/161962/19:36
morganfainbergjamielennox, will do19:36
jamielennoxor anyone watching please check ^19:37
*** vishy has joined #openstack-keystone19:38
*** Qlawy has quit IRC19:40
*** Qlawy has joined #openstack-keystone19:40
*** iamjarvo has quit IRC19:46
dolphmdstanek: how would you enumerate all tests in keystone without running any of them?19:49
breton# !!! - UNDER NO CIRCUMSTANCES COPY ANY OF THIS CODE - !!!19:49
bretonwut19:49
morganfainbergbreton, people have a tendency to see code in ksc and copy it in their own application19:49
*** Tahmina has joined #openstack-keystone19:49
morganfainbergbreton, thinking it is a "good idea"™19:49
dolphmbreton: instead of just calling keystoneclient19:50
morganfainbergdolphm, subunit --list ?19:50
stevemardolphm, there's a line that does that...19:50
dolphmmorganfainberg: that probably needs a "instead, you should ..."19:50
bknudsonmight want to put a FIXME comment in there.19:50
bknudsonhopefully it won't be there for long.19:50
stevemardolphm, https://github.com/openstack/oslotest/blob/master/tools/oslo_debug_helper#L3019:50
*** dims has quit IRC19:51
jamielennoxbknudson: there's a FIXME there as well19:51
*** gokrokve has joined #openstack-keystone19:51
bknudsongreat.19:51
dstanekdolphm: stevemar: yeah, testtools discovery is what i use19:51
dstanekdolphm: stevemar: it won't run them, but it will import them19:52
dolphmdstanek: importing might be okay19:52
dolphmideally i want a plaintext list of like "package.path.to.module:Class.test_name"19:53
*** iamjarvo has joined #openstack-keystone19:55
*** iamjarvo has quit IRC19:55
*** iamjarvo has joined #openstack-keystone19:56
*** iamjarvo has quit IRC19:56
dolphmmorganfainberg: python -m subunut.run --list ? that outputs a bunch of binary along with test names?19:56
dolphmsubunit*19:57
morganfainberguhm. maybe it was a testtool thing19:57
dstaneksubunit emits the subunit protocol19:57
dolphmdstanek: how do you use testtools for that without running tests?19:57
*** iamjarvo has joined #openstack-keystone19:57
dolphmdstanek: that makes sense19:57
*** aix has quit IRC19:57
dstanekdolphm: .tox/py27/bin/python -m testtools.run discover -t ./ keystone/tests/unit --list19:57
morganfainbergdstanek, that!19:57
morganfainberg:)19:57
dolphmdstanek: perfect!19:57
stevemarisn't that what i linked?19:57
straycatdolphm, Ahh, how can I go about disabling that?19:58
straycatI tried obvious options but they all crashed keystone19:58
stevemari swear that's what i linked :)19:58
dolphmstraycat: i don't know why you would want to do that, but you just need to edit your paste config for keystone and basically remove /v3 from the final composition19:59
dolphmcompositions* (there's two)19:59
morganfainbergstraycat, what are you trying to accomplish19:59
morganfainberg?19:59
straycatdolphm, I'm just curious really, I should be able to specify the api in the swift config if I want19:59
dolphmstraycat: you can explicitly tell auth_token to use v2, but i forget the config option20:00
dolphmstraycat: api_version or something?20:00
straycatauth_version i think?20:00
dolphmstraycat: ++20:00
dolphmand auth_version='v2.0' is probably the magic value for v2-only20:01
*** dims has joined #openstack-keystone20:01
*** topol has quit IRC20:01
straycatcool20:02
rodrigodsjamielennox, noticed you are going through kc reviews :)20:04
rodrigodsjamielennox, please take a look in https://review.openstack.org/#/c/150078/ whenever you have a chance20:04
jamielennoxrodrigods: it's been on my looming list, i look at it occasionally and change my mind each time20:04
*** iamjarvo has quit IRC20:04
jamielennoxi feel like the python side of the API could be nicer, i just don't know what it should be20:05
*** thedodd has quit IRC20:06
rodrigodsjamielennox, makes sense... but we'd need to change the behavior of the subtree_as_list... that is already merged20:06
