Monday, 2015-04-06

00:03 *** markvoelker has quit IRC
00:54 *** iamjarvo has joined #openstack-keystone
00:59 *** iamjarvo has quit IRC
01:00 *** markvoelker has joined #openstack-keystone
01:02 *** xianghui has quit IRC
01:04 *** xianghui has joined #openstack-keystone
01:04 *** markvoelker has quit IRC
01:11 *** bandwidth has quit IRC
01:15 *** diegows has quit IRC
01:42 *** erkules_ has joined #openstack-keystone
01:44 *** erkules has quit IRC
01:46 *** dimsum__ has quit IRC
01:53 *** lhcheng has joined #openstack-keystone
02:00 *** markvoelker has joined #openstack-keystone
02:01 *** archers has joined #openstack-keystone
02:05 *** markvoelker has quit IRC
<openstackgerrit> Boris Bobrov proposed openstack/keystone: Limit version of python-memcached
02:08 *** archers has quit IRC
02:46 *** dimsum__ has joined #openstack-keystone
02:52 *** dimsum__ has quit IRC
03:00 *** chlong has joined #openstack-keystone
03:01 *** markvoelker has joined #openstack-keystone
03:06 *** markvoelker has quit IRC
03:30 *** lhcheng has quit IRC
03:33 *** angular_mike has quit IRC
03:45 *** archers has joined #openstack-keystone
03:47 *** archers has quit IRC
03:50 *** iamjarvo has joined #openstack-keystone
03:50 *** iamjarvo has quit IRC
03:50 *** iamjarvo has joined #openstack-keystone
04:02 *** markvoelker has joined #openstack-keystone
04:07 *** iamjarvo has quit IRC
04:07 *** markvoelker has quit IRC
04:11 *** alexsyip has joined #openstack-keystone
<openstackgerrit> Steve Martinelli proposed openstack/keystone: WIP - Emit failure notifications for CADF audits events
04:31 *** lhcheng has joined #openstack-keystone
04:35 *** lhcheng has quit IRC
04:47 *** topol has quit IRC
05:03 *** markvoelker has joined #openstack-keystone
05:19 *** iamjarvo has joined #openstack-keystone
05:31 *** iamjarvo has quit IRC
05:32 *** lhcheng has joined #openstack-keystone
05:37 *** lhcheng has quit IRC
05:55 *** lhcheng has joined #openstack-keystone
06:20 *** alexsyip has quit IRC
06:21 *** henrynash has joined #openstack-keystone
06:21 *** ChanServ sets mode: +v henrynash
06:38 *** ParsectiX has joined #openstack-keystone
06:39 *** henrynash has quit IRC
06:43 *** ParsectiX has quit IRC
06:48 *** jamielennox|away is now known as jamielennox
06:55 *** ParsectiX has joined #openstack-keystone
07:04 *** markvoelker has quit IRC
<openstackgerrit> Merged openstack/python-keystoneclient: Make non-import packages lazy
08:03 *** markvoelker has joined #openstack-keystone
08:08 *** markvoelker has quit IRC
08:21 *** therve has quit IRC
08:54 *** chlong_ has joined #openstack-keystone
08:55 *** lhcheng has quit IRC
08:57 *** chlong has quit IRC
09:04 *** markvoelker has joined #openstack-keystone
09:08 *** markvoelker has quit IRC
09:11 *** lhcheng has joined #openstack-keystone
09:25 *** lhcheng has quit IRC
<openstackgerrit> Victor Sergeyev proposed openstack/keystone: Add server_default to relay_state_prefix in service_provider model
<openstackgerrit> Victor Sergeyev proposed openstack/keystone: Migrate_repo init version helper
<openstackgerrit> Victor Sergeyev proposed openstack/keystone: Share engine between migration helpers.
<openstackgerrit> Victor Sergeyev proposed openstack/keystone: Use metadata.create_all() to fill a test database
<openstackgerrit> Victor Sergeyev proposed openstack/keystone: Add index to the revocation_event.revoked_at.
<openstackgerrit> Victor Sergeyev proposed openstack/keystone: Comparision of database models and migrations.
<openstackgerrit> Victor Sergeyev proposed openstack/keystone: Fix index name the assignment.actor_id table.
09:56 *** dimsum__ has joined #openstack-keystone
10:04 *** markvoelker has joined #openstack-keystone
10:09 *** markvoelker has quit IRC
10:41 *** chlong_ has quit IRC
10:58 *** chlong_ has joined #openstack-keystone
11:03 *** ParsectiX has quit IRC
11:05 *** chlong_ has quit IRC
11:05 *** markvoelker has joined #openstack-keystone
11:10 *** markvoelker has quit IRC
11:18 *** diegows has joined #openstack-keystone
11:24 *** ajayaa has joined #openstack-keystone
11:24 *** chlong has joined #openstack-keystone
11:31 *** amakarov_away is now known as amakarov
11:39 -openstackstatus- NOTICE: gerrit has been restarted to restore event streaming. any change events missed by zuul (between 10:56 and 11:37 utc) will need to be rechecked or have new approval votes set
<breton> folks, I'd appreciate if someone set an importance to
11:44 <openstack> Launchpad bug 1440493 in Keystone "Crash with python-memcached==1.54" [Undecided,In progress] - Assigned to Boris Bobrov (bbobrov)
11:49 *** jamielennox is now known as jamielennox|away
11:53 *** diegows has quit IRC
12:03 *** raildo has joined #openstack-keystone
12:06 *** markvoelker has joined #openstack-keystone
12:06 *** htruta has joined #openstack-keystone
12:10 *** markvoelker has quit IRC
12:24 *** markvoelker has joined #openstack-keystone
12:25 *** dimsum__ has quit IRC
12:32 *** ayoung has joined #openstack-keystone
12:32 *** ChanServ sets mode: +v ayoung
<openstackgerrit> Dave Chen proposed openstack/keystone: Fix the typo in `token/providers/fernet/`
<openstackgerrit> Alexander Makarov proposed openstack/keystone: Make memcache client reusable across threads
<openstackgerrit> Alexander Makarov proposed openstack/keystone: Make memcache client reusable across threads
12:51 *** dimsum__ has joined #openstack-keystone
13:03 *** dimsum__ is now known as dims
13:04 *** straycat is now known as undeadcat
13:08 <dstanek> yay, no travel adapter needed for going to Canada!
13:08 <samueldmq> dstanek, nice! o/
13:13 *** rdo has quit IRC
13:15 *** rdo has joined #openstack-keystone
<raildo> dstanek, ping, Do you agree to catch a ProjectNotFound here, and raise a validationError?
<raildo> dstanek, and here too:
13:21 <amakarov> dstanek, greetings!
13:21 <amakarov> what would you suggest for ?
13:21 *** nkinder has quit IRC
13:33 <samueldmq> dolphm, looking at your keystone-deploy again ...
13:34 <samueldmq> dolphm, you set 'project' as project_term for v2 and 'tenant' for v3
13:35 <dstanek> raildo: yes, i think that's the right thing. if morganfainberg wants this bug then i'd be happy to +A
13:35 *** rdo has quit IRC
13:36 <raildo> dstanek, ok, thanks for the help :)
13:37 *** rdo has joined #openstack-keystone
13:37 *** ParsectiX has joined #openstack-keystone
13:40 <amakarov> dstanek, ping!
13:41 *** svasheka has joined #openstack-keystone
13:41 <dstanek> amakarov: pong
<amakarov> dstanek, I'm about my patch :) Do you have any suggestion?
