Friday, 2015-04-17

« Thursday, 2015-04-16 Index Saturday, 2015-04-18 »
*** dims__ has joined #openstack-keystone00:04
*** dims_ has joined #openstack-keystone00:05
*** leonchio_ has quit IRC00:08
*** dims__ has quit IRC00:09
*** bknudson has joined #openstack-keystone00:12
*** ChanServ sets mode: +v bknudson00:12
*** nkinder has joined #openstack-keystone00:14
*** sdake has joined #openstack-keystone00:20
*** sdake_ has quit IRC00:24
mtreinishmorganfainberg: I just confirmed that signed commits work fine with gerrit, even with merge commits00:47
mtreinishforgot to check that after I started defaulting to singing the commits00:47
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Add endpoint and service ids to fixtures  https://review.openstack.org/17466800:48
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Allow searching a catalog on service or endpoint id  https://review.openstack.org/17466900:48
openstackgerritJamie Lennox proposed openstack/python-keystoneclient: Remove service_type requirement from catalog searching  https://review.openstack.org/17467000:48
mtreinishmorganfainberg: it's kinda disappointing though the gpg signature doesn't show up in any of the web views. You've got checkout out the repo and use show-signature to even know it's there00:52
*** _cjones_ has quit IRC00:53
*** ozialien has joined #openstack-keystone01:03
morganfainbergmtreinish: lame01:04
*** nkinder has quit IRC01:05
openstackgerritDavid Stanek proposed openstack/keystone: Adds an initial functional test  https://review.openstack.org/15846601:09
*** ozialien has left #openstack-keystone01:12
*** gyee_ has quit IRC01:13
openstackgerritLin Hua Cheng proposed openstack/keystone: Expose domain_name in the context for policy.json  https://review.openstack.org/17463301:16
*** mattfarina has joined #openstack-keystone01:17
*** alexsyip has quit IRC01:18
*** lhcheng has quit IRC01:23
*** tqtran has quit IRC01:38
*** davechen has joined #openstack-keystone01:40
openstackgerritDave Chen proposed openstack/keystone: Remove assigned protocol before removing IdP  https://review.openstack.org/17369601:40
*** erkules has joined #openstack-keystone01:43
openstackgerritJamie Lennox proposed openstack/keystone: Move endpoint_policy migrations into keystone core  https://review.openstack.org/17191601:43
openstackgerritJamie Lennox proposed openstack/keystone: Move endpoint policy into keystone core  https://review.openstack.org/17144801:43
*** erkules_ has quit IRC01:46
openstackgerritDave Chen proposed openstack/keystone: Remove assigned protocol before removing IdP  https://review.openstack.org/17369601:46
*** harlowja is now known as harlowja_away01:47
*** nkinder has joined #openstack-keystone01:49
*** dims_ has quit IRC01:54
*** trey has quit IRC01:54
*** trey has joined #openstack-keystone01:59
*** lhcheng has joined #openstack-keystone02:11
*** ChanServ sets mode: +v lhcheng02:11
*** lhcheng has quit IRC02:16
davechendstanek, hi David, are you still around?02:22
cburgess@morganfainberg *ping*02:23
*** nkinder has quit IRC02:24
*** davechen has quit IRC02:56
*** davechen has joined #openstack-keystone02:57
*** nkinder has joined #openstack-keystone03:00
*** richm has quit IRC03:17
*** nkinder has quit IRC03:18
*** sdake_ has joined #openstack-keystone03:34
*** sdake has quit IRC03:38
*** leonchio_ has joined #openstack-keystone03:44
*** ishant has joined #openstack-keystone03:45
*** trey has quit IRC03:50
*** gyee has quit IRC03:52
*** lhcheng has joined #openstack-keystone03:52
*** ChanServ sets mode: +v lhcheng03:52
*** gyee_ has joined #openstack-keystone03:52
*** gyee_ has quit IRC03:54
*** _cjones_ has joined #openstack-keystone03:54
*** trey has joined #openstack-keystone03:58
*** _cjones_ has quit IRC03:59
*** leonchio_ has quit IRC04:04
*** nkinder has joined #openstack-keystone04:32
openstackgerritLin Hua Cheng proposed openstack/keystone: Expose domain_name in the context for policy.json  https://review.openstack.org/17463304:49
*** ajayaa has joined #openstack-keystone05:06
*** ajayaa has quit IRC05:14
*** openstackgerrit has quit IRC05:21
*** openstackgerrit has joined #openstack-keystone05:21
*** stevemar has joined #openstack-keystone05:21
*** ChanServ sets mode: +v stevemar05:21
morganfainbergcburgess: pong05:23
morganfainbergcburgess: yes delayed but in Sunnyvale this week.05:24
*** stevemar has quit IRC05:32
*** stevemar has joined #openstack-keystone05:33
*** ChanServ sets mode: +v stevemar05:33
openstackgerritDave Chen proposed openstack/keystone: Remove assigned protocol before removing IdP  https://review.openstack.org/17369605:36
*** Ephur has quit IRC05:37
*** rushiagr_away is now known as rushiagr05:38
*** kiran-r has joined #openstack-keystone05:44
*** ajayaa has joined #openstack-keystone05:49
*** lhcheng has quit IRC05:56
*** rm_work is now known as rm_work|away06:03
openstackgerritOpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex  https://review.openstack.org/17262406:06
*** stevemar has quit IRC06:12
bigjoolsmorganfainberg: hi, cburgess was going to introduce you to me as I had a few questions about keystone. I'm all good for now, though.06:16