jamielennoxrodrigods: on client?20:07
rodrigodsjamielennox, yes20:07
jamielennoxoh - ok, well that might change my opinion20:07
dolphmdstanek: thank you sir! i'm now running every test in keystone in isolation 100 times to hunt for transient failures :)20:07
rodrigodsjamielennox, see https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v3/projects.py#L10720:07
openstackgerritMerged openstack/keystone: Fix seconds since epoch use in fernet tokens  https://review.openstack.org/16248920:08
dolphmjorge_munoz: ^20:09
lbragstaddolphm: sweet, do you think we should rebase the chain on that?20:09
jorge_munozdolphm: cool20:09
dolphmlbragstad: yeah, one sec20:09
lbragstaddolphm: I'm seeing a weird case with federated tokens...20:09
openstackgerritMerged openstack/keystone: Remove unused checkout_vendor  https://review.openstack.org/16248320:09
dolphmlbragstad: actually, need to wait for https://review.openstack.org/#/c/161876/ to land20:10
lbragstaddolphm: ok20:11
dolphm... which got yanked out of the gate :( and is now sitting in check queue for 3h 45 min20:11
lbragstad:/20:11
dolphmpost queue looks broken too20:11
lbragstaddolphm: so I'm curious if what I'm experiencing with validating federation tokens is because of bknudson's change20:12
dolphmmorganfainberg: any insight as to why the gate is getting increasingly sad today?20:12
*** Qlawy has quit IRC20:12
*** thedodd has joined #openstack-keystone20:12
morganfainbergdolphm: nope. Can look once I'm done with lunch.20:12
dolphmlbragstad: you're not seeing a failure in test_tampered_encrypted_token_throws_exception() are you?20:13
lbragstaddolphm: I don't think so20:13
lbragstadI'm seeing failures on validating tokens20:13
lbragstadhttps://github.com/openstack/keystone/blob/master/keystone/token/provider.py#L29620:13
dolphmlbragstad: that has about a 7% chance of transient failure :)20:13
openstackgerritIan Cordasco proposed openstack/oslo.policy: Publicize oslo_policy.opts.register  https://review.openstack.org/16316320:13
dolphmlbragstad: you're probably getting a bad expiry unless your system clock is in UTC?20:14
lbragstaddolphm: for some reason, with federated tokens, (current_time < expiry) is always False20:14
lbragstadcould be20:14
dolphmlbragstad: yeah, try setting your system clock to UTC or setting the token expiration to a day or so20:14
lbragstaddolphm: this is with the federation tests,20:14
lbragstaddolphm: our tests use the default expiration time, I think?20:15
dolphmlbragstad: which is short enough to run into UTC vs local time bugs20:15
lbragstadok20:15
dolphmlbragstad: increase the default token lifespan in keystone.common.config and see if tests start passing20:15
dolphmlbragstad: what do you get when you run $ date on your system?20:16
lbragstadTue Mar 10 15:16:40 CDT 201520:16
bknudsontry date -u20:17
*** henrynash has joined #openstack-keystone20:17
*** ChanServ sets mode: +v henrynash20:17
dolphmbknudson: i was just wondering if his system time was UTC20:18
dolphmbknudson: i don't see those problems on my dev box because it's in UTC :-/20:18
dolphmso bad timezone conversions never matter20:18
bknudsonif I was setting up a cloud system I'd use utc.20:18
bknudsonthere's no timezones in the cloud20:19
* dolphm today's #PROTIP ^20:19
*** Qlawy has joined #openstack-keystone20:19
*** Qlawy has quit IRC20:19
*** Qlawy has joined #openstack-keystone20:19
dolphmbknudson: that's like saying you don't care about the local weather forecast because it's sunny in geneva ;)20:21
henrynashayoung: hi…on the tests for domain config - see my reply to your concern - there are two other tests already added which I *think* do what you are suggesting….but let me know if I am misunderstanding what you are after20:22