13:43 <amakarov> the problem is that workaround won't work anymore. Another one needed
13:43 <dstanek> amakarov: hmm...let me see
13:43 <amakarov> dstanek, look at the bug description it solves
13:48 *** bknudson has joined #openstack-keystone
13:48 *** ChanServ sets mode: +v bknudson
13:51 *** ParsectiX has quit IRC
13:51 *** ParsectiX has joined #openstack-keystone
13:53 *** raildo has quit IRC
13:53 *** markvoelker has quit IRC
13:53 *** hogepodge has quit IRC
13:53 *** x58 has quit IRC
13:53 *** jamiec has quit IRC
13:53 *** xianghui has quit IRC
13:53 *** david-lyle has quit IRC
13:53 *** lsmola_ has quit IRC
13:53 *** toabctl has quit IRC
13:53 *** Qlawy has quit IRC
13:53 *** raginbajin has quit IRC
13:53 *** d0ugal has quit IRC
13:53 *** mkoderer has quit IRC
13:53 *** kibutzz has quit IRC
13:53 *** rharwood has quit IRC
13:53 *** dtroyer has quit IRC
13:53 *** hockeynut has quit IRC
13:53 *** krtaylor has quit IRC
13:53 *** mitz has quit IRC
13:53 *** mordred has quit IRC
13:53 *** cyeoh has quit IRC
13:53 *** mgagne has quit IRC
13:53 *** adam_g_out has quit IRC
13:53 *** comstud has quit IRC
13:53 *** lbragstad has quit IRC
13:53 *** gus has quit IRC
13:53 *** ekarlso has quit IRC
13:53 *** sudorandom has quit IRC
13:53 *** Trozz has quit IRC
13:53 *** dolphm has quit IRC
13:53 *** d34dh0r53 has quit IRC
13:53 *** dims has quit IRC
13:53 *** toddnni has quit IRC
13:53 *** gabriel-bezerra has quit IRC
13:53 *** sirushti has quit IRC
13:53 *** gothicmindfood has quit IRC
13:53 *** ajayaa has quit IRC
13:53 *** harlowja_away has quit IRC
13:53 *** trey has quit IRC
13:53 *** viktors has quit IRC
13:53 *** junhongl has quit IRC
13:54 *** raildo has joined #openstack-keystone
13:54 *** tellesnobrega has quit IRC
13:55 *** tellesnobrega has joined #openstack-keystone
13:55 *** dtroyer has joined #openstack-keystone
13:55 *** hockeynut has joined #openstack-keystone
13:55 *** krtaylor has joined #openstack-keystone
13:55 *** mitz has joined #openstack-keystone
13:55 *** mordred has joined #openstack-keystone
13:55 *** cyeoh has joined #openstack-keystone
13:55 *** mgagne has joined #openstack-keystone
13:55 *** adam_g_out has joined #openstack-keystone
13:55 *** lbragstad has joined #openstack-keystone
13:55 *** comstud has joined #openstack-keystone
13:55 *** gus has joined #openstack-keystone
13:55 *** ekarlso has joined #openstack-keystone
13:55 *** sudorandom has joined #openstack-keystone
13:55 *** Trozz has joined #openstack-keystone
13:55 *** dolphm has joined #openstack-keystone
13:55 *** d34dh0r53 has joined #openstack-keystone
13:55 *** sets mode: +o dolphm
13:56 *** dims has joined #openstack-keystone
13:56 *** toddnni has joined #openstack-keystone
13:56 *** sirushti has joined #openstack-keystone
13:56 *** gabriel-bezerra has joined #openstack-keystone
13:56 *** gothicmindfood has joined #openstack-keystone
13:57 *** edmondsw has joined #openstack-keystone
13:58 *** markvoelker has joined #openstack-keystone
13:58 *** hogepodge has joined #openstack-keystone
13:58 *** x58 has joined #openstack-keystone
13:58 *** jamiec has joined #openstack-keystone
13:58 *** richm has joined #openstack-keystone
13:58 *** xianghui has joined #openstack-keystone
13:58 *** david-lyle has joined #openstack-keystone
13:58 *** lsmola_ has joined #openstack-keystone
13:58 *** toabctl has joined #openstack-keystone
13:58 *** Qlawy has joined #openstack-keystone
13:58 *** raginbajin has joined #openstack-keystone
13:58 *** d0ugal has joined #openstack-keystone
13:58 *** mkoderer has joined #openstack-keystone
13:58 *** kibutzz has joined #openstack-keystone
13:58 *** rharwood has joined #openstack-keystone
13:58 *** ajayaa has joined #openstack-keystone
13:58 *** harlowja_away has joined #openstack-keystone
13:58 *** trey has joined #openstack-keystone
13:58 *** viktors has joined #openstack-keystone
13:58 *** junhongl has joined #openstack-keystone
14:00 *** markvoelker has quit IRC
14:00 *** hogepodge has quit IRC
14:00 *** x58 has quit IRC
14:00 *** jamiec has quit IRC
14:00 <dstanek> amakarov: i can't think of a way to do that right now - it may be that we have to re-implement the __init__ logic
14:01 *** markvoelker has joined #openstack-keystone
14:01 *** hogepodge has joined #openstack-keystone
14:01 *** x58 has joined #openstack-keystone
14:01 *** jamiec has joined #openstack-keystone
14:04 <amakarov> dstanek, tbh if we have reliable memcache pool we need our own memcache client :) Current pool handles memcache server failures very poorly.
14:05 <dstanek> amakarov: i think the plan is to actually get rid of the client in L
<amakarov> dstanek, +1 :) for example:
14:06 <dstanek> if people are using memcached for token, then they've already lost
14:07 <amakarov> dstanek, my patch solves the problem here and now: I admit it's not perfect but allows memcache to be used without version checking (!=1.54)
14:08 *** sigmavirus24_awa is now known as sigmavirus24
14:09 <amakarov> dstanek, what is your concern about my patch?
14:11 <dstanek> amakarov: your patch removes the hack
14:11 *** ParsectiX has quit IRC
14:12 <dstanek> amakarov: you might as well just use the memcache.Client directly instead of creating the subclass
14:13 <dstanek> the whole idea of the subclass is that threading.local is no longer in the mro. with your patch i think it's back and that means the locking behavior is back
14:13 <amakarov> dstanek, it replaces the hack with the same result: as you can see, it removes all threading.local logic
14:13 <amakarov> the same as was before
14:13 <dstanek> how does it remove it?
14:13 <amakarov> see **object.__dict__
14:14 <amakarov> when new class is created it uses object's methods instead of local's
14:14 <amakarov> all the threading.local overrides are object's methods
14:15 <amakarov> and my patch removes the override leaving mro for super() to work
14:15 <dstanek> amakarov: it solves the traceback and puts threading.local back ... or am i missing magic somewhere?
14:17 <amakarov> dstanek, it returns threading.local to mro - yes, but removes all overrides threading.local does
14:17 <amakarov> the last parameter to type() call is a dict of methods
14:19 *** iamjarvo has joined #openstack-keystone
14:19 *** nkinder has joined #openstack-keystone
14:19 <dstanek> amakarov: so you are thinking you are overriding the getattribute and friends? i'll have to download the patch to test it out
14:20 <amakarov> this dict is made of memcache.Client's methods (including threading.local's), but **object.__dict__ overwrites all, that was changed in inherited classes (threading.local)
14:20 <amakarov> dstanek, I've experimented in the python console before writing this patch )
14:22 <dstanek> amakarov: so what happens to the __init__? you would override that too right?
14:23 <amakarov> dstanek, good point
14:23 * amakarov doublechecking
14:24 <dstanek> amakarov: that's broken
14:24 <amakarov> dstanek, correct: __init__ is from object too
14:24 <dstanek> amakarov: does this actually work for you locally?
