Tuesday, 2015-04-07

*** carlosmarin has joined #openstack-keystone00:02
*** nkinder has joined #openstack-keystone00:09
*** samueldmq has quit IRC00:10
*** samueldmq has joined #openstack-keystone00:10
*** zzzeek has quit IRC00:22
*** carlosmarin has quit IRC00:23
*** alexsyip has quit IRC00:30
*** darrenc is now known as darrenc_Afk00:40
*** markvoelker has joined #openstack-keystone00:50
*** lhcheng has quit IRC00:50
*** stevemar has quit IRC00:53
*** markvoelker has quit IRC00:55
openstackgerritayoung proposed openstack/oslo.policy: CLI Policy Check tool  https://review.openstack.org/17097800:55
*** Ephur has joined #openstack-keystone01:04
*** ThoamsHsiao has joined #openstack-keystone01:04
*** krtaylor has quit IRC01:10
*** _cjones_ has quit IRC01:14
*** Ephur has quit IRC01:14
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Adds inherited column to RoleAssignment PK  https://review.openstack.org/14247201:15
*** spandhe has quit IRC01:23
*** darrenc_Afk is now known as darrenc01:25
*** samueldmq has quit IRC01:25
*** wanghong has joined #openstack-keystone01:26
*** ThoamsHsiao has quit IRC01:29
*** sluo_wfh has joined #openstack-keystone01:39
*** sluo_wfh has quit IRC01:40
*** Ephur has joined #openstack-keystone01:40
*** erkules_ has joined #openstack-keystone01:41
*** erkules has quit IRC01:43
*** krtaylor has joined #openstack-keystone01:46
openstackgerritayoung proposed openstack/python-keystoneclient: pep8 fix for CMS  https://review.openstack.org/16013201:48
*** markvoelker has joined #openstack-keystone01:51
*** markvoelker has quit IRC01:56
*** samueldmq has joined #openstack-keystone01:57
openstackgerritguang-yee proposed openstack/keystone: Move endpoint catalog filtering to default driver  https://review.openstack.org/16767502:09
*** topol has joined #openstack-keystone02:28
*** ChanServ sets mode: +v topol02:28
*** stevemar has joined #openstack-keystone02:29
*** ChanServ sets mode: +v stevemar02:29
*** richm has quit IRC02:37
*** iamjarvo has joined #openstack-keystone02:42
*** chlong has quit IRC02:42
*** chlong has joined #openstack-keystone02:44
*** markvoelker has joined #openstack-keystone02:52
openstackgerritayoung proposed openstack/python-keystoneclient: Use Model for access_info  https://review.openstack.org/16013402:53
openstackgerritayoung proposed openstack/python-keystoneclient: pep8 fix for CMS  https://review.openstack.org/16013202:53
openstackgerritayoung proposed openstack/python-keystoneclient: Test updates to prep for unified access info  https://review.openstack.org/16013302:53
openstackgerritayoung proposed openstack/python-keystoneclient: Access Info  https://review.openstack.org/13851902:53
*** markvoelker has quit IRC02:56
*** dims has quit IRC02:58
*** dims has joined #openstack-keystone03:07
*** dims_ has joined #openstack-keystone03:08
*** dims has quit IRC03:12
openstackgerritayoung proposed openstack/python-keystoneclient: Update sample data with audit ids  https://review.openstack.org/17102803:15
*** topol has quit IRC03:16
*** dims_ has quit IRC03:20
*** lhcheng has joined #openstack-keystone03:21
*** samueldmq has quit IRC03:33
*** iamjarvo has quit IRC03:37
*** iamjarvo has joined #openstack-keystone03:41
*** iamjarvo has quit IRC03:41
*** iamjarvo has joined #openstack-keystone03:42
*** iamjarvo has quit IRC03:42
*** iamjarvo has joined #openstack-keystone03:42
*** iamjarvo has quit IRC03:43
*** iamjarvo has joined #openstack-keystone03:44
*** iamjarvo has quit IRC03:44
*** iamjarvo has joined #openstack-keystone03:44
*** iamjarvo has quit IRC03:44
*** iamjarvo has joined #openstack-keystone03:45
*** wanghong has quit IRC03:46
ayoungjamielennox, so...continuing your thought from the other day;  we could, in theory, pass the policy rule to Keystone during the token validation, and keystone could hand back a yes/no answer.  It could even generate the answer for all possible API calls for a given server if we really wanted03:47
*** jamielennox is now known as jamielennox|away03:47
openstackgerritayoung proposed openstack/python-keystoneclient: Update sample data with audit ids  https://review.openstack.org/17102803:48
openstackgerritayoung proposed openstack/python-keystoneclient: Access Info  https://review.openstack.org/13851903:48
openstackgerritayoung proposed openstack/python-keystoneclient: Test updates to prep for unified access info  https://review.openstack.org/16013303:49
openstackgerritayoung proposed openstack/python-keystoneclient: Use Model for access_info  https://review.openstack.org/16013403:49
*** gyee has quit IRC03:50
*** markvoelker has joined #openstack-keystone03:53
*** harlowja is now known as harlowja_away03:55
*** markvoelker has quit IRC03:57
*** iamjarvo has quit IRC04:00
*** tqtran has quit IRC04:03
*** ajayaa has joined #openstack-keystone04:05
*** alexsyip has joined #openstack-keystone04:08
*** _cjones_ has joined #openstack-keystone04:15
*** Administrator has joined #openstack-keystone04:18
*** Administrator is now known as Guest530104:18
*** _cjones_ has quit IRC04:19
*** Guest5301 has quit IRC04:20
*** ayoung has quit IRC04:25
*** pnavarro|off has joined #openstack-keystone04:28
*** pnavarro|off has quit IRC04:34
*** topol has joined #openstack-keystone04:46
*** ChanServ sets mode: +v topol04:46
*** markvoelker has joined #openstack-keystone04:53
*** markvoelker has quit IRC04:58
*** ajayaa has quit IRC05:17
*** topol has quit IRC05:27
*** ajayaa has joined #openstack-keystone05:30
*** markvoelker has joined #openstack-keystone05:54
*** markvoelker has quit IRC05:58
*** Bsony has joined #openstack-keystone06:14
*** Bsony has quit IRC06:22
*** ishant has joined #openstack-keystone06:23
*** mflobo has quit IRC06:25
*** mflobo has joined #openstack-keystone06:29
*** pnavarro has joined #openstack-keystone06:29
*** spandhe has joined #openstack-keystone06:32
*** jistr has joined #openstack-keystone06:47
*** pnavarro has quit IRC06:48
*** afazekas has joined #openstack-keystone06:54
*** markvoelker has joined #openstack-keystone06:55
*** markvoelker has quit IRC06:59
*** spandhe has quit IRC07:07
*** Bsony has joined #openstack-keystone07:07
*** Bsony has quit IRC07:18
*** alexsyip has quit IRC07:21
*** fhubik has joined #openstack-keystone07:27
*** spandhe has joined #openstack-keystone07:27
*** chlong has quit IRC07:34
*** ParsectiX has joined #openstack-keystone07:41
*** jistr has quit IRC07:50
*** stevemar has quit IRC07:54
*** markvoelker has joined #openstack-keystone07:56
*** markvoelker has quit IRC08:00
*** jaosorior has joined #openstack-keystone08:05
*** jistr has joined #openstack-keystone08:09
*** spandhe has quit IRC08:18
*** ParsectiX has quit IRC08:19
viktorshi folks! Can someone approve patch, which already got two +2 ? See https://review.openstack.org/#/c/137639/08:22
*** ParsectiX has joined #openstack-keystone08:23
*** ParsectiX has quit IRC08:28
openstackgerritDavid Charles Kennedy proposed openstack/keystone: Move endpoint catalog filtering to default driver  https://review.openstack.org/16767508:37
*** lhcheng has quit IRC08:56
*** markvoelker has joined #openstack-keystone08:56
*** markvoelker has quit IRC09:01
*** lhcheng has joined #openstack-keystone09:06
*** rushiagr_away is now known as rushiagr09:06
*** davidckennedy has joined #openstack-keystone09:10
*** lhcheng has quit IRC09:17
*** fhubik is now known as fhubik_afk09:22
*** spandhe has joined #openstack-keystone09:25
*** dims has joined #openstack-keystone09:29
*** dims has quit IRC09:35
*** aix has joined #openstack-keystone09:45
*** fhubik_afk is now known as fhubik09:55
*** markvoelker has joined #openstack-keystone09:57
*** markvoelker has quit IRC10:02
openstackgerritDavid Charles Kennedy proposed openstack/keystone: Add subjectAltName to generated ssl cert  https://review.openstack.org/15407410:04
*** chlong has joined #openstack-keystone10:07
openstackgerritVictor Sergeyev proposed openstack/keystone: POC: Run SQL migration tests on PostgreSQL and MySQL  https://review.openstack.org/17111510:25
viktorsdstanek: please look at ^ , when you'll have a time10:25
*** viktors is now known as viktors|lunch10:27
*** jistr has quit IRC10:30
*** samueldmq has joined #openstack-keystone10:38
*** fhubik is now known as fhubik_afk10:42
*** tobberydberg has joined #openstack-keystone10:43
*** jistr has joined #openstack-keystone10:51
*** jistr is now known as jistr|biab10:52
*** ParsectiX has joined #openstack-keystone10:52
*** markvoelker has joined #openstack-keystone10:58
openstackgerritDolph Mathews proposed openstack/python-keystoneclient: Drop explicit requirement for argparse  https://review.openstack.org/17112411:02
*** markvoelker has quit IRC11:03
*** fhubik_afk is now known as fhubik11:17
openstackgerritVictor Sergeyev proposed openstack/keystone: POC: Run SQL migration tests on PostgreSQL and MySQL  https://review.openstack.org/17111511:28
*** henrynash has joined #openstack-keystone11:33
*** ChanServ sets mode: +v henrynash11:33
*** viktors|lunch is now known as viktors11:33
*** chlong has quit IRC11:49
*** jistr|biab is now known as jistr11:49
*** chlong has joined #openstack-keystone11:51
samueldmqdolphm, ping - since we've dropped python 2.6 support, why do we still have gate-python-keystoneclient-python26 ?11:58
samueldmqdolphm, any thought on this?11:58
*** markvoelker has joined #openstack-keystone11:59
dolphmsamueldmq: oh, then my patch is wrong. iirc, that job was dropped at some point, but it makes sense that we'd continue to support 2.6 in the clients11:59
samueldmqdolphm, yeah, but I can't understand why your patch passed on it ( gate-python-keystoneclient-python26 )12:01
dolphmsamueldmq: the client depends on oslo.config, which explicitly requires argparse as well12:02
samueldmqdolphm, k, makes sense to be passing then .. thanks12:02
*** fhubik has quit IRC12:03
*** fhubik_lunch has quit IRC12:03
*** markvoelker has quit IRC12:03
*** fhubik has joined #openstack-keystone12:05
*** fhubik_afk has joined #openstack-keystone12:05
*** samueldmq-mob has joined #openstack-keystone12:07
*** hogepodge has quit IRC12:08
*** ParsectiX has quit IRC12:12
samueldmqhenrynash, hi, good morning12:12
samueldmqhenrynash, could you please take a look at 'Adds inherited column to RoleAssignment PK' - https://review.openstack.org/#/c/142472/12:13
samueldmqhenrynash, looks like now it is just the gate jobs failing (this code is not the cause)12:13
openstackgerritDolph Mathews proposed openstack/python-keystoneclient: Specify that argparse is only required for Python < 2.7  https://review.openstack.org/17112412:14
*** lhcheng has joined #openstack-keystone12:18
henrynashsamueldmq: will do12:18
*** hogepodge has joined #openstack-keystone12:20
*** lhcheng has quit IRC12:22
samueldmqhenrynash, nice thanks12:22
henrynashsamueldmq: so have we tested the non-sqlite upgrade scenario?  Our unit test won't do this in Jenkins, right?12:23
*** gordc has joined #openstack-keystone12:28
*** erkules_ is now known as erkules12:28
*** erkules has quit IRC12:28
*** erkules has joined #openstack-keystone12:28
*** dims has joined #openstack-keystone12:34
*** iamjarvo has joined #openstack-keystone12:36
*** dims has quit IRC12:39
*** stevemar has joined #openstack-keystone12:39
*** ChanServ sets mode: +v stevemar12:39
*** iamjarvo has quit IRC12:41
*** topol has joined #openstack-keystone12:43
*** ChanServ sets mode: +v topol12:43
*** topol_ has joined #openstack-keystone12:44
*** ChanServ sets mode: +v topol_12:44
*** topol has quit IRC12:48
*** topol_ is now known as topol12:48
*** topol has quit IRC12:52
*** markvoelker has joined #openstack-keystone12:59
*** fifieldt has joined #openstack-keystone13:00
*** krykowski has joined #openstack-keystone13:01
samueldmqhenrynash, I think check-tempest-dsvm-full and check-tempest-dsvm-postgres-full run the tests against devstack with mysql and postgresql respectively13:03