henrynashayoung: https://review.openstack.org/#/c/159675/20:22
*** thedodd has quit IRC20:23
bknudson    /opt/stack/keystone/.tox/py27/local/lib/python2.7/site-packages/cryptography/hazmat/backends/openssl/dsa.py:177: PendingDeprecationWarning: The DSAPublicKeyWithNumbers interface has been renamed to DSAPublicKeyWithSerialization20:23
lbragstaddolphm: tried suggestion one http://cdn.pasteraw.com/e03rk7rhqpz2p5z0yio08lxk203u6xv20:24
*** chrisshattuck has joined #openstack-keystone20:24
dolphmlbragstad: 7200 seconds is only 2 hours20:24
dolphmlbragstad: not long enough to account for CDT!20:25
* lbragstad goes bigger!20:25
dolphmlbragstad: try 8640020:25
bknudsonI'm starting to see all sorts of test failures ... AttributeError: 'exceptions.AttributeError' object has no attribute 'with_traceback'20:26
bknudson    AttributeError: 'SkipTest' object has no attribute 'with_traceback'20:27
bknudsonanybody else see these?20:27
bretonbknudson: on tox -e py27?20:30
bknudsonbreton: yes, on keystone20:30
bretonI'll try now20:30
*** joesavak has joined #openstack-keystone20:31
*** samueldmq_ has joined #openstack-keystone20:31
dolphmbknudson: i'm trying too, with -r20:33
bknudsonpip freeze first then can diff it.20:33
*** jsavak has quit IRC20:33
dolphmbknudson: too late :(20:33
bknudsonI think there was a note in -dev today from lifeless...20:33
bretonpkg_resources.DistributionNotFound: virtualenv>=1.11.220:34
bretonbreton@breton-pc:~/src/keystone$ pip freeze | grep virtu20:34
bretonvirtualenv==12.0.720:34
bknudsonnot pointing fingers or jumping to conclusions or anything!!!20:34
bretonwtf20:34
*** jsavak has joined #openstack-keystone20:34
bknudsonyou're in worse shape than me.20:34
*** iamjarvo has joined #openstack-keystone20:34
*** radez is now known as radez_g0n320:35
*** joesavak has quit IRC20:36
dolphmbknudson: i see those failures20:37
bknudson:(20:38
dolphmbknudson: 7 fails20:38
bknudsonFAILED (id=214, failures=7, skips=1220)20:38
bknudson(and, rm -r .testrepository)20:38
dolphmbknudson: stuff like this http://cdn.pasteraw.com/8wc90sw9lh8zdkg3zi8uk13yg1310pj20:39
dolphmbknudson: testtools 1.7.0 release today https://pypi.python.org/pypi/testtools20:40
straycatlittle confused by, the default domain id in keystone.conf seems to be 'default' so shouldn't the tokens contain 'default' as the id? ( proxy-server[17222]: Inconsistent project domain id: None in token vs default in account metadata. )20:41
straycat*by this,20:41
dolphmbknudson: i'm running again with testtools != 1.7.020:41
bknudson.tox/py27/bin/pip install -U "testtools<1.7.0"20:41
bknudson(worked for me)20:41
dolphmstraycat: v2 tokens don't have domains, they're just assumed to be in the default domain, but i'm also not sure what is producing that error or why exactly20:42
*** boris-42 has quit IRC20:42
dolphmstraycat: did you override auth_token with v2?20:42
straycatdolphm, tbf no, since disabling in the keystone-paste.ini worked. I'll try overriding auth_token with v220:43
dolphmstraycat: last i talked to them, swift was looking to perform a live migration to v3-based identity information. i wonder if some of your data was migrated, and your override back to v2 isn't providing the data it needs to perform proper policy checks?20:44
dolphmstraycat: the discovery mechanism will use v2 if that's all that's available, and it sounds like that's working. overriding it to v2 without re-enabling v3 on the server shouldn't have any additional effect20:44
*** pnavarro has quit IRC20:44
straycathrm20:45
*** pnavarro has joined #openstack-keystone20:45
dolphmbknudson: i tried setting it in test-requirements.txt and using tox -r, but ended up with 1.7.0 installed anyway?!20:47
dolphmbknudson: just appended ,!=1.7.020:47
dolphmtrying again after moving it to the end of the file, in case something else deps on it too20:47
