Wednesday, 2015-03-25

*** spandhe has quit IRC00:07
stevemarmorganfainberg, meh, not worth the effort00:10
*** markvoelker has joined #openstack-keystone00:25
dstanekstevemar: most things aren't00:27
*** bknudson has joined #openstack-keystone00:30
*** ChanServ sets mode: +v bknudson00:30
*** trey has quit IRC00:33
*** trey has joined #openstack-keystone00:35
*** mattfarina has quit IRC00:36
*** zzzeek has quit IRC00:41
*** browne has quit IRC00:46
*** gyee has quit IRC00:48
*** _cjones_ has quit IRC00:55
*** gokrokve has quit IRC01:11
*** lhcheng has quit IRC01:18
openstackgerritDavanum Srinivas (dims) proposed openstack/keystone: WIP: Randomize the memcache urls
openstackgerritBrant Knudson proposed openstack/keystone: Remove parent_id in v2 tenant response
*** diegows has quit IRC01:25
openstackgerritBrant Knudson proposed openstack/keystone: Update sample config file.
*** ayoung has joined #openstack-keystone01:30
*** ChanServ sets mode: +v ayoung01:30
*** mattfarina has joined #openstack-keystone01:36
*** browne has joined #openstack-keystone01:37
*** stevemar has quit IRC01:46
*** dims has quit IRC01:47
*** erkules_ has joined #openstack-keystone02:13
*** erkules has quit IRC02:15
*** spandhe has joined #openstack-keystone02:16
*** harlowja is now known as harlowja_away02:17
*** spandhe_ has joined #openstack-keystone02:20
*** spandhe has quit IRC02:21
*** spandhe_ is now known as spandhe02:21
openstackgerritMerged openstack/keystone: create _member_ role as specified in CONF
openstackgerritMerged openstack/keystone: Remove parent_id in v2 token response
*** thedodd has joined #openstack-keystone02:28
*** _cjones_ has joined #openstack-keystone02:29
*** _cjones_ has quit IRC02:29
*** _cjones_ has joined #openstack-keystone02:30
*** _cjones_ has quit IRC02:30
*** _cjones_ has joined #openstack-keystone02:31
*** richm has quit IRC02:38
*** haneef_ has joined #openstack-keystone02:40
*** r-daneel has quit IRC02:41
*** thedodd has quit IRC02:47
*** samueldmq has joined #openstack-keystone03:01
*** tqtran has quit IRC03:04
openstackgerritayoung proposed openstack/keystone-specs: Template for testing document
*** jonxml has joined #openstack-keystone03:08
*** jonxml has quit IRC03:08
*** samueldmq has quit IRC03:14
*** cburgess has quit IRC03:28
*** cburgess has joined #openstack-keystone03:28
*** sigmavirus24 is now known as sigmavirus24_awa03:36
openstackgerritDave Chen proposed openstack/keystone: Don't add unformatted project-specific endpoints to catalog
*** csd has quit IRC03:51
*** csd has joined #openstack-keystone03:59
*** yasu_ has joined #openstack-keystone03:59
*** yasu_ has quit IRC04:03
*** krtaylor has quit IRC04:05
*** krtaylor has joined #openstack-keystone04:08
*** stevemar has joined #openstack-keystone04:17
*** ChanServ sets mode: +v stevemar04:17
*** lhcheng has joined #openstack-keystone04:18
*** lhcheng has quit IRC04:23
stevemarjamielennox, ping04:41
*** rushiagr_away is now known as rushiagr04:44
openstackgerritSteve Martinelli proposed openstack/keystone: Update sample config file
*** drjones has joined #openstack-keystone05:05
openstackgerritSteve Martinelli proposed openstack/keystone: Update install.rst for Fedora
*** _cjones_ has quit IRC05:08
*** spandhe has quit IRC05:23
jamielennoxstevemar: kindof05:24
stevemarjamielennox, oh nice05:24
stevemarjamielennox, well, i'll leave my question open ended on the cache review05:24
jamielennoxstevemar: that was me replying to the ping - i haven't seen the comment05:24
stevemarjamielennox, yeah, no worries they were in regards to the same thing05:25
stevemarinstead of asking you on irc i will ask there05:25
jamielennoxso just to note, the other thing that really needs to be serialized for OSC is the version discovery logic05:25
jamielennoxi'm torn between whether i should expose that from the session, give like a get_state() function that you can serialize manually05:26
jamielennoxor use something like05:26
jamielennoxwhich is what i think pip uses05:26
stevemarthe latter sounds tried and true05:27
jamielennoxbut it comes with an inbuilt file cache handler, i just don't know what you should/could cache of auth-ed requests05:27
jamielennoxbut i guess it means we could start putting actual http cache headers in and expecting them to be used05:28
*** drjones has quit IRC05:38
*** _cjones_ has joined #openstack-keystone05:38
*** drjones has joined #openstack-keystone05:39
openstackgerritSteve Martinelli proposed openstack/keystone: Document websso setup
*** _cjones_ has quit IRC05:43
jamielennoxstevemar: oh, also seems to be working well, i'll see how the approach goes with websso stuff tomorrow05:47
*** jamielennox is now known as jamielennox|away05:49
morganfainbergstevemar, ping05:50
stevemarjamielennox, i think tqtran and lhcheng are lookin at that05:50
stevemarmorganfainberg, whats up05:50
*** lhcheng has joined #openstack-keystone05:50
*** ishant has joined #openstack-keystone05:52
*** dims has joined #openstack-keystone05:54
*** markvoelker has quit IRC06:17
openstackgerritSteve Martinelli proposed openstack/keystone: Rename notification for create/delete grants
*** dims has quit IRC06:28
*** markvoelker has joined #openstack-keystone06:47
*** markvoelker has quit IRC06:52
*** afazekas is now known as __afazekas07:01
morganfainbergayoung, ever want a vector version of the Keystone logo?