*** ajayaa has quit IRC06:19
bretonmorning, keystoneers06:40
*** pnavarro has joined #openstack-keystone06:55
davechenbreton: morning, nice to see you are up. :)06:55
*** lhcheng has joined #openstack-keystone06:56
*** ChanServ sets mode: +v lhcheng06:56
davechenmorganfainberg: Hi morgan,06:57
davechenmorganfainberg: I saw this spec (https://blueprints.launchpad.net/keystone/+spec/ondelete-cascade) is accepted by you? I saw the "Series goal"is properly defined. :)06:58
davechenmorganfainberg: If spec is needed, pls kindly let me know, I will provide a spec for review, thanks!07:00
morganfainbergWill look tomorrow.07:01
*** lhcheng has quit IRC07:02
morganfainbergdavechen: ^^07:02
*** zz_avozza is now known as avozza07:04
*** sdake has joined #openstack-keystone07:06
davechenmorganfainberg: thanks, not such urgent. Just saw steve's comment on the patch, so check the status of that BP and found someone has help to define some scope on that BP already.07:07
*** jsheeren has joined #openstack-keystone07:08
*** jaosorior has joined #openstack-keystone07:09
*** sdake_ has quit IRC07:09
*** krykowski has joined #openstack-keystone07:16
*** clayton has quit IRC07:17
*** dvorak has joined #openstack-keystone07:18
*** svasheka has quit IRC07:21
*** viktors has quit IRC07:28
*** chlong has quit IRC07:33
*** dims__ has joined #openstack-keystone07:33
*** dims__ has quit IRC07:38
*** davechen1 has joined #openstack-keystone07:44
*** davechen has quit IRC07:44
*** alex_xu has quit IRC07:46
*** alex_xu has joined #openstack-keystone07:48
*** davechen has joined #openstack-keystone07:49
*** jistr has joined #openstack-keystone07:50
*** henrynash has joined #openstack-keystone07:51
*** ChanServ sets mode: +v henrynash07:51
*** davechen1 has quit IRC07:51
*** erkules has quit IRC07:53
*** erkules has joined #openstack-keystone07:53
*** rushiagr is now known as rushiagr_away08:04
*** ajayaa has joined #openstack-keystone08:15
*** turul has joined #openstack-keystone08:18
*** sdake has quit IRC08:28
*** turul is now known as afazekas08:30
*** c0m0 has joined #openstack-keystone08:35
*** pcaruana has joined #openstack-keystone08:50
openstackgerritDavid Charles Kennedy proposed openstack/keystonemiddleware: Add Endpoint Enforcement to Keystonemiddleware  https://review.openstack.org/15329608:57
*** ajayaa has quit IRC09:03
*** rushiagr_away is now known as rushiagr09:10
*** ihrachyshka has joined #openstack-keystone09:16
*** henrynash has quit IRC09:18
*** fhubik has joined #openstack-keystone09:19
openstackgerritDavid Charles Kennedy proposed openstack/keystonemiddleware: Add Endpoint Enforcement to Keystonemiddleware  https://review.openstack.org/15329609:21
*** davidckennedy has joined #openstack-keystone09:26
*** davidckennedy has quit IRC09:26
*** davidckennedy has joined #openstack-keystone09:27
*** Nikkau has joined #openstack-keystone09:27
*** avozza is now known as zz_avozza09:39
*** lhcheng has joined #openstack-keystone09:42
*** ChanServ sets mode: +v lhcheng09:42
*** aix has joined #openstack-keystone09:45
*** davechen has left #openstack-keystone09:46
*** jamielennox is now known as jamielennox|away09:49
*** zz_avozza is now known as avozza10:07
openstackgerritDavid Charles Kennedy proposed openstack/keystone-specs: Updated endpoint enforcement spec  https://review.openstack.org/17479910:26
*** krykowski_ has joined #openstack-keystone10:31
*** krykowski has quit IRC10:35
openstackgerritDavid Charles Kennedy proposed openstack/keystone-specs: Updated endpoint enforcement spec  https://review.openstack.org/17479910:36
samueldmqhi, morning10:49
*** dims__ has joined #openstack-keystone11:02
*** aix has quit IRC11:05
*** krykowski_ has quit IRC11:09
*** krykowski has joined #openstack-keystone11:09
bretonmorning11:10
*** ishant has quit IRC11:22
dstanekbreton: good morning11:24
*** amakarov_away is now known as amakarov11:33
*** lhcheng has quit IRC11:37
*** KanagarajM has joined #openstack-keystone11:45
KanagarajMhttp://developer.openstack.org/api-ref-identity-v3.html does not have Region API deatils11:45
amakarovdstanek, good day! Can you please look at https://review.openstack.org/#/c/173424/ again? I've tried to explain the situation a bit11:45
KanagarajMcould someone kindly let me know if the Region is not planned to support in public11:46
dstanekamakarov: i think for each of the three points you should say why they are not working or bad; to me it just reads like facts and not something that needs to be fixed11:50
dstanekKanagarajM: maybe that's an oversight. i don't think there are plans to remove that from the catalog.11:52
*** krykowski has quit IRC11:52
amakarovdstanek, I can't actually file a bug as it is none discovered :) May it be a link to algorithms comparing benchmark?11:53
KanagarajMdstanek: ok. i will file a bug on api-sites for the same11:53
KanagarajMdstanek: because api docs are not available, its very difficult to consume them11:54
dstanekamakarov: so what problem does that spec solve?11:55
amakarovdstanek, it improves tree operations performance11:56
amakarovsimplifies11:56
dstanekamakarov: you should add those two things to the spec then11:56
amakarovdstanek, got it11:57