straycatdolphm, yeah i tried it anyway and it didn't make a difference :)20:48
openstackgerritDavid Stanek proposed openstack/keystone: this is a test to prove broken behavior is possible  https://review.openstack.org/16317220:49
dstanekmorganfainberg, rodrigods, ayoung, stevemar, marekd: does this prove that append vs. extend has bugs or am i doing something wrong? ^20:51
dolphmbknudson: no luck for me. i'm happy to blame testtools 1.7.0 though :)20:51
bknudsondolphm: posted change to g-r: https://review.openstack.org/#/c/163173/20:52
openstackgerritMerged openstack/python-keystoneclient: Creating parameter to list inherited role assignments  https://review.openstack.org/11730020:53
dolphmbknudson: i'm guessing we need to fix keystone to adapt20:54
dolphmbknudson: those look like intentional public API changes20:54
bknudsonreally?20:54
bknudsoninteresting...20:54
dolphmbknudson: but i +1'd because we're probably not the only project affected20:54
*** iamjarvo has quit IRC20:55
openstackgerritMerged openstack/keystone: Prevent calling waitall() inside a GreenPool's greenthread  https://review.openstack.org/16072020:55
*** iamjarvo has joined #openstack-keystone20:57
*** raildo is now known as raildo_away21:04
bknudsondolphm: I guess there was something wrong with the wheel on pypi.21:09
bknudsonmissing part.21:09
*** jsavak has quit IRC21:12
ayoungdstanek, I have no clue.21:13
*** iamjarvo has quit IRC21:14
ayoungdstanek, what am I looking at ?21:14
dstanekayoung: i'm guessing a boxy looking thing that's glowing21:15
dstanekayoung: if one of the fields (in my test case Thing) has multiple values it throws off the indexing21:16
ayoungah21:16
ayoungdstanek, the boxy looking thing saw ViewSonic.  Where do I find Sonic?  Isn't he a hedgehog?21:16
*** Tahmina has quit IRC21:17
lbragstaddolphm: ok, so I have a working federation commit21:18
dolphmlbragstad: =D21:19
*** thedodd has joined #openstack-keystone21:20
lbragstaddolphm: I'm about to push for review21:20
dolphmlbragstad: --no-rebase =D21:20
lbragstaddolphm: just double checking I can push a new version, and not destroy other changes21:20
dolphmlbragstad: 161876 is in the gate, so you can make sure that the git sha matches what's gating21:21
dolphmlbragstad: in case you accidentally rebased during dev or whatever21:21
dolphmlbragstad: it's when you upload a different git sha in the same branch in the same project to gerrit for the same Change-Id that zuul plucks the change out of the gate and resets everything21:22
dolphmlbragstad: hence the "Are you sure you really want to upload all this?" prompt that git-review shows you, with SHAs21:22
lbragstaddolphm: so, double checking, if I do a git review -d 161380;21:22
dolphmlbragstad: that'll give you what's gating21:22
*** boris-42 has joined #openstack-keystone21:22
lbragstadgit stash pop; git commit -a;21:22
dolphmoh that's your change, nevermind21:23
lbragstadgit review --no-rebase -y21:23
dolphmskip the -y21:23
henrynashayoung: see my response to your comment on https://review.openstack.org/#/c/159675/ - I think the two other tests are doing what you want….but let me know if not21:23
ayounghenrynash, looking21:24
dolphmlbragstad: and make sure that the git SHA for "Refactor: make Fernet token creation/validation API agnostic" is one of the existing changesets on https://review.openstack.org/#/c/162338/21:24
dolphm(which is your change's immediate parent)21:24
ayounghenrynash, the one below doesn't set or check  CONF.identity.domain_configurations_from_database21:24
ayoungbut...21:24
henrynashayoung: yes it does, line 11721:25
dolphmbknudson: robert collins just posted a fix for you on -dev21:25
ayoungwhy so it does...my browser search failed me!21:26
henrynashayoung: :-)21:26
lbragstaddolphm: looks good21:26
lbragstad2489970 Refactor: make Fernet token creation/validation API agnostic21:26