morganfainbergor well .svg at least07:03
*** drjones has quit IRC07:05
*** browne has quit IRC07:14
*** henrynash has joined #openstack-keystone07:16
*** ChanServ sets mode: +v henrynash07:16
*** stevemar has quit IRC07:17
bretonkeystone has logo?07:27
morganfainbergbreton, it's an oooooold logo back from when termie made keystone lite07:27
morganfainbergbreton, :)07:27
*** afazekas has joined #openstack-keystone07:32
*** markvoelker has joined #openstack-keystone07:48
*** Bsony has joined #openstack-keystone07:50
*** chlong has quit IRC07:52
*** markvoelker has quit IRC07:53
marekdmorganfainberg: we should made a spec for Keystone logo08:06
*** dims has joined #openstack-keystone08:13
*** lhcheng is now known as lhcheng_afk08:26
*** jistr has joined #openstack-keystone08:38
*** dims has quit IRC08:45
*** markvoelker has joined #openstack-keystone08:49
*** Bsony_ has joined #openstack-keystone08:51
*** pnavarro has joined #openstack-keystone08:54
*** markvoelker has quit IRC08:54
*** Bsony has quit IRC08:54
*** Bsony_ has quit IRC09:22
*** lhcheng_afk has quit IRC09:31
openstackgerritDave Chen proposed openstack/keystone: Let "region" be effective both in the testcase and API
*** davechen has joined #openstack-keystone09:37
*** ajayaa has joined #openstack-keystone09:40
*** dims has joined #openstack-keystone09:43
*** dims_ has joined #openstack-keystone09:46
openstackgerritDave Chen proposed openstack/keystone: Let "region" be effective both in the testcase and API
*** markvoelker has joined #openstack-keystone09:50
*** dims has quit IRC09:50
*** davechen has left #openstack-keystone09:52
*** markvoelker has quit IRC09:54
openstackgerritrajiv proposed openstack/python-keystoneclient: Now keystone enables listing of user by name
*** henrynash has quit IRC10:33
*** bknudson has quit IRC10:33
*** erkules_ is now known as erkules10:36
*** erkules has joined #openstack-keystone10:36
*** krykowski has joined #openstack-keystone10:38
openstackgerritMerged openstack/keystone: Update sample config file
*** Bsony has joined #openstack-keystone10:48
*** Tahmina has joined #openstack-keystone10:48
*** samueldmq-away is now known as samueldmq-10:49
*** samueldmq- is now known as samueldmq10:49
samueldmqmorganfainberg, marekd  ++ keystone logo o/10:50
samueldmqmarekd, hello, good morning :)10:50
*** markvoelker has joined #openstack-keystone10:50
marekdsamueldmq: good morning :-)10:51
*** markvoelker has quit IRC10:55
*** henrynash has joined #openstack-keystone11:05
*** ChanServ sets mode: +v henrynash11:05
marekdhenrynash: Hi. Do  you know if we are still allowed to +A patches like this one: ?11:06
marekdmorganfainberg: ^^11:10
*** henrynash has quit IRC11:12
*** bdossant has joined #openstack-keystone11:16
*** bdossant has quit IRC11:21
*** henrynash has joined #openstack-keystone11:23
*** ChanServ sets mode: +v henrynash11:23
marekdhenrynash: Hi. Do  you know if we are still allowed to +A patches like this one:  ?11:44
*** Tahmina has quit IRC11:47
*** chlong has joined #openstack-keystone11:50
*** markvoelker has joined #openstack-keystone11:51
henrynashmarekd: I think so……I don’t believe there is any reason not to...11:51
*** markvoelker has quit IRC11:56
*** openstackgerrit has quit IRC12:06
*** openstackgerrit has joined #openstack-keystone12:06
*** henrynash has quit IRC12:06
*** dims_ has quit IRC12:07
*** jaosorior has joined #openstack-keystone12:08
*** dims has joined #openstack-keystone12:08
*** markvoelker has joined #openstack-keystone12:09
*** amakarov_away is now known as amakarov12:10
*** richm has joined #openstack-keystone12:12
*** ajayaa has quit IRC12:14
*** rushiagr is now known as rushiagr_away12:20
*** junhongl_ has joined #openstack-keystone12:20
*** ajayaa has joined #openstack-keystone12:26
*** gordc has joined #openstack-keystone12:34
*** Bsony has quit IRC12:50
*** bknudson has joined #openstack-keystone12:51
*** ChanServ sets mode: +v bknudson12:51
openstackgerritMerged openstack/keystone: Update install.rst for Fedora
*** Bsony has joined #openstack-keystone12:56
*** rwsu has quit IRC12:56
openstackgerritHenrique Truta proposed openstack/python-keystoneclient: Inherited role domain calls on keystoneclient v3
*** Bsony has quit IRC13:16
*** ishant has quit IRC13:18
*** Bsony has joined #openstack-keystone13:21
*** joesavak has joined #openstack-keystone13:21
*** gabriel-bezerra has joined #openstack-keystone13:26
openstackgerritBrant Knudson proposed openstack/keystone: Document mapping of policy action to operation
*** joesavak has quit IRC13:27
*** Bsony has quit IRC13:29
*** ajayaa has quit IRC13:30
openstackgerritBrant Knudson proposed openstack/keystone: Update access control configuration in httpd config
*** krtaylor has quit IRC13:35
*** rushiagr_away is now known as rushiagr13:35
*** openstackgerrit has quit IRC13:36
*** openstackgerrit has joined #openstack-keystone13:36
*** angular_mike has joined #openstack-keystone13:37
*** Bsony has joined #openstack-keystone13:38
*** kodoku has joined #openstack-keystone13:38
rodrigodsmarekd, hey, is there a change to add the /saml2/ecp endpoint?13:39
kodokuHi, I have just a question : What is the role of valid column in token table in keystone database ?13:39
marekdrodrigods: what do you mean ?13:39
bknudsonkodoku: if the token has been revoked then valid is false.13:39
rodrigodsmarekd, a new endpoint is being added here:
marekdrodrigods: there is this...13:41
kodokubknudson: ok So what is the variable in keystone.conf for increase time to revoke because i have issue with glance and in my database I see : id: bbe8a562d4644565b7d245660ad12847 |     valid: 0 |  expired: 2015-03-29 14:51:28 |13:41
rodrigodsmarekd, yep, an API spec update is needed (and should merge prior to this change)13:41
*** krtaylor has joined #openstack-keystone13:41
rodrigodsmarekd, is there a change for it?13:41
*** diegows has joined #openstack-keystone13:41
marekdrodrigods: rodrigods ah, i don't think so.13:42
marekdgo ahead :-)13:42
bknudsonkodoku: tokens are revoked due to a change in password or changing roles for the user or by being explicitly deleted... there's no time to revoke.13:42