14:24 *** topol has joined #openstack-keystone
14:24 *** ChanServ sets mode: +v topol
14:25 <amakarov> dstanek, unit-tests... they mock it :)
14:25 <amakarov> well, wip then
14:27 <dstanek> you could pretty easily construct the dict before making the new type, but i think that implementing the __init__ would be clearer
14:27 <dstanek> but i'd be interested to see what others think
14:28 <amakarov> dstanek, I'll try to figure something out )
14:38 *** carlosmarin has joined #openstack-keystone
<openstackgerrit> Doug Hellmann proposed openstack/oslo.policy: Avoid reloading policy files in policy.d for every call
<openstackgerrit> Alexander Makarov proposed openstack/keystone: Make memcache client reusable across threads
14:51 <amakarov> dstanek, ^^ what about this way?
<openstackgerrit> Henrique Truta proposed openstack/python-keystoneclient: Inherited role domain calls on keystoneclient v3
14:52 *** ajayaa has quit IRC
14:56 <dstanek> amakarov: that's probably good, just a few small things to fix
14:56 <amakarov> dstanek, ?
14:56 <dstanek> i commented on the review
15:00 *** chlong has quit IRC
<openstackgerrit> Alexander Makarov proposed openstack/keystone: Make memcache client reusable across threads
15:03 <amakarov> dstanek, ^^
15:07 *** packet has joined #openstack-keystone
15:07 *** zzzeek has joined #openstack-keystone
15:20 *** packet has quit IRC
15:37 *** rwsu has joined #openstack-keystone
15:45 *** gyee has joined #openstack-keystone
15:45 *** ChanServ sets mode: +v gyee
15:46 *** david-lyle_ has joined #openstack-keystone
15:49 <raildo> morganfainberg, ping, I saw that the reseller spec was migrated for the backlog, so I don't need change anything more about this, right?
15:51 <morganfainberg> raildo: you need to repropose (move the spec to the liberty directory) as described in my email, include what has been completed for that spec, and use the commit tag in the message indicating it was previously approved for kilo
15:54 *** mattamizer has joined #openstack-keystone
15:54 *** mattamizer has quit IRC
15:56 *** _cjones_ has joined #openstack-keystone
16:00 *** dougwig has left #openstack-keystone
16:01 *** _cjones_ has quit IRC
16:02 *** stevemar has joined #openstack-keystone
16:02 *** ChanServ sets mode: +v stevemar
16:03 *** iamjarvo has quit IRC
16:04 *** lhcheng has joined #openstack-keystone
16:04 *** tqtran has joined #openstack-keystone
16:09 *** alexsyip has joined #openstack-keystone
16:12 *** adam_g_out is now known as adam_g
16:14 *** ajayaa has joined #openstack-keystone
16:25 <raildo> morganfainberg, right, but a Liberty directory doesn't exist yet in the keystone specs, so I need to create this directory?
16:25 <stevemar> raildo, yep
16:26 <raildo> stevemar, ok, thanks
<morganfainberg> The priority today and tomorrow are the bugs on
16:29 <morganfainberg> Please help to review / get them gating.
16:29 <morganfainberg> We have 7 left
16:30 <morganfainberg> Most should be pretty straight forward. I can remove 1 or two more if we don't have the majority gating by tonight.
16:32 <morganfainberg> Please, please, please prioritize these reviews over new code/other fixes, etc. it is important we have a complete rc list by tomorrow.
16:32 <amakarov> is ready and waiting for some time already
<openstackgerrit> Henrique Truta proposed openstack/python-keystoneclient: Inherited role domain calls on keystoneclient v3
16:43 *** david-lyle_ has quit IRC
16:47 *** erkules_ is now known as erkules
16:47 *** erkules has joined #openstack-keystone
16:47 *** spandhe has joined #openstack-keystone
16:55 *** iamjarvo has joined #openstack-keystone
16:55 *** iamjarvo has quit IRC
16:56 *** iamjarvo has joined #openstack-keystone
17:01 *** iamjarvo has quit IRC
<openstackgerrit> Merged openstack/keystone: Fix the typo in `token/providers/fernet/`
17:02 <morganfainberg> amakarov: I need to run a test but it looks like we won't be doing the token delete from the persistence backend with your new logic.
17:02 *** iamjarvo has joined #openstack-keystone
17:02 *** iamjarvo has quit IRC
17:03 *** iamjarvo has joined #openstack-keystone
17:03 <morganfainberg> amakarov: we will only issue the revocation event. That is unfortunately not api compatible, we must also delete the tokens. Which I think means we cannot fix this set of bugs for all cases.
17:03 *** iamjarvo has quit IRC
17:04 <morganfainberg> amakarov: in short, your fix is good, but when the token revocation list is enabled, everything will still need to be revoked.
17:04 <amakarov> morganfainberg, well, what if I add token deletion?
17:04 *** iamjarvo has joined #openstack-keystone
17:04 <morganfainberg> amakarov: you can't easily do so, without doing a whole text scan of every token.
17:04 <amakarov> morganfainberg, ><
17:04 <morganfainberg> amakarov: yeah. I know :(
17:05 <morganfainberg> amakarov: let's circle back on this and improve the logic in liberty so we can separate "delete from persistence" and "issue revocation event".
17:05 <amakarov> morganfainberg, so it remains a "known issue" until Fernet tokens?
17:06 <morganfainberg> Meaning we can solve the issue and make the TRL specifically the problem vs the meshed up set of actions.
17:07 <morganfainberg> Known issue when using the TRL. You can turn off using the TRL today and only use revocation events. This issue will be known until liberty and if you use the TRL.
17:07 <morganfainberg> amakarov: :(. I like the fix, but we can't break compatibility.
17:07 <morganfainberg> amakarov: isolating the issuance of an event from the TRL might even be back portable
<openstackgerrit> Raildo Mascena de Sousa Filho proposed openstack/keystone-specs: Move reseller spec for Liberty release
17:08 <morganfainberg> So let's really focus on isolating persistence delete from revocation event in liberty, then we can test having TRL disabled and make sure we don't have this issue. And verify we don't break compat when TRL is enabled.
17:09 <morganfainberg> amakarov: with that said, I'm moving the bugs to l-1. We can talk through the change once rc is cut and get a better implementation :)
17:10 <morganfainberg> amakarov: and I'm optimistic on the backport for it if we are careful about the fix(es)
17:10 <morganfainberg> amakarov: I do appreciate the work you've put in on it.
17:10 <amakarov> morganfainberg, ok, so in short: group revocation does not delete tokens from persistence and it causes revoked tokens not to appear in the TRL if one is requested?
17:11 <morganfainberg> It looks like with your fix that is the case.
17:11 <morganfainberg> The TRL is dumb, it is very limited in what it can revoke (must be an index)
17:11 <morganfainberg> Groups and roles are not an index.
17:12 <amakarov> morganfainberg, I understand we cannot just drop functionality people rely on
17:13 <amakarov> So can we just deny revocation by group as a temporary solution?
17:13 * amakarov thinks we cannot :(
17:14 <amakarov> morganfainberg, how much time do I have to think about it?
17:15 <amakarov> or just postpone it until next release?
17:15 <morganfainberg> amakarov: rc is being cut this week. I want everything merged by tomorrow.
17:15 <morganfainberg> amakarov: let's postpone and try and do a backport to k/j
17:15 <amakarov> morganfainberg, safety first :)
17:16 <morganfainberg> amakarov: I think this is significant enough ux issue that it warrants a backport. But it's also a long standing issue.
17:16 <morganfainberg> amakarov: exactly. :)
17:17 <amakarov> morganfainberg, I think there is no problem: Horizon guys rate it as low severity
17:17 <morganfainberg> Ack. Good to know horizon priority
17:18 <amakarov> morganfainberg, more to say: afaik they have their own workaround
17:18 *** ajayaa has quit IRC
17:29 *** rm_work is now known as rm_work|away
17:30 <samueldmq> breton, ping - you around ? can you give me a hand with DatabaseAlreadyControlledError ?