henrynashayoung: and the one in test_backend_ldap does this with a reload of all the drivers as well21:26
ayounghenrynash, so...looks good, but I would have named the res variable something different21:27
ayoungsomething like "base" versus "overload"21:27
*** stevemar has quit IRC21:27
henrynashayoung: fair comment21:27
ayoungor ...  something...I see what you are doing, though21:27
*** stevemar has joined #openstack-keystone21:27
*** ChanServ sets mode: +v stevemar21:27
lbragstaddolphm: matches the parent ID as listed here https://review.openstack.org/#/c/161380/21:28
ayounghenrynash, tests should be written so that it is "actual, expected"  do I read these that way?21:28
ayoungI think you have them reversed, is that correct?21:28
lbragstaddolphm: ahhh, nevermind... my patch (https://review.openstack.org/#/c/161380/) points to patch set 5 of https://review.openstack.org/#/c/162338/21:29
dolphmlbragstad: now just hit the Rebase button on your patch21:30
henrynashAre you sure it's that way round? I thought it was the other way round!!!21:30
dolphmlbragstad: oh upload it first, it's okay if it's outdated21:30
openstackgerritLance Bragstad proposed openstack/keystone: Federated token formatter  https://review.openstack.org/16138021:30
ayounghenrynash, +2A21:30
lbragstaddolphm: Rebase button won't work because of a conflict21:30
henrynashayoung: thx21:31
dolphmlbragstad: okay so from where you're at on your machine...21:31
dolphmlbragstad: git log -n 121:31
dolphmlbragstad: take note of your *own* commit SHA, assuming you've committed everything as you would have liked to upload it21:31
henrynashayoung: but is it really meant to be (actual, expected)?21:31
ayounghenrynash, yep21:31
dolphmlbragstad: then git review -d 162338 (your commit's parent)21:31
ayounghenrynash, I know, tripped me up, too21:31
dolphmlbragstad: then cherry pick yourself back on top: git cherry-pick <the commit sha you just noted>21:32
dolphmlbragstad: the cherry pick will fail, you can fix it, then git cherry-pick --continue && git review --no-rebase21:32
henrynashayoung: i’ll do a follow up patch to clean it up21:33
ayounghenrynash, confirm it first.  Remember: I lie.  I make things up.21:34
ayoungBut I'm pretty sure it is actual expected.  Let me see if I can find the code21:34
lbragstaddolphm: cool, that seems to resolve the conflict, just confirming before I push http://cdn.pasteraw.com/4mgm6y2ellir06erwny29xu5bcj1mml21:36
*** samueldmq has quit IRC21:36
*** samueldmq_ is now known as samueldmq21:37
lbragstaddolphm: parent ids match, so that looks good.21:38
dolphmlbragstad: looks good to me!21:39
openstackgerritLance Bragstad proposed openstack/keystone: Federated token formatter  https://review.openstack.org/16138021:40
*** mattfarina has quit IRC21:40
*** chlong has joined #openstack-keystone21:40
ayounghenrynash, I'm wrong21:46
ayounghttp://testtools.readthedocs.org/en/latest/api.html21:46
ayoungat least according to the docs I am wrong21:47
bknudsonjamielennox: was confused by the test changes in https://review.openstack.org/#/c/161962/21:50
henrynashayoung: I did *think* it was the other way round…but I often struggle to remember!21:50
ayounghenrynash, I've learned never to trust me on what I think code says21:51
openstackgerritBrant Knudson proposed openstack/keystone: Remove unused threads argument  https://review.openstack.org/16247521:51
*** iamjarvo has joined #openstack-keystone21:57
*** sigmavirus24 is now known as sigmavirus24_awa22:00
* morganfainberg is back from lunch22:00
morganfainbergand phone calls22:00
*** bknudson has quit IRC22:04
*** chlong has quit IRC22:07
*** tsufiev_ has quit IRC22:14
*** breton has quit IRC22:17
*** trey has quit IRC22:24
*** trey has joined #openstack-keystone22:26
*** iamjarvo has quit IRC22:26
openstackgerritMerged openstack/python-keystoneclient: Fix time issue in AccessInfo test  https://review.openstack.org/16312822:26