kodokubknudson hummmm, It's admin user and I have never change his password13:44
kodokubknudson: I have this bug :
openstackLaunchpad bug 1407592 in OpenStack Compute (nova) "Snapshots fail to upload larger (~30G+) images, with error '500 Internal Server Error Failed to upload image'" [Undecided,Incomplete]13:44
bknudsonkodoku: as I mentioned, there are other reasons a token can be revoked.13:44
rodrigodsmarekd, ok13:45
*** r-daneel has joined #openstack-keystone13:45
kodokubknudson: ok so maybe you have an idea for this revoke ? because I make just a snapshot in horizon and I have always this bug if snapshot is long....13:46
*** sigmavirus24_awa is now known as sigmavirus2413:47
marekdmaybe token expire ?13:48
kodokubknudson: ok I see in keystone log "DELETE /v2.0/tokens/dae5335b53a8409285c0b42801a650d6 HTTP/1.1" 204 103 0.027625"13:48
kodokumarekd token have 5 days of live13:49
*** krtaylor has left #openstack-keystone13:50
kodokuWhy my token is delete O_o13:50
openstackgerritBoris Bobrov proposed openstack/keystone: Deprecate memcache as token persistence backend
kodokubknudson No ideas ?13:55
bknudsonkodoku: the only way for that to happen is for somebody to issue a DELETE /v2.0/tokens/dae5335b53a8409285c0b42801a650d613:55
bknudsonwhen somebody does that then the token is revoked.13:56
bknudsonkeystone doesn't have any control over this.13:56
kodokubknudson: I am the only one to use my platform and I don't use api...13:57
*** pnavarro has quit IRC13:57
kodokumaybe a glance bug ?13:58
bknudsonI don't know glance.14:01
*** Ephur has quit IRC14:03
*** Ephur has joined #openstack-keystone14:05
*** uschreiber_ has joined #openstack-keystone14:08
dstanekkodoku: is there a user agent string in your log?14:09
*** Ephur has quit IRC14:10
bknudsonoooh we should log the user agent.14:11
bknudsontruncated in case they send us a long string.14:12
*** henrynash has joined #openstack-keystone14:12
*** ChanServ sets mode: +v henrynash14:12
*** Ephur has joined #openstack-keystone14:13
kodokudstanek no user agent id14:13
bknudsonthere's a cross-project spec for request ID14:14
kodoku2015-03-25 14:09:32.072 19136 INFO eventlet.wsgi.server [-] - - [25/Mar/2015 14:09:32] "DELETE /v2.0/tokens/dae5335b53a8409285c0b42801a650d6 HTTP/1.1" 204 103 0.02762514:14
bknudsonwhich if the applications log that too then you'd know where it came from14:14
kodoku10.121.141.41 is my horizon ip14:15
kodokuSo horizon delete my token ?14:15
dstanekkodoku: looks like it14:16
*** browne has joined #openstack-keystone14:16
kodokudstanek I try snap with glance python client for test14:16
*** atiwari has joined #openstack-keystone14:17
*** timcline has joined #openstack-keystone14:21
*** Bsony has quit IRC14:22
bknudsonwe've had complaints in the past where someone did something (boot an instance for example) and then delete the token (since they think they're done with it), and then the boot fails14:27
bknudsonapplications (such as nova) shouldn't forward the user's token on.14:28
bknudsonthey should create a trust or we should provide an easy way for a service to get a token from a token that doesn't get revoked.14:29
kodokudstanek bknudson ok when I sign out of horizon, my token is delete !!!14:29
kodokuSo when I sign out of horizon and if my snapshot is in progress, snap failed !14:30
openstackgerritHenrique Truta proposed openstack/python-keystoneclient: Inhrerit roles project calls on keystoneclient v3
*** rushiagr is now known as rushiagr_away14:42
*** carlosmarin has joined #openstack-keystone14:44
*** rushiagr_away is now known as rushiagr14:45
openstackgerritRodrigo Duarte proposed openstack/keystone-specs: Endpoint to generate ECP assertions
rodrigodsmarekd, ^14:49
*** samueldmq_ has joined #openstack-keystone14:49
*** atiwari has quit IRC14:51
marekdrodrigods: is the exampple of ECP wrapper assertion generated by Keystone ?14:59
ayoungSo If I do a keystone token-get from the command line and the user does not have a default project set in the user table, I still get back a tenant_id value.  How'd we pull that one off?15:02
*** browne has quit IRC15:04
ayoungah...env vars..right15:06
*** henrynash has quit IRC15:07
*** openstackgerrit has quit IRC15:08
*** openstackgerrit has joined #openstack-keystone15:09
*** uschreiber_ has quit IRC15:09
*** _cjones_ has joined #openstack-keystone15:19
*** _cjones_ has quit IRC15:20
ayoung$ keystone user-role-list15:21
ayoungWARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).15:21
ayoungUnknown Attribute: auth_tenant_id15:21
ayoungwhat did we do there...15:22
bretonfolks, what do you think of ?15:23
ayoungbreton, no.  It is useful.  I'd just put in a recommendation that people not use it at all.15:26
ayoungbreton, If we get fernet tokens to take off, we can go ephemeral everywhere, and get rid of all the token backends15:26
ayoungI won't argue the relative merits of memcache versus memcache pool, as I would not run with either of them without revocation events.15:27
bretonayoung: but it's totally non-ha. If one of memcache instances dies, the whole cloud becomes slow15:29
*** stevemar has joined #openstack-keystone15:29
*** ChanServ sets mode: +v stevemar15:29
ayoungbreton, we don't just desing for HA.  We have many people running mini-deployments all in one15:29
bretonisn't it the the concept of cloud that we can lose a node and keep everything running as before?15:30
ayoungremoving it would cause more churn than leaving it.15:30
ayoungbreton, the surest way to find out who uses a feature that you would never use yourself is threaten to remove it.  Then find oput who yells when you break things15:31
bretonayoung: the problem is not that no one uses it. The problem is that it's a ticking bomb. And if people rely on it and think "well, it supports multiple memcache hosts, what can go wrong?" it's going to explode on them15:32
*** samueldmq_ has quit IRC15:33
*** kodoku has quit IRC15:35
bretonmemcache_pool lacks this problem. In fact, it solves multiple problems of memcache driver, including the one linked to the review.15:38
*** thedodd has joined #openstack-keystone15:41
ayoungbreton, that is fine, and I am not saying we should not promote the memcache pool, just that deprecating the memcache driver is not worth the effort.15:44