*** markvoelker has quit IRC13:04
henrynashsamueldmq: ah, ok…..that’s possible13:04
*** bknudson has joined #openstack-keystone13:06
*** ChanServ sets mode: +v bknudson13:06
*** openstackgerrit has quit IRC13:07
stevemarmaybe we should fix the bug found here for kilo... https://review.openstack.org/#/c/171115/2/keystone/common/sql/migrate_repo/versions/066_fixup_service_name_value.py13:07
*** openstackgerrit has joined #openstack-keystone13:07
samueldmqstevemar, ping - just to confirm13:08
samueldmqstevemar, we run keystone tests against the devstack env in check-tempest-dsvm-full and check-tempest-dsvm-postgres-full13:08
samueldmqstevemar, thus, mysql and postgresql, respectively, right?13:08
samueldmqstevemar, for migrations, etc13:08
bretonI wouldn't be so sure about that13:09
stevemarsamueldmq, that's the idea13:09
bretonwe had some bugs in migrations on mysql and postgresql that were not caught by these checks13:09
bretonand I -1'd 'Adds inherited column to RoleAssignment PK' only after a manual check -- tempest tests were successful13:10
samueldmqhmm, henrynash's concern is about whether our migration code at https://review.openstack.org/#/c/142472 is being tested against mysql/postgresql13:11
*** dims has joined #openstack-keystone13:11
samueldmqyeah we have a new patchset there ... maybe I need to confirm this by myself, since we need this for today :/13:12
bretonI don't know. Even if it does, the coverage is not full.13:12
samueldmqany of you already have a postgres setup?13:12
bretonyes, I do13:12
samueldmqbreton, yeah I agree, we need to evolve in that front13:12
bretonsamueldmq: ping me when you upload a new patchset13:12
samueldmqbreton, could you please test that against your env :-)13:12
samueldmqbreton, it's already there13:12
bretonok. And it has -1 from tempest because of that devstack bug?13:13
samueldmqbreton, I think the failing tempest is jenkins that is kinda unstable13:13
samueldmqbreton, yeah, afaik13:13
*** Ephur_ has joined #openstack-keystone13:15
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/15742713:19
*** Ephur has quit IRC13:19
*** richm has joined #openstack-keystone13:20
bretonsamueldmq: http://paste.openstack.org/show/199424/13:21
*** henrynash has quit IRC13:22
samueldmqbreton, arrg, I am going to setup my own env and test this13:22
bretonsamueldmq: good luck with that :)13:22
samueldmqbreton, also, if you have time and want to post a patch, please feel free :p13:22
samueldmqwe need this for today afaik :p13:23
samueldmqgonna run!13:23
bretonI can't promise, but I'll try to.13:23
*** trey has quit IRC13:23
*** trey has joined #openstack-keystone13:25
samueldmqbreton, nice thanks13:25
*** ayoung has joined #openstack-keystone13:28
*** ChanServ sets mode: +v ayoung13:28
samueldmqbreton, tbh, I have no idea why that error is happening, I just instantiated the session object as we already do on other tests :/13:29
*** fhubik_afk has quit IRC13:31
*** ajayaa has quit IRC13:31
bretonsamueldmq: I think it is just an issue with tests. db_sync with postgres runs good, only test is failing13:33
*** zzzeek has joined #openstack-keystone13:34
samueldmqbreton, hmm maybe I need to re-instantiate the session after applying the migration13:35
samueldmqbreton, after self.upgrade(68) in my test13:35
*** dims has quit IRC13:36
*** markvoelker has joined #openstack-keystone13:37
*** dims has joined #openstack-keystone13:37
*** raildo|away is now known as raildo13:39
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Add domain_id checking in create_project  https://review.openstack.org/15994413:39
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/15742713:39
*** rushiagr is now known as rushiagr_away13:39
samueldmqbreton, yeah we need to13:40
samueldmqbreton, https://github.com/openstack/keystone/blob/master/keystone/tests/unit/test_sql_upgrade.py#L381-L38313:40
*** zzzeek has quit IRC13:40
*** ParsectiX has joined #openstack-keystone13:41
*** topol has joined #openstack-keystone13:43
*** ChanServ sets mode: +v topol13:44
*** ajayaa has joined #openstack-keystone13:48
*** zzzeek has joined #openstack-keystone13:49
openstackgerritKamil Rykowski proposed openstack/keystone-specs: Use oslo-versioned-objects to deal with upgrades  https://review.openstack.org/16719513:49
*** chlong has quit IRC13:51
openstackgerritSamuel de Medeiros Queiroz proposed openstack/keystone: Adds inherited column to RoleAssignment PK  https://review.openstack.org/14247213:52
samueldmqbreton, ^ I think everything will be ok now :-)13:53
samueldmqbreton, I tested against mysql, please test it against postgresql if you have time, thanks13:53
openstackgerritVictor Sergeyev proposed openstack/keystone: Handle NULL value for service.extra in migration 066  https://review.openstack.org/17120413:53
bretonsamueldmq: will test in 20 minutes13:54
samueldmqbreton, great! I gotta go afk for a bit, will be back soon13:57
*** ParsectiX has quit IRC14:00
*** samueldmq-mob has quit IRC14:01
openstackgerritMerged openstack/keystone: Skip SSL tests because some platforms do not enable SSLv3  https://review.openstack.org/17100114:05
*** boris-42 has joined #openstack-keystone14:07
*** sigmavirus24_awa is now known as sigmavirus2414:16
*** mattfarina has joined #openstack-keystone14:17
*** rushiagr_away is now known as rushiagr14:17
*** samueldmq_ has joined #openstack-keystone14:20
*** carlosmarin has joined #openstack-keystone14:21
*** davidckennedy has quit IRC14:27
*** amirosh has joined #openstack-keystone14:28
*** davidckennedy has joined #openstack-keystone14:31
*** amakarov_away is now known as amakarov14:32
amiroshHello, could somebody check https://review.openstack.org/#/c/156597/ it has two +2, just need workflow14:34
openstackgerritayoung proposed openstack/keystone-specs: Simplified template for backlog items.  https://review.openstack.org/17122614:36
ayoungamirosh, looking14:36
amiroshThanks, Adam!14:36
openstackgerritayoung proposed openstack/keystone: Improved policy setting in the 'v3 filter' tests  https://review.openstack.org/15659714:37
*** devlaps has quit IRC14:38
ayoungamirosh, done14:38
*** davidckennedy has quit IRC14:40
amiroshayoung, thanks!14:40
*** amirosh has quit IRC14:45
*** davidckennedy has joined #openstack-keystone14:47
*** edmondsw has joined #openstack-keystone14:47
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Change project name constraint  https://review.openstack.org/15837214:56
*** atiwari has joined #openstack-keystone14:56
viktorsayoung: hi! Can you please restore your approve on https://review.openstack.org/#/c/137639/15:00
viktorsit was lost during rebase15:00
*** bdossant has joined #openstack-keystone15:00
ayoungviktors, looking15:02
ayoungviktors, that was just a rebase, right?15:04
viktorsayoung: yes, rebase on master15:04
ayoungviktors, done15:04
viktorsayoung: thanks!15:04
ayoungviktors, thanks for keeping on it15:04
*** ajayaa has quit IRC15:05
bknudsonthis review fixes a bug and has had a +2 on it for a while: https://review.openstack.org/#/c/166934/15:11
morganfainbergFor the record: I hate "extras"15:12
*** ishant has quit IRC15:13
*** henrynash has joined #openstack-keystone15:20
*** ChanServ sets mode: +v henrynash15:20
morganfainbergbknudson: dolphm dstanek ayoung breton henrynash stevemar https://review.openstack.org/#/c/142472/ could use eyes. It's the last rc1 bug I'm really pushing for.15:22
henrynashmorganfainberg: looking15:23
bknudsonI'll take a look15:23
bknudsonhenrynash: is the bug valid?15:24
bknudsonoh, you already said in the bug that it is.15:24
stevemarit's valid, but mehhh15:24
bknudsonwhy have a primary key if it's every column.15:25
* bknudson wishes devstack worked today.15:26
henrynashbknudson: having to go back and read the bug…15:26
morganfainbergstevemar: sadly with HMT this is more important than "basic" ehhhhh old behavior15:27
morganfainbergAnd with the increased focus on domain ux15:27
stevemarmorganfainberg, yeah, i suppose15:27
morganfainbergstevemar: if HMT had not landed I'd punt this.15:27
*** krtaylor has quit IRC15:28
morganfainbergIt just is medium because you can live without it. It was originally k3 but *something something underwater review wise*15:28
henrynashbknudson: so yes, the bug is valid…we can debate the best way of solving it….it’s one of those things where there is no obvious PK (at least not one we would look up by…..other than the whole row, in which case we are just using the PK as a uniqueness constraint with index)15:29
morganfainbergthe catalog one, unfortunately, is being pushed due to scope/size.15:29
stevemarare we adding https://bugs.launchpad.net/keystone/+bug/141054315:29
openstackLaunchpad bug 1410543 in Keystone "Include service name in filtered catalog" [Medium,In progress] - Assigned to David Charles Kennedy (dkennedy-p)15:29
stevemaroh nvm15:29
morganfainbergstevemar: I would like that one. But I think it's grown too much. :(15:29
bknudsonI'd prefer the code was refactored to remove duplication first.15:29
bknudsonwhich I mentioned in an earlier review.15:30
stevemarwe should look at https://review.openstack.org/#/c/171204/ too15:30
ayounghenrynash, you going to +A that?15:37
henrynashayoung: two IBMers…so not good for one of us to +A15:37
ayounghenrynash, um...but the code was written by an external...however, I will look at it15:38
* ayoung ignoring all the sqlite as "don't care"15:39
ayoungum...does not make sense to me that inherited would be in the primary key.15:39
ayoungit is a boolean, right?15:39
henrynashayoung: it is a boolean15:40
*** devlaps has joined #openstack-keystone15:40
ayoungmorganfainberg, would it be really obnoxious of me to -2 it now?15:41
ayoungcuz...I don't think I want this15:41
henrynashayoung: I think we either need to continue with the current approach (namely since there is no natural PK, all the fields combined are the PK), or we change it more fundamentally to use a different schema altogether15:41
bknudsonmy comments on https://review.openstack.org/#/c/142472/ should be easy to fix.15:42
morganfainbergayoung: you don't want a role able to exist on a domain and be inherited below it for a user?15:42
ayounghenrynash, but does it make sense for one user to have both inherited and uninherited where everything else matches?15:42
ayoungI think this is going to mess things up15:42
ayounglet's defer to Liberty, I think this is going to break things15:42
morganfainbergayoung: the way this works now I can either be a domain admin or a inherited admin.15:42
henrynashayoung: really? why….I think NOT being able to have this messes this up15:43
morganfainbergayoung: I can't be both.15:43
ayounghenrynash, it means that I can have two role assignments for the same role.  How is the CLI going to know which to add/remove?  I mean, by default15:43
ayoungIt can't be both15:43
henrynashayoung: you can have that (many times over) today anyway15:43
morganfainbergayoung: that is a broken design. :(15:43
ayoungadmin on demo inherited and admin on demo uninherited15:44
henrynashayoung: e.g. group role + direct user role + inherited from a project in the hierarchy above me etc.15:44
ayounginherited implies uninherited15:44
ayoungdifferent target15:44
ayoungone is user, one is group15:44
ayoungthis is the explicit assignment15:44