dstanekamakarov: it currently reads as 'to do X we do Y, but nothing says why Y is bad11:57
amakarovdstanek, so it is not enough to state that iterating the tree is not the best solution, is it?11:58
*** krykowski has joined #openstack-keystone12:00
dstanekamakarov: where do you say that? you just say 'is not enough' and don't clarify why recursion is bad12:02
dstanekamakarov: i don't think you need algorithm times, but i was hoping to see more12:02
*** aix has joined #openstack-keystone12:03
amakarovdstanek, I see you point, writing down more detailed description12:03
dstanekamakarov: for instance, on a given size hierarchy that would require some number of DB lookups, whereas your solution requires 112:05
dstanekamakarov: that would help us better judge the added complexity again the potential gain12:05
amakarovdstanek, aha, so we need some kind of user-story with measurable profit?12:06
dstanekamakarov: something like that. right now it doesn't seem to me that adding this complexity would create much value in other areas.12:07
amakarovdstanek, I think it can help to make revocation events faster - where can I explain it in this spec? Or I need another one?12:09
bretonfolks, is there any blog post or explanation why we needed admin and public instances of keystone? Why can't we have only one instance?12:10
dstanekbreton: i don't think so, but my understanding is that restriction is melting away12:10
amakarovbreton, we don't like to expose user-list to public for example12:10
dstanekbreton: i believe it was for having certain privileged operations that could be more easily protected if they weren't exposed12:11
dstanekbreton: not sure how that panned out in practice12:11
dstanekbreton: i think the trend is to make that policy driven to remove the need for multiple ports12:12
dstanekamakarov: if it's related i would add that to the spec - you should use the spec to convince -core that we need this change12:13
bretondstanek: is this difference supported by clients? For example, ksc authenticates against public endpoint and then requests admin endpoint on user-list12:14
*** bknudson has quit IRC12:15
bretonthere is https://bugs.launchpad.net/keystone/+bug/1362630 but I am not sure what is its status12:15
openstackLaunchpad bug 1362630 in Keystone "keystone catalog command line fails with "'NoneType' object has no attribute 'has_service_catalog'"" [Undecided,Invalid] - Assigned to David J Hu (david-j-hu)12:15
dstanekbreton: i just change the os-endpoint12:21
*** KanagarajM has quit IRC12:22
*** dvorak is now known as clayton12:25
openstackgerritMerged openstack/oslo.policy: Uncap library requirements for liberty  https://review.openstack.org/17451512:31
*** bknudson has joined #openstack-keystone12:36
*** ChanServ sets mode: +v bknudson12:36
openstackgerritAlexander Makarov proposed openstack/keystone-specs: Materialized path for project hierarchy  https://review.openstack.org/17342412:39
amakarovdstanek, ^^12:39
*** gordc has joined #openstack-keystone12:44
*** fhubik is now known as fhubik_afk12:44
*** fhubik_afk is now known as fhubik12:48
*** c0m0 has quit IRC13:07
*** richm has joined #openstack-keystone13:09
*** jdennis has joined #openstack-keystone13:20
*** Ephur has joined #openstack-keystone13:21
*** rushiagr is now known as rushiagr_away13:23
*** fhubik has quit IRC13:33
*** fhubik has joined #openstack-keystone13:34
openstackgerritVictor Sergeyev proposed openstack/keystone: Fix mysql_engine and FK in *_token tables  https://review.openstack.org/17487113:34
*** rushil has joined #openstack-keystone13:35
*** fhubik has quit IRC13:40
*** sigmavirus24_awa is now known as sigmavirus2413:45
*** mattfarina has joined #openstack-keystone13:45
*** topol has joined #openstack-keystone13:46
*** ChanServ sets mode: +v topol13:46
*** dnalezyt has joined #openstack-keystone13:52
dstanekanyone have thoughts on https://review.openstack.org/#/c/158466/ ? it's blocking a bunch of other stuff13:56
kiran-rHello keystoners!!!14:02
bretonkiran-r: hello14:02
kiran-rI need an immediate help.14:02
kiran-rI accidentally deleted the only admin14:02
kiran-rHow do I create one??14:02
kiran-rPlease help me!14:02
kiran-rbreton: Hello!14:02
kiran-rAny solutions.??14:03
kiran-rI used os-purge cleanup-project on admin. :(14:04
*** rushil has quit IRC14:05
bretondstanek: -1'd ;)14:06
bretonkiran-r: create a user using admin_token14:07
dstanekkiran-r: yes, what breton said. you probably have to enable that again in your config.14:07
*** rushil has joined #openstack-keystone14:07
dstanekbreton: ouch. thanks. copy-paste issue14:07
kiran-rCan you please elaborate?14:07
bretonkiran-r: http://docs.openstack.org/havana/install-guide/install/apt/content/keystone-users.html14:08
*** rushiagr_away is now known as rushiagr14:08
dstanekbreton: that's what i get for trying to sneak in a few more tests14:08
bretonkiran-r: http://docs.openstack.org/juno/install-guide/install/apt/content/keystone-users.html14:08
bretonkiran-r: the latter link is for juno, the former is for old havana14:09
openstackgerritDavid Stanek proposed openstack/keystone: Adds an initial functional test  https://review.openstack.org/15846614:09