17:30 *** stevemar has quit IRC
17:31 *** stevemar has joined #openstack-keystone
17:31 *** ChanServ sets mode: +v stevemar
17:31 *** amakarov is now known as amakarov_away
17:43 <ayoung> morganfainberg, so...looking out to the future, one thing that is going to mess us up with Federation is that people are not going to be able to manage the groups coming in.  The only way to do fine grained role assignments will be via the mapping, and the domain admins can't yet be trusted to do their own mappings
17:43 <ayoung> I think that needs to be brainstormed big time in Vancouver
17:44 <samueldmq> breton, I found the workaround on the logs ... TEST_RUN_CONCURRENCY=1
17:44 <samueldmq> breton, thanks
17:50 <morganfainberg> ayoung: yep
17:51 <ayoung> morganfainberg, I slipped a line to that effect into the planning etherpad
17:51 <morganfainberg> ayoung: thanks.
17:53 <morganfainberg> 4 bugs for rc. Woo
17:55 *** lhcheng is now known as lhcheng_afk
17:58 *** undeadcat is now known as straycat
18:01 <ayoung> morganfainberg so debian is going to keep pimping Eventlet?
18:01 <openstack> Launchpad bug 1435174 in Keystone "SSLTestCase errors when building Debian package" [Medium,Triaged]
18:02 <ayoung> ah... it's from the tests...
<openstackgerrit> Raildo Mascena de Sousa Filho proposed openstack/keystone-specs: Move reseller spec for Liberty release
18:06 <ayoung> morganfainberg, looks like a KC bug, not Keystone server.  However...domain scoped tokens should probably not have a service catalog associated with them, or at least a SC that matches the one we are planning on putting on unscoped tokens
18:06 <openstack> Launchpad bug 1261468 in Keystone "domain-scoped token has "None" for tenant_id replacement" [Medium,In progress] - Assigned to Dave Chen (wei-d-chen)
18:06 <ayoung> will add that to the bug report
18:07 <morganfainberg> ayoung: it could be filtered at the ksc level but we shouldn't be issuing the subbed urls if the values aren't there to sub in.
18:08 <ayoung> morganfainberg, well...right.  Hmmm....once we get proper HMT setup, where the domains ARE projects, we'll not have to deal with this, either
18:08 <ayoung> OK...I'll give the patch a review
<openstackgerrit> Merged openstack/keystone: Document websso setup
18:11 *** harlowja_away is now known as harlowja
18:16 <ayoung> morganfainberg, +2A.
18:17 <morganfainberg> I'll circle back on the security one and the other catalog one post coffee.
18:18 <morganfainberg> The SSL test case one is a bit odd. Need to bug zigo about that one.
18:24 *** rm_work|away is now known as rm_work
18:27 *** iamjarvo has quit IRC
18:28 *** rm_work is now known as rm_work|away
18:33 *** iamjarvo has joined #openstack-keystone
18:34 *** rm_work|away is now known as rm_work
18:34 *** iamjarvo has quit IRC
18:34 *** iamjarvo has joined #openstack-keystone
18:37 <samueldmq> morganfainberg, I am concerned about migration 067, that merged recently
samueldmqmorganfainberg, first, why are we dropping that index when we still have it in the table declaration ?18:38
samueldmqmorganfainberg, also, maybe this is not the cause of having 'Database models differs from migrations'18:40
samueldmqmorganfainberg, I think it is because we create that index as 'ix_actor_id' at 054_add_actor_id_index.py18:40
morganfainbergWe are iirc dropping the explicit fk index18:40
samueldmqmorganfainberg, we are dropping all the indexes for role_id from the assignment table, right?18:42
morganfainbergYes role_id18:42
morganfainbergNot actor_id18:42
samueldmqmorganfainberg, I thought we wanted it, since we explicitly add it on 05418:42
* samueldmq facepalm18:43
morganfainbergWe also drop the fk
morganfainbergSo the fk-index should be removed.18:44
samueldmqmorganfainberg, ++18:46
*** pnavarro|off has joined #openstack-keystone18:48
samueldmqmorganfainberg, are you working on bug #1403539 ?18:49
openstackbug 1403539 in Keystone "Can't create both inherited and direct role assignment on same entities" [Medium,In progress] - Assigned to Morgan Fainberg (mdrnstm)18:49
morganfainbergsamueldmq: no. Just was rebasing for you18:56
samueldmqmorganfainberg, k, I am gonna work on that tonight, thanks19:06
morganfainbergFwiw we need to get that gating today/tomorrow. If I get a chance to solve the issue with pgsql I will today. If not we'll get it dealt with tomorrow after your next pass.19:08
*** lhcheng_afk is now known as lhcheng19:13
samueldmqmorganfainberg, k I will ping you once I am effectively working on this tonight19:16
*** boris-42 has quit IRC19:18
*** uschreiber_ has joined #openstack-keystone19:18
*** iamjarvo has quit IRC19:23
*** uschreiber_ has quit IRC19:23
*** iamjarvo has joined #openstack-keystone19:28
raildolhcheng, Do you have same time to see my answers here? :)19:34
lhchengraildo: looking19:34
lhchengthought I looked at it this morning, didn't notice the question :)19:35
lhchengraildo: ah, this one : ?19:36
raildolhcheng, yeap19:36
lhchengraildo: I missed it, will post a reply. :)19:36
raildolhcheng, thanks19:37
dstanekwill any of you guys be at pycon?19:41
morganfainbergNot I. But I think stevemar will be19:42
dstanekyeah, stevemar will be there19:43
morganfainbergI couldn't justify being there (not giving a talk etc)19:43
stevemarmorganfainberg, just say you are PTL, that should be enough19:46
morganfainbergstevemar, hah19:46
bknudsonwhy have a conference for a single programming language? seems weird.19:51
dstanekit's more of a support group19:52
bknudson"My name is David Stanek and I use python"19:52
bknudson"Hi David"19:52
*** Guest48074 is now known as redrobot19:55
morganfainberg"Hi my name is morganfainberg, and I feel violated by the dependency resolution in pip and pypi"19:56
dstanekyou may need SVU and a therapist20:05
morganfainbergdstanek, hehe20:07
morganfainbergcan we just re-write everything in Go and Rust?20:07
bknudsonis there a godev conference?20:11
openstackgerritayoung proposed openstack/oslo.policy: CLI Policy Check tool
*** iamjarvo has quit IRC20:17
ayoungGo and Rust?20:18
morganfainbergayoung, going to -1 that cli, but only based on it should be code we can re-use and become an entry-point CLI script20:18
morganfainbergayoung, otherwise i like the ide.20:18
ayoungmorganfainberg, really I just wanted a publicly available link to it20:18
ayoungand why not keep the conversation in Gerrit!20:19
morganfainbergayoung, i will, just letting you know right now :)20:19
ayoungentrypoint CLI script is probably the right direction20:19
ayoungmorganfainberg, I've been running it against the Nova policy file.20:20
morganfainbergayoung, :)20:20
ayoungthere are so many things I want to change...20:21
ayoungis_admin must die20:21
morganfainbergayoung, it's a good idea especially with how complex it is for people to understand policy20:21
ayoungI think that, instead, we should provide a way to make an admin user get a token scoped to whatever it is they need to adminify20:21
morganfainbergayoung, and crafting their own. TBH i kind of want policy.json to die....20:21
ayoungthe idea that certain tokens can change all things everywhere is evil20:21
morganfainbergayoung, service scoped tokens.20:22