*** pnavarro has quit IRC22:26
*** iamjarvo has joined #openstack-keystone22:31
*** henrynash has quit IRC22:34
*** thedodd has quit IRC22:34
*** tsufiev_ has joined #openstack-keystone22:36
*** timcline_ has joined #openstack-keystone22:40
*** timcline_ has quit IRC22:41
*** david8hu has quit IRC22:41
*** timcline has quit IRC22:42
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Allow loading auth plugins via overrides  https://review.openstack.org/16196222:45
*** ayoung has quit IRC22:46
*** david8hu has joined #openstack-keystone22:50
*** _cjones_ has quit IRC23:05
*** _cjones_ has joined #openstack-keystone23:15
*** tsufiev_ has quit IRC23:16
*** tsufiev_ has joined #openstack-keystone23:21
*** iamjarvo has quit IRC23:24
*** iamjarvo has joined #openstack-keystone23:27
*** iamjarvo has quit IRC23:27
*** tsufiev_ has quit IRC23:27
*** iamjarvo has joined #openstack-keystone23:27
*** jorge_munoz has quit IRC23:29
morganfainbergjamielennox, ping23:29
morganfainbergjamielennox, re https://review.openstack.org/#/c/161962/23:29
morganfainbergjamielennox, a couple of in-line comments before upgrade to +2.23:29
*** jorge_munoz has joined #openstack-keystone23:29
*** breton has joined #openstack-keystone23:31
*** david-lyle is now known as david-lyle_afk23:33
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Allow loading auth plugins via overrides  https://review.openstack.org/16196223:37
*** amerine has joined #openstack-keystone23:37
morganfainbergjamielennox, +2, thanks23:39
jamielennoxmorganfainberg: np - let's get that merged and released23:39
morganfainbergjamielennox, ++ that's why i pinged ya as soon as i reviewed23:40
jamielennoxmorganfainberg: brant's not here - but he's ok with us passing it in his absence23:40
* morganfainberg looks at the list of +v people...23:40
morganfainbergi pick....23:40
morganfainbergstevemar!23:40
jamielennoxhaha - that was my guess too23:41
morganfainbergstevemar, ^ should be an easy review so we can solve a real issue for swift in KSM [and do a release this week]23:41
morganfainbergstevemar, i'd like to get that gating tonight so i can release tomorrow. if it doesn't release tomorrow we're on hold until next week.23:41
morganfainbergjamielennox, if another +2 lands on it, feel free to +A once check passes.23:42
morganfainbergjamielennox, i'll release early [my time] tomorrow if possible. if not possible tomorrow, monday of next week is the next shot23:42
lhchengstevemar: what should be the value of remote_id when configuring keystone for oidc?23:43
jamielennoxmarekd: https://review.openstack.org/161962 have a look at this please23:44
samueldmqjamielennox, what would be the override pattern you talk about in the docstring in there ? ^23:45
*** ayoung has joined #openstack-keystone23:46
*** ChanServ sets mode: +v ayoung23:46
*** tsufiev_ has joined #openstack-keystone23:46
*** david8hu has quit IRC23:51
*** gordc has quit IRC23:51
jamielennoxsamueldmq: we always allowed people to specify options in the CONF and in a dictionary that is passed to __init__23:53
jamielennoxthe dict is generally made up of options that are from the paste pipeline23:54
jamielennoxits parameter name is conf though which is really confusing23:54
*** chlong has joined #openstack-keystone23:54
jamielennoxso i call it that the passed in conf dict is the overrides of the global CONF object because that's how _conf_get treats them23:54
samueldmqjamielennox, so the past conf overrides the confs from the CONF23:55
*** gyee has quit IRC23:55
samueldmqah ok23:56
jamielennoxsamueldmq: even i had to read that sentence a couple of times23:56
jamielennoxyes23:56
*** david8hu has joined #openstack-keystone23:59