*** sdake has joined #openstack-keystone14:12
kiran-rbreton: Thanks alot14:17
kiran-rbreton: :)14:17
kiran-rdstanek: Thanks to you too! :)14:18
kiran-rYou both saved my day.14:18
kiran-r=D14:18
dstanekkiran-r: did you get it fixed?14:18
kiran-rbreton: I did.14:18
dstanekgreat!14:19
*** ayoung has quit IRC14:20
kiran-rbreton: I was not aware that we can bypass authentication using service token.14:23
kiran-r:)14:23
*** Nikkau has quit IRC14:28
*** Ephur has quit IRC14:29
dstanekkiran-r: that's exactly the reason why it should be turned off after the initial keystone configuration14:29
kiran-rdstanek: How to turn it off?14:32
*** dims__ has quit IRC14:33
*** carlosmarin has joined #openstack-keystone14:36
*** stevemar has joined #openstack-keystone14:37
*** ChanServ sets mode: +v stevemar14:37
*** krykowski has quit IRC14:38
dstanekkiran-r: http://docs.openstack.org/developer/keystone/configuringservices.html#admin-token14:40
kiran-rdstanek: Thanks!14:46
kiran-rWhat is the best way to delete resources in bulk14:46
kiran-rdstanek: What is the best way to clear resources?14:47
*** sdake_ has joined #openstack-keystone14:47
davidckennedydstanek the initial patch set for functional testing (referred to above) is seperated from the patch set specifying a tox env.  Wouldn't they be better together?  Is the former going to be exercised without the latter?14:48
*** sdake has quit IRC14:50
*** avozza is now known as zz_avozza14:54
*** afaranha_ has joined #openstack-keystone14:57
*** markvoelker has joined #openstack-keystone15:00
*** markvoelker has quit IRC15:00
*** markvoelker has joined #openstack-keystone15:00
openstackgerritMerged openstack/python-keystoneclient: Make process_header private  https://review.openstack.org/17317115:01
*** dims__ has joined #openstack-keystone15:04
*** davidckennedy has quit IRC15:06
*** zzzeek has joined #openstack-keystone15:08
*** jistr is now known as jistr|mtg15:16
*** rm_work|away is now known as rm_work15:18
*** dims__ has quit IRC15:22
*** zz_avozza is now known as avozza15:34
*** thedodd has joined #openstack-keystone15:39
*** joesavak has joined #openstack-keystone15:43
*** jistr|mtg is now known as jistr15:44
*** mtecer has joined #openstack-keystone15:49
*** weechat has joined #openstack-keystone15:49
*** weechat is now known as davidckennedy15:49
mtecerHi guys, is openstackclient now fully support keystone API v3 in Juno ?15:50
openstackgerritMerged openstack/pycadf: Uncap library requirements for liberty  https://review.openstack.org/17452515:50
*** jsavak has joined #openstack-keystone15:55
*** browne has joined #openstack-keystone15:55
*** mtecer has quit IRC15:58
*** joesavak has quit IRC15:59
*** gyee has joined #openstack-keystone15:59
*** ChanServ sets mode: +v gyee15:59
*** r-daneel has joined #openstack-keystone16:00
*** tqtran has joined #openstack-keystone16:06
*** tqtran is now known as tqtran_afk16:08
* kiran-r afk16:09
*** kiran-r has quit IRC16:09
*** pcaruana has quit IRC16:10
*** _cjones_ has joined #openstack-keystone16:11
openstackgerritDavid Charles Kennedy proposed openstack/keystone: Move endpoint catalog filtering to default driver  https://review.openstack.org/16767516:20
*** dims__ has joined #openstack-keystone16:24
davidckennedylbragstad thanks for the review.  I've addressed the issues and put a new set up.16:26
*** sdake has joined #openstack-keystone16:35
*** sdake_ has quit IRC16:39
*** ayoung has joined #openstack-keystone16:41
*** ChanServ sets mode: +v ayoung16:41
openstackgerritMerged openstack/python-keystoneclient-kerberos: Uncap library requirements for liberty  https://review.openstack.org/17453616:42
*** Ephur has joined #openstack-keystone16:44
*** jistr has quit IRC16:48
*** dims__ is now known as dimsum__16:50
*** lhcheng has joined #openstack-keystone16:51
*** ChanServ sets mode: +v lhcheng16:51
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Add is_domain field in Project Table  https://review.openstack.org/15742716:55
openstackgerritRaildo Mascena de Sousa Filho proposed openstack/keystone: Change project name constraint  https://review.openstack.org/15837216:56
samueldmqhi, how do the calls starting with '/v3/projects' get connected with the right method in the resource controller ?16:56
samueldmqI was looking at https://github.com/openstack/keystone/blob/master/keystone/resource/routers.py#L91-L9416:56
samueldmqand realized that it does not connect GET/HEAD/PUT/etc operations explicitly16:56
*** ihrachyshka has quit IRC17:00
dstaneksamueldmq: follow the code a little deeper...that code adds a Router instance for project - https://github.com/openstack/keystone/blob/master/keystone/common/router.py17:01
samueldmqdstanek, great! thanks17:02
*** markvoelker has quit IRC17:03
samueldmqdstanek, yeah, it instantiates Router, and I was looking at wsgi.RoutersBase :/17:03
samueldmqdstanek, thx17:03
rodrigodsgyee, replied in https://review.openstack.org/#/c/148730/17:08
*** davidckennedy has quit IRC17:08
*** lhcheng_ has joined #openstack-keystone17:11
*** lhcheng has quit IRC17:13
gyeerodrigods, yes, we'll need to change that behavior, updating the parent should be allowed regardless of child status17:16