ayoungmorganfainberg, what I would like to see out of policy.json is a reduction of what we put in there:20:22
ayoungire areally should be just the bottom role of the inherited-roles tree per api entrypoint20:22
*** raildo is now known as raildo|away20:23
*** iamjarvo has joined #openstack-keystone20:24
ayoungmorganfainberg, so  I got a public demo of Kerberos / SSSD federation working last Friday.  TOday it seems to be somewhat degraded20:24
ayoungI wrote up the steps here:
ayoungLet me recheck the demo, but if any of y'all want to see it...20:26
zigomorganfainberg: Are you around?20:26
zigoHow may I help to find out what the issue is?20:27
richmstevemar: dtroyer: is there some reason that v2 endpoint create supports --description but not v3?20:27
*** krtaylor has quit IRC20:28
stevemarrichm, it's not in the API
morganfainbergzigo, i am not sure where to start here. i'm wondering if it's some lib debian version that is out of sync w/ ubuntu 14.0420:28
stevemarrichm, that was created before i was ever a part of keystone :(20:28
dtroyerrichm:  IIRC the v3 API doesn't have it.20:28
zigomorganfainberg: Like which lib?20:28
morganfainbergzigo, thats where i'm stuck.20:28
stevemardtroyer, ding ding ding20:28
morganfainbergzigo, i need to circle back around to that bug today20:29
zigomorganfainberg: Mostly, Debian is always leading the way, and Ubuntu lagging behind, so that'd be a new lib version of something.20:29
* dtroyer drops back into hiding20:29
morganfainbergzigo, i haven't stood up debian in a lonnnng time20:29
morganfainbergzigo, so ...20:29
stevemardtroyer, pffft, good luck20:29
morganfainbergdtroyer, you can't hide in this channel >.>20:30
zigomorganfainberg: Could this be related to Python itself?20:30
zigomorganfainberg: Jessie got version
morganfainbergzigo, maybe, or might be a new version of somerthing else20:31
stevemarayoung, in your blog post: s/devdtackbdoes/devstack does20:31
ayoungstevemar, hanks20:31
zigomorganfainberg: FYI, a full trace is available here:
morganfainbergah thanks20:31
ayoungstevemar,   got the public demo here
ayoungstevemar, lemm know if you want to try it out.  I had to rebuild the IPA server20:32
ayoungSo everyone needs new accouns20:32
morganfainbergzigo, oh god20:32
20:32 <openstack> zigo: Error: "?!" is not a valid command.
20:33 <morganfainberg> zigo, i am scared... i see greenlet stuff
20:33 <zigo> Arg! :)
20:33 <morganfainberg> zigo, never makes me happy when i see greenlet stuff in tracebacks
20:33 <richm> stevemar: dtroyer: sorry, I meant "service create", and it looks like description was added some time after 1.0.1
20:33 *** krtaylor has joined #openstack-keystone
20:33 <morganfainberg> zigo, there is a reason we're going to drop eventlet ;) that way we don't ever worry about weird interactions.
20:33 <morganfainberg> zigo, i don't think that is the case here. just always makes me uneasy when greenlet ends up in the traceback
20:34 <zigo> morganfainberg: I'm really annoyed by Eventlet breaking its own API every 2nd week btw.
20:34 <morganfainberg> oooor this might actually be eventlet.
20:34 <zigo> The global-requirements.txt regarding this is a huge pain for me.
20:35 <morganfainberg> zigo, is this correct: python-eventlet (0.16.1-1~bpo80+1
20:35 <morganfainberg> the version there?
20:35 <zigo> morganfainberg: What did you expect?
20:35 <zigo> 0.16.1 is what is in the global reqs, no?
20:35 <stevemar> ayoung, hook me up with a uname/passwd
20:35 <morganfainberg> zigo, i'm making sure i have the correct version when i start poking at this
20:35 <ayoung> stevemar, under wat
20:36 <zigo> -1 <--- means first Debian release, and ~bpo80+1 means backport to Jessie.
20:36 <morganfainberg> zigo, just confirming that that was in fact the version you're hitting (based on the trace you gave me)
20:36 <morganfainberg> zigo, ack.
20:36 <zigo> So, it's just 0.16.1 in fact.
20:36 <morganfainberg> zigo, ok
20:36 <morganfainberg> zigo, no extra silly patches etc?
20:37 <zigo> morganfainberg: There's only patches in the unit test suite.
20:37 <morganfainberg> crap, looks like this is 2.7.9
20:37 <zigo> (I just checked)
20:37 <morganfainberg> zigo, thanks
20:38 *** obedmr has joined #openstack-keystone
20:38 <morganfainberg> zigo, can you confirm the version of OpenSSL in jessie?
20:39 <zigo> morganfainberg: Could this be related to the removal of SSLv3 in Debian as well?
20:39 <morganfainberg> zigo, might be.
20:39 <zigo> Jessie has 1.0.1k
20:39 <morganfainberg> zigo, though i thought we already addressed this in ubuntu a while back.
20:39 <zigo> Well, I believe I did.
20:40 <zigo> And each time I saw some SSLv3, it was rather explicit.
20:40 <zigo> However, the error here is in self._sslobj.do_handshake()
20:40 <obedmr> hi all, question, when setting keystone with HTTPD, what do you do for granting access over /etc/keystone/keystone.conf to the httpd user? adding it to keystone group? or adding keystone to httpd group? or? thank you
<openstackgerrit> Merged openstack/keystone: Don't add unformatted project-specific endpoints to catalog
20:41 *** pnavarro|off has quit IRC
20:42 <morganfainberg> zigo, i'm thinking this is related to some hack around SNI for OpenSSL that is/isn't/changed in jessie
20:43 <morganfainberg> and python 2.7.9 triggers it
20:45 <zigo> morganfainberg: I don't even know what SNI is! :)
20:45 <zigo> Oh, that stuff to provide real vhosts over SSL?
20:46 <morganfainberg> annnnnd we're down into the icky internals of eventlet
20:47 <zigo> .oO(reading this makes me feel sick indeed...)
20:48 <zigo> So, eventlet is embedding the httplib / of Python?!?
20:48 <zigo> WTF !!!
20:48 <morganfainberg> well no.
20:48 <morganfainberg> it patches it for greenlet trampoline
20:48 <morganfainberg> so you can coroutine/yield
20:48 <zigo> I'm not sure I want to know about all of this! :)
20:49 <morganfainberg> fwiw, the docker folks said [similar issue] they recommend a rollback to 2.7.8 :P
20:49 <morganfainberg> not an option here
20:49 <bknudson> maybe the ssl tests as they're written aren't worth it
20:49 <morganfainberg> i'll bet that if i spin up a jessie node and test w/o eventlet it'll work.
20:49 <bknudson> really we just want to know if we set up ssl
20:49 <zigo> 20 days from the release of Jessie, indeed, that's not an option.
20:49 <bknudson> could do that just as well with mocks.
20:50 <zigo> Cause, if you didn't know, the release team announced that Jessie would be out on the 25th of this month.
20:50 <morganfainberg> bknudson, doesn't mean this won't break in spectacular ways in debian in production though
20:50 <morganfainberg> zigo, i wouldn't recommend rolling back python version
20:50 *** topol has quit IRC
20:50 <morganfainberg> zigo, just saying how docker folks handled it
20:50 <bknudson> morganfainberg: that would be a bug in debian.
20:50 <morganfainberg> bknudson, it might be a bug in py2.7.9
20:51 <morganfainberg> bknudson, and 14.04, iirc uses something else
20:51 <morganfainberg> bknudson, meaning we'd miss it in gate.
20:51 <bknudson> gate should be running with ssl
20:52 <morganfainberg> bknudson, this is why i want to chase this before saying "dump the tests out"
20:52 <morganfainberg> gyee, can i ask you to do me a huge favor today?