morganfainbergayoung: domain admin, and I want to have admin on all projects. Today I have to create grants for all of them15:44
ayoungI'm going to -1 and we can review at the meeting today15:44
morganfainbergayoung: and it's broken by design only in sql15:45
ayoungI'll remove if overruled15:45
morganfainbergBecause the way sql enforces constraints.15:45
henrynashmorganfainberg: agreed, my bug when I wrote it15:45
morganfainbergHonestly I'd like to do the inverse. Inherited is not only subordinate, it is domain and subordinate15:46
morganfainbergBut I think I already lost that argument.15:46
ayoungmorganfainberg, wouldn't that just be inherited = true?15:46
henrynashthat was indeed a long discussion :-)15:46
morganfainbergayoung: it isn't how it works.15:46
morganfainbergayoung: inherited is only child projects.15:46
morganfainbergayoung: and you can never have the same role on the parent if it is inherited in sql due to constraints in the schema.15:47
ayoung (╯°□°)╯︵ ┻━┻)15:47
rodrigodsayoung, ^ to keep the same behavior as the domain inheritance15:47
henrynashayoung: it’s an artifact of (a design of) domains and projects…..I.e. if you want only the projects to get a role, then you must place it on the domain, and inherited means only the children get it15:47
* ayoung going to go get lunch15:47
morganfainbergThe lowest impact is PK change. But I still personally think inherited should grant on the domain as well.15:48
henrynash(note to self….go brush up on 3-fingered keyboard sequences)15:48
morganfainbergBut that becomes api incompat15:48
morganfainbergWhatever, we'll punt this to liberty15:49
*** konstantin-maxim has joined #openstack-keystone15:51
*** konstantin-maxim has left #openstack-keystone15:51
openstackgerritThierry Carrez proposed openstack/keystone: Open Liberty development  https://review.openstack.org/17126015:52
bknudsonmorganfainberg: speaking of liberty!15:53
stevemaryay liberte!15:54
*** gyee has joined #openstack-keystone15:54
*** ChanServ sets mode: +v gyee15:54
* morganfainberg might have been talking to ttx about this.15:54
*** _cjones_ has joined #openstack-keystone15:54
stevemarmorganfainberg, always up to something15:54
*** lhcheng has joined #openstack-keystone15:56
stevemary'all missed the fun last night with the pip failures15:59
*** spandhe has quit IRC16:01
*** davidckennedy has quit IRC16:03
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient-federation: Remove unused private class on tests  https://review.openstack.org/17126316:03
openstackgerritSteve McLellan proposed openstack/keystonemiddleware: Correct memcached parameters in TokenCache  https://review.openstack.org/17126416:05
*** krykowski has quit IRC16:06
*** bdossant has quit IRC16:06
*** ChanServ changes topic to "Do not approve any more changes for Keystone (server) without checking with morganfainberg. We are looking to cut RC today."16:13
*** afazekas has quit IRC16:16
ayoungmorganfainberg, and why is this not an enumerated value, or two different booleans on the same row?16:17
samueldmqayoung, ping - I am back, and saw your comment at 'Adds inherited column to RoleAssignment PK'16:17
viktorsdstanek: around?16:17
morganfainbergayoung, doesn't matter for today can discuss more once the liberty open thing merged.16:18
ayoungsamueldmq, yeah...does not make sense to have multiple rows for the same assignment.16:18
samueldmqbknudson, thanks for your review there too, I will be sending a new patch set (Adds inherited column to RoleAssignment PK)16:18
morganfainbergayoung, merges*16:18
samueldmqayoung, it is not the same assignment16:18
ayoungmorganfainberg, we going to bump it for Kilo?16:18
morganfainbergayoung, already pushed to L16:18
samueldmqayoung, from our design, inherited role assignments are only applied to the subtree/project in the domain16:18
samueldmqhenrynash, right ^16:18
morganfainbergsamueldmq, correct16:18
ayoungsamueldmq, it is a modifier on the relationship:  parent only, children only, both.16:19
morganfainbergayoung, this is SQL being bad at representing this relationship16:19
morganfainbergwith the schema design16:19
samueldmqayoung, yes, this is our design, I know we could have a better name than 'inherited' for something that only goes to children16:19
samueldmqayoung, but this is a design question ... and what I am doing there is to fix the implementation vs design16:20
samueldmqayoung, changing the way we call/represent this should be in a separate design discussion (in which I would be interested to be part of)16:20
ayoungsamueldmq, so, with the current design, if I wanted to add "parent" to an inherited, I would create a new role assignment.16:22
ayoungWhereas, what I am proposing would require an API change?16:22
samueldmqayoung, if I understand correct, you are proposing that 'inherited' represent parent + children, right?16:23
ayoungbecause our API either says inherited or says not inherited, and those are supposed to be mutually exclusive?16:23
ayoungsamueldmq, that was how I understood it, and it is a ding on me that I did not catch it during the design discussion16:23
samueldmqayoung, which honors the naming 'inherited' more correctly16:23
samueldmqayoung, yes this changes the api16:23
ayoungI'm trying to think now which will mess people up the least16:24
*** samueldmq_ has quit IRC16:24
samueldmqayoung, the api now says inherited -> only children, not inherited -> only the entity itself16:24
ayoungWe might just need this as is, if it is the only way to get it into Kilo.16:24
morganfainbergayoung, not landing in kilo16:24
samueldmqayoung, yes, and this is how it is defined on the api16:24
samueldmqmorganfainberg, no? that fix? oO16:25
ayoungmorganfainberg, oh, come on,  I needed 10 minutes to think about it.  Just due to my objection?16:25
morganfainbergsamueldmq, nope.16:25
* ayoung goes to look at the API16:25
morganfainbergayoung, more because your object raises a more salient point16:25
morganfainbergayoung, clients16:25
samueldmqmorganfainberg, why? we are fixing our api16:25
morganfainbergayoung, lets spend more time and not break clients16:25
ayoung morganfainberg lets talk at the meeting.  This might be a really broken impl as is16:25
morganfainbergayoung, we've had a really broken impl for a while16:25
samueldmqmorganfainberg, I already had a discussion with henrynash some days ago, and we talked the same we are doing now16:25
morganfainbergayoung, we can make this fix part of reseller and work on not breaking people16:26
samueldmqmorganfainberg, we could change the name, or anything else, but this is just to make the api vs code consistent16:26
samueldmqayoung, ++16:26
morganfainbergayoung, so prove the client(s) aren't impacted16:27
ayoungsamueldmq, I think it is going to break client to have two assignments that are identical except for this value16:27
samueldmqmorganfainberg, maybe discuss at the meeting (as suggested by adam) ? and then see what other cores think?16:27
morganfainbergayoung, and we can land it16:27
*** jistr has quit IRC16:27
ayoungmorganfainberg, might I propose a solution...and ugly one...is that we instead split the boolean for inherited, and make the current behavioer....nah too intrusive16:27
morganfainbergayoung, and that is worth deferring [we can make an idempotent sql migraiton backport if it doesn't break people]16:27
samueldmqwe are landing inherited role assignments support on the clients now in kilo as well16:27
morganfainbergwe can also RC2 it16:27
morganfainbergit's not landing in RC1.16:27
samueldmqpython clients I mean16:27
morganfainbergwe likely have an RC2 anyway16:28
morganfainbergso we can bundle this in if it doesn't break anything16:28
ayoungparent  should be one boolean,  inherited a second,  and then you could always do "both" by direct SQL until we fix the API16:28
samueldmqayoung, parent may confuse ppl when you have a domain inherited assignment16:29
ayoungsamueldmq, yeah, no calling it parent...16:29
ayoungbut a boolean that indicates that the assignment applies to the node and a second that indicates it the children16:29
samueldmqwell, the idea was to have a boolean to indicate whether it only goes to the children16:30
samueldmqif this boolean is False, it 's only to the parent16:30
samueldmqbut this boolean's name is 'inherited', which may be confusing16:31
ayoungsamueldmq, and now we have a third state: both16:31
ayoungsamueldmq, alternatively, make it an enumerated value16:31
samueldmqyeah, we need a trhoolean16:31
morganfainbergayoung, ++ enum would be the right approach here16:31
morganfainbergayoung, there is a bunch of extra logic needed to migrate the DB, change how we lookup/edit that role based upon add/delete/etc for the various models16:32
samueldmqhmm, I think henry has other ideas as well..16:32
morganfainbergof roles16:32
ayoungmorganfainberg, and we can approximate an enumerated value with a series of booleans....I was just wondering if that would be a simple enough approach to sneak through for K16:32
samueldmqI remember we talked about the possibility of inheriting to a single branch, etc ...16:32
morganfainberg*and* you're right the client is going to be somewhat lost16:32
samueldmqanyway we need to discuss how to evolve this, this would be at midcycle, but you didnt get time to16:32
ayoungmorganfainberg, it should be one role assignment, no question16:32
morganfainbergsamueldmq, we're aiming to have our typical midcycle at the summit this time ;)16:33
ayoungcan we migrate to an integer value and keep the rest of the logic the same for now?16:33
morganfainbergayoung, no reason to push a migration into K for that. but yes.16:33
samueldmqmorganfainberg, yeah and I heard samuel will be there :-)16:33
ayoungmorganfainberg, this and the unified delegation discussion should happen together16:34
morganfainbergayoung, sounds good.16:34
ayoungmorganfainberg, I think I want to take is_admin, put it in a basket, tie a rock to it, and drop it down a well.16:34
morganfainbergayoung, uhm. can we encase it's feet in cement instead?16:35
morganfainbergi don't trust rope not to rot and let it float back to the surface16:35
ayoungmorganfainberg, not willing to waste the money on the concrete16:35
samueldmqayoung, morganfainberg basically this wasn't a great issue before, since we only had domain inherited assignments16:35
morganfainbergi think this is worth the single bag of cement :P16:35
samueldmqand one would call the inherited role 'project_admin', for ex16:35
samueldmqbut now with hierarchical projects this became more interesting16:36
morganfainbergayoung, now, i'd not be willing to bury it under hoover dam16:36
morganfainbergayoung, that would be too much $16:36
ayoungWho is building a new stadium these days?16:36
morganfainbergayoung i also like dropping is_admin down in the marianas trench16:37
morganfainbergs/marianas trench/mariana trench16:37
ayoung"NO, is_admin, I expect you to DIE!"16:37
ayoungsamueldmq, so here is how it relates, and all ties back to policy16:37
samueldmqayoung, yeah, policy is one of the best things to get involved in L16:38
ayounglets start with a fresh install.  We use the ADMIN_TOKEN (or comparable mechanism TBD) to create a new user and a new god-like admin role16:38
ayounglet's call this role....ALL16:38
ayoungCuz ALL powers descend from this role assignment...if you have ALL, you are ALL Powerful...on whatever the scope is16:39
*** devlaps has quit IRC16:39
morganfainbergayoung, admin_token needs to die as well16:39
ayoungnow, we make this deity ALL on the Root domain16:39
ayoungmorganfainberg, yeah...I know16:39
morganfainbergayoung, i think the bag of cement can be used for more than one thing16:39