gyeethat's consistent with ownership17:16
*** harlowja_away is now known as harlowja17:17
openstackgerritEric Brown proposed openstack/keystone: Move httpd under keystone root folder  https://review.openstack.org/17224517:21
rodrigodsgyee, yes, but we need the rule for this action17:22
rodrigodsan extra rule17:22
gyeerodrigods, how are we checking inherited project role assignments today? same deal right?17:23
rodrigodsgyee, but the user triggering the action can have a role that is not inherited17:24
gyeeactually, if we store the materialized path, checking for permission should be much easier17:24
gyeesay we have A -> B -> C -> D, and you have are the owner of B17:25
gyeewhen you are trying to access D, we just need to make sure that's a partial match of A -> B17:26
rodrigodsgyee, but how we do this? we call the policy enforcer?17:26
gyeeI thought we discussed this partial match advantage at the beginning of the hierarchical multitenancy initiative17:27
rodrigodsif we have A -> B -> C -> D17:28
rodrigodsand user X has admin role in A (not inherited)17:28
rodrigodswe have two options: check if X has role assignment in B, C and D17:28
rodrigodsor have a policy rule that gives "subtree power"17:29
rodrigodsand we can not just check if X has role assignment17:29
gyee++ for subtree power17:30
gyeeI think we'll need to enhance oslo policy to allow partial match17:30
gyeesubtree power is really about ownership17:30
rodrigodsgyee, so we need an API call to represent this subtree power rule17:30
rodrigodsthat is /cascade17:30
rodrigodsfor both enable/disable and delete17:30
gyee1) always deal with materialized/canonicalized paths17:32
gyee2) allow partial match17:32
openstackgerritMerged openstack/keystone: Remove assigned protocol before removing IdP  https://review.openstack.org/17369617:33
gyeefor enable/disable, cascade is implied17:33
rodrigodsgyee, yes17:33
openstackgerritMerged openstack/python-keystoneclient-federation: Uncap library requirements for liberty  https://review.openstack.org/17453517:35
rodrigodsgyee, for this we need to implement revocation events in ksm17:35
rodrigodsis there something that is blocking this?17:35
*** amerine has quit IRC17:35
gyeerodrigods, yes, we must get revocation events working17:35
*** amerine has joined #openstack-keystone17:36
*** lhcheng_ has quit IRC17:39
*** madhu_ak has joined #openstack-keystone17:41
openstackgerritMerged openstack/keystone: Remove unused policy rule for get_trust  https://review.openstack.org/17415517:42
openstackgerritMerged openstack/keystone: Make memcache client reusable across threads  https://review.openstack.org/17083517:42
madhu_akhi, I am looking - how to clear keystone tenant-list ? do we have any command for clearing the tenant_ids?17:42
openstackgerritMerged openstack/keystone: Expose domain_name in the context for policy.json  https://review.openstack.org/17463317:43
stevemarmadhu_ak, nope, you can delete by id only17:43
madhu_akhow to do that?17:43
stevemarkeystone tenant-delete <id> should work17:43
madhu_akyou mean keystone tenant-delete <id>17:43
madhu_ak?17:43
stevemaryep17:44
madhu_akawesome, will do17:44
madhu_akhave a question though17:44
stevemaronly 1 ID at a time17:44
openstackgerritMerged openstack/keystonemiddleware: Uncap library requirements for liberty  https://review.openstack.org/17449317:44
madhu_akyep17:44
madhu_akanother question17:44
raildodstanek, thanks for your comments in reseller patches :)17:44
openstackgerritMerged openstack/python-keystoneclient: Uncap library requirements for liberty  https://review.openstack.org/17453417:45
stevemarmadhu_ak, if you are interested in trying python-openstackclient, you can specify multiple IDs :) -> http://docs.openstack.org/developer/python-openstackclient/command-objects/project.html#project-delete17:45
stevemaranyway, whats your other question17:45
dstanekraildo: thanks for doing the work :-)17:46
madhu_akhave created tempest tests for neutron-lbaas tree and it perfectly working as designed for admin and non-admin users..the resources are indeed setup and cleaned up against devstack instance. For admin tests, when i run the tests for many times, I could see bunch of tenant_id's when I randomly check 'keystone toekn-list'17:46
madhu_ak'keystone tenant-list'17:47
stevemarmaybe tempest is creating tenants17:48
* stevemar shrugs17:48
madhu_aktenant_list are not cleared though, not sure where to put a check..btw I dont want to make any changes in /opt/stack/tempest/* files17:48
madhu_akbecause I dont want other tests to be disturbed though17:49
*** jaosorior has quit IRC17:52
madhu_akbtw, Is there a way to see the tenant_id's list using keystone for non-admin? meaning, when I run the tempest test against non-admin user, how to check whether it is actually creating/or not for non-admin17:53
*** lhcheng has joined #openstack-keystone17:58
*** ChanServ sets mode: +v lhcheng17:58
mgagnedstanek: ping17:59
dstanekmgagne: pong17:59
mgagnedstanek: I'm looking at your change here https://review.openstack.org/#/c/174556/2 in order to understand why https://review.openstack.org/#/c/120011/16 is failing17:59