*** richm has quit IRC15:44
*** _cjones_ has joined #openstack-keystone15:45
*** _cjones_ has quit IRC15:45
*** _cjones_ has joined #openstack-keystone15:46
ayoungGAH...we don't make it possible to find out if default project is set on a user  using the serivce token?15:48
*** richm has joined #openstack-keystone15:48
*** gokrokve has joined #openstack-keystone15:51
*** rwsu has joined #openstack-keystone15:53
*** Bsony has joined #openstack-keystone15:56
ayoungThat might be more trouble than it is worth15:59
*** Bsony has quit IRC16:02
*** richm has quit IRC16:03
*** richm has joined #openstack-keystone16:04
*** lhcheng_afk has joined #openstack-keystone16:09
openstackgerritDavid Charles Kennedy proposed openstack/keystone: Restore name to services listed in catalog
*** pnavarro has joined #openstack-keystone16:16
*** lhcheng_afk is now known as lhcheng16:19
*** chlong has quit IRC16:22
haneefrodrigods: is your k2k federation setup work with current master?16:24
stevemarhaneef, i think gyee tried it out recently a few days ago16:26
haneefNot with current master, as for as I know. I can ask him16:26
gabriel-bezerrahaneef: you mean his blog post?16:26
haneefI thought he had is vm intact. I'm getting this error:
openstackLaunchpad bug 1436141 in Keystone "Federation get unscoped token from assertion throws : ERROR tuple index out of range" [Undecided,New]16:27
stevemarseems to crap out at: local_mapping local: {u'name': u'{0}'}16:30
stevemardstanek, can you take a look at the bug? ^16:30
*** krykowski has quit IRC16:31
*** browne has joined #openstack-keystone16:31
stevemarhaneef, i think the mapping is off16:31
haneefCan you explain it bit? Is that a configuration?16:32
*** chlong has joined #openstack-keystone16:33
stevemarhaneef, i commented on the patch, a different mapping, try that one out16:35
stevemarhaneef, the one in rodrigods blog might be incorrect16:36
marekdhaneef: i think this is your problem.16:37
openstackLaunchpad bug 1401057 in Keystone "Direct mapping in mapping rules don't work with keywords" [Undecided,In progress] - Assigned to Marek Denis (marek-denis)16:37
marekdhaneef: a remote rule that has some keyword like 'any_one_of' 'not_any_of' cannot pass value to the direct mapping ({0} in local rule)16:37
haneefThanks stevemar: I will try it tonight and get back to you. It is in my home setup16:37
stevemarhaneef, cool, it should work, i hope16:38
marekdstevemar: haneef it should.16:38
stevemarrodrigods, can you update your blog's mapping? maybe put up a new patch to our docs that gives a valid sample, and point your blog to the official mapping in the docs? it'll keep us from getting defects :)16:39
*** chlong has quit IRC16:39
rodrigodshaneef, no...16:40
rodrigodsstevemar, I've updated it recently, not using {0} anymore16:40
openstackgerritayoung proposed openstack/python-keystoneclient: remove auth_ prefix
*** gokrokve_ has joined #openstack-keystone16:40
rodrigodsmarekd, yes, the example is generated by keystone16:40
marekdrodrigods: ok16:40
openstackgerritCyril Roelandt proposed openstack/python-keystoneclient: Prevent a UnicodeDecodeError in the s3token middleware
ayoungnkinder, ^^  I think that is going to be important for troubleshooting keystone.  We might want to carry that in RDO etc for Juno and Icehouse16:41
rodrigodshaneef, the blog post should work only for the Juno version of K2K16:42
rodrigodshaneef, planning to write a new one to address the changes from Kilo16:43
*** gokrokve has quit IRC16:43
haneefmarekd:  One more question, In  Shibblobath configuration,   it works if I   add SP entityId in Application defaults, but If I use  Appplication override+applicationId setting, it doesn't.  Any idea?16:43
marekdnot at the first glance.16:44
ayoungdtroyer, , does the common CLI support keystone operations using the SERVICE_TOKEN?16:48
ayoungah --os-token maybe16:49
*** gyee has joined #openstack-keystone16:49
*** ChanServ sets mode: +v gyee16:49
stevemarayoung, it sure does16:49
dtroyerayoung: yup, —os-token and —os-url (not auth-url)16:50
ayoungstevemar, so I have people using Juno and Icehouse for deployments.  Can we cound on the versions of the common CLI for troubleshooting those?16:50
stevemarayoung, depends on what is installed by the distro16:51
ayoungdtroyer, thanks...need to figure out the library dependency issues to use that to troubleshoot Juno deployments;  I don;t think people can update a Juno deployment use a modern CLI16:51
ayoungstevemar, nah,  it is distro irrelevent.  You ugrade one thing, and it pulls in an ugraded oslo lib, you;ve gone and corrupted the whole deployment16:51
ayoungyou can't mix and match...but you can run the client on a different machine than you have deployed on, and I think that is the advice I will dole out16:52
ayoungstevemar, Trying to write a troubleshooting guide:
ayoungits hard to think Juno when my head is in Liberty16:53
stevemarayoung, # mysql; use keystone; select * from assignments; :P16:54
stevemardtroyer, getting funky results when using admin token for OSC16:54
stevemari suggest we all look at:
stevemarOS manuals patch for using Kilo, lots of updates16:56
*** jistr has quit IRC16:58
*** tqtran has joined #openstack-keystone17:04
*** henrynash has joined #openstack-keystone17:07
*** ChanServ sets mode: +v henrynash17:07
ayoungstevemar, I have a whole section on doing unspeakable things at the database level17:10
ayoungOr should I call you Sneaky McPeterson?17:10
*** gokrokve_ has quit IRC17:15
*** amakarov is now known as amakarov_away17:18
*** harlowja_away is now known as harlowja17:18
stevemardolphm, ping17:19
stevemardolphm, your LP skills are better than mine, can you target to just Juno and not kilo?17:20
openstackLaunchpad bug 1395959 in Keystone "assignment table migration fails for keystone-manage db_sync if duplicate entry exists" [Undecided,In progress] - Assigned to Will Foster (wfoster-b)17:20
*** tqtran is now known as tqtran_afk17:20
ayoungstevemar, I'm going to make that a blog post17:21
stevemarayoung, excellent17:22
stevemari like blog posts17:22
stevemarsamueldmq, is this bug resolved?