20:53 <morganfainberg> bknudson, it might also be an issue with how we generated the cert
20:53 <bknudson> morganfainberg: I'd rather mock than rely on how we generated the cert working on every os.
20:54 <morganfainberg> bknudson, sure, but if it's just a cert generation error i'm content with saying that mock is the right answer
20:54 <morganfainberg> if it is something more systemic ...
20:54 <morganfainberg> bknudson, basically i just want to be sure before we change how the tests work.
20:57 <morganfainberg> zigo, ok this is my lack of knowing debian... do i just install testing?
20:57 <morganfainberg> zigo, is that close enough / what jessie is?
20:57 <morganfainberg> zigo, or is there some other magic i need to do.
20:58 <zigo> morganfainberg: Jessie currently IS testing, but you will need some more stuff.
20:59 <zigo> morganfainberg: Jessie doesn't have Kilo.
20:59 <morganfainberg> zigo, not worried about that, going to pull down via git.
20:59 <morganfainberg> zigo, unless there are other associated libs that are an issue
20:59 <zigo> You can use that, if you're ok with using sbuild.
21:00 <morganfainberg> zigo, not actually looking to build the package
21:00 <morganfainberg> looking to test with a few versions / changes in tree
21:00 <zigo> The first bit is for upstream...
21:00 <morganfainberg> so i'm going to just run tox
21:00 <morganfainberg> isolate to the problematic tests and confirm it's an issue with either the SSL certs or something deeper
21:00 <morganfainberg> e.g. version of eventlet
21:00 <morganfainberg> or openssl
21:01 <zigo> morganfainberg: You can use tox, but I would advise you to just use the packaged stuff if you want to keep the same env.
21:01 <morganfainberg> zigo, start with tox and then unwind. if it happens w/ the pip installed / mainline stuff
21:01 <morganfainberg> we have a bigger issue :)
21:01 <zigo> deb jessie-kilo-backports main
21:01 <zigo> deb jessie-kilo-backports-nochange main
21:01 <zigo> deb-src jessie-kilo-backports main
21:01 <zigo> deb-src jessie-kilo-backports-nochange main
21:01 <zigo> then apt-get build-dep keystone
21:02 <zigo> FYI, schroot is very nice stuff to have throwable envs.
21:04 <morganfainberg> and now i get annoyed with installers not letting me skip the "create a non-root account" bit
21:04 <zigo> morganfainberg: If we need eventlet 0.17.1 or 0.17.2, I can switch to it.
21:04 * morganfainberg grumbles. "for a stupid one-off VM... just let me skip the extra crap"
21:05 <morganfainberg> really... you can't select regions not your own with netinstall for clock.
21:05 <zigo> I guess the gate is currently using 0.17.2, since we have eventlet>=0.16.1,!=0.17.0 in the global reqs.
21:05 * morganfainberg is suddenly saddened by this install.
21:06 <zigo> morganfainberg: Of course you can, but maybe only in the expert mode.
21:06 <zigo> I *always* use the expert mode.
21:06 <morganfainberg> zigo, even with expert it looks like the netinstall is a little hamstrung
21:07 <morganfainberg> zigo, anyways..... no big deal doesn't matter
21:07 <zigo> The debian-installer team is really understaffed, be my guest and fix stuff if you have time! :)
21:07 <zigo> Nearly nobody cares about contributing to it.
21:07 <morganfainberg> zigo, which is sad, because the install is the first experience lots of people have with a distro
21:07 <morganfainberg> zigo, but i get it
21:10 <morganfainberg> zigo, lets hope this is just "keystone has a bad cert generated"
21:10 <morganfainberg> zigo, that is the easiest fix
<zigo> Oh, btw, I managed to get this done for Jessie:
21:11 <zigo> The OpenStack image is now generated at the same time as the ISO images! :)
21:12 <zigo> I'm just pointing at it if you want to use that instead of setting-up a distro by hand ...
21:12 <morganfainberg> zigo, right now i'm using VMWare
21:12 <morganfainberg> so it's a conversion in either case
21:13 <morganfainberg> about as much work w/o all the tools to convert raw/qcow over
21:13 <morganfainberg> as installing
21:13 <zigo> Ah, right, and you'd be annoyed by cloud-init and friends.
21:13 <morganfainberg> eh. cloud-init is annoying
21:13 <morganfainberg> but it'd be ok
21:14 *** Bsony has joined #openstack-keystone
21:14 <morganfainberg> i've done it before i just would rather just do it the install way so i can multi-task
<openstackgerrit> ayoung proposed openstack/oslo.policy: CLI Policy Check tool
21:18 <ayoung> morganfainberg, there ya go!
21:19 <morganfainberg> ayoung, nice
21:19 *** iamjarvo has quit IRC
21:20 <ayoung> morganfainberg, you can test it like this
21:20 <ayoung> .tox/py27/bin/policytool --policy /opt/stack/nova/etc/nova/policy.json --access sample_data/auth_v3_token_admin.json --is_admin=true
21:20 *** edmondsw has quit IRC
21:27 <ayoung> morganfainberg, pretty sure the name policytool is going to conflict with something else in the distribution
21:27 *** iamjarvo has joined #openstack-keystone
21:27 <morganfainberg> probably going to need to name it something else
21:28 *** Bsony has quit IRC
21:29 <ayoung> morganfainberg, think it's ok to just call it oslo_policy ?
21:29 <ayoung> or oslo_policy_tool?
21:32 <stevemar> i predict mfisch will ask a question about logging... very very soon
21:32 <mfisch> I'm about to commute though, so probably tomorrow morning
21:33 <morganfainberg> ayoung, i'd call it oslo-policytool probably
21:34 <morganfainberg> /usr/bin/ld: cannot find -lz
21:34 <morganfainberg> so bloody useful
21:35 <ayoung> morganfainberg, so, hyphens are problematic, and I'ma call it oslopolicy
21:35 <morganfainberg> ayoung, hyphens are problematic in python, not in bash :P
21:35 <ayoung> morganfainberg, and setup.cfg is python and hates me
21:36 <zigo> morganfainberg: When building what?
21:37 <zigo> morganfainberg: How come you're rebuilding lxml?
21:37 <openstack> zigo: Error: "!!" is not a valid command.
21:37 *** iamjarvo has quit IRC
21:37 <morganfainberg> it is building python-lxml
21:37 <morganfainberg> it's how this all works
21:37 <zigo> morganfainberg: You're missing libgzip dev or something.
21:38 <zigo> -lz ...
21:38 <morganfainberg> that's what i'm trying to figure out which one i'm missing
21:38 * morganfainberg facepalms
21:38 <morganfainberg> there is a reason i don't do packaging ;)
21:38 <zigo> apt-get install zlib1g-dev
21:39 <zigo> That's one of the very few libs which has a name that doesn't start with lib.
21:39 <morganfainberg> zigo, yeah
21:39 <zigo> I believe we have that one and the libc6, and that's it. :)
21:39 <morganfainberg> zigo, was trying to find it. keep forgetting how it ends up getting named.
21:40 * morganfainberg hides in the "I'm not a system-engineer/devops/sysadmin" corner
21:40 * morganfainberg tries to forget said past life.
21:41 <zigo> I still think it's nonsense to rebuild lxml from source.
21:41 <morganfainberg> zigo, that is how tox/pip works
21:41 <morganfainberg> zigo, by default
21:41 <zigo> tox is slowly becoming FreeBSD /usr/ports...
21:41 <morganfainberg> zigo, slowly?
21:42 <zigo> make world ...
21:42 <morganfainberg> emerge world
21:42 * morganfainberg hides the gentoo-ism under the rug
21:42 <zigo> Well, Gentoo has maintained packages, I can't say the same thing for FreeBSD. :0
21:43 <morganfainberg> zigo, sooooort of maintained
21:43 <zigo> BTW, has anyone ever tried OpenStack on Gentoo?