mgagnedstanek: while tests are now isolated as you proposed, I see that the actual implement of templated catalog still rely on KVS18:00
dstanekmgagne: yes, that change only fixes the tests18:01
mgagnedstanek: as soon as you update templated catalog to raise NotImplemented for CUD calls, keystoneclient (in keystone repo) tests are failing18:01
dstanekthere is a dependent patch that removes kvs18:01
mgagnedstanek: does it address the keystoneclient tests?18:01
dstanekhttps://review.openstack.org/#/c/158442/18:01
mgagnedstanek: I read it and see if I still have questions.18:02
dstanekmgagne: i have not looked at the patch you mentioned, but it is definitely broken18:02
mgagnedstanek: that's what I found out.18:02
dstanekmgagne: added a comment on it with a link to my patch18:04
*** aix has quit IRC18:06
mgagnedstanek: tbh, I'm trying to backport his patch to icehouse and I still don't understand why keystoneclient tests are failing and how it actually relate to his change. Which catalog is actually tested in there?18:07
mgagnedstanek: but I think I figured out18:07
mgagnedstanek: your patch changes the catalog from templated to sql18:07
mgagnein tests18:07
dstanekyes, you may have more luck trying to backport my patches18:08
mgagnetrue, I didn't see the actual implement of service/endpoint list/read to templated catalog18:09
mgagnedstanek: will try yours, thanks a lot for the help18:09
dstanekmgagne: also you may want to wait a little until some of this actually merges so you don't have to do the work twice in case things change18:10
mgagnedstanek: I unfortunately don't have the luxury of time =)18:10
mgagnedstanek: do you plan implementing endpoint list too?18:10
*** amakarov is now known as amakarov_away18:14
dstanekmgagne: oh, oops. yes, i can do that18:15
dstanekmgagne: problem is that your backport won't be accepted until the fixes merge into master and are a clean backport18:16
dstanekmgagne: i can hack that together pretty quicly18:16
mgagnedstanek: oh, I don't plan on proposing the backport to icehouse because it would be too featureful =)18:16
dstanekmgagne: i thought that's what you were trying to do18:17
mgagnedstanek: I'm packaging keystone locally18:17
dstanekah i see18:17
mgagnedstanek: should have said: I'm trying to locally backport to icehouse18:17
raildodstanek, i have a doubt about your comment here (line 106): https://review.openstack.org/#/c/158372/41/keystone/resource/core.py18:24
dstanekraildo: which one?18:25
raildodstanek, about the race condition18:25
raildodstanek, we are creating the new constraint here: https://review.openstack.org/#/c/158372/41/keystone/common/sql/migrate_repo/versions/074_update_project_name_constraint.py18:25
dstanekraildo: then why are we doing the extra check?18:26
raildoso if the db is not sqlite, we can't create two projects with the same name, and we don't need this method18:26
*** rushiagr is now known as rushiagr_away18:26
raildodstanek, yes... because this extra check can be useful for the sqlite case18:27
dstanekraildo: so this is only there for sqlite testing? that should definitely be in a comment18:27
dstaneki wish we would add RI support into sqlite :-(18:27
dstanekraildo: what about for non-SQL backends?18:28
*** ashleighfarnham has joined #openstack-keystone18:28
*** ashleighfarnham has left #openstack-keystone18:28
rodrigodsdstanek, yeah... since the tests run against sqlite we couldn't add tests to verify this condition18:28
rodrigodsunless we had this "extra" checking in the code18:29
raildotoday this works for non-sql backends, right?18:29
raildowe are just updating the reference to considered is_domain,18:30
*** mtecer has joined #openstack-keystone18:30
dstanekraildo: do we check for unique name somewhere for non-SQL backends? no idea...but i'm sure that would be a race condition18:30
dstaneki definitely think this needs a comment saying that it's for sqlite testing18:31
rodrigods++18:31
rodrigodsthought we had another option to not have this method :(18:31
mtecerIs this the right room to ask Keystone v3 related question ?18:32
raildodstanek, my idea is test (without this extra verification)with other backends, mysql, postgres, and if this works, maybe we can remove this from the code and run the test just for non-sqlite18:32
*** avozza is now known as zz_avozza18:34
raildomtecer, I believe that we can help you :)18:35
mtecerraildo, thank you. I just switched from v2 to v3. Everything works fine with OS_TOKEN. Created an admin domain user role etc. When I switch to this user, do a user list, I get "ERROR: openstack The service catalog is empty"18:37
mtecerAny pointers ?18:37
raildomtecer, are you doing this request via openstack client? API call?18:38
mtecerraildo, openstack client18:39
raildomtecer, After create this user, you have grant some role for this user?18:40
mtecerraildo, I assigned this user as admin user in admin domain.18:41
raildomtecer, can you do: echo $OS_SERVICE_ENDPOINT18:42
raildomtecer, there is something like: http://localhost:35357/v3?18:43
mtecerraildo, OS_SERVICE_ENDPOINT is empty. However I have this OS_AUTH_URL="https://api.openstack.local:35357/v3"18:44
raildomtecer, mayve you have to set this for the v3 too18:45