openstackLaunchpad bug 1409201 in Keystone " Typos in configuration.rst" [Low,In progress] - Assigned to Samuel de Medeiros Queiroz (samueldmq)17:23
dstanekmorganfainberg: is that long list of bugs in the release-blocking reviews all real blockers?17:31
morganfainbergdstanek, but i didn't star any of them17:31
morganfainbergso i have no control over them17:31
morganfainbergdstanek, the BP ones are the important ones17:32
morganfainbergdstanek, after that use the rc-1 milestone17:32
samueldmqstevemar, yes it is17:33
samueldmqstevemar, sorry, that's happened again, forgot to close it17:33
samueldmqraildo, I saw your 069 script updated the FK constraint of domain_id property on Project table17:35
samueldmqraildo, make use you do the same for user and group17:35
*** henrynash has quit IRC17:51
*** henrynash has joined #openstack-keystone17:52
*** ChanServ sets mode: +v henrynash17:52
*** lhcheng has quit IRC17:54
*** gokrokve has joined #openstack-keystone18:00
*** lhcheng has joined #openstack-keystone18:00
*** browne has quit IRC18:05
*** browne has joined #openstack-keystone18:05
*** gokrokve has quit IRC18:06
*** stevemar has quit IRC18:06
*** stevemar2 has joined #openstack-keystone18:06
*** ChanServ sets mode: +v stevemar218:06
*** j_king has quit IRC18:08
*** gokrokve has joined #openstack-keystone18:09
*** lhcheng has quit IRC18:17
*** afazekas has quit IRC18:19
*** pnavarro has quit IRC18:22
raildosamueldmq, the Fk for user and group was removed here:
raildosamueldmq, and I'm removing the Fk for project in the previous patch18:24
raildosamueldmq, so, there is not any other FK for  domain table.18:25
*** j_king has joined #openstack-keystone18:31
samueldmqraildo, k18:40
*** stevemar2 has quit IRC18:44
*** stevemar2 has joined #openstack-keystone18:45
*** ChanServ sets mode: +v stevemar218:45
*** thedodd has quit IRC18:48
*** thedodd has joined #openstack-keystone18:49
morganfainbergstevemar2, updated for juno not master18:50
openstackLaunchpad bug 1395959 in Keystone juno "assignment table migration fails for keystone-manage db_sync if duplicate entry exists" [Undecided,New]18:50
stevemar2morganfainberg, thx dude18:51
stevemar2ah, i thought that was how it was done, looks like i did it right the first time18:51
morganfainbergstevemar2, also that imposter is in the channel again18:51
morganfainbergstevemar2, "target to series" and then mark the main bug invalid, but not the series bug18:52
stevemar2gorram reavers!18:52
*** krtaylor has joined #openstack-keystone18:52
stevemar2trying to further triage the RC bugs18:52
*** thedodd has quit IRC18:54
*** lhcheng has joined #openstack-keystone18:55
*** lhcheng_ has joined #openstack-keystone18:56
*** lhcheng has quit IRC18:56
*** Bsony has joined #openstack-keystone18:59
*** thedodd has joined #openstack-keystone19:02
*** harlowja is now known as harlowja_away19:02
*** rushiagr is now known as rushiagr_away19:03
stevemar2lbragstad, can you revisit i think we can close out that bug :)19:06
openstackgerritSteve Martinelli proposed openstack/keystone: region.description is optional and can be null
* morganfainberg is doing a mass eviction of bugs from rc-1 milestone19:07
morganfainbergthis doesn't mean the bug can't land, it means it is not a release blocker19:08
openstackgerritSteve Martinelli proposed openstack/keystone: Loosen the validation schema used for trustee/trustor ids
stevemar2lbragstad, dstanek take a look at: should be a no-brainer19:17
dstanekstevemar2: did you ping us because we can't be trusted to do the hard reviews?19:18
stevemar2dstanek, obviously19:18
stevemar2dstanek, because you are alive and breathing, i saw you type before19:18
stevemar2i need live bodies for reviews19:18
*** zzzeek has joined #openstack-keystone19:19
morganfainbergok RC1 milestone is now paired down to just the blockers19:19
rodrigodsmorganfainberg, we have a critical bug of HMT:
openstackLaunchpad bug 1434916 in Keystone "GET /v3/projects/project_id with parents_as_list or subtree_as_list option is leaking extra data" [Undecided,In progress] - Assigned to Samuel de Medeiros Queiroz (samueldmq)19:20
dstanekstevemar2: am i blind? what uses _add_self_ref....?19:20
rodrigodsmorganfainberg, leaking information in subtree_as_list and parents_as_list calls19:20
dstanekah, it's overriding a base class method19:21
stevemar2lhcheng_, ping19:23
lhcheng_stevemar2: pong19:24
stevemar2lhcheng_, commented on the bug!19:24
stevemar2lhcheng_, i started last night, but i wasn't sure if i liked it19:24
*** thedodd has quit IRC19:25
openstackgerritSteve Martinelli proposed openstack/keystone: use tokens returned by delete_tokens to invalidate cache
lhcheng_stevemar2: oh didn't know you were already working on it.19:27
stevemar2lhcheng_, i was playing around, nothing serious19:27
stevemar2if you agree with the approach you can continue that patch, and i'll review it19:27
stevemar2or else start up another, i'll still review it, and abandon mine19:27
stevemar2there are a few ways we can solve this one19:28
*** stevemar2 has left #openstack-keystone19:32
*** stevemar2 has joined #openstack-keystone19:32
*** ChanServ sets mode: +v stevemar219:32
lhcheng_stevemar2: what other options do we have?19:33
*** thedodd has joined #openstack-keystone19:33
stevemar2lhcheng_, i'm not sure :)19:34
stevemar2send 2 notifications?19:34
stevemar2send a deprecation message in the payload19:34
stevemar2i dunno19:34