21:43 <morganfainberg> don't tempt fate man
21:44 <morganfainberg> "bug: this doesn't work on gentoo" = "mark bug as closed 'not only i won't fix, but i'm laughing the whole way'"
21:49 <bknudson> hard to believe we can't get rid of the lxml requirement.
21:49 <dstanek> is it optional now that only federation needs it?
21:50 <bknudson> it's in test-requirements.txt for federation tests.
21:51 <stevemar> yeah, it's only for the tests
21:52 *** dims has quit IRC
21:53 <sigmavirus24> morganfainberg: zigo actually there is someone who maintains packages for Gentoo
21:53 * sigmavirus24 knows all of the people who make really bad life decisions
21:53 <morganfainberg> sigmavirus24, hahah
21:53 <zigo> sigmavirus24: I know, and I'm a bit curious about it.
21:54 <sigmavirus24> zigo: they swear the packages work
21:54 *** dims has joined #openstack-keystone
21:54 *** dims has quit IRC
21:55 *** dims has joined #openstack-keystone
21:55 *** carlosmarin has quit IRC
22:00 <dstanek> sigmavirus24: everyone thinks their crap works
22:00 <sigmavirus24> dstanek: bingo
22:01 <dstanek> do i get a prize?
<stevemar> fwiw, doesn't look like pysaml2 requires lxml either,
22:04 <morganfainberg> zigo, oh FFS.
22:04 <morganfainberg> zigo, eventlet explicitly sets context to SSLv23_METHOD
22:04 <morganfainberg> with no way to override.
22:04 <openstack> zigo: Error: "!!" is not a valid command.
22:04 <zigo> There we go ...
22:04 <zigo> Good catch.
<dstanek> stevemar: it looks like it needs either that or elementtree
22:05 <zigo> morganfainberg: I may patch eventlet if needed.
22:05 <zigo> morganfainberg: Where does it do that?
22:05 <morganfainberg> wait a sec.
22:05 <morganfainberg> try/except/else ... brain not working
22:05 <morganfainberg> that means try and if we don't get an exception do the else?
22:06 <morganfainberg> zigo, it's deeeeeep in eventlet
22:06 <zigo> morganfainberg: Where's that code?
22:06 <morganfainberg> but basically we can pass anything we damn well please to the wrap_ssl
22:06 <morganfainberg> and it doesn't care
22:07 <morganfainberg> wow this is naive code
22:07 <morganfainberg> let me make sure i have the newest eventlet
22:08 <morganfainberg> should be new enough
22:08 <morganfainberg> nothing changed
22:08 <zigo> morganfainberg: There's a 0.17.2 in PyPi.
22:08 <morganfainberg> not materially different
22:08 <morganfainberg> let me poke at the HTTPSConnection to make sure we're ok
22:09 <morganfainberg> but basically, the server is set to use v2/v3 hard coded so the client is just doing the sane thing
22:09 <morganfainberg> and using v3
22:09 <morganfainberg> well httplib.HTTPSConnection
22:09 <morganfainberg> this is a rabbit hole
22:10 <morganfainberg> annnnd httpsconnection can't force ssl versions
22:11 <morganfainberg> let me change that value in eventlet and see if it solves the issue
22:11 <bknudson> SSLv23 typically means it allows all SSL protocols
22:12 <morganfainberg> bknudson, and debian explicitly disallows v3
22:12 <stevemar> dstanek, that's the standard lib, xml
22:12 <stevemar> not lxml
22:12 <morganfainberg> and then httpconnection goes "oh you claim to support this" and bails out
22:13 <bknudson> python really doesn't have a way to say all protocols but v3.
22:13 <morganfainberg> because debian has no support for v3 built into the OpenSSL bin
22:13 <bknudson> requires some newer python
22:13 <morganfainberg> i'm looking at forcing TLS v1_2
22:13 <zigo> morganfainberg: As much as I know, SSLv23 is ok with Debian.
22:13 <morganfainberg> since that is the recommendation, or at least v1.1
22:13 <zigo> It shouldn't just break ...
22:14 <morganfainberg> zigo, it's an issue with the eventlet allowing v3 and advertising it on the server side and the client being unable to use it
22:14 <morganfainberg> or not
22:14 <morganfainberg> maybe it's httplib side
22:15 <morganfainberg> this is debian ripped out support for something and things don't play nice without that support
22:15 <zigo> In Debian, we *explicitly* patched OpenSSL to *remove* SSLv3 support, for damned good security reasons.
22:15 <morganfainberg> and they successfully broke things
22:15 <zigo> But for good.
22:15 <bknudson> what does SSLv23 give you when SSLv3 is disabled?
22:16 <bknudson> and, I assume SSLv2
<bknudson> There's a table here:
22:16 <morganfainberg> zigo, removing support in incompatible ways for "damn good reasons" is still an awful way of doing things
22:16 <morganfainberg> zigo, especially when it horribly breaks stuff
22:16 <zigo> morganfainberg: What's broken, IMO, is to still support known bad protocols.
22:17 <zigo> That is what is horrible.
22:17 <morganfainberg> zigo, the answer is using python3
22:17 <morganfainberg> zigo, i'm looking at what we can do to fix this... but it's going to bite us again
22:17 <zigo> You'll see, there's going to be soon some new exploit due to SSLv3, and Debian won't have the issue ... :)
22:17 <bknudson> does keystone start and TLS works on debian?
22:17 <morganfainberg> bknudson, not with eventlet afaict
22:18 <morganfainberg> bknudson, eventlet is just broken.
22:18 <bknudson> or is it just the tests that fail?
22:18 <zigo> bknudson: TLS is what everyone should be using, yes, not the stupid SSLv3 which is completely backward old.
22:18 <bknudson> morganfainberg: you can't run any eventlet server on debian?
22:18 <morganfainberg> bknudson, i think eventlet is unable to specify what versions it uses
22:18 <morganfainberg> bknudson, so if the client is stupid and uses v3 and you're on debian you're effed
22:19 <bknudson> what client is using sslv3 only?
22:19 <morganfainberg> bknudson, reason #121022314441 not to terminate SSL in eventlet
22:19 <zigo> Oh, so does this mean that, by default, on non-debian systems, the client will end up using sslv3 ???
22:19 <morganfainberg> bknudson, eventlet patched httplib
22:19 <zigo> That's a HUGE security concern then!
22:19 <morganfainberg> zigo, if it is allowed.
22:19 <morganfainberg> zigo, if you don't advertise it (e.g. disable in your ssl terminator) it should be fine
22:19 <bknudson> it's python, we can monkeypatch it.
22:20 <zigo> morganfainberg: But what you're saying is that it's going to be the default?
22:20 <morganfainberg> zigo, it's a dumb default that is impacted by a monkeypatched httplib from eventlet
22:20 <morganfainberg> zigo, so in *most* cases you'd never hit this
22:20 <morganfainberg> you know... unless you're running something in a server patched with eventlet
22:20 <bknudson> morganfainberg: where are you seeing this?
22:21 <morganfainberg> bknudson, this is digging through eventlet's code
22:21 <zigo> morganfainberg: So, basically, you're saying that we could have a man-in-the-middle downgrade attack?
22:21 <morganfainberg> the failure *looks* to be that eventlet wrap explicitly wraps v23
22:21 <morganfainberg> and the httplib.HTTPConnection is also patched
22:21 <morganfainberg> when you monkey patch eventlet in
22:21 <bknudson> wraps v23 so that it only uses sslv3?
22:22 <morganfainberg> bknudson, nah
22:22 <morganfainberg> bknudson, this should impact only cases where you terminate SSL in eventlet
22:22 *** sigmavirus24 is now known as sigmavirus24_awa
22:22 <morganfainberg> *and* use patched eventlet httpsconnection
22:22 * morganfainberg is still chasing a rabbit down a hole here
22:23 <dstanek> stevemar: hmmm...i read that as lxml. looks like i need a break
22:23 <morganfainberg> bknudson, this comes down to httplib being dumb
22:23 <bknudson> morganfainberg: doesn't get much dumber than not supporting TLS
22:24 <stevemar> dstanek, you had me concerned there for a minute
22:24 <zigo> morganfainberg: SSLv23 means that TLSv1 can be used, right?
22:24 <dstanek> morganfainberg: bknudson: i was having problems on debian using our bundled test certs and the openssl command line tools
22:24 <morganfainberg> zigo, yeah it should
22:24 <bknudson> dstanek: did it work with other certs?
22:25 <morganfainberg> can a cert say "no sslv3"?
22:25 <morganfainberg> or TLSv1+ only?
22:25 <morganfainberg> afaict protocol is not in the purview of the cert itself
22:25 <morganfainberg> it's under the terminator (e.g. apache)
22:26 <zigo> Yeah, that's what I believe as well.
22:26 <zigo> Certs have other issues (like type of hash and so on...)
<morganfainberg> i mean:
22:27 <morganfainberg> The OpenStack services and python clients do not currently have a configuration option for the SSL/TLS protocol version. Therefore, the best way to avoid SSLv3 with OpenStack code today is to ensure that the underlying SSL/TLS library (OpenSSL in this case) is compiled without SSLv3 support, as described above.
22:27 <morganfainberg> which debian does
22:27 <zigo> morganfainberg: Are you using keystone over WSGI? Or are you using the keystone daemon?
22:27 <morganfainberg> and things break.
22:27 <morganfainberg> zigo, this is in eventlet like our tests run
22:28 <openstack> Launchpad bug 1381365 in Keystone "SSL Version and cipher selection not possible" [Wishlist,Confirmed]
22:28 <morganfainberg> no options in eventlet
22:29 <zigo> I'm quite sure there are the same issues in other daemons.
22:29 <morganfainberg> i think the answer is we rip out these tests
22:29 <zigo> I haven't reported it, but I clearly remember I saw it not only in keystone.
22:29 <morganfainberg> and stand by "don't terminate SSL in eventlet"
22:29 <bknudson> if you want a secure configuration you're not going to be running keystone-all.
22:29 <morganfainberg> bknudson, exactly
22:29 <zigo> Well, in that case, kill keystone-all !
22:30 <morganfainberg> so i'm ok ripping out these tests... or at least marking them with @wip so we can move them to the functional suite
22:30 <morganfainberg> zigo, working on it
22:30 <zigo> Providing something which is broken is very dangerous.
22:30 <morganfainberg> zigo, M-cycle slated for release
22:30 <morganfainberg> zigo, can't remove it without deprecation
22:30 <morganfainberg> zigo, and it isn't "broken"
22:30 *** _cjones_ has joined #openstack-keystone
22:30 <zigo> Fair enough.
22:30 <bknudson> you can't run it on an untrusted network.
22:30 <morganfainberg> bknudson, and we say as much
22:30 <morganfainberg> ok so i'll patch out these tests with @wip
22:31 <morganfainberg> so we can keep them for functional (we should support them against apache when/if ssl is configured)
22:31 <morganfainberg> actually... i'm going to skip_test them
22:31 <zigo> morganfainberg: Just make sure you provide enough comments to explain why it's still @wip ...
22:31 <morganfainberg> since behavior will be different on different platforms
22:31 <morganfainberg> zigo, oh don't worry there will be a massive comment here.
22:31 <morganfainberg> bknudson, you good with this approach?
22:32 <zigo> BTW, I still like having HTTP daemons with services.
22:32 <zigo> I don't really care about encryption, but having the daemons is useful.
22:32 <bknudson> morganfainberg: I'm fine with skipping the tests as a fix... can always revisit.
22:32 <zigo> Everyone uses Apache/Nginx/HAProxy anyway.
22:32 <morganfainberg> bknudson, cool.
22:34 *** Bsony has joined #openstack-keystone
22:36 <zigo> morganfainberg: Please make sure to add me on the review, so that I get the link to it, so I can include that when reporting against other openstack projects.
22:39 <dstanek> bknudson: I didn't try any other certs. just the bundled and the ones created by our gen script
22:39 <bknudson> dstanek: did the certs generated by the gen script work?
22:39 *** __afazekas has quit IRC
22:39 *** Bsony has quit IRC
22:41 <dstanek> there was a message about an error from the server output. no real details though
<openstackgerrit> Morgan Fainberg proposed openstack/keystone: Skip SSL tests because some platforms do not enable SSLv3
22:45 *** sigmavirus24_awa is now known as sigmavirus24
22:45 <morganfainberg> zigo, bknudson, ^
22:46 <bknudson> morganfainberg: I thought it was only the 2-way tests that didn't work?
22:46 <morganfainberg> bknudson, 1-way tests also were failing
22:47 <bknudson> test_2way_ssl_fail probably passed.
<morganfainberg> not according to
22:47 <zigo> morganfainberg: Cheers! Bookmarked, and I'll add it to Keystone beta 3 tomorrow first thing in the morning.
22:47 <morganfainberg> bknudson, oh 2way fail?
22:47 <zigo> morganfainberg: Do you know when the next RC will be out?
22:48 <morganfainberg> zigo, RC is slated for this week
22:48 <morganfainberg> zigo, rc1
22:48 <bknudson> there's 4 failures and 5 tests... was wondering what passed.
22:48 <zigo> I might as well be lazy and just wait then! :)
22:48 <morganfainberg> bknudson, probably the failure test
22:48 <morganfainberg> bknudson, :P
22:48 <morganfainberg> or test_2way_ssl_with_ipv6_ok
<bknudson> FAIL: keystone.tests.unit.test_ssl.SSLTestCase.test_2way_ssl_with_ipv6_ok according to
22:49 <openstack> Launchpad bug 1435174 in Keystone "SSLTestCase errors when building Debian package" [Medium,In progress] - Assigned to Morgan Fainberg (mdrnstm)
22:49 <morganfainberg> so probably the "failure" case succeeded
22:50 <morganfainberg> we're getting rid of eventlet
22:50 <zigo> Ok, will test tomorrow then.
22:50 <morganfainberg> zigo, ran on a jessie install locally
22:50 <zigo> If I still get some FAILED, I'll let you know in the bug report.
22:50 <morganfainberg> should be good
22:51 <bknudson> zigo: failed SSL tests? they're all skipped now.
22:51 *** nkinder has quit IRC
22:51 <zigo> Got that point! :)
22:51 <morganfainberg> bknudson, yeah "if", don't think there will be more based on the build log
22:52 *** markvoelker has quit IRC
22:59 *** devlaps has joined #openstack-keystone
23:06 *** topol has joined #openstack-keystone
23:06 *** ChanServ sets mode: +v topol
23:07 *** jamielennox|away is now known as jamielennox
23:10 *** bknudson has quit IRC
23:10 *** chlong has joined #openstack-keystone
23:10 *** henrynash has joined #openstack-keystone
23:10 *** ChanServ sets mode: +v henrynash
23:10 *** henrynash has quit IRC
23:13 *** _cjones_ has quit IRC
23:18 *** topol has quit IRC
23:21 *** sigmavirus24 is now known as sigmavirus24_awa
23:24 *** _cjones_ has joined #openstack-keystone
23:27 *** markvoelker has joined #openstack-keystone
23:31 *** obedmr has left #openstack-keystone
23:53 *** markvoelker has quit IRC