raildomtecer, can you update this and test again?18:45
mtecerYes, I will test it now.18:45
mtecerraildo, same error. One thing is that "admin" role I assign is the same from v2. Maybe I should re-create admin role and assign it in v3 ?18:50
*** zz_avozza is now known as avozza18:53
*** alexsyip has joined #openstack-keystone19:09
*** madhu_ak has quit IRC19:13
mtecerraildo, issue was that I used "OS_USER_DOMAIN_NAME" but it required "OS_DOMAIN_NAME". Thank you very much for your time.19:14
*** madhu_ak has joined #openstack-keystone19:16
raildomtecer, :)19:29
*** stevemar has quit IRC19:40
*** stevemar2 has joined #openstack-keystone19:40
*** ChanServ sets mode: +v stevemar219:40
*** kevinc has joined #openstack-keystone19:50
kevincDoes keystone have the ability to store metadata for users and projects?19:52
*** madhu_ak has left #openstack-keystone19:52
dstanekkevinc: what sort of metadata?19:57
kevincWhat department the user or project works in, internal billing codes. I don't care if the user can or cannot access this data.19:58
dstanekkevinc: there is a soon to be deprecated way to do it now, but i think it will be removed soon20:00
kevincDo people just integrate with LDAP and store that information in LDAP? or is there a better way?20:06
openstackgerritSteve Martinelli proposed openstack/keystone: DO NOT MERGE  https://review.openstack.org/17504020:06
dstanekkevinc: what are you trying to do exactly?20:07
dstanekstevemar2: should i merge that ^?20:07
*** topol has quit IRC20:09
*** mattfarina has quit IRC20:11
kevincFor all of the project in keystone we need to associate a project lead (first and last name) and project billing index, so we can run monthly reports for management so they can go back to each department and recover the cost of resources used20:12
*** pnavarro has quit IRC20:14
*** stevemar2 is now known as stevemar20:15
dstanekkevinc: unfortunately that's beyond my area of expertise20:15
kevincok thanks20:15
stevemardstanek, maybe not merge that one :)20:15
dstanekkevinc: maybe someone else in here will be able to answer that or you can ask on one of the mailing lists20:15
kevincis setting the "extra" information on the tenant the method that is going to be deprecated?20:17
ericksonsantosdstanek, ping about https://review.openstack.org/#/c/158720/1220:18
dstanekkevinc: yes, you don't set it directly you just put key-value pairs in the entity data and they are stashed there for you20:18
dstanekericksonsantos: hi20:19
ericksonsantosdstanek, hi, I'm new to openstack20:19
ericksonsantosdstanek, and I'm working with the guys of reseller20:20
kevincdstanek: thank you, setting the key-value pairs will work. There are no plans to depreciate this feature are there?20:21
dstanekkevinc: that's exactly what we have been taking about deprecating20:22
ericksonsantosdstanek, we tryed to follow henry-nash suggestion and map from ProjectNotFound to ValidationError in get_project20:22
*** openstackgerrit has quit IRC20:22
*** openstackgerrit has joined #openstack-keystone20:22
kevincoh ok20:22
kevincthank you20:22
ericksonsantosdstanek, but the get_project method is never called when project_id is invalid.20:23
ericksonsantosdstanek, we look into the code and realized that it occurs because of the "protected" wrapper, more accurately at https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L12420:24
dstanekericksonsantos: welcome :-)20:24
ericksonsantosdstanek, thanks :)20:24
dstanekyou mean in create_project right? not get_project?20:25
dstanekfor raising the ValidationError20:25
ericksonsantosdstanek, in get_project too20:25
ericksonsantosdstanek, I think it doesn't make much sense20:26
dstaneki don't think get_project should raise a validationerror - if the project_id doesn't exist it should be a ProjectNotFound20:26
ericksonsantosdstanek, so I agree with you :) but I think henry-nash want us to do that20:27
dstanekericksonsantos: looking for his comment20:28
ericksonsantosdstanek, or I understood his comment the wrong way20:28
rodrigodsericksonsantos, dstanek, think because we had a DomainNotFound20:28
*** pnavarro has joined #openstack-keystone20:28
ericksonsantosrodrigods, I don't think so20:29
rodrigodsericksonsantos, dstanek, sorry, confused the patches :)20:30
dstanekhis last comment is just about adding a test for the validation error20:30
rodrigodsdstanek, that's the tricky part20:31
rodrigodsdstanek, there is something wrong20:31
ericksonsantosdstanek, hmm, I see20:31
rodrigodsseems like the wrong controller method is being called20:32
rodrigodsericksonsantos can give more details :)20:32
*** gyee has quit IRC20:32
raildodstanek, maybe we need to change the bug description, since we are handle with this in the create_project not anymore in the list parents and subtree20:33
ericksonsantosrodrigods, when we make a get_project call with an invalid id we get a ProjectNotFound error20:33
ericksonsantosrodrigods, and I think that makes sense20:33
rodrigodsyep20:33
rodrigodsbut we handle the None case20:33
rodrigodsand raise a ValidationError for it20:33
rodrigodsand was suggested to "unify" the errors being raised20:34
ericksonsantosrodrigods, yes.20:35