lhcheng_stevemar2: thinking about it more, thought at some point you tried to change the format in older patch. But then reverted back, due to we don't want to break backwards compatbility19:34
lhcheng_stevemar2: will get back to you in a bit, in a meeting.19:35
morganfainbergrodrigods, updated and tagged to RC119:36
stevemar2lhcheng_, right, but maybe that was being overly cautious ?19:36
morganfainberglbragstad, can you pair down your starred list to reflect only things here:
morganfainberglbragstad, the other things can land, but they aren't high priority/rc blockers19:37
*** harlowja_away is now known as harlowja19:38
*** thedodd has quit IRC19:39
rodrigodsmorganfainberg, thanks19:39
samueldmqlhcheng_, thanks for working on #143289219:40
*** lhcheng_ has quit IRC19:41
*** lhcheng has joined #openstack-keystone19:47
*** Tahmina has joined #openstack-keystone19:49
*** lhcheng has quit IRC19:51
*** lhcheng has joined #openstack-keystone19:52
*** lhcheng_ has joined #openstack-keystone19:55
*** carlosmarin has quit IRC19:56
*** browne has quit IRC19:58
*** lhcheng has quit IRC19:59
*** browne has joined #openstack-keystone20:02
*** angular_mike has quit IRC20:03
lbragstadmorganfainberg: yep20:06
*** Bsony has quit IRC20:06
openstackgerritSamuel de Medeiros Queiroz proposed openstack/python-keystoneclient: Fixes remaining oslo imports from namespace
samueldmqbknudson, ^20:08
*** lhcheng_ is now known as lhcheng20:12
samueldmqstevemar2, ping - saw your comment on #167778/20:12
samueldmqstevemar2, how does that oslo sync work?20:13
*** stevemar2 has quit IRC20:15
*** tqtran_afk is now known as tqtran20:16
*** browne has quit IRC20:26
*** browne has joined #openstack-keystone20:26
*** carlosmarin has joined #openstack-keystone20:27
*** gyee has quit IRC20:30
marekddstanek: any comment on ?20:31
dstanekmarekd: maybe, i'll take a look in a sec20:32
marekddstanek: apreciate20:32
haneefmarekd:   In the mapping, is it openstack_role or openstack_roles.20:33
rodrigodshaneef, _roles20:36
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Adds inherited column to RoleAssignment PK
marekdrodrigods: o, thanks.20:37
marekdi was grepping for that.20:37
samueldmqhenrynash, ^ you may be interested on this20:37
samueldmqhenrynash,  Adds inherited column to RoleAssignment PK
haneefrodrigods: Thanks. Let me check with openstack roles20:39
*** gokrokve has quit IRC20:39
*** gokrokve has joined #openstack-keystone20:40
*** Tahmina has quit IRC20:44
dstanekmarekd: i just commented. it seems bad that the models and migrations will be out of sync20:44
rodrigodshaneef, the assertion contains something like:
openstackgerritMerged openstack/keystone: add missing links for v3 OS-EC2 API response
*** gokrokve has quit IRC20:47
haneefYes. openstack_roles work.  steve gave which has openstack_role which caused the confusion20:47
*** gokrokve has joined #openstack-keystone20:48
*** henrynash has quit IRC20:53
openstackgerritMerged openstack/keystone: region.description is optional and can be null
*** henrynash has joined #openstack-keystone20:54
*** ChanServ sets mode: +v henrynash20:54
*** jaosorior has quit IRC21:02
*** Bsony has joined #openstack-keystone21:03
*** mattfarina has quit IRC21:07
marekddstanek: this whole patch is simply hard.21:11
marekdit cause so many problems.21:11
marekddstanek: do you have any alternatives?21:11
dstanekmarekd: i think it's just a matter of using SQL instead of the models to do the queries - looking for an example so i can add a comment about it21:18
*** lhcheng_ has joined #openstack-keystone21:29
*** lhcheng has quit IRC21:29
*** richm has quit IRC21:31
*** carlosmarin has quit IRC21:36
*** gokrokve has quit IRC21:45
*** samueldmq is now known as samueldmq-away21:48
*** lhcheng_ is now known as lhcheng21:49
*** dims has quit IRC21:50
morganfainbergmarekd, dstanek, the model should not be used for migration.21:51
morganfainbergthe model should reflect expected state when running the code21:51
*** dims has joined #openstack-keystone21:54
*** dims has quit IRC21:55
*** dims has joined #openstack-keystone21:55
dstanekmorganfainberg: yeah, i have a fix that uses table.c.column21:56
morganfainbergdstanek, ++21:56
dstanekbut i also don't like the fact that there is no specific test for the upgrade and that there is no downgrade21:56
dstanekand because there is no downgrade there is a hack in the shared code21:56
morganfainbergdowngrade should be skipped with a "we don't do downgrades"21:56
dstanekmorganfainberg: while i agree i really hate
morganfainbergdstanek, i have a fix for that actually.21:57
morganfainbergdstanek, it's way way way way way better than what we have21:57
morganfainbergdstanek, but it's a big change - i need to dig it up21:58
openstackgerritDavid Stanek proposed openstack/keystone: IdP ID registration and validation
morganfainbergdstanek, but i think you'll like it.21:58
*** iamjarvo has joined #openstack-keystone21:58
*** timcline has quit IRC21:58
bknudsonthere was a post to the -dev mailing list for neutron I think ... they deleted all the downgrades.21:58
dstanekmorganfainberg: my fix
morganfainbergbknudson, thats what we're going to do in liberty, but we can wedge in an upgrade right now that says "no downgrades"21:59
morganfainbergbknudson, mostly because i don't want to unwind all the code this close to RC21:59
morganfainbergbknudson, and accidentally lose coverage we may want.21:59
morganfainbergbknudson, i mean, thats me personally22:00
morganfainbergbknudson, wont say no if someone else wants to unwind that and remove all downgrades earlier22:00