ayoungwe call it the root domain  because nothing NOTHING no single thing is going to be called admin16:40
amakarovmorganfainberg, king-size bag16:40
ayoungmorganfainberg, I grew up in a construction family.  I learned a very important lesson about that from my dad.16:40
ayoungYou encase people and things in concrete, not in cement16:40
ayoungcement is just one component of concrete.  He took this very seriously16:40
morganfainbergayoung, sure. ok16:40
samueldmqhaha lol16:41
ayoungmorganfainberg, trust me, if you ever meet my dad, you will understand.16:41
ayoungGetting ready for knee surgery, he got his weight Down to 24016:41
ayoungHe's like, two of me16:41
ayoungBut, more important, when it comes to building things, he knows how to do it right.16:42
*** spandhe has joined #openstack-keystone16:42
ayoungAnyways...now you know where some of my pedantry comes from16:42
ayoungback to the ALL thing16:42
morganfainbergayoung, why for you approve more changes?16:43
samueldmqmorganfainberg, so I put a topic on our today's meeting ? to decide whether we fix this or *stop* everything and lets then discuss at the summit ?16:44
ayoungmorganfainberg, cuz he also instilled in me a real drive to actually get projects completed16:44
ayoungan ee way16:44
morganfainbergannnd gate reset...16:45
ayoungso, we make assign this person the ALL role on the ROOT domain16:45
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Change domain_id FK in project table  https://review.openstack.org/16635416:45
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Bye Bye Domain Table  https://review.openstack.org/16185416:45
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376316:45
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Stop calling domain drivers  https://review.openstack.org/16593616:45
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Change project name constraint  https://review.openstack.org/15837216:45
ayoungso, we make assign this person the ALL role on the ROOT domain16:45
samueldmqayoung, k go ahead16:45
ayoungand then any role assignment comes from that person's role assignment...delegated16:45
morganfainbergayoung, please do not approve more changes until we open for liberty16:45
ayoungmorganfainberg, did I?16:45
morganfainbergyeah i think you caught another test one16:46
morganfainbergayoung or zuul was massively backlogged16:46
morganfainbergayoung, don't worry about it16:46
morganfainbergayoung, i'm just trying to make sure a couple things that were in flight land [indexes etc]16:46
samueldmqayoung, did we decide something for the 'inherited' thing? add a topic for today's meeting?16:47
ayoungmorganfainberg, understood, wasn't aware we were at (self censored metaphor involving Zuul)16:47
samueldmqayoung, I think we switched context without having an action point16:47
morganfainbergayoung, i could just approve the liberty opening patch but figure the rev. event index and the v2 grant notifications was worth holding for ;)16:48
samueldmqmorganfainberg, ha this is interesting: 'Open Liberty development'16:49
samueldmqmorganfainberg, didnt follow how it happens in the previous cycle, since I was not involved in keystone that much :-)16:50
samueldmqcan I +1 that ? :p16:50
morganfainbergsamueldmq, doesn't matter if you do or not16:50
samueldmqmorganfainberg, yeah I know16:50
morganfainbergsamueldmq, it's the formal opening of Liberty. if you want to feel free to ;)16:50
samueldmqmorganfainberg, yeah, L is going to be great, just want to get it on the right foot :p16:51
*** samueldmq_ has joined #openstack-keystone16:52
*** ajayaa has joined #openstack-keystone16:52
*** krtaylor has joined #openstack-keystone16:54
*** aix has quit IRC16:55
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient-federation: Add Saml2KeystoneUnscoped for K2K federation  https://review.openstack.org/16175117:05
rodrigodsstevemar, ^ a first version, it has the potential to change a lot depending on the reviewers opinions17:09
*** _cjones_ has quit IRC17:13
*** tqtran has joined #openstack-keystone17:17
*** _cjones_ has joined #openstack-keystone17:18
henrynashmorganfainberg: we’re gonna discuss the inherited PK patch at tonights meeting?17:18
henrynashmorganfainberg, ayoung, samueldmq: I added it to the agenda17:21
morganfainberghenrynash, it's on the agenda17:21
henrynashmorganfainberg: great, thx17:22
morganfainberghenrynash, i think. samueldmq said it was17:22
ayoungsamueldmq, sorry, I took a real world interrupt17:24
openstackgerritAlexander Makarov proposed openstack/keystone: Redundant events on group grant revocation  https://review.openstack.org/17130517:24
* morganfainberg tries to go get food before meeting.17:24
* samueldmq gets confused since it asked morganfainberg and ayoung if I would put a topic or not and didnt get response :p17:24
morganfainbergsamueldmq, put it as a topic17:25
morganfainbergsamueldmq, ;)17:25
morganfainbergsamueldmq, there. a clear answer17:25
ayoungsamueldmq, unified delegation is a topic for the summit.17:25
samueldmqmorganfainberg, yeah, I think17:25
ayoungI need to write it up.17:25
samueldmqmorganfainberg, I think henry did, thanks17:25
gyeerodrigods, stevemar, I am debating whether we should make the saml2 token expiration configuration as well. https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/idp.py#L4717:25
samueldmqayoung, k, talk in the meeting the general idea we want to carry to the summit17:26
ayounggyee, would it be on a per IDP basis?17:26
samueldmqayoung, and what we solve for now17:26
gyeeayoung, I would think so, but right now it's not being utilized17:26
rodrigodsgyee, ayoung currently it can't be by IdP17:26
gyeealso, it doesn't seem to have an effect with shibboleth regardless of its value17:26
samueldmqhenrynash, hello17:26
gyeeas shibboleth session overrides that value17:27
samueldmqhenrynash, are you adding the topic to the meeting?17:27
rodrigodsgyee, hmm17:27
gyeerodrigods, why not? it should be per IdP right17:27
rodrigodsgyee, isn't keystone the idp?17:28
gyeerodrigods, yes17:28
rodrigodsgyee, so we have the configuration for that specific keystone, right?17:28
rodrigodsgyee, https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/idp.py#L8717:28
openstackgerritAlexander Makarov proposed openstack/keystone: Group role revocation invalidates all user tokens  https://review.openstack.org/14185417:29
*** sigmavirus24 is now known as sigmavirus24_awa17:29
gyeerodrigods, nice!17:30
*** harlowja_away is now known as harlowja17:31
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Add domain_id checking in create_project  https://review.openstack.org/15994417:31
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/15742717:31
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376317:31
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Restrict inherited role assignments to subdomains  https://review.openstack.org/16418017:31
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Change project name constraint  https://review.openstack.org/15837217:31
gyeerodrigods, shibboleth doesn't seem to honor that value17:32
rodrigodsgyee, if we pass an expired assertion it still accepts?17:32
gyeerodrigods, shibboleth also seem to cut off at its own session expiration17:32
gyeemaybe there's a way to extend the session17:33
rodrigodsgyee, are you using the ECP assertion?17:34
* rodrigods wonders if we are losing this info in the ECP wrapping17:34
rodrigodsbefore considering shibboleth doesn't care about it17:34
gyeeyes, ECP wrapped17:34
gyeeECP shouldn't change it, its part of AuthnStatement in the ECP body17:36
rodrigodsgyee, does it contain something like " NotOnOrAfter="...""?17:37
gyeeso I set that value to don't expire in a month17:38
gyeebut shibboleth doesn't seem to take it17:38
rodrigodsgyee, strange... check this mail thread http://shibboleth.net/pipermail/users/2011-October/001332.html17:39
rodrigods>2. "NotBefore" and "NotOnOrAfter"17:39
rodrigods>Does Shibboleth SP verify "NotBefore" and "NotOnOrAfter" attributes if17:39
rodrigods>SAML assertion issued by IdP have the attributes?17:39
rodrigodsAnywhere the SP accepts an assertion as valid, it checks them.17:39
gyeeyes, it checks them17:40
gyeebut it don't honor a long expiration17:41
rodrigodsgyee, by don't honor, you mean you are passing an assertion generated some time ago (that still should be valid) and shibboleth is not accepting?17:42
gyeeright, since it hasn't expired yet17:43
rodrigodsgyee, now I get it, it should have a config telling the max age of an assertion17:44
morganfainbergLiberty open patch is gating17:44
morganfainbergwe're about 3h for the gate queue at the moment17:45
gyeeyeah Liberty!17:45
*** pnavarro has joined #openstack-keystone17:49
henrynashsamueldmq: yes…and done.17:49
samueldmqhenrynash, nice, was adding as well.. thanks :)17:50
samueldmqhenrynash, did you save the page? I can't see anything related on https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting17:50
henrynashsamueldmq: look under RC117:51
samueldmqhenrynash, yeah, I need coffee17:52
samueldmqhenrynash, thanks17:52
morganfainbergso do i17:52
morganfainbergbut 8min isn't enough17:52
morganfainbergto go get some and back for meeting17:52
samueldmqmorganfainberg, ahah .. is that far away from you :/17:52
morganfainberg3 min walk each way17:52
morganfainbergplus the line to get coffee17:52
morganfainbergoh eff it. we might start the meeting a minute or two late i neeeeeeeeeeeeeeeeed caffination17:53
samueldmqsomeone may start the meeting17:53
samueldmqmorganfainberg, go!17:53
stevemarnot yet :P17:54
*** ThoamsHsiao has joined #openstack-keystone17:56
stevemarrodrigods, that code is sooo much cleaner now17:57
*** Farhan has joined #openstack-keystone17:58
rodrigodsstevemar, ++17:58
* rodrigods wonders if we could receive the client as parameter and get the ecp_assertion in the plugin17:58
rodrigodsinside the plugin*17:58
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient-federation: Add Saml2KeystoneUnscoped for K2K federation  https://review.openstack.org/16175118:00
*** afazekas has joined #openstack-keystone18:00
rodrigodsremoved unused attributes in the test ^18:00
*** jamielennox|away is now known as jamielennox18:01
dolphmlhcheng: congrats!18:11
*** mattfarina has quit IRC18:13
*** mattfarina has joined #openstack-keystone18:16
*** sigmavirus24_awa is now known as sigmavirus2418:17
*** atiwari has quit IRC18:19
*** afazekas has quit IRC18:24
*** jdandrea has quit IRC18:25
rodrigodslhcheng needs voice status :)18:26
lhchengdolphm: thanks!18:26
*** dolphm sets mode: +v lhcheng18:28
*** dolphm sets mode: +v lbragstad18:28
*** lhcheng_ has joined #openstack-keystone18:32
openstackgerritMerged openstack/keystone: Add index to the revocation_event.revoked_at.  https://review.openstack.org/13763918:32
*** lhcheng has quit IRC18:34
*** lhcheng_ is now known as lhcheng18:34
*** mattfarina has quit IRC18:36
*** topol has quit IRC18:38
openstackgerritMerged openstack/keystone: Fix for notifications for v2 role grant/delete  https://review.openstack.org/16693418:38
*** topol has joined #openstack-keystone18:40
*** ChanServ sets mode: +v topol18:40
morganfainbergjamielennox, ping - when you have a bit of time let me know want to discuss some stuff with ya18:40
morganfainbergjamielennox, re: releases etc for KSC/KSM18:40
morganfainbergpost meeting18:40
openstackgerritLance Bragstad proposed openstack/keystone: Update man pages  https://review.openstack.org/17132718:48