kevincdstanek: thank you for your help, one last question, is there a link to the discussion about deprecating the key-value pairs? I would like to note it in my documentation that the developers should watch it before using it to support our needs20:36
ericksonsantosrodrigods, so do you think we should map from ProjectNotFound to ValidationError in get_project?20:38
dstanekwhat would be invalid in a get_project call?20:39
dstanekif get_project is called with an id that doesn't exist that should result in a 40420:41
ericksonsantosdstanek, hmm... I can see just two cases: None and an id of a project that doesn't exist.20:41
*** tqtran_afk is now known as tqtran20:41
dstanekericksonsantos: how can you pass in a None?20:42
*** thedodd has quit IRC20:42
dstanekericksonsantos: i think of ValidationError an an HTTP thing - our architecture is really bad at separating the HTTP from the application code20:43
*** tqtran has quit IRC20:43
*** tqtran has joined #openstack-keystone20:43
ericksonsantosdstanek, I think we understood wrong.20:49
ericksonsantosdstanek, we should test the create_project passing None as id20:50
*** raildo has quit IRC20:51
ericksonsantosparent_id*20:52
ericksonsantosI'll make a test for this and change the commit message.20:53
ericksonsantosdstanek, thanks :)20:54
*** sdake_ has joined #openstack-keystone20:56
*** rharwood_ has joined #openstack-keystone20:57
*** gabrielbezerra has joined #openstack-keystone20:57
*** rharwood has quit IRC20:59
*** gabriel-bezerra has quit IRC20:59
*** iurygregory has quit IRC20:59
*** rharwood_ is now known as rharwood20:59
*** iurygregory has joined #openstack-keystone20:59
*** sdake has quit IRC20:59
*** leonchio_ has joined #openstack-keystone21:00
*** leonchio_ has quit IRC21:00
-openstackstatus- NOTICE: Gerrit will be unavailable between 22:00 and 23:59 UTC for project renames and a database update.21:04
*** avozza is now known as zz_avozza21:04
*** openstackgerrit has quit IRC21:23
*** openstackgerrit has joined #openstack-keystone21:23
*** sdake has joined #openstack-keystone21:25
*** stevemar has quit IRC21:29
*** sdake_ has quit IRC21:29
*** amerine has quit IRC21:41
*** amerine has joined #openstack-keystone21:41
*** bknudson has quit IRC21:44
*** jamielennox|away is now known as jamielennox21:48
*** kevinc has quit IRC21:49
*** markvoelker has joined #openstack-keystone21:49
*** markvoelker_ has joined #openstack-keystone21:50
*** gordc has quit IRC21:54
*** markvoelker has quit IRC21:54
*** mtecer has quit IRC21:55
*** markvoelker_ has quit IRC21:58
*** pnavarro has quit IRC21:58
*** carlosmarin has quit IRC22:00
*** amerine has quit IRC22:02
*** jsavak has quit IRC22:02
*** amerine has joined #openstack-keystone22:03
-openstackstatus- NOTICE: Gerrit is unavailable until 23:59 UTC for project renames and a database update.22:04
-openstackstatus- NOTICE: Gerrit is unavailable until 23:59 UTC for project renames and a database update.22:07
*** ChanServ changes topic to "Gerrit is unavailable until 23:59 UTC for project renames and a database update."22:07
*** sigmavirus24 is now known as sigmavirus24_awa22:13
*** sdake_ has joined #openstack-keystone22:24
*** sdake has quit IRC22:27
*** lhcheng has quit IRC22:32
*** Ephur has quit IRC22:41
*** lhcheng has joined #openstack-keystone22:42
*** ChanServ sets mode: +v lhcheng22:42
*** lhcheng_ has joined #openstack-keystone22:43
*** lhcheng has quit IRC22:43
*** rushil has quit IRC22:46
*** sdake has joined #openstack-keystone22:46
*** dnalezyt has quit IRC22:47
*** sdake_ has quit IRC22:50
*** lhcheng_ is now known as lhcheng22:53
*** ChanServ sets mode: +v lhcheng22:53
morganfainbergoh kevinc is not here.22:58
morganfainbergi could have answered re: extra and what he was looking for22:58
*** ChanServ changes topic to "Liberty Development Open | Look for RC-critical bugs | Review KeystoneClient and KeystoneMiddleware code | Review Liberty Keystone Specs"23:04
-openstackstatus- NOTICE: Gerrit is available again.23:04
*** sdake_ has joined #openstack-keystone23:14
*** sdake has quit IRC23:17
*** zzzeek has quit IRC23:23
*** lhcheng has quit IRC23:26
*** amerine has quit IRC23:27
*** amerine has joined #openstack-keystone23:27
*** lhcheng has joined #openstack-keystone23:30
*** ChanServ sets mode: +v lhcheng23:30
*** jamielennox is now known as jamielennox|away23:30
*** lhcheng_ has joined #openstack-keystone23:30
*** lhcheng has quit IRC23:30
*** sdake has joined #openstack-keystone23:32
*** lhcheng_ has quit IRC23:32
*** amerine has quit IRC23:33
*** zzzeek has joined #openstack-keystone23:33
*** amerine has joined #openstack-keystone23:33
*** lhcheng has joined #openstack-keystone23:34
*** ChanServ sets mode: +v lhcheng23:34
*** sdake_ has quit IRC23:36
*** alexsyip has quit IRC23:40
lhchengin the keystone policy file, we have a rule: "owner" : "user_id:%(user_id)s",23:44
lhchenganyone knows how the right side "user_id" is evaluated?23:44
lhchengI can't seem to find how the "user_id" is ever set here: "owner" : https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L134-L15623:45
*** zzzeek has quit IRC23:55
« Thursday, 2015-04-16 Index Saturday, 2015-04-18 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!