morganfainbergprovided we don't break anything22:00
bknudsonI like deleting code.22:00
morganfainbergbknudson, i know you do22:00
morganfainbergbknudson, maybe i can dig up my fix and have it posted up for review tomorrow22:01
morganfainbergwould be easier with downgrades removed.22:01
bknudsonmost of our migrations are placeholders22:03
morganfainbergbknudson, yay for the collapses!22:03
dstanekwould anything break if we delete all of the downgrades and fix the test_sql_upgrade tests?22:04
bknudsondowngrades would break22:05
morganfainbergdstanek, starting to work on that now: steps - 1: clear message downgrades dont work when they are attempted, 2: delete downgrades and downgrade tests, 3: restructure upgrade test(ing)22:05
morganfainbergdstanek, i have a lot of this work done, will have it posted up later today22:06
openstackLaunchpad bug 1434103 in Magnum "SQL schema downgrades are no longer supported" [Undecided,New]22:06
dstanekmorganfainberg: sweet, looking forward to seeing the deletes22:06
morganfainbergdstanek, this likely can't land until liberty because of strings/translations - but we can have the code up for review22:07
morganfainbergdstanek, and land it as soon as we cut rc22:08
bknudsonwhat strings?22:08
*** jamielennox|away is now known as jamielennox22:08
bknudsondeleting strings shoud be fine22:08
morganfainbergbknudson, communication to the user why a downgrade fails22:08
morganfainbergnew strings22:08
morganfainbergwe want good UX22:08
morganfainbergor are new strings allowed?22:08
dstanekwe can just use an existing string like "An unknown error has occured" ;)22:08
bknudsonNot Found22:09
morganfainbergbknudson, LOL22:09
morganfainbergbknudson, "I'M A TEAPOT"22:09
dstaneknew strings are not allowed iirc22:09
bknudsonuser "downgrade" Not found22:09
morganfainbergoh wait we don't have that one yet22:09
bknudsonI don't know what the ux is for the neutron change, but they just deleted the migrations:
bknudson+42, -102422:10
morganfainbergbknudson, i have an idea how to do the UX.22:10
morganfainbergbknudson, so should be not too bad22:11
bknudson would be good.22:11
bknudsonor a picture of a paper shredder.22:12
morganfainbergdowngrade = sql.drop_database(keystone022:12
*** Bsony has quit IRC22:17
*** iamjarvo has quit IRC22:19
*** henrynash has quit IRC22:39
morganfainbergbknudson, dstanek, so far: 25 files changed, 44 insertions(+), 505 deletions(-)22:41
bknudsonlooking good.22:41
bknudsonthere was a note to -dev about yapf... I'm going to try it22:42
bknudsonit's slow22:42
morganfainbergnow:  42 files changed, 44 insertions(+), 662 deletions(-)22:44
morganfainbergi think thats all the migrations22:44
morganfainbergnow to see what i broke...22:44
dstaneki wonder how well that works. IME tools like that sometimes make things harder to read and then you need to have '# pragma: don't touch' lines all over the place22:45
bknudsonit causes tox -e pep8 to fail22:45
bknudsonit's got 80 chars rather than 7922:45
dstanekbknudson:  the new version of seems to be adding policy rules now instead of just commenting them22:47
dstanekdid you intend that?22:47
bknudsonthere have been a lot of merge conflicts.22:47
dstaneknm, viewing between the 10..11 was showing new lines, but they were introduced in the rebase22:48
dstanekany reason not to +a that one?22:49
bknudsonyou like making things difficult for operators and developers?22:49
bknudsonmaybe you're concerned it's going to slow keystone down?22:50
bknudsonor think it should go someplace else.22:50
dstanekyes, all three!22:50
bknudsonI'll probably propose it to the admin guide if I can figure out the xml22:50
dstaneki'm going to submit a patch to the JSON spec to allow comments22:50
dstaneknever get in, but at least i can feel better about myself22:51
morganfainbergdstanek, lol22:51
* morganfainberg checks if mordred is here.22:51
morganfainbergdstanek, we should use toml instead of json22:51
* morganfainberg continues about his day after trolling.22:52
* mordred throws cat at morganfainberg22:52
lhchengbreton: ping22:52
bknudsoncould use ini files.22:52
* mordred throws cat at bknudson22:53
morganfainbergbknudson, we should write our own DSL for this22:53
dstanekmorganfainberg: i'll have a spec written up; maybe i'll invent ksML22:53
bknudsonoh, that's what it is.22:53
*** gyee has joined #openstack-keystone22:54
*** ChanServ sets mode: +v gyee22:54
bknudsonwe need a python version of JSON.22:54
morganfainbergbknudson, PSON?22:54
morganfainbergbknudson, wouldn't that just be pickle?22:54
bknudsonsafer than that.22:54
morganfainbergyou should write PSON specification then22:54
dstaneksomething without python versioning issues22:54
morganfainbergand we should make it a standard.22:54
morganfainbergthat all things should use cause it'll unifiy things22:55
* morganfainberg keeps trying to make the XKCD joke.22:55
*** gordc has quit IRC22:55
morganfainbergbknudson, oh damn it22:56
morganfainbergsomeone beat us to PSON22:57
lhchengmorganfainberg: this seems already fixed:
openstackLaunchpad bug 1431842 in Keystone "GET /v3/auth/tokens without X-Subject-Token raises TypeError" [Medium,Triaged] - Assigned to Lin Hua Cheng (lin-hua-cheng)22:57
lhchengmorganfainberg: just tested it, I got an error: 401 -  "The request you have made requires authentication. (Disable debug mode to suppress these details.)"22:57
morganfainberglhcheng, is it broken/working in juno and icehouse as well?22:57