openstackgerritSteve Martinelli proposed openstack/keystone: Add placeholders for reserved migrations  https://review.openstack.org/17132918:51
ekarlsodid keystone switch to alembic yet ?18:51
lbragstadekarlso: not yet18:53
*** gokrokve has joined #openstack-keystone18:58
samueldmqso ....19:01
samueldmqthe list_role_assignment refactoring was going to fix most of inherited assignment issues19:01
samueldmqbecause we have the inheritance logic duplicated19:01
samueldmqat a lot of places19:01
ayounghenrynash, I think a faster way to get to where you need is to make inherited either be yes or no, and that means a role assignment is always effective for the project it is  on19:01
morganfainbergit looks like we have lots of issues here19:01
ayoungjust that in might or might not be inherited19:01
ayoungI realize that is not what was decided way back when...sorry if I missed that discussion19:02
openstackgerritLance Bragstad proposed openstack/keystone: Update man pages for the Kilo release  https://review.openstack.org/17132719:02
ayoungbut anything is is just too surprising.  No one would expect it to work the way it is specified19:02
rodrigodswe just imitated the behavior for domains, it was the main reason19:02
henrynashayoung: not really if you are used to domains and projects…19:03
henrynashayoung: then you almost certainly don’t want the role active on the domain19:03
rodrigodsinitially we implemented following what you are proposing19:03
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Stop calling domain drivers  https://review.openstack.org/16593619:03
ayounghenrynash, with the existing setup, you can not add new projects to a domain, even if you want to make it so someone can only manage projects and not users19:03
ayoungits a workaround for our limited policy19:03
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Change domain_id FK in project table  https://review.openstack.org/16635419:03
ayoungand let's address it there ,not in the inheritance19:03
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Bye Bye Domain Table  https://review.openstack.org/16185419:03
rodrigodsayoung, addressing the global admin doesn't fix the issue19:04
rodrigodsfor hmt at least19:04
morganfainberglhcheng, what is your LP username?19:05
ayoungrodrigods, if you want to split the operations that someone can do, you do that via separate role assignments and policy based on it19:05
samueldmqmorganfainberg, I'd propose: i) lets have the fix (migration) for api consistency in rc2, and backportable19:05
ajayaamorganfainberg, Given that this discussion is going on like forever, I think it's best to discuss the NoSql backend.19:05
morganfainbergajayaa, sorry to have deferred that19:05
ajayaamorganfainberg, np.19:05
ayoungnosql for what?19:05
lhchengmorganfainberg: lin-hua-cheng19:05
ajayaaWe can have that discussion in the next meeting.19:06
morganfainbergajayaa, either next meeting or.. propose a spec19:06
ajayaaayoung, for Keystone.19:06
samueldmqmorganfainberg, ii) lets have the list_role_assignment refactoring early in L (and backport it as well, to fix remaining issues when applying inheritance, if any)19:06
ayoungajayaa, my answer is almost certainly going to be "does not make sense"19:06
ayoungajayaa, for what subset of Keystone?19:06
ajayaamorganfainberg, okay will do so.19:06
henrynashayoung: i’m all for a re-examination of the spec on this in L….right now the only thing we can do is fix the bug……i’m really struggling with understanding the pushback……..since I haven’t heard (except for we don’t like the spec) what’s wrong with fixing this19:06
ajayaaayoung, for all the backends. We have POC running already.19:06
henrynashayoung: sorry…..I gotta go off line for while….food is calling…will be back on later….19:07
ayounghenrynash, having two role assignments with the same name, one for the node, one for the children is confusing, and not something we should have designed19:07
ajayaaWe haven't included HMT in that given that it is still experimental.19:07
*** jistr has joined #openstack-keystone19:07
samueldmqayoung, yes I agree19:07
rodrigodsayoung, it happens for group and users19:07
samueldmqayoung, but we did19:07
ajayaaayoung, Why do you think it does not make sense?19:07
samueldmqayoung, so lets fix what we say we do19:07
samueldmqayoung, and change the api after, early in liberty19:07
rodrigodsits exactly the same design19:07
ayoungajayaa, actually, for most of Keystone, it should just be a matter of adding new dogpile implementations19:08
morganfainbergso sadly we don't specify in OS-Inherit docs how this is supposed to work19:08
ayoungajayaa, but for most things, you want transactional integrity19:09
morganfainbergor wait19:09
morganfainbergin one place we do19:09
ayoungajayaa, I really want the token backend to die19:09
morganfainbergThe inherited role is only applied to the owned projects (both existing and future projects), and will not appear as a role in a domain scoped token.19:09
ayoungand that is where the biggest pain is19:09
ayoungfor identity; meh19:09
samueldmqmorganfainberg, yeah19:09
ayoungI want identity to die too19:09
morganfainbergayoung, ok we can't make the stupid api choice non-stupid19:09
samueldmqmorganfainberg, and btw, needs to be updated to include hierarchical projects19:09
ayoungreally, all Keystone I care about is assignment and policy...well, now resources19:10
morganfainbergsamueldmq, show me how much this will break horizon and/or what the exposure to someone consuming roles via OSC (setting etc)19:10
rushiagrayoung: I'm curious. Why identity should die too? Are you intending that it can all be in-memory in some way?19:10
morganfainbergsamueldmq, just show me what it all looks like19:10
ayoungrushiagr, nope19:10
ayoungrushiagr, Federations19:10
morganfainbergand that we haven't broken anything in subtle ways19:10
morganfainbergsamueldmq, then we can propose against RC219:10
morganfainbergsamueldmq, sound ok?19:10
rushiagrayoung: ah19:10
morganfainbergayoung, ^19:10
ayoungrushiagr, so, yeah, add federation to the parts of keystone I care about19:10
samueldmqmorganfainberg, yeah19:10
morganfainbergsamueldmq, my hesitation is a sudden change in perceived behavior19:11
morganfainbergIf an API's behavior isn't adequately documented, then developers using the API have no choice but to go by what they observe the behavior to be.19:11
rushiagrayoung: okay19:11
*** topol has quit IRC19:11
morganfainbergwe don't say anything about if you can apply a role to both the domain and its children as inherited19:11
rodrigodsmorganfainberg, https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3-os-inherit-ext.rst#assign-role-to-user-on-projects-in-a-subtree it is19:11
ayoungmorganfainberg, we don't do "domain is a project" today, right?19:11
morganfainbergayoung, no we don't19:11
rushiagrayoung: but the question remains: why nosql makes no sense?19:12
samueldmqmorganfainberg, so someone who reads the docs and wants to have a role assignment on both parents + children will do:19:12
rodrigodsmorganfainberg, look at: Note: It is possible for a user to have both a regular (non-inherited) and an inherited role assignment on the same project.19:12
ayoungSo if a role is assigned on a domain, and that role assignment is marked as inherited, it is only on the projects under it?19:12
samueldmqi) role X + project Y + user K19:12
samueldmqii) role X + project Y + user K + inherited19:12
morganfainbergrodrigods, we have the worst designed api i've seen in a long time here19:12
rushiagr(sorry for not introducing myself, I'm Rushi, ajayaa's colleague)19:12
bknudsonif you do a revoke does it make sure that it's revoking the inherited one? http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-inherit-ext.html#revoke-an-inherited-project-role-from-user-on-domain19:12
morganfainbergrodrigods, because of silly work arounds to "admin is god"19:12
ayoungBut  if a role is assigned on a project, and that role assignment is marked as inherited, it should be on that project and all the projects under it"19:12
morganfainbergmordred, ^19:12
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Creation of subdomains and filtering by parent_id  https://review.openstack.org/16137819:13
samueldmqmorganfainberg, keystone gives 200 ok in both, so the user assume everything is working, but no19:13
morganfainbergmordred, you'll appreciate that.19:13
ayoungthat is how I read the API doc19:13
mordredmorganfainberg: what did I do?19:13
* mordred reads19:13
morganfainbergmordred, "rodrigods, we have the worst designed api i've seen in a long time here"19:13
morganfainbergmordred, (what i said)19:13
morganfainberg<+morganfainberg>rodrigods, because of silly work arounds to "admin is god"19:13
morganfainberg[04/07/2015 -:- 12:12:54]  <+morganfainberg>s/god/root19:13
mordredmorganfainberg: ++19:13
mordredmorganfainberg: although I still think glancev2 is winning19:14
morganfainbergmordred, oh glance v2 is all sorts of special19:14
morganfainbergmordred, almost as good as the eventlet + sslv3 rabbit hole i chased yesterday19:14
morganfainbergmordred, *almost*19:14
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Creation of subdomains and filtering by parent_id  https://review.openstack.org/16137819:14
samueldmqmorganfainberg, glance is where everyone can do almost everything when using the default policy ?19:15
samueldmqmorganfainberg, https://github.com/openstack/glance/blob/master/etc/policy.json19:15
ayoungI take object to the statement "we have the worst designed api"  as am sure our  API was not designed19:15
morganfainbergmordred, anyway, just thought you'd be happy to see the admission of "omg silly" API19:15
morganfainbergayoung, oh i'm sure OS-INHERIT was designed19:15
morganfainbergayoung, the whole of keystone's api, not so much19:15
bknudsonlooks like delete_grant handles it correctly, where create_grant treated both inherited and not inherited the same.19:15
ayoungmorganfainberg, how does the algebra of "designed API on top of morphed from ooze API" work?19:15
bknudsonidentity v4 will fix all this.19:16
morganfainbergayoung, like a naturally occurring fractal19:16
morganfainbergayoung, except with a lot less elegance19:16
morganfainbergayoung, more like designed on quicksand19:16
samueldmqbknudson, yeah I knew we need to revisit this api :/19:16
samueldmqbknudson, the main reason we have found a lot of bugs around inherited assignments is that we duplicate the logic19:17
samueldmqbknudson, and the code in a lot of places19:17
morganfainbergayoung, https://youtu.be/aNaXdLWt17A?t=2119:17
samueldmqbknudson, this https://review.openstack.org/#/c/155733 will be fixing that19:17
samueldmqbknudson, early in the next cycle I hope19:17
*** amakarov is now known as amakarov_away19:18
ayoungrushiagr, so...why nosql?19:19
bknudsonit's webscale19:20
ayoungbknudson with the deadpan19:20
rushiagrayoung: truly distributed, fault-tolerant, and linearly scalable, with DC-awareness19:21
morganfainbergsamueldmq, also fix the silent failure with the same fix19:21
*** samueldmq_ has quit IRC19:22
*** openstackgerrit has quit IRC19:22
*** openstackgerrit has joined #openstack-keystone19:22
samueldmqmorganfainberg, all in the same patch ?19:23
morganfainbergsamueldmq, it's part of the fix19:23
morganfainbergnot silently failing to apply a non-inherited role with an inherited role?19:23
samueldmqmorganfainberg, well it makes UX still worst,19:23
rushiagrayoung: maybe we'll write the spec, and let's discuss from there?19:23
morganfainbergthat sounds like the same bug... it has a schema change *and* silent failure19:23
samueldmqmorganfainberg, it's related19:23
morganfainbergstep back19:24
morganfainbergthe issue is we can't create the two types of assignments19:24
morganfainbergthat is the bug19:24
samueldmqmorganfainberg, yeah19:24
morganfainbergso, silently failing is part of this.19:24
morganfainbergyou don't know you can't create it19:24
samueldmqbeing silent on duplicates was making this still worst19:24
*** raildo has left #openstack-keystone19:24
bknudsona PUT operation should be 200 OK if the resource already exists.19:24
morganfainbergif the resource is 100% the same: it is 200 ok19:25
morganfainbergif the resource is not the same, (inherit) then it's not the same.19:25
samueldmqmorganfainberg, but just the migration itself fixes this19:25
bknudsonthat problem is fixed by expanding the primary key19:25
samueldmqmorganfainberg, no need to touch that fail silently if duplicate thing19:25
samueldmqbknudson, ++19:25
bknudsonyou could add some tests that show the problem and that it's fixed.19:25
morganfainbergso make sure we test it explicitly19:26
morganfainbergthat is fine to show that is the correct behavior19:26
samueldmqyes we have a good test case on that patch19:26
morganfainbergbut right now it's all silent / unknown / weird19:26
samueldmqi) try to add both and fail in the second ii) migrate iii) add the second19:26
*** raildo has joined #openstack-keystone19:26
morganfainbergso just make sure we are clear on expected behavior, we test expected behavior, and fix the problem19:27
stevemarpffft dolphm, trying to be reasonable19:27
samueldmqmorganfainberg, ok I will revisit the tests I wrote, to make sure we cover all we need19:27
ayoungrushiagr, CAP theorem19:27
samueldmqand apply bknudson's comments, and then send a new patchset19:28
morganfainbergsamueldmq, re: the barbican thing?19:28
morganfainbergstevemar ^ not samueldmq19:28
bknudsondoes barbican use the mailing list as its bug tracker?19:28
samueldmqmorganfainberg, second time today :p19:29
raildohenrynash, ping, Do you have some time to see this patch? https://review.openstack.org/#/c/158720/ since we already have completed the previous discussion19:29
rm_workbknudson: pretty sure we use launchpad as the barbican bug tracker :P19:29
* rm_work jumps in with no context19:29
rushiagrayoung: We'll write spec, and let's discuss all the pros and cons of nosql and effects to CAP theorem there..19:30
rushiagrayoung: sorry, it's late here, and I need to sleep..19:30
bknudsonrushiagr: implement a nosql-based identity provider and keystone can use it.19:31
morganfainbergbknudson: ++ especially if it talks SAML ;) or OIDC ;)19:31
*** harlowja is now known as harlowja_away19:31
ajayaabknudson, morganfainberg, We have a working Keystone with Cassandra already and it works nicely in our test setup.19:32
bknudsonajayaa: saml?19:32
morganfainbergajayaa, i assume as a directly connected/managed identity store19:33
morganfainbergvs. an IdP (like FreeIPA/Ipsilon/Active Directory) correct?19:33
ayoungWe had a Dogpile backend for Identity.  That still around?19:34
morganfainbergripped out when we dropped KVS19:35
ayoungso they reimplemented it19:35
*** ajayaa_ has joined #openstack-keystone19:37
*** ajayaa has quit IRC19:37
stevemari'm lost19:37
*** harlowja_away is now known as harlowja19:37
ajayaa_stevemar, Are you following the NoSql discussion?19:38
bknudsonstevemar: are you on fire?19:38
stevemarbknudson, nah, i survived that19:39
stevemarglad to know you're concerned <319:39
ajayaa_morganfainberg, yes. No federation.19:40
stevemarajayaa_, i am not following the nosql discussion. i was dropped in cause of federation19:40
ajayaa_sorry, I missed your Q as I got discussion.19:40
bknudsonajayaa_: how hard would it be to have it support SAML?19:40
stevemaroh, no federation, then i'm not interested19:40
* stevemar walks away for coffee19:40
ajayaa_bknudson, I don't know. I would have to read about SAML.19:41
ajayaa_What benefits do you get by using SAML? sorry I have not been following the federation stuff.19:42
ajayaa_going on in Keystone.19:42
gyeewhat's the issue with SAML?19:45
*** topol has joined #openstack-keystone19:45
*** ChanServ sets mode: +v topol19:45
ajayaa_I think we all have many questions and expectations in our mind when it comes to NoSql backend for Keystone. Let us(ajaya, rushiagr) write a spec and we can discuss it there.19:49
*** mattamizer has joined #openstack-keystone19:49
samueldmqdstanek, ping - you around ?19:49
samueldmqdstanek, what about something like http://paste.openstack.org/show/199776/ for migration tests19:49
samueldmqdstanek, it is just about the structuration and how we deal with tests for each migration19:50
samueldmqdstanek, in this ^approach we would have a class for each migration, inheriting from MigrationTest ...19:50
samueldmqdstanek, that's just an initial example to show the idea :)19:50
samueldmqdstanek, let me know what you think19:50
samueldmqbreton, bknudson ^ you may also be interested on this19:51
bknudsonsamueldmq: look at what nova does.19:51
bknudsonsamueldmq: there might be an abandoned review by christopher yeoh.19:51
samueldmqbknudson, going to look19:52
samueldmqbknudson, still looking .. but at a glance I can see they organize their tests in directories19:54
samueldmqbknudson, that's good :)19:54
*** jistr has quit IRC19:55
*** _cjones_ has quit IRC19:55
*** _cjones_ has joined #openstack-keystone19:55
bknudsonsamueldmq: https://review.openstack.org/#/c/23660/19:55
bknudsonwe don't need to do a snake walk anymore since there's no downgrades.19:56
bknudsonthe migration tests seem fine the way they are... we shouldn't have that many migrations anyways.19:57
samueldmqbknudson, yeah, the idea was interesting20:00
samueldmqbknudson, but yes, we don't need that walk anymore20:00
samueldmqbknudson, my idea was to have a better structure on migration tests ... since they are all in the same file20:01
samueldmqbknudson, but we don't have a *lot* of migrations .. it is not bad as it's today, but could be better :)20:02
*** topol has quit IRC20:05
*** samueldmq has quit IRC20:07
*** ayoung has quit IRC20:08
*** patrickeast has joined #openstack-keystone20:11
openstackgerritMerged openstack/keystone: Handle NULL value for service.extra in migration 066  https://review.openstack.org/17120420:11
*** ajayaa_ has quit IRC20:12
*** samueldmq_ has joined #openstack-keystone20:14
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/15742720:14
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Change domain_id FK in project table  https://review.openstack.org/16635420:14
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Bye Bye Domain Table  https://review.openstack.org/16185420:14
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Honor domain operations in project table  https://review.openstack.org/14376320:14
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Stop calling domain drivers  https://review.openstack.org/16593620:14
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Change project name constraint  https://review.openstack.org/15837220:14
*** samueldmq has joined #openstack-keystone20:15
*** tqtran_ has joined #openstack-keystone20:15
*** tqtran has quit IRC20:17
stevemarmorganfainberg, whats the deal with backporting to juno?20:18
stevemarjuno is closed out now right?20:18
openstackgerritMorgan Fainberg proposed openstack/keystone: DO NOT MERGE  https://review.openstack.org/17135520:19
stevemarbump: https://review.openstack.org/#/c/171329/20:20
morganfainbergstevemar, backports to Juno?20:22
morganfainbergstevemar, we can do those if the stable team accepts them20:22
stevemarmorganfainberg, yeah, someone in a bug report was asking about if it could be ported to juno20:22
morganfainbergdepends on the fix20:23
stevemarthis one: https://bugs.launchpad.net/keystone/+bug/140766120:23
openstackLaunchpad bug 1407661 in Keystone "keystone with LDAP identity complains about invalid input for trustor_user_id" [High,Fix committed] - Assigned to Steve Martinelli (stevemar)20:23
*** ayoung has joined #openstack-keystone20:24
*** ChanServ sets mode: +v ayoung20:24
morganfainberggit commit -S <key-id> -a20:25
morganfainbergsigned git commits20:25
openstackgerritLin Hua Cheng proposed openstack/keystone: Validate user exist when assigning roles in V2  https://review.openstack.org/9398220:26
stevemarwhats the benefit of it?20:27
morganfainbergstevemar, gpg signed commit20:28
morganfainbergif you know my key you know it was actually me20:28
morganfainbergi might start doing it for the lulz20:28
bknudsondoes gerrit support it?20:28
morganfainbergbknudson, gerrit supports it, but you'd lose it when a merge commit happens20:29
morganfainbergit's directly tied to the SHA20:29
* morganfainberg just realized it's pointless with gerrit20:29
bknudsondo you need to pass the option or can you set it in your config and forget it?20:30
morganfainbergbknudson, not sure if you can make it an option20:30
morganfainbergit's not shown in my man page, so it's new20:30
* morganfainberg hasn't played with it20:32
morganfainbergwe'll see how bad it explodes things as I use it more20:32
openstackgerritMerged openstack/keystone: Improved policy setting in the 'v3 filter' tests  https://review.openstack.org/15659720:32
morganfainbergi plan on making it my default mode of committing until i find a reason not to20:32
morganfainbergaka: breaks gerrit in weird ways20:33
morganfainbergwhich case... i wont do it anymore20:33
morganfainbergjamielennox, you around?20:33
bknudsongood, gives me more plaintext so I can calculate your key.20:33
morganfainbergbknudson, sure thing!20:33
morganfainbergbknudson, let me check how many bits my key is.20:34
*** alex_xu has quit IRC20:34
jamielennoxmorganfainberg: yea, but i've got a meeting for the next half hour - can i ping you then?20:36
*** pnavarro has quit IRC20:37
morganfainbergbknudson, ah 4096 only20:37
mtreinishmorganfainberg: well it doesn't break gerrit at least: https://review.openstack.org/#/c/170270/20:38
bknudsondoesn't the submitter need your ssh key to impersonate you?20:38
morganfainbergmtreinish, haha yeah20:38
morganfainbergbknudson, yes.20:38
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient-federation: Add Saml2KeystoneUnscoped for K2K federation  https://review.openstack.org/16175120:38
bknudsonI might be fooled if someone registered M0rgan Fainberg.20:38
bknudsonor 0penStack Bot20:38
mtreinishbknudson: you can generate a gerrit password too, I'm not sure whether you can use that for submissions or just the rest api20:39
bknudsonnext time one of my changes gets reverted I'll just claim it was an impersonator.20:39
gyeegit blame don't lie20:40
morganfainbergmy ssh key is like 8192 bits :(20:41
morganfainbergit sometimes takes a long time to login to slow embedded devices20:42
*** rushiagr is now known as rushiagr_away20:42
*** mattamizer has quit IRC20:45
*** topol has joined #openstack-keystone20:52
*** ChanServ sets mode: +v topol20:53
*** _cjones_ has quit IRC20:58
*** raildo is now known as raildo|away20:59
* morganfainberg wonders which is more painful21:03
morganfainberga gate reset or a rc221:04
jamielennoxmorganfainberg: alright, done - what's up?21:06
jamielennoxksc releases?21:06
morganfainbergjamielennox, was thinking i was going to add you to the release group for keystone21:06
jamielennoxmorganfainberg: that's dangerous21:06
morganfainbergso you can help with the ksc/ksm releases21:06
jamielennoxi could just release whenever i want21:06
morganfainbergyou could21:06
morganfainbergit's a question of if this makes sense to do.21:07
*** gokrokve has quit IRC21:07
morganfainberghell i could release daily right now :P21:07
jamielennoxi'm not too worried, we've increased the rate fairly significantly and i'd still coordinate it with you21:07
*** mattfarina has joined #openstack-keystone21:08
*** fifieldt has quit IRC21:08
morganfainbergit's a lot of mucking with LP and making sure things line up21:08
jamielennoxit would take some of the management stuff off your plate, the launchpad stuff21:08
morganfainbergi'm happy to let you jump in on these21:08
morganfainbergbut i understand if you'd rather not fight with LP21:08
morganfainbergi don't know if you're allowed to create milestones etc actually in LP21:09
morganfainbergshould probably check that first. sometimes LP just gets in the way21:09
jamielennoxmorganfainberg: i'll take it if you want to offload some stuff, but i don't see it would change the speed of releases or how we'd organize them21:09
morganfainbergjamielennox, yeah was more of an offload since our active hours are different21:10
morganfainberge.g. if we're waiting for a specific thing to merge or such21:10
jamielennoxmorganfainberg: ok, well see what permissions you can assign and we can at least coordinate and share it21:10
morganfainbergdo you have a "Create milestone" button21:11
morganfainbergabove: Latest bugs reported21:11
jamielennoxmorganfainberg: yep21:11
morganfainbergcreate 1.4.021:12
morganfainberg1.4.0 is the name21:12
morganfainbergthe rest can all be left blank21:12
morganfainbergif you look https://launchpad.net/python-keystoneclient/+milestone/1.4.021:15
morganfainbergyou should have a21:15
morganfainberg"create release" button21:15
jamielennoxLP is a horrible interface, i've done this for other projects and i always have to search for buttons21:15
morganfainbergok cool21:15
morganfainbergthen you can do the LP side21:15
morganfainbergthe gerrit side is me adding you to a group21:15
*** ayoung has quit IRC21:16
morganfainbergjamielennox, ok i'm going to add you to the release group21:16
*** _cjones_ has joined #openstack-keystone21:16
*** tobberydberg has quit IRC21:17
morganfainbergjamielennox, the rules i'd like to keep: no releases after Wednesday (US)21:17
morganfainbergjamielennox, and we coordinate when the releases are planned to go out21:17
morganfainbergjamielennox, so we have up to 2 days to catch regressions before the weekends :)21:17
jamielennoxmorganfainberg: sure, i don't see much changing other than shifting some of the workload21:17
morganfainbergjamielennox, yep21:17
morganfainbergjamielennox, you can now push signed tags to gerrit21:18
morganfainbergfor keystoneclient, middleware, and ksc-kerberos21:18
morganfainbergjamielennox, dolph has some scripts i use to assign bugs to the milestones etc.21:19
*** fifieldt has joined #openstack-keystone21:21
morganfainberglhcheng, you are signed into freenode/registered an account, right?21:21
*** ThoamsHsiao has quit IRC21:21
*** topol has quit IRC21:22
lhchengmorganfainberg:  I haven't registered21:22
lhchenglet me do that21:23
morganfainberglhcheng, please do21:23
morganfainbergso i can add you to the list of people who can change the topic of the channel as needed21:23
morganfainbergbeing core and all that21:24
*** chlong has joined #openstack-keystone21:25
*** alexsyip has joined #openstack-keystone21:27
*** ayoung has joined #openstack-keystone21:29
*** ChanServ sets mode: +v ayoung21:29
morganfainberglhcheng, make sure to identify w/ nickserv once you're registered21:31
morganfainberglhcheng, should make you +V in the channel like the rest of the core21:31
* lhcheng waiting for activation email21:32
lhchengmorganfainberg: cool, will do that21:32
lhchengmorganfainberg: I just need to run this command: " /msg NickServ REGISTER <pwd> <email>" right?21:33
lhchengokay, waiting for the email to arrive21:34
* morganfainberg doesn't remember email thing21:34
openstackgerritMerged openstack/keystone: Open Liberty development  https://review.openstack.org/17126021:34
bknudsonopen the floodgates!21:35
stevemarstarting with https://review.openstack.org/#/c/171329/ ?21:35
*** lhcheng has quit IRC21:36
*** lhcheng has joined #openstack-keystone21:36
*** lhcheng has quit IRC21:37
*** openstackgerrit has quit IRC21:37
*** lhcheng has joined #openstack-keystone21:37
*** openstackgerrit has joined #openstack-keystone21:37
bknudsonlhcheng and openstackgerrit might be the same.21:37
bknudsonstevemar: seems like we should resolve https://review.openstack.org/#/c/142472/ before adding the placeholders.21:38
stevemarbknudson, ah yeah21:41
*** ThoamsHsiao has joined #openstack-keystone21:41
*** ThoamsHsiao has quit IRC21:41
*** lhcheng has quit IRC21:41
*** lhcheng has joined #openstack-keystone21:42
*** ChanServ sets mode: +v lhcheng21:42
lhchengmorganfainberg: \o/21:43
lhchengbknudson: what do I need to do for openstackgerrit?21:43
*** ThoamsHsiao has joined #openstack-keystone21:44
*** ThoamsHsiao has quit IRC21:48
*** ThoamsHsiao has joined #openstack-keystone21:49
*** ChanServ changes topic to "Liberty Development Open | Look for RC-critical bugs | Review KeystoneClient and KeystoneMiddleware code | Review Liberty Keystone Specs"21:49
*** samueldmq has quit IRC21:49
*** samueldmq_ has quit IRC21:49
morganfainbergjamielennox, we should formalize VersionList as a thing in the catalog21:50
morganfainberglet the URL be the default for the deployer but let people lookup versionlist if it exists for a service21:50
morganfainbergthis should also become a x-project spec21:50
morganfainbergso we can get TC and a standard for what the versionlist needs to provide21:51
*** alexsyip has quit IRC21:51
*** stevemar has quit IRC21:58
*** carlosmarin has quit IRC21:58
*** carlosmarin has joined #openstack-keystone22:00
*** henrynash has quit IRC22:02
*** edmondsw has quit IRC22:02
*** mestery has quit IRC22:11
*** gyee has quit IRC22:11
openstackgerritMorgan Fainberg proposed openstack/keystone: Add placeholders for reserved migrations for Kilo backports.  https://review.openstack.org/17140822:12
*** mestery has joined #openstack-keystone22:12
morganfainbergbreton, not sure if you want to do the collapse again for liberty, but it should be safe to do so any time now. Or we can shift it around to other people :)22:13
morganfainbergbreton, figure i'd give ya first crack at it though22:13
*** gyee has joined #openstack-keystone22:14
*** ChanServ sets mode: +v gyee22:14
bretonmorganfainberg: I suggest not to do it now because new migrations might land22:14
bretonlets wait at least until release22:14
morganfainbergah until icehouse drops off you mean?22:15
morganfainbergEOL* that is22:15
bretonno, until K release22:15
morganfainbergRC was cut22:15
morganfainbergwe're clear22:15
morganfainbergliberty development is now open on master22:15
bretonso, no migrations in kilo under any circumstances?22:16
morganfainbergno we'd only be collapsing icehouse -> juno22:16
morganfainbergkilo might get new migrations22:16
morganfainbergbut that doesn't impact collapsing22:16
morganfainbergit's also why we do 2 cycle upgrades, then grenade doesn't explode us at the start of the cycle22:17
bretonok, will do22:17
morganfainbergplease register a BP and target to L122:18
morganfainbergi'll set priority to low22:18
*** alexsyip has joined #openstack-keystone22:19
*** gordc has quit IRC22:20
bretonmorganfainberg: https://blueprints.launchpad.net/keystone/+spec/liberty-sql-squash22:21
morganfainbergthere we go22:22
morganfainbergall approved and official and stuff22:22
*** samueldmq has joined #openstack-keystone22:26
*** dims_ has joined #openstack-keystone22:30
*** dims_ has quit IRC22:30
*** dims_ has joined #openstack-keystone22:31
*** bknudson has quit IRC22:33
*** dims has quit IRC22:34
*** sigmavirus24 is now known as sigmavirus24_awa22:36
bretonlhcheng: congrats22:36
lhchengbreton: thanks22:37
*** boris-42 has quit IRC22:38
jamielennoxmorganfainberg: i want to just push url to be version list22:41
jamielennoxit's just a difficult transition22:41
morganfainbergjamielennox, thats a hard sell22:41
morganfainbergjamielennox, maybe versionlist is the right way to pivot22:41
jamielennoxi was hoping by liberty release that everything would work with an unversioned url in the catalog and then we could get people to change as available22:41
jamielennoxi know we're not pushing PKI tokens as hard any more, but i still would prefer to be removing things from the catalog22:42
morganfainbergwe've learned the "change this" tends to be bad and resistant, but if we offer better alternative22:42
morganfainbergjamielennox, s/bad and resistant/subject to resistance/22:42
*** carlosmarin has quit IRC22:42
jamielennoxi have a lot of the discovery code in ksc that is designed to push that way, i'm not saying we can't just change it over but there is the start of this for a while now22:43
jamielennoxcinderclient is trying to transition to an unversioned url in the catalog now22:43
jamielennox(ironic as they still have a project id in the url in v2 api)22:43
morganfainbergagain just a thought22:43
morganfainbergwe might be able to help as a transitional22:43
jamielennoxthe problem i have from a client perspective is having to support the lowest common denominator22:44
jamielennoxso for v3 i have to assume v3.0 unless more information is provided22:44
jamielennoxit's why i haven't pushed the catalog in the unscoped token for a while - i still think that's the right thing to do22:44
jamielennoxbut from a client perspective i'm always going to have to support the old way as well, so i've been more interested in making what we have work than adding new things even where useful22:45
morganfainbergthat is kindof my thought behind a pivot like this... but... *shrug*22:46
morganfainbergwas a thought22:46
morganfainberglet url be the <versioned> until they can move off22:46
morganfainbergif VersionList is there22:46
morganfainbergthe user can query22:47
morganfainbergand we can have some commonality on what versionlist provides22:47
morganfainbergand then eventually once everyone is off versioned endpoints...22:47
jamielennoxmorganfainberg: v4 auth22:47
morganfainbergversionlist (optional) might go away22:47
morganfainbergi also want to move auth endpoints for keystone out of /v3/auth22:47
morganfainberg something like /auth/version22:48
jamielennoxi agree22:48
jamielennoxand all this OS-FEDERATION nonsense can get dropped into the /auth namespace22:48
morganfainbergor even just dropped all together22:48
morganfainbergwe *could* make it just /auth and have the version be part of the request22:49
jamielennoxright, drop the federation term completely22:49
jamielennoxjust be auth22:49
morganfainberg{auth_ver: 4.0}22:49
morganfainbergif we need to version things it opens doors for us to be compatible22:49
morganfainbergbut we don't have to make it a straight-up url22:49
jamielennoxyep, no default_project_ids, no automatic scoping, you always request unscoped and rescope etc22:49
jamielennoxfederation and other auth will be almost identical22:50
jamielennoxcompletely agree with all of it22:50
morganfainbergand we just add a shim in /v2.0/auth that redirects over to the new auth stuff same with /v3/auth22:50
morganfainberg -- /v2.0/tokens that is22:50
morganfainbergso we don't maintain 15 different ways to auth.22:51
jamielennoxmorganfainberg: hmm, ok - i wasn't going to worry so much about moving the old stuff22:51
morganfainbergjamielennox, don't "move" just collect information and shuffle over to the new controller22:51
morganfainbergkeep the code paths coherent22:51
*** jaosorior has quit IRC22:52
morganfainbergand not have many places to fix problems22:52
morganfainbergyou can still auth in the normal places in my mind, just internally we use the new mechanisms.22:53
morganfainberg[i'd love a 301 but i know that isn't realistic22:53
jamielennoxoh, sure, that's just wiring controllers to the backend22:54
jamielennoxspeaking of which22:54
jamielennoxi got https://review.openstack.org/#/c/65428 to pass22:54
jamielennox(look at that review number)22:54
morganfainbergholy crap22:54
*** mattfarina has quit IRC22:54
jamielennoxhowever the next step is really difficult as things stand22:55
jamielennoxfirstly, having extensions in paste rather than in pecan means we can't actually change any of the existing routing code22:56
*** bknudson has joined #openstack-keystone22:56
*** ChanServ sets mode: +v bknudson22:56
jamielennoxbecause any extension code exists outside of pecan control22:56
morganfainberglets just say that was an intentional part of the "get rid of extensions" bp22:56
morganfainbergwe can start moving things out of paste22:56
jamielennoxok, is there any practical progress on that? otherwise i might take a swing at it22:57
morganfainbergeverything is on by default22:57
morganfainbergno more "optionality"22:57
morganfainbergthats where we landed in Kilo22:57
morganfainbergi think the next step is restructuring so /contrib dies22:58
morganfainberghowever that happens22:58
jamielennoxyep, but anything actually started there?22:58
*** bknudson1 has joined #openstack-keystone22:58
morganfainbergand we need to find a way to merge the "extension" migrations into our main repo.22:58
jamielennoxsecond thing, dependency resolution - i understand we finally decided to kill that off as well22:58
morganfainbergjamielennox, yes. that needs to die22:58
jamielennoxmorganfainberg: oh - right, i did look at that and decided i had no idea how to merge migrations22:58
jamielennoxthat alembic could probably do it better and that just opened up a new can of worms22:59
morganfainbergjamielennox, the way you merge migrations is we need to do some work to make any migration idempotent.22:59
morganfainbergthe really evil thing22:59
morganfainbergmake a temp table, remove dbcontroll for the extension and migrate things back in22:59
morganfainbergbut i like the idempotent idea better23:00
*** bknudson has quit IRC23:00
morganfainbergstack in a ton of migrations that say "if we are at state X do Y, else, nothing"23:00
jamielennoxis if not table exists enough?23:00
morganfainbergbecause extensions have their own migration states.23:00
morganfainbergwe could collapse all of them down for liberty though23:00
morganfainbergi guess.23:00
jamielennoxmost extensions have only 1 or 2 migrations23:01
morganfainbergso lets think this through23:02
morganfainbergwe support 2 cycles of upgrades for schemas23:02
morganfainbergwe need smart migrations :(23:03
morganfainbergdamn it23:03
morganfainbergi don't think alembic solves it23:03
jamielennoxalembic solves for the fact that we can branch AFAIK23:04
gyeemorganfainberg, with per-domain backend store in sql, caching is not mandatory isn't it?23:04
jamielennoxso you don't have a sequential list, you could say that this change depends on this change wherever that may have happened23:04
morganfainbergit isn't23:04
morganfainbergbut woe to you who tries to use the domain-sql stuff w/o caching23:04
morganfainbergannnnnd potentially weird ½ loaded configs23:04
morganfainberggyee, that code is not production ready imo23:05
gyeecame across this error when trying to import the conf files into sql23:05
morganfainbergjamielennox, right there was a reason we couldn't move to alembic yet23:05
gyee2015-04-07 00:36:09.918 6563 TRACE keystone   File "/home/thsiao/work/openstack/keystone_new/keystone/.venv/local/lib/python2.7/site-packages/dogpile/cache/region.py", line 278, in _mutex23:05
gyee2015-04-07 00:36:09.918 6563 TRACE keystone     return self._lock_registry.get(key)23:05
gyee2015-04-07 00:36:09.918 6563 TRACE keystone AttributeError: 'CacheRegion' object has no attribute '_lock_registry'23:05
morganfainberggyee, file a bug, tag it as rc-potential23:05
jamielennoxmorganfainberg: i thought it was going to be solved by another project and we could just inherit their solution23:06
jamielennoxinstead they started maintaining sqlalchemy-migrate23:06
morganfainberggyee, i think anyone who uses domain-sql code is going to be realllllly unhappy in kilo23:06
morganfainbergjamielennox, no we had a specific reason alembic wasn't possible for us yet23:06
morganfainbergjamielennox, and it doesn't change that our migrations are going to have to be "smart"23:06
morganfainberggyee, it's a nice place to start but it has some very rough edges23:07
jamielennoxwell switching to alembic is a much different task which may or may not solve this extension issue anyway23:07
morganfainbergjamielennox, it wont23:07
morganfainbergjamielennox, but we *could* make all new migrations alembic23:07
gyeemorganfainberg, well, somebody needs to clear the minefield :D23:07
jamielennoxmorganfainberg: wasn't that attempted and failed?23:07
morganfainbergjamielennox, there was i think a specific oslo.db bug23:08
morganfainbergjamielennox, that needed addressing to make it all work23:08
morganfainbergbreton, cc^ re moving to alembic23:08
morganfainbergjamielennox, but iirc we should be golden this cycle23:08
jamielennoxok, well if it doesn't solve the extension issue then i'm not all that worried23:09
morganfainbergjamielennox and we still need "smart" migrations.23:09
jamielennoxmorganfainberg: ok, well - i'll try and move one or two of the easy ones and see what happens23:11
jamielennoxbecause we will need to change how policy is enforced very soon in the pecan model and it is very wrapped up together23:12
morganfainbergjamielennox, sounds good.23:12
morganfainbergjamielennox, and don't worry about the extension migrations23:13
morganfainbergjamielennox, that we can handle the same way we do today23:13
morganfainbergseparate concern/bit of debt to cleanup23:13
morganfainbergjamielennox, migrate them independent of the main sql migrate repo23:13
morganfainbergthats how we handle it today23:13
*** alexsyip has quit IRC23:13
jamielennoxthat would make it easier23:13
morganfainbergso you move things around, just don't worry about collapsing the sql schema migrations23:14
morganfainberginto the main repo23:14
jamielennoxi think it was dstanek looking at removing dependency resolution, do you know how far that got?23:14
jamielennox(or dstanek if here)23:14
morganfainbergthere are a couple reviews up23:15
morganfainbergthat need rebasing23:15
jamielennoxok, so there is progress there at least - i haven't been watching for a while23:16
jamielennoxmorganfainberg: oh - i have another one, i want to kill specifying /v2.0 and /v3 from paste, honestly if you changed those values even keystone would fail in certain places23:18
morganfainbergwell one of the big goals i see for liberty is a mode where V2 disappears.23:18
morganfainbergor can be disabled23:18
morganfainbergand everything still runs23:19
morganfainbergjamielennox, keep in mind moving to pecan, we have people with custom code that runs via paste, we need to clearly explain how to make sure that stuff still works23:19
jamielennoxsure, we wouldn't remove paste just move stuff23:20
*** raildo has joined #openstack-keystone23:20
jamielennoxso i guess that's a concern though about what i can change from common/wsgi and controllers23:21
morganfainbergjamielennox, but that means in paste we would really break things for people if their extension is only v2 pipeline23:21
morganfainbergwas my point23:21
jamielennoxmorganfainberg: yea, that's easy, even with our pipeline we would need to support that23:22
morganfainbergjamielennox, so the TL;DR lets not horribly break people :)23:22
*** ayoung has quit IRC23:22
morganfainberganything we move to pecan we need to just leave a stubby router thing that says "hey this is going away" etc23:22
morganfainbergthat goes into paste23:23
morganfainbergotherwise.. i think you're safe to make changes like not having separate v2/v3 etc23:23
jamielennoxmorganfainberg: is there a point in maintaining the concept of disabling things that were extensions?23:25
jamielennoxlike via config?23:25
morganfainbergwell. we need to have a way to do so. my thought is policy23:25
morganfainbergmake it so you can't ever pass the policy check for that whole set of APIs23:26
jamielennoxbut not like CONF.endpoint_policy.enabled23:26
morganfainbergbut this is something i'd like more views on23:26
morganfainberguh, not really.23:26
jamielennoxbecause trusts still has CONF.trusts.enabled23:26
morganfainbergwe could do that23:27
morganfainbergfor experimental stuff [with the understanding that the "enabled flag" is removed when it graduates to stable]23:27
morganfainbergthis is a convo we need more folks involved in23:27
morganfainbergi think mfisch would also be a good person to ask [as someone running an openstack cloud] and marekd23:28
gyeemorganfainberg, https://bugs.launchpad.net/keystone/+bug/144138623:40
openstackLaunchpad bug 1441386 in Keystone "keystone-manage domain_config_upload command yield "'CacheRegion' object has no attribute 'expiration_time'"" [Undecided,New]23:40
gyeeI'll do some troubleshooting, would love some help from henrynash though23:40
openstackgerritRodrigo Duarte proposed openstack/python-keystoneclient-federation: Add Saml2KeystoneUnscoped for K2K federation  https://review.openstack.org/16175123:45
jamielennoxrodrigods: that repo is largely abandoned23:46
bretonregarding alembic and migrations23:46
rodrigodsjamielennox, really? thought new federation plugins should be implemented there23:46
jamielennoxrodrigods: that was the plan, we decided that we wanted to be more specific than just -federation and that we'll do a -saml repo23:46
bretonthe feature will let use old migrations along with new ones23:47
morganfainbergbreton, the reason for not having it was a bug we were waiting for a release in oslo.db iirc23:47
morganfainbergbreton, and this cycle should be able to move to alembic, right?23:48
bretonmorganfainberg: yes, we were waiting for a release23:48
rodrigodsjamielennox, but that change can land in -federation and then go to -saml?23:48
bretonnow when L is open, I'll do it by summit I think23:48
jamielennoxrodrigods: sure, but we'll never release -federation23:49
*** alexsyip has joined #openstack-keystone23:49
rodrigodsjamielennox, ok, good to know. thanks for the info23:49
morganfainbergbreton feel free to -1 this then https://review.openstack.org/#/c/171408/ - or we can abandon this one once we start with alembic.23:49
jamielennoxrodrigods: also https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/auth/identity/v3/federated.py#L25 is the base class you'll want23:49
rodrigodsjamielennox, hmm... I'm also open to implement this plugin in ksc (without -*)...23:50
rodrigodsjamielennox, what do you suggest?23:50
jamielennoxrodrigods: it's generally a problem of dependencies23:50
bretonmorganfainberg: lets do the latter23:51
jamielennoxfor k2k it may be ok to put it in ksc23:51
morganfainbergbreton, sounds good23:51
rodrigodsjamielennox, cool, will reimplement in ksc23:51
jamielennoxrodrigods: there's no xml parsing to be done?23:52
rodrigodsjamielennox, no... we get the assertion from keystone server23:53
jamielennoxrodrigods: that's what i thought, yea, so in ksc probably makes sense - i don't know where yet but propose it and we'll figure it out23:53
rodrigodsjamielennox, nice23:54
*** boris-42 has joined #openstack-keystone23:54