morganfainbergwell juno at least22:57
morganfainbergif so we should makr it as invalid or... dupe if we can find the duplicate22:58
lhchengmorganfainberg: just tested in master22:58
morganfainberglhcheng, lets confirm juno then makr it  as invalid22:58
morganfainbergif it's working22:58
morganfainberglhcheng, thanks!22:58
lhchengmorganfainberg: from the bug report, seems related to fernet changes. But it seems like lbragstad already fixed it somehow22:58
lhchengmorganfainberg: sure, will do22:58
*** markvoelker has quit IRC22:58
morganfainberglhcheng, you might not be able to mark invalid le tme know if you can't and i will22:59
lhchengmorganfainberg: yup, that options is available for me22:59
lhchengmorganfainberg: thanks22:59
bknudsonI told yapf the max line length and it still made lines too long... not ready for prime time.23:01
bknudsonit mostly just reformats the function arguments so they're all on separate lines.23:03
lhchengbknudson: thanks for the rebase on:   There are 2 +2s on it and gate passed, I think we can move it forward  :)23:05
lhchengbknudson: thanks!23:08
openstackgerritLance Bragstad proposed openstack/keystone: Cleanup Token Tests
*** chlong has joined #openstack-keystone23:10
openstackgerritLance Bragstad proposed openstack/keystone: Cleanup Token Tests
openstackgerritMorgan Fainberg proposed openstack/keystone: Remove SQL Downgrades
morganfainbergbknudson, dstanek, ^23:15
morganfainberg+58, -66423:16
bknudsonmorganfainberg: what's the ux?23:16
morganfainbergbknudson, changed the help string on keystone-manage and raise DBMigrationError23:17
morganfainbergLonger term we can make it even better23:17
morganfainbergor oslo.db will grow super powers23:17
morganfainberglikely the latter23:17
bknudsonthe spec said oslo.db would grow super powers.23:17
morganfainbergjust need to be careful not to suddenly break gate doing so23:18
morganfainbergso this is our starting place.23:18
bknudsonwith super powers comes super responsibility23:18
morganfainbergnext patch i'll propose a new way to test upgrades where it just walks up to max and each version it looks for a ._post_xx_migrate_test (like how nova does it)23:20
bknudsonthey tried to do that a long time ago and got -1d23:20
morganfainbergi think it's a better way to do it in general23:20
bknudsonbecause we said to put it in oslo or something.23:21
*** krtaylor has quit IRC23:21
morganfainbergyeah i think it'll make our migration tests cleaner, sow e should prob do it23:21
morganfainbergif it makes it's way into oslo... great.23:21
bknudsonput it in oslo?23:21
morganfainbergless for us to carry23:21
morganfainbergbut if it doesn't cleaner / easier to understand tests is a win23:21
bknudsonremoving downgrades definitely makes testing easier.23:22
morganfainbergbknudson, not sure where it should live.23:22
morganfainbergbknudson, ++ yes.23:22
morganfainbergbknudson, it also means upgrades don't need to do silly things like keep hints for downgrades around23:22
morganfainbergnot that we needed to do that, but cinder does23:22
morganfainbergand we were about to need to for domain -> is_domain(project)23:22
*** Bsony has joined #openstack-keystone23:23
openstackgerritMorgan Fainberg proposed openstack/keystone: Add relay_state_prefix to Service Provider
openstackgerritMorgan Fainberg proposed openstack/keystone: Add API to create ecp wrapped saml assertion
openstackgerritMorgan Fainberg proposed openstack/keystone: Add API to create ecp wrapped saml assertion
*** Bsony has quit IRC23:28
dstanekmorganfainberg: nice23:30
*** chlong has quit IRC23:37
*** chlong has joined #openstack-keystone23:37
morganfainbergbknudson, feel free to classify this, i don't have a DB2 environment to validate with23:42
openstackLaunchpad bug 1405726 in Keystone "getting scoped federation token fails when using db2" [Undecided,New]23:42
morganfainbergbknudson, classify/prioritise23:42
openstackgerritMerged openstack/keystone: Document mapping of policy action to operation
morganfainbergor bounce it.23:42
bknudsonI can take a look at it.23:42
morganfainbergbknudson, the '/rel/' links in our API docs are just placeholders right?23:44
morganfainbergnot expected to actually link to something useful23:44
bknudsonmorganfainberg: they're identifiers that happen to look like URLs23:44
morganfainbergah right23:45
bknudsonthey're not pointing to anything useful now.23:45
bknudsonalthough json home spec says it could provide some documentation23:45
*** markvoelker has joined #openstack-keystone23:47
*** markvoelker has quit IRC23:52
*** r-daneel has quit IRC23:52
bknudsonmorganfainberg: doesn't using distinct on a json object seem a little weird? (regarding ) -- whether you're db2 or not23:55
openstackLaunchpad bug 1405726 in Keystone "getting scoped federation token fails when using db2" [Undecided,New]23:55
morganfainbergbknudson, it does23:55
bknudsonsince it's not a canonical representation can't expect 2 values to be the same anyways.23:56
morganfainbergbknudson, then again... i hate the "extra" stuff anyway.23:56
morganfainbergwhich this is related to23:56
openstackgerritMerged openstack/keystone: Remove parent_id in v2 tenant response
bknudsonI would assume the extra junk isn't being used anyways.23:56
morganfainbergi'm happy to see this fixed to something better23:57
openstackgerritBrant Knudson proposed openstack/keystone: Fix sample policy to allow user to check own token

Generated by 2.14.0 by Marius Gedminas - find it at